Thursday, 25 October 2007

Windows Desktop Search ADM

If you are using SUS to manage updates and you have a lot of faith in MS, you probably got hit by hundreds of users asking what the new search bar by the tray is: you just got Windows Desktop Search.

Next issue is what to do. The search indexes your hard disk by default and if you are using Outlook 2003+ it will also index the cache file on your drive. By default it does not go roaming off around the network despite what the press are saying. In fact it is actually pretty good; the toolbar is annoying but that can be turned off, and it seems to overrule the default search but an extra click will get that back as well. In all, what's not to like?

Of course you can set up all the settings via Group Policy, but finding the ADM file was the hard bit: you have to download the whole kit from http://support.microsoft.com/default.aspx/kb/917013

Extracting the files from the download section you will find the desktopsearch30.adm file which will allow you to change all sorts of settings. Of course you can also go into your SUS server and make the update a remove option.

Wednesday, 24 October 2007

Remove unattached Hardware from VMWare clone

Having done a clone of our BlackBerry server and setting it up in VMWare we came across an oddity. Our network card was complaining about setting its IP address to the same as one already set but we were only using one of the cards.

VMWare was imaged as usual using BartPE and Ghost but in doing so we had taken over the old hardware configuration which as we were on Win2k3 meant we couldn't see it in device manager or remove it using add-remove hardware in control panel.

Apparently we needed to make these available so from the command prompt:

SET DEVMGR_SHOW_NONPRESENT_DEVICES=1
followed by:
DEVMGMT.MSC

Please note that running Device Manager from outside that command prompt window will mean it's not using the variable you just set and nothing will work as stated.

Wednesday, 22 August 2007

Powerchute and ESX

Although we have moved a significant number of our servers onto ESX, we now have the issue of shutting down these servers using the Powerchute Network Shutdown. All the Windows servers have been done, but there is a 'VMWare aware' version of the client for ESX servers to allow them time to shut down their virtual servers and then shut themselves down.

Powerchute Network Shutdown is available from HERE.

With instructions available HERE.

The story doesn't end there though as during my searching of information regarding the ESX server version I came across this handy post from a fellow blogger.

In short you need to run the following at the ESX server command line:
/usr/sbin/esxcfg-firewall -o 80,tcp,out,http
/usr/sbin/esxcfg-firewall -o 3052,tcp,in,PowerChute

The first line opens port 80 outwards to allow the Powerchute Network Shutdown client to register its IP onto the APC management card. You could of course do this by hand in the web interface of the card.

The second line allows the UPS to talk to the client on port 3052 to give it commands for shutting down etc.

When you have finished completing the setup you can close the port 80 outbound:
/usr/sbin/esxcfg-firewall -c 80,tcp,out,http

We did all this using WinSCP to copy over the client followed by Putty to connect and run the required commands.

Also worth noting: the default phrase for the APC management cards is 'admin user phrase'. Having not set these at original setup, finding this out took longer than installing the client!

Tuesday, 21 August 2007

Powerchute

A few weeks ago we had a powercut that lasted several hours. During that time the UPS's depleted to zero and were useless when the power finally came back after being off over 2 hours.

Following on from that we had several small drops in power which meant that the UPS's didn't have time to recharge themselves in order to prevent another system failure. Although Powerchute wouldn't have saved us from the power failures it would have prevented the untidy shutdowns on many of the systems as the UPS connected to them simply stopped working.

With that in mind we decided to sort out the UPS software, in the past this was never an issue but the risk of losing a server meant that putting this into place was more important than before as the infrastructure of the system on the whole had got bigger and with that the UPS's were under more strain than before.

Installation is easy with the Powerchute Network Shutdown that is free from http://www.apc.com. Install the software on each of the clients connected to the UPS in question then go to the IP address of the network card in your browser.

Installing the client should have added it to the list of IP addresses to shutdown when required, check that this is the case in the network management website. A simple fix to what could have been a painful problem.

Monday, 30 July 2007

SPAM!

Now the spam creators (whoever they are, burn in hell!) have come up with something new. Something I cannot stop!, something that pisses me off! PDF attachments.

The Microsoft IMF filter is a cracking little freebie with a nice way of stopping things manually included. Along with the IMF Companion this is all we have needed so far in the endless battle against spam.....until now.

How exactly do you stop PDF attachments with the IMF filter?

Monday, 23 July 2007

MAC addressing in VMWare

After too many hours spent doing support calls and not enough time free to look at infrastructure we decided to pull a late night and Saturday working in order to get some things done out of normal hours.



The fact that each hour out of normal hours is worth about 5 hours in work time meant that we had time to look at some issues that had been hanging over our heads. Do a few installs and look at some left over servers from the virtualisation push earlier in the year.



First up was the DDM server. We thought this would be problematic as we wanted to virtualise it BUT still use the existing licenses on the server. Design Data Manager itself has its own licensing system built in using a web front end. The licenses themselves are MAC address locked. Due to the way that VMWare worked with its failover system MAC locking is problematic.



If an ESX server fails for whatever reason or is under stress VMWare has some clever load balancing available to allow the server to move (whilst staying up) to another ESX server in the cluster. As you can imagine moving the virtual server also moves the NIC that the server is running on. MAC addressing would be interesting to say the least....



We BartPE'd the server using Ghost peer-to-peer and then tried the Windows method of manually setting the MAC address in the driver of the network card:



Pulling up Pro-ENGINEER on the client didn't work. DDM ran like a charm using the same license but it appears as though FlexLM doesn't look at Windows for its information and was picking up an ESX MAC address starting 00:50:56. This code is still some ESX jiggery-pokery and not the REAL MAC address of the NICs in the server, so although FlexLM ignores the Windows change it couldn't get right to the hardware.


It looks as though we are going to have to get new license codes for the VM server using the ESX MAC address and then set the server so that it doesn't move. This of course has its downsides but I guess that the FlexLM software didn't want people getting free software by copying their friends' MAC addresses onto their card in Windows.

Monday, 9 July 2007

IMF XML Customweights

Despite my good work from the previous entry the IMF filter failed me. Not through any fault of its own mind you.

The IMF filter runs from Microsoft Update and as I stated in my previous post it creates a new folder for each update, deleting any folders except the latest 3 so you can roll back in time. It also reregisters the DLL from the latest update so it's all nice and tidy....however.....

What it doesn't do is copy over the customweight XML file. What this means is despite your best efforts to stop certain emails using the XML it won't work when the new update comes in and you have to manually copy the XML file into the newly created directory.

I came in today and found that Saturday saw a nice IMF update come in and lo and behold my users now have an inbox full of 'US NMA' mails!

Copied over the file, restarted the SMTP service and now it's blocking them again....anyone know how this could be scripted?

Thursday, 5 July 2007

US NMA and IMF2

After a couple of days of spam from 'The United States National Medical Association' trying to sell us drugs online from an everchanging variety of email addresses I decided to investigate why these things were getting through even though we had the Exchange SP2 IMFv2 installed and enabled.

First up I added the required entry to the MSExchange.UceContentFilter.xml file:

<CustomWeightEntry Type="SUBJECT" Change="MAX" Text="The United States National Medical Association"/>


Make sure you save this in Notepad in the Unicode format or you can get application log errors and a failure to work regardless of getting the rest of this right.

Then I did a restart of the SMTP Virtual Server from within the Exchange admin tool. Back to gmail and a little test to my internal mail, straight to my mailbox.

Not to be deterred I had a quick rummage around the net regarding IMF not working. According to a fellow blogger the IMF although getting updated automatically with the required registry entry was basically creating a new folder structure each time an update was installed.

Looking at the folder structure I could see 3 different versions in the IMF folder. Another interesting point was that the XML file had to be in the version that you were running (IMFv1 ran from the IMF folder proper). So I copied the XML file into the newest folder.

Penultimately you had to make sure that the correct DLL was registered, one was in each version folder and one in the root presumably from the old IMFv1 days. So I ran a:

regsvr32 "C:\Path To Exchange\BIN\MSCFV2\6.5.7931.0\MSExchange.UceContentFilter.dll"


Still nothing so I did a restart of the SMTP Virtual Server, no dice so finally did a restart of the SMTP service....and....HUZZAH! We now have blocking again.
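The manual fix from the two posts above (copy the custom weight XML into the newest version folder, then restart the SMTP service) can be scripted. This is an added example, not part of the original posts: the root path reuses the post's placeholder, and the master-copy location C:\IMF and the availability of PowerShell on the Exchange server are assumptions.

```powershell
# Added example: re-deploy the IMF custom weight file after an IMF update.
param(
    # Placeholder path from the post; point it at your Exchange BIN\MSCFV2 folder.
    [string]$ImfRoot   = 'C:\Path To Exchange\BIN\MSCFV2',
    # Assumed location of a master copy kept outside the version folders.
    [string]$MasterXml = 'C:\IMF\MSExchange.UceContentFilter.xml'
)

$ErrorActionPreference = 'Stop'
$xmlName = 'MSExchange.UceContentFilter.xml'

# Version folders are named like 6.5.7931.0. Sort them as versions, not as
# strings, so that 6.5.10000.0 ranks above 6.5.7931.0.
$latest = Get-ChildItem -Path $ImfRoot |
    Where-Object { $_.PSIsContainer -and $_.Name -match '^\d+(\.\d+){3}$' } |
    Sort-Object { [version]$_.Name } |
    Select-Object -Last 1
if (-not $latest) { throw "No IMF version folders found under $ImfRoot" }

# The file must be saved as Notepad "Unicode" (UTF-16 LE, BOM FF FE);
# refuse to deploy a copy that would only produce application log errors.
$master = [System.IO.File]::ReadAllBytes($MasterXml)
if ($master.Length -lt 2 -or $master[0] -ne 0xFF -or $master[1] -ne 0xFE) {
    throw "$MasterXml is not saved in Unicode (UTF-16 LE) format"
}

# Copy only when the newest folder lacks the file or holds a different one,
# so a scheduled run does not bounce SMTP for no reason.
$target    = Join-Path $latest.FullName $xmlName
$needsCopy = $true
if (Test-Path $target) {
    $current   = [System.IO.File]::ReadAllBytes($target)
    $needsCopy = [Convert]::ToBase64String($current) -ne
                 [Convert]::ToBase64String($master)
}

if ($needsCopy) {
    Copy-Item -Path $MasterXml -Destination $target -Force
    # The posts found that restarting the SMTP virtual server was not enough;
    # the SMTP service itself (service name SMTPSVC) has to be restarted.
    Restart-Service -Name SMTPSVC
    Write-Output "Deployed $xmlName to $($latest.FullName) and restarted SMTP"
} else {
    Write-Output "$xmlName already current in $($latest.FullName)"
}
```

Run it as a scheduled task shortly after the Microsoft Update window so a new version folder is picked up before the next working day.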

Tuesday, 3 July 2007

Event 6161

We have another printing problem. This time with Remote Desktop users.

They can add printers to their RDP profile fine and the driver appears to have installed correctly with all the HP bumf included so I don't think this is a driver specific issue.

When they print to this printer they get an event 6161 in the system log and the document fails to print. Trawling of Google has done little to fix this problem at present so if anyone has a fix drop me a comment.

The error is 31 which equates to 'a device attached to the system.....'. It's a bugbear for so many issues in Terminal Services so I am kind of clueless at the moment.

Everything works fine for admins so this looks to be some sort of rights thing somewhere.

Friday, 29 June 2007

There is 19" rackmount and there is 19" rackmount

It seems that although 19" rackmount gear is meant to be 19" some is more than others. In the case of our new tape unit for our new backup solution it came without rails which although not an awful problem did leave us with some issues.

Having stolen a couple of sets of rails from our old IBM rackmount servers and first trying some low profile screws to allow the deep unit to slide all the way to the back we finally ended up using a little brute force and loosening the screws on some other IBM rails to get the unit to sit on a shelf of rails.

It seems that some suppliers are better than others at allowing you to get your hardware in the rack. IBM 1 - HP 0

Wednesday, 20 June 2007

IE7 Hover styles

Part of my job is looking after an Intranet and HR Portal and one of the current tasks I have assigned myself is keeping it up to date as its starting to look a little sad.

It's going to be a long project from start to end but I have started nonetheless. With auditors due in shortly we thought it would be for the best if we followed up on their observations from last time, which meant sorting out our asset management.

Currently we have an old excel file that is way out of date which we just wave about when the auditors come alas it failed us last time so we thought we had better do something about it and make it more easy to look after so I started doing an asset management and tracking PHP and MySQL addition to the current Intranet.

Having done a few item entries and testing the search functionality I thought a row highlighter would be good so you could hover over the item in question and it would be highlighted. Having looked through some dirty fixes and pages of endless JScript to do the task I found that IE7 has a :hover tag for all parts now similar to how it did for hyperlinks in previous versions.

Having played and failed to get it to work, the fix was found in a posting on a fellow blogger's site: http://www.bernzilla.com/item.php?id=762. To save those too lazy to read any more, basically enter:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

Add this to the start of your page, even before the opening <html> tag. Just make sure that you have no existing styles on your tag when you create your TR:Hover style.

Tuesday, 19 June 2007

Event ID 8026 on Exchange Server

After the demise of our old DC and the phoenix from the flames rebirth of our new 2003 domain I thought I had better watch the logs of some of the servers to make sure they were all happy.
The DC's displayed the usual ignorable events but the Exchange server had this little beauty in the application log:


The server was still trying to communicate with the old now retired server. Microsoft's knowledgebase took me straight to the solution: http://support.microsoft.com/kb/272552

Simply choosing a new domain controller in both the top level domain and subdomain all was grand and another red cross was stricken from the event logs never to return.

Monday, 18 June 2007

A Snap Server Update

It appears that although our upgraded Snap Servers can now see the 2003 domain and its users in the access lists if I try to connect even with full admin rights it attempts to send my username with the additional DOMAIN\ on the front which means it fails.

Users on this forum have reported various issues and currently there are two fixes available.

The first is to run with EVERYONE with full rights. This solves any need to check on rights and henceforth just works, but grants everyone access to copy all our installation points and programs etc. Not overly alarming but we would rather not.

The second solution which we are now having to use is mapping the NAS to a drive letter and specifying credentials when we do it. This is done via a batch file from the logon script. It's a fix but it's not pretty and I am not really impressed. Here is the command for those in the same boat:

net use w: \\snapserver\sharename password /user:administrator

If anyone has a way of getting this to work please help! I hear its something to do with NTLM and Vista users have no hope at all.

Thursday, 14 June 2007

Remote Control of Console Session

This has been a bugbear of mine for a while but one I had never got round to fixing and using. I spent an awful lot of time logging off sessions and logging on afresh to a new session instead of taking control of the console session and using the existing one to read current application activity etc. on apps that had to stay running.

To enable the ability to take control you first need to enable taking over the session without input from the console session.

To do that:
  1. On the server you want to take control of START - RUN - gpedit.msc
  2. Expand Computer Configuration - Administrative Templates - Windows Components
  3. Select Terminal Services, find the entry 'Sets rules for remote control of Terminal Services user sessions'
  4. Double-click it and click the enabled radio button
  5. In the drop down that appears select 'Full control without user's permission'
  6. Click OK and close gpedit.msc

Now to take control of a console session you can use two methods, log in via terminal services to the same server and then at the command prompt enter 'SHADOW 0' this will take control of the session 0 (the console) and drop your session in the process. If someone is logged on at the console it will lock the computer.

The other method is via the client. Type 'mstsc.exe /v:computername /console' and you will go straight into the console. If like us the admin has been disabled to prevent hacking you might only be able to use the first option.

Wednesday, 13 June 2007

.Net Security Settings

Microsoft in their infinite wisdom decided not to add the configuration tools for the .NET framework with the .NET framework itself. This has resulted in some rumblings on the forums and some headaches for admins but they did add something to ease the burden.

The configuration tool is in the SDK for the .NET framework and with it is the ability to make the changes you require and then export the changes out as an MSI file for installation elsewhere in the enterprise.

Our problem was due to the increased security that .NET imposes by default, no working from network drives. Easily fixed with the .NET framework configuration tools via the MMC (mscorcfg.msc). Pull up the MMC with the .NET Framework Configuration snap-in.

  1. Navigate My Computer - Runtime Security Policy - Machine - Code Groups - All_Code - LocalIntranet_Zone
  2. Right-click and click 'New...'
  3. Enter a name and description
  4. For the file location in our case a mapped network drive G: we use file://G:\* The * indicates all subfolders
  5. Next step select 'Full Trust' from the drop down list
  6. Restart your development application

Now to export it as an MSI:

  1. Right-click on the 'Runtime Security Policy' subtree
  2. Left-click 'Create Deployment Package'
  3. Follow the wizard to create your MSI package

That's it in a nutshell, it certainly saves installing a 350MB download on every PC that wants to run a development tool over the network.

Tuesday, 12 June 2007

LDAP and Digital Sending settings

Here is one that has been a pain to setup, digital sending using the Active Directory for mail addresses.

To set this up, open the web front end, go into the Digital Sending tab and then into the Addressing option on the sidebar.

The settings are as follows:

'Allow Device to directly access an LDAP Address Book' = Checked.

Accessing the LDAP Server:
'LDAP Server Bind Method' = Simple
'Use Public Credentials'
Username: -AccountwithreadrightstoLDAP-
Password: -password-
'LDAP Server' = -ADDomainController-
'Port' = Either 389 for LDAP or if the server is a Global Catalog you can use 3268

Searching The Database:
'Search Root': dc=mydomain, dc=com (split your domain into sections separated by the dot and then add dc= to the start and , to the end)
'Device user information retrieval'= Custom
'Match the name entered with the LDAP attribute of' = We use 'cn' for the container of the user to match the name against
'Retrieve the recipients email address using attribute of' = mail (the mail attribute specifies the E-mail address)

Monday, 11 June 2007

Windows 2003 domains and Snap Servers

It seems now the domain is fully 2003 that Snap Servers are not supported on old releases. Our 2 Snap Servers are purely used as installation points and driver stores to aid in day to day IT and save a lot of scrabbling around after CD's.

So basically we have no install points no drivers, no patches, no IT helpful stuff of any kind! Having looked around on various forums and Adaptec (the current owners of Snap Server) it seems that there is confusion over upgrading.

To go to Snap Server v4.0.860 in the USA it looks like there is a $200 fee (although there is a free upgrade if you already run a current v4 build) but talk on the forums mentions no such fee if you call in Europe and their support folks will mail you the required access.

So to Tech Support we go......and wait.....and wait....finally giving up on the support line an E-mail was not replied to so off to Google for the file name. Shock! Horror! Google failed me! tis a black day indeed.

But joy of joys and the wonders of FTP search engines found this little beauty and on an Adaptec mirror of all places: . So thanks Adaptec for letting me have it for free.

Thursday, 7 June 2007

Subdomain, crash and burn! EEEEK!

Yesterday we did the final DC upgrade to 2003. This was a DC running as a virtual machine on an ESX server. We thought this would be pretty painless as we had already done the same thing on 3 other domain controllers in this forest. How wrong we were!

Following the upgrade and on the reboot following the GUI install phase BANG! blue screen of death loop with a 0x0000007B error. It looked to have been related to the driver for the virtual SCSI controller.

We tried the usual BartPE injection of 'LSI Logic' drivers into the installation but to no avail. Having tried a repair install and submitting the drivers using the floppy F6 option again we had the same problem.

Time was key and we had to decide whether we wanted to persevere with trying to resurrect the dead DC or move on with the DC we had left. The boss made the call that this server was dead.

First job was to get the other DC up and running as the master DC in the domain (read: carrying the FSMO roles) so with the aid of the handy bookmarked KB article we seized the roles:

A heads up on this is that once you have selected your server you have to 'go back one level' which is easily overlooked in the fear of losing the domain!

In brief:

START - RUN - ntdsutil
roles
connections
connect to server MyDC
q
seize roletoseize
q
q


The 5 roles in the forest are as follows (in terms of naming for the seizing): rid master, pdc, schema master, infrastructure master, domain naming master. This was the subdomain so we only required the seizing of the rid master, pdc and infrastructure master. Also of note is setting the global catalog: as we only had the one DC left this had to run on the infrastructure master (we moved it after we had a second DC back up).

We brought up a second virtual server image, dcpromo'd it up and got it as the GC using the 'Active Directory Sites and Services' tool:



A single checkbox on the NTDS Settings properties is all there is to set. Needless to say it was a long fretful night and today is still ongoing with changing IP's and DNS updates etc.

As far as I can tell DNS is the magic behind most of this, get that running and the network looks after itself.

Tuesday, 5 June 2007

Top level domain now full 2003

The final DC in the top level domain was upgraded today which was pretty painless as this top level is simply in place for adding subdomains to if we require them in the future.

One little fun surprise was this error:

apphelp dialog cancelled thus preventing the application from
starting.



This popped up after we tried to do some uninstallation of bits we no longer needed, in this case the Windows 2000 administrative tools. Apparently this little gem comes up if you install 2003 over the top without uninstalling the tools first, thankfully installing the 2003 admin tools disposed of the 2000 tools in the process.

The second little beauty was the following error from the event viewer having installed 2003 SP1 we got this error in the system log:

Event ID 7022: The Kerberos Key Distribution Center service hung on starting


This was a little worrying to start with and the only mention in the knowledgebase did nothing to calm our fears. Some more probing on the net and it appears that I am not the only one. This error is one of those 'I am not ready' when starting errors that so often happen these days. I remember IIS and Exchange being famous for these. Basically what's happening is a check is being done too early in the startup and as a result is failing, which means we get an error. Waiting another few seconds and the service does start and all is fine, just a process getting a little ahead of itself.

No fix at present so just ignore that huge red error in your event viewer OK, its normal.

Monday, 4 June 2007

Word takes forever printing

Today we had an old Word problem come back to haunt us again. A few years back this came up and I thought 2 Word revisions on that this would now be solved.

The problem in question was a Word document of just over 2Mb when sent to the printer would take an age to then print. We started with the obvious removing all traces of images including Visio drawings and then as the problem stayed moved on to removing GIF images and then copying and pasting the document into a new file.

Nothing solved it, finally the user with the problem changed the borders on the table that ran almost the length of the document. Changing from a dotted line to a plain standard line and printing was as fast as ever.

It appears that Word hasn't been fixed of this issue and some searching of the KB found this old article on NT4 and LaserJet 5 printers: http://support.microsoft.com/kb/163599

Just goes to show you are better off taking note of these things as you can't rely on them getting fixed no matter how many revisions are made.

No fix (yet) for McAfee and Outlook

Having had users complain of Outlook crashing with a runtime error from time to time I thought I should try and fix this problem rather than doing the Microsoft Fix which basically entails removing your E-mail virus checker from the desktop.

Having done some browsing round the rather helpful mcafeehelp.com forums it seems we are outta luck unless you fancy talking to a call centre guy who will then pass you on to 2nd line support who will then make you run some 'diagnosis tools' and then finally give you the file you asked for to start with.

Due to having done all this before and it nearly making me want to '/wrists' I think I will await the next patch that will come one day or until the complaints become more unbearable than call centres and begging for patches.

Friday, 1 June 2007

FREE SSL Certificates

We are currently looking at our email 'on the go' solution and thought you might like to hear this little bit of FREE-ness. Having had a Blackberry enterprise server for a while now and the contracts up on all our mobiles we are looking at alternative solutions.

Obviously the cheaper option is the Microsoft push email using Windows Mobile 5 AKU2 or greater handsets, so not to be held back with our fiddling ways me and the boss have a new handset for playing...erm....I mean testing this possible solution.

One of the fun joyous things is getting the damn thing working on Exchange 2003 (lets pray things are easier in 2007) which requires an SSL certificate to keep it nice and secure.

Well, the short story is we got it working, I will cover the struggle at some later date when we roll more out and I can document it in more detail but as SSL is useful for more than just email handsets I thought I would point you at startcom.org, these guys are the best with a nice forum full of helpful folks so if you are in need of a cert this is the place to start. Sadly they aren't certified with IE yet but noises on the forums suggest they are working on it.

Thursday, 31 May 2007

SPEWed on!

SPEWS the 'have a go' hero of spamming has got us! Being a Telewest customer it was only a matter of time I guess but the upshot is that we are not getting through to some of our contacts as they are using the SPEWS list to keep spam to a minimum.

Having ranted a little at Telewest for not sorting out their customer base and fixing the problem they did give me a smart host I could use for routing my mail, an IP that wasn't in the blacklist. Previously we had tried to route as much mail directly using DNS but this has forced our hand so now we have to set a smart host.

A quick change from 'Use DNS to route....' to 'Forward all mail through....' and setting the IP/DNS name in the field below and all mail was now going out through a new route and more importantly wasn't getting thrown into the bin at the other end.

If only ISPs took a hard line on users closing open relays.

IE7 crashes Active Desktop

It appears now the WSUS is alive and kicking again we are playing catchup, some users have had this little beauty.

If IE7 doesn't manage to finish its install and cleanup process completely (usually because a user shuts down before completion) the .htt files used by active desktop are not upgraded to the new IE7 version. This results in the active desktop crash showing the recovery button. Clicking the button just throws up a script error.

To fix this you have to change a registry entry in the current user tree:

' Reset the Active Desktop safe-mode version flag for the logged-on user
Const HKEY_CURRENT_USER = &H80000001
strComputer = "."
Set objReg = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")
strKeyPath = "Software\Microsoft\Internet Explorer\Desktop\SafeMode\Components"
strValueName = "DeskHtmlVersion"
dwValue = 0   ' DWORD value, so pass a number rather than a string
objReg.SetDWORDValue HKEY_CURRENT_USER, strKeyPath, strValueName, dwValue


Save the text as a .vbs file and get any users with this error to run it and fix active desktop.

Why are we even using active desktop? Well we use it to display the company logo in the centre of the screen and prevent everyone having everything from hot babes to football logos on their desktop!

Wednesday, 30 May 2007

McAfee Addins throw a wobbly

Here is a nice error thrown up by McAfee today. Doing a staged upgrade of our old VirusScan software to the latest 8.5.0 enterprise version all appeared to be going well; however, on reboot several of our users were getting the following error:




Having logged on as myself I was not seeing this error. The extend.dat file is basically a copy of some registry settings that are put there to speed things up when opening Outlook. Upgrading over the network had done everything right in the registry but Outlook keeps going back to this file instead of copying the registry settings to a new one.


In the end an easy fix, delete the extend.dat in the path given in the error and Outlook recreates it the next time it is launched. Microsoft knowledgebase covers it here: http://support.microsoft.com/kb/204951

WSUS 3.0 - Client connectivity fixed!

Well the clients didn't do quite as I expected. Having rummaged through the IIS tree it seems that WSUS installs to BOTH websites.

It looks like if you already had WSUS/SUS of some description on your server and then upgrade WSUS will use another port for its site. The next port it will attempt to use is 8530. You can check the port in use by:



  1. Open computer management
  2. Expand IIS near the bottom
  3. Expand the 'web sites' folder and highlight your WSUS site
  4. Right-click - Properties will show the general tab
  5. Look for the port field
Having spent some more time sifting through newsgroups and forum postings it seems there are a lot of people in the same boat. To fix this error simply point your Windows Update clients to the new URL:


Simply edit your existing group policy which holds your current WSUS info and change the URL in the two boxes shown in the picture to read: http://wsusserver:8530

Your clients will need to update their group policy settings: 'gpupdate /force' and then run a forced update on the Windows Update client 'wuauclt.exe /detectnow'

With luck your clients will update as normal and also report back to the WSUS server any changes, before you would have all the clients listed but the reporting times would not update.

WSUS 3.0 has arrived!

WSUS 3.0 is out and available for a free download. I must say this upgrade can only be classed as amusing. We originally used to use the old hfnetcheck command line tools to download our updates so when SUS came out we were quick to jump at the chance and with each new iteration it has been getting better and better.

The first thing you will notice is the new interface that uses MMC, why they didn't do this to start with I will never know. It works and with the download of the reporting pack it does some nice pretty stuff with pie charts.

So last week we thought we would upgrade and upgrade we did, all seemed to go OK and hey presto! we could connect with our new MMC tool (at the loss of the website). So there I am checking through the logs on the DC's after our new Win2k3 addition and what do I find but errors on not being able to contact the WSUS server.

To cut a long story short I am now an expert on WSUS error codes after several hours of Googling said codes. It appears that although the default website was stopped in IIS and not used the upgrade had put part of the new WSUS 3.0 by default into the default website (leaving the v2.0 piece in the WSUS site we created originally) so now it seems like our WSUS install is currently on 2 sites. Anyone care to explain why this happened?

The upshot is that, due to the default site being stopped, all the clients couldn't connect to update the client part and were throwing errors and basically failing miserably. Having started the site up I await the 3pm update to see if the clients are playing ball again.

Although we have a nice MMC tool now (you will have to go around installing it on any PCs you want to use for WSUS admin) they have removed the website which, although a tad on the slow side, was handy for checking things out from client PCs. Oh well, the price of progress.

Tuesday, 29 May 2007

It's Alive and multiple accounts event id 11.

Well the network managed to stay up and nothing untoward is appearing in the event logs regarding our Win2k3 changes so I am happy enough.

However....I did find something that was annoying me.

Event ID: 11


There are multiple accounts with name
MSSQLSvc/SQLSVR.uk.mydomain.local:1433
of type 10.


This error was appearing at random on the subdomain DC system log. Looking through I think this was ignored as it wasn't actually affecting the system and there were bigger fish to fry.

So here is the magic fix:
  1. Install the support tools pack from your Windows disk. This can be found in the Support\Tools folder.
  2. Run LDP from the run dialog box.
  3. Click CONNECTION - CONNECT - OK to connect to the LDAP.
  4. Click CONNECTION - BIND - OK, leaving fields empty again.
  5. Click BROWSE - SEARCH, in the Base DN box enter your domain in LDAP format: DC=uk,DC=mydomain,DC=local
  6. In the filter box enter serviceprincipalname= followed by the name from the event; in my example above I entered: serviceprincipalname=MSSQLSvc/SQLSVR.uk.mydomain.local:1433. Set scope to SUBTREE then click RUN.
  7. You will get a listing of where it exists, we need to lose one.

In our case we had the SQLSERVER service running as a local system account at one time, so there was an entry under the computer name and an entry under the user account which was now running the service. To remove the name from the computer account we brought up ADSIEDIT.MSC, browsed through the domain tree and found our server in question in the listing (this will depend on where your server exists and your OU setup). Right-clicking - Properties gave us its details, and browsing down to SERVICEPRINCIPALNAME we found the entry for MSSQLSvc/SQLSVR.uk.mydomain.local:1433 still there. After deleting it and rebooting we no longer get the errors in the log.
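The LDP search above checks one name at a time. To sweep a whole domain for the same problem, the added example below (not part of the original post) parses an LDIF export of every servicePrincipalName and reports any SPN held by more than one account. The OU and account names in the sample are constructed, and the function names are hypothetical.

```python
import base64
from collections import defaultdict
# Constructed sample export; OU and account names are made up. An export could come from e.g.
#   ldifde -f spns.ldf -d "DC=uk,DC=mydomain,DC=local" -r "(servicePrincipalName=*)" -l servicePrincipalName
SAMPLE_LDIF = """\
dn: CN=SQLSVR,OU=Servers,DC=uk,DC=mydomain,DC=local
servicePrincipalName: MSSQLSvc/SQLSVR.uk.mydomain.local:1433
servicePrincipalName: HOST/SQLSVR.uk.mydomain.local

dn: CN=svc-sql,OU=Service Accounts,DC=uk,DC=mydomain,DC=local
servicePrincipalName: MSSQLSvc/sqlsvr.uk.mydomain.
 local:1433
"""

def unfold(text):
    """Join LDIF continuation lines (they start with a single space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_attr(line):
    """Split 'name: value' or base64 'name:: value' into (lowercase name, value)."""
    name, _, rest = line.partition(":")
    if rest.startswith(":"):
        return name.lower(), base64.b64decode(rest[1:].strip()).decode("utf-8")
    return name.lower(), rest.strip()

def duplicate_spns(ldif_text):
    """Return {spn: [DNs]} for every SPN registered on more than one account."""
    owners = defaultdict(set)
    dn = None
    for line in unfold(ldif_text):
        if not line.strip() or line.startswith("#"):
            continue
        name, value = parse_attr(line)
        if name == "dn":
            dn = value
        elif name == "serviceprincipalname" and dn:
            # SPN matching is case-insensitive, so compare lowercased
            owners[value.lower()].add(dn)
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}

if __name__ == "__main__":
    for spn, dns in duplicate_spns(SAMPLE_LDIF).items():
        print(spn, "->", "; ".join(dns))
```

Each reported SPN should end up on exactly one account, the one the service actually runs as.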

Monday, 28 May 2007

Network Upgrade Time

It is no coincidence that my blog starts the week after we decide to upgrade the network. It's been an interesting week at work: we have a two-tier domain with a master domain only holding 2 domain controllers, with a subdomain which contains 2 DCs and everything else!

Last week we went and put in our first 2003 domain controller. All seemed to go well so I am awaiting the fallout on Tuesday when I return to work. With the boss away it's going to be interesting on my own.

The DC went in on the subdomain and was dcpromo'd up with DHCP and integrated DNS on it. We then set all the static PC's to use the new DNS server with the other server holding the FSMO roles for the subdomain.

The other DC was then dcpromo'd down to leave the single DC with the FSMO roles running Win2K and the new Win2k3 server. We also made the Win2k3 server the global catalog for the subdomain. So far all seems to be OK.

Next step is to get a new Win2k3 DC in the top level domain so that they are all talking the same language, so to speak. Ideally I would like to remove all the old Windows 2000 DCs by transferring the FSMO roles to the new servers and removing the old DCs, as they have been upgraded and upgraded since NT 3.51 so they deserve retirement.

And So It Begins

Who am I? Well I am part of a 2-man IT team supporting a Windows 2000 network with over 130 Windows XP clients. The company I work for is a manufacturing company so we have a wide range of users from 3D designers to packers and assembly line people.

Why this blog? This blog is mainly for me to follow how the network evolves and how we manage it as a team. I will put down here problems I face and links to how they were solved, the idea being that if other people have the same issues the fixes are easier to find, basically saving some leg work for my fellow IT compatriots. Also I might tend to vent my spleen about the state of IT and where we are headed across all fields; it's nice to give your opinion even if no one is reading.

....so now it begins....