12/30/11
SANs and NASs
A free SAN OS, OpenFiler, looks really cool. I want to try it out. Started reading a discussion about it here. OpenFiler is said to be fast and comprehensive - it's also the only free SAN platform that I'm aware of.
A free NAS OS, FreeNAS, looks quite slick and very current/active. It does offer iSCSI. It also supports the ZFS filesystem, which is targeted at very, very large storage arrays where silent errors have a statistically higher probability of occurring. ZFS offers online disk repair (unlike CHKDSK), checksums for all disk writes, a certain amount of roll-back via copy-on-write, and tremendous volume sizes. I decided this is not relevant to my life right now, but FreeNAS and OpenFiler both are. Sometime it would be worth coming back and reading this short overview of building a small SAN.
9/18/11
2011: Week 37
1. On 9/17 I ordered a Lenovo T520 to replace the Latitude D800 that I've had for 4+ years.
2. Had a Windows Server (2003) this past week that freaked out after I modified some permissions in the registry. Fortunately their Backup Exec had been faithfully saving the System State, so I restored the registry files to an alternate location, booted up off of an Ultimate Boot Disc CD, and restored clean registry files.
3. An Elastix phone server was going offline repeatedly. I could not ping its gateway, although I could ping LAN devices...and Windows workstations could ping the same gateway just fine. The problem was an IP conflict, and that was determined by running arp -a 192.168.1.1 to see that a working PC was using the real gateway's MAC address and the phone server was using a Linksys Access Point's MAC address.
4. When trying to uninstall Sophos Antivirus on an XP Home box, it told me to become a member of the SophosAdministrator group...but XP Home doesn't have groups, right? Wrong. Running net localgroup lists all the groups, and running net localgroup SophosAdministrator /add
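The IP-conflict diagnosis in item 3 (the gateway IP resolving to another device's MAC) can be scripted as a check over "arp -a" output. This is an added example, not code from the original post; the ARP table it parses is constructed, and the expected gateway MAC is a placeholder you would replace with the value seen on a known-good host.

```powershell
# Added example, not from the original post: parse "arp -a" output and report the
# two symptoms of the IP conflict above. The sample table below is constructed.
function Find-ArpAnomalies {
    param(
        [Parameter(Mandatory=$true)][string[]]$ArpLines,   # lines from: arp -a
        [Parameter(Mandatory=$true)][string]$GatewayIp,    # e.g. 192.168.1.1
        [string]$ExpectedGatewayMac = ''                   # known-good MAC, if you have one
    )
    $entries = @()
    foreach ($line in $ArpLines) {
        # Windows prints:  "  192.168.1.1      00-1a-2b-3c-4d-5e     dynamic"
        if ($line -match '^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})\s+(\w+)') {
            $entries += [pscustomobject]@{ Ip = $Matches[1]; Mac = $Matches[2].ToLower(); Type = $Matches[3] }
        }
    }
    # Ignore broadcast and multicast entries; they legitimately map many IPs to one MAC.
    $unicast = $entries | Where-Object { $_.Mac -notmatch '^(ff-ff-ff-ff-ff-ff|01-00-5e)' }
    $findings = @()
    # Symptom 1: one MAC answering for several IPs (in the post, the access point's MAC
    # was cached for the gateway's IP as well as its own).
    foreach ($group in ($unicast | Group-Object -Property Mac | Where-Object { $_.Count -gt 1 })) {
        $ips = ($group.Group | ForEach-Object { $_.Ip }) -join ', '
        $findings += [pscustomobject]@{ Kind = 'DuplicateMac'; Detail = "$($group.Name) answers for $ips" }
    }
    # Symptom 2: the gateway's MAC is missing, or differs from what a working PC sees.
    $gw = $unicast | Where-Object { $_.Ip -eq $GatewayIp } | Select-Object -First 1
    if (-not $gw) {
        $findings += [pscustomobject]@{ Kind = 'GatewayMissing'; Detail = "no ARP entry for $GatewayIp" }
    } elseif ($ExpectedGatewayMac -and $gw.Mac -ne $ExpectedGatewayMac.ToLower()) {
        $findings += [pscustomobject]@{ Kind = 'GatewayMacMismatch'; Detail = "$GatewayIp is $($gw.Mac), expected $($ExpectedGatewayMac.ToLower())" }
    }
    return $findings
}

# Constructed sample: the gateway IP and the access point (192.168.1.20) share a MAC.
# On a live host use:  Find-ArpAnomalies -ArpLines (arp -a) -GatewayIp 192.168.1.1
$sample = @'
Interface: 192.168.1.50 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.20          00-1a-2b-3c-4d-5e     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
'@ -split "`r?`n"
Find-ArpAnomalies -ArpLines $sample -GatewayIp '192.168.1.1' -ExpectedGatewayMac '00-50-56-AA-BB-CC' | Format-Table -AutoSize
```

Run it on the suspect host and on a working PC and compare the gateway line; a mismatch between the two is the conflict.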
1/22/10
VoIP training
I'm now getting up early in the morning for the first time in quite a while and feeling good for it. As you may recall, I just purchased a big training package for MCITP / CCNA training. My current thought is that I'm going to finish the MCITP training, then purchase the Teracom suite, then dive into VoIP.
1/20/10
Windows Mail: Outbox
1/12/10
DNS review
I remember the first time I ever saw a tech use NSLOOKUP - I asked him "How do you learn about tools like this?" One answer is to use a study package that teaches you through video and hands-on activities. :-)
Server 2008 introduces some new DNS features:
-> Background zone loading. I’ve never seen a heavily loaded DNS server, but presumably this helps a busy server start answering client requests right away, rather than waiting for the entire zone to load first.
-> GlobalNames zone – this is cool, because you can now tell DNS about simple NetBIOS names (i.e. machines that are not in a domain), just like in WINS. Sweet!
-> Conditional forwarding can now be replicated in Active Directory (presumably in the past it was staying put on the individual DNS server).
-> Global Query Block List – this helps you keep hackers from registering an unwelcome computer name (e.g. a fake web proxy) on your DNS servers.
-> ...and RODC, LLMNR, DNSSEC, domain controller search, and IPv6/AAAA record support. I did not look into these.
1/7/10
VoIP Intro
Here's what I've learned so far:
You can test your Internet connection (or here) to see if you have enough bandwidth. Skype calls from my PC to their testing service sound great, but calls to my own voicemail or my parents' landline were terribly muffled. At first I thought this might be caused by my ISP maliciously tampering with VoIP packets, but poor audio quality remained even after signing up for and installing HotSpotVPN (an OpenVPN implementation). You do have to tell the VPN to use UDP instead of TCP.
I also tried VoxOx, but couldn't sign in to my account with the program. Considered signing up with RingCentral.com, but $28/month would be overkill in this case. VirtualPBX.com looks very reputable, but is way too pricey for me at $50/month. Next, I looked at Google Talk, but for now it only does PC to PC calls (not landlines). Supposedly you can combine it with a free DID (Direct Inward Dial) number from GroovyTel to receive incoming calls.
So, I signed up with IP Communications and purchased one SIP line (with one DID) for $10/month. This allowed me to receive calls on my new Bellevue, WA number, but not make outbound calls - for that, you have to sign in here and purchase a minimum of $10 credit. I think they debit your credit at the rate of 2 cents per minute or less. I'm using Counterpath's free X-Lite softphone. The audio quality isn't too bad, but isn't as good as I want it to be. I test it by calling my own voicemail.
IP Communications isn't the only SIP provider...VoicePulse.com and CallCentric.com both look interesting. VoicePulse may be less expensive than my current host.
This all-in-one $225 ooma Core VoIP Phone System (with no monthly fee) is big on Amazon.com - 717 reviews so far, with the vast majority being totally positive.
Reading up on "codecs" this evening...according to X-Lite's user manual, PC-only VoIP traffic can use "wideband" codecs that sample at 16 KHz, whereas calls into the PSTN require "narrowband" codecs (G711 only, in fact) that have a lower sampling rate. That explains why my test call into Skype sounded so much better than to a landline. Maybe a Cisco IP phone would sound better...but that's $100, so...not right now. :-)
1/6/10
Server 2008 Deployment
::> The roles are: AD, DNS, DHCP, File (big upgrade from 2K3), Print, WSS (SharePoint), NAP (Network Access Protection), TS, IIS, and WDS (Deployment).
::> "Server Manager" in 2K8 replaces "Computer Management" in 2K3.
::> Editions: Web, Standard, Enterprise, Datacenter.
:: ::> The Web edition is identical to Standard except it only runs IIS. Standard doesn't offer ADFS (a type of single-sign-on), nor does it have as many features for handling certificates (such as an online responder or network device enrollment (for hardware which (naturally) doesn't have a domain account)). I'm not clear on what the "online responder" is all about. Standard is also "limited" to 32GB of RAM and 4 CPUs in a 64-bit configuration (4GB in 32-bit mode).
:: ::> Enterprise is the sweet-spot with up to 32GB/2TB of RAM (depending on 32/64-bit mode) and up to 8 CPUs. Enterprise also seems to allow you to legally run up to 4 additional installations in a virtual Hyper-V environment!
:: ::> The Datacenter edition can be scaled up to more CPUs - 32/64 for 32/64-bit respectively (you pay per CPU and user) and lets you legally run as many virtual installations of Windows Server as you dare!
:: ::> Pricing at the moment (from CDW.com) is $400 for Web, $740 for Standard (with 5 CALs), $2,900 for Enterprise (with 25 CALs), and $8,200 for Datacenter (4 CPUs). Info on licensing.
Server Core:
Let's say you have a limited-purpose perimeter server with some Internet exposure. You can reduce its attack surface by installing just "Server Core" which is the same as what you'd have normally, except all administration is done via Shell rather than GUI. It also doesn't support managed code in the form of .Net or ASP.net. Core also doesn't support ADFS, failover clustering, WDS, and probably other stuff too. It doesn't have an explorer.exe process. It's especially recommended as a foundation for Hyper-V guests (maximum performance).
About Windows PE and the Windows AIK..."PE" stands for Pre-execution Environment.
For upgrading from Server 2003, you have to boot into Windows and then insert your DVD - booting off the DVD only permits a clean install. AIK answer files for 2K8 are in XML (vs *.inf text files in the past).
Regarding WDS (Windows Deployment Services) and its images (*.wim file - "windows image"). WDS is a role. You can configure it to communicate with all PCs, no PCs, or only PCs in Active Directory. Well, you may ask, what if you want to use it with a brand-new PC? You "pre-stage" that PC by adding its MAC or GUID to a new "managed" computer account in AD.
Quite interestingly, you can use WDS to "capture" an existing server/PC image and save it for future reference. If you plan to roll that image out to additional boxes, be sure to use sysprep first. ImageX can be used to apply updates to an image.
NovaBackup
12/31/09
Jumping back in
My laptop's HD crashed a while back (bad sectors - most data was recovered OK) and I lost my Parallels installation. So today I logged into my account on their site, purchased a link to re-download version 2.2 (the Intel Processor Identification Utility says my Pentium M @ 1.8GHz doesn't support hardware virtualization for Parallels 4.0), and am now ready for virtual servers.
I've been reviewing the different ways to prepare for tests. Two test-only providers are SelfTestSoftware.com (which is running a 35% off sale today) and Transcender.com.
To prep for 70-649 (exam #1 of 3 to upgrade an MCSE to MCITP), I've ordered a book with practice questions and a trial of Server 2008. To prep for the other two MCITP exams - and the CCNA - I just spent over $500 for access to training material by TestOut. They did an excellent job of teaching what I needed for the MCSE, so, Lord willing, it'll be another success story with the MCITP.
I just typed in "SQL" on dice.com - 429 results! "MCSE" yields 29 results, "CCNA" yields 16, "A+" yields 6. Pearson Vue handles CCNA testing, Prometric handles all Microsoft exams.
6/17/08
Edit registry offline
Symantec AV removal
How do you uninstall the corporate version of Symantec antivirus if it's password protected & you don't know the password?
First, try the word "symantec". If that doesn't work, open regedit and navigate to HKEY_LOCAL_MACHINE\Software\Intel\LANDesk\VirusProtect6\CurrentVersion\AdministratorOnly\Security. Change the useVPuninstallpassword from 1 to 0. Close the registry editor and retry the uninstall.
Bad ECC RAM
Internet health
Missing Icons
A month ago, I copied all the files from a repaired HD onto a new, blank HD for a laptop running Windows Vista. After repairing the boot sector on the new drive, I was able to boot into Vista just fine. The puzzling thing was that none of the programs installed by the Windows Installer had an icon! This was because my file copy program had skipped C:\Windows\Installer.
For more reading about icon issues, see these links:
5/17/08
PhotoSmart via RDP
4/2/08
3/29/08
DHCP
1) Place a DHCP server on every subnet
2) Enable BOOTP in the router(s)
3) Place a DHCP relay agent on every subnet. The relay agent picks up a client's multicast request for an IP address and then unicasts that to the DHCP server...which unicasts a response to the relay agent and then the relay agent broadcasts that IP address to the client.
If you have a DHCP server and a relay agent on the same subnet, how do you know that the server will respond first? DHCP relay agent settings can be found in RRAS, and there's a setting called "Boot threshold" which lets you tell the agent to wait several seconds to see if a DHCP server will respond.
A "split scope" is a way to create fault-tolerance for DHCP. On subnets "A" and "B", you use both a DHCP server and a DHCP relay agent. Each DHCP server can assign up to 80% of its IP addresses and the server in the other subnet holds the other 20% (the percentage is flexible). This way, if one DHCP server dies, the associated relay agent can forward requests to the other server and receive a valid address for the original subnet.
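The 80/20 split described above becomes concrete as exclusion ranges: in a Windows split scope both servers define the whole scope and each excludes the other server's share. The calculator below is an added example, not from the original post; the scope addresses are constructed.

```powershell
# Added example, not from the original post: turn the "80/20" rule above into the
# concrete exclusion ranges each DHCP server needs. Both servers are given the whole
# scope and each excludes the other's share; the addresses below are constructed.
function ConvertTo-IpInt([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($b)                  # network byte order -> host order for BitConverter
    return [BitConverter]::ToUInt32($b, 0)
}
function ConvertFrom-IpInt([uint32]$N) {
    $b = [BitConverter]::GetBytes($N)
    [Array]::Reverse($b)
    return (New-Object System.Net.IPAddress -ArgumentList (,$b)).ToString()
}
function Get-SplitScope {
    param(
        [Parameter(Mandatory=$true)][string]$Start,   # first leasable address of the scope
        [Parameter(Mandatory=$true)][string]$End,     # last leasable address of the scope
        [int]$PrimaryPercent = 80                     # share kept by the subnet's own server
    )
    $lo = ConvertTo-IpInt $Start
    $hi = ConvertTo-IpInt $End
    if ($hi -lt $lo) { throw "End address precedes start address" }
    $total = [int64]$hi - [int64]$lo + 1
    $primaryCount = [int64][math]::Floor($total * $PrimaryPercent / 100)
    if ($primaryCount -lt 1 -or $primaryCount -ge $total) { throw "Percentage leaves one server with no addresses" }
    $boundary = [uint32]($lo + $primaryCount - 1)    # last address the primary server may lease
    $next = [uint32]($boundary + 1)
    [pscustomobject]@{
        PrimaryLeases      = "$Start - $(ConvertFrom-IpInt $boundary)"
        PrimaryExclusion   = "$(ConvertFrom-IpInt $next) - $End"      # configure on the primary
        SecondaryLeases    = "$(ConvertFrom-IpInt $next) - $End"
        SecondaryExclusion = "$Start - $(ConvertFrom-IpInt $boundary)" # configure on the secondary
        PrimaryCount       = $primaryCount
        SecondaryCount     = $total - $primaryCount
    }
}
# Constructed scope of 245 addresses: the local server keeps 196, the remote server 49.
Get-SplitScope -Start '192.168.10.10' -End '192.168.10.254' -PrimaryPercent 80 | Format-List
```

Both servers must also carry identical scope options (gateway, DNS), since a client has no say in which server answers first.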
To paraphrase, a DHCPDiscover broadcast says "Hi, my MAC address is blah-blah-blah and I used to have IP address blah-blah-blah. Are there any DHCP servers available to re-assign this address to me?". It receives an IP and subnet. Then it says "Thanks, I'm also looking for a default gateway and a DNS server - do you have that info?". Here's a really good article on this topic.
Two other methods of fault-tolerance for DHCP are to cluster your DHCP servers or to use the "alternate configuration" in Windows XP.
Random note:
In a big organization, it makes sense to keep the "root domain" of your forest empty (w/ only the Administrator account active - and assigned a good password) to protect the Enterprise Admins and Schema Admins group from misuse.
3/27/08
Delegating DNS
When I created a new zone on my test DNS server, I found that unqualified hostnames failed in nslookup. Using group policy (Computer\Admin\Network\DNS) I added an entry to the DNS suffix search order for the zone that had previously failed the nslookup. After fixing a subnet mask on my test workstation (oops) and rebooting (to apply the machine-level group policy), it worked!
3/26/08
More research 2
DNS...I'm comfortable with primary zones, ADI, forwarding, and recursion. Secondary zones are read-only copies of a primary server. In Server 2003 they don't seem to have any value. They cannot be integrated into Active Directory. If you have a DNS server that needs to know about DNS servers in other forests, you can use a stub zone to avoid zone transfer traffic. It seems that secondary zones used to be handy for fault tolerance and load balancing, however that's a non-issue with ADI zones. According to informit.com, a BIND server can receive a secondary copy of an ADI zone.
It just occurred to me this evening that the default "ClientApps" share on Server 2003 is probably intended for applications published to clients via group policy in their Add/Remove Programs applet.
3/22/08
More research
Server 2003 (Standard) minimum system requirements are a 133MHz x86 CPU, 128MB of RAM, and 2.0 GB of available HD space. Server 2003 supports three processor architectures: x86 32-bit, x86 64-bit, and Itanium. This means that Server 2003 does NOT run on RISC processors.
To bone up on RADIUS, I followed instructions to install IAS and configure RRAS to use it. It worked! I ran IAS and RRAS on the same server.
Operations masters - it seems I'm weak on these. They used to be called FSMO (fiz-mo) for Flexible Single Master Operation. The concept of Active Directory is a "multi-master" one overall, but there are some roles that only a single DC handles. Two of these are at the forest level: schema master and domain naming master. Three others are at the per-domain level: RID master (sort of the "master domain controller" - it allocates domain RIDs to the DCs for use in SIDs); Infrastructure Master (only important in multidomain environments - in which case it shouldn't be on a GC server); and the PDC Emulator, which handles password changes and account lock-outs. It's also the authoritative time source in a domain.
I think if bandwidth isn't an issue, every DC in a small domain should be a GC.
For a short-term disaster recovery simulation, you only need a PDCe available. However, if you restore a DC from backup, it will invalidate its RID pool and need access to a RID master to replenish it for new object creation. See here and here.
When you install a Server 2003 box in a Windows 2000 forest, you have to update the 2000 AD schema for the new features in 2003's version of Active Directory. You do this by running adprep /forestprep on your forest's schema master & adprep /domainprep on each domain's infrastructure master.
In other news, SP1 for Vista was released on the 18th.
Unable to disjoin domain
3/20/08
Google Apps
Create a Google Apps account.
Follow instructions to change MX records for your domain (via CPanel).
Follow instructions to change custom webmail URL (via support ticket with web host - CPanel doesn't support this).
Log into each webmail account and enable POP or IMAP access.
Follow instructions to configure your mail client (e.g. Outlook Express).
- You log in to pop.gmail.com:995 as username@yourdomain.com
I think this will provide good spam filtering for free - and might therefore be useful for nonprofits and small businesses who don't want to purchase Outlook 2003 for their users. Outlook 2003 has an excellent built-in spam filter, updated monthly by Microsoft via Microsoft Update.
3/8/08
Defragment Exchange
@echo off
rem Offline defragmentation of the Exchange private store with eseutil.
rem The store must be backed up and dismounted first; the script pauses twice
rem so there is time to cancel with Ctrl+C.
echo Verify that you've backed up and dismounted the Exchange Store!
echo.
echo Press Ctrl + C to cancel...
echo.
pause
pause
rem /d also switches drive if the script is started from another drive
cd /d "C:\Program Files\Exchsrvr\BIN"
rem priv1.edb lives in ..\mdbdata relative to BIN
eseutil /d ..\mdbdata\priv1.edb
Local user profiles
3/6/08
Local Admin
1) Batch file:
NET LOCALGROUP Administrators "YourDomain\YourDomainGroup" /ADD
2) VBScript:
On Error Resume Next
' Adds a domain group to the local Administrators group via ADSI (WinNT provider).
' Fill in the two placeholders before running (e.g. as a computer startup script).
MyDomainName = "InsertYourDomainName"
MyDomainGroup = "InsertYourDomainGroup"
Set x = WScript.CreateObject("WScript.Shell")
ComputerName = x.ExpandEnvironmentStrings("%COMPUTERNAME%")
Set Local_Admins = GetObject("WinNT://" & ComputerName & "/Administrators,group")
Local_Admins.Add "WinNT://" & MyDomainName & "/" & MyDomainGroup & ",group"
' On Error Resume Next hides failures, so report one explicitly
If Err.Number <> 0 Then WScript.Echo "Failed to add group: " & Err.Description
Computer startup scripts run with practically unlimited local permission; logon scripts rely on the current user's permission.
3/4/08
ADMT
After installation, you open the ADMT as an MMC snap-in on the target domain controller. Your target domain must be in domain native mode. User and computer accounts get migrated in separate steps; then you remotely run an “agent” on the workstations that you’re migrating to join them to the new domain and reset all the necessary file/registry permissions.
In order for this agent to run, your user account in the target domain must have local admin rights on the workstations. Automating the process may be the topic of another post. I did it manually by adding \\gold\Domain Admins to \\silver\Trusted-Admins.
I couldn’t add \\gold\Domain Admins to \\silver\Domain Admins because both groups are global. Remember that global groups are great travelers, but poor hosts. Also found that I couldn’t place an individual user account from one domain in another domain’s group.
If you don’t have local admin rights to the workstations, the ADMT agent will report “access is denied” to the ADMIN$ share. The workstations also need to have the same primary DNS server as the target domain controller(s).
By the way, during the course of this exercise I raised my forest functional level and learned that the Enterprise Admins group only exists on domain controllers in the “root domain” of a forest. You have to be in that group to make any schema changes (e.g. modifying the forest).
By default, the ADMT does not migrate user passwords; instead it sets the migrated user accounts to “change password at next login”.
After the ADMT agent runs, it reboots the workstation & voilà! You’re finished! This is so cool.
3/1/08
Domain tinkering
Powered on a virtual workstation (XP1) and joined the second domain. After rebooting, XP1 saw every domain in the forest - meaning DOMAIN1, DOMAIN2, and XP1. A quick Google search determined that this list is not editable, but that you can set a default domain for a PC and then hide the domain list.
Windows workstations cache domain credentials for up to 10 offline logins. To change/disable this, edit a group policy: Computer > Windows > Security > Local > Interactive logon: Number...
After a slow initial login on XP1, I checked the event log and found complaints that the domain controller was inaccessible. Creating reverse DNS entries appeared to resolve this (though maybe it just needed more time).
Lastly, I assigned a batch file login script to XP1 via group policy, but noted that my PAUSE command was ignored.
2/28/08
Rapid replication
Windows allows you to turn off Global Catalog functionality completely in a domain, but if you try to create a user after that, it reports "Windows cannot verify that the user name is unique because the following error occurred while contacting the global catalog: The directory service is unavailable. Windows will create this user account, but the user can log on only after the user name is verified to be unique. Make sure the global catalog is available." If the user that you create in this offline state is a duplicate, the global catalog server will keep the duplicate account name but assign a unique SID and append gibberish to the name in AD.
A cool tool for viewing an account's SID or last logon/off date comes with the Server 2003 Resource Kit. After you download and install the kit (it's free), run regsvr32 "C:\Program Files\Windows Resource Kits\Tools\acctinfo.dll".
Despite the fact that my two domain controllers are running in the default forest/domain modes, intrasite replication happens almost immediately! I thought you'd have to wait 15 minutes or 5 minutes or 15 seconds.
In other news, Windows Server 2008 was released yesterday (February 28) and I took 70-297 last Saturday, but failed.
2/18/08
Choppy DVD playback
Fixing RRAS and FPS
What was wrong? File and Printer Sharing had been disabled on the LAN interface (and enabled on the WAN)! This generated lots of errors in the event log, including event 1058 and 1030, because Windows couldn't access the SYSVOL share via UNC path (in fact, while shares were visible via \\servername, double-clicking on any of them merely brought up a username/password prompt). After correcting this, users could once again access shared resources on the server, but they still couldn't access the Internet.
It turned out that the LAN interface had recently been replaced or renamed...so RRAS wasn't doing NAT on the renamed interface. Right-clicking in RRAS/NAT and choosing "Add interface" quickly resolved the problem.
2/13/08
ActiveX error
2/12/08
Malware infections
1. Connect the infected hard drive to a spare PC running Windows XP or Vista so you can freely access the file system.
2. Search the Windows directory for recently created/modified *.exe, *.com, *.dll, *.ocx, *.bat, *.dat, *.drv, *.sys, *.bin, *.scr files. Configure the search results to display the file’s publisher and version number.
Recently created or modified files which do not display a publisher are probably malware and should be disabled (by appending a different file extension, e.g. *.bad). Files that do have a legitimate publisher but were recently modified, are probably corrupt and can be replaced by an older (clean) copy displaying the same version number.
Lastly, run HijackThis to cleanup any remaining traces of infection.
I've used this method to remove malware missed by NOD32 and Spyware Doctor.
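Steps 1 to 3 above, written as a read-only triage report over the infected disk mounted on the clean PC. This is an added example, not from the original post; it assumes the infected Windows directory is reachable at a path you pass in (E:\Windows in the usage line is a placeholder), and it only reports, leaving the renaming of files to you.

```powershell
# Added example, not from the original post: list recently created or modified
# executable-type files under the Windows directory and classify them by publisher
# and Authenticode signature, as the triage steps above describe.
function Get-SuspiciousFiles {
    param(
        [string]$Root = 'C:\Windows',
        [int]$Days = 7,                         # what counts as "recently"
        [string[]]$Extensions = @('*.exe','*.com','*.dll','*.ocx','*.bat','*.dat','*.drv','*.sys','*.bin','*.scr')
    )
    $since = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $Root -Recurse -Include $Extensions -File -ErrorAction SilentlyContinue |
      Where-Object { $_.LastWriteTime -gt $since -or $_.CreationTime -gt $since } |
      ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $publisher = $_.VersionInfo.CompanyName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        # Caveat: version-info strings (CompanyName) are whatever the file's author wrote,
        # so a valid signature is the stronger signal. On an offline disk most Windows
        # system files show NotSigned because they are catalog-signed and the catalogs
        # are not consulted; those still carry "Microsoft Corporation" as publisher.
        $verdict = if (-not $publisher -and -not $signer) { '1-no publisher: likely malware' }
                   elseif ($sig.Status -eq 'Valid') { '3-signed and valid' }
                   else { '2-has publisher but unverified: compare with a known-good copy' }
        [pscustomobject]@{
            Verdict   = $verdict
            Modified  = $_.LastWriteTime
            Created   = $_.CreationTime
            Publisher = $publisher
            Version   = $_.VersionInfo.FileVersion
            Signature = $sig.Status
            Signer    = $signer
            Path      = $_.FullName
        }
      } | Sort-Object Verdict, Modified -Descending
}
# Usage (E:\Windows is a placeholder for the infected disk attached to the clean PC):
# Get-SuspiciousFiles -Root 'E:\Windows' -Days 14 | Format-Table Verdict, Modified, Publisher, Version, Path -AutoSize
```

Files in the "has publisher but unverified" group are the ones to compare against a clean copy with the same version number, as step 3 suggests.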
2/7/08
Theory, part 1
- Control AD replication traffic
- Ensure that users log on to a local DC rather than crossing a WAN link during login
As a general rule of thumb, you should install a domain controller in a branch office if there are 50+ users, and you should install a global catalog if there are 100+ users.
There are three reasons to have an OU:
- To delegate administration
- To apply group policies
- To hide resources
2/6/08
Flowcharting
2/4/08
Powershell and VBScript
Fixing a BSOD
Never relay a message
At the same site, I drastically shortened the amount of time that Exchange spends on retrying message delivery so that users are quickly notified when there's a delivery problem.
SQL error 15401
Someday, I would like to take Test Out's SQL course or CBT Nuggets' SQL course.
2/2/08
70-284 - Passed!
1/22/08
Message size limit
When assigning logon/off scripts via group policy, you must use a UNC path.
1/21/08
Restricting RDP users
- User Config -> Admin Templates -> Start & Taskbar:
Add "Log off" to start menu
Disable and remove "Shutdown" from start menu
- User Config -> Admin Templates -> Windows Explorer:
Hide specified drives... (restricting all drives includes network drive letters!)
This hid most of the local drives on the server, leaving just the mapped network drive for the users' data. However, if they started typing a path in any address bar, folders in the "hidden" drives were listed as auto-complete options. To avoid this, I disabled autocomplete (effective for both Windows Explorer and Internet Explorer):
- User Config -> Windows Settings-> IE Maintenance-> Advanced-> Internet Settings
Exchange 6
- How to mail enable a public folder (I haven't tested this)
- Free/Busy data is kept in a system Public Folder
- RPC over HTTPS can replace a VPN for checking email with Outlook 2003
- You can configure real-time block lists (RBLs) to reduce spam
Recently had a client ask us to simplify their email setup. Every user's Outlook was configured w/ a POP3 account which saved mail into an Exchange mailbox (rather than a PST file). Starting with one user as my "guinea pig", I removed his POP3 account in Outlook (retaining only the Exchange account), and created an entry for him in the Exchange server's POP3 connector. Also reconfigured the server's SMTP connector with current information.
The first time I tried to send a message to my own email address it bounced back w/ error 550, so I enabled SMTP authentication in the connector.
Next, I tried emailing two people who share the organization's domain name but who don't use the Exchange server. That test bounced back w/ error 5.1.1 (recipient doesn't exist). I checked the recipient policy in System Manager and found that the check box for "This Exchange Organization is responsible for all mail delivery..." was grayed out. So...I created a new policy (leaving that check box blank) and created an additional SMTP connector just for this organization's domain - with relaying enabled. Many, many thanks to msexchange.org for their article on SMTP Namespace Sharing.
1/14/08
Negative ping times
Eventually, I found a site that noted a correlation between group policy errors and AMD's multi-core CPUs. The server has an AMD processor, so I pinged the localhost and got some wild numbers in response. Installing a patch from AMD (their "Dual-Core Optimizer") resolved the incorrect ping times, the application log errors, and my issues with group policy!
Exchange 5
1/8/08
Exchange 4
- Address lists (e.g. creating lists other than the GAL; replacing the default OAB).
- Mailbox stores. It seems that a single mailbox store consists of two files, the .edb file and .stm file (MDBEF and MIME formats, respectively)...and one or more log files.
- Moving mailbox stores to different disks, and mailboxes into different stores.
In Exchange 2003 Standard w/ SP2, you can have a single mailbox store of up to 75GB. In the Enterprise version you can have up to 20 stores which, I think, can each be up to 8TB in size. Wow.
There's also something called circular logging which prevents Exchange from saving zillions of log files and thereby chewing up your disk space. The downside of enabling this is that it somehow reduces your disaster recovery options and requires that you regularly run a full backup of your stores. Of course, you can also keep logging enabled and do frequent backups & the backups will automatically delete the log files. So, there's little value in using circular logging.
The two database files, the .edb and .stm files have something to do with MAPI (i.e. "Outlook") and non-MAPI clients (i.e. everything else), but I'm not quite sure what.
Haven't figured out what an X400 address is, but one site says that you can't disable it.
Deleted items retention - it's a great feature. I've used it on two occasions to make people very happy. In one case, a user accidentally deleted her items. On the other occasion, an employee was terminated (but her user account was left enabled) and she logged in from home to delete emails via OWA. We recovered those emails, but what if the employee had known about DIRT (deleted items retention time) and what if the employee had purged those messages via OWA? We would've had to do a restore from backup...and that would've been very time-consuming ('cause so far, I've never restored an Exchange backup!). Microsoft tells how to hide the relevant command in Outlook via GP, but that won't help w/ OWA. There's a helpful post about this general topic at Experts-Exchange.
1/7/08
Exchange 3
Dynamically updated groups let people email everyone in Active Directory who is in a specific department or who has a middle initial of "J". This is for distribution groups whose membership changes frequently.
1/5/08
12/27/07
Exchange 2
- If possible, install Exchange on a server that does not also run Active Directory.
- You can set permissions on groups of servers by using Administrative groups.
- You can prevent individual accounts from using Outlook Web Access.
- Mailboxes are not created until they are logged into or receive a message.
- You can limit the message size that users are allowed to send and/or receive. I can think of two organizations where I need to implement this setting!
12/26/07
Exchange 1
12/13/07
Prevent users from clearing IE history
Vista 1
12/7/07
Domain trusts
After resolving that issue, I received a different error message stating that my target was "not a valid Windows domain". This was solved by adding conditional forwarding to the DNS server in each domain. Now I could establish a trust relationship.
After the two-way trust was set up, all was well for users on ServerB. However, when ServerA users tried to browse ServerB by name, an error occurred "Logon Failure: The target account name is incorrect". Running nslookup on ServerA revealed a problem w/ DNS ("Can't find server name for address x.x.x.x: Timed out"). I manually recreated a reverse lookup zone in DNS on ServerA (now nslookup reported "...Non-existent domain"), ran ipconfig /registerdns, and restarted the NetLogon service. That fixed the DNS problem (hurray!), but not the "Logon Failure".
Eventually, I found that a computer account for ServerB was present in ADUC on ServerA. Deleting that account solved the problem! This exercise has taken about five hours over two days.
12/5/07
Rename a domain
- Raised forest functional level to Server 2003
- Made a System State backup
- Executed rendom /list
- Edited the XML file, replacing references to the old domain name w/ the new
- Executed rendom /upload, rendom /prepare, rendom /execute
This completed successfully and triggered an automatic reboot w/ the message "The directory service is shutting down". After the reboot, I ran rendom /clean, rendom /end (this is important!).
Group policy objects are updated with gpfixup /oldDNS:GOLD.local /newDNS:PLATINUM.local /oldNB:GOLD /newNB:PLATINUM.
I still had a problem w/ the GPMC, but I opened it from within ADUC, edited a policy, exited GPMC, and then was able to re-open GPMC w/out any difficulties.
Lastly, restarted an XP workstation and verified that it was automatically updated.
Hurray!
12/1/07
70-294 - Passed!
11/29/07
Global Catalog servers
Microsoft's article gives a quick run-down on how to enable/disable a GC, a plain-English article on computerperformance.co.uk summarizes the role of a GC, and a particularly helpful TechNet article discusses GCs. If you log on w/ a UPN (email address), your workstation contacts the GC for a DC to authenticate to.
11/28/07
Replication
11/26/07
Alternate UPN suffixes
Learned how to set a different UPN (User Principal Name) suffix so that people can sign into their computers or OWA using their email address! After adding the alternate UPN, you can select multiple user accounts in ADUC & set their UPN all at once. For future AD installations I think I'll always use email addresses as sign-ons. This is really nice.
11/20/07
Group policy, part 3
- Computer Config \ Admin Templates pertains to HKEY_Local_Machine
- User Config \ Admin Templates pertains to HKEY_Current_User
- Microsoft's policy templates (ADM files) can be "fully managed", that is, they are removed when the GPO is removed. On the other hand, "preferences" (from 3rd party developers) "tattoo" the registry, meaning they are not automatically removed when the policy is removed.
- You can have the group policy editor display ONLY configured policies.
I was troubleshooting GP application on a wireless desktop client today & disjoined/rejoined the domain, but could not get my group policy to be recognized. The event log said no domain controller could be found, so GP processing was aborted. I wonder if a wireless router between the client and domain controller is the culprit. Item #1 on GPOGuy's FAQ says that GP processing requires specific ports which are sometimes blocked by firewalls.
11/19/07
Group policy, part 2
RSoP can be easily accessed from within Active Directory to see what policies apply to a workstation/user. To immediately test a GPO, first run GPUPDATE on the domain controller, then run GPUPDATE on the workstation.
Software distribution via GPO:
You can install MSI packages via GPO by "assigning" them to computers (full install) or users (installed at first use). Assigned packages are installed during Windows startup, before the login screen is shown. You can also make MSI packages available in the Control Panel via GPO by "publishing" them to users. For a walk-through on how to do this, see Brian Posey's article. To create your own MSI, check out this list of installers. I should try out the free Advanced Installer.
To learn more...
http://www.gpoguy.com/ - news, free tools and training videos
http://www.gpanswers.com/ - message board w/ an emphasis on advanced concepts
11/16/07
Group policy, part 1
- If user and computer policies conflict, the user policy takes precedence.
- Folder redirection in a GPO takes precedence over user profile settings in AD.
Many third parties offer extensions to group policy.
If you have a GPO w/ user settings that have to be applied no matter who is logging into a particular computer, you can use loopback processing.
An impressive tool for evaluating disk usage is TreeSize.
Drive letter conflicts
11/15/07
VoIP
11/14/07
Operation Masters
Domain and forest functional levels:
- 2000 mixed (compatible w/ NT 4.0)
- 2000 native (allows nested and universal security groups; SID history)
- 2003 (lets you rename domain controller)
Operation Masters:
- RID (relative IDs, required for new objects)
- PDC (syncs domain passwords and clocks)
- Infrastructure (object moves/renames and group membership)
- Domain Naming Master (ensures unique domain names in a forest)
- Schema Master (maintains the schema for a forest)
If you have multiple DCs in a domain, your global catalog server should not be the infrastructure master as well (causes infrastructure replication problems).
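The following added script (not part of the original post) lists the five operations master role holders and flags the configuration the note above warns about: an infrastructure master that is also a global catalog in a domain with more than one DC. It assumes the RSAT ActiveDirectory PowerShell module and permission to query the domain.

```powershell
# Added example: report FSMO role holders and check the IM/GC conflict.
# Assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# Three roles are per-domain, two are per-forest.
[pscustomobject]@{
    RID            = $domain.RIDMaster
    PDC            = $domain.PDCEmulator
    Infrastructure = $domain.InfrastructureMaster
    DomainNaming   = $forest.DomainNamingMaster
    Schema         = $forest.SchemaMaster
} | Format-List

$dcs   = @(Get-ADDomainController -Filter *)
$infra = Get-ADDomainController -Identity $domain.InfrastructureMaster

if ($dcs.Count -gt 1 -and $infra.IsGlobalCatalog) {
    # The IM only updates cross-domain references correctly when it is NOT a GC,
    # unless every DC in the domain is a GC (then there is nothing to update).
    $nonGC = $dcs | Where-Object { -not $_.IsGlobalCatalog }
    if ($nonGC.Count -gt 0) {
        Write-Warning ("Infrastructure master {0} is also a GC while {1} DC(s) are not; " +
                       "move the role to a non-GC DC or make every DC a GC.") -f $infra.HostName, $nonGC.Count
    } else {
        'Infrastructure master is a GC, but so is every DC in the domain: OK.'
    }
} else {
    'Infrastructure master / global catalog placement: OK.'
}
```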
Active Directory Migration Tool:
- So cool. Lets you move users, groups, and computers from one domain to another.
11/13/07
RDP and NetDom
Practiced renaming a domain controller with instructions from petri.co.il. The author said that it's undesirable, but didn't say why. Renaming a DC which also happens to be a certificate authority is a very bad idea (it invalidates your existing certificates and prevents new ones from being issued).
The steps:
- netdom computername <oldserverFQD> /add:<newserverFQD>
- netdom computername <oldserverFQD> /makeprimary:<newserverFQD>
- reboot
- netdom computername <newserverFQD> /remove:<oldserverFQD>
- I manually removed the old server name from DNS at this point.
11/12/07
Groups and trusts
Also started learning about how to set up a trust between domains & heard of the Active Directory Migration tool. That's exciting. BTW, an intransitive trust is like only talking to your spouse; while a transitive trust lets you talk to the spouse's family and friends (other trusted domains).
11/10/07
ASR
Two free utilities that I've found useful are ISO Recorder and Folder2ISO.
I'm using Parallels Virtual Machine for this, but if you are working on a real server w/ no floppy disk drive, you can use the free (32-bit) Virtual Floppy Drive 2.1 to fool NTBackup.
Unfortunately, there doesn't seem to be a good way to schedule ASR backups - I have no idea why. However, a program called Firestreamer-RM ($60) claims to schedule ASR backups, auto-initialize tape media, and even email the results to you. The last two reasons are why my employer standardized on NovaBackup instead of NTBackup.
What's the difference between an ASR backup and a normal backup + system state? ASR seems to speed up the process because the restoration of your system is integrated right into Windows setup - instead of having to go through the whole Windows setup and then do a restore.
For future reference, this page has a nice overview of restoring an Exchange server.
11/9/07
LostAndFound
11/6/07
70-293 - Passed!
My 70-293 had a few questions about DHCP, DNS, WINS, NLB, clustering, backup, routing, and security templates...and a lot of questions about certificates, IPSec, and RRAS.
11/3/07
NLB, DFS, 2nd Shot
Last night I learned about Network Load Balancing (NLB) which sounds like it's best for web servers and SQL databases. With "client affinity" enabled it can even maintain a session between a single client and a single server in the background (needed for databases). Clustering is only available in 2003 Enterprise ($800+ on eBay) and DataCenter editions. Clustering is more for high availability of changing network resources and requires a single point of storage that all the clustered servers can access. That point is called a quorum (probably a SAN or RAID setup).
Distributed File System (DFS) is used to organize file shares from multiple servers into a single point of access (e.g. a drive letter). It can also replicate data placed in one space into another geographical site (for faster access) or to a different server (for seamless failover/backup). It seems kind of clunky though and I have a hard time envisioning a really good use of DFS apart from fault tolerance for non-clustered file servers.
Registered for Microsoft's second shot offer (valid until January 30, 2008) which gives you one free retake on each $125 exam that you fail. I hope I don't need it!
Helpful thoughts on NLB unicast vs. multicast.
I read about Fibre Channel in Wikipedia & it sounds like it's a bus technology that is just a bit (25%) faster than SATA (and probably a lot more expensive). You would need 2-3x 1Gb NICs teamed together to completely harness the power of a single SATA drive.
11/1/07
Smart cards
There's no built-in way in Windows 2000/2003 to restrict concurrent domain logins. To address this problem, there's a free utility available from Microsoft and a commercial utility is available from Sonarware.
10/31/07
IPSEC II
-> If a policy isn't applied when you assign it, restart the IPSec service.
-> Normally, you can reset IPSec policies back to default settings; DCs are an exception.
10/30/07
Troubleshooting IPSec
10/25/07
Setup
I passed my first MCSE exam (70-290) on March 21, and my second exam (70-291) on September 11.