What is Latency?

What is Latency? KB ID 0001874


I hear people use the word ‘Latency‘ a lot, mostly without ever really understanding what it is. Unlike its close relations bandwidth and throughput*, which are measurements of data, latency is a measurement of TIME, and in a lot of scenarios it is variable depending on what’s happening.

*Note: Too low bandwidth and throughput can increase latency.

There will always be latency, because we are bound by the laws of physics: to pass a ‘light pulse’ down a fibre optic cable from London to Paris will take less time than it will to pass that same light pulse from London to New York. We call this propagation delay.

  1. Propagation Delay: This is the time it takes for a signal to travel from the sender to the receiver through the physical medium (such as fiber optics or copper cables). The speed of propagation is close to the speed of light but can vary slightly depending on the medium.
  2. Transmission Delay: This is the time required to push all the packet’s bits onto the wire. It is influenced by the size of the packet and the transmission rate of the network.
  3. Processing Delay: This is the time taken by network devices like routers and switches to process the packet header and make forwarding decisions. Processing delays are generally very small but can add up across multiple devices.
  4. Queuing Delay: This occurs when a packet waits in a queue before it can be transmitted. Queuing delays can vary significantly depending on the network congestion and the configuration of the network devices.
  5. Propagation Distance: The physical distance between the source and destination plays a critical role in latency. Longer distances naturally result in higher latency due to the increased time it takes for signals to travel.
  6. Network Congestion: High traffic volumes can cause congestion in the network, leading to increased queuing delays and, consequently, higher overall latency.
  7. Bandwidth and Throughput: Although bandwidth is the maximum rate of data transfer, actual throughput can be lower due to various factors, including network congestion and overheads. Lower throughput can contribute to higher latency.
  8. Protocol Overheads: Different network protocols have various overheads associated with them. For instance, the Transmission Control Protocol (TCP) has higher overhead due to its error-checking and recovery features compared to the User Datagram Protocol (UDP).
  9. Hardware and Software Limitations: The performance of network hardware (like routers, switches, and network interface cards) and software (such as drivers and network stacks) can impact latency. Faster and more efficient hardware and software reduce latency.
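As an added illustration (not from the original article), the first four items in the list above can be modelled per hop and summed over a path. The distances, link speeds and queue depths below are constructed sample values, and the 2/3 c propagation factor for fibre is an assumption.

```python
SPEED_OF_LIGHT_M_PER_S = 299_792_458.0


def hop_delays_ms(distance_km, link_bps, packet_bytes,
                  propagation_factor=0.67, processing_ms=0.05,
                  queued_packets=0):
    """Return the four delay components for one hop, each in milliseconds.

    propagation_factor is the fraction of c at which the signal travels in
    the medium (assumed roughly 2/3 in fibre); queued_packets is how many
    packets of the same size are already waiting in the output queue ahead
    of ours, each of which costs a further transmission time.
    """
    bits = packet_bytes * 8
    metres = distance_km * 1000.0
    propagation = metres / (SPEED_OF_LIGHT_M_PER_S * propagation_factor) * 1000.0
    transmission = bits / link_bps * 1000.0
    queuing = queued_packets * transmission
    return {
        "propagation": propagation,
        "transmission": transmission,
        "processing": processing_ms,
        "queuing": queuing,
    }


def path_latency_ms(hops, packet_bytes):
    """Sum the per-hop components over a path; returns (total_ms, breakdown)."""
    breakdown = {"propagation": 0.0, "transmission": 0.0,
                 "processing": 0.0, "queuing": 0.0}
    for hop in hops:
        for name, value in hop_delays_ms(packet_bytes=packet_bytes, **hop).items():
            breakdown[name] += value
    return sum(breakdown.values()), breakdown


# Constructed sample paths (approximate route lengths, not measurements).
LONDON_PARIS = [{"distance_km": 340, "link_bps": 10_000_000_000}]
LONDON_NEW_YORK = [{"distance_km": 5_600, "link_bps": 10_000_000_000}]
# Same distance as London-Paris, but the last hop is a congested 10 Mbit/s
# access link with 10 packets already queued: here queuing, not distance,
# dominates, which is the point of the note about low bandwidth above.
CONGESTED_ACCESS = [
    {"distance_km": 340, "link_bps": 10_000_000_000},
    {"distance_km": 1, "link_bps": 10_000_000, "queued_packets": 10},
]


if __name__ == "__main__":
    for label, path in [("London-Paris", LONDON_PARIS),
                        ("London-New York", LONDON_NEW_YORK),
                        ("London-Paris via congested access link", CONGESTED_ACCESS)]:
        total, parts = path_latency_ms(path, packet_bytes=1500)
        print(f"{label}: {total:.2f} ms one-way  {parts}")
```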

Latency is typically measured in milliseconds (ms) and can be assessed using various tools and techniques, such as ping tests and traceroute commands. Lower latency is especially crucial for applications requiring real-time interaction, such as online gaming, video conferencing, and financial trading systems.

Minimizing network latency involves optimizing network infrastructure, improving hardware and software efficiency, and ensuring adequate bandwidth and throughput to handle the expected traffic load.

What is Latency and Why is this Important?

Well the complaint is nearly always “We are experiencing latency issues“, usually when the ‘users’ are having performance issues with ‘something’. Now sometimes the problem IS the network (shock & horror). But all the bandwidth/throughput and low latency in the world will not help you if you have a poorly coded application, or your DNS is not set up correctly.

But it’s not just old and poorly coded applications that require low latency. Some application platforms we take for granted can suffer, for example:

  1. Online Gaming: Real-time multiplayer online games require low latency to ensure smooth gameplay and quick reactions. High latency can result in lag, making the gaming experience frustrating and uncompetitive.
  2. Video Conferencing: Applications like Zoom, Microsoft Teams, and Skype require low latency to facilitate real-time communication. High latency can cause delays, leading to awkward conversations and reduced communication quality.
  3. Voice over IP (VoIP): Services like Skype, WhatsApp, and other internet-based telephony services need low latency to provide clear and immediate voice communication. High latency can cause echo and delays, making conversations difficult.
  4. Financial Trading: Stock trading platforms and high-frequency trading systems rely on low latency to execute trades in milliseconds. Even minor delays can result in significant financial losses or missed trading opportunities.
  5. Telemedicine: Remote medical consultations, surgeries, and other healthcare services often require low latency to ensure accurate diagnostics and timely intervention.
  6. Augmented Reality (AR) and Virtual Reality (VR): AR and VR applications need low latency to provide immersive and responsive experiences. High latency can cause motion sickness and degrade the user experience.
  7. Industrial Automation and Control Systems: Manufacturing processes, robotics, and other industrial applications require low latency for precise control and real-time monitoring to ensure safety and efficiency.
  8. Autonomous Vehicles: Self-driving cars and drones rely on low latency for real-time data processing and decision-making to navigate safely and respond to dynamic environments.
  9. Cloud Gaming: Services like Google Stadia, NVIDIA GeForce Now, and Xbox Cloud Gaming stream games from the cloud to users’ devices. Low latency is critical to provide a responsive gaming experience comparable to playing on a local console or PC.
  10. Smart Grids: Advanced electrical grid systems require low latency for real-time monitoring and control to manage power distribution efficiently and respond to fluctuations in demand and supply.
  11. Remote Desktop Applications: Tools like Remote Desktop Protocol (RDP) and Virtual Network Computing (VNC) require low latency to provide a seamless and responsive experience when accessing and controlling a remote computer.
  12. Live Streaming: Interactive live streaming platforms like Twitch and YouTube Live require low latency to ensure minimal delay between the broadcaster and viewers, enabling real-time interaction through chat and other features.

Ensuring low latency for these applications often involves optimizing network infrastructure, using efficient communication protocols, and sometimes deploying edge computing to process data closer to the source.

Related Articles, References, Credits, or External Links

NA

 

VMware – Setting up ESX NTP Time Sync

KB ID 0000798

Problem

Having your ESX Server running the correct time is quite important, and before you visit this subject, I would suggest you MAKE SURE the time is set in the ESX Server’s BIOS, i.e. the internal clock is set correctly first. I’ve lost count of the number of times I’ve seen Windows domains fall over because the ESX host has reverted to its BIOS time and replicated that time to its guests; suddenly your domain clocks are two years apart and carnage ensues!

Solution

Note: For this to work the hosts need to be able to communicate with public time servers over NTP (UDP Port 123), ensure your firewall has this port open or time sync will fail.

1. Connect to the host (or vCenter and drill down to the host(s)). Select the host in question > Configuration > Time Configuration > Properties > Tick NTP Client Enabled > Options > Add > Add in your public time server IPs > Tick ‘Restart NTP Service to apply changes’ > OK > OK.

Note: I’m in the UK so I’m using two time servers in this country, you may want to use one closer to home.

130.88.212.143 = turnip.mc.man.ac.uk (Manchester University)
130.88.200.4 = dir.mcc.ac.uk (Manchester University)

2. When you see the following all is well.

Note: If all these details are IN RED, then it has failed to sync; either be patient, try putting the host into and out of maintenance mode, or reboot it. If it continues to fail, check it can see the public time servers on UDP port 123.

Related Articles, References, Credits, or External Links

NA

Windows – Setting Domain Time

KB ID 0000112

Problem

If you have arrived here, you have either noticed that the time is wrong on your server(s) or client PC(s), or you have looked in the event viewer and seen one of the following events being logged: Event IDs 12, 22, 29, 36, 38, 47, and 50.

Time Problem Events – On the PDC Emulator

Event ID 12 (W32 Time Time Provider NtpClient: This machine is configured to use {text omitted}, but it is the PDC emulator…).

Event ID 29 (The time provider NtpClient is configured to acquire time from one or more time sources…).

Event ID 36 (The time service has not synchronized the system time for 86400 seconds…).

Event ID 38 (The time provider NtpClient cannot reach or is currently receiving invalid time data from…).

Event ID 47 (Time Provider NtpClient: No valid response has been received from manually configured peer…).

Time Problem Events – On Domain Members

Event ID 50 (The time service detected a time difference of greater than 5000 milliseconds for 900 seconds…).

Event ID 22 (The time provider NtpServer encountered an error while digitally signing the NTP response for peer…).

Solution

Setting domain time is a TWO-STEP process, set the time correctly on the PDC emulator, then let the clients take their time from the PDC emulator.

Locate the PDC Emulator

1. On a domain controller, Windows Key+R > netdom query fsmo {Enter}.

2. Take note of the PDC name and go to that server.

NTP Firewall config

1. Ensure UDP Port 123 is open outbound from the PDC Emulator. How this is done will vary depending on your firewall vendor. If you have a Cisco ASA or a Cisco PIX see my article here.

To Test Use NTPTool

Below either the port is blocked (or the hostname/IP of the external NTP server is incorrect);

This is how it should look; every time you press query you should get a response, so now you know the correct port is open;
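The same check NTPTool does can be scripted. This is an added example, not the article’s tool: it builds a 48-byte SNTP client request, sends it to UDP port 123, rejects replies that are not usable (wrong mode, unsynchronised server, kiss-o’-death) and works out the clock offset and round-trip delay the way an NTP client does. Only the standard library is used; the server address is a parameter, and make_sample_response is a constructed reply so the parsing can be exercised offline.

```python
import socket
import struct
import time
from typing import Optional

NTP_PORT = 123
NTP_UNIX_EPOCH_DELTA = 2_208_988_800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix)


def _to_ntp_timestamp(seconds_ntp: float) -> bytes:
    """Encode a float NTP-epoch time as the 64-bit seconds.fraction wire format."""
    whole = int(seconds_ntp)
    frac = int((seconds_ntp - whole) * 2**32)
    return struct.pack("!II", whole, frac)


def _from_ntp_timestamp(raw: bytes) -> float:
    whole, frac = struct.unpack("!II", raw)
    return whole + frac / 2**32


def build_sntp_request(t1_ntp: float) -> bytes:
    """48-byte client request: LI=0, VN=3, Mode=3, our send time in the Transmit field."""
    first_byte = (0 << 6) | (3 << 3) | 3  # 0x1b
    return bytes([first_byte]) + b"\x00" * 39 + _to_ntp_timestamp(t1_ntp)


def parse_sntp_response(data: bytes, t4_ntp: float) -> dict:
    """Validate a server reply and compute clock offset and round-trip delay.

    t4_ntp is the time (NTP epoch, by our own clock) at which the reply arrived.
    Raises ValueError for anything that is not a usable, synchronised reply.
    """
    if len(data) < 48:
        raise ValueError("short packet (%d bytes)" % len(data))
    li, vn, mode = data[0] >> 6, (data[0] >> 3) & 7, data[0] & 7
    stratum = data[1]
    if mode != 4:
        raise ValueError("mode %d is not a server reply" % mode)
    if li == 3 or stratum == 0:
        raise ValueError("server unsynchronised or kiss-o'-death (stratum 0)")
    t1 = _from_ntp_timestamp(data[24:32])  # originate: our request's transmit time, echoed back
    t2 = _from_ntp_timestamp(data[32:40])  # receive: when the server got our request
    t3 = _from_ntp_timestamp(data[40:48])  # transmit: when the server sent the reply
    t4 = t4_ntp
    return {
        "version": vn,
        "stratum": stratum,
        "offset_s": ((t2 - t1) + (t3 - t4)) / 2,  # positive: our clock is behind the server
        "delay_s": (t4 - t1) - (t3 - t2),
    }


def query_ntp(server: str, timeout: float = 3.0) -> Optional[dict]:
    """Send one SNTP query over UDP/123; None means no reply (blocked port or bad host)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        t1 = time.time() + NTP_UNIX_EPOCH_DELTA
        sock.sendto(build_sntp_request(t1), (server, NTP_PORT))
        data, _ = sock.recvfrom(512)
        t4 = time.time() + NTP_UNIX_EPOCH_DELTA
    except (socket.timeout, OSError):
        return None
    finally:
        sock.close()
    return parse_sntp_response(data, t4)


def make_sample_response(t1: float, t2: float, t3: float, stratum: int = 2) -> bytes:
    """Constructed stratum-2 server reply (LI=0, VN=3, Mode=4) for offline testing."""
    header = bytes([(0 << 6) | (3 << 3) | 4, stratum, 6, 0xEC])  # poll 6, precision -20
    header += b"\x00" * 8                 # root delay, root dispersion
    header += b"GPS\x00"                  # reference ID
    header += _to_ntp_timestamp(t2 - 60)  # reference timestamp
    return header + _to_ntp_timestamp(t1) + _to_ntp_timestamp(t2) + _to_ntp_timestamp(t3)


if __name__ == "__main__":
    import sys
    result = query_ntp(sys.argv[1] if len(sys.argv) > 1 else "pool.ntp.org")
    print("no reply: check UDP 123 outbound and the server name" if result is None else result)
```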

Configure the PDC Emulator to collect Reliable Time

There are two ways to do this: 1. Use Group Policy, and 2. Use the command line.

Setting PDC Emulator Time With Group Policy

Of course our PDC Emulator is also a domain controller, so we need to link a GPO to the Domain Controllers OU. But we don’t want all DCs getting their time from an external source, so we will create a WMI filter to ensure the policy will only apply to the PDC emulator server.

Administrative tools > Group Policy Management > WMI Filter > New > PDC-Emulator-Only > Add > Select * from Win32_ComputerSystem where DomainRole = 5 > OK.

Don’t panic if you see this error > OK > Save.

Create a new GPO linked to the Domain Controllers OU.

Change the policy so it uses your WMI filter;

Edit The Policy, and navigate to;

[box]Computer Configuration > Policies > Administrative Templates > System > Windows Time Service > Time Providers[/box]

Configure Windows NTP Client

Enable the policy > set the NtpServer setting to server-name(comma)stratum-type(space). If you get this wrong you won’t sync, and you will see this error.

Enable Windows NTP Client

Enable the Policy (The server still needs to get its time from the external source!)

Enable Windows NTP Server

Enable the policy (The server also needs to provide time to the domain clients).

Save and exit the policy editor, then on the PDC emulator force a policy update and resync the time. Finally run rsop to make sure the settings have applied.

Setting PDC Emulator Time From Command Line

 

1. On the PDC emulator Windows Key+R > cmd {Enter}.

2. At command line execute the following four commands;

[box]

w32tm /config /manualpeerlist:ntp2d.mcc.ac.uk /syncfromflags:manual /reliable:yes /update

net stop "windows time"

net start "windows time"

w32tm /resync 

[/box]

Note: If you are NOT in the UK or simply want to use a different NTP time server go here for alternatives.

3. Look in the servers Event log > System Log for Event ID 37.

---------------------------------------------------------------
Event Type: Information
Event Source: W32Time
Event Category: None
Event ID: 37
Date: xx/xx/xxxx
Time: xx:xx:xx
User: N/A
Computer: {servername}
Description:
The time provider NtpClient is currently receiving valid time 
data from ntp2d.mcc.ac.uk (ntp.m|0x0|10.0.0.1:123->130.88.203.64:123).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
---------------------------------------------------------------

4. You will also see Event ID 35.

---------------------------------------------------------------
Event Type: Information
Event Source: W32Time
Event Category: None
Event ID: 35
Date: xx/xx/xxxx
Time: xx:xx:xx
User: N/A
Computer: {servername}
Description:
The time service is now synchronizing the system time with the time source 
ntp2d.mcc.ac.uk (ntp.m|0x0|10.0.0.1:123->130.88.203.64:123).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
---------------------------------------------------------------

Step 2 Check the domain clients

This is all you should need to do, because (by default) all domain clients get their time from the PDC when they log on, but to check;

1. Windows Key+R > cmd {enter}.

2. Execute the following command;

[box] w32tm /monitor [/box]

3. You will see the time this client can see, on all the domain controllers.

[box]

C:\Documents and Settings\Administrator.yourdomain>w32tm /monitor
server-dc.yourdomain.co.uk [192.168.1.1]:
ICMP: 0ms delay.
NTP: +363.2032725s offset from server-pdc.yourdomain.co.uk
RefID: server-pdc.yourdomain.co.uk [192.168.69.6]
site2-dc.yourdomain.co.uk [192.168.2.1]:
ICMP: 70ms delay.
NTP: +0.0470237s offset from server-pdc.yourdomain.co.uk
RefID: dc.yourdomain.co.uk [192.168.69.4]
serverdc2.yourdomain.co.uk [192.168.1.4]:
ICMP: 0ms delay.
NTP: +0.0000553s offset from server-pdc.yourdomain.co.uk
RefID: server-pdc.yourdomain.co.uk [192.168.1.6]
server-pdc.yourdomain.co.uk *** PDC *** [192.168.1.6]:
ICMP: 0ms delay.
NTP: +0.0000000s offset from server-pdc.yourdomain.co.uk
RefID: scarp.mc.man.ac.uk [130.88.203.64]

[/box]

In the case above the time on server-dc is way out; address that first (it was an old Windows 2000 server, and running “net time server-pdc” {enter} fixed it).

4. Once all the domain controllers have a time that’s accurate (like the last three in the example above), then proceed.
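Reading the w32tm /monitor output by eye is fine for four DCs; for more, the check in step 4 can be scripted. This is an added example, not part of the original article: it parses the output into one record per domain controller and flags any whose offset from the PDC is outside tolerance, using the 5 second (5000 ms) threshold from the Event ID 50 message above as the default. SAMPLE_OUTPUT is the article’s own output reproduced as constructed input so the script runs offline.

```python
import re

# One record per DC: "host [ip]:" (the PDC has "*** PDC ***" before its address),
# followed by indented ICMP / NTP / RefID lines.
HOST_RE = re.compile(r"^(?P<host>\S+?)(?P<pdc> \*\*\* PDC \*\*\*)? \[(?P<ip>[\d.]+)\]:$")
ICMP_RE = re.compile(r"^ICMP: (?P<ms>\d+)ms delay\.")
NTP_RE = re.compile(r"^NTP: (?P<offset>[+-]\d+\.\d+)s offset from (?P<ref>\S+)")
REFID_RE = re.compile(r"^RefID: (?P<refid>\S+) \[(?P<refip>[\d.]+)\]")


def parse_w32tm_monitor(text):
    """Return a list of dicts, one per domain controller in `w32tm /monitor` output."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            current = {"host": m["host"], "ip": m["ip"], "is_pdc": m["pdc"] is not None,
                       "icmp_ms": None, "offset_s": None, "offset_from": None, "refid": None}
            entries.append(current)
            continue
        if current is None:
            continue  # prompt line or anything before the first DC record
        if (m := ICMP_RE.match(line)):
            current["icmp_ms"] = int(m["ms"])
        elif (m := NTP_RE.match(line)):
            current["offset_s"] = float(m["offset"])
            current["offset_from"] = m["ref"]
        elif (m := REFID_RE.match(line)):
            current["refid"] = m["refid"]
    return entries


def out_of_tolerance(entries, max_offset_s=5.0):
    """DCs whose offset from the PDC exceeds max_offset_s; a DC that returned no
    NTP line at all is reported too, since it could not be checked."""
    return [e for e in entries
            if e["offset_s"] is None or abs(e["offset_s"]) > max_offset_s]


# Constructed sample: the output shown in the article, with w32tm's indentation.
SAMPLE_OUTPUT = """\
C:\\Documents and Settings\\Administrator.yourdomain>w32tm /monitor
server-dc.yourdomain.co.uk [192.168.1.1]:
    ICMP: 0ms delay.
    NTP: +363.2032725s offset from server-pdc.yourdomain.co.uk
        RefID: server-pdc.yourdomain.co.uk [192.168.69.6]
site2-dc.yourdomain.co.uk [192.168.2.1]:
    ICMP: 70ms delay.
    NTP: +0.0470237s offset from server-pdc.yourdomain.co.uk
        RefID: dc.yourdomain.co.uk [192.168.69.4]
serverdc2.yourdomain.co.uk [192.168.1.4]:
    ICMP: 0ms delay.
    NTP: +0.0000553s offset from server-pdc.yourdomain.co.uk
        RefID: server-pdc.yourdomain.co.uk [192.168.1.6]
server-pdc.yourdomain.co.uk *** PDC *** [192.168.1.6]:
    ICMP: 0ms delay.
    NTP: +0.0000000s offset from server-pdc.yourdomain.co.uk
        RefID: scarp.mc.man.ac.uk [130.88.203.64]
"""


if __name__ == "__main__":
    for e in out_of_tolerance(parse_w32tm_monitor(SAMPLE_OUTPUT)):
        print(f"{e['host']} ({e['ip']}): offset {e['offset_s']}s from "
              f"{e['offset_from']}, fix this DC before touching the clients")
```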

5. Execute the following commands on a client machine;

[box]

net stop "windows time"

net start "windows time"

w32tm /resync 

[/box]

6. The machines event log should show the following successful events;

Event ID 37 (The time provider NtpClient is currently receiving valid time data from..).

Event ID 35 (The time service is now synchronizing the system time with the time source..).

Setting Domain Clients Time via GPO

As already outlined you should not need to do this (as it’s the default setting), but if there’s a problem you can force domain clients to look at your PDC emulator for reliable time.

Create a GPO, and link it to the OU containing the computers you want to sync.

Edit the policy and navigate to;

[box]Computer Configuration > Policies > Administrative Templates > System > Windows Time Service > Time Providers[/box]

Configure Windows NTP Client

Enable the policy > Set the NtpServer to {Your-PDC-Name},0x9  > Set the Type to NT5DS.

Enable Windows NTP Client

Enable this policy.

Testing Client NTP Settings

Either run;

[box]w32tm /query /status[/box]

Or run RSOP.

 

Related Articles, References, Credits, or External Links

PDC Emulator: Cannot Sync Time From External NTP Server

Cisco ASA – Configuring for NTP 

 

Windows – Error ‘A Good Time server could not be located’

KB ID 0000705

Problem

Seen when running dcdiag,

Error(s):

Starting test: Advertising
Warning: Server-Name is not advertising as a time server.
......................... Server-Name failed test Advertising

 

Running enterprise tests on : PeteNetLive.com
Starting test: Intersite
......................... PeteNetLive.com passed test Intersite
Starting test: FsmoCheck
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
A Good Time Server could not be located.
......................... PeteNetLive.com failed test FsmoCheck

Solution

Note: Any one of the things below can cause this problem, I suggest you retry running dcdiag after each step until it runs without error.

1. In a Windows domain, clients normally get their time from the domain controller that holds the PDC Emulator role. Locate that server and log on.

Locate your FSMO Role Servers

2. Now configure your PDC emulator to get its time from a reliable external source.

Windows – Setting Domain Time

3. If you have got this far, then you should already have the Windows Time service running, check!

4. From command line, remove and reinstall the Windows time service with the following two commands.

[box]
w32tm /unregister
w32tm /register
[/box]

Note: It’s not unusual to see the following error after you issue a ‘w32tm /unregister’ command,

Error
The following error occurred: Access is denied (0x80070005)

If this happens don’t panic, open the services console (Press F5) and the Windows Time Service may have disappeared (if so re-register it). If not manually stop the Windows Time service and try to unregister again, then re-register.

WARNING: After doing this, you will need to set the time service to get reliable time from an NTP External Server again.

5. Press Windows Key+R > regedit {enter} > Navigate to the following registry key;

[box]HKLM > System > CurrentControlSet > services > W32Time > Parameters[/box]

Ensure the Type value is set to NTP, then restart the Windows Time service and check again.

5. Whilst still in the registry editor navigate to;

[box]HKLM > System > CurrentControlSet > services > W32Time > Config[/box]

Set the AnnounceFlags value to 5.

6. Whilst still in the registry editor navigate to;

[box]HKLM > System > CurrentControlSet > services > W32Time > Time Providers > NtpServer[/box]

Make sure the Enabled value is set to 1 (one).

7. If the problem persists, on the PDC Emulator run gpedit.msc > Navigate to;

[box]Computer Configuration > Administrative Templates > system > Windows Time Service[/box]

Make sure ‘Global Configuration Settings’ is set to ‘Not Configured’.

Navigate to;

[box]Computer Configuration > Administrative Templates > system > Windows Time Service > Time Providers[/box]

Make sure ALL the settings are set to ‘Not Configured’.

If you changed anything, run ‘gpupdate /force’ and try again.

8. On the PDC Emulator, open a command window (Note: You must Run as Administrator!) > In the Computer Settings section, locate all the policies that are applying to the server.

Note: As a shortcut to find the offending policy, you could run ‘gpresult /v > c:\gpresult.txt’ then search that text file for any instance of w32tm, (here’s an example).

As above navigate to;

[box]Computer Configuration > Administrative Templates > system > Windows Time Service[/box]

Make sure Global Configuration Settings is set to ‘Not Configured’.

Navigate to;

[box]Computer Configuration > Administrative Templates > system > Windows Time Service > Time Providers[/box]

Make sure ALL the settings are set to ‘Not Configured’.

If you changed anything, run ‘gpupdate /force’ and try again.

Related Articles, References, Credits, or External Links

NA

Event ID 1014 and 1002 (Windows IIS Web Server)

KB ID 0000808 

Problem

Seen on Server 2003 running IIS 6, about once a week the website would fail, and the client had to reboot the server to bring things back up again. I took a look at the server and noticed that when the failure happened, we had five Event ID 1014 errors;

Source W3SVC
The World Wide Web Publishing Service encountered an internal error in its process management of worker process ‘<value>’ serving application pool ‘DefaultAppPool’. The data field contains the error number.

And finally we had an Event ID 1002;

Source W3SVC
Application pool ‘DefaultAppPool’ is being automatically disabled due to a series of failures in the process(es) serving that application pool

Solution

1. Before you proceed make sure this is not the problem.

2. Open the Internet Information Services (IIS) Manager > {Servername} > Application Pools > DefaultAppPool (unless your error is for another app pool) > Properties > Health.

3. Rapid-Fail Protection: You may wish to troubleshoot by simply increasing the thresholds, (the frequency of your 1002 events should give you a pointer). Though from what I’ve read this system tends to cause more problems than it cures, in the end I disabled it completely.

Warning: Disabling a system that is designed to protect you inherently has dangers.

If you suddenly get an unstable server, or memory leak problems you might want to reinstate this, and start checking the code in your website!

Related Articles, References, Credits, or External Links

NA

Error Adding Office KMS Keys “0x80072F8F”

KB ID 0000584 

Problem

Seen when adding an Office 2010 KMS key on a Windows 2008 R2 KMS Server.

Note: Using the Microsoft Office 2010 KMS Host License pack as per this article.

An error occurred: 0x80072F8F
To display the error text run the following:
slui.exe 0x2a 0x80072F8F

Solution

1. If you do run the command that they have asked you to, all you get is;

Code:
0x80072F8F
Description:
A Security error occurred

2. Not very helpful, however some Google searching turned up the solution. Check the time on the KMS server is correct, mine was way out.

Note: This had happened because the domain controller was on an ESXi host with the incorrect time, the KMS server took its time from the domain controller when it booted. (Domain clients typically take their time from the DC holding the PDC emulator role).

Locate your FSMO Role Servers

3. With the time fixed, try once again, and you should be successful.

Related Articles, References, Credits, or External Links

Using KMS Server for Windows Server 2008 R2, Windows 7, and Office 2010

Office 2010 – Find your Version and Licensing Information

Activation Error: Code 0x8007232b DNS Name does not exist

 

Mailbox Move Error – ‘Couldn’t switch the mailbox into Sync Source mode’

KB ID 0000795 

Problem

While attempting to move a mailbox between sites last week I got this;

Error details: Couldn't switch the mailbox into Sync Source mode.
This could be because of one of the following reasons:
Another administrator is currently moving the mailbox.
The mailbox is locked.
The Microsoft Exchange Mailbox Replication service (MRS) doesn't have the correct 
permissions. Network errors are preventing MRS from cleanly closing its session 
with the Mailbox server. If this is the case, MRS may continue to encounter this 
error for up to 2 hours - this duration is controlled by the TCP KeepAlive settings 
on the Mailbox server. Wait for the mailbox to be released before attempting to move 
this mailbox again.

Solution

I knew no one else was attempting to move it, and I had full exchange permissions.

In my case the two sites with Exchange were joined together with a site to site VPN; the error message was giving me a hint (though a cryptic one) with the ‘Network errors are preventing MRS‘ comment. What I needed to do was increase the ‘Keep Alive’ time for it to complete.

Note: I increased the keep alive time to 1 hour; most posts I’ve seen recommend 5 minutes. It’s up to you, I was running my mailbox moves overnight and I didn’t want to walk back into carnage. Just REMEMBER to DELETE the registry entry when the mailbox moves are complete!

1. Before you can attempt to move the mailbox again you need to remove the move request, either graphically (Exchange 2007/2010) from the Exchange Management console > Recipient Configuration > Move Request > Locate and delete the move request, or from PowerShell;

[box]
Remove-MoveRequest {Username}
[/box]

2. On the source mailbox server, Start > Run > Regedit > Navigate to the following registry key;

[box]
HKEY_Local_Machine > System > CurrentControlSet > Services > Tcpip > Parameters
[/box]

Create (or edit if it’s already there) a 32 bit DWORD value.

3. Call the value KeepAliveTime and set its value to 3600000 (Note: in milliseconds that’s 1 hour); if that’s too rich for you use 900000 (15 minutes).

4. Repeat the process on the destination mailbox server (and any Hub Transport servers that will be in the ‘path’ of the mailbox move).

5. Don’t forget to remove these changes when you are finished.

 

Related Articles, References, Credits, or External Links

NA

Exchange 2003 – Defragmenting Your Database with Eseutil

KB ID 0000814 

Problem

I don’t have many clients left that still have Exchange 2003, so this will probably be the last time I have to do this (famous last words).

Exchange databases NEVER get smaller; if you delete information out of them, it simply creates white space that Exchange will reuse (so they will steadily grow in size). Before you carry out this procedure, get your users to clear down their mailboxes. Also delete/purge any unused mailboxes; this will make your defrag more efficient.

Solution

In my case the server the database was on was short on drive space. Remember you need 110% of the size of the database free space to carry out this procedure (so a 50GB database needs 110GB of free space to defragment). I did this with an external USB Drive.

Note: Moving large databases to USB media can take a while; at USB 2 speed (48 MBps (480 Mbps)) it took about 45 minutes to copy the database files to it.

1. You don’t need to do this, but locate where the log files for this database are being stored, because in a minute we are going to take a copy (just in case). Right click the storage group the database is in > Properties > General > Transaction log location.

2. Now for the database itself, right click the Mailbox Store (or public folder database if that’s the one you are going to defrag) > Properties > Database > Exchange databases.

3. On my external drive I’ve created two folders, one holds the original untouched database files and the logs, the other (EDB_Files) holds a copy of the priv1.edb and priv1.stm files for the mailbox database that I’m going to defragment.

4. Eseutil.exe lives in the Exchange program folder in the bin directory, change to that directory;

[box]
cd "c:\Program Files\Exchsrvr\bin"
[/box]

Now if we simply run eseutil on the database, it will create a temporary database on the C: drive, which I don’t want (remember we are tight for drive space). So I will specify where the temp database will be, and start the defragmentation.

[box]

eseutil /d {Path to the Database} /t {Path to the temp Database}

e.g.

eseutil /d H:\EDB_Files\priv1.edb /t H:\EDB_Files\TempDB.edb

[/box]

How long will eseutil take? That’s a horrible question to answer; it depends on the CPU/memory of the server, and the size of the database itself. In this case it was a 70GB database, on an HP G4 series server, and it took 11 hours and 6 minutes (approx).

5. When done it should say it has completed successfully.

6. You can now delete the original EDB and STM files from the Exchange Server.

7. Then copy and paste your defragmented versions back into the original folder.

8. You can now mount the mail store(s).

9. Finally make sure you get a full backup of the Exchange database, (with some Exchange aware backup software).

Related Articles, References, Credits, or External Links

ESEUTIL error – “Unable to find the callback library jcb.dll”

Cisco IOS – Enrolling for Certificates with NDES

KB ID 0000948

Problem

To get your Cisco Router or Switch to enroll, and obtain a certificate from a Windows Server running NDES, this is the procedure you need to follow.

Solution

When dealing with certificates, it’s important that your device is maintaining the correct time. You can set this manually, but I’d recommend setting up NTP.

Setting IOS Time (Manually and via NTP)

1. Choose either of the options below, (as applicable). Note: I’m in the UK so my time is GMT, and I need to allow for daylight saving time, (so your settings may vary depending on your locale).

[box]

Setting Time Manually

Petes-RTR(config)#clock timezone GMT 0
Petes-RTR(config)#clock summer-time BST recurring last Sunday March 01:00 last Sunday October 01:00
Petes-RTR(config)#exit
Petes-RTR#clock set 10:47:00 Apr 30 2014
Petes-RTR#show clock
10:47:05.499 BST Wed Apr 30 2014
Petes-RTR#

Setting Time via NTP

Petes-RTR#show clock
*15:36:38.383 PCTime Mon Feb 16 2009
Petes-RTR#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-RTR(config)#ntp server 87.124.126.49
APPLY THE 'CUP Of COFFEE RULE'

Petes-RTR#show clock
10:09:52.437 PCTime Wed Apr 30 2014
Petes-RTR#

[/box]

Enrolling via NDES

1. Make sure the device can contact the NDES server, (simply pinging it should suffice). Then set a hostname and domain name. These are required to generate an RSA Key-pair on the device before we start.

[box]

R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#hostname RTR-1
RTR-1(config)#ip domain-name testbench.local
RTR-1(config)#crypto key generate rsa modulus 2048
The name for the keys will be: RTR-1.testbench.local

% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]

RTR-1(config)#
*Mar 1 01:01:47.491: %SSH-5-ENABLED: SSH 1.99 has been enabled

[/box]

2. Create a set of CA settings (a trustpoint), then authenticate to it.

[box]

RTR-1(config)#crypto pki trustpoint PNL-TRUSTPOINT
RTR-1(ca-trustpoint)# enrollment url http://192.168.80.130/CertSrv/mscep/mscep.dll
RTR-1(ca-trustpoint)#enrollment mode ra
RTR-1(ca-trustpoint)#revocation-check crl
RTR-1(ca-trustpoint)#enrollment retry count 3
RTR-1(ca-trustpoint)#enrollment retry period 5
RTR-1(ca-trustpoint)#fqdn RTR-1.testbench.local

RTR-1(ca-trustpoint)#exit
RTR-1(config)#crypto pki authenticate PNL-TRUSTPOINT
Certificate has the following attributes:
Fingerprint MD5: 0454B8F4 73374DE8 2FB034CB B887B1D4
Fingerprint SHA1: 2A542238 0CF3856B D0EF3E1A CBB57003 21C114F5

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
RTR-1(config)#
[/box]

3. If your NDES Server requires a password you can embed that.

NDES Server Removing or Enforcing Passwords

If you require a password you can obtain it from the NDES Server using the following URL.

http://{IP-or-name-of-NDES-server}/CertSrv/mscep_admin

This is the password you need to enter.

If it looks like (below), then password enforcement has been disabled, and you can skip the next step.

[box]

Firewall(config)# crypto ca trustpoint PNL-TRUSTPOINT
Firewall(config-ca-trustpoint)# password 24033E4BFF217D60

[/box]

4. Enroll for a certificate.

[box]

RTR-1(config)#crypto pki enroll PNL-TRUSTPOINT
%
% Start certificate enrollment ..

% The subject name in the certificate will include: RTR-1.testbench.local
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: FTX0945W0MY
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate PNL-TRUSTPOINT verbose' command will show the fingerprint.

RTR-1(config)#
May 14 10:46:46.479: CRYPTO_PKI: Certificate Request Fingerprint MD5: 25E06B18 2BF6E2B7 780AA427 89AB9A15
May 14 10:46:46.483: CRYPTO_PKI: Certificate Request Fingerprint SHA1: 044725E7 B34F6AF8 EFB4C28B 8E7CE192 230BDC9E
RTR-1(config)#
May 14 10:46:47.875: %PKI-6-CERTRET: Certificate received from Certificate Authority
RTR-1(config)#

[/box]

5. If you have a look on the Certificate Server you will also see that the certificate has been issued.

Oh Crap! It went wrong?

Possible errors you might see;

Error 1

[box]

RTR-1(config)#crypto key generate rsa modulus 2048
% Please define a domain-name first.

[/box]

To be honest, it couldn’t be more descriptive! You can’t generate an RSA key-pair without a hostname, and a domain name.

[box]

R1(config)#hostname RTR-1
RTR-1(config)#ip domain-name testbench.local

[/box]

Error 2

[box]

RTR-1(config)#crypto pki authenticate PNL-TRUSTPOINT
% Error in saving certificate: status = FAIL

RTR-1(config)#%CRYPTO_PKI: Cert not yet valid or is expired -
start date: 13:18:46 UTC May 12 2014
end date: 13:28:46 UTC May 12 2019

[/box]

Certificates are time specific; make sure the device has its clock set correctly (preferably via NTP), and that the time on the Certificate Services Server is set correctly.

Windows – Setting Domain Time

Remember: We set the device to check the Certificate Server’s CRL; make sure that’s set up properly, and that the device can resolve its name.

Windows Certificate Services – Setting up a CRL

Related Articles, References, Credits, or External Links

Windows Server 2012 – Install and Configure NDES