Sam.McGeown.co.uk

I’m pleased to announce that I’ve passed the 70-649, which gives me the following MCTS certifications:

Windows Server 2008 Active Directory, Configuration

Windows Server 2008 Applications Infrastructure, Configuration

Windows Server 2008 Network Infrastructure, Configuration

Next I’ll be looking at the 70-647 to get the full MCITP: Enterprise Administrator (I already took the 70-620 exam for my MCSE).

Microsoft, Qualifications MCTS, Microsoft, Windows Server 2008

No matter how good your network diagrams are, sometimes you need to verify the port your server/desktop is in. Cisco Discovery Protocol is a great tool for network admins when you need to quickly map routers and switches, and if you’ve got an ESX server connected you’ll see that it picks up CDP info too – but the vast majority of my managed systems are Windows.

Here’s how to use TCPDUMP by Micro Olap to extend that functionality to your Windows boxes.

Firstly you need to find the interface number of the network adaptor you are trying to find CDP data for.  Use this command:

tcpdump -D

Which gives you a list of the interfaces on the computer:

My actual NIC is the third one in the list, so I can run the command:

tcpdump -i 3 -nn -v -s 1500 -c 1 ether[20:2] == 0x2000

-i n [interface and the number in the list, for me 3]

-nn [don’t resolve DNS, speeds things up]

-v [verbose mode, otherwise we won’t see all the packet details]

-s 1500 [set the maximum packet size to capture, the MTU is 1500 by default so it will capture the entire packet]

-c 1  [Capture one packet only, since we only want the CDP packet and filter using the header]

ether[20:2] == 0x2000 [Check the Ethernet header packet ID for the hex value 0x2000 – CDP protocol]

Some output is omitted, but you can see that the name of the switch and the port are both in there.

Easier than tracing a cable!

Cisco, Networking, Windows 7, Windows Server, Windows XP, Windows Vista, Windows Vista SP1 Cisco Discovery Protocol, CDP, Cisco, Windows, Network, Cable, Trace

So you’ve upgraded your ESX 3.x servers to 4.0 and you’ve upgraded your vCenter server, now you want to access the shiny new hot-add feature to upgrade some running server’s memory. Except you can’t, the feature is no-where to be seen. Something to bear in mind though, your OS needs to support hot-add, so you’ll need a Windows Enterprise or Datacenter edition.

Here’s how to enable it:

Upgrade the VM’s tools, if you haven’t already. This requires a re-boot, but don’t reboot, shut the server down down, otherwise you’ll require another reboot to add the feature. The tools can be upgraded from the system tray icon.

Once the VM is shut down, upgrade the Virtual Hardware (again, assuming you haven’t already!)

Once your virtual machine is fully up to date with VMTools and Hardware, you can edit the Advanced options (again, while the machine is shut down) and enable the feature.

Now with the server booted, you can add Memory and CPU without the need for a reboot. In my tests changing the Memory from 1GB to 2GB caused a single dropped ping, and changing from 1 vCPU to 2 vCPUs caused a ping to drop.

VMware vSphere 4.0, VMware vCenter 4.0, VMWare, VMware ESX 4.0 vmware, esx 4.0, vsphere 4, hot add, memory, cpu, vcpu

If you read the Microsoft blurb for R2, the first thing you notice is that Server 2008 R2 is 64-bit only(!). It seems Microsoft are forcibly removing 32-bit server hardware from the data centre. I’ve not seen a decent upgrade guide online so far, so here’s my process.

I’m going to be upgrading a Server 2008 R2 x64 SP2 Standard Edition virtual server to R2. To see what editions can and can’t be upgraded, check out this Technet Article, but it’s safe to say that you can’t upgrade across architectures (32-bit to 64-bit) and you can’t downgrade SKUs (Enterprise to Standard).

The first step, as ever, is always to back up your server, if the upgrade goes wrong, you can always restore and try again. You have been warned!

So, without further ado, slip in your R2 DVD and begin…

Install

Update

Select your target SKU

Select “upgrade” (obviously :)

Check your upgrade report (which is saved as HTML on your desktop. The first time I ran this it said that I didn’t have enough free space – it required a whopping 15GB, which makes me think that this is no Server 2003 –> R2 upgrade, it’s the full blown OS install. Assuming everything checks out, go ahead.

