Sunday, July 7, 2013

I2P Revisited

I wrote a post about Anonymous P2P back in 2008 and basically concluded that it was too slow and didn't have enough files to be useful.  Well, 5 years later, I can now come to a different conclusion.  While it's not as fast as regular old Bittorrent, and it doesn't have nearly the selection that Pirate Bay does, I2P is now faster and has enough files on it to at least be useful.

I2P is basically a service that gets installed to Windows (or Linux) and then you access the user interface through your web browser.  Its interface is pretty easy to use, but a lot of the buttons don't make sense when you first start using it.  This is because many of the items are links to eepsites - which are web sites that people run exclusively through the I2P network.  These eepsites are often some guy's personal web site with a bunch of links and useful information.



The way I2P works is it is an overlay network that runs on top of your internet connection.  The data you send through I2P gets encrypted and proxied through the network.  So you can run pretty much anything you want through it.

While you can use I2P like Tor and browse the regular internet through it, I2P provides many services that stay within the I2P network, like Bittorrent, IRC, and the aforementioned eepsites.  It also should be noted that I2P's "exit nodes" are much slower and less reliable than Tor's, so you'll want to use the internal I2P services whenever possible.

I2P has a Bittorrent client built in to the web interface called I2PSnark.  In it, you can click on links to the 3 (as of this writing) Bittorrent trackers in I2P and browse or search for the files they have.  There's some newer stuff on there, but you probably won't find anything obscure or cutting edge.  Download and upload speeds were pretty good though.



Overall my experience with it was pretty good, but it still doesn't have nearly the selection that the regular torrent sites offer.  The program has come a long way in 5 years, and I hope it only gets better from here.

Thursday, February 14, 2013

My experience with running Dentrix on a Terminal Server

We have a customer at work that runs Dentrix.  They have 4 offices, and need to have all of the patient data in one place.  Unfortunately, the only way that Dentrix supports this is through the use of Dentrix Enterprise, which costs about $80,000.  The customer wasn’t willing to spend that much on it, so we were forced to look at unsupported solutions.

From talking to one of the developers at Henry Schein, Dentrix is a very disk and network intensive application, which tends to cause problems when you run it on virtual PCs that share physical storage.  I set it up in a lab environment and experienced similar issues, but this may be because we were also using other non-Dentrix applications on the same physical hardware, and the hardware needed to be upgraded.

With our virtual infrastructure not up to the task of running Dentrix, I decided to build a physical infrastructure for it instead.  I grabbed two old servers and installed terminal services on them, along with the Dentrix G4 Clinical Workstation edition.

I talked with the developer about doing this, and he said that there were several known issues with installing Dentrix on a terminal server.  Namely, “slowness, refresh issues, and not prompting for a password when it should.”  Additionally, there are “identity issues, because the database won't know if the computer has the information it needed, because that computer is connecting and requesting the same information multiple times.”  However, with no other options available, I had to try it.

Getting it installed was a little less straightforward than it was on a Windows 7 workstation.  In order to get it installed (on a Server 2008 R2 operating system), I had to install two role services first: the .NET Framework 3.5, and Windows Desktop Experience.  Dentrix would not work without them.

After Dentrix was installed, I wanted to make sure it would work without giving everyone Administrator privileges.  I gave Domain Users permission to the “C:\Program Files (x86)\Dentrix” folder, and also had to disable UAC, and this allowed Dentrix to work for non-Administrators.  I also had to give users full permission to the “C:\DtxTemp” folder to allow them to be able to print the predefined letters they had set up there, but the program will run without doing this.

One of the offices also uses XDR.  I was able to get XDR to work as a non-Administrator by giving Users full access to the "C:\XDRClient" folder.

After all of this was done, I copied the program icons over to the Public Desktop (as the program only installs icons to the User’s desktop, by default), and everything was working fine.

The main terminal server I am running Dentrix on has dual quad-core Xeon 3.20GHz processors and 8GB of RAM, although I would like to get it upgraded to 16GB.  The second one has fewer users on it, and has a dual-core AMD Opteron 2.0GHz processor and 16GB of RAM.  I have about 10 concurrent users on the primary terminal server, and 5 on the secondary.

So far, they like the performance a lot better than their old infrastructure, which had everyone on their own physical blade PC – an Athlon XP 1500+ with 2GB of RAM, which is far below Dentrix’s minimum requirement of a 2.4GHz Pentium 4.  The only other issue I have had is when printing the appointment book view.  The reporting options there are a per-computer setting, so if a user at one office changes the settings there, all of the offices are affected.

Well, that’s all for now.  So far, the customer is happy, and hopefully, it will stay that way.

Thursday, February 7, 2013

HP Laserjet 4050 on a 64-bit OS

I had an issue connecting an HP Laserjet 4050 parallel printer (connected with a USB adapter to a 64-bit Windows 7 laptop) to a terminal server running 32-bit Server 2003 R2.  It worked fine when the user was running Windows XP, but after upgrading to a new computer, it no longer showed up on the terminal server.

The problem is that Windows must have a driver on the terminal server with the exact same name as the driver on the local computer.  In this case, Windows automatically installed the "HP Laserjet 4050 PCL 5" driver, but the server only had drivers for the "HP Laserjet 4050 PCL5E" and "HP Laserjet 4050 PCL6" printers.

Windows 7 also comes with a PCL6 driver for this printer, so I went into the properties for this printer (Control Panel, Printers, right click the printer and go to Printer Properties, Advanced tab, New Driver).  I selected the PCL6 version of the driver.  However, when I clicked OK, it told me that a driver needed to be installed.  Strange, as I was just using the driver that came with Windows.

It turns out there is a bug in the Microsoft drivers for this printer.  Here is the fix for that (copied from here):

As was mentioned above:
On your Windows 2008 server, open the registry editor and change the HPTrayCount:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\(printerName)\PrinterDriverData]

Set HPTray to 12 (hex, it'll show 18 in decimal).

Note if you have 50 printers, you may have to do it 50 times.  On my server some said 0, and others were still set to 12.  I'm not sure why some changed and some did not.  The ones that still had 12 were not displaying any problems.
Scott

After I got that working, she was able to see the printer on the terminal server, but not in Quickbooks.  It turns out that Quickbooks has another bug that won't allow you to see printers whose names contain too many characters.  I logged her out of the terminal server, renamed the printer to "Laserjet4050," logged her back into the terminal server, and she was able to print in Quickbooks!

Wednesday, February 29, 2012

A Very Strange Mouse Issue

On Sunday, I walked into my office, sat down at my computer, and grabbed a hold of my mouse.  Suddenly, a loud electric shock came out of my hand.

I started using the computer, and before long, I noticed one of the two thumb buttons wasn't working.  I ran Counter-Strike Source and noticed that my flashlight was on when I first started playing the game (the key I used to turn on the flashlight happened to be my second mouse button).  Then, I started VirtualBox and noticed that I couldn't click on any buttons or menus, although I could X out of the program.

I tried a different USB port and a different mouse, but nothing seemed to fix that problem.  Then I remote desktoped into the system, and everything was working.  Strange.

The next thing I tried was I completely uninstalled the drivers for my mouse, and then plugged in another mouse, and rebooted the computer.  Everything worked.

I plugged my old mouse back in, and the problems came back.  So I guess that was it - my beloved Logitech MX518 now has Mouse4 being pressed all the time, even when I'm not pressing it.  So now I'm stuck with a cheap HP 2-button mouse, at least for the time being.  (Why couldn't I have killed that one instead?)

Tuesday, February 28, 2012

NAT Routers

Remember telephone modems?  You had to wait for your modem to dial in to your ISP, and once you were connected, it was agonizingly slow.

Typically with this setup, you have only one computer with a modem inside.  When you dial into your ISP, a DHCP server assigns your modem a unique IP address.  This IP address identifies your computer and your ISP on the Internet.

Frustrated with these slow modem speeds, many telecom and cable companies began offering DSL and Cable modems, which are much faster than modems, and you never have to wait to dial in with them.

About this time, people also started getting new computers.  Instead of having to fight over one computer, a family can have one computer for the parents and another for the kids.  Now, what could be done to get both computers on the Internet?

The cable companies' solution was to sell you another IP address.  That way, you could buy a switch, connect all your computers and your cable modem to the switch, and everyone could access the Internet at the same time.

However, consumers didn't like the idea of spending five, ten, or even as much as twenty extra dollars per month per additional IP address.  So companies like Linksys and Netgear came out with routers.

How NAT Routers Work

A router allows several computers to share the same IP address and therefore connect to the Internet at the same time.  Here is how it works:

  1. Every computer on the network is assigned a local (LAN) IP address by the router.  These IP addresses are not unique and only apply to the LAN (local area network).
  2. The router has two IP addresses: a LAN IP and a WAN (wide area network) IP address.  Computers on the LAN communicate with the router by connecting to its LAN IP address (the default gateway).  Computers on the Internet communicate with the router's WAN IP address.
  3. When you request data from a server on the Internet, your router replaces the source (return) address in the packet header, which is your LAN IP address, with its own WAN address.  Then, when the data comes back, it changes the destination address back to your LAN IP.

This process is called network address translation, or NAT.

Separating Applications into Ports

Every computer (or router) has 65,535 ports.  When one computer establishes a connection with another computer, it sends data to its IP and port.  The other computer must be listening on the port the data was sent to for it to receive anything.

Established standards usually dictate which ports should be used for specific types of services.  For example, HTTP services usually run on port 80.  FTP services are usually on port 21, and America Online uses port 5190.  Though these are the standard ports for these services, it is not a requirement to run those services on those ports.  You could, for example, run an HTTP server on port 21 and an FTP server on port 80.

So, when two computers establish a connection, the client opens a connection with the server on a certain port.

How NAT uses Ports to Share a Single IP Address

Most of the time, the server will need to send data back to the client.  So the client must also be able to accept connections on a port.  Note that this does not need to be the same port that the server is listening on.  In fact, it almost never is.

When the client sends a packet to the server, it specifies in that packet the IP address and return port of the client.

So let's see what happens when you access CNN.com.  For this example, we'll assume your IP address is 192.168.0.1. 

  1. First, your computer will find out the IP address of www.cnn.com from a DNS server.
  2. Next, it will request the file index.html from 64.236.24.12:80 (CNN's IP address, on port 80).  The request packet also includes the IP address and port your computer is listening on for the file.  We'll say it's 192.168.0.1:4000.
  3. CNN will send index.html to 192.168.0.1:4000.
  4. The process will be repeated for pictures and other files that appear on index.html.

The Caveat of NAT

What happens when someone behind a router is running a server?  Well, if you try to open a connection with someone behind a router, the router won't know which of the possibly hundreds of computers connected to the router you want to open the connection with.

In this case, the router will do one of two things: it will either respond saying that the port you are trying to connect to is closed, or it will not respond at all.  The latter case is called a filtered port.  Filtered ports are supposed to be more secure because a machine with filtered ports takes much longer to port scan.  This involves checking every port on the host to see which ports are open (and available to connect to, and try to hack).

Fortunately, there is a way around this limitation.  And it's a good thing, too, since P2P applications work much better when you can accept incoming connections.

Most routers allow you to set up port forwarding.  This means you can tell the router that you want incoming connection requests on a certain port to be forwarded to a specific IP address on your LAN.  Check your router's documentation for details, or try this site.

If you are unable to set up port forwarding, you will still be able to connect to P2P networks since you can open connections with other hosts that have port forwarding enabled.  However, in order for anyone to download from you, they will need to send something called a push request.  The way this works is their client tells your hub/server to tell your client to open a connection to his computer.

Naturally, you cannot send a push request if you yourself do not have port forwarding enabled.  So you will not be able to download from users who are behind routers (and they, of course, have the fastest connections).
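To make the translation step and the port-forwarding caveat concrete, here is a small NAT simulation added as an example (it is not code from the original post).  It reuses the post's addresses (192.168.0.1:4000 and 64.236.24.12:80) and assumes a WAN address of 203.0.113.5 and an ephemeral port pool starting at 50000, both constructed for the example.

```python
import itertools

# Constructed topology, using the post's numbers: the client at 192.168.0.1:4000
# sits behind a router whose WAN address is assumed to be 203.0.113.5.
LAN_CLIENT = ("192.168.0.1", 4000)
WAN_IP = "203.0.113.5"
SERVER = ("64.236.24.12", 80)   # CNN's address and port as given in the post


class NatRouter:
    """Minimal port-based NAT: one WAN address shared by many LAN hosts."""

    def __init__(self, wan_ip, forwards=None):
        self.wan_ip = wan_ip
        # translation table: WAN port -> (LAN ip, LAN port) of the host that opened it.
        # A real router also records the remote endpoint; this is the bare idea.
        self.table = {}
        # static port forwards set up by the user: WAN port -> (LAN ip, LAN port)
        self.forwards = dict(forwards or {})
        self._ports = itertools.count(50000)  # constructed ephemeral port pool

    def outbound(self, src, dst):
        """Rewrite a LAN host's source address to the router's WAN address."""
        wan_port = next(self._ports)
        self.table[wan_port] = src
        return (self.wan_ip, wan_port), dst

    def inbound(self, src, dst):
        """Return the LAN endpoint a WAN-side packet is delivered to, or None."""
        wan_ip, wan_port = dst
        if wan_ip != self.wan_ip:
            return None
        # reply to a connection a LAN host opened: translate back to the LAN address
        if wan_port in self.table:
            return self.table[wan_port]
        # unsolicited connection: only a port forward tells the router which host
        if wan_port in self.forwards:
            return self.forwards[wan_port]
        return None  # dropped silently: this is the "filtered port" case


def cnn_round_trip(router):
    """The post's CNN example: the request goes out translated and the reply
    is translated back to 192.168.0.1:4000."""
    translated_src, dst = router.outbound(LAN_CLIENT, SERVER)
    # the server answers whatever source it saw, i.e. the router's WAN ip:port
    delivered_to = router.inbound(dst, translated_src)
    return translated_src, delivered_to


if __name__ == "__main__":
    r = NatRouter(WAN_IP, forwards={6881: ("192.168.0.1", 6881)})
    print(cnn_round_trip(r))
    print(r.inbound(("198.51.100.9", 6000), (WAN_IP, 6881)))  # forwarded
    print(r.inbound(("198.51.100.9", 6000), (WAN_IP, 7000)))  # filtered
```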

Networking Basics

I've been going through my old homepage and looking for things that I want to keep, since I'm probably going to get rid of it. So here is the first of what will be many reposts of the content I have there.

-----

A network is a group of computers that are connected together using cables or wireless networking technology.  The Internet is a global network that connects many smaller networks together.


Types of Networks

A Local Area Network (LAN) is a network that typically consists of computers in a single building or location.

A Wide Area Network (WAN) is a network that consists of computers in many locations.  They can be in different cities, different states, or different countries.  The Internet is, and is almost synonymous with, a WAN.

Network Identification

Each computer on the Internet must be identified uniquely.  This is done by using an IP (Internet Protocol) address.


IP Addressing

An IP address consists of four octets.  Each octet is an 8-bit number from 0 to 255.

It can be denoted in dotted decimal notation: 192.168.100.70

It can also be denoted in binary: 11000000 10101000 01100100 01000110


Host Names

On a LAN, computers can also be identified by their computer name.  This is a string of at most 15 characters consisting of alphanumeric characters and hyphens.  For example, my computer name is Chris1.

On a WAN, host names must be used.  A host name is a computer name plus a domain name.  For example, Chris1.chapman.edu.

When you access network resources by providing a host name or a computer name, a special server called a name server or a DNS server looks up the IP address that is associated with the provided host name or computer name.

If you are using Windows and are not on a domain, computer names are resolved by sending a broadcast packet to the entire network.  Whichever computer has the name you are attempting to resolve responds with its IP address when it receives the broadcast.


Dividing Networks into Subnets

Networks can be divided into subnets using a subnet mask.  The subnet mask can be used in combination with an IP address to obtain the network address (or subnet address).

Recall that an IP address consists of 32 bits (four 8-bit octets).  The subnet mask is simply a number from 0 to 32 that identifies how many bits of the IP address are used in the network address.


Subnet Mask Notations

The simplest way to denote a subnet mask is with a slash.  A subnet mask of /24 indicates that the first 24 bits of the IP address are used to represent the network address.

Using the example IP address 192.168.100.70, 192.168.100.70 / 24 denotes the entire network that 192.168.100.70 resides on.  By applying the subnet mask to the IP address, we can extract the network address.  In this case, the network address is the first 24 bits, or the first three octets of the IP address.  This works out to be 192.168.100.0.

Subnet masks can also be denoted in binary.  A subnet mask of /24 looks like this: 11111111 11111111 11111111 00000000.  If we denote an IP address and subnet mask in binary, performing a logical AND operation on the two will give us the network address:

    11000000 10101000 01100100 01000110   (192.168.100.70)
  & 11111111 11111111 11111111 00000000   (/24)
  = 11000000 10101000 01100100 00000000   (192.168.100.0)


Subnet masks can also be represented in dotted decimal notation: 11111111 11111111 11111111 00000000 = 255.255.255.0 = /24.

Note that the network address is the first address of any subnet.  It is reserved.  Therefore, no computers on your network can be assigned to use the network address.


Uses for Subnet Masks

Suppose another computer has the IP address 192.168.100.73.  If we apply a subnet mask of /24 to this IP address, we get 192.168.100.0 as the network address.  Since this is the same as the network address of the IP address above, both IP addresses are on the same network.
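The AND operation above, carried out for any prefix length rather than just /24, as an added example (not code from the original post).  It uses the post's own addresses and also renders them in the binary and dotted-decimal notations described above.

```python
OCTET_SHIFTS = (24, 16, 8, 0)


def parse_ip(text):
    """Turn dotted-decimal text into a 32-bit integer, rejecting bad octets."""
    octets = text.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets: {text!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range: {octet}")
        value = (value << 8) | n
    return value


def to_dotted(value):
    """32-bit integer -> dotted decimal, e.g. 0xC0A86400 -> 192.168.100.0."""
    return ".".join(str((value >> s) & 0xFF) for s in OCTET_SHIFTS)


def to_binary(value):
    """Four space-separated 8-bit groups, the way the post writes them."""
    return " ".join(format((value >> s) & 0xFF, "08b") for s in OCTET_SHIFTS)


def prefix_to_mask(prefix):
    """/N -> 32-bit mask with the first N bits set (0..32 inclusive)."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def network_address(ip_text, prefix):
    """Logical AND of address and mask: 192.168.100.70/24 -> 192.168.100.0."""
    return to_dotted(parse_ip(ip_text) & prefix_to_mask(prefix))


def same_network(a, b, prefix):
    """True when both addresses share the network address under this mask."""
    return network_address(a, prefix) == network_address(b, prefix)


if __name__ == "__main__":
    ip = "192.168.100.70"
    print(to_binary(parse_ip(ip)), f"({ip})")
    print(to_binary(prefix_to_mask(24)), "(/24)")
    print(to_binary(parse_ip(network_address(ip, 24))), f"({network_address(ip, 24)})")
```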

Friday, September 23, 2011

DCPromo error when removing a child domain

I set up a child domain in our lab at work. The child domain controller was a virtual 2008 server. When I tried to run dcpromo to get rid of it, I got the following error:

---------------------------
Active Directory Installation Wizard
---------------------------
The operation failed because:

Active Directory could not transfer the remaining data in directory partition
CN=Schema,CN=Configuration,DC=xxx,DC=NET to domain controller yyy.xxxx.NET.

"The RPC server is unavailable."
---------------------------
OK
---------------------------

After poring through Google and tons of forums, I could not find the answer, but everything seemed to point to it being a DNS problem. It turns out, that was indeed the case. On the parent domain controller, I opened up DNS and navigated to the child domain under forward lookup zones. I tried to ping the FQDN of the child domain controller but could not; however, I was able to ping it by computer name.

When I opened up the properties of the child domain in DNS, the name server listed for the child domain controller had its old IP address listed. So I changed it to the new IP address, and suddenly, all of the RPC errors went away and I was able to demote the child domain controller and remove the child domain!

It took me months to figure this out, and all the trouble was because the IP address of the domain controller changed.

Ubuntu 22.04 on VMware Workstation Error

I tried installing Ubuntu 22.04 server on VMware Workstation and got this message: Sorry, there was a problem completing the installation E...