Frequently Asked Questions - BMC-IT


  1. How do I connect a private computer to the department network?   2019-05-08
  2. How do I force activation of Windows 10 using KMS?   2019-05-03
  3. How does the reinstallation of Windows computers work at BMC-IT?   2019-05-03
  4. How do I print on EduPrint with LPD on Windows 10?   2019-04-26
  5. How do I connect to storage at Argos?   2019-04-25
  6. Who is responsible for what on the BMC network? Who can help me?   2019-04-11
  7. What should be done to introduce a new system administrator at BMC?   2019-04-09
  8. What are the recommendations for buying a new mac?   2019-04-09
  9. What are your plans for a common client network configuration?   2019-03-22
  10. How do I install anti-virus software on macOS?   2019-03-18
  11. How do I access my scans for eduPrint in Linux?   2019-03-11
  12. How do I map a network drive via SMB on Windows?   2019-03-08
  13. What is the BMC-IT computer platform and how does it work?   2019-02-28
  14. We have a server, where should we put it?   2019-02-25
  15. My Internet does not work! How can I find the problem?   2019-02-08
  16. What is VPN?   2019-02-05
  17. How do I send bulk mail?   2019-01-25
  18. Where do I store my data? How do I take backup?   2019-01-22
  19. How do I find specific files like the last updated, the one with the longest file name, or the largest one?   2019-01-17
  20. We need more storage! Do you have a file server we can use?   2019-01-11
  21. How do I mount my home directory or shared storage at HNAS?   2018-12-21
  22. What is my IP-address and MAC-address?   2018-12-19
  23. What is the name standard for network equipment on BMC.   2018-11-13
  24. How do I start an elevated command prompt (as administrator) in Windows?   2018-11-09
  25. What Internet bandwidth does the university have?   2018-11-08
  26. Connect to eduroam using iPhone with iOS 10   2018-10-04
  27. How do I use an Apple AirPort Time Capsule?   2018-10-04
  28. Are there any desktop phones using the mobile network?   2018-09-12
  29. How do I install Ubuntu?   2018-09-06
  30. How do I connect to the VPN using Ubuntu?   2018-08-13
  31. How do I install Adobe CC Complete (Photoshop, Illustrator...) in Windows?   2018-06-11
  32. How to use the IBM Spectrum Protect (Tivoli Storage Manager aka TSM)   2018-06-04
  33. What fun things can I do with Systemd in Linux?   2018-06-04
  34. How do I change the Mac computer name, host name and NetBIOS-name?   2018-06-04
  35. How do I set firewall rules in Linux to block SSH?   2018-06-04
  36. How do I configure my resolver on a Linux machine?   2018-06-04
  37. What should I think about when adding my own network printer?   2018-05-31
  38. How do I add a macOS printer at IMBIM?   2018-05-22
  39. Which VLANs are at the campus BMC-router?   2018-04-25
  40. What is ransomware and CryptoLocker?   2018-03-23
  41. How do I configure IPMI for remote management?   2018-03-20
  42. I need a new subnet and a new VLAN!   2018-01-19
  43. Who is responsible for the network in the BMC server room?   2018-01-19
  44. There is no wired network here - what to do?   2017-12-19
  45. How do I uninstall the Zenworks agent?   2017-12-14
  46. What is the point with the zone files.uu.se?   2017-12-07
  47. How are the network sockets identified?   2017-10-26
  48. What service levels does BMC-IT have compared to others at the university?   2017-08-23
  49. How do I activate group membership in AKKA?   2017-08-21
  50. What is the cost of a PC file server?   2017-06-02
  51. How do I use offline files?   2017-05-22
  52. How do I use Eduroam, the wireless network, in Windows?   2017-05-17
  53. How to use WinSCP to access files over SCP on Windows   2017-03-31
  54. How do I activate my Office using KMS?   2016-12-08
  55. Add a printer in Ubuntu 14.04   2015-06-04




1. How do I connect a private computer to the department network?

See also: What is my IP-address and MAC-address?
See also: How do I find the serial number on macOS?
See also: How do I change the Mac computer name, host name and NetBIOS-name?

The most common way to connect private computers to the university network is to use the wireless network Eduroam. Read more about Eduroam on the central university support pages. Printing is done via eduPrint.

Some departments allow connecting private computers directly on the department internal LAN, because it might be the only way to use the internal department printers not connected to eduPrint.

When that is the case, the following information must be entered in the inventory. Please send the answers by mail (in the body text of the mail, not as an attachment) to helpdesk@bmc.uu.se.

  1. Full name of user and e-mail address
  2. Research group leader
  3. Serial number
  4. Computer name (hostname - what you are calling the computer)
  5. Computer manufacturer and model
  6. Operating system (Windows 10, macOS 10.12.6, Ubuntu 17.04 etc)
  7. Procurement date
  8. Name of anti-virus software (if any)
  9. Current firewall settings - enabled or disabled or something else? (Are there any open services on the computer? Please close any file shares, printers and similar services that are not needed and keep a password on those that must be open. No anonymous guest login should be possible for the services on the computer.)
  10. Computer MAC-address on the LAN port
  11. Has the computer installed the latest updates for the operating system (Windows, macOS, Ubuntu etc) and major applications (Microsoft Office, Firefox, Google Chrome, anti-virus etc)?

The information is needed because the security division at Uppsala University must be able to trace security incidents, viruses and similar activity. The university rules require every computer to run adequate anti-virus software. We also need to know if operating systems that are too old and insecure (Windows XP) are being used, and who we should contact if there are any questions.

When the computer is registered it can be used on any network socket connected to the department network.

How to find some of this in Windows (type in command line)

  1. wmic csproduct get IdentifyingNumber
  2. hostname
  3. wmic csproduct get name
  4. ver && echo %PROCESSOR_ARCHITECTURE%
  5. getmac
    ipconfig /all (find the physical address for the ethernet adapter)

How to find some of this in macOS (type in command line)

  1. ioreg -l | grep IOPlatformSerialNumber (Also see How do I find the serial number on macOS? )
  2. hostname
  3. sysctl hw.model
  4. sw_vers -productVersion
  5. ifconfig en0 | grep ether




2. How do I force activation of Windows 10 using KMS?

See also: How do I activate my Office using KMS?
See also: How do I start an elevated command prompt (as administrator) in Windows?

When updating Windows Pro 7 to Windows 10, activation may fail. The name of the university KMS-server has also changed a few times, so Windows computers still using the old name lose their activation.

It may look like this:

How to activate Windows

  1. Connect to the university fixed network (ethernet).
  2. First start a command window as administrator.
  3. The command slmgr.vbs /ato should try to do an automatic activation if the computer is part of the Active Directory. If it is not part of the Active Directory you need to specify the KMS-server, see below.

  4. If that does not work, try to specify the activation server first with slmgr.vbs /skms kms.user.uu.se, followed by slmgr.vbs /ato again.
  5. And if that does not work, try to reset the product key and then do an activation with the command slmgr.vbs /rearm.

  6. Display information about activation with slmgr.vbs /dli. It should look like this:

  7. You can also check when the license expires with the command slmgr.vbs /xpr.
  8. If things do not work, maybe the KMS-address has changed? You can check the current address with the command nslookup -type=srv _vlmcs._tcp.user.uu.se. If it has changed, the address kms.user.uu.se should be replaced with the new one. Please send mail to helpdesk@bmc.uu.se to let us know if this is the case. In the example below both refer to the same server, which is correct.





3. How does the reinstallation of Windows computers work at BMC-IT?

See also: What is the BMC-IT computer platform and how does it work?

These are instructions for installing Windows 10 x64 Enterprise via MDT 2013.

  1. Prepare installation
    1. Create USB flash drive
    2. Configuration for network boot
    3. Configuration of router filter
    4. Permissions for autojoin domain
    5. Hardware support
  2. Configure BIOS
  3. Starting install via USB flash drive
  4. Starting install via network
  5. Clearing partitions
  6. Continue with installing
    1. Select task sequence
    2. Fill in computer name and join domain
    3. Select applications
    4. Wait while installing
    5. Administrator password

Prepare installation

Create USB flash drive

  1. Get access to the installation directory through User-AD group bmc-autoadmin-group. Send a mail to BMC-IT (helpdesk@bmc.uu.se) with your username and what you want.
  2. Get one or several 32 GB USB flash drives.
  3. Login on a Windows 10 computer with USB-ports as administrator.
    IMPORTANT: DO NOT HAVE A NETWORK DRIVE MAPPED TO G: H: I: OR J:!
  4. Reformat the USB flash drive with FAT32 file system
  5. Insert the USB flash drives (max 4 at the same time) in Windows 10 computer.
  6. Start a command prompt as administrator cmd (use CTRL and SHIFT to run as administrator from the prompt in the start menu)
  7. Run command: net use n: \\uuit-nasutus.its.uu.se\BMCIT-Common /user:user\account and login using your university account and password A.
  8. Run command: \\uuit-nasutus.its.uu.se\BMCIT-Common\MDT\scripts\MDT_FormatUSB.cmd \\uuit-nasutus.its.uu.se\BMCIT-Common\MDT\MDT-MediaMT

    This will format and erase all USB flash drives inserted in computer!

  9. Wait a long time. The faster the USB flash drives the better.
  10. Done!

Update USB flash drive

  1. If you already have done the above steps on a USB flash drive, you can choose to only update the USB flash drive by running command: \\uuit-nasutus.its.uu.se\BMCIT-Common\MDT\scripts\MDT_FormatUSB.cmd \\uuit-nasutus.its.uu.se\BMCIT-Common\MDT\MDT-MediaMT sync
    This will not format, just update the sticks with changed files.

Configuration for Network boot

For Windows DHCP it looks like this:


For ISC dhcpd it looks like this (this is using the central tftp.its.uu.se server):

dhcpd.conf:

    filename "bmc/pxelinux.0";
    next-server "130.238.7.37";

/tftpboot/pxelinux.cfg/default (already done):

    PROMPT 1
    TIMEOUT 100
    DEFAULT l
    DISPLAY msgs/boot.msg

    LABEL l
      MENU LABEL ^Local Boot (default)
      LOCALBOOT 0

    LABEL mdtmt
      MENU LABEL Windows MDT LiteTouchPE x64
      KERNEL memdisk
      APPEND iso initrd=LiteTouchPE_x64.iso raw

/tftpboot/msgs/boot.msg (already done):

    Displaying tftp://tftp.its.uu.se/bmc/msgs/boot.msg from 130.238.7.37

     l        Local Boot (default)
     mdtmt    Windows 10 Enterprise x64
Pxelinux comes from syslinux.org. It is included in most Linux distributions.

The LiteTouchPE_x64.iso is located at \\BMCIT-Common.files.its.uu.se\BMCIT-Common\MDT\Boot\LiteTouchPE_x64.iso

Configuration of router filter

TFTP is using UDP. The request to the TFTP-server is sent on port 69/udp from any port. The TFTP-server at tftp.its.uu.se (130.238.7.37) is using UDP source ports 6900-6999 for responding.

Open up UDP, both directions, from host 130.238.7.37 to your clients. Usually this is all of your subnets. Send a request for this to netsupport@its.uu.se.

Permissions for autojoin domain

The account USER\bmc-autoadmin-mdt must at least have permission to Create Computer objects in the correct OU to be able to join automatically.

Hardware support

MDT 2013 based on Windows 10 has these requirements:

Microsoft has for Windows 8.1 dropped support for CPUs without the PrefetchW-feature. This includes the Pentium D 8xx CPUs which are used in for example many Dell Optiplex GX620 desktops. So even if they have 4 GB RAM they cannot run the installation.

Some other Dell Optiplex with the slightly faster Intel Pentium D 9xx are working fine.

Check model with wmic csproduct get vendor, version

Configure BIOS

  1. Make sure you have the latest BIOS for the computer.
  2. Press F12 or F10 or whatever to enter BIOS. It depends on the computer model.

  3. To use UEFI-mode and install from USB flash drive, select:
    • Secure boot: OFF
    • Legacy boot: OFF
    • SATA mode: AHCI (not RAID)
    • UEFI boot order: Deselect USB flash drive

  4. To use Legacy-mode and install from network, select:
    • Legacy option ROMs: ENABLED
    • Secure boot: OFF

Starting install via USB flash drive

  1. Press F12 or F10 or whatever it is to be able to select boot source. It depends on the computer model.
  2. Choose to boot via USB. Some older computers might be limited to booting from a USB2-port. USB3 might not work on older computers.
  3. Continue with installing.

Starting install via network

  1. Press F12 when starting the computer to boot via network. If the network adapter does not show up, PXE-booting may have to be enabled in BIOS.
  2. Choose to start MDT by typing M D T M T and pressing ENTER

  3. This will boot the netinstallation ISO over TFTP.
    If it does not work, boot via USB flash drive instead.
  4. Continue with installing (next section below).

Clearing partitions

If the installation stops because of a previous installation attempt or if something else is weird with the partition table, previously created partitions may be cleared manually.

  1. Press F8 during installation to start a command prompt
  2. diskpart
  3. sel dis 0
  4. cle
  5. exit

Diskpart can also be used for unmounting a drive:

  1. Press F8 during installation to start a command prompt
  2. diskpart
  3. list volume
  4. sel dis 0
  5. remove all dismount
  6. exit

Continue with installing

  1. Select task sequence:
    • W10E is the normal Win10 Enterprise x64 deploy.

  2. Fill in computer name. The new computer name standard is first three letters for institution, then a dash and the computer serial number. The serial number is automatically read from the computer BIOS.
    USER\bmc-autoadmin-for-mdt must be given privileges to create new computer accounts in the USER-AD.
  3. If you are using a Virtual Machine then name the computer TLA - VM USERNAME. For me at BMC with the username jny25782 I would name my first virtual machine BMC-VMJNY25782.

  4. Select what applications or other packages to install during installation:

  5. Wait up to two hours, but normally 20-30 minutes while the computer is running MDT for installing OS and applications.
  6. For computers in USER-AD at BMC the local administrator password is set by a GPO to a unique hash for each computer. Any locally set password will be overwritten.

    Without the GPO SetLocalPassAsMD5 the password will be set to bytgenast which means that you are responsible to CHANGE PASSWORD when the installation is done.

    Currently the algorithm looks like this: The serial number is upper case, cut to 11 characters, and padded by zeroes until 12 characters length, and then a secret password is added. The following works at the command line at macOS or Linux to create the password.

    macOS:

    echo -n SERIAL000000SECRET | md5 | head -c 12

    Scientific Linux, Ubuntu etc:

    echo -n SERIAL000000SECRET | md5sum | head -c 12
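
The derivation described above, written out as a script that also handles serial numbers that are lower case, shorter or longer than the SERIAL placeholder. This is an added example, not BMC-IT's own tooling; the function names are assumptions, and the secret is read from a prompt so it does not end up in the shell history.

```shell
#!/bin/sh
# Added example: local administrator password derivation as described in the
# text (serial upper-cased, cut to 11 chars, zero-padded to 12, secret
# appended, MD5, first 12 hex characters). Function names are assumptions.

# normalize_serial SERIAL
# Upper-case the serial, cut it to 11 characters, pad with zeroes to 12.
normalize_serial() {
    serial=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]' | cut -c1-11)
    while [ "${#serial}" -lt 12 ]; do
        serial="${serial}0"
    done
    printf '%s' "$serial"
}

# md5_hex: MD5 of stdin as 32 hex characters (md5sum on Linux, md5 on macOS).
md5_hex() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum | cut -c1-32
    else
        md5 | cut -c1-32
    fi
}

# derive_password SERIAL SECRET
# First 12 hex characters of MD5(normalized serial followed by the secret).
derive_password() {
    printf '%s%s' "$(normalize_serial "$1")" "$2" | md5_hex | cut -c1-12
}

# read_secret: prompt without echo when run from a terminal, so the secret
# is neither shown on screen nor stored in the shell history; otherwise read
# one line from stdin.
read_secret() {
    if [ -t 0 ]; then
        printf 'Secret: ' >&2
        stty -echo
        IFS= read -r secret_in
        stty echo
        printf '\n' >&2
    else
        IFS= read -r secret_in
    fi
    printf '%s' "$secret_in"
}

# Stand-alone use: sh derive.sh SERIAL   (the secret is then asked for)
if [ "$#" -eq 1 ]; then
    derive_password "$1" "$(read_secret)"
fi
```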






4. How do I print on EduPrint with LPD on Windows 10?

See also: How do I access my scans for eduPrint in Linux?
See also: How do I set up eduPrint for a Linux server?
See also: How do I print to eduPrint using LPD on macOS?

This solution picks the LPD username from the Windows user. You must use the same username on your Windows computer as the account you are trying to print to in EduPrint. Sorry about that, but I have not found any workaround for using local accounts with other names.

  1. Start the Control Panel

  2. Enter View devices and printers

  3. Enter Add a printer

  4. Pick The printer that I want isn't listed

  5. Pick Add a local printer or network printer with manual settings and then Next

  6. Pick Create a new port: followed by Standard TCP/IP port and then Next.

  7. Enter edp-uu-prn01.user.uu.se as the Hostname or IP address and for example EduPrint LPD as the name

  8. Wait a moment for Windows to time out while detecting ports.

  9. Pick Custom and enter Settings...

  10. Pick the Protocol LPR and then enter the Queue Name eduPrint-UU, check the option LPR Byte Counting Enabled and proceed with OK

  11. Proceed with Next.

  12. Choose the manufacturer RICOH and the Printer PS Driver for Universal Print and Next.

  13. This computer already has the driver so in this case just go Next.

  14. Name the printer for example EduPrint LPD
  15. Do not share the printer and proceed with Next

  16. You may Print a test page and then Finish.

  17. If everything works fine you should now be able to enter EduPrint on the web at Eduprint.uu.se, where your job should show up.

  18. This is what the new printer looks like when following this instruction.





5. How do I connect to storage at Argos?

See also: What is Argos?
See also: How do I order a personal storage at Argos?
See also: How do I order a group storage at Argos?
See also: How do I manage access to a group storage at Argos?
See also: How do I map a network drive via SMB on Windows?

The file server is currently only accessible within the Uppsala University network or from home using VPN.

Please use the guides at Rudbeck-IT portal “My Rudbeck” to see the different options to access the storage spaces.
Windows
Please note that Windows users with a BMC-IT installed computer should use the alternative "Access via server address" to connect to the storage. Learn more about how to map a network drive to your Personal Storage above.



6. Who is responsible for what on the BMC network? Who can help me?

See also: What Internet bandwidth does the university have?
See also: Which VLANs are at the campus BMC-router?
See also: How are the network sockets identified?
See also: How do I use an Apple AirPort Time Capsule?
See also: What do the different symbols in BlueCat mean?
See also: My Internet does not work! How can I find the problem?
See also: There is no wired network here - what to do?

Local IT

This may be you, your department, BMC-IT or client support at UUIT or any other organisation at the university, depending on where you work.

BMC-IT

Contact helpdesk@bmc.uu.se

UUIT

Contact Domainmaster (DNS/DHCP/TFTP), Netsupport (Network), IRT (Security) or UU helpdesk (everything else).

Responsibilities

These reflect how it is usually done, but are not carved in stone

  • All usage on the VLAN/subnet
  • Local security on the VLAN/subnet
  • Identity of the different computers
  • Request change in router filter
  • Physical network copper and fiber.
  • Buy switches
  • Request change of VLAN configuration of switch ports
  • Patch network in cross connect cabinets
  • Keep documentation of cross connect cabinet patches
  • May help Local IT track down rogue computers
  • Router and router filter (Netsupport)
  • Perimeter Firewall (Security division)
  • Install, configure, replace and maintain switches (Netsupport)
  • Security tracking (Security division)
  • TFTP, DNS and DHCP for UU (Domainmaster)
  • May help Local IT track down rogue computers (Netsupport and Security division)

Install a new network socket (or move an existing network socket)

Installation of a new socket costs around 3000 SEK for a double socket. It depends on the amount of work. Several sockets in one room is less work (cheaper) per socket than one single socket. Please write the following information in the mail:

  • Room number
    Example A1:123d
  • Other requests
    Example right side, near the window
  • Who to charge (Kostnadsställe)
    Example 123ABC

If you want to connect the network sockets to the network (and not only telephone) then also supply:

  • Which VLAN at BMC you would like to use.
    Example Vlan680 "BMC-Data"
  • If you want one or two sockets to be connected. If you only want one, clarify which socket to activate.
    Example Left, right or both

Install a new fiber network socket

Installation of a new socket costs around 8000-10000 SEK for a double socket with two single-mode fiber connections. In total the cable has four fibers. The cost depends on the amount of work. Several sockets in one room is less work (cheaper) per socket than one single socket. Please write the following information in the mail:

  • Room number
    Example A1:123d
  • Other requests
    Example right side, near the window
  • Who to charge (Kostnadsställe)
    Example 123ABC

If you want to connect the network sockets to the network then also supply:

  • Which VLAN at BMC you would like to use.
    Example Vlan680 "BMC-Data"
  • If you want one or two sockets to be connected. If you only want one, clarify which socket to activate.
    Example Left, right or both

If you want to connect the fiber somewhere else at the university let us and Netsupport know what your plans are.

Directly connect two network sockets

Two network sockets connected to the same cross connect cabinet may be directly connected with two patch cables in the cross connect cabinet. Just send an email to helpdesk@bmc.uu.se with the network socket and cross connect cabinet identifiers.

New power socket

Talk to Bo Ejdesjö at BMC. Will cost money. Hyresgästanpassning (tenant adaptation).

New pillar with power and network sockets

Talk to technical service at BMC. Free of charge AFAIK.

All about fixed telephone

Talk to teleservice at university. Will cost money.

Activate network socket

BMC-IT does the cross connect cabinet patching and requests VLAN change.

Please write the following information in the mail. (Read more in the FAQ on how the network sockets are identified. If you do not know the VLAN, maybe you have other equipment that is using that VLAN? Send the IP- and/or MAC-address of that equipment and we can look it up.)

  • Cross connect cabinet identifier
    Example A1-D101-11-17
  • Network socket identifier
    Example A1.202:1
  • VLAN name or number
    Example Vlan664 "NEURO"
  • If it is a double socket identifier, clarify which socket to activate
    Example Left, right or both

Here is an example of how a mail could look:

Deactivate network socket

Send a message to BMC-IT with the following information in the mail. (Read more in the FAQ on how the network sockets are identified.)

  • Cross connect cabinet identifier
    Example A1-D101-11-17
  • Network socket identifier
    Example A1.202:1
  • If it is a double socket identifier, clarify which socket to deactivate
    Example Left, right or both

Change VLAN in an already activated socket

Send the request to BMC-IT. Please write the following information in the mail:

  • Cross connect cabinet identifier
    Example A1-D101-11-17
  • Network socket identifier
    Example A1.202:1
  • VLAN name or number
    Example Vlan664 "NEURO"
  • If it is a double socket identifier, clarify which socket to deactivate
    Example Left, right or both

Here is an example of how a mail could look:

UUIT Netsupport will do the configuration of VLAN in switch.

Server room access in D11:0

May give temporary guided access. Contact UUIT for permanent access to your rack.

Faster network

Upgrades to 1 Gbit/s are available in most cross connect cabinets. Request upgrade from Fast Ethernet to Gigabit by sending a mail to helpdesk@bmc.uu.se with the following information written in the mail:

  • Cross connect cabinet identifier
    Example A1-D101-11-17
  • Network socket identifier
    Example A1.202:1
  • If it is a double socket identifier, clarify which socket to upgrade
    Example Left, right or both

If you need 10 Gbit/s contact BMC-IT together with UUIT Netsupport. This is available in a few cross connect cabinets.

Order a new VLAN/subnet

First find out how many IP addresses you need. (Remember to fix DNS and perhaps DHCP, router filter settings, and possibly perimeter firewall settings.) BMC-IT may be aware of spare ranges or networks on the way to being decommissioned that can be reused. We do not want to create a lot of small VLANs if not needed. Contact UUIT Netsupport to get new subnet and VLAN assignments.

Campus router filter settings (Cisco)

Figure out what you need, and let UUIT Netsupport configure the router filter.

University perimeter firewall settings (Fortigate)

Figure out what you need, and let the Security Division configure the firewall.

DNS

Local IT can do this but should not. Use the BlueCat IPAM system at UUIT.

DHCP

Local IT can do this but should not. Use the BlueCat IPAM system at UUIT.

TFTP / PXE-boot

Local IT can do this. Use the UUIT TFTP-server.

Finding a rogue computer

The responsibility belongs to Local IT. Arpwatch service is available. Manual check in router and the Upunet Tracking Database (NetDB) service.

Finding used and unused IP-addresses

Keeping track of who is using what. Registration and removal of IP in DNS. Arpwatch service is available. Manual check in router, Bluecat (IPAM) and the Upunet Tracking Database (NetDB) service.

Router and uplink bandwidth

Linkstatus graphs available for BMC. Netstat graphs available for UU.

Magic network problems

Contact your Local IT, and then let Local IT contact UUIT Netsupport.

My Windows server does not work

Contact your Local IT.

Eduroam does not work on my client or in general

Local IT may help with client configuration. Broken wireless hotspots should be reported to UUIT Netsupport.

Wireless (Eduroam) coverage is low in some rooms or corridors

Contact BMC-IT to discuss what can be done. All office corridors should have coverage, or at least they originally had. Over the years more and more equipment is using the wireless network or the free frequencies used by the wireless network for different purposes.
  1. BMC-IT can together with IT-division order more hotspots to get better coverage. This is paid for by the tenant (department). Send a mail to helpdesk@bmc.uu.se with the following information
    1. A list of room numbers with low coverage
    2. Who to charge (Kostnadsställe) Example 123ABC

    An approximate cost would be 3000 SEK for the network socket and 5000 SEK for the wireless access point. Current delivery times are around two months for a new network socket to be installed and the wireless access point to be delivered and set up.

  2. With a start in 2018 the IT-division will upgrade the network at BMC to a new generation of wireless hotspots. Most of the switches and wireless hotspots will be upgraded. It will take some time for this to be completed.

  3. If you have a laptop computer with no ethernet port you can use a USB-adapter for attaching the wired network to the computer.

  4. Some laboratory instruments and door locks also use the same free frequencies. There is not much we can do; the equipment manufacturers and the landlord / facility providers do not always have the same priorities as us (IT-support and network users).

UUIT Netsupport may together with BMC-IT install new wireless hotspots. This may cost money. All public rooms for students should have coverage.

I need a network cable

Contact your Local IT.

The IRT-group has disconnected my computer from the Internet!

Contact your Local IT to fix your computer. Let the Local IT contact the IRT-group to open the router filter when the computer is fine.

My Internet does not work! Help!

Check how to find the cause of the problem here. Finding configuration problems in the local computer is a job for Local IT. If it should work but gets no link then perhaps the switch port is broken. Contact helpdesk@bmc.uu.se.

If a network port has been unused (no link) for over 300 days the switch port may be reused for something else. If you want unused connectors to stay active you have to use them from time to time. This counter is automatically reset in the switch, so the network socket just has to be connected with an active link for a short time.

This might be a magic network problem. Then contact UUIT Netsupport.

Sometimes the Security division may have blocked an IP. So if a specific IP does not work but others do then this may be the case. This may have happened years ago when an old unpatched computer was using that IP.





7. What should be done to introduce a new system administrator at BMC?

There are several different systems a new employee may get access to. This is not a complete list of all systems that should be given access to but rather a list of external systems that one should at least be aware of.

Some of these things have to be done before an employee starts.

Some of this applies to more than just BMC so you are more than welcome to take a look. Please let us know if there are things we are missing.

Personal computer and work space

Get an office. Chair, table, network. Do you need an ergonomic adjustable table? Make a raid down to the BMC campus office supply cabinet and get some pens, a notebook, a scissor and other office stuff that you might need.

If you have a Mac, get an external hard drive to run local Time Machine backups.

Get a standard PC and/or Mac up and running with the standard installation. When you have a UU account, make sure you are a local administrator.

If you need to, get two USB-sticks, one with Windows (with MDT) and one with latest macOS so that you can reinstall computers. Be familiar with the instructions regarding reinstallation of Windows and macOS.

There is a Mac installation server available on the BMC-Data network. There is a PXE boot menu available on almost all networks where legacy (not UEFI) installations of Windows can be done. Also basic network boot options for installing CentOS, installing Ubuntu and running Memtest86 etc are available there.

Configure the computer to work with eduroam and eduPrint. Make sure it works.

Order a home directory at My Rudbeck and use the Medfarm voucher to get it for free. Make sure you can access this storage on your computer.

Try out Filr the file sync system. Install the Filr client on your computer. Understand where data is stored. Make sure you can access the data both via Filr and directly.

Let your boss order a phone, either fixed phone or mobile.

Activate your access to the VPN service by following the instructions.

Work clothing

You may get your own fancy BMC/UU hoodie at Grolls. Or whatever work clothing you need for doing your job.

Administrator access

Apply for administrator access to the Local IT organisation in the Active Directory. This will control access to USER.UU.SE\BMC and USER.UU.SE\LocalIT\BMCI in the Active Directory. The terminalserver to use is called dcts.user.uu.se.

The group BMC Computing Department in USER-AD (sorry for the odd name of this group) controls some access to different systems, including the file share \\BMCIT-Common.files.uu.se\BMCIT-Common aka \\USER.UU.SE\BMCI\Common.

The Zenworks system for management of Windows (just FYI)

The Munki system for management of Mac (just FYI)

The Symantec server (just FYI).

Physical access

You need an employee key card. This will grant access to the corridors at BMC but not to other campuses.

You need a key to your office. Almost all offices at BMC campus management share the same lock and key.

After instructions, you may get access to the BMC computer room at D11:0.

The cross connect cabinets of BMC are locked with a special key, which can be granted via the BMC-administration if needed. There is an extra key in the Nyckelpiga in the basement, so one does not need a physical key all the time.

Network management systems

There are some network administrative systems that one should be aware of and maybe be given access to. This includes:

  1. NetDB (for IP / VLAN / Mac / Switch-port information) (Ask Netsupport for access)
  2. NetReg (for Vlan and router and router filter configuration)
  3. Bluecat (the IPAM system for DNS DHCP information) (Ask Servicedesk for access)

Medarbetarportalen

Login at Medarbetarportalen. Here you can find for example:

  1. Sympa - mailing list server. You may want to join these mailing lists:
    • bmc-it@lists.uu.se
    • da-info@lists.uu.se
    • it-forum@lists.uu.se
    Someone at BMC-IT has to add you to:
    • bmc-it@lists.uu.se
    You will be automatically added to:
    • bmc-int@lists.uu.se
  2. Primula Web - wage, vacation, sick leave, parental leave etc.
  3. Product Web - procurement
  4. Progdist - software licence server
  5. Akka-self service - how to change password and create guest accounts
  6. eduPrint - the printing system
  7. EasIT - the helpdesk system. This is the tool to handle support requests.

Documentation to read

Read the docs in the FAQ at http://it.bmc.uu.se/faq/ and SOPs at http://it.bmc.uu.se/sop/. You do not have to read everything but it is good to have an idea of what it is. Of special interest may be how to reinstall computers with Windows and macOS.

There are more docs at the INV-Common share as well.

Take a look at the central IT helpdesk documentation at mp.uu.se/web/info/stod/it-telefoni

Take a look at the environment and security web pages at BMC. Make sure you know the way to the recycle rooms and to the container for the combustible fraction.

New employee introduction

The university has introductions for new employees. Book the next scheduled event!

Wellness, waste and environment at BMC

There is a gym, a table tennis room, showers and a sauna at BMC. Read more at BMC - health. Please note that employees at Uppsala University get a small wellness subsidy every year which can be used for gym membership and other similar activities. Also, when the job allows, you may have one hour of wellness activities every week on paid time.

There are a couple of in-service bikes at BMC: two are normal and two are electric. Borrow them at the reception.

In order to learn how to handle waste at BMC, please read the documentation.

Please note that no smoking is allowed closer than 15 meters from any university entrance.

Welcome! :-)





8. What are the recommendations for buying a new mac?

See also: How do I order a standard computer?
See also: What's the name of the connector?

Background information

Apple has switched to using only USB-C as interface for their MacBooks, which means that old adapters no longer work. There are adapters that convert to USB-C, but the cost is about the same as getting new ones, so we suggest that you replace the adapters to follow Apple's recommendations.

You should think about whether you want a docking station on your desk or not. It reduces the number of adapters you need to connect each day. You probably need one or more adapters anyway (e.g. Apple Multiadapter HDMI and/or VGA) for your computer bag, for when you have to present something and need to connect the computer to a projector.

In addition to this, Mac users should always have an external hard drive that backs up the entire computer with TimeMachine. This hard drive should always be connected to the computer on the desk and then stored in a safe place when not in use. Don't bring it when travelling!

Please note that all prices mentioned below are subject to change!

Computer

We recommend at least Intel Core i5 with 16 GB RAM and 256 GB SSD storage or better.

Display adapters

Docking station

Network adapters

If you don’t want a docking station you need a network adapter to connect to the department network.

Display

Keyboard

Mouse

External disk

To use with local TimeMachine backup

Lock

2.D. Option: Use Cisco software defined networks

Probably expensive, requires new equipment and is a bit more complicated than we need.

Reference: Cisco Identity Services Engine Data Sheet - Cisco

Cisco SD-Access Ordering Guide - SD-Access Platform Support Summary - Cisco

2.E. Option: Use automatically configured VLAN

Use MAC-address or login to automatically configure the VLAN on each edge switch port.

Maybe it is possible to populate the database server (RADIUS) with MAC-addresses from the BlueCat whitelists using the API. Good with integration.

1. Optional login with username and password and then select the correct VLAN based on the username. Extra security or special cases.
2. Check if the client MAC-address is in a Bluecat whitelist here at BMC (the local campus) and then select the correct VLAN:
     Vlan660 FarmBio
     Vlan661 ILK-fkog
     Vlan662 MCB-instr
     Vlan663 Kemi-analut
     Vlan664 Neuro
     ... all the different local VLANs
3. Check if the client is in any whitelist at the university and pick the same VLAN for all of them: Vlan??? UU-Work
4. All others: Students, guests, private computers need to use the captive portal to login: Vlan695 Netlogin
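The selection order of option 2.E, written out as an added example (not part of the original plan and not code from BMC-IT or Cisco). The function names, the whitelist contents, the username-to-VLAN map and the tie-break for a MAC listed twice are assumptions; the VLAN numbers and names are the ones listed above.

```python
import re

# VLAN numbers and names as listed in option 2.E above.
LOCAL_VLANS = {660: "FarmBio", 661: "ILK-fkog", 662: "MCB-instr",
               663: "Kemi-analut", 664: "Neuro"}
UU_WORK = (None, "UU-Work")      # the page gives no number for this VLAN ("Vlan???")
NETLOGIN = (695, "Netlogin")


def normalise_mac(text):
    """Return 12 lowercase hex digits for 00:11:22:AA:BB:CC, 00-11-22-aa-bb-cc
    or 0011.22aa.bbcc, or None when the input is not a MAC address."""
    digits = re.sub(r"[:.\-]", "", text.strip().lower())
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def load_whitelist(entries):
    """Normalise a whitelist export; malformed entries are dropped, not guessed at."""
    return {mac for mac in map(normalise_mac, entries) if mac}


def select_vlan(mac, local, university, username=None, user_vlans=None):
    """Apply the four rules of 2.E in order and return (vlan_id, name, rule)."""
    # Rule 1: optional login, VLAN chosen from the username.
    if username is not None and user_vlans and username in user_vlans:
        vlan_id = user_vlans[username]
        return vlan_id, LOCAL_VLANS.get(vlan_id, "unknown"), "login"
    key = normalise_mac(mac)
    if key:
        # Rule 2: local (BMC) whitelists. Lowest VLAN number wins if a MAC is
        # listed twice; that tie-break is an assumption, the page does not say.
        for vlan_id in sorted(local):
            if key in local[vlan_id]:
                return vlan_id, LOCAL_VLANS[vlan_id], "local whitelist"
        # Rule 3: any whitelist at the university.
        if key in university:
            return UU_WORK + ("university whitelist",)
    # Rule 4: everyone else, including clients that sent a malformed MAC.
    return NETLOGIN + ("captive portal",)


# Constructed whitelists using locally administered (02:...) addresses.
LOCAL = {660: load_whitelist(["02:00:00:00:66:00"]),
         664: load_whitelist(["02-00-00-00-66-40", "not-a-mac"])}
UNIVERSITY = load_whitelist(["0200.0000.aaaa", "02:00:00:00:66:40"])

if __name__ == "__main__":
    for mac in ["0200.0000.6640", "02:00:00:00:AA:AA", "02:00:00:00:00:01", "junk"]:
        print(mac, "->", select_vlan(mac, LOCAL, UNIVERSITY))
```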

Pros:

Cons:

Unknowns:


Reference: MAC Authentication Bypass Deployment Guide - Cisco
Reference: Consolidated Platform Configuration Guide, Cisco IOS XE 15.2(6)E (Catalyst 2960-X Switch) - MAC Authentication Bypass - Cisco
Reference: Command Reference, Cisco IOS Release 15.2(2)E (Catalyst 2960, 2960-S, 2960-SF and 2960-Plus Switches) - authentication event - Cisco

Background: How does Protected Ports work on a multi-switch network

All uplinks must be normally configured as promiscuous. All downlinks must be protected. The network topology must be strictly hierarchical with all routers or servers connected via promiscuous ports on a single switch.

In this first example only the client ports have been made protected. This only works within a single switch: Computer1 and Computer2 cannot talk to each other since they are both on protected ports on Switch1. But protected ports on different switches can talk to each other, because traffic may flow between protected and promiscuous ports on a single switch, so Computer1 and Computer2 can both talk to Computer3.


                     Router
                       |
         ===========Switch2===============
             |                    |
    =====Switch1=========   =====Switch3=====
     Protected  Protected      Protected
        |         |               |
     Computer1  Computer2      Computer3   

In the second example all downlinks are Protected. Traffic from Computer1 or Computer2 to Computer3 will be blocked on Switch2 because traffic cannot go between two protected ports on the same switch.


                     Router
                       |
         ===========Switch2===============
          Protected            Protected
             |                    |
    =====Switch1=========   =====Switch3=====
     Protected  Protected      Protected
        |          |              |
     Computer1  Computer2      Computer3   
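The two diagrams above as a small model, added here as an illustration and not part of the original FAQ. It applies the one rule the text states (a switch drops a frame that enters and leaves on protected ports) along the path between two nodes; the dictionary layout and function names are assumptions.

```python
from collections import deque

PROTECTED = "protected"
PROMISCUOUS = "promiscuous"

# Each switch maps the neighbour on a port to that port's mode.
# Constructed from the first diagram: only the client ports are protected.
EXAMPLE_1 = {
    "Switch1": {"Computer1": PROTECTED, "Computer2": PROTECTED, "Switch2": PROMISCUOUS},
    "Switch2": {"Router": PROMISCUOUS, "Switch1": PROMISCUOUS, "Switch3": PROMISCUOUS},
    "Switch3": {"Computer3": PROTECTED, "Switch2": PROMISCUOUS},
}

# Constructed from the second diagram: the downlinks on Switch2 are protected too.
EXAMPLE_2 = {
    "Switch1": {"Computer1": PROTECTED, "Computer2": PROTECTED, "Switch2": PROMISCUOUS},
    "Switch2": {"Router": PROMISCUOUS, "Switch1": PROTECTED, "Switch3": PROTECTED},
    "Switch3": {"Computer3": PROTECTED, "Switch2": PROMISCUOUS},
}


def find_path(switches, src, dst):
    """Return the nodes from src to dst; the topology is strictly hierarchical (a tree)."""
    neighbours = {}
    for switch, ports in switches.items():
        for other in ports:
            neighbours.setdefault(switch, set()).add(other)
            neighbours.setdefault(other, set()).add(switch)
    if src not in neighbours or dst not in neighbours:
        raise ValueError("unknown node")
    came_from = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        for other in sorted(neighbours[node]):
            if other not in came_from:
                came_from[other] = node
                queue.append(other)
    if dst not in came_from:
        raise ValueError("no path")
    path = [dst]
    while came_from[path[-1]] is not None:
        path.append(came_from[path[-1]])
    return path[::-1]


def dropped_at(switches, src, dst):
    """Name of the switch that drops a frame from src to dst, or None if it arrives."""
    path = find_path(switches, src, dst)
    # Every inner node of the path is a switch; look at its ingress and egress port.
    for ingress, node, egress in zip(path, path[1:], path[2:]):
        ports = switches[node]
        if ports[ingress] == PROTECTED and ports[egress] == PROTECTED:
            return node
    return None


def report(switches, hosts):
    """One line per pair of hosts, saying where (if anywhere) traffic is blocked."""
    lines = []
    for index, a in enumerate(hosts):
        for b in hosts[index + 1:]:
            where = dropped_at(switches, a, b)
            verdict = "ok" if where is None else f"blocked on {where}"
            lines.append(f"{a} <-> {b}: {verdict}")
    return lines


if __name__ == "__main__":
    hosts = ["Computer1", "Computer2", "Computer3", "Router"]
    for name, topology in (("first example", EXAMPLE_1), ("second example", EXAMPLE_2)):
        print(name)
        for line in report(topology, hosts):
            print("  " + line)
```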


Regarding the Cisco PVLAN Edge

It may be possible to use the protected ports feature on an EtherChannel group, according to Configuring Protected Port for, as an example, the Cisco Catalyst C3850:

You can configure protected ports on a physical interface (for example, Gigabit Ethernet port 1) or an EtherChannel group (for example, port-channel 5). When you enable protected ports for a port channel, it is enabled for all ports in the port-channel group.

This would in theory make it possible to cascade down from a stack of distribution switches to an edge switch. However, it does not seem to be possible to use the Protected Port feature on a trunk port, nor on a single VLAN in a trunk. There are two possible solutions for this:


            Router
               |
    ====Switch1=C2960S=C2960S==== (multiple VLANs)
     Pro.  Pro.  Pro.  Protected
      |     |     |   Etherchannel
    Comp1 Comp2 Comp3  |  |  |
                       |  |  |
    ======SwitchC2960S=C2960S==== (single VLAN)
     Pro.   Pro.
      |      |
     Comp4 Comp5





10. How do I install anti-virus software on macOS?

See also: What is ransomware and CryptoLocker?
See also: My computer has got a virus! What do I do?
See also: How do I change the Mac computer name, host name and NetBIOS-name?
See also: How do I connect to a file server via SMB on macOS?

Contact helpdesk@bmc.uu.se for advice.

All computers have to run adequate anti-virus software according to the rules at Uppsala University.

We recommend Symantec Endpoint Protection (SEP). Licenses for this are in most cases paid for by the department, but you must notify BMC-IT if you install on your own so that we know what is going on. Notify BMC-IT by mailing helpdesk@bmc.uu.se

The server is run by Polacksbacken campus for the whole of the university for those who like to cooperate on this.

For this to work your computer host name must follow the Uppsala University naming scheme. This is first a three-letter acronym for the department, then a dash and then your serial number (or some unique identifier; if you are not using your serial number, let us know) so that when we receive a warning we can identify the computer. As an example, a computer may be named BMC-07JD0NADJD3.

How to install

First the preparation:

  1. Make sure your computer host name follows the Uppsala University naming scheme.
  2. Notify BMC-IT what you are doing by mailing helpdesk@bmc.uu.se. Send the name of the computer.
  3. You must be located on the Uppsala University network or connect via VPN.

Then the actual installation:

  1. Open the server smb://bmcit-common.files.uu.se/BMCIT-Common in Finder
  2. Open Public
  3. Open Public Installation Files
  4. Open Symantec_Endpoint_Protection_version_14.0.2332.0100_English for Mac (ANG) Pick the directory with this or the latest version number!
  5. Download Symantec_Endpoint_Protection_version_14.0.2332.0100_English.pkg by copying it to your local computer (for example the Desktop). Pick the package with this or the latest version number!
  6. Open the package and do the installation.
  7. Reboot computer.
  8. Start application Symantec Endpoint Protection and make sure it is working as it should.

Configurations you might want to do:

Turn off notifications
(For the computer only. A report will still be sent to the server in case there is a virus found.)

  1. Click on "Notifications" in the top right corner of Finder.

  2. Click on the settings icon in the bottom right corner.

  3. Scroll down to "Symantec" in the left pane and click on it.

  4. Choose "None" as Symantec alert style (or another style of your choice).




11. How do I access my scans for eduPrint in Linux?

See also: How do I set up eduPrint for a Linux server?

Where are the scans stored

The DFS-path to the directory where your scans are stored is smb://user.uu.se/eduPrint/Scan/USERNAME. This path works fine in macOS but may or may not work in Linux. The other official path is smb://eduprint.its.uu.se/scan.

How to access via user-space tool smbclient

Use smbclient to access your directory. But use your own username instead of mine. smbclient works like a very old school FTP-client if you remember those. It may be convenient because it is all in userspace and does not require any special privileges except access to the smbclient binary and network access.

smbclient -W USER -U jny25782 -m SMB3 //eduprint.its.uu.se/scan/
cd jny25782
ls

This works as well, without specifying a higher version of the SMB-protocol.

smbclient -W USER -U jny25782 -I eduprint.its.uu.se ///scan/
cd jny25782
ls

How to access them in Linux via kernel mount

You can mount directly on the command line like this. Use your own username and password.

sudo mount -t cifs -o username=jny25782,password=PASSWORDA,domain=user //eduprint.its.uu.se/scan/jny25782 /mnt/

You may exclude your password and be prompted instead. This works in Scientific Linux 6 (compatible with RHEL6) and CentOS 7 (compatible with RHEL7).

sudo mount -t cifs -o username=jny25782,domain=user //eduprint.its.uu.se/scan/jny25782 /mnt/

The default settings in Ubuntu 17.10 do not work. Try SMB version 2.1 like this. (Not needed anymore as of 2019-03-11.)

sudo mount -t cifs -o username=jny25782,domain=user,vers=2.1 //eduprint.its.uu.se/scan/jny25782 /mnt/





12. How do I map a network drive via SMB on Windows?

See also: How do I mount my home directory or shared storage at HNAS?
See also: How do I access PCFS over SMB using smbclient?
See also: How do I use AddPrinterGUI to add printers in Windows 7/8/10 x64?
  1. Open the file explorer. Press Left Windows key together with E.
  2. Right click on my computer and choose Map network drive...

  3. Enter the network folder you would like to map. In this example \\filserver.uu.se\neuro
    Learn about server name and path to your home directory or shared storage at "HNAS" above.

  4. Enter your username and password. Please note that the Windows domain USER has to be entered. Do not use my username jny25782 but your own username. Enter your password A.

Not working?

You may want to read about SMB Security Enhancements at Microsoft.



13. What is the BMC-IT computer platform and how does it work?

See also: What service levels does BMC-IT have compared to others at the university?
See also: Who manages IT-support for whom at BMC?
See also: What do the different symbols in BlueCat mean?
See also: Do you have a virtual machine (server) I can use?
See also: How does the reinstallation of Windows computers work at BMC-IT?
See also: We need more storage! Do you have a file server we can use?

The platform is the stack of software and infrastructure that BMC-IT uses.

Goals for the BMC-IT work with the platform:

  1. Provide a well working platform environment for the end users.
  2. Listen to what the users need. Implement changes in the platform when possible.
  3. Work together with the university and use central systems whenever possible.
  4. Provide options for the users with different needs regarding management, storage and operating system.

These are the major components of the platform

UpUnet and internal campus network

  • backbone and router financed via IT-division
  • campus switches financed via BMC
  • maintained by IT-division
  • cross connect patched by BMC-IT

The network and maintenance are paid for by the rent. There is no extra cost involved. However, new network sockets have to be paid for by the tenant.

BlueCat

  • pushed for and initiated by BMC-IT via IPAM-talk on IT-forum
  • maintained by and financed via IT-division

BlueCat is a tool for IPAM, an interface to manage DHCP and DNS. BMC-IT uses whitelists in BlueCat to control which clients will get an IP on which networks. BMC-IT also uses the central TFTP (PXE) server maintained by IT-division.

BMC server room

  • owned via IT-division and BMC
  • maintained by Akademiska Hus
  • operated by IT-division with assistance by BMC-IT
  • financed by the users from the whole university

The server room is for use by the whole university. Servers that BMC-IT maintains for the departments we give support to are paid for by the users of BMC-IT.

Microsoft deployment toolkit (MDT)

  • included in present licenses
  • maintained by BMC-IT

MDT is used for installation of Windows and an engine for software distribution (Zenworks) on client computers.

Munki

  • open source software
  • maintained by BMC-IT

Munki is used for software distribution on Mac. Munki does one thing, program and configuration distribution, and does that very well.

Microsoft Active Directory

  • maintained by IT-division

The client computers are joined to the Active Directory providing authentication and directory services.

OCS Inventory

  • maintained by BMC-IT

Lightweight inventory of software and hardware. Currently run in Mediateket (student computer laboratories) and on some Linux servers at BMC.

Zenworks

  • maintained by Uppsala University

Zenworks is used for software distribution on Windows. Packages that BMC-IT uses are mostly built by BMC-IT but some are shared over the university.

HNAS file server

  • owned and maintained by IT-division
  • financed by the users

Better storage. Cost 7000 SEK/TB/year (7 SEK/GB/year) in steps of 500 GB. Offline files may be used for access of Documents and Desktop, but not shared group folders.

PCFS (Archive storage)

  • owned and maintained by BMC-IT
  • financed by the users

In the price range of cloud storage. Simple storage with compression, snapshots and rsync to a secondary server. The solution can handle tens of millions of files with hundreds of snapshots, with snapshots kept for over a year.

OwnCloud sync storage (In development)

  • open source software
  • maintained by BMC-IT

Synchronized storage, similar to Dropbox in functionality. Currently used by a single department.

IBM Spectrum Protect tape backup

  • owned and maintained by IT-division
  • financed by the users

IBM Spectrum Protect is an enterprise standard backup and recovery system maintained by IT-division for the whole university. It is not very fast for many small files, in particular when backing up tens of millions of files incrementally.

Shared parts of the platform and comparison with some of the other platforms at UU made in 2018

SUNET highed BMC-IT EPI UADM UUIT RBL-IT POL-IT EBC UUB EKIT GT BLAS
info / contact JNvB JNvB BB various CR HH SÅ+BG EL AL
server room 3000 SEK/U/y BMC server room BMC server room
BMC server room
UUIT
BMC server room
Ångström
ITC + Ångström EBC
CAR
BMC server room
Ekonomikum
virtual machine platform Openstack KVM
UUIT VMWare VCenter ESXi
KVM
Microsoft Datacenter Hyper-V UUIT VMWare VCenter ESXi RUD-IT VMWare VCenter
Cloudsystem OpenStack
POL-IT VMWare VCenter ESXi
EBC VMWare VCenter ESXi
UBIT VMWare VCenter ESXi
KVM
MS Hyper-V
network infrastructure Cisco Cisco
Fortinet
Cisco
Cisco
Fortinet
HP
Cisco
Cisco Cisco Cisco
IPAM solution BlueCat BlueCat BlueCat
Bluecat
ISC DHCP
?
BlueCat
ISC DHCP
BlueCat BlueCat
tape backup solution IBM Spectrum Protect IBM Spectrum Protect IBM Spectrum Protect IBM Spectrum Protect Arcserve IBM Spectrum Protect IBM Spectrum Protect IBM Spectrum Protect
main client storage
UUIT Hitachi NAS (HNAS)
RBL-IT EMC Isilon
Microsoft Windows Storage Spaces UUIT Hitachi NAS (HNAS) RBL-IT EMC Isilon HP 3Par NetApp UBIT SAN EKIT SAN
sync storage SUNET box
Windows offline files
OwnCloud
UUB Micro Focus Filr
Windows work folders -
datAnywhere
Microfocus Filr (2018)
Microfocus Filr Windows offline files UUB Micro Focus Filr
Micro Focus Filr
SUNET Box
software distribution and inventory
SCCM
Jamf Casper Suite
Munki
Micro Focus Zenworks
Munki
OCS Inventory
SCCM
Jamf Casper Suite
- LanRev Micro Focus Zenworks Micro Focus Zenworks
Micro Focus Zenworks
Mobile Management
Micro Focus Zenworks
anti-virus software POL-IT SEP SCEP System Center Endpoint Protection - RUD-IT SEP POL-IT SEP (Windows)/ FortiClient (Mac) F-Secure F-Secure EKIT SEP
printing system eduPrint
eduPrint
direct print
? eduPrint eduPrint
eduPrint
direct print
eduPrint
eduPrint
direct print
Gespage
eduPrint
signage Xibo ? ? Samsung ? ? ? EKO-sign
number of computers in USER-AD 1174
bmc- fbv- farmbio- icm- ifv- ikv- imb- neuro- inv- isp- kmb- mcb- sll- mms- !inv‑opht !inv-srv00
2841
epi- ep- uadm- ucr- ilk- farmaci- nai- far-
- 1240
surgsci- igp- rud- rudb- inv-d0 inv-l1 imv- inv‑opht-
996
itc- mat- pol- fys- ang- kem- it- pol- polb-
335

ebc-
574
uub-
504
eki- kug- eh- fek- im- obs- kg- stat- nek-
624
psy- ipb- peki- uue- ipbs- bla- edu- did- fba- ffs- pu- kuup- ped-




14. We have a server, where should we put it?

See also: What is the postal address for BMC-IT?
See also: Who is resposible for what on the BMC network? Who can help me?
See also: How do I buy a new computer?
See also: Do you have a virtual machine (server) I can use?
See also: Who manages IT-support for whom at BMC?
See also: Open the server room for me please
See also: Who is responsible for the network in the BMC server room?
See also: What is the cost of a PC file server?

BMC has a server room in D11:0. The room was built in 2013 and is maintained together by the IT-division (UUIT) at the university administration (UADM) and Uppsala Biomedical Centre (BMC). The management team (styrgrupp) for the BMC-hall includes the IT director of the IT-division and the director of Uppsala Biomedical Centre.

K R T
333

The server room is equipped with:


The BMC-hall-router VLANs on the normal BMC-hall-switches cannot be shared with the VLANs on the router (called the BMC-router) for the rest of the building. Contact netsupport@its.uu.se for help with network configuration for the server room.

Current rate is 60000 SEK/rack/year or 2000 SEK/U/year plus a one time fee of 5000 SEK. (This should be about the cost of production. Prices from 2015-06-05.)

For renting space in the server room, contact bmc-hall@uu.se.

Also consider renting virtual servers or using some of the shared services at the university before buying your own physical servers. Contact uppdrag@its.uu.se for renting virtual servers in the shared VMware environment or storage. Contact UPPMAX for using the shared HPC resources for computation and storage. Check on them from time to time to see what they are up to before building something on your own, to reduce duplicated effort.

The BMC server room does not have a postal address. If you want to send packages of servers or other equipment to the server room at BMC please send to BMC-IT with your name as the recipient. (If you or your department has offices at BMC just send it to yourself at your department, do not send to BMC-IT.) Send us a mail to helpdesk@bmc.uu.se so that we know what is going on. When your package has been delivered you can pick it up at The Goods Reception and you need to show your ID.



15. My Internet does not work! How can I find the problem?

See also: How are the network sockets identified?
See also: How do I configure my resolver on a Linux machine?
See also: Some Cisco switch commands
See also: What is my IP-address and MAC-address?
See also: Who is resposible for what on the BMC network? Who can help me?

What network are you using?

  1. First check - are you trying to connect via the Wireless Network or the Wired network?

The wireless network:

  1. Do not use UpUnet-S
    Make sure you are not using UpUnet-S. UpUnet-S has a captive portal and requires login. Forget that network.
  2. Connect via Eduroam
    I will not go into details regarding how to configure Eduroam, but begin to read more about it here: Internet access with eduroam
  3. Do you not have coverage?
    • In student areas - order new Wi-Fi hotspots via Netsupport. In department areas, the department has to order and pay for them.
    • Use the wired network instead.

The wired network:

  1. Do you not have a link?
    If no link, check network cable. Throw away and destroy faulty Ethernet cables, even if only the little retainer tab is broken.

  2. If the link is down - has the network socket never been used before? Or was it a very long time ago since it was last in use?
    Contact your Local IT and activate the network socket. If there has been a switch upgrade in the cross connect cabinet recently, only the patch cables for the network sockets (or rather the switch ports) that have been used in the last year have been moved over to the new switch. If that is the case the network socket has to be activated again.
  3. Is the switch out of order?
    If the network socket suddenly stopped working with no link, maybe the switch is broken. Did the network suddenly go dark in some parts of the corridor and not in others? Then this may be the case. Contact helpdesk@bmc.uu.se.
  4. Is it really the network that is broken and not the computer?
    Try the network socket with another computer that is working with another network socket. This can help to identify whether the network socket is not working or if the problem is somewhere in the computer.
  5. Is the power out in the network cabinet?
    If Internet suddenly stopped working - it does happen that the power is out. It is not very common. The cross connect cabinets are usually located in the same part of the building as the lab or office housing the network socket. So go check if power is out. Are the lights on? If the power is out, just wait, Akademiska Hus is almost always already working on it.
  6. Do you have an IP-address?
    Check with ifconfig (Mac/Linux) or ipconfig (win). The IP-address should usually begin with 130.238 if you are at the university.
  7. Do you get intermittent link flaps?
    If the link sometimes goes down but not all the time this may be the case. Maybe the switch has put the switch port in link flap error disabled and then, after a timeout period, turned the switch port on again. Send a message to helpdesk@bmc.uu.se or netsupport@its.uu.se.
  8. Are you on the correct VLAN? (1)
    If you get a link but do not get an IP-address you may be on the wrong Vlan. You can listen on the network to see what traffic there is. Then you can quite often figure out whether you are on the correct subnet or not. This can be done in Linux with sudo tcpdump -n -i eth0 or on Mac with sudo tcpdump -n -i en0. (The network interface names may differ - check the names with ifconfig) For Windows Wireshark is a bit overkill but should work as well.
    As an administrator you can search for the MAC-address in NetDB to see how the switch port is configured.
  9. Are you on the correct VLAN? (2)
    If you have a static IP and you have link, but cannot reach the gateway, you may be on the wrong Vlan. This may be due to switch upgrades or wrong configuration of the switch. See above for possible ways of diagnosing this.
  10. Does the switch have that VLAN in the trunk?
    If the VLAN is correct, the link is up but everything is silent, check if the port is the first port with that VLAN on the switch. If so then maybe the trunk is missing that particular VLAN. Let Netsupport add the VLAN to the trunk.
  11. Is the DHCP-server out of free leases?
    If you have a link but do not get an address via DHCP then perhaps the DHCP-server is out of leases for your VLAN. You must contact your Local IT (which could be helpdesk@bmc.uu.se or someone else) to check what is going on. If it looks like there are free leases but it still does not work, let the Local IT send a request to servicedesk@uu.se and ask for DHCP-server-logs for that particular MAC-address.
  12. Is the computer in the whitelist?
    If this is the first time you are connecting this particular computer, maybe your computer's MAC-address has not been included in the DHCP whitelist. This is a list of computers that are allowed to connect to the network. Again you must contact your Local IT (which could be helpdesk@bmc.uu.se or someone else) to check what is going on.
  13. Does the network not have a DHCP-server at all, or maybe a local one?
    You have to check how your department has set up the network. On some networks, for historical reasons, the IP addresses are still distributed manually. Please contact your local IT-support. (The local IT may or may not be BMC-IT.)
  14. Is the default gateway address wrong?
    Do you have a gateway? Check with route print (Windows), ipconfig (Windows), netstat -nr (Mac) or route (Linux). If you got an IP-address but cannot reach the gateway, maybe there are old firewall rules that are blocking your IP. Check with your Local IT (which could be helpdesk@bmc.uu.se or someone else) and then let them check with Netsupport or Security Division.
  15. Can the gateway be reached?
    Ping the gateway! First check what the default gateway is and then ping it. Example: ping 130.238.39.193...

  16. Can you reach outside the gateway (router)?
    Test to ping Google resolver ping 8.8.8.8
    If this is not working this might also be a problem with router filters or firewall rules.
  17. Does DNS resolving work?
    1. Check the configured resolvers with nslookup www.uu.se
    2. Check if you can reach the UU resolver with nslookup www.uu.se 130.238.7.10
    3. Check if you can reach Google resolver with nslookup www.uu.se 8.8.8.8 or nslookup www.uu.se 8.8.4.4
  18. Are the network settings correct on the computer?
    Check Internet settings. Here is a guide at Microsoft for Windows.

    Check DNS-server settings. The Uppsala University resolvers (nameservers aka DNS-servers) are 130.238.7.10, 130.238.4.11, 130.238.164.6. (They should have the common name resolver.uu.se.) If you are using DHCP it should look like this:

  19. Does the computer work on another IP?
    If you are using a static IP you can try to use another free IP (check with your Local IT before using another IP). If that does work then:
    1. Maybe the IP you are trying to use is already in use. Please check arpwatch/NetDB.
    2. Maybe the IP is blocked in the university firewall. Please check with Security division.
  20. Is this a virtual machine that has been cloned?
    Check that you are using a unique MAC-address and unique IP-address for the cloned virtual machine. Otherwise the cloned machines will steal the addresses from each other which will make the network work erratically.
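The address, gateway, ping and DNS checks from the list above, chained for a Linux client so that the first failing layer is reported. This is an added example, not a BMC-IT tool; it assumes the iproute2 `ip` command and iputils `ping`, all function names are made up for the illustration, and the recorded outputs in SAMPLE are constructed.

```python
import ipaddress
import re
import subprocess

UU_NET = ipaddress.ip_network("130.238.0.0/16")  # "should usually begin with 130.238"
UU_RESOLVER = "130.238.7.10"
OUTSIDE = "8.8.8.8"
NAME = "www.uu.se"


def run_command(argv):
    """Run one command and return (exit_code, stdout); a missing tool counts as failure."""
    try:
        done = subprocess.run(argv, capture_output=True, text=True, timeout=15)
    except (OSError, subprocess.TimeoutExpired):
        return 1, ""
    return done.returncode, done.stdout


def replay(table):
    """Runner that answers from a dict of recorded outputs instead of running anything."""
    return lambda argv: table.get(" ".join(argv), (1, ""))


def local_ipv4(run):
    code, out = run(["ip", "-4", "-o", "addr", "show", "scope", "global"])
    found = re.search(r"\binet (\d+\.\d+\.\d+\.\d+)/\d+", out)
    return found.group(1) if code == 0 and found else None


def default_gateway(run):
    code, out = run(["ip", "-4", "route", "show", "default"])
    found = re.search(r"^default via (\d+\.\d+\.\d+\.\d+)", out, re.MULTILINE)
    return found.group(1) if code == 0 and found else None


def ping(run, host):
    return run(["ping", "-c", "2", "-W", "2", host])[0] == 0


def resolves(run, server=None):
    # nslookup exits non-zero when the query fails.
    return run(["nslookup", NAME] + ([server] if server else []))[0] == 0


def diagnose(run=run_command):
    """Return [(step, ok, detail)], stopping where later checks would be pointless."""
    results = []

    def record(step, ok, detail):
        results.append((step, ok, detail))
        return ok

    ip = local_ipv4(run)
    if not record("ip-address", ip is not None, ip or "none"):
        return results
    record("uu-range", ipaddress.ip_address(ip) in UU_NET, f"{ip} in {UU_NET}?")
    gateway = default_gateway(run)
    if not record("default-gateway", gateway is not None, gateway or "none"):
        return results
    if not record("ping-gateway", ping(run, gateway), gateway):
        return results
    if not record("ping-outside", ping(run, OUTSIDE), OUTSIDE):
        return results
    # All three DNS checks run, so the result shows which resolver is at fault.
    record("dns-configured", resolves(run), "configured resolver")
    record("dns-uu", resolves(run, UU_RESOLVER), UU_RESOLVER)
    record("dns-public", resolves(run, OUTSIDE), OUTSIDE)
    return results


def first_failure(results):
    """Name of the first failed step; 'uu-range' is informational only."""
    for step, ok, _ in results:
        if not ok and step != "uu-range":
            return step
    return None


# Constructed recording: addressing and routing work, the configured resolver does not.
SAMPLE = {
    "ip -4 -o addr show scope global":
        (0, "2: eth0    inet 130.238.39.201/26 brd 130.238.39.255 scope global eth0\n"),
    "ip -4 route show default": (0, "default via 130.238.39.193 dev eth0 proto dhcp\n"),
    "ping -c 2 -W 2 130.238.39.193": (0, ""),
    "ping -c 2 -W 2 8.8.8.8": (0, ""),
    "nslookup www.uu.se": (1, ""),
    "nslookup www.uu.se 130.238.7.10": (0, ""),
    "nslookup www.uu.se 8.8.8.8": (0, ""),
}

if __name__ == "__main__":
    outcome = diagnose(replay(SAMPLE))  # call diagnose() to run the real commands
    for step, ok, detail in outcome:
        print(f"{'ok  ' if ok else 'FAIL'} {step}: {detail}")
    print("first failure:", first_failure(outcome))
```

With the constructed recording only the configured resolver fails, which points at the DNS-server settings on the computer rather than at the network.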

Windows specific fixes when all else fails

  1. Reset TCP/IP-stack
    If most things look OK but the computer cannot connect to Internet anyway, then maybe the TCP/IP-stack needs to be reset. In Windows 7/8/10 the command for doing this (as an administrator) is netsh winsock reset. Follow up with a restart of the computer.

  2. Reset firewall rules
    To reset the firewall rules in Windows 10/8/7/Vista type netsh advfirewall reset as an administrator at the command line.

For administrators

It could be of help to find out this information about the computer for a more efficient troubleshooting:

  1. Look up the computer login logs for standard Windows clients. Search for the user and the computers. Here you can find the computer name and the username.
  2. Look up the computer name in Active Directory. In the description you can find the computer model and the MAC-address used for installation.
  3. Look up the MAC-address in NetDB. Here you can find the IP-address, switch name and switch port.
  4. Look up the MAC-address in IPAM (BlueCat). Here you can find if the computer is in a DHCP whitelist or any other DHCP-configuration related to the computer.
  5. Look up the IP-address in NetReg. Here you can find VLAN number and VLAN name and the ACL (router filter) for the VLAN.
  6. Look up the Switch and SwitchPort in the network documentation Excel-sheets at BMC. Here you can find the cross connect cabinet ID and network socket ID.
  7. Look up the MAC-address in Arptrack. Here you can find previous arpwatch log entries.




16. What is VPN?

See also: How to connect with VPN using AnyConnect in Windows
See also: How do I connect to the VPN using Ubuntu?
See also: How to connect with VPN using AnyConnect in macOS?
See also: How do I use port forwarding and SOCKS-proxy in SSH?
VPN is short for Virtual Private Network. A VPN tunnel is an encrypted connection between two places over an open network.

If you connect to the university network without a VPN tunnel, the ISP (Internet Service Provider) you use can see that there is data sent between your computer and the university network. The ISP would also be able to see the data that is sent and possibly intercept data.

When you connect to the university via VPN, an encrypted tunnel is created from your computer to the university VPN server. The ISP can still see that there is data sent from your computer to the university network, but they can't see the data and they can't intercept any data.





17. How do I send bulk mail?

Use Bcc in your normal mail program

  1. In this example we will use the webmail for sending the mail. First create a list of recipients in Excel.

  2. Compose a mail in the webmail, activate the Bcc-field (click on Bcc) and then copy and paste all the recipients into the Bcc-field. Put yourself in the To-field. You do not want everyone to be able to reply all to everyone receiving the mail, do you?

  3. Write your mail and send.

Use a mailing list at Sympa

If you wish to send to the same list of persons several times you may want to create a mailing list on the mailing list server.

You can create a mailing list for this purpose that only you can send to. Please send a message to servicedesk@uu.se and tell them what you want. Visit the Mailing list service Sympa.

Make sure only you are allowed to send to the list.

Send the bulk mail with a script

This solution requires some basic knowledge in using a text editor like Vi, Nano, Emacs or the built in TextEdit in macOS. If you do not know how to do that then this solution is not for you.

  1. Put all your recipients in a file like this, one recipient on each line and call it to.txt.

    jerker.nyberg.1@bmc.uu.se
    jerker.nyberg.2@bmc.uu.se
    jerker.nyberg.3@bmc.uu.se

  2. Create your message in a file called message.txt like this. Change the subject and the sender address.

    Subject: The subject of the mail
    From: persona.non.grata@example.uu.se
    MIME-Version: 1.0
    Content-Type: TEXT/PLAIN; charset=utf-8
    Content-Transfer-Encoding: 8BIT

    Hello all,

    Please read this important information. Bla bla bla.

    Kind regards,
    Jerker Nyberg von Below, UU BMC

  3. Then create a script that does the sending. Call it bulkmail.sh. Change the sender address again.

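    #!/bin/bash
    # Usage: ./bulkmail.sh to.txt message.txt
    REFILE=$1   # file with one recipient address per line
    BODY=$2     # file with the mail headers and the message text

    if test ! -e "$BODY" ; then
      echo "Error file $BODY does not exist"
      exit 5
    fi

    if test ! -e "$REFILE" ; then
      echo "Error file $REFILE does not exist"
      exit 5
    fi

    # Send one mail per recipient. read -r keeps backslashes literal.
    while read -r RE ; do
      test -n "$RE" || continue   # skip empty lines
      echo "Sending to $RE"
      (
        echo "To: $RE"
        cat "$BODY"
      ) | /usr/sbin/sendmail -f persona.non.grata@example.uu.se -- "$RE"   # -- stops a recipient starting with "-" from being read as an option
    done < "$REFILE"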

    Make sure the script is executable.

    $ chmod +x bulkmail.sh
    $ _

  4. Make sure you can send mail via the university mail server from your computer. If this is a macOS machine you want to set the relay host to smtp.uu.se. You do this by adding the following row to the file /etc/postfix/main.cf. This will only work when you are located on the Uppsala University network.

    relayhost = smtp.uu.se

    You may need to restart the computer after this is done.

  5. Run the script like this:

    $ ./bulkmail.sh to.txt message.txt
    Sending to jerker.nyberg.1@bmc.uu.se
    Sending to jerker.nyberg.2@bmc.uu.se
    Sending to jerker.nyberg.3@bmc.uu.se
    $ _





    18. Where do I store my data? How do I take backup?

    See also: How do I manage access to a group storage at Argos?
    See also: How do I connect to storage at Argos?
    See also: How do I order a group storage at Argos?
    See also: How do I order a personal storage at Argos?
    See also: What is ransomware and CryptoLocker?
    See also: We need more storage! Do you have a file server we can use?

    Strategy

    The general idea is to focus on where you store your data instead of how you take backup of your data. You have to be aware of where your data is stored!

    Ideally the computer should not need to be backed up - all data should be on a secure file server. If the computer breaks down it should be possible to just grab another computer, login and access the data. Most standard software and configuration should be easy to reinstall.

    Where do I put my data

    Make sure you store your data safely on a secure file server. Check with your IT support organisation which file server you should use. Recommended file servers are "HNAS" and "Argos".

    • Store your personal data in a personal storage where only you can access the data.
    • Store your group's data in a group storage where all users in the group can access the data.

    How do I work with my data?

    Mount your storage folder on your local computer and work directly with the files on the file server. If you need to access the data when not at the university, you can connect to the university network via VPN and then mount the storage folder.

    Guides for connecting to the file server and mount a storage folder on your local computer:

    But I need all my data on the client!

    Do you really? We do not recommend this, but sometimes, this is the only solution that works. In that case:

      macOS
    • Use Apple's TimeMachine to make full computer backups to a local, external drive. Please note that this is not a complete backup system. It may not protect your data against malware or ransomware, and if the computer and the external drive are at the same place when something bad happens, it might happen to both of them...
    • Also, the central service TSM can be used.
      Windows
    • We recommend using the central service TSM to take complete backups of the Windows computer.

    What do I do now?

    Check if your computer was backed up with Retrospect or Time Machine (over the network). These services are no longer available and if your computer was configured to use them you need to make sure your data is secured in another way:

      macOS
    • Start storing your data safely on a secure file server.
    • In addition to the above, the recommendation is that macOS users have a local, external hard drive that backs up the entire computer with Apple’s TimeMachine service. Since it's easy to setup and cheap to use, there is no reason to not take backup this way too. The hard drive should always be connected to the computer when in office, and then stored in a safe place when not in use. Don't bring it when travelling!
    • Also, the central backup service TSM can be used.
      Windows
    • If your Windows computer is part of the BMC-IT platform, everything that is stored on your "Desktop" and in your "Documents" folder may already be automatically synchronized to your personal storage on the file server “HNAS”, and you don't need to do anything more than make sure your data is stored in one of these folders on your computer.
    • If not, start storing your data safely on a secure file server, in a personal or group storage as mentioned above.
    • Also, the central backup service TSM can be used.





    19. How do I find specific files like the last updated, the one with the longest file name, or the largest one?

    See also: How do I compare the content of two directories?
    These tools work on Linux (Ubuntu/CentOS/etc) and probably on macOS too.

    Find the most recently updated file

    Here is a small script that displays the most recently updated files in a directory. In the example this FAQ entry was the most recently updated!

    $ find . -type f -print0 | xargs -0 -P 1 stat --format '%Y :%y %n' | sort -nr | cut -d: -f2- | head -3
    2018-04-27 08:55:47.517999369 +0200 ./last.updated.file.txt
    2018-04-27 08:54:07.277999790 +0200 ./last.updated.file.txt~
    2018-04-27 08:51:50.658000281 +0200 ./compare.directories.txt
    $ _

    Find the number of files and the file with the longest file name

    This little script displays the number of files in the current directory, the character length of the longest file name and the name of that file. In the example there were 219 files in total, and the longest file name, with 49 characters in the path, was ./how.to.map.network.drive.via.SMB.on.Windows.txt.

    $ find . -type f | awk 'BEGIN{N=0} {N=N+1; if ( length > L ) { L=length ;s=$0 } }END{ print N" "L" "s }'
    219 49 ./how.to.map.network.drive.via.SMB.on.Windows.txt
    $ _

    Find the files with the longest file names

    This little snippet prints the files with the longest names:

    $ find . -type f | while read -r ; do echo "${#REPLY} $REPLY" ; done | sort -nr | head -3
    45 ./how.to.map.network.drive.via.SMB.on.Windows
    33 ./windows.office.force.activation
    30 ./win.default.printer.settings
    $ _

    Find the largest files

    This will list the largest files. It will print a list of all files, in parallel do a stat on them, sort the list and then print the largest ones.

    $ find . -type f -print0 | xargs -0 stat -c "%s %n" | sort -rn | head -3
    23637 ./network.8021x
    20285 ./platform
    18051 ./network.help
    $ _





    20. We need more storage! Do you have a file server we can use?

    See also: How do the different types of storage compare to each other?
    See also: How do I mount my home directory or shared storage at HNAS?
    See also: How do I map a network drive via SMB on Windows?
    See also: What is the cost of a PC file server?
    See also: Backing up via Rsync to Btrfs snapshots
    See also: How do I use an Apple AirPort Time Capsule?
    See also: What is the BMC-IT computer platform and how does it work?
    See also: What about the GDPR?

    UUIT HDS NAS file server (HNAS)

    KRT-value: 332

    The university has a common file server service called file area (filarea), run by the IT-division on Hitachi NAS.

    • Highly available and high performance
    • Good for home directories
    • Good for shared documents both small and large
    • Accessible via SMB (Compatible with macOS, Linux/Ubuntu and Windows as a network drive)
    • Offline-backup using TSM.
    • 7000 SEK/TB/year (2018-02-20)

    In general, order by contacting the IT-division, or contact helpdesk@bmc.uu.se if your department is already using the service.

    BMC-IT PC file server (PCFS)

    KRT-value: 221

    The PC file server storage service is a cost-efficient storage solution for mostly high volume archive data. It is built of commodity PC hardware (which means the hardware can be replaced with equipment from other vendors) and open source software (no hidden costs or support agreements). This gives us freedom and a low price but it also means that we are on our own.

    The concept is from around 2010, when it was used for two departments. The service was originally built in 2016 for users at BMC who do not have to own their storage but since it is self-sustained it may be used by everyone at the university.

    The setup is fully documented in SOP - Install PC file server, SOP - Common service PC file server and SOP - Rsync backup to Btrfs snapshots. This means you can set up a very similar setup using the same concept on your own if you want to.

    • Storage size in steps of 10 TB beginning with 20 TB. Each share is using dedicated drives.
    • Not highly available. (There is no automatic failover.)
    • Good for archive storage of large documents like sequencing data, high-resolution images, and large movies.
    • Snapshots are taken every hour. Hourly snapshots are saved for two days, daily snapshots for two weeks and weekly snapshots for two months. Monthly snapshots are removed on request.
    • Accessible via SMB (Compatible with macOS, Linux/Ubuntu (also via smbclient) and Windows as a network drive)
    • Optional access via Rsync (Using Restricted Rsync) and SFTP.
    • Do not use for home directories.
    • Rsync replication from primary server to snapshots on secondary server every night.
    • Support and service is best effort during office hours. This means that if the primary server goes down during a weekend or vacation you may have to wait until the weekend or holiday is over until work can begin on resolving the problems.
    • 1000 SEK/TB/year (from 2018-07-01)
      Earlier price was 1200 SEK/TB/year (from 2016-09-01 to 2018-06-30)

    Order by contacting BMC-IT at helpdesk@bmc.uu.se.

    RBL-IT EMC Isilon file server (Argos)

    KRT-value: 331

    (The KRT-value 332 requires Gold-level.)

    Everyone at the university may use the Rudbeck-IT file servers running EMC Isilon. Technical Specifications Guide - Dell EMC Isilon OneFS and IsilonSD Edge.

    • Highly available and high performance
    • Storage size from 50 GB up to 128 GB, 258 GB, 512 GB, 1 TB, 1.5 TB, 2 TB and then in steps of 1 TB.
    • Accessible via SMB (Compatible with macOS, Linux/Ubuntu and Windows as a network drive)
    • The service is provided with four different levels of protection (2018-02-22):
      • Iron 1995 SEK/TB/year (base level includes server redundancy and disk parity)
      • Bronze 2995 SEK/TB/year (base level plus replication to secondary site)
      • Silver 3995 SEK/TB/year (base level plus offline-backup)
      • Gold 4995 SEK/TB/year (base level plus replication and offline-backup)
    • Monthly billing.
    • Snapshots on primary site up to 29 days and on secondary site up to 188 days
    • Offline-backup using TSM where inactive files (deleted or changed) are saved the default 300 days.

    For ordering please contact RBL-IT helpdesk@rudbeck.uu.se with this information:

    • Storage level of protection (Iron / Bronze / Silver / Gold)
    • Name of folder (A-Z a-z 0-9 _) Example TLA_Foldername
    • Owner (username)
    • Reference code (for the economy system like 123ABC)
    • Project code (optional) Example: Research group name
    • Who should have access to the storage - usernames or Akka-groups. Example: AKKA - X44_123

    Connect using Windows: \\argos.rudbeck.uu.se\MyGroups$

    Connect using Mac OS X: smb://argos.rudbeck.uu.se/MyGroups$

    UPPMAX

    KRT-value: ???

    Uppmax has storage which is free if you have applied for and been granted resources. Please go to www.uppmax.uu.se to figure out what UPPMAX can do for you.






    21. How do I mount my home directory or shared storage at HNAS?

    See also: How do snapshots in the HNAS file server work?
    See also: We need more storage! Do you have a file server we can use?
    See also: How do I map a network drive via SMB on Windows?
    See also: How do I connect to a file server via SMB on macOS?
    See also: How do I mount SMB share in Linux?
    See also: How do I access my home directory?
    See also: What is the point with the zone files.uu.se?

    For Windows clients in USER-AD your home directory and the department common (public) share will automatically be mounted when you login using the drive letters below.

    This storage is in the university shared HNAS file server. Some departments also have other storage available - contact helpdesk@bmc.uu.se for details.

    1. Please select your department:

      DepartmentAcronym
      Biomedical Centre Campus Management
      Department of Cell and Molecular Biology
      Department of Medical Biochemistry and Microbiology
      Department of Medical Cell Biology
      Department of Neuroscience
      Department of Pharmaceutical Biosciences
      Department of Public Health and Caring Sciences
      International Science Programme (ISP)
      . . .
    2. Please enter your username here:


      Purpose | Platform | DFS-path | Direct path | Drive letter
      Home directory for personal files | Windows | \\user.uu.se\BMCI\TLA-Users\account | \\TLA-Users.files.uu.se\TLA-Users$\account | X:
      Home directory for personal files | Mac | smb://account@user.uu.se/BMCI/TLA-Users/account | smb://user\account@TLA-Users.files.uu.se/TLA-Users$/account |
      Common (public) share for department, research groups etc. | Windows | \\user.uu.se\BMCI\TLA-Common | \\TLA-Common.files.uu.se\TLA-Common$ | P:
      Common (public) share for department, research groups etc. | Mac | smb://account@user.uu.se/BMCI/TLA-Common | smb://user\account@TLA-Common.files.uu.se/TLA-Common$ |
    3. Sometimes you want to mount via the command line.

      • Windows, command line version on mapping a network share:

        net use x: \\TLA-Users.files.uu.se\TLA-Users$\account /user:user\account

      • macOS, command line version on how to connect to a file server:

        mkdir ~/Desktop/account
        # Quote the URL: otherwise the shell treats ';' as a command separator
        mount_smbfs '//user;account@TLA-Users.files.uu.se/TLA-Users$/account' ~/Desktop/account

      • On Linux, command line version on how to mount a CIFS file system:

        mkdir ~/Desktop/account
        # Quote the share path so that the shell leaves the '$' untouched
        sudo mount -o username=account,domain=user -t cifs '//TLA-users.files.uu.se/TLA-users$/account' ~/Desktop/account

    4. Also read in the SOP - Connect a Mac to HNAS (v1.0).pdf or follow the links to other FAQs above on how to use the Windows Explorer or Mac Finder GUI. Remember to use the VPN if you are connecting from outside the university network.

      Connect from Mac

    Problems with accessing the shared folders

    A common problem may be that your account has not got the correct permissions called group membership in AKKA, the university catalogue. Please then contact your department administration to get this fixed.





22. What is my IP-address and MAC-address?

See also: How to connect with VPN using AnyConnect in Windows
See also: How do I connect to the VPN using Ubuntu?
See also: How do I connect a private computer to the department network?
See also: My Internet does not work! How can I find the problem?

The easiest way to see what IP your computer or phone is currently using when contacting Internet is to go to a web page that displays it.

How to look up the local IP-address on different operating systems:

Your local IP-address may be translated into another external IP-address over a router using NAT (network address translation).

  1. macOS
  2. Linux
  3. Windows

1. macOS

On a Mac this is also displayed in System Preferences:

  1. Open the Network tab in System Preferences and go to active interface to see the IP-address. Example 130.238.39.228

  2. Open Advanced. The IP-address is displayed again.

  3. Check MAC-address in Advanced. Example a8:20:66:19:5b:b8

2. Linux

For Linux (or macOS) open a terminal and type ifconfig or ip addr list.

3. Windows

For Windows, open a command window and type ipconfig /all

Example: IP-address is 130.238.39.229 and MAC-address is 08:00:27:27:06:ad

The command getmac also displays the currently used MAC-address.





23. What is the name standard for network equipment on BMC.

See also: How are the network sockets identified?
See also: What Internet bandwidth does the university have?
See also: Some Cisco switch commands

Unfortunately there are several systems still in use for naming the network equipment at BMC.

Name standard: ?
Year: 1976-
Introduced by: BMC
Explanation: Naming of old terminal network blissfully forgotten.

Name standard: ?
Year: 1986-
Introduced by: BMC
Explanation: Naming of old ethernet network blissfully forgotten.

Name standard: C5:2
Year: 1998
Introduced by: BMC
Explanation: The first C5500 fast ethernet twisted pair switches were named after the cross connect cabinets where they were located.

Name standard: C5:2-2
Year: 2000
Introduced by: BMC
Explanation: With the addition of C2980 and C3500 switches, the naming included a serial number for each cabinet.

Name standard: Cluster_A1-1, Cluster_A1-1-1, C1-2-2mem1, C3:3-3-Mem_1
Year: 2005
Introduced by: UUIT
Explanation: At some point in time the switches (C2950) were clustered in order to minimize the use of IP-addresses.

  1. Problem: It is getting really hard to know which switch is which with all members and clusters.

Name standard: A3:1_Poe-Manager, A3:1_Poe-Manager-1, A3:1_Poe-Manager-2
Year: 2007
Introduced by: UUIT
Explanation: A new naming standard for PoE switches showed up with the need to identify the PoE capable switches.

Name standard: C2960S-C6-3-319c, C2960S-C5-3_3, C2960-C6:013b, C5K-C7-3, C5K-C7-2
Year: 2007 (?)
Introduced by: UUIT
Explanation: At some point in time the switch model was introduced in the name, perhaps to more easily identify the switches, at least the new ones. However, several different separators were used. When switches were not put in cross connect cabinets the room number was introduced.

MODEL HOUSE FLOOR [NUMBER]

MODEL HOUSE ROOM

Name standard: BMC-A9-1-3
Year: 2011
Introduced by: BMC
Explanation: A prefix was introduced to separate BMC-switches from other switches. The switches were still named after the termination of the cables in the cross connect cabinet. The naming was:

CAMPUS HOUSE FLOOR NUMBER

  1. Problem: Does not scale to several cross connect cabinets (racks).

Name standard: BMC-D9-3-01b-8
Year: 2013
Introduced by: UUIT
Explanation: The cross connect cabinet room number was used instead of the network socket termination rack. The idea was to use the same system all over the university.

CAMPUS HOUSE FLOOR ROOM NUMBER

  1. Problem: the cross connect cabinet rooms change house and room number even if they are vertically located above each other.
  2. Problem: the markings on the switch do not match the markings on the network socket.

Name standard: BMC-D11-0-09a_48-1
Year: 2014
Introduced by: UUIT
Explanation: The server room required naming based on racks, introducing a new system:

CAMPUS HOUSE FLOOR ROOM RACK NUMBER.

  1. Problem: by only looking at the switch name it is not possible to know what VLANs are on it. The BMC-HALL switches should probably have used another prefix than BMC. Perhaps a router prefix?

Name standard: BMC-C11-3-D302-3
Year: 2015
Introduced by: BMC
Explanation: The introduction of room numbers makes it harder to figure out what switches are located in what cross connect cabinet. Introduce the rack for the cross connect cabinets like in the server room.

CAMPUS HOUSE FLOOR RACK NUMBER.

  1. Problem: Redundant floor number, both in the FLOOR and in RACK.
  2. Problem: New flexstacked switches appearing at this time share the same network name but introduce a new physical name, making it hard to identify which network socket it is.
  3. Problem: Large flexstacked switches may sit in two racks.

Name standard: BMC-C1-3-D302-S-1, BMC-C11-3-D302-S1, BMC-C3-2-D202-S1
Year: 2016
Introduced by: UUIT
Explanation: No problem, just add a letter telling it is a stack and then a number for each member in the stack! Or perhaps a slash?

CAMPUS HOUSE FLOOR RACK ROOM "S" NUMBER.

  1. Problem: Not the full room number, the room numbers are always three numbers and perhaps a letter.
  2. Problem: Redundant floor number, both in the FLOOR and in RACK.
  3. Problem: Still a bit hard to figure out what name is a switch name and what is a flexstack number...

Name standard: FAL01-C7-03-301B-1 #1, FAL01-C7-03-301B-1 #2
Year: 2017
Introduced by: UUIT
Explanation: Switches are put in DNS! Great! Unfortunately this introduced a new name with the FQDN, and also a new name that is not always exactly the same as the old switch name due to partial renaming.

Using the same naming as the Wi-Fi hotspots, introducing block (kvarter) in the name via Byggnadsavdelningens register.

BLOCK HOUSE (with extra zero prefix) FLOOR ROOM NUMBER.

  1. Problem: introduce new prefix fal01- instead of bmc-
  2. Problem: the cross connect cabinet rooms change house and room number even if they are vertically located above each other.
  3. Problem: the markings on the switch do not match the markings on the network socket which references to the cross connect cabinet.
  4. Problem: The block name (fastighet / kvartetsnamn) for BMC is ROSENLUND. FALTLÄKAREN is the old Magistern or Kunskapsskolan. The plot is Kåbo 1:10.
  5. Problem: The NUMBER is not unique for each cross connect cabinet.
  6. Problem: Introduce a leading 0 in front of floor number.





24. How do I start an elevated command prompt (as administrator) in Windows?

See also: How to change language in Windows 10 Enterprise
See also: How do I activate my Office using KMS?
See also: How do I force activation of Windows 10 using KMS?
See also: How do I really delete a directory and files in Windows?
See also: How do I copy many files in Windows using Robocopy?
  1. Start a command interpreter window by entering cmd in the search prompt.

  2. Launch by pressing CTRL SHIFT and ENTER at the same time.

  3. Answer Yes to run as administrator.

    It should look like this for Windows 7:

    And like this for Windows 10:

  4. If everything works fine you are running as administrator. The Window title bar should contain the text Administrator:.

    It should look like this for Windows 7:

    It should look like this for Windows 10:

It does not work! What do I do now?

  1. Make sure you are connected to the university network. Then restart computer.

  2. Make sure you are using your employee account and not your old student account.

  3. If you need to be local administrator, send a mail to helpdesk@bmc.uu.se where you specify your computer name and your account name. We can then add you as a local administrator, after we have confirmed that it is your computer. Then restart computer.

  4. If it does not work anyway, restart the computer again. When the computer restarts it should read the group policy, which adds the members of a group in the Active Directory to that computer's local administrators.

  5. If the group has been created and populated with members and it still does not work, run the command gpupdate /force in a command window to force the computer to update the group policy if this was not done automatically. It may look like this. Answer y and enter to log off. Then log in and try again.





25. What Internet bandwidth does the university have?

See also: Who is resposible for what on the BMC network? Who can help me?
See also: We have a server, where should we put it?
See also: How to connect with VPN using AnyConnect in Windows
See also: How are the network sockets identified?
See also: What service levels does BMC-IT have compared to others at the university?
See also: How do I use Eduroam, the wireless network, in Windows?
See also: What is the name standard for network equipment on BMC.

Check your own bandwidth



Bredbandskollen is a bandwidth measuring service. However, above 100 Mbit/s the service may be inaccurate regarding exact speed since it depends too much on the local computer and web browser performance. It requires Flash in the browser in order to work.

For mobile and wireless networks it is usually quite good.

Fixed network

SUNET had 2 x 40 Gbit/s connection to NORDUnet but now even more.

SunetC statistics

The Uppsala University network (UpUnet) had 2 x 10 Gbit/s bandwidth to OptoSUNET but is now connected to SunetC with 2 x 100 Gbit/s.

BMC-campus-router has 2 x 10 Gbit/s to the rest of Uppsala University network (UpUnet) for the BMC-router and 4 x 10 Gbit/s for the BMC-hall-routers.

BMC has internally in the building either 10 Gbit/s, multiple 1 Gbit/s or single 1 Gbit/s bandwidth to the cross connect cabinet distribution switches. BMC linkstatus

The network sockets at BMC are connected via either 100 Mbit/s (Fast Ethernet) or 1 Gbit/s (gigabit Ethernet) to the edge switches. If you only have Fast Ethernet and need gigabit let us know at helpdesk@bmc.uu.se. A few servers have 10 Gbit/s or multiple 1 Gbit/s.

The network in BMC is built by Cisco equipment. Over the years we seem to have acquired all possible models, but mostly C5500, C3500, C2980, C2950, C2960, C2960S, C2960X, C2960XR. Our oldest Fast Ethernet switches - C5500, C3500 and C2980 - are currently being replaced (2015).

Due to a lack of personnel resources this has been postponed. We will hopefully continue the upgrade in 2017-2018 and then also include replacement of all of the C2950 and C2960 switches. Only C2960S, C2960X and C2960XR are left of the old.

New cross connect cabinets are built with 10 Gbit/s or dual 1 Gbit/s uplink and flexstacked C2960X with 1 Gbit/s to the clients. Old switches without flexstack are connected via EtherChannel to the stack or have direct connections to the router.

The idea with the network topology is that no switch failure should bring down any other switch. No single interface or transceiver (SFP/SFP+/GBIC) failure should interrupt any switch. The BMC-router is the big exception, but Cisco 6500 series are in general quite reliable and can have multiple boards/interface cards. It is equipped with redundant power supplies and is connected to a small dedicated UPS.

Wireless network

Most of the wireless access points in BMC are Cisco AP1131 with support for IEEE 802.11a/b/g up to 54 Mbit/s but in practice less. We have a few Cisco AP2602i with support for IEEE 802.11a/b/g/n which are slightly faster, but usually not above 80-100 Mbit/s since most of them are limited by their connection to 100 Mbit/s PoE Fast Ethernet anyway.




26. Connect to eduroam using iPhone with iOS 10

See also: How do I use Eduroam, the wireless network, in Windows?

Instructions how to connect to eduroam using an iPhone with iOS10.

1. First, open "Settings". Then select "Wi-Fi". Select "eduroam".

2. Enter your AKKA-id followed by "@user.uu.se" and then enter your password B.

If you have forgotten your password B you can reset it using https://akka-anv.uu.se and password A.

3. Click to trust the certificate. After this step the phone should connect to eduroam. It might take 30-60 seconds.

If it doesn't work, try to reboot the phone and repeat the procedure.

If it still doesn't work, you can try to reset the network settings (Allmänt / Nollställ / Nollställ nätverk, in English General / Reset / Reset Network Settings). Beware though that if you do this you'll need to enter all Wi-Fi-passwords again on all networks.





27. How do I use an Apple AirPort Time Capsule?

See also: What is ransomware and CryptoLocker?
See also: Who is resposible for what on the BMC network? Who can help me?
See also: We need more storage! Do you have a file server we can use?
See also: What should I think about when adding my own network printer?

Please do not buy one of these for use at BMC! Your Local IT must be involved and usually do not allow these on the network. For large parts of BMC this is BMC-IT, Rudbeck-IT, IT-division/UADM/EP or Uppsala University Library and as far as I know none of us allow or recommend these. (2018-09-21)

Apple Airport Time Capsule is a great tool for a home or small office, providing simple backup, Wi-Fi hotspot and NAT-router all in one.

But we really recommend a normal external hard drive for backup. Keep one at home and one at work.

Also be aware that a backup where the client has full write access to the backup and can erase old versions of it does not protect against ransomware attacks. The attacker may destroy old backups from the compromised client.

Here is a summary what the problems may be with this kind of equipment:

NAT
SUNET and the Security and safety division at Uppsala University require that it is possible to identify which user is doing what on the network. NAT (in this level of home or small office equipment) is hiding this.

Read the Riktlinjer för säkerhetsområdet and the document UFV 2016/1944 Anskaffning och drift av IT-system in particular section 4.4 Anslutning till universitetets datornät.

DHCP-server
Apple AirPort has a built-in DHCP-server. When connected the wrong way (NAT-ports) to the department network the device will give IP-addresses to the other computers on the network. This will mess up the network. In the best case (when both WAN- and LAN-ports are connected at the same time to the department network) all that happens is that all traffic will pass through the Apple AirPort which will then act as a bottleneck. In the worst case (only LAN-ports are connected to department network) nothing will work and the whole department network will go down.

Wi-Fi hotspot
The Uppsala University IT-division is responsible for setting up Wi-Fi hotspots all over the Uppsala University campuses. The frequencies have been planned so that they do not interfere with each other. Even when using a frequency that is not the same as the closest hotspot, it may interfere with the frequencies of other hotspots further away (but still in range).

Stability problems
We have been running the backups for many clients for several Mac servers using the same technology. It has turned out that, although not very often, the backups using Time Machine over the network may go corrupt. Then the backup is not worth much. The problems may or may not be related to the use of a flaky network adapter (in particular the USB-Ethernet adapter used by Macbook Air).

Sharing the effort of building stable networks
By using the university's centrally managed DHCP-server and routers it is possible to help each other with management. Both the IT-division and the BMC-IT can help with finding problems with the network. When using this kind of small office / home office equipment it is really hard for somebody else to know what is going on. You are on your own.
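
The DHCP-server problem described above can be spotted from client logs. The following is an added example, not part of the original FAQ: it scans log lines in the style of ISC dhclient syslog messages (constructed sample) and reports every DHCP server that is not on an allowlist. The server addresses 192.0.2.10 and 192.0.2.11 are placeholders, and the private-lease check assumes the department network hands out public addresses.

```shell
#!/bin/bash
# Added example: report DHCP servers seen by clients that are not on the allowlist.

# Placeholder addresses for the centrally managed DHCP servers (assumption).
AUTHORIZED_SERVERS="192.0.2.10 192.0.2.11"

# Constructed sample input in the style of ISC dhclient syslog messages.
sample_log() {
  cat <<'EOF'
May  8 09:01:12 ws1 dhclient[811]: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 3
May  8 09:01:12 ws1 dhclient[811]: DHCPOFFER of 198.51.100.23 from 192.0.2.10
May  8 09:01:12 ws1 dhclient[811]: DHCPACK of 198.51.100.23 from 192.0.2.10
May  8 09:14:40 ws2 dhclient[640]: DHCPOFFER of 10.0.1.3 from 10.0.1.1
May  8 09:14:40 ws2 dhclient[640]: DHCPACK of 10.0.1.3 from 10.0.1.1
May  8 09:20:05 ws3 dhclient[702]: DHCPOFFER from 10.0.1.1
May  8 09:31:55 ws4 dhclient[655]: DHCPACK of 198.51.100.40 from 192.0.2.11
EOF
}

# find_rogue_dhcp: read log lines on stdin and print one line per unknown server:
#   <server> replies=<n> clients=<hosts> private_lease=<yes|no>
find_rogue_dhcp() {
  awk -v allow="$AUTHORIZED_SERVERS" '
    BEGIN {
      n = split(allow, a, " ")
      for (i = 1; i <= n; i++) ok[a[i]] = 1
    }
    # RFC 1918 ranges: typical for leases handed out by a NAT box.
    function is_private(ip,   o) {
      split(ip, o, ".")
      return (o[1] + 0 == 10) ||
             (o[1] + 0 == 172 && o[2] + 0 >= 16 && o[2] + 0 <= 31) ||
             (o[1] + 0 == 192 && o[2] + 0 == 168)
    }
    / DHCP(OFFER|ACK) / {
      server = ""; lease = ""
      # Handles both "DHCPOFFER of <lease> from <server>" and "DHCPOFFER from <server>".
      for (i = 1; i < NF; i++) {
        if ($i == "from") server = $(i + 1)
        if ($i == "of")   lease  = $(i + 1)
      }
      if (server == "" || (server in ok)) next
      count[server]++
      host = $4                      # syslog host field = reporting client
      if (!((server, host) in seen)) {
        seen[server, host] = 1
        if (hosts[server] != "") hosts[server] = hosts[server] ","
        hosts[server] = hosts[server] host
      }
      if (lease != "" && is_private(lease)) priv[server] = 1
    }
    END {
      for (s in count)
        printf "%s replies=%d clients=%s private_lease=%s\n",
               s, count[s], hosts[s], (priv[s] ? "yes" : "no")
    }' | sort
}

# Run on the constructed sample when the script is executed.
sample_log | find_rogue_dhcp
```

The clients listed for an unknown server show which part of the network is affected and where to start looking for the device.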

It may be theoretically possible to turn off all server functions including NAT/Wi-Fi and then secure it with accounts, but it may not be worth the effort. When doing that (turn off NAT and only do Network bridge, turn off Wi-Fi) if the settings are reset by some reason, make sure that the AirPort in a reset state do not mess up the network - only attach the WAN port to the department LAN. The equipment is best used at home or at a small office.

At least these things have to be done:

  1. Turn off NAT and DHCP-functionality.
  2. Turn off Wi-Fi.
  3. Set up with account and password protection.
  4. Set up internal firewall in the equipment so that no one outside the department network can access it.
  5. If that does not work:
    1. Set a fixed IP for the device
    2. Set up the campus router filter so that no one outside the department network can access it.
  6. Actually set up both internal firewall and router filter if possible.
  7. Make sure that the firewalls are working.
  8. Make sure only the user creating the backups can access them.

This list is not guaranteed to be complete.

Our suggestion is to move the equipment to the home office for a backup when working at home. Then get another hard drive for the office.

If you need better Wi-Fi coverage contact helpdesk@bmc.uu.se and then we can together with IT-division hopefully improve the location and coverage of the Wi-Fi hotspots.

So what to do instead?

  1. Get a normal hard drive and use Time Machine on that one. Get one hard drive at home and one at work. This will hopefully give you a backup of the whole computer in two different places.
  2. Store important data on a file server, like the HNAS file server at the university.





28. Are there any desktop phones using the mobile network?

The costs for wired analog telephones are increasing compared to mobile phones. The cost for moving a mobile phone is obviously a lot smaller than for a wired phone.

Please read the pricelist for phone services at the university (in Swedish).

We have found two models of desktop phones that use the mobile telephone network (3G/UMTS) which can be bought via the university. (2018-09-11)

Do also consider a cheap and simple mobile phone for each employee.

  • Huawei F617-20 Desktop Phone Generic 818 SEK (2018-09-11)

  • Jablocom Essence Desktop Phone 1580 SEK (2018-09-11)

    Here are the same kind of mobile desktop phones at Dustin

    Please note, we cannot buy phones from Dustin.





    29. How do I install Ubuntu?

    See also: Add a printer in Ubuntu 14.04
    See also: Print using UserCode for Ubuntu
    See also: How do I mount SMB share in Linux?
    See also: Do you have a virtual machine (server) I can use?
    See also: How do I configure my resolver on a Linux machine?

    This is documentation for a network installation of Ubuntu on the BMC network using the BMC-IT network boot menu over PXE. This applies to physical PCs or VirtualBox.

    You can always do a manual installation. Just download the DVD from Ubuntu and install. Skip a few steps in the instructions below.

    1. Netboot the computer, usually by pressing F12 at BIOS boot time.
    2. In the PXE-boot menu, start the latest and greatest Ubuntu installation. For example start a text installation of Ubuntu 18.04 Bionic Beaver x64 Mini:

      l          Local Boot (default)
      m          Memtest86
      mdtmt      Windows 10 Enterprise x64 (Mediatek network)
      c74        CentOS 7.4 x64 Netboot
      c73iso     CentOS 7.3 x64 Minimal ISO
      debian74   Debian Netinstall 7.4 AMD64
      sl65       Scientific Linux 6.5 x64
      sl65kick   Scientific Linux 6.5 x64 kickstart
      u1604live  Ubuntu 16.04 "Xenial Xerus" x64 Mini Remix Live
      u1704mini  Ubuntu 17.04 "Zesty Zapus" x64 Mini
      u1710mini  Ubuntu 17.10 "Artful Aardvark" x64 Mini
      u1804mini  Ubuntu 18.04 "Bionic Beaver" x64 Mini
      boot: u1804mini_

    3. Step through the text installation. Activate automatic updates.
    4. Please name the computer TLA-SERIALNUMBER where TLA is your department's unique three letter acronym and SERIALNUMBER is the computer serial number.
    5. If you want to keep the Windows installation, if there is one on the computer, you can resize the existing partitions.
    6. You can choose several different desktop environments, but I recommend beginning with the standard Ubuntu desktop. This is what the Xubuntu desktop looks like in VirtualBox running in macOS:

    Installing in VirtualBox

    If you install in VirtualBox, remember to install the VirtualBox Guest Additions to enable shared clipboard and files between the host and guest OS.
    1. The CD is mounted automatically by VirtualBox. If everything works fine Ubuntu will find the CD and ask you for permission to install the guest additions. Just go ahead.
    2. Otherwise, try to mount the CD via the menu in VirtualBox with Devices - Insert Guest Additions CD image.... Continue as above.
    3. And finally if the autorun does not execute but the CD has been mounted, you can manually run the installation:
      cd /media/jerker/VBOXADDITIONS_4.3.28_1003095
      sudo ./VBoxLinuxAdditions.run




    30. How do I connect to the VPN using Ubuntu?

    See also: How to connect with VPN using AnyConnect in Windows
    See also: How do I set firewall rules in Linux to block SSH?
    See also: What is my IP-address and MAC-address?
    1. First apply for the VPN-service. Go to VPN service at Medarbetarportalen and follow instructions in the section Application for VPN service.

    2. Then install the openconnect client:

      sudo apt-get install network-manager-openconnect-gnome

    3. From the menu choose Edit connections...

    4. Select Add

    5. Select the Cisco AnyConnect Compatible VPN (openconnect) connection type.

    6. Edit your connection by naming it (VPN.UU.SE in this example) and then enter the gateway vpn.uu.se:

    7. The new connection will now show up in the Network Manager menu. Open it.

    8. Enter your username and password A and, if you dare, select Save passwords.

    9. It worked!

    10. Check your new IP-address:

      ip addr list vpn0

    11. You can also go to websites like www.whatismyip.com to see where you are connecting from.




    31. How do I install Adobe CC Complete (Photoshop, Illustrator...) in Windows?

    See also: How much do Adobe Photoshop and Illustrator cost?
    See also: How do I sign my documents with an electronic signature?

    For Windows computers that have a Zenworks agent it is quite easy.

    1. First restart computer if it has any pending upgrades. Otherwise the installation will fail.

    2. Open the Adobe Complete application in the Zenworks window.

    3. Answer OK once.

    4. Answer OK twice.

    5. Wait a very long time (all files are around 14.5 GB) for everything to install. The files are read from a file server so you have to be connected to the university network.

    6. It is possible to open a ZENworks progress window from the status bar. Step 7 of 8 will take a very long time.

    Normally in Zenworks everything may be loaded over the Internet, but in this case, since the package is so large, for technical reasons we choose to install it directly from a file server.

    When installing the bundle a request for registration of licenses will be automatically sent to helpdesk@bmc.uu.se who will confirm the registration at appropriate group or department.

    For Windows computers that do not run the Zenworks agent, the same package can be installed by a system administrator. Also contact helpdesk@bmc.uu.se for this.

    For macOS this installation is more or less manual. Contact helpdesk@bmc.uu.se.



    32. How to use the IBM Spectrum Protect (Tivoli Storage Manager aka TSM)

    See also: How do I take backup of the data on my computer?
    See also: How do I overwrite deleted data in Windows?
    See also: Backing up via Rsync to Btrfs snapshots
    See also: What is ransomware and CryptoLocker?
    See also: How do you secure delete data from the computers and servers?


    IBM Spectrum Protect is the backup system run by the IT-division at the university. The software was previously known as TSM - Tivoli Storage Manager and is still referred to by both names.

    Financing and pricing

    The service is paid for by the users. This includes salaries for everyone involved in maintaining the system and all equipment. The costs include a starting cost per node and a (decreasing) cost per GB depending on how much data is stored in the system. Read the pricelist.

    Documentation

    IBM has their own documentation of TSM 7.1.3 (the latest version at 2016-04-14)

    Schedule

    Usually on Windows-systems the backup-client is asking the server whether it should backup or not. Send a mail to backup-admin to let them know.

    On Mac and Linux (and other Unix-based systems) instead the client is called at a certain point in time doing the backup like this:

    dsmc incr

    To put this in crontab in a Linux system first run editor for the crontab as root using emacs as an editor.

    EDITOR=emacs crontab -e

    Or use the default vi editor:

    crontab -e

    Then enter the point in time to run the backups (with the full path to the client)

    1 1 * * * /usr/bin/dsmc incr
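The crontab entry above throws away the client's exit status, so a failing backup can go unnoticed. The wrapper below is an added example, not part of the original page: it records the status of each run and refuses to start while a previous run is still active. The script path, LOCKDIR and LOGFILE are assumptions; the return codes 0, 4, 8 and 12 are the ones IBM documents for the backup-archive client.

```shell
#!/bin/sh
# Added example (not from the original page): cron wrapper around "dsmc incr".
# Assumed crontab entry:  1 1 * * * /usr/local/sbin/dsmc-incr.sh --run
# DSMC, LOCKDIR and LOGFILE are assumed locations; adjust them for the host.
DSMC="${DSMC:-/usr/bin/dsmc}"
LOCKDIR="${LOCKDIR:-/var/run/dsmc-incr.lock}"
LOGFILE="${LOGFILE:-/var/log/dsmc-incr-status.log}"

# Map the client's return code to a short status word.
classify_rc() {
  case "$1" in
    0)  echo "ok" ;;             # everything completed
    4)  echo "skipped-files" ;;  # completed, but some files were not processed
    8)  echo "warning" ;;        # at least one warning message
    12) echo "error" ;;          # at least one error message
    *)  echo "unknown" ;;        # e.g. 127 when the client is not installed
  esac
}

# Run one incremental backup unless an earlier run still holds the lock.
# Prints the status word and returns 0 only for return codes 0 and 4.
run_backup() {
  # mkdir is atomic, so it works as a simple lock without extra tools.
  if ! mkdir "$LOCKDIR" 2>/dev/null; then
    echo "$(date '+%Y-%m-%d %H:%M:%S') still-running" >>"$LOGFILE"
    echo "still-running"
    return 1
  fi
  rc=0
  "$DSMC" incr >>"$LOGFILE" 2>&1 || rc=$?
  rmdir "$LOCKDIR"
  status=$(classify_rc "$rc")
  echo "$(date '+%Y-%m-%d %H:%M:%S') rc=$rc $status" >>"$LOGFILE"
  echo "$status"
  [ "$rc" -eq 0 ] || [ "$rc" -eq 4 ]
}

# Only run the backup when called with --run (as from cron).
if [ "${1:-}" = "--run" ]; then
  run_backup >/dev/null
fi
```

A monitoring job can then alert on any line in the status log that is not `ok` or `skipped-files`, or on the absence of a new line for the last night.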

    Performance with TSM

    TSM stores files on tapes, and after a while the incremental backups will have spread the files over several different tapes. One way of taking care of this is to instead from time to time do a selective backup or an image (block device) backup. The block device backup is obviously harder to read individual files back from.

    There are several options to decrease the amount of data being sent on the wire by doing more work on the client. Inside the university network this is usually not a problem since we usually have enough bandwidth between the campuses and to the backup servers.

    • Zip up many small files and exclude the originals from backup.
    • Use virtual mount points to divide up the files in smaller sets.
    • Use journal-based backup to track which files have been changed
    • Use memory efficient backup, if the client is running out of memory.

    Compression yes
    Memoryefficientbackup yes

    Examples: Query the backup...

    To list what partitions (or file systems) have been backed up:

    dsmc query files

    To list files that have a backup date during a certain date range: (However, running with the time-limit options (todate, fromdate) will change the behaviour of the client and read a lot of data into RAM. With several million files this will be slow. Read about Classic Restore versus No Query Restore (NQR) at IBM.)

    The option -inactive will list both active and inactive files.

    dsmc q ba -inact -fromdate=01/01/2016 -todate=01/03/2016 -subdir=yes '/blue/*'

    To get summary of all files backed up and the size:

    dsmc query backup '/etc/*' -subdir=yes -querysummary

    To get more details, for example to see files with the wrong backupclass which still are taking up space in the backup, run this command:

    dsmc query backup '/etc/*' -subdir=yes -querysummary -detail

    Examples: Restoring backup...

    To interactively pick and restore the files, restoring to the directory /tmp:

    dsmc restore -pick '/blue/*' "/tmp/"

    To also interactively pick among the inactive files when restoring:

    dsmc restore -pick '/blue/*' "/tmp/" -inactive

    To also restore subdirectories while restoring:

    dsmc restore -pick '/blue/*' "/tmp/" -inactive -subdir=yes

    To restore the state of a directory at several different points in time, run the restore command once for each of the specified dates. Each run restores the directory as it was at that point in time.

    for i in 10 11 12 13 14 15 16 17 ; do
      # One restore directory per point in time
      dest="/var/tmp/jerker.restore.2016-04-$i-12.00.00/"
      mkdir -p "$dest"
      dsmc restore -pitd=04/$i/2016 -pitt=12:00:00 -subdir=yes '/home/jerker/*' "$dest"
    done

    To backup everything irrespective of whether files have changed since the last backup, use the selective command:

    dsmc sel '/green/home/USER/jny25782/*' -subdir=yes

    Examples: Deleting old backup data...

    To delete a backup (which may require extra permissions), use the delete command. This time the -pick makes it interactive.

    dsmc delete backup '/archive/jerker/*' -subdir=yes -pick

    To delete all inactive files:

    dsmc delete backup '/archive/jerker/*' -subdir=yes -deltype=inactive

    To delete all inactive files backed up during a certain date range:

    dsmc delete backup -fromdate=01/01/2010 -todate=01/01/2016 '/green/home/USER/jny25782/*' -subdir=yes -deltype=inactive

    With the number of files in the multiple tens of millions, this may not work so well since it takes up too much memory, or it may time out while waiting for the confirmation prompt unless the operator (you) is staring at the window. Use the -noprompt option and break it down into smaller parts like this:

    for i in /home/* ; do dsmc delete backup -fromdate=01/01/2010 -todate=04/01/2016 "$i"/'*' -subdir=yes -deltype=inactive -noprompt ; done

    To delete all files from the backup, including inactive files, specify -deltype=all. Do not prompt for confirmation.

    dsmc delete backup '/unwanted.data/' -deltype=all -noprompt

    This however does not delete parent directories from the backup. To remove them too, run the expire command. The position of the wildcard is described at IBM but looks a bit strange, so be careful!

    dsmc expire '/unwanted.data*' -noprompt

    Different management classes:

    To view the different management classes:

    dsmc q mgmtclass

    To list the details of the different backup management classes:

    dsmc q mgmtclass -detail

    To change class when taking backup, the new class can be specified in the file dsm.opt when including file systems:

    include /myfilesystem/* TWOYEARCLASS

    Please note that this may (or may not) only affect new objects created in the backup system. Manual clean up (using the method in the previous section) may have to be done.

    The way I know of to view the current backup management class is to start the graphical client, dsmj, and choose the entry View policy information in the Utilities menu.

    This is a small script to list management classes:

    #!/bin/bash
    echo 'Management      Retain Only     Retain Extra    Version         Version'
    echo 'Class           Version         Version         Data Exists     Data Deleted'
    echo '--------------- --------------- --------------- --------------- --------------'
    ( dsmc q mgmtclass -detail ; echo DONE ) |
    grep -e 'MgmtClass Name' -e 'Retain Only Version' -e 'Retain Extra Version' -e 'Versions Data Exists' -e 'Versions Data Deleted' -e 'DONE' |
    ( while read A B C D E F ; do
        # A new class (or the DONE marker) starts: print the class collected so far
        if test "$A" = "MgmtClass" -o "$A" = "DONE" ; then
          if test "$EXTRA" != "" -a "$ONLY" != "" ; then
            echo -e $MGMT'\t'$ONLY'\t'$EXTRA'\t'$EXISTS'\t'$DELETED | expand --tabs=16,32,48,64
            ONLY="" EXTRA="" MGMT="" DELETED="" EXISTS=""
          fi
          MGMT=$D
        fi
        if test "$B" = "Only" ; then
          ONLY=$D
        fi
        if test "$B" = "Extra" ; then
          EXTRA=$D
        fi
        if test "$C" = "Exists...:" ; then
          if test "$D $E" = "No Limit" ; then
            EXISTS="NoLim"
          else
            EXISTS="$D"
          fi
        fi
        if test "$C" = "Deleted..:" ; then
          if test "$D $E" = "No Limit" ; then
            DELETED="NoLim"
          else
            DELETED="$D"
          fi
        fi
      done ) | sort -n --key=2,5

    The output looks like this for the current (2016-05-16) classes on the domain that I am using. Note that there may be different domains with different management classes.

    # ./tsm.list.mgmtclasses.sh
    Management      Retain Only     Retain Extra    Version         Version
    Class           Version         Version         Data Exists     Data Deleted
    --------------- --------------- --------------- --------------- --------------
    ITSDBCLASS      0               0               1               0
    ORACLECLASS     0               200             3               0
    ONEDAYCLASS     1               1               3               2
    DAYCLASS        2               0               1               1
    MONTHCLASS      9               9               8               7
    TWOWEEKS        14              14              14              1
    TDPDIFF         30              30              No Limit        No Limit
    TDPDIFF-META    30              30              No Limit        No Limit
    TDPFULL         30              30              No Limit        No Limit
    TDPFULL-META    30              30              No Limit        No Limit
    TDPLOGS         30              30              No Limit        No Limit
    TDPLOGS-META    30              30              No Limit        No Limit
    PUBCLASS        60              30              2               1
    STANDARD        60              30              2               1
    QUARTERCLASS    120             90              3               2
    ITSCLASS        300             200             3               2
    LOGCLASS        300             200             3               2
    ITS_DISK        365             200             3               2
    DEVCLASS        500             450             4               3
    TWOYEARSCLASS   750             30              2               1
    ADMCLASS        900             800             8               7
    TENYEARSCLASS   4000            30              2               1
    # date
    Fri Aug 26 13:51:51 CEST 2016
    # _

    This is how to Assign management class to specified directories or default.



    33. What fun things can I do with Systemd in Linux?

    Figure out what is taking so long to start:

    # systemd-analyze blame
    1min 46.945s kdump.service
    13.838s network.service
    873ms postfix.service
    602ms dev-md126.device
    285ms systemd-udev-trigger.service
    258ms tuned.service
    186ms systemd-fsck-root.service
    55ms httpd.service
    ...
    # _

    Check how a service is doing:

    # systemctl status httpd
    httpd.service - The Apache HTTP Server
       Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
       Active: active (running) since Fri 2017-04-14 05:22:28 CEST; 3 weeks 5 days ago
         Docs: man:httpd(8)
               man:apachectl(8)
      Process: 6484 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS)
      Process: 14190 ExecReload=/usr/sbin/httpd $OPTIONS -k graceful (code=exited, status=0/SUCCESS)
     Main PID: 6489 (httpd)
       Status: "Total requests: 0; Current requests/sec: 0; Current traffic: 0 B/sec"
       CGroup: /system.slice/httpd.service
               6489 /usr/sbin/httpd -DFOREGROUND
               14198 /usr/sbin/httpd -DFOREGROUND
               14199 /usr/sbin/httpd -DFOREGROUND
               14201 /usr/sbin/httpd -DFOREGROUND
               14202 /usr/sbin/httpd -DFOREGROUND
               14203 /usr/sbin/httpd -DFOREGROUND

    Apr 14 05:22:28 bmc-pcfs2.bmc.uu.se systemd[1]: Starting The Apache HTTP Server...
    Apr 14 05:22:28 bmc-pcfs2.bmc.uu.se systemd[1]: Started The Apache HTTP Server.
    Apr 16 08:47:01 bmc-pcfs2.bmc.uu.se systemd[1]: Reloaded The Apache HTTP Server.
    Apr 24 05:52:36 bmc-pcfs2.bmc.uu.se systemd[1]: Reloaded The Apache HTTP Server.
    Apr 30 07:05:06 bmc-pcfs2.bmc.uu.se systemd[1]: Reloaded The Apache HTTP Server.
    May 07 08:18:32 bmc-pcfs2.bmc.uu.se systemd[1]: Reloaded The Apache HTTP Server.
    # _

    Start, stop and restart units (services):

    # systemctl stop httpd
    # systemctl start httpd
    # _

    Change the default device timeout for slow file systems like btrfs with a lot of snapshots: (ArchLinux Wiki about Fstab)

    # grep timeout /etc/fstab
    LABEL=data7 /data7/ btrfs compress,noatime,x-systemd.device-timeout=0 1 2
    # _





    34. How do I change the Mac computer name, host name and NetBIOS-name?

    See also: What is my computer name in Windows?
    See also: How do I find the serial number on macOS?
    See also: How do I connect a private computer to the department network?
    See also: How do I install anti-virus software on macOS?

    In macOS, change the computer names in the system settings, in the Share (Delning) dialog.

    The university name standard begins with an identifier for each department and then a dash and a unique identifier. At BMC-IT and the departments we support we continue with the computer serial number like this:

    1. Begin with a TLA - the three letter acronym (Neuroscience - INV, Medical Biochemistry and Microbiology - IMB, Pharmaceutical biosciences - FBV, Medical Cell Biology - MCB, Uppsala Biomedical Centre - BMC, Public Health and Caring Sciences - IFV, etc)
    2. Then a dash -.
    3. Then the serial number max 11 characters (cut away the leading ones to keep the usually significant ones)
    4. The full computer name should be 15 characters or less (to not generate possible problems in old network sharing protocols like WINS... In a couple of years, when WINS is totally gone, then this rule most probably can be ignored)

    The host name is however picked up from the DHCP-server. It is used as a prompt in the command line. With dynamic DHCP the IP and the host name may change from time to time. So to get a consistent hostname set it manually like this; in this example BMC-COVFEFE is used as hostname, but please use your own instead!

    The terminal may look like this:

    $ scutil --get HostName
    HostName: not set
    $ sudo scutil --set HostName BMC-COVFEFE
    Password:
    $ sudo scutil --set ComputerName BMC-COVFEFE
    $ sudo scutil --set LocalHostName BMC-COVFEFE
    $ scutil --get HostName
    BMC-COVFEFE
    $ scutil --get ComputerName
    BMC-COVFEFE
    $ scutil --get LocalHostName
    BMC-COVFEFE
    $ _

    Also check and set the NetBIOS-name. It may or may not be the same as the computer name and host name. The default is the same as the hostname but if this has been changed before it may be something else. Change it like this:

    The NetBIOS-name can be changed in the terminal as well like this:

    $ sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server NetBIOSName BMC-COVFEFE
    $ defaults read /Library/Preferences/SystemConfiguration/com.apple.smb.server NetBIOSName
    BMC-COVFEFE
    $ _
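The naming rule and the rename commands above can be combined into one small helper. This is an added example, not part of the original page: the function names are hypothetical, the serial number is a constructed sample, and the commands are printed for review instead of being executed.

```shell
#!/bin/sh
# Added example (not from the original page): build a computer name that
# follows the TLA-SERIAL rule above and print the commands that apply it.

# make_computer_name TLA SERIAL
# Prints TLA-SERIAL in upper case, at most 15 characters long.
make_computer_name() {
  tla=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
  # Drop everything that is not a letter or digit (spaces, dashes, ...).
  serial=$(printf '%s' "$2" | tr 'a-z' 'A-Z' | tr -cd 'A-Z0-9')
  case "$tla" in
    [A-Z][A-Z][A-Z]) ;;
    *) echo "TLA must be exactly three letters: $1" >&2; return 1 ;;
  esac
  if [ -z "$serial" ]; then
    echo "serial number is empty" >&2
    return 1
  fi
  # Keep the last 11 characters: cut away leading ones, as the rule says.
  while [ "${#serial}" -gt 11 ]; do
    serial=${serial#?}
  done
  # 3 (TLA) + 1 (dash) + at most 11 (serial) = at most 15 characters.
  printf '%s-%s\n' "$tla" "$serial"
}

# print_rename_commands NAME
# Prints the commands from the page with NAME filled in.
print_rename_commands() {
  cat <<EOF
sudo scutil --set HostName $1
sudo scutil --set ComputerName $1
sudo scutil --set LocalHostName $1
sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server NetBIOSName $1
EOF
}

# Demo with a constructed serial number (12 characters, so one is cut away).
# On a Mac the real one can be read with:
#   system_profiler SPHardwareDataType | awk '/Serial Number/ {print $NF}'
demo_name=$(make_computer_name bmc C02XK1ABJG5H)
print_rename_commands "$demo_name"
```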





    35. How do I set firewall rules in Linux to block SSH?

    See also: How to connect with VPN using AnyConnect in Windows
    See also: How do I connect to the VPN using Ubuntu?

    This is an example of how to set firewall rules in Linux. The iptables commands below first open incoming port 22/tcp (SSH) for the university network and then drop all other traffic to that port.

    The first command (iptables) adds a rule (-A) to the input chain (INPUT) for protocol tcp (-p tcp) on the incoming port (--destination-port) 22 for SSH, with a source (-s) in the university network (130.238/16), saying that the packets should be accepted (-j ACCEPT).

    The second command just drops everything else arriving on that port.

    # iptables -A INPUT -p tcp --destination-port 22 -s 130.238/16 -j ACCEPT
    # iptables -A INPUT -p tcp --destination-port 22 -j DROP

    How to save the rules is different between different distributions. In CentOS 7 I use the command service iptables save. In Ubuntu/Debian, install the package iptables-persistent and then run the command iptables-save > /etc/iptables/rules.v4. Reboot computer to see that the firewall rules stick.

    To see the current firewall rules run this command:

    # iptables -L -n
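Because -A appends to whatever is already in the chain, the order of the rules decides whether they do what was intended. The check below is an added example, not part of the original page: it reads `iptables -S INPUT` output and reports whether SSH is really limited to 130.238.0.0/16. The function name, verdict words and sample rule sets are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit the SSH rules shown above.
# Limits: only -s, -p, --dport and -j are interpreted. Other matches
# (interface, state) are treated as if absent, and jumps to other chains
# are not followed.
ALLOWED_SRC="130.238.0.0/16"   # the page's 130.238/16 as "iptables -S" prints it

# Reads "iptables -S INPUT" output on stdin and prints one verdict:
#   ok       allowed network accepted first, everyone else dropped
#   open     SSH accepted from any source before the drop rule
#   blocked  the drop rule is reached before any accept for ALLOWED_SRC
#   no-drop  no unconditional DROP/REJECT rule for tcp/22
#   extra    an accept rule exists for a source other than ALLOWED_SRC
#   review   a negated match ("!") was found and needs a manual look
check_ssh_rules() {
  verdict=$(awk -v allowed="$ALLOWED_SRC" '
    $1 != "-A" || $2 != "INPUT" { next }
    {
      src = "any"; proto = ""; port = ""; target = ""; negated = 0
      for (i = 3; i <= NF; i++) {
        if ($i == "!") negated = 1
        else if ($i == "-s") src = $(i + 1)
        else if ($i == "-p") proto = $(i + 1)
        else if ($i == "--dport") port = $(i + 1)
        else if ($i == "-j") target = $(i + 1)
      }
      # Rules after the first unconditional SSH rule are never reached.
      if (proto != "tcp" || port != "22" || decided) next
      if (negated) { review = 1; next }
      if (target == "ACCEPT" && src == allowed) allow_seen = 1
      else if (target == "ACCEPT" && src == "any") { verdict = "open"; decided = 1 }
      else if (target == "ACCEPT") extra = 1
      else if ((target == "DROP" || target == "REJECT") && src == "any") {
        verdict = allow_seen ? "ok" : "blocked"; decided = 1
      }
    }
    END {
      if (review) verdict = "review"
      else if (!decided) verdict = "no-drop"
      else if (verdict == "ok" && extra) verdict = "extra"
      print verdict
    }')
  echo "$verdict"
  [ "$verdict" = "ok" ]
}

# Constructed sample: the two commands from the page on an empty chain.
sample_page_rules() {
  cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -s 130.238.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
EOF
}

# Constructed sample: the same two commands run in the opposite order.
sample_reversed() {
  cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -s 130.238.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
EOF
}

# Constructed sample: an older accept-all SSH rule was already in the chain.
sample_leftover_accept() {
  cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 130.238.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
EOF
}

for s in sample_page_rules sample_reversed sample_leftover_accept; do
  printf '%s: %s\n' "$s" "$($s | check_ssh_rules || true)"
done
```

On a live host, run it as `iptables -S INPUT | check_ssh_rules`. iptables only filters IPv4, so a host that also has an IPv6 address needs matching ip6tables rules, which this check does not cover.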

    Also, to limit which accounts can login via SSH you can use the AllowUsers keyword in /etc/ssh/sshd_config like this:

    AllowUsers myaccount

    To allow more users:

    AllowUsers firstaccount secondaccount

    Restart or reload sshd or restart computer to use the new configuration for sshd.

    Read more about iptables at the Netfilter homepage.



    36. How do I configure my resolver on a Linux machine?

    See also: My Internet does not work! How can I find the problem?
    See also: How do I install Ubuntu?
    See also: How do I get deduplication to work in Linux?

    The university has a couple of resolvers which are referred to by resolver.uu.se.

    $ host resolver.uu.se
    resolver.uu.se has address 130.238.7.10
    resolver.uu.se has address 130.238.164.6
    resolver.uu.se has address 130.238.4.133
    resolver.uu.se has IPv6 address 2001:6b0:b:215:130:238:4:133
    resolver.uu.se has IPv6 address 2001:6b0:b:732:130:238:164:6
    resolver.uu.se has IPv6 address 2001:6b0:b:242:130:238:7:10
    $ _

    Historically the host name lookups in Linux were done by the resolver. No resolver was running and no cache existing locally in the machine. The resolvers were put in /etc/resolv.conf, either statically (manually) or via DHCP.

    The problem with this approach is that if the first in the list of external resolvers cannot be reached the timeout is defaulting to 5 seconds with 2 attempts. This means that if the first server is down there will be a timeout up to 2*5=10 seconds. When a resolver is failing most things using the network will get slow and not work very well. This can be decreased but not eliminated by adding a shorter timeout to /etc/resolv.conf:

    options timeout:1 attempts:1 rotate

    Using dnsmasq as a forwarding resolver

    Another, better, solution is to run dnsmasq in Linux. Dnsmasq will get you:

    1. Faster failover.
    2. Local cache.
    3. A well behaved client using central resolvers. (No problems with split-DNS, firewalls or router filters)

    This is what it looks like in CentOS 7 when not using NetworkManager (most common on servers) and using DHCP. It will replace the first nameserver with the local dnsmasq. This works for a server always located on the UpUnet network.

    Here we also add the Google public resolvers. But please note, if you add those you cannot reach local split-DNS, like the Windows-domains or other local networks (RFC1918). Also check that you have access (not blocked by router filter or firewall) to the Google public resolvers before you add them.

    $ yum install dnsmasq
    $ echo 'resolv-file=/etc/resolv.dnsmasq' > /etc/dnsmasq.d/resolv.file
    $ echo 'DNS=127.0.0.1' >>/etc/sysconfig/network
    $ host resolver.uu.se | grep -v IPv6 | awk '{print "nameserver " $4}' >/etc/resolv.dnsmasq
    $ echo 'nameserver 8.8.8.8' >>/etc/resolv.dnsmasq
    $ echo 'nameserver 8.8.4.4' >>/etc/resolv.dnsmasq
    $ _

    If you are running a totally static setup without NetworkManager you need to manually add the 127.0.0.1 resolver first in resolv.conf instead of adding it to the /etc/sysconfig/network configuration file.

    $ sed -i '1i nameserver 127.0.0.1' /etc/resolv.conf
    $ _

    Most clients use NetworkManager. For a client moving around between networks you need to get the recommended resolvers from DHCP but also insert the dnsmasq 127.0.0.1 resolver first. NetworkManager has built in support for dnsmasq. Simply adding dns=dnsmasq to the [main] section and then restart NetworkManager should solve it.

    [main]
    dns=dnsmasq

    Also check that dnsmasq does not have the option bogus-priv activated in /etc/dnsmasq.conf, otherwise queries about the local networks (RFC1918) will be blocked with the answer NXDOMAIN in dnsmasq. These are used in the university network so they should not be blocked between client and resolver. The default in CentOS 7 is to not have bogus-priv activated, which is fine. Otherwise, comment it out with:

    $ sed -i 's/\(^bogus-priv\)/#\1/1' /etc/dnsmasq.conf
    $ _


    Using Bind as a local resolver

    If you want to maximize reliability then nothing beats a local resolver. Just run BIND and set it up to only listen to the local machine (or local HPC cluster). On the university network, this usually requires openings in the router filters and perhaps firewalls in order to send UDP traffic in and out. Only do this if you do not want to pester the university resolvers with all your requests, like when you are running an HPC cluster connected to the USER-AD, doing statistics for a lot of webserver logs or something else similar.






    37. What should I think about when adding my own network printer?

    See also: How do I set up eduPrint for a Linux server?
    See also: What do the different symbols in BlueCat mean?
    See also: How do I use an Apple AirPort Time Capsule?
    See also: How do I use AddPrinterGUI to add printers in Windows 7/8/10 x64?
    See also: How do I add a macOS printer at IMBIM?

    Be aware that Uppsala University already has a central printing system currently called eduPrint. Getting your own printer is in general counterproductive.

    1. The printer should in general be configured to use DHCP. In order for the printer to get an IP-address the MAC-address should be added to the DHCP-server at the network. This is in general the central IPAM-system called Bluecat.
    2. Close down any older or unused protocols on the printer, like telnet or FTP. No other services than those to be used should be open at the printer.
    3. Set up a local firewall on the printer and only allow the networks that should be able to print directly to the printer.
    4. Check that the manufacturer has working drivers or instructions for at least macOS, Windows and Linux (RHEL/CentOS).
    5. Check that the PostScript module is added to the printer. Double check this when the computer has arrived. This makes printing on macOS work better or, on some models, work at all.
    6. For scanning purposes, use the central mail server called smtp.uu.se. As the sender of the mail, use the receiver's own mail address or create a special account for this. The sender must be accepted by the university mail servers. People receiving mail will eventually reply to this sender, so the behaviour should be known - do not send everything to a black hole, for example.
    7. For searching use the catalogue LDAP-server at ldap.uu.se or maybe the Active Directory LDAP-servers at dc.user.uu.se. For the latter an account is needed for access so create a function account for this.
    8. Set up logging for the printer to syslog.uu.se using the syslog protocol.
    9. Set up a unique password for the department printers. Make sure the default passwords are removed. Make sure the IT-support knows about the passwords.
    10. Make sure to update the firmware on the printer regularly in order to follow normal security guidelines.




    38. How do I add a macOS printer at IMBIM?

    See also: What should I think about when adding my own network printer?
    See also: How do I change default settings for a printer in macOS?
    See also: How do I change default settings for a printer in Windows?

    Imbim has new printers since 2018-03-22. Users with macOS clients need to reinstall the printers. Remove old Imbim printers before installing new ones. Depending on your macOS version, you may need to install a printer driver before installing the printer. See instructions below.

    One of the old printers remains (D9:4). That printer can still be used as before, without any changes.

    Important! You need to be connected to the Imbim network via cable to print using these printers. If you're not, use the central printing system for the university, eduPrint!

    Remove an old printer
    • Click on "System Preferences..." in the Apple menu.
    • Click on "Printers & Scanners"
    • Click on the printer you wish to delete on the left side.
    • Click on the minus sign in the down left corner and click on "Delete Printer".
    Install printer drivers
    Install a new Imbim printer
    Click on a link below to download an installation package for all or individual Imbim printers. Run the installation package by double clicking it and follow the on screen instructions.
    Change default settings for a printer
    Select your computer's OS below to view instructions for how to change the default settings for a printer.



    39. Which VLANs are at the campus BMC-router?

    See also: Some Cisco switch commands
    See also: How are the network sockets identified?
    See also: Who is resposible for what on the BMC network? Who can help me?

    This list was updated on 2018-04-25.

    IT-division has a tool called NetReg for looking up which IP-addresses belong to different VLANs and vice versa all over UpUnet. Contact Netsupport for access.

    IT-division is also running NetDB - Network tracking database, that does similar things like Arptrack we are running on BMC and just like for Netreg please contact Netsupport for access.

    There is also another router pair at the BMC server room. Please check the Vlans at NetReg and NetDB mentioned above.

    VLAN number  VLAN name
    1 default
    2 Management
    3 Backbone
    4 Backbone-2
    50 WLAN
    660 FarmBio
    661 ILK-fkog
    662 MCB-instr
    663 Kemi-analyt
    664 Neuro
    665 ILK-anafarm
    666 Farmaci
    667 Ytbioteknik
    668 ILK-orgfarm
    669 eu-support
    670 Ludwig
    671 Struktbio
    672 LCB
    673 Medcellbiol
    674 IBG-kurs
    675 IMBIM
    676 Struktbio-internt
    677 Kemi
    678 BMC-Adm
    679 BMC-Gemensamt
    680 BMC-Data
    681 FKI
    682 BMC-Styr
    683 Ludwig-internt
    684 Bibliotek
    685 NatBiokemi
    686 ICM
    687 SLU-hgen
    688 Bioorgchem
    690 MedfarmDoIT
    691 SLU-mbv
    692 BMMS
    693 Neuro-micro
    694 Ventilation
    695 Netlogin
    696 BMC-Mediatek
    697 Medfarm-kansli
    698 Korint
    699 IBG-adm
    900 BMC-AD
    901 AKKIS-UU.225
    902 IHV
    903 HORS
    904 Pubcare
    905 AKKIS
    906 Farmbio-cluster
    907 BMC-signage
    908 ICM-MB
    909 IGP-Dumanski
    910 IGP-A
    911 IGP-B
    912 ICM-MB-IB
    913 ICM-MB-EN
    914 ICM-MB-IPMI
    915 Video-conf.
    916 MEDSCI-ARRAY
    917 IGP-UGC
    918 IGP-FUG
    919 UPPNEX
    931 Molmed-client
    932 Molmed-lab
    933 SciLifeAdm
    934 SciLifeLab
    935 Neuro-IPMI
    936 FarmBio-IPMI
    937 IGP-C
    938 IMV
    939 BMC-CAM
    940 BMC-PROJECTOR
    941 ISP
    942 RUD-Gemensamt




    40. What is ransomware and CryptoLocker?

    See also: Help me I get so much spam! What can I do?
    See also: My computer has got a virus! What do I do?
    See also: How to use the IBM Spectrum Protect (Tivoli Storage Manager aka TSM)
    See also: How do I use an Apple AirPort Time Capsule?
    CryptoLocker is a ransomware trojan that targets computers running Microsoft Windows.
    - Wikipedia on CryptoLocker

    CryptoLocker and TorrentLocker infect computers running Windows via seemingly innocent email with links or attachments. Other ransomware attacking Mac has appeared too.

    Read more about ransomware, TorrentLocker and CryptoLocker on Wikipedia.

    To be infected, the receiver has in most cases actively tried to open and execute the payload. The payload may be disguised as a Word document, a script or something else that gives the impression of being innocent. Do not open files or attachments you have not requested!

    This (the example above in Microsoft Word) is not safe! Please be careful with Office files that require you to Enable Content. Enabling content may make it possible for evil macros to execute in Office, allowing the attacker to take control of your computer.

    This (the example above from Windows File Explorer) is an example of an opened .zip-file. A .zip-file is not dangerous in itself; it is just a way of storing one or many files in one compressed file. But it may be a way to bypass other simple security checks. For example, the anti-virus software may warn when downloading an .exe-file but may not warn when downloading a .zip-file.

    This (the icon above) is an example of what a .js-file looks like in File Explorer. This file will run with the Windows Script Host (wscript/cscript) and may download further potentially evil binaries. Windows Script Host will also run .jse- and .wsf-files. Also note that File Explorer may hide the real extension of a long file name like faktura.pdf.js and show it as faktura.pdf, which is misleading.
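
    The file-name trick described above, as an added example (not part of the original FAQ): a POSIX shell filter that flags Windows Script Host files and hidden double extensions in a list of attachment or archive-member names. The sample names, the decoy-extension list and the .vbs/.vbe/.scr entries are assumptions made here.

```shell
#!/bin/sh
# Added example: flag script files and hidden double extensions by name only.

# Constructed sample: names as they might appear in a mail attachment list
# or in the member listing of a .zip-file (for example from `unzip -Z1`).
SAMPLE_NAMES='faktura.pdf.js
minutes.docx
Report.JSE
photos.zip
scan/Invoice.PDF.wsf
setup.exe
thesis.v2.pdf'

# Print a verdict for one name:
#   disguised-script / disguised-executable  active content behind a decoy extension
#   script / executable                      active content, extension visible
#   archive                                  container, members need their own check
#   ok                                       nothing flagged
classify_name() {
    # Windows ignores case and trailing dots/spaces, so normalise them first.
    base=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/[. ]*$//')
    base=${base##*/}      # drop a directory part (zip members use "/")
    base=${base##*\\}     # ... or a Windows-style path
    case "$base" in
        *.*) ;;
        *) echo ok; return 0 ;;
    esac
    ext=${base##*.}       # the real (last) extension
    stem=${base%.*}
    prev=""
    case "$stem" in *.*) prev=${stem##*.} ;; esac

    # Decoy list is an assumption: document types a user expects to be harmless.
    case "$prev" in
        pdf|doc|docx|xls|xlsx|txt|jpg|png) decoy=1 ;;
        *) decoy=0 ;;
    esac

    case "$ext" in
        # .js, .jse and .wsf are named on this page; .vbs and .vbe are added
        # here because Windows Script Host runs them as well.
        js|jse|wsf|vbs|vbe) kind=script ;;
        exe|scr) kind=executable ;;
        zip) echo archive; return 0 ;;
        *) echo ok; return 0 ;;
    esac
    if [ "$decoy" -eq 1 ]; then
        echo "disguised-$kind"
    else
        echo "$kind"
    fi
}

# Read names on stdin, print "verdict<TAB>name" for everything not "ok".
scan_names() {
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        verdict=$(classify_name "$name")
        [ "$verdict" = ok ] || printf '%s\t%s\n' "$verdict" "$name"
    done
}

printf '%s\n' "$SAMPLE_NAMES" | scan_names
```

    A name-based check like this only narrows down what to look at; an "archive" verdict means the members of the .zip-file still have to be listed and checked the same way.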

    Even though the ransomware itself can easily be removed, the files stay encrypted, waiting for a ransom to be paid in order to get the decryption key.

    How to not get infected

    • Do not execute programs or even open attachments that random people have sent you.
    • Please don't do it.
    • If you have any suspicions regarding something you received via mail contact helpdesk@bmc.uu.se (BMC-IT).
    • Please forward the evil mail to no-spam@uu.se. Then the Uppsala University Security Division may adjust the rules for the mail filter and network firewall.

    What to do if infected

    1. Turn the computer off.
    2. Contact your local IT (helpdesk@bmc.uu.se) for help.
    3. Forward the evil mail to no-spam@uu.se so that the Uppsala University Security Division may adjust mail filter and network firewall rules.
    4. Change your passwords at the university. Change all passwords for all sites that you have automatically saved in your browser.
    5. In general, reinstall computer and restore data from backups or snapshots.

    Lessons to be learned from CryptoLocker

    • Use a file server with snapshots for storing data you do not want to lose. For example, the central university HNAS file server stores snapshots for up to a month by default.
    • Everything local to the computer that runs in the same security context as the user is not safe.
      • This means that local previous versions / snapshots are not safe if the user can turn them off. But having them is better than not.
      • This also means that backups like Time Machine, Cobian or similar, where the system stores a copy of the files in another storage place, are not safe unless the backup storage is snapshotted outside of the user's security context.
      • If you store extra backups of your files on external USB-attached storage, do not keep it plugged in all the time. Keep a couple of them in rotation so that you can go back to an older version.
    • Backups already taken should not be possible to overwrite from the client. This can be accomplished by, for example, using snapshots on the backup storage, like on a file server.
    • Even more advanced backup systems like TSM may not be safe, since they only store a limited number of versions of each file. If the ransomware encrypts the files and then makes some small updates to the files each day, then after the limited number of days has passed, all old uncorrupted versions will be gone.

    Also read more

    Read more from Europol's European Cybercrime Centre with friends at the No More Ransom! website.

    The Uppsala University Security Division has courses in basic information security (in Swedish). Every chapter takes just 2-4 minutes. There are 16 chapters in total.



    41. How do I configure IPMI for remote management?

    See also: Who is responsible for the network in the BMC server room?

    It is generally recommended not to expose the management interface for servers to the Internet. Not only do some computers come pre-configured with a default login and password, but the embedded software may have vulnerabilities that are not patched as fast as normal operating systems, or in some cases are not patched at all.

    Most servers with IPMI can change the IPMI out-of-band communication to go via a dedicated network. This is usually done in BIOS. Use a dedicated network or dedicated VLAN for this. In order not to let the servers expose themselves to each other, use the Private VLAN (protected ports) feature in the switches. Read about Private VLAN in Wikipedia.

    This is how to get the current settings in Linux:

    ipmitool lan print

    Change to using DHCP instead of Static:

    ipmitool lan set 1 ipsrc dhcp

    Setting the LAN MAC Address:

    ipmitool lan set 1 macaddr 00:25:90:12:34:56

    Supermicro

    Some Supermicro servers come pre-configured with failover IPMI meaning that the out-of-band communication for IPMI will share the same network connection as the server is normally using.

    This is quite unsafe and will expose IPMI with default login and password via the normal network. This can be changed by running these commands in Linux:

    Dedicated:

    ipmitool raw 0x30 0x70 0x0c 0x01 0x00

    Shared with LAN1:

    ipmitool raw 0x30 0x70 0x0c 0x01 0x01

    Failover:

    ipmitool raw 0x30 0x70 0x0c 0x01 0x02

    Even with correct router filters the management interface is not protected from traffic originating in the same VLAN. In addition to router filters blocking all traffic (except to clients using the management console), also set up a local firewall in the management interface, for example by following these instructions.
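
    An added example, not BMC-IT's own tooling: a POSIX shell audit that reads `ipmitool lan print` output and the Supermicro LAN-mode byte and reports whether the BMC has a private address and uses the dedicated port. The sample outputs are constructed, treating an RFC1918 address as the sign of a private management network is an assumption, and so is the read form of the raw command (`0x30 0x70 0x0c 0x00`); only the set forms appear above.

```shell
#!/bin/sh
# Added example: audit BMC LAN settings from ipmitool output.

# Constructed samples of `ipmitool lan print 1` output (not from a real server).
SAMPLE_LAN_BAD='Set in Progress         : Set Complete
IP Address Source       : Static Address
IP Address              : 192.0.2.10
Subnet Mask             : 255.255.255.0
MAC Address             : 00:25:90:12:34:56
Default Gateway IP      : 192.0.2.1
802.1q VLAN ID          : Disabled'

SAMPLE_LAN_GOOD='Set in Progress         : Set Complete
IP Address Source       : DHCP Address
IP Address              : 10.20.30.40
Subnet Mask             : 255.255.255.0
MAC Address             : 00:25:90:12:34:56
Default Gateway IP      : 10.20.30.1
802.1q VLAN ID          : Disabled'

# Print the value of one "Name : value" field. $1 = lan print text, $2 = name.
lan_field() {
    printf '%s\n' "$1" | awk -v key="$2" '
        { i = index($0, ":"); if (!i) next
          name = substr($0, 1, i - 1); sub(/[ \t]+$/, "", name)
          if (name == key) {
              val = substr($0, i + 1)
              sub(/^[ \t]+/, "", val); sub(/[ \t\r]+$/, "", val)
              print val; exit } }'
}

# Succeed if $1 is in 10/8, 172.16/12 or 192.168/16.
is_rfc1918() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.*)
            second=${1#172.}; second=${second%%.*}
            case "$second" in ''|*[!0-9]*) return 1 ;; esac
            if [ "$second" -ge 16 ] && [ "$second" -le 31 ]; then return 0; fi ;;
    esac
    return 1
}

# Map the LAN-mode byte to a name. The values follow the set commands on
# this page: 00 dedicated, 01 shared with LAN1, 02 failover.
supermicro_lan_mode() {
    byte=$(printf '%s' "$1" | tr -d ' \t\r\n')
    case "$byte" in
        00) echo dedicated ;;
        01) echo shared ;;
        02) echo failover ;;
        *)  echo unknown ;;
    esac
}

# Audit one BMC. $1 = `ipmitool lan print` text, $2 = LAN-mode byte.
# Prints one line per check; lines starting with FAIL need attention.
audit_bmc() {
    ip=$(lan_field "$1" "IP Address")
    src=$(lan_field "$1" "IP Address Source")
    mode=$(supermicro_lan_mode "$2")
    echo "INFO address=$ip source=$src"
    if is_rfc1918 "$ip"; then
        echo "OK   address is in RFC1918 space"
    else
        echo "FAIL address $ip is outside RFC1918 space (may be Internet-routable)"
    fi
    case "$mode" in
        dedicated) echo "OK   BMC uses the dedicated management port" ;;
        shared|failover) echo "FAIL LAN mode is $mode: BMC can answer on the normal network port" ;;
        *) echo "WARN LAN mode byte not recognised: $2" ;;
    esac
}

# Number of FAIL lines for one BMC (prints 0 when there are none).
count_failures() { audit_bmc "$1" "$2" | grep -c '^FAIL' || true; }

# On a live Linux host (needs root and ipmitool) the call would be:
#   audit_bmc "$(ipmitool lan print 1)" "$(ipmitool raw 0x30 0x70 0x0c 0x00)"
# The read form of the raw command is an assumption, see the lead-in.
echo "== constructed sample: failover mode on a non-private address =="
audit_bmc "$SAMPLE_LAN_BAD" " 02"
echo "== constructed sample: dedicated port on a private address =="
audit_bmc "$SAMPLE_LAN_GOOD" " 00"
```

    A clean result here says nothing about default passwords or about other controllers in the same VLAN; those still need the password change and the protected-ports setup described in the text.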




    42. I need a new subnet and a new VLAN!

    See also: We have a server, where should we put it?
    See also: What Internet bandwidth does the university have?
    • For networks connected to the BMC-hall-routers (in the BMC D11:0 server room) contact UUIT Netsupport.
    • For networks connected to the BMC-routers (everywhere else in BMC) contact helpdesk@bmc.uu.se.
      1. First find out how many IP addresses you need (Remember to fix DNS and perhaps DHCP)
      2. Then contact BMC-IT to see if there are any spare ranges
      3. Together with BMC-IT contact UUIT Netsupport to get new assignment




    43. Who is responsible for the network in the BMC server room?

    See also: We have a server, where should we put it?
    See also: Open the server room for me please
    See also: Which VLANs are at the campus BMC-router?
    See also: How do I configure IPMI for remote management?

    Physical Network

    Netsupport is responsible for the server room routers, the inter-rack connections and usually the top-of-rack switches.

    For the IP-layer there are several different options on how to setup the network.

    Currently the top-of-rack switches are usually connected with dual 1 Gbit/s connections to the server room routers (BMC-hall-routers). If there is a need for higher network connectivity please discuss with Netsupport.

    Securing the management networks

    Management ports for IPMI, LoM, RAID-controllers, dedicated NAS, etc. are quite hard to secure. In particular, IPMI may use a side-band management LAN connection. And some management controllers run their own operating system, complete with their own security problems and default passwords... This all means that the management ports have to be protected not only from the outside but maybe also from other management ports located on the same network, so that an attacker cannot jump between compromised systems over the management network.

    Keeping every management controller on its own VLAN of course solves this, but it uses too many VLANs and is too hard to manage.

    On the BMC-IT management network in the server room (called BMC-hall-IPMI) we use the private VLAN (protected ports) feature in the switches to prevent the management controllers from talking to each other. This is an RFC1918 network, and incoming traffic is restricted to the workstations meant for this management.

    Good Option one - your own network

    This option is good if you have a lot of servers in the server room, perhaps your own rack with equipment.

    The users of the server room may, if needed, order their own VLAN and subnet. This VLAN will only be available in the BMC server room. Contact and discuss this with Netsupport.

    BMC-IT will for their own servers (that BMC-IT do system administration for) have two VLANs, one network for the servers and one for the management.

    Good Option two - the shared networks

    This option is good if you need to put a single server or perhaps a small number of servers in the server room.

    There are two shared networks, currently (2016-09-15) Vlan956 Public_servers_ACLed and Vlan962 Public_servers_open, which are meant for shared usage in the BMC server room, for activity that does not require its own VLAN.

    Please note that neither of these two networks has a DHCP server activated, neither static DHCP nor dynamic DHCP. You need to set a static IP on the server without using a DHCP server.

    The BMC-hall function at the IT-division (UUIT) and BMC is responsible for allocating IP-ranges in this network.

    The normal procedure at the university is that those managing a network are also responsible for managing the router filter (via Netsupport), perimeter firewall (via Security and safety division), DNS and DHCP (via IPAM or UUIT/Domainmaster).

    But in this network the IP-ranges have been allocated to different users in different parts of the university organisation. Each individual system administrator using the different IP-ranges is responsible for their own activity in the IP-ranges they have been allocated. This responsibility includes managing changes in the router filter and the perimeter firewall, and managing DNS and DHCP via UUIT/Domainmaster.

    Bad Option three - the BMC network

    It is possible, but Not Recommended, to attach equipment to the VLANs in BMC in the server room. The switch in one of the BMC-IT racks is connected with a single 10 Gbit/s connection to the campus router in BMC (BMC-campus-router). Discuss this with BMC-IT. Responsible for that VLAN is the Local IT for that VLAN (which may or may not be BMC-IT).

    The only reasons we have seen for this is for example when handling old equipment with IP-related access control or using Bonjour-based services on Mac which work best over a single VLAN/Subnet.

    It is very important to not connect equipment to both the BMC-router and the BMC-hall-routers at the same time since this may lead to STP-renegotiation which will mess up the network. Don't do this.

    Bad Option four - dedicated network for a specific VLAN

    It is possible, but Not Recommended, to use a dedicated network to connect to a VLAN somewhere else in the university (or SLU) too. This is only meant for shorter periods, for example during migration from one server room to another. Discuss this with UUIT/Netsupport. This configuration is only meant for a limited amount of time during a migration.

    This is bad in several ways:

    • Less availability. The network will depend not only on the server room functioning (power, cooling) but also on the network at the other end (power, router, switches) where the dedicated connection terminates.
    • Complicated network. The stranger the network setup, the harder it is to maintain in the long run.
    • Limited amount of fiber. The university has a limited amount of dedicated fiber. New fiber between campuses is quite expensive.
    • Risk of network loops. There is a risk of STP-renegotiation when connecting networks from different routers together. This may lead to longer or shorter total network outages.

    It is very important to not connect equipment to both other routers and the BMC-hall-routers at the same time since this may lead to STP-renegotiation which will mess up the network. Don't do this.






    44. There is no wired network here - what to do?

    See also: Who is responsible for what on the BMC network? Who can help me?

    Is your room running out of network sockets? Here are your options.

    This usually happens when a room was planned for fewer people than are currently using it.

    • Use the wireless network
      This may not be an option because of low bandwidth and coverage. The wired network is usually more reliable than the wireless.
    • Use a long cable
      Figure out where the closest wired network socket is located and use a long cable. Do not do this excessively - try to keep the network cables in the same room.
    • Split the network socket
      It is possible to split a network socket (8 wires) into two (with 4 wires each). This only works for fast ethernet (which uses only 4 wires) and not gigabit ethernet (which uses 8 wires). (The network connection has to be split both in the cross connect cabinet and at the network socket.)
    • Get a small switch
      We prefer not to have a lot of small switches around the building, since they make problems in the network hard to find. But using a switch on the desk, where a single person or desk is using the switch and is aware that the switch exists, is usually fine. Do not use long cables from desktop switches to another desk.
    • Order a new socket
      A new double network socket costs around 3000 SEK but is cheaper when ordering more at the same time.




    45. How do I uninstall the Zenworks agent?

    See also: What is ZENworks? How do I install applications via ZENworks application window?

    Zenworks is used for these major reasons:

    1. Do automatic installation of software and settings when the computer is deployed. Some of the effort in this is shared all over the university.
    2. May be used for remote interactive control by user request.
    3. Self-service installation of software by the users, even without local administrator privileges, and far away from the university network over the Internet.
    4. Do inventory. This may save a lot of time when we really need to find out exactly how many copies of a certain program are installed on the computers.

    The load from the Zenworks agent is small on a modern computer, but if the computer is very old and slow there is a chance of a noticeable performance impact. In this case you might want to uninstall the Zen agent, even though this will increase the load on your local IT-support. There are often other, better ways of speeding up the computer:

    1. Make sure the computer has enough RAM. Upgrade to at least 8 GB RAM so that all programs fit in memory.
    2. Replace HDD with SSD. Solid state drives are a lot faster than rotating hard disk drives.
    3. Reinstall Windows. Windows-computers seem to get slower and slower over time. An extreme example was Windows Update in Windows XP that got glacially slow over time. This has been improved with later versions of Windows but it still exists.

    In the Zenworks console

    Anyway. The Zenworks agent is protected from uninstallation by the settings in Zenworks. A system administrator (contact helpdesk@bmc.uu.se) has to open the client in the Zenworks console, open Settings, open Device Management, open Zenworks Agent, choose Override the System settings and enable the option Allow users to uninstall the ZENworks Adaptive Agent.

    On the computer

    1. You have to be local administrator on the computer.
    2. Refresh the Zenworks agent in the task bar.

    3. Then on the computer open Programs and Features

    4. Find the Zenworks client and choose uninstall.

    5. Check the box Local uninstallation only.

    6. Do not keep anything. Do not retain CASA.

    7. Ok, go ahead...

    8. Wait for the Zenworks Uninstaller to complete.

    9. It will probably complain about not being able to remove everything, but just go ahead and restart when done.

    10. Uninstall done.




    46. What is the point with the zone files.uu.se?

    See also: What is Rrsync (restricted rsync)? How do I access PCFS storage over rsync?
    See also: How do I access PCFS over SMB using smbclient?
    See also: How do I mount my home directory or shared storage at HNAS?

    The initiative for the domain files.uu.se was taken in 2015-05 by BMC in order to get aliases with unique names for file server shares.

    For example, the file server share is named with the TLA-SHARENAME, like INV-Common. Then the CNAME will be TLA-SHARENAME.files.uu.se or INV-Common.files.uu.se pointing to the current file server where the share is located.

    The reasoning behind this is the following:

    1. Get a unique name in DNS for each file server share. This will facilitate migration of file server shares to new servers.

      We (the university) had a lot of trouble with the migration from the old NetApp file server to the new HNAS file servers. This zone, with an extra level of abstraction in front of the real file server names, was intended as a proactive way of eliminating one part of the problem in preparation for the next file server migration. It also makes it easier for those users (research groups or departments) that wish to or have to move their share from one storage system to another.

    2. Make it work for all operating systems. There is a function in the Microsoft Active Directory (with a similar goal) called DFS that puts all file server shares in a single name space. This, however, does not work all the time in all operating systems, such as non-AD-connected Windows clients, macOS (not all of the time) and Linux (it depends a lot on the configuration; for example, it does not work in Ubuntu out of the box).
    3. Network agnostic. Get access to the servers even from other networks where needed, when the USER-AD (user.uu.se) is not accessible due to split DNS and access restrictions, like UAS, SLU, UPPMAX, HPC-centers in Sweden and maybe mobile data. It is also not a requirement to use the university resolvers; it should work even if the local resolvers are down.




    47. How are the network sockets identified?

    See also: Which VLANs are at the campus BMC-router?
    See also: What Internet bandwidth does the university have?
    See also: My Internet does not work! How can I find the problem?
    See also: Who is responsible for what on the BMC network? Who can help me?
    See also: What is the name standard for network equipment on BMC.

    This is a double socket. The identifiers are written together on a sticker on the socket. This is how to decipher them:

                  Network socket identifier   Cross connect cabinet identifier
    Left socket   B1.216:05                   C1-D202-01-03
    Right socket  B1.216:06                   C1-D202-01-04

    These numbers mean that the socket is located at the B1:216 beam in the B1:2 corridor. The cross connect cabinet serving this network socket is located in C1:2 and in this case the rack called C1-D202 in the panel number 1 and socket number 3 and 4.

    Some of the sockets have room numbers instead of beam numbers where the beam numbers are not applicable.



    48. What service levels does BMC-IT have compared to others at the university?

    See also: Who manages IT-support for whom at BMC?
    See also: How do the different types of storage compare to each other?
    See also: What Internet bandwidth does the university have?
    See also: What is the cost of a PC file server?
    See also: What is the BMC-IT computer platform and how does it work?

    The different organisations at the university have different levels of service in order to fulfil their missions in a cost-efficient way.

    UUIT (IT-division) provides highly available services for the whole university.

    BMC-IT is focused on providing great services for the people at the campus and is trying to keep it simple and durable.

    UPPMAX is providing the best high-performance computing environment available, but is neither focused on high-availability nor user-focused service (not the individual users, but as a collective of course).

    Service   UUIT   BMC-IT   UPPMAX
    Server room cooling Redundant with backup (BMC-hall) Non-redundant
    Server room fire extinguisher Yes Yes
    Server room power Dual redundant UPS. Backup diesel power generator. Dual power to each rack. Non-redundant, UPS on critical systems
    Server room network Redundant routers, in general non-redundant top-of-rack switches but redundant etherchannel to clients via flexstacked switches also available Non-redundant (redundant core network)
    Server room stand-by personnel in-house Yes No
    Server room stand-by personnel external technician (power, cooling) Yes
    Stand-by decision making personnel, possible to order in technical personnel Yes No No
    Stand-by technical personnel No No No
    Vacation spread out so that somebody always on duty during work hours Yes Yes Yes
    All systems maintained by a group (not individuals) Yes Usually, but with a primary responsible person and contact Yes (Primary and secondary contact)
    Somebody among the contacts or responsible for a service always on duty. (Not vacation at the same time) Yes No No
    Redundant storage systems which handle partial failure gracefully Yes (HNAS) Yes
    Simple and small storage system with faster full restore No Yes (PCFS) No
    Maintenance window adapted to individual user groups No Yes No




    49. How do I activate group membership in AKKA?

    See also: Who is an employee and who is a student at the university?

    AKKA can control whether the user will get group membership to the AKKA-group of the group.

    For example a person employed at the BMC campus management will get membership into the group called AKKA - SI29_9 in USER-AD.

    This group controls access to network home directories for the department, shared folders for the group and automatic shared areas in Medarbetarportalen.

    1. You must be personal manager for the department.
    2. Get permission from the responsible person for the group. Group membership may give access (read-write) to research data belonging to the group.
    3. Find the user in AKKA. Check current status.

    4. Check the box gruppmedlemsskap





    50. What is the cost of a PC file server?

    See also: How do the different types of storage compare to each other?
    See also: We need more storage! Do you have a file server we can use?
    See also: What service levels does BMC-IT have compared to others at the university?
    See also: We have a server, where should we put it?

    Please note! BMC-IT has a PC storage solution service. Read more in the SOP - Common service PC file server. Also note that for home directories we recommend using the IT-division HNAS file server.

    These are examples of the costs of buying and maintaining a PC file server. The example below includes a server from Supermicro and one from HP. HP includes on-site support, Supermicro does not. Please note that TSM-backup is not included in these figures! (Prices updated in September 2016.)

    • Very cheap. Good for lots of data when the price has to be low.
    • Acceptable speed. Good bandwidth - can receive and send 1 Gbit/s (or 10 Gbit/s with appropriate network and multiple clients). Since the drives are rotating HDDs, the latency is higher and the IOPS are lower than with SSDs. But it works fine with large files.
    • Low availability. BMC-IT in general only does support during office hours. If the PC server totally breaks down (it may happen!) it will take some time to get service or spare parts, or to restore from backups. Compare this with the IT-division HNAS file server, which has built-in redundancy.
    • Linux and Active Directory. These examples use Linux (preferably CentOS 7) as the operating system, connect to the university Active Directory and work as a file server using Samba. More complex setups than this may need extra time to set up and maintain. For example, running a Windows server instead of Linux requires extra costs for licenses.

    This is a Supermicro file server with enterprise drives. Includes ship-in support from Southpole.

    Normal HP file server with enterprise drives, three year next business day on-site support from HP.

    This is a Supermicro file server with archive drives.

    Inputs:

    • Cost of a rack unit per year: 1250 (full rack) or 2000 (single machine) SEK
    • Number of rack units in the server room (U). If no new space is needed, set a 0 here.
    • Cost for the server with no drives (SEK)
    • The number of drives
    • Size of the drives (TB)
    • Number of years to run the server (warranty)
    • Cost of each drive (SEK)
    • The number of working hours spent each year on system administration and support (h/year)
    • The cost of a working hour (SEK/h)
    • The part of the raw storage that is usable (usable storage factor). RAID6 (two parity drives) on five drives equals 0.6.

    Results:

    • Purchase cost (SEK)
    • Raw storage (TB)
    • Usable storage (TB)
    • Yearly cost (SEK/year) over the number of years (includes everything)
    • Cost for raw disk (SEK/TB/year)
    • Cost for usable storage (SEK/TB/year)
    • Cost of two identical file servers, one for backup using snapshots / shadow copy (SEK/TB/year)
    • Cost of two servers (as above) and a cold standby with no drives (SEK/TB/year)





    51. How do I use offline files?

    See also: How do I access my home directory?
    See also: How do I change Windows offline files disk usage?

    What are offline files?

    Short story: It lets you always have access to your files even when not connected to the file server at the Uppsala University network.

    Long story: Windows has a feature for making files on a file server available offline even when the connection to the file server is lost. The client stores the files in an offline cache. Changes to a file made while offline are stored locally. When the computer or server is back online the data is synced to the server. This works well for files that a single user changes but not so well for shared folders where different users make changes to the same files.

    Enable offline files

    1. New computers installed and maintained by BMC-IT have offline files already enabled.

    2. In the start-menu, type offline to find and start Enable offline files. On this computer the administrator (BMC-IT) has already activated it.

    3. In the Offline Files window, click on Enable offline files.
    4. Restart computer for the changes to take effect.

    Make files or folders available offline

    1. The default settings make the redirected folders always available offline. This includes Desktop, My documents, AppData etc. This covers normal use, when all data is saved in these locations.

    2. It is possible to get other folders in the home directory available offline. In Explorer, right click on a folder or file and then choose Always available offline.
    3. Folders shared with other users should not be used with offline files. It is technically possible but may lead to conflicts.

    View offline files

    1. In the window Offline files (see above) choose the button View your offline files.

    2. Here is a representation of all files available offline. Enter the different directories to see what has been picked up.

    Keeping an eye on what's going on

    1. Open the task bar notification window for offline files. It looks like a green recycle circle.

    2. Right click to, for example, View conflicts.

    3. Since the notification did not show a warning there are no conflicts:

    Conflicts and how to handle them!

    1. However, we can provoke a conflict.
      1. Go offline by pressing Work offline in the file explorer.

      2. Change a file on your computer.
      3. Change the same file on another computer.
      4. Then Work online again on your computer.

      5. The status notification should now show a conflict:

      6. The View Conflicts dialog now shows the file where there is a conflict:

      7. By right-clicking on the file and choosing View options to resolve..., Windows tries to help with what to do:

      8. Keeping both versions makes both show in the file explorer:





      52. How do I use Eduroam, the wireless network, in Windows?

      See also: What Internet bandwidth does the university have?
      See also: Connect to eduroam using iPhone with iOS 10

      For manual installation follow this guide.

      With ZENworks you do like this.

      1. Start ZENworks application window and open Eduroam

      2. Wait for installation. It will not take long.
      3. Windows will ask for user and password

      4. Enter your username followed by @user.uu.se and your password B. This is not the password you use for logging in to your computer but the other one.

      5. If you have disconnected from Eduroam and want to connect again open the wireless connections in the taskbar and click on Eduroam.





      53. How to use WinSCP to access files over SCP on Windows

      SCP is encrypted making this a relatively secure way to access files even from home or over WLAN (wireless network).

      1. Download and install WinSCP from http://winscp.net/eng/download.php or open it in ZENworks application Window.
      2. Login on the server, in this example neuro-l2.neuro.uu.se using your username and password A.

      3. Accept the host key.

      4. Access your files. This is your home directory. If this is on a file server where the group stores data, you should not put stuff here.

      5. Change directory into the share for your group. On this particular server the shares are located in /data/hl, /data/kl2 etc. Go here by clicking on the / in the location and then on data.

        Or click on this little icon first and then on data.





      54. How do I activate my Office using KMS?

      See also: How do I start an elevated command prompt (as administrator) in Windows?
      See also: How do I force activation of Windows 10 using KMS?

      Microsoft Office 2010, 2013 or 2016 on Windows 7 or Windows 10 connected to the USER-AD, the university Active Directory (using the university accounts), should automatically activate on the university network.

      If it does not work or if the computer is not part of the Active Directory, follow these steps:

      1. Connect computer to the wired network at your department.
      2. Start an elevated command prompt window - run cmd (command prompt) as administrator. Please see the FAQ How do I check if I am a local administrator in Windows? on how to do this.
      3. Enter the Office installation directory for your version of Office:
        Office 2010 (32-bit)
        Enter the Office installation directory by typing cd c:\Program Files (x86)\Microsoft Office\Office14
        Office 2013 (32-bit)
        Enter the Office installation directory by typing cd c:\Program Files (x86)\Microsoft Office\Office15
        Office 2016 (32-bit)
        Enter the Office installation directory by typing cd c:\Program Files (x86)\Microsoft Office\Office16
        Office 2016 (64-bit)
        Enter the Office installation directory by typing cd c:\Program Files\Microsoft Office\Office16
      4. Run the activation script:
        1. First try to run the command cscript ospp.vbs /act. (Read more about this here: Tools to manage Office 2013 volume activation.)
        2. If the computer cannot find the KMS server (you may be behind NAT in a virtual machine), you can try the command slmgr /skms kms.user.uu.se first, and then the command slmgr /ato to activate (Windows) or cscript ospp.vbs /act (just Office).

          To find the correct host (kms.user.uu.se as of 2016-05-30), follow these instructions: How to discover Office and Windows KMS hosts via DNS and remove unauthorized instances

      5. Close the command prompt window.
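KMS hosts are advertised in DNS as _vlmcs._tcp SRV records, which nslookup -type=srv _vlmcs._tcp lists on Windows. The following added example (not part of the original FAQ) parses such output and flags any host other than kms.user.uu.se; the sample output, the example.org names and the assumption that the site uses the default KMS port 1688 are constructed for illustration.

```python
import re

AUTHORIZED_HOSTS = {"kms.user.uu.se"}  # the host named in this FAQ
KMS_PORT = 1688  # default KMS port; assumed to be what the site uses

# Constructed sample of Windows nslookup SRV output, not captured from a real network.
SAMPLE_OUTPUT = """\
_vlmcs._tcp.example.org  SRV service location:
          priority       = 0
          weight         = 0
          port           = 1688
          svr hostname   = kms.user.uu.se
_vlmcs._tcp.example.org  SRV service location:
          priority       = 0
          weight         = 0
          port           = 1688
          svr hostname   = labpc-17.example.org
"""


def parse_srv_records(output):
    """Return (hostname, port) for every SRV record in the nslookup output."""
    records, port = [], None
    for line in output.splitlines():
        m = re.match(r"\s*(port|svr hostname)\s*=\s*(\S+)\s*$", line)
        if not m:
            continue
        if m.group(1) == "port":
            port = int(m.group(2))
        else:
            # The hostname line closes a record; normalise case and trailing dot.
            records.append((m.group(2).rstrip(".").lower(), port))
            port = None
    return records


def audit(records):
    """Return (host, port, reason) for each record that needs investigating."""
    findings = []
    for host, port in records:
        if host not in AUTHORIZED_HOSTS:
            findings.append((host, port, "host not authorized"))
        elif port != KMS_PORT:
            findings.append((host, port, "unexpected port"))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_srv_records(SAMPLE_OUTPUT)):
        print(finding)
```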

      If an old version of Windows in some way managed to block the new installation, then run the EasyFix uninstall tool from Microsoft:

      1. Uninstall Office 2016, Office 2013, or Office 365 from a PC using the easy fix tool (Really useful if you have a Surface Pro or any other new computer with pre-installed Office 365 that you want to get rid of!)
      2. Uninstall or remove Office

      It is possible to do a manual uninstall of Office.





      55. Add a printer in Ubuntu 14.04

      See also: How do I install Ubuntu?
      See also: Print using UserCode for Ubuntu
      1. Find System Settings.

      2. Open System Settings

      3. Open Printers in System Settings

      4. Add a New Printer

      5. Expand the Network tree and see if it is browsable. Choose a way to connect. It usually does not matter. If the printer has dynamic DHCP (different IP from time to time) then use DNS-SD (Bonjour).

      6. For many printers the correct driver is found automatically, but if not, see if you can find it in the driver database. You need to know:
        • Manufacturer
        • Model
        • Perhaps the IP-address of the printer

      7. If not found automatically, pick Maker

      8. If not found automatically, pick Model

      9. Give it a name. We recommend room number and model.

      10. Ok! Let's go! Print Test Page and press Ok.

      11. Done!

      This documentation is covered by GNU Free Documentation License.