Sit back and grab a cup of coffee. After a while, you’ll reboot

  and the upgrade begins in earnest. Once the process is completed, and another reboot has happened, you’ll be upgraded to R2. You’ll need to activate it with your R2 key.

Once you’re activated, update your server using Microsoft update or your patching method.

Et voila!

Windows Server 2008 Windows Server 2008, R2, Windows Server, Server, 2008, upgrade

I do consider the Cisco qualifications as significantly more valuable than the others that I hold, simply because of the difficulty of the exams. I do find them “honest” in that they’re not trick questions, and you don’t need a technique to pass – just in depth knowledge.

Anyway, I think I’ll take few weeks before I look to my next study/exam.

Cisco, Qualifications Cisco, CCNA, Exams, ICND2

I’ve just upgraded to BE.Net 1.6, and I thought I’d migrate to GoDaddy’s IIS 7 servers at the same time. The theory is that this would be a an easy migration and I’d have the weekend to iron out any bugs. Not so.

After testing on my local IIS 7 and working perfectly, I uploaded the updates to my live blog and hit the “Migrate to IIS 7” button, which promises it will be completed in 24h. I received the “update your DNS” email, and duly updated my A records to the new server, and the transfer seems to be ok – aside from the fact that viewing any specific post causes an error – I’m guessing with the permissions of the App_Data folder. The catch being that I can’t access my IIS settings until GoDaddy have completed their 24h migration process.

It’s now been more than 72 hours since I kicked of the migration and still I cannot access and fix the IIS permissions issue which is dogging my blog. I’ve emailed twice and am still waiting for some resolution. Perhaps I won’t be renewing this year?

BlogEngine.NET, IIS GoDaddy, blogengine.net, IIS, IIS7

Configuring the Virtual Environment and Virtual Machines

Note – this configuration will work for ESXi 4 upwards due to the server 2008 MSCS requirement for persistent SCSI-3 reservations.

The first step is to create a new vSwitch for the host-only cluster heartbeat network, don’t assign any network adaptors to the switch as it’s going to be local only.

Create a new virtual machine with a single hard disk. For the purposes of this test, I’ve assigned 2 vProcessors, 1GB RAM, 30GB drive for the OS, 1 vNIC in the default vSwitch0.

Add a second vNIC and assign it to the cluster network vSwitch created in step 1.

Install Windows Server 2008 R2 Enterprise and all the Windows Updates, for the example I’ve named it SQLCluster01.

Clone the server and rename the new one to SQLCluster02. In ESXi you can’t clone, so shut down the first server, copy the files to a new folder and right click the VMX file to add it to the inventory. When you boot it the first time VMware will ask if it’s been moved or copied – select copied.

Create a disk for use as the Quorom, this needs to be shared and since I’m using ESXi with local storage only it must be “eagerzeroedthick”. To do this I have to use the unsupported mode in ESXi (Alt+F1, type unsupported and then your root password) and use the vmkfstools command to create it (vmkfstools –c <size> –d eagerzeroedthick –a lsilogic /vmfs/volumes/<datastore>/<folder>/<disk>.vmdk)

Add the new disk to SQLCluster01 using a new SCSI virtual controller (different from the current controller, e.g. my first HD is on SCSI 0:1, the Quorum is on SCSI 1:0)

Check that the new SCSI controller is set to LSILogic (it is for Server 2008 by default) and set the SCSI Bus Sharing to Virtual.

Add the Quorum disk to the second virtual machine, using the same settings.

Edit the .vmx file for both servers, adding in the following lines (edit for your SCSI controller):

scsi1:0.mode = "independent-persistent"
scsi1:0.shared = "TRUE"

Create a disk for some shared storage for the cluster too, it will be needed for the DTC application as well as the SQL server – in a production environment you may want to separate logs and data, but for my test, I’m just adding another two 10GB disks. Use the same process as for creating the Quorum disk.

More...

Windows Server 2008, Microsoft, SQL Server 2008, Microsoft Cluster Services sql, sql server 2008, windows server 2008, cluster, mscs, microsoft cluster services, active/passive, vmware, esxi 4.0

In the past, I would often say to my wife, “if it’s not in Outlook, it isn’t going to happen”. Increasingly it’s “if it’s not on my iPhone, it’s not going to happen”. The fact is that I can’t actually remember all the things that I need to do each day, I need reminding!

