UsMan's WoRkSpAce

Tuesday, May 30, 2006

Essential competencies for IT professionals

Understanding existing and emerging technologies
Designing technical architecture
Integrating systems
Understanding business practices, approaches, organization, politics and culture
Managing projects; planning, prioritizing and administering work
Communicating and listening; gathering information
Focusing on results
Thinking strategically
Influencing and persuading
Being adaptable

Static performance tuning for Unix/Linux

Dynamic performance tuning is performed when a system shows signs of degradation under stress or load. Static performance tuning is done regardless of the load on the server. It addresses issues different from those caused by high CPU, disk or network utilization: static tuning is about the health of the system's configuration and architecture.

Name service problems show up as hanging logins for telnet, ftp and similar services, slow connections for mail and related services, and browsers or new windows hanging. Both NIS+ and DNS support a hierarchical namespace, while NIS has a flat structure. NIS+ may not have more than five replicas. Recursive groups should be avoided. The NIS_PATH variable should be kept simple. Domain names in /etc/resolv.conf should be simple (not many subdomains). It may be useful to disable the name service cache daemon (nscd) while troubleshooting name service problems.

Avoid nested NFS mounts, particularly when the nested file systems come from different servers.

Network-wise, fewer hops from client to server are better. Response times of a few milliseconds usually indicate WAN links. Traceroute can be used to decide the ordering of name servers at the client end. Solaris brings up every interface that has an /etc/hostname.* entry, so do not keep such entries for interfaces that are meant to stay disabled. netstat -i shows input and output error counts. Output errors are usually due to faulty hardware or cables. The output error rate should be 0, or at least below 0.25%.

Fault resiliency may mask hardware failures. On Sun Enterprise Servers the system attempts to reboot after disabling a failed CPU as part of Automatic System Recovery (ASR). Sun Management Console and Configuration Service Tracker can be used for hardware status monitoring. The fault-repair mechanisms of modern disks can also affect performance in the long run. iostat -E shows disk errors. The negotiated transfer speed of SCSI devices is shown by the prtconf -v command. SCSI options can be disabled with the scsi-options parameter in the /etc/system file; browse /usr/include/sys/scsi/conf/autoconf.h to understand the individual SCSI options.

Finally, patches are sometimes released purely to improve performance. Search the SunSolve patch database for the keywords 'performance' or 'slow' to find them.

Sunday, May 14, 2006

Windows 2000 and 2003 disk storage management

Important pointers for Windows 2000/2003 disk management are:
There are two types of disk storage, basic and dynamic. A basic disk supports partitions, which are of fixed size on a hard disk. A maximum of four primary partitions, or three primary and one extended (with logical drives), are allowed on a basic disk. Dynamic disks support volumes, which are re-sizable. Both types of disk can co-exist within a single system. Only Windows 2000 and later support dynamic disks.

The active partition is the one where the computer looks for boot files to start an OS. The Windows system partition is the active partition containing the hardware-specific files required to load the OS. The Windows boot partition contains the OS files and can be a primary or extended partition other than the active one.

There are five types of volume on a dynamic disk: simple, spanned, striped, mirrored and RAID-5. Choose among them for reasons of fault tolerance, performance and disk space. A spanned volume can be extended or deleted but cannot be contained within a mirrored or striped volume. The system or boot volume cannot be extended. Striped volumes cannot be extended or mirrored; they are the fastest type of volume. A RAID-5 volume can only span three or more disks.

Disk space management and monitoring on local and remote computers can be done via the Disk Management snap-in. One can add or remove disks, change the storage type from basic to dynamic and vice versa (changing from dynamic to basic loses data), import a foreign disk from another computer, create the different types of volumes and mount them. One has to be a member of the Domain Admins or Server Operators group to manage a remote computer's disks.

Tuesday, May 09, 2006

DHCP handshake

DHCP handshake occurs in the following sequence:

The DHCP client broadcasts a DHCPDISCOVER message. The message is received directly by the DHCP server, or forwarded to it by routers or DHCP relay agents.
The DHCP server responds with a broadcast DHCPOFFER message offering an IP address to the client.
The DHCP client chooses an IP address from among the DHCPOFFERs it may have received and broadcasts a DHCPREQUEST. This implicitly declines the offers of the DHCP servers whose IP address was not chosen.
The DHCP server sends a DHCPACK message to the client. If the address is no longer available (already allocated, or on the wrong subnet) the server replies with DHCPNAK, in which case the client re-initiates the process.
The DHCP client can send a DHCPDECLINE to the server if the IP address is not suitable, e.g. if it is already in use. It restarts the process in that case.
The DHCP client may also release an IP address with DHCPRELEASE before the lease period expires.

Wednesday, May 03, 2006

Securing BIND DNS

TSIG (transaction signatures) is based on a one-way hash function. Each bit of a one-way hash value depends on every bit of the input, so changing one bit of the input changes the hash dramatically. TSIG uses HMAC-MD5, a keyed variant of MD5, in which the 128-bit hash depends on both the input and a shared secret key. The dnssec-keygen command generates such a key; a key of your own choosing can be base64-encoded with the mmencode command. TSIG works for queries, responses, zone transfers and updates between DNS servers and resolvers.
The allow-query statement, usable globally in options or as a zone sub-statement, implements IP-based access control on queries.
The allow-transfer directive restricts zone transfers to legitimate slaves. It too can be used globally or as a zone sub-statement, and it can take a key option so that only TSIG-signed zone transfer requests are honoured.
The BIND version can be hidden with the 'version' sub-statement within the 'options' directive.
BIND can be run as an unprivileged user and group and can also be chrooted to a directory. The chroot directory must be populated with all requisite files before BIND is started.
Recursion can be turned off using allow-recursion or the 'recursion no' sub-statement. This prevents the most common DNS attack, cache poisoning, in which the server is induced to recursively resolve a zone under the control of the attacker's DNS server.
fetch-glue can be turned off so that the DNS server does not try to resolve the name servers listed in NS records.
The use-id-pool sub-statement forces BIND to use random message IDs in its queries; an attacker's DNS server can otherwise spoof a response by guessing the message ID.
The allow-recursion and allow-transfer sub-statements can be used together on one server that acts both as a delegated (authoritative) and a resolving name server.
The query-source global statement changes the source address and port used for outgoing queries.
The forwarders and 'forward only' statements configure BIND to send all non-authoritative queries to another DNS server. BIND chooses among the forwarders based on round-trip time. Servers that are to be used as forwarders must be set up as recursive/resolving name servers. Use 'forwarders {}' to disable forwarding within a zone.
Internal root name servers can be set up for internal name servers that are not connected to the Internet. Internal root name servers can be non-recursive, as the other DNS servers will only send them iterative queries.
DNS Security Extensions (DNSSEC) is a more complex method of securing DNS transactions.
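The statements above assembled into named.conf form, as an added example that is not from the original post: a permissive options block followed by a hardened equivalent for a server that is authoritative for one zone and resolves only for inside clients. The zone name, key name, addresses and the key secret are placeholders I made up.

```conf
// WEAK: a configuration that exposes the server (added example, not from the post)
options {
    directory "/var/named";
    recursion yes;                   // open resolver for anyone who can reach it
    allow-transfer { any; };         // any host can pull the whole zone
    // no version statement: a version.bind CHAOS query reveals the release
};

// HARDENED: authoritative for example.com, recursive only for the inside
acl "internal" { 192.0.2.0/24; 127.0.0.1; };   // placeholder address ranges

key "xfer-key" {                     // TSIG key shared with the slaves
    algorithm hmac-md5;              // as in the post; newer BIND also accepts hmac-sha256
    // placeholder secret: replace with the base64 output of dnssec-keygen
    secret "UkVQTEFDRSBXSVRISEdFTkVSQVRFRCBLRVk=";
};

options {
    directory "/var/named";
    version "not available";         // hide the BIND release
    allow-query { any; };            // authoritative data is meant to be public
    allow-recursion { "internal"; }; // recursive service only for internal clients
    allow-transfer { none; };        // no zone transfers unless a zone says otherwise
    query-source address 192.0.2.53; // fixed outbound address (placeholder)
    forwarders { 192.0.2.10; };      // internal resolving server (placeholder)
    forward only;                    // never go to the roots directly
    // BIND 8 only: fetch-glue no; use-id-pool yes;  (BIND 9 drops fetch-glue and
    // always randomizes query IDs, so these lines are omitted here)
};

zone "example.com" {                 // placeholder zone
    type master;
    file "example.com.zone";
    allow-transfer { key "xfer-key"; };   // only TSIG-signed transfers reach the slaves
};
```

Check the result with named-checkconf before reloading, and remember that a chrooted BIND needs its directory, zone files and key material copied into the chroot first.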