I spend perhaps 8 hours a day at my work PC, maybe 2 hours a day on my home laptop and my iPhone is with me pretty much 24/7 – all of which are both data sources, and data endpoints. They all remind me to do things. To add a bit more complication to the mix, some things are personal, some things are work related.

So, to summarise, I want email, calendaring and to-do/tasks on my desktop, laptop and iPhone, and I want to be able to add/edit/delete for any of them.

More...

Google, Exchange 2003, Outlook 2007, iTunes google, gmail, iphone, calendar, tasks, email, exchange, sync, laptop, desktop

As is normally the case when I’m studying, I haven’t had time to post much on here lately. I’ve been studying to pass the ICND1 exam (snappily titled “Interconnecting Cisco Network Devices Part 1”)

I’m really pleased to say that neglecting this site paid off, or rather the study did – I passed with a score of 930! It was a LOT harder than I had expected, I thought I’d walk out after 20m! It does now mean that I am CCENT. I’ll be taking the ICND2 exam early in the new year which will move me up to CCNA.

Also in the exams category, I’m taking a beta exam “PRO: Design & Deploy Messaging Solutions with Microsoft Exchange Server 2010”. Another snappy title and another bundle of fun!

Sam

Qualifications, Cisco, Exchange 2010 cisco, ccent, icnd1, icnd2, exchange 2010

I'm currently in the process of migrating a 2-host High Availability cluster of ESX 3.5u4 servers to vSphere 4. This is going to come in 3 distinct stages: Stage 1 is to upgrade VirtualCenter Server 2.5 to vCenter 4, which I am going to cover today. Stage 2 is to upgrade each host, and will be covered as I do it. Stage 3 is the upgrade of the Virtual Machines to the latest VMware Tools and then the new VM hardware.

So to start, I'll outline the process:

• Download the vSphere vCenter 4 installer from VMware (~1.8GB).
• Download your updated licensing for vSphere.
• Back up your VirtualCenter server.
• Run the installation.

I'm not going to run through the download of the installer or licensing, if you're not sure how to do that, probably best not to do the rest.

VMWare, VMware Converter, VMware Update Manager, VMware vCenter 4.0, VMware vSphere 4.0 vmware, vsphere, vcenter, upgrade, virtualcenter, vsphere 4, vi3

If you have an Alternate Access Mapping configured for a MOSS 2007 site with Integrated Authentication you might find that you get prompted for the DOMAIN\UserName and Password. After 3 attempts you get to a HTTP 401 error.

This can be resolved by following the steps in MS KB 896861

HTH,

Sam

MOSS, IIS moss, alternate access mapping, http 401, authentication, failed

I use a lot of free tools in my everyday work – some don't make the grade, but others I just couldn't do what I do without – check out my top free tools here: http://www.mcgeown.co.uk/BlogEngine/page/My-Top-Free-Tools.aspx

Admin Tools tools, free

I'm migrating some hosts off of an older storage LUN, but when I drag the disk to the new Datastore with the SVMotion plug-in the job fails with the following error:

The error occurs because the virtual disk cannot be moved without moving the source files, the .vmx, .vswap etc. Simply drag the entire VM, rather than the virtual disk to the new Datastore.

If you're trying to move a 2nd, 3rd or nth disk and you get this error, drag the entire VM as per above over to the new Datastore, once that's completed, go back in to SVMotion and drag the whole VM across again, only this time before you apply, drag the nth disk back to the new Datastore.

VMWare, VMware ESX 3.5, VMware Storage vMotion svmotion, vmware, storage vmotion

A.K.A Why not to use snapshots

I ran into a slightly confusing problem today - our SQL servers are all created with 4 disks on 4 separate LUNs (System, Swap, SQL Data and SQL Logs). When viewing the server through Virtual Center I couldn't see all of the LUNs, just the System LUN. It's not a major problem as the VM can see the storage, but a little annoying when you have to remember what LUN the disks are on.

Slightly more distressing was the fact that the System-LUN was running out of space - fast. A LUN that should have had about 150GB free was running dangerously low. On investigation I found various snapshot files were being stored in with the System-LUN, which is where the VM's VMX, vswap etc are situated. These were the snapshot delta files of the additional disks, which were on other storage! This isn't first apparent at first as the disk snapshots have been named sequentially by ESX, so a VM with 4 disks on separate LUNs will in fact create 4 snapshot files on the SYSTEM-LUN named VM01-00001.vmdk, VM01-00002.vmdk, VM01-00003.vmdk and VM01-00004.vmdk. 00001 is for the System disk, 00002 is for the Swap disk etc etc. This means that the IO on that LUN has been multiplied, and the storage space is shrinking very rapidly.

A little more digging and it seems that this is by design - snapshots are not meant to be kept for very long, and I think VMware made a deliberate decision to make it difficult to do so. Any virtual disks created for a VM, lets call it VM01, were named VM01.vmdk. When additional virtual disks were created through vCenter on a different LUN, they were still named VM01.vmdk - there's no conflict because they're in different locations. However, when vCenter takes a snapshot it places them with the original disk, and because it's got the same name as the existing disk it starts to enumerate them.

This is bad for a number of reasons - most prominent of which is that if the snapshot file grows large, vCenter does not handle the commit well. In fact, neither does ESX, but I'll get to that. vCenter will time out on any operation that takes more than 15 minutes, so a commit of a 10GB snapshot will look for all intents and purposes in vCenter like it's failed. On top of that, the enumeration of snapshot delta files can cause confusion as to which disk it actualy belongs to, and if that happens, commiting

We all know snapshots are performance killers, but the functionality they provide is not insignificant, and as with most things a balance has to be struck between the functionality and the performance.

So the headlines

• VMs created with disks on multiple LUNs in vCenter use the SAME DISK NAME (eg; for VM01 the disks were created in /vmfs/volumes/SYSTEM-LUN/VM01.vmdk, /vmfs/volumes/SWAP-LUN/VM01.vmdk etc etc).
  • Mitigate this by creating disks using the vmkfstools and adding them to the VM or renaming the existing disks (see below).
• Snapshots cause ALL disk delta files onto the "system" LUN (i.e. where your VMX file is stored.) This is bad because a) it multiplies your I/O on that disk and b) you negate the benefits of storing on multiple LUNs.
  • Mitigate this by deleting your snapshots. There's no other way*, don't try manually moving them or you will have problems.
• Commiting large snapshots takes time - LOTS of time - and can have a big performance hit on your server.
  • Mitigate this by shutting down your VM first and commiting the disk using the vmware-cmd out of business hours. You can also merge the old disk and snapshots into a "new" disk, then shut down the VM and boot with the "new disk".
• vCenter has a hard coded 15m timeout.
  • If you are doing a operation that will take longer than that, do it via the console!

* when I say there's no other way, I mean, there's no other practical way. There are methods to move the snapshot files to another LUN but they bring some serious problems with them.

Create a vmdk (virtual disk) using vmkfstools

• Log in to your server console.
• Type su - (to log in as root, enter root password, note the "-" to load the root user environment variables)
• Navigate to the storage that you wish to use. E.g. cd /vmfs/volumes/System-LUN/
• Create a new folder for the virtual disk: mkdir VM01
• Navigate to the folder: cd VM01
• Create the disk: vmkfstools -c <size> <filename> -a <buslogic|lsilogic>
• For help just type vmkfstools

Rename vmdk files using vmkfstools

• Shut down the VM in vCenter.
• Edit the VM settings and remove the disk you wish to change. Do not delete the file!
• Log in to your server console.
• type su - (to log in as root - enter root password, note the "-" to load the root user environment variables)
• use the command: vmkfstools -E /vmfs/volumes/<LUN>/<Server Name>/<Disk Name>.vmdk /vmfs/volumes/<LUN>/<Server Name>/<New Disk Name>.vmdk

• Go back to the vCenter and re-add the disk, using the new name.

Commit your snapshots using vmware-cmd

• Log in to your server console.
• Type su - (to log in as root, enter root password, note the "-" to load the root user environment variables).
• Use the vmware-cmd -l command to list your VMs. Note the path to the VM you want to deal with.
• Remove all snapshots for a VM: vmware-cmd /path/to/vm/VM01.vmx removesnapshots

VMWare, VMware ESX 3.5, VMWare ESXi 3.5 vmware, esx, snapshots, snapshot, vmware-cmd, vmkfstools

Here's the setup. We have a core switch of 2 Cisco 3750s, connected together for fault tolerance as a single logical switch; we also have several ESX 3.5 hosts with 4 Gigabit Ethernet NICs installed each. The Virtual Machines will all be on VLAN 8 (reserved for internal servers) and the VMKernel will be on VLAN 107 (reserved for VMKernel traffic like VMotion).  I want to create a load balanced, fault tolerant aggregate of these four NICs over the Core Switch.

Configure ESX server's vSwitch

Configuring the vSwitch is actually pretty simple, but there are a couple of gotchas, so don't skip this bit! First thing to note is that if you are making changes to the vSwitch and the Service Console is on that vSwitch you can quite easily lock yourself out. Make sure you configure this correctly, first time! In this setup, I am adding all 4 NICs to vSwitch0, which will be the only vSwitch. I'll then use Port Groups to assign VLANs and Active/Passive configurations to the VMKernel/Service Console.

First things first then - assign the four NICs to the vSwitch. This is done in the Configuration Tab in VMware Infrastructure Client, then the Networking page. Edit the properties of your vSwitch, then select the Network Adaptor tab. Add all the NICs you wish to team in there (they may already be in there, depending on your setup). You should end up with something that looks like this (note that I've not assigned any VLAN yet):

Now you need to configure the NIC teaming, so edit the vSwitch Properties and under the Ports tab select the vSwitch. Click edit, and then go to the NIC teaming tab. Configure the teaming options like this:

That's the easy part over and done with! Time to move onto the Cisco!

Configuring the Cisco Core Switch

Firstly, we need to log on to the switch and enter enable mode; I'm going to assume you know how to do this - if not, you really shouldn't be attempting this setup!

Determine the switches trunk load balancing setup by using the command "show etherchannel load-balance". It should look something like this:

If the protocol is NOT src-dst-ip, then you won't be able to establish a trunk connection with the ESX server. If your protocol is not src-dst-ip, change it with the command "port-channel load-balance src-dst-ip". This now matches the "Route based on IP hash" setting you configured in ESX. Although ESX has a setting for MAC based hashing, as does the Cisco, I was unable to get it to work.

Moving on. You need to create a Port-Channel interface for the trunk (this is a virtual interface that binds the 4 GigabitEthernet interfaces together). As i've got other Port-channels in use for connections to other switches, I'm setting up port-channel 40. Move to config mode (conf t) and then enter the setup:

interface Port-channel40
 description VMTEST01 Aggregate
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 8
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
end

Description simply adds a description, "switchport trunk encapsulation dot1q" sets the encapsulation of the trunk to 802.1Q. "switchport trunk native vlan 8" means that any traffic without a VLAN tag will be automatically assigned to VLAN 8. "switchport mode trunk" obviously designates that we want a trunk, rather than access. "switchport nonegotiate" means that it will not attempt to negotiate the protocol, and be a static trunk, rather than LCAP or PGaP. "spanning-tree portfast trunk" causes a Layer 2 LAN interface configured as an access port to enter the forwarding state immediately, bypassing the listening and learning states (i.e. if the link goes down and then comes back up, it will do so quickly).

With the Port-channel configured, you now need to edit your GigabitEthernet ports and assign them to the Port-channel. For each port in the trunk, enter the following config (this example is port 8 on the master switch in my stack, hence 1/0/8):

interface GigabitEthernet1/0/8
 description VMTEST01 VMNIC1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 8
 switchport mode trunk
 switchport nonegotiate
 channel-group 40 mode on
 spanning-tree portfast trunk
end

The difference between that and the Port-channel setup? "channel-group 40 mode on" is simply assigning the port-channel in static mode.

Once all four NICs are assigned you might have to wait a few minutes for every layer of the connection to settle down before the trunk comes up. To check the status of the etherchannel you can use the command "show etherchannel 40 summary", replacing the 40 for whichever number you assigned to your port-channel.

I hope this helps navigate the minefield that I found to be setting up the NIC teaming!

Cisco, Networking, VMWare, VMware ESX 3.5 cisco, vlan, teaming, nic, esx 3.5, aggregate, trunk, portfast, 802.1q, load balancing

I recently resolved an ongoing DNS issue where the Active Directory Integrated DNS was loaded in both the Domain and the DomainDNSZones partition of AD - this is a separate issue and should be resolved differently. My problem when I tried to verify that the fixed DNS setup had propogated around my domain controllers, DC01 and DC02. DC01 kept failing "DCDIAG /TEST:DNS" with errors regarding the root hint servers. Googling about it was clear that a lot of people were suffering the same issue, but no article I read had correctly identified the solution.

The error looked something like this:

P:\>dcdiag /test:dns

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: SITE\DC01
      Starting test: Connectivity
         ......................... DC01 passed test Connectivity

Doing primary tests

   Testing server: SITE\DC01

DNS Tests are running and not hung. Please wait a few minutes...

   Running partition tests on : ForestDnsZones

   Running partition tests on : DomainDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : DOMAIN

   Running enterprise tests on : DOMAIN.com
      Starting test: DNS
         Test results for domain controllers:

            DC: DC01.DOMAIN.COM
            Domain: DOMAIN.com

               TEST: Forwarders/Root hints (Forw)
                  Error: Root hints list has invalid root hint server: a.root-se
rvers.net. (198.41.0.4)
                  Error: Root hints list has invalid root hint server: b.root-se
rvers.net. (192.228.79.201)
                  Error: Root hints list has invalid root hint server: c.root-se
rvers.net. (192.33.4.12)
                  Error: Root hints list has invalid root hint server: d.root-se
rvers.net. (128.8.10.90)
                  Error: Root hints list has invalid root hint server: e.root-se
rvers.net. (192.203.230.10)
                  Error: Root hints list has invalid root hint server: f.root-se
rvers.net. (192.5.5.241)
                  Error: Root hints list has invalid root hint server: g.root-se
rvers.net. (192.112.36.4)
                  Error: Root hints list has invalid root hint server: h.root-se
rvers.net. (128.63.2.53)
                  Error: Root hints list has invalid root hint server: i.root-se
rvers.net. (192.36.148.17)
                  Error: Root hints list has invalid root hint server: j.root-se
rvers.net. (192.58.128.30)
                  Error: Root hints list has invalid root hint server: k.root-se
rvers.net. (193.0.14.129)

               TEST: Dynamic update (Dyn)
                  Warning: Dynamic update is enabled on the zone but not secure
DOMAIN.com.

         Summary of test results for DNS servers used by the above domain contro
llers:

            DNS server: 128.63.2.53 (h.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.12
7.in-addr.arpa. failed on the DNS server 128.63.2.53

            DNS server: 128.8.10.90 (d.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.12
7.in-addr.arpa. failed on the DNS server 128.8.10.90

            DNS server: 192.112.36.4 (g.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.12
7.in-addr.arpa. failed on the DNS server 192.112.36.4

            DNS server: 192.203.230.10 (e.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.12
7.in-addr.arpa. failed on the DNS server 192.203.230.10

            DNS server: 192.228.79.201 (b.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.12
7.in-addr.arpa. failed on the DNS server 192.228.79.201

            DNS server: 192.33.4.12 (c.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.12
7.in-addr.arpa. failed on the DNS server 192.33.4.12

            DNS server: 192.36.148.17 (i.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.12
7.in-addr.arpa. failed on the DNS server 192.36.148.17

            DNS server: 192.5.5.241 (f.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.12
7.in-addr.arpa. failed on the DNS server 192.5.5.241

            DNS server: 192.58.128.30 (j.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.12
7.in-addr.arpa. failed on the DNS server 192.58.128.30

            DNS server: 193.0.14.129 (k.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.12
7.in-addr.arpa. failed on the DNS server 193.0.14.129

            DNS server: 198.41.0.4 (a.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.12
7.in-addr.arpa. failed on the DNS server 198.41.0.4

         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
               ________________________________________________________________
            Domain: DOMAIN.com
               DC01                    PASS PASS FAIL PASS WARN PASS n/a

         ......................... DOMAIN.com failed test DNS

It looks pretty horrific - DNS is failing at a basic level! It turns out that the actual issue is an old version of DCDIAG.EXE. After several hours and a lot of head scratching I checked the versions of the DCDIAG.EXE (normally c:\Program Files\Support Tools\dcdiag.exe) and "Lo! And Behold!" the version was different. I downloaded the Windows Server 2003 Support Tools R2, uninstalled the old version (v5.2.3790.1800) and installed the new one (v5.2.3790.3959).

Et voila! The working test...

P:\>dcdiag /test:dns

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: SITE\DC01
      Starting test: Connectivity
         ......................... DC01 passed test Connectivity

Doing primary tests

   Testing server: SITE\DC01

DNS Tests are running and not hung. Please wait a few minutes...

   Running partition tests on : ForestDnsZones

   Running partition tests on : DomainDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : DOMAIN

   Running enterprise tests on : DOMAIN.com
      Starting test: DNS
         Test results for domain controllers:

            DC: DC01.DOMAIN.COM
            Domain: DOMAIN.com

               TEST: Dynamic update (Dyn)
                  Warning: Dynamic update is enabled on the zone but not secure
DOMAIN.com.

         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
               ________________________________________________________________
            Domain: DOMAIN.com
               DC01                    PASS PASS PASS PASS WARN PASS n/a

         ......................... DOMAIN.com passed test DNS

Networking, Windows Server, Windows Server 2003 dcdiag, dns, domain controller, windows server 2003, root servers

I recently had an issue where a hosting environment was registering a lot of Netlogon Event 1030/1058 issues, being unable to find the Group Policy objects or download them. In this example, the server DC is the domain controller for DOMAIN.LCL.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1030
Date:  10/09/2009
Time:  06:24:29
User:  NT AUTHORITY\SYSTEM
Computer: DC
Description:
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1058
Date:  10/09/2009
Time:  06:24:29
User:  NT AUTHORITY\SYSTEM
Computer: DC
Description:
Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=DOMAIN,DC=LCL. The file must be present at the location <\\DOMAIN.LCL\sysvol\DOMAIN.LCL\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Windows cannot find the network path. Verify that the network path is correct and the destination computer is not busy or turned off. If Windows still cannot find the network path, contact your network administrator. ). Group Policy processing aborted. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

On the affected machines, when navigating to \\DOMAIN.LCL there were no shares available, however navigating to \\DC shows the NETLOGON and SYSVOL shares. Pinging DOMAIN.LCL and then the DC showed that the IP addresses were not the same as expected, DOMAIN.LCL was resolving to the backup network, whereas DC was resolving to the servers LAN IP.

I checked the DNS records for the server, which were correct. Investigating the adaptor binding settings under Control Panel > Network Connections > Advanced > Advanced Settings showed that the backup network's adaptor was first in the list. I moved the adaptor for the LAN to the top of the list and OK'd my way out. I restarted the NETLOGON service and the issue was solved.

Windows servers have never been particularly good at being multi-homed, especially domain controllers. My advice comes from some bitter experience...

• If you have multiple network adaptors for extra bandwidth/redundancy/resiliance, then I would strongly recommend using Teamed adaptors, most of the major manufacturers' drivers and management software support it. This will eliminate any issues with multi-homing because as far as the server is concerned, it has one adaptor.
• If you have multiple network adaptors for different network segments and you're using RRAS to route between them, I would strongly suggest not using a Domain Controller at all for this purpose. Better yet, buy a hardware router.
• If you have multiple network adaptors for different purpose networks (e.g. a LAN, a backup network and an iSCSI network) then make sure you do the following:
  • Disable "File and Printer Sharing for Microsoft Networks" and "Client for Microsoft Networks" on all but the LAN adaptor.
  • Ensure that your LAN adaptor is the FIRST adaptor in the bindings in the advanced network settings.

 Hope that helps!

Active Directory, Networking, Windows Server 2000, Windows Server 2003, Windows Server 2008 multi-homed, domain controller, 2003, server 2003, server, network

Why should a home user backup? Most don’t, most people just have their photos, music and video collection on a single hard drive, maybe an external drive or even a USB key. Unfortunately, no-one ever thinks about what they’d do if their drive were to fail, losing all their precious holiday snaps, their slightly embarrassing music collection, or perhaps their family finances. But stop and think for a second – can you really replace those holiday snaps? What about your music collection – do you want to spend 3 days importing all your CDs or DVDs? Or maybe your personal finance app – is that something you could afford to lose?

With my little preachy bit out of the way, I’ll come to my point – GFI have released their own home backup software, and from what I can see, it’s pretty good. Installation is dead simple, and then you’re presented with your main screen:

Simple enough, Backup lets you…well…backup, Restore, funnily enough, lets you restore, Sync is a handy tool for syncing data across several sources, and finally My Tasks lets you modify previously configured Backup, Restore and Sync tasks.

Backup

Configuring Backups is as simple as selecting What, Where and When – What do you want to backup? Where do you want to back it up to? When do you want to back it up? There are some nice features over the bundled-with-Windows NTBackup

1. email notifications
2. backup to an FTP site
3. backup registry keys
4. backup email applications
5. backup user settings (i.e. your AppData folder)
6. “stacked backup” that keeps versions of your data
7. zip compression
8. aes encryption

In my test the pre-scan element of the backup took a while, but the actual backup itself was pretty speedy. I backed up my website (about 3000 files, 10mb) in 54 seconds to an external USB drive.

Restore

Restoring is just as easy, you can select to restore the entire backup, or individual files and folders. Both work well and are intuitive. I restored the same web folder back to my hard drive in an incredible 9 seconds.

Sync

I’ve not tested comprehensively, but on the surface it looks like a great piece of home software, which I’ll be using to do some off-site backups at home. And it’s free, which means you can’t go far wrong – nice one GFI!

Download GFI Backup – Home Edition here

Backup gfi, backup, home, restore, sync, ftp, encryption

Like thousands of other IT pros out there, I'm testing Windows 7 out on my laptop - since I don't want to mess around with my main PC, it's running on some older kit. The problem with that is that there aren't many Vista drivers around for the hardware - why would there be, it's not even supposed to be able to run Vista?! It does, however, run Windows 7 very admirably (just one of the many improvements).

The only problem was the sound card, the only drivers available from Dell for the onboard sound were for XP, which crash in both Vista and 7. The sound card is compatible with Intel's generic AC97, so it didn't take long to find a Vista compatible AC97 driver from RealTek which will run any AC97 hardware, regardless of the actual manufacturer.

Dell, Windows 7 windows 7, ac97, audio, drivers, vista

I'm in the middle of rolling out Sophos as a replacement to the incumbent McAfee at work. One interesting thing that I found as I rolled out to some test users was that they were unable to log on to one of our internal systems using NTLM (integrated authentication). Instantly the roll out of Sophos was blamed - and I can understand why - the problem did not occur until Sophos was installed.

But the truth is that in it's dying breath McAfee had one last laugh and had un-registered jscript.dll and vbscript.dll. I can say that now because I've spent a morning with Sophos support and been on the brink of abandoning our roll-out until I looked into one of the side symptoms.

Sophos was ruled out as the cause because a) it did not effect ALL the Sophos test machines, just ones where McAfee was uninstalled b) with Sophos disabled (services and browser add on) the problem did not go away c) Uninstalling Sophos did not solve the problem. It did however, point me in the right direction - during the uninstall there was an error message, the fix for which was to re-register jscript.dll (clue #1)

When I opened Services.msc, the Extended view simply showed a blue frame - Standard view was fine. One of the fixes for this was to re-register jscript.dll and vbscript.dll (clue #2).

Clue #3 came when I googled McAfee and jscript.dll, rather than blaming it on Sophos. A myriad of pleas for help from McAfee users with stuffed browsers, update issues and the like.

The Solution 

• Download and run the McAfee Consumer Product Removal tool (http://service.mcafee.com/FAQDocument.aspx?lc=2057&id=TS100507)
• Reboot if required
• Open a command prompt (Start > Run > "cmd")
• Type the following commands in one at a time, hit enter and acknowledge the result
  • Regsvr32.dll jscript.dll
  • Regsvr32 vbscript.dll
• Reboot again

Now, let me take this opportunity to say that McAfee is a resource hogging, trouble making screwed up piece of software which I pray to God that I never have to support again. </rant> 

Security, Anti-virus mcafee, antivirus, internet explorer, javascript, jscript.dll, vbscript.dll, services, services.msc, uninstall