Dark Developments - Where Knowledge Meets Power

5 Apr 2013

DPM – Redirected Access “Backup In Progress”

Posted by Dark#Basics


Today I had an issue where our Hyper-V Cluster Shared Volumes were stuck in Redirected Access. In this state the CSV is still available to all nodes in the cluster under the ClusterStorage namespace, but every node except the coordinator node sends its I/O over the cluster network through the coordinator node instead of directly to the storage. Redirected access is used, for example, while a backup of the volume is running with DPM.

As it turns out, the DPM agent running on both Hyper-V owner nodes was stuck, and restarting the DPMRA service made sure the volumes came back online.
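The check that goes with this post, written here as an added example rather than code from the original: list the CSVs that are currently in redirected access together with their coordinator (owner) node, and with the -Fix switch restart the DPM agent on those nodes, which is the fix described above. It assumes Windows Server 2008 R2 or 2012 with the FailoverClusters module, is run on a cluster node, and needs PowerShell remoting to the other nodes; the -Fix switch and the column names are this script's own.

```powershell
# Added example, not code from the original post.
# Reports Cluster Shared Volumes in redirected access; -Fix restarts DPMRA on the
# owner node of each affected volume (assumption: FailoverClusters module present,
# PowerShell remoting enabled between the cluster nodes).
param([switch]$Fix)

Import-Module FailoverClusters

function Get-RedirectedCsv {
    # SharedVolumeInfo holds one entry per volume on the CSV resource.
    # RedirectedAccess is true while I/O is being forwarded through the coordinator;
    # MaintenanceMode is shown because it is the other common reason for redirection.
    foreach ($csv in Get-ClusterSharedVolume) {
        foreach ($info in $csv.SharedVolumeInfo) {
            if ($info.RedirectedAccess) {
                New-Object PSObject -Property @{
                    Volume      = $info.FriendlyVolumeName
                    Resource    = $csv.Name
                    OwnerNode   = $csv.OwnerNode.Name
                    Maintenance = $info.MaintenanceMode
                }
            }
        }
    }
}

$redirected = @(Get-RedirectedCsv)
if ($redirected.Count -eq 0) { Write-Host "No CSV is in redirected access."; return }
$redirected | Format-Table Volume, Resource, OwnerNode, Maintenance -AutoSize

if ($Fix) {
    foreach ($node in ($redirected | ForEach-Object { $_.OwnerNode } | Sort-Object -Unique)) {
        $agent = Get-Service -ComputerName $node -Name DPMRA -ErrorAction SilentlyContinue
        if (-not $agent) { Write-Warning "DPMRA is not installed on $node"; continue }
        # Restarting DPMRA aborts any DPM job still running on that node, so only do
        # this when the volume stays redirected after the backup window has ended.
        Invoke-Command -ComputerName $node -ScriptBlock { Restart-Service -Name DPMRA -Force }
        Write-Host "Restarted DPMRA on $node (service was $($agent.Status) before the restart)"
    }
}
```

Run it without -Fix first: a volume that is redirected because it is in maintenance mode, or because a backup is legitimately still running, should not have its agent restarted.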

3 Feb 2013

IIS – Move InetPub

Posted by Dark#Basics

After installing IIS, its default location is the system drive. For a few small websites and services that is not a problem, but when you are a hosting company, or are going to provide storage for a large number of websites, you will have to move the inetpub folder. When no websites are installed yet this is easily done by copying the files to the new location and changing the physical path of the website in IIS. But what if you already have more than one site and are just as lazy as me?

Well, I came across the following script that allows you to move inetpub to another drive without doing anything manually except running the script from an elevated command prompt.

 

@echo off
REM PLEASE BE AWARE: SERVICING (I.E. HOTFIXES AND SERVICE PACKS) WILL STILL REPLACE FILES
REM IN THE ORIGINAL DIRECTORIES. THE LIKELIHOOD THAT FILES IN THE INETPUB DIRECTORIES HAVE
REM TO BE REPLACED BY SERVICING IS LOW BUT FOR THIS REASON DELETING THE ORIGINAL DIRECTORIES
REM IS NOT POSSIBLE.
REM
REM Usage: MOVEIISROOT.BAT <driveletter>   (run from an elevated command prompt)

IF "%1" == "" goto err
setlocal
REM MOVETO ends in a backslash, so paths below are written as %MOVETO%inetpub\...
set MOVETO=%1:\

REM simple error handling if drive does not exist or argument is wrong
IF NOT EXIST %MOVETO% goto err

REM Backup IIS config before we start changing config to point to the new path
%windir%\system32\inetsrv\appcmd add backup beforeRootMove

REM Stop all IIS services
iisreset /stop

REM Copy all content
REM /O - copy ACLs
REM /E - copy sub directories including empty ones
REM /I - assume destination is a directory
REM /Q - quiet

REM echo on, because user will be prompted if content already exists.
echo on
xcopy %systemdrive%\inetpub %MOVETO%inetpub /O /E /I /Q
@echo off
REM Move AppPool isolation directory
reg add HKLM\System\CurrentControlSet\Services\WAS\Parameters /v ConfigIsolationPath /t REG_SZ /d %MOVETO%inetpub\temp\appPools /f

REM Move logfile directories
%windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/sites -siteDefaults.traceFailedRequestsLogging.directory:"%MOVETO%inetpub\logs\FailedReqLogFiles"
%windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/sites -siteDefaults.logfile.directory:"%MOVETO%inetpub\logs\logfiles"
%windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/log -centralBinaryLogFile.directory:"%MOVETO%inetpub\logs\logfiles"
%windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/log -centralW3CLogFile.directory:"%MOVETO%inetpub\logs\logfiles"

REM Move config history location, temporary files, the path for the Default Web Site and the custom error locations
%windir%\system32\inetsrv\appcmd set config -section:system.applicationhost/configHistory -path:%MOVETO%inetpub\history
%windir%\system32\inetsrv\appcmd set config -section:system.webServer/asp -cache.disktemplateCacheDirectory:"%MOVETO%inetpub\temp\ASP Compiled Templates"
%windir%\system32\inetsrv\appcmd set config -section:system.webServer/httpCompression -directory:"%MOVETO%inetpub\temp\IIS Temporary Compressed Files"
%windir%\system32\inetsrv\appcmd set vdir "Default Web Site/" -physicalPath:%MOVETO%inetpub\wwwroot
%windir%\system32\inetsrv\appcmd set config -section:httpErrors /[statusCode='401'].prefixLanguageFilePath:%MOVETO%inetpub\custerr
%windir%\system32\inetsrv\appcmd set config -section:httpErrors /[statusCode='403'].prefixLanguageFilePath:%MOVETO%inetpub\custerr
%windir%\system32\inetsrv\appcmd set config -section:httpErrors /[statusCode='404'].prefixLanguageFilePath:%MOVETO%inetpub\custerr
%windir%\system32\inetsrv\appcmd set config -section:httpErrors /[statusCode='405'].prefixLanguageFilePath:%MOVETO%inetpub\custerr
%windir%\system32\inetsrv\appcmd set config -section:httpErrors /[statusCode='406'].prefixLanguageFilePath:%MOVETO%inetpub\custerr
%windir%\system32\inetsrv\appcmd set config -section:httpErrors /[statusCode='412'].prefixLanguageFilePath:%MOVETO%inetpub\custerr
%windir%\system32\inetsrv\appcmd set config -section:httpErrors /[statusCode='500'].prefixLanguageFilePath:%MOVETO%inetpub\custerr
%windir%\system32\inetsrv\appcmd set config -section:httpErrors /[statusCode='501'].prefixLanguageFilePath:%MOVETO%inetpub\custerr
%windir%\system32\inetsrv\appcmd set config -section:httpErrors /[statusCode='502'].prefixLanguageFilePath:%MOVETO%inetpub\custerr

REM Make sure Service Pack and Hotfix Installers know where the IIS root directories are
REM (no extra backslash here: MOVETO already ends in one)
reg add HKLM\Software\Microsoft\inetstp /v PathWWWRoot /t REG_SZ /d %MOVETO%inetpub\wwwroot /f
reg add HKLM\Software\Microsoft\inetstp /v PathFTPRoot /t REG_SZ /d %MOVETO%inetpub\ftproot /f
REM Do the same for x64 directories
if not "%ProgramFiles(x86)%" == "" reg add HKLM\Software\Wow6432Node\Microsoft\inetstp /v PathWWWRoot /t REG_EXPAND_SZ /d %MOVETO%inetpub\wwwroot /f
if not "%ProgramFiles(x86)%" == "" reg add HKLM\Software\Wow6432Node\Microsoft\inetstp /v PathFTPRoot /t REG_EXPAND_SZ /d %MOVETO%inetpub\ftproot /f

REM Restart all IIS services
iisreset /start
echo.
echo.
echo ===============================================================================
echo Moved IIS7 root directory from %systemdrive%\ to %MOVETO%.
echo.
echo Please verify that the move worked. If so you can delete the %systemdrive%\inetpub directory.
echo If something went wrong you can restore the old settings via
echo     "APPCMD restore backup beforeRootMove"
echo and
echo     "REG delete HKLM\System\CurrentControlSet\Services\WAS\Parameters\ConfigIsolationPath"
echo You also have to reset the PathWWWRoot and PathFTPRoot registry values
echo in HKEY_LOCAL_MACHINE\Software\Microsoft\InetStp.
echo ===============================================================================
echo.
echo.
endlocal
goto success

REM error message if no argument or drive does not exist
:err
echo.
echo New root drive letter required.
echo Here an example how to move the IIS root to the F:\ drive:
echo.
echo MOVEIISROOT.BAT F
echo.
echo.

:success

Source: http://blogs.iis.net/thomad/archive/2008/02/10/moving-the-iis7-inetpub-directory-to-a-different-drive.aspx
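The script ends with "Please verify if the move worked" but leaves the verification to you. The following is an added example, not part of the post or of the IIS team's script, that does that check: it reads back every path the script changed, the registry values servicing and WAS rely on, and the ACL of the new root. The last point is the one worth having: xcopy /O copies the explicit ACEs, but inherited ACEs come from the root of the new volume, and a data drive whose root grants Users or Authenticated Users write access leaves the web root writable by anyone who can log on. It assumes IIS 7.x with the WebAdministration module (Windows Server 2008 R2 or later), an elevated shell, and a drive letter parameter; F: is only an example.

```powershell
# Added example, not code from the original post or the IIS blog it quotes.
# Verifies the result of MOVEIISROOT.BAT <drive> (assumption: WebAdministration
# module available, run elevated). Exits 1 and prints a warning per finding.
param([string]$Drive = 'F')

Import-Module WebAdministration
$root     = "${Drive}:\inetpub"
$problems = @()

# 1. Values the script set in applicationHost.config (filter, attribute name)
$checks = @(
    @{ Filter = 'system.applicationHost/sites/siteDefaults/logFile';                    Name = 'directory' },
    @{ Filter = 'system.applicationHost/sites/siteDefaults/traceFailedRequestsLogging'; Name = 'directory' },
    @{ Filter = 'system.applicationHost/log/centralBinaryLogFile';                      Name = 'directory' },
    @{ Filter = 'system.applicationHost/log/centralW3CLogFile';                         Name = 'directory' },
    @{ Filter = 'system.applicationHost/configHistory';                                 Name = 'path' },
    @{ Filter = 'system.webServer/httpCompression';                                     Name = 'directory' },
    @{ Filter = 'system.webServer/asp/cache';                                           Name = 'diskTemplateCacheDirectory' }
)
foreach ($c in $checks) {
    $value = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $c.Filter -Name $c.Name).Value
    if ($value -notlike "$root*") { $problems += "$($c.Filter)/$($c.Name) still points at '$value'" }
}

# 2. Physical paths of all sites (sites deliberately hosted elsewhere will show up too)
Get-Website | Where-Object { $_.physicalPath -notlike "$root*" } | ForEach-Object {
    $problems += "site '$($_.name)' physical path is '$($_.physicalPath)'"
}

# 3. Registry values read by servicing (InetStp) and by WAS for app pool isolation
$reg = @{
    'HKLM:\SOFTWARE\Microsoft\InetStp'                       = 'PathWWWRoot'
    'HKLM:\SYSTEM\CurrentControlSet\Services\WAS\Parameters' = 'ConfigIsolationPath'
}
foreach ($key in $reg.Keys) {
    $name  = $reg[$key]
    $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($value -notlike "$root*") { $problems += "$key\$name is '$value'" }
}

# 4. ACL sanity on the new root: no write/modify/full for the broad built-in groups
$loose = (Get-Acl $root).Access | Where-Object {
    $_.IdentityReference -match 'Users|Everyone|Authenticated Users' -and
    $_.FileSystemRights -match 'Write|Modify|FullControl'
}
foreach ($ace in $loose) {
    $problems += "loose ACE on ${root}: $($ace.IdentityReference) has $($ace.FileSystemRights) ($(if ($ace.IsInherited) {'inherited from the volume root'} else {'explicit'}))"
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "All IIS paths point at $root and its ACL looks sane."
```

If the ACL check fires on an inherited ACE, fix the permissions on the new inetpub folder (disable inheritance or tighten the volume root) before deleting the old copy, because the old copy on the system drive was protected by the much stricter defaults of %SystemDrive%.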

7 Dec 2012

APPV – Registry from Sequenced Application

Posted by Dark#Basics

Sometimes you need to look at the registry of an application. But what if the application is virtualized and sequenced? The solution is to spawn a command prompt inside the package's virtual environment using sfttray, where APPNAME is the application name as it appears in the App-V client. Anything started from that prompt, regedit included, sees the package's virtual registry and file system instead of the host's.

sfttray.exe /exe cmd.exe "APPNAME"

1 Dec 2012

WIN2012 – Microsoft Office

Posted by Dark#Basics

We had some issues on our Windows Server 2012 RDS host with both Office 2007 and Office 2010 installed.

Every time you alternate between one Word version and the other, you get an error message saying "An error occurred and this feature is no longer functioning properly. Please run Setup and select Repair to restore this application", although the application runs fine without any issues.

If this first happens with Word 2007 and you repair Office 2007, launching Word 2007 again works fine. But if you then open Word 2010, the same error pops up. If you repair Office 2010 and launch Word 2010, all is fine. But then if you open Word 2007, the same issue comes up.

Launching Word with the /s switch works, but after disabling all add-ins and global templates the issue remains.

After contacting Microsoft, it seems this is an issue that 'sometimes' happens with Office installations on RDS servers. A registry fix is available at support.microsoft.com/kb/2121447. Note that the keys are under HKEY_CURRENT_USER, so on an RDS host the fix has to be applied for every user who logs on (for example through a logon script or a Group Policy preference), not just once per server.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Options]
"NoReReg"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options]
"NoReReg"=dword:00000001

7 Nov 2012

AD – Active Directory, What is it ?

Posted by Dark#Basics


What is it?

Active Directory lets administrators enforce policies and settings across a company network. You can think of AD as a catalogue that holds all the information about users, computers, resources and so on, together with the settings for the company domain. Based on the information stored in that catalogue, access can be granted and permissions set through mechanisms such as security groups.

The most important job of Active Directory is to authenticate the users, computers and resources that are part of the network, and to supply the authorization information (group memberships and the like) that goes with them.

Forests and Domains

When installing Active Directory for the first time you need to think about domains and forests. A forest is a security boundary. Objects in separate forests cannot interact with each other unless the administrators of each forest create a trust between them. For example, an Enterprise Administrator account for domain1.com, which is normally the most privileged account in a forest, will have no permissions at all in a second forest named domain2.com, even if both forests exist on the same LAN, unless there is a trust in place.

A domain is a management boundary. Domains are part of a forest. The first domain in a forest is known as the forest root domain. In many small and medium organisations (and even some large ones) you will find only a single domain in a single forest. The forest root domain defines the default namespace for the forest. For example, if the first domain in a new forest is named domain1.com, then that is the forest root domain. If you have a business need for a child domain, for example a branch office in Chicago, you might name the child domain chi. The FQDN of the child domain would be chi.domain1.com: the child's name is prepended to the forest root domain's name. This is typically how it works. You can have disjoint namespaces in the same forest, but that is a whole separate can of worms for another time.

In most cases you will want to do everything possible to stay with a single AD domain. It simplifies management, and modern versions of AD make it easy to delegate control per OU, which lessens the need for child domains. Keep in mind that a domain is not a security boundary: a Domain Admin in any domain of the forest can in practice take over the whole forest, so extra domains do not buy you isolation.

Domain Names

Can I name my domain whatever I want? Not really. dcpromo.exe, the tool that promotes a server to a DC, is not idiot-proof. It does let you make bad naming decisions, so pay attention to this section if you are unsure.

First of all, don't use made-up TLDs like .local, .lan, .corp or similar. Those TLDs are not reserved for private use. ICANN is selling TLDs now, so the mycompany.corp you use today could actually belong to someone else tomorrow (and .local additionally collides with multicast DNS on Apple and Linux clients). If you own mycompany.com, the smart thing to do is to use something like internal.mycompany.com or ad.mycompany.com as your internal AD name. If mycompany.com is also your externally resolvable website, avoid using it as the internal AD name as well, since you would end up with split-brain DNS.

Domain Controllers and the Global Catalog

When a user logs on to a domain-joined computer with AD credentials, both the user account and the computer account authenticate to a DC. The password itself is never sent over the wire: with Kerberos the client proves that it knows the password by encrypting a timestamp with a key derived from it (pre-authentication), and with NTLM it answers a challenge from the server using the password hash. Yes, the computer logs on too. This matters because if something happens to the computer account in AD, for example someone resets or deletes it, you may get an error saying that the trust relationship between the computer and the domain has failed. Even though your user credentials are fine, the computer is no longer trusted by the domain.

A server that answers authentication or authorization requests is a Domain Controller (DC). In most cases a Domain Controller also holds a copy of the Global Catalog. A Global Catalog (GC) is a partial replica of all objects in all domains of the forest. It is directly searchable, which means that cross-domain queries can usually be answered by a GC without a referral to a DC in the target domain. If a DC is queried on port 3268 (3269 with SSL/TLS), the GC is being queried. If port 389 (636 with SSL/TLS) is queried, a standard LDAP query is being made and objects in other domains may require a referral.

FSMO Roles

In general there are five functions (Flexible Single Master Operations, or FSMO roles) that a fully functional Active Directory needs, each held by exactly one DC at a time. The five roles and their functions are:

  • Domain Naming Master - There is only one Domain Naming Master per forest. It makes sure that a domain added to the forest has a unique name. If the server holding this role is offline, you cannot make changes to the AD namespace, which includes adding new child domains.
  • Schema Master - There is only one Schema Master per forest. It is responsible for updating the Active Directory schema. Tasks that need this, such as preparing AD for a new version of Windows Server functioning as a DC or the installation of Exchange, require schema modifications, and those modifications must be made on the Schema Master.
  • Infrastructure Master - There is one Infrastructure Master per domain. If you only have a single domain in your forest you don't really need to worry about it. If you have multiple domains, make sure this role is not held by a server that is also a GC, unless every DC in the domain is a GC. The Infrastructure Master is responsible for keeping cross-domain references correct: if a user in one domain is added to a group in another domain, the Infrastructure Masters of the domains in question make sure the reference is updated. The role does not do this work when it sits on a GC while other DCs in the domain are not GCs.
  • RID Master - The Relative ID Master is responsible for issuing RID pools to DCs. There is one RID Master per domain. Every object in an AD domain has a unique Security Identifier (SID), made up of the domain identifier and a relative identifier (RID). Every object in a given domain shares the same domain identifier, so the RID is what makes objects unique. Each DC has a pool of RIDs to use, so when that DC creates a new object it appends a RID it has not used yet. Since DCs are issued non-overlapping pools, each RID stays unique for the life of the domain. When a DC has used about half of its pool (older versions waited until roughly 100 were left), it requests a new pool from the RID Master. If the RID Master is offline for an extended period, object creation eventually fails.
  • PDC Emulator - Finally, the most widely misunderstood role of them all. There is one PDC Emulator per domain. Failed password attempts are retried against the PDC Emulator, which makes it the tie-breaker when a password was changed on one DC and has not yet replicated to the others (password changes are pushed to it immediately). The PDC Emulator is also the time source for the domain: all other DCs sync their time from it, and domain members sync from a DC. Everything must stay within 5 minutes of each other, the default Kerberos clock-skew tolerance, otherwise Kerberos authentication fails and everyone cries.

The important thing to remember is that the servers holding these roles are not set in stone. It is usually trivial to move the roles around, so while some DCs do slightly more than others, if a role holder goes down for a short period everything usually keeps working.

Primary and Secondary DCs

The concept of PDCs and BDCs died with Windows NT 4. Every additional DC you create also offers authentication services. It is best practice to have at least two DCs per domain. Both should hold a copy of the GC and both should be DNS servers, so that network resources (clients, servers, ...) can still query AD when one DC is down.

DCs of the same domain in the same site replicate changes to each other within about 15 seconds of a change by default. Note that some urgent events, such as account lockouts, trigger immediate replication, and password changes are additionally pushed straight to the PDC Emulator.

How do clients find the domain?

Clients and other resources find the DCs through DNS. It is the most critical service for a functioning AD. Note that while any DNS service that supports SRV records (and ideally dynamic updates) can be used, it is best to stick with AD-integrated DNS zones to avoid DNS-related problems.

When joining a client to the domain, the first thing to check is which DNS servers the client uses. Make sure it uses the in-house DNS servers, because the join resolves the domain name in order to locate a domain controller.

Domain controllers register SRV records in DNS that point clients to a DC offering a given function. Most of these records are registered by every DC; only the PDC Emulator and the GCs register role-specific records:

  • _ldap._tcp.<DNSDomainName> - Enables a client to locate a domain controller in the domain named by <DNSDomainName>. A client looking for a domain controller in domain1.com queries the DNS server for _ldap._tcp.domain1.com.
  • _ldap._tcp.<SiteName>._sites.<DNSDomainName> - Enables a client to find a domain controller in the specified domain and site (e.g. _ldap._tcp.lab._sites.domain1.com for a domain controller in the Lab site).
  • _ldap._tcp.pdc._msdcs.<DNSDomainName> - Enables a client to find the PDC Emulator FSMO role holder of the domain. Only the PDC Emulator registers this record.
  • _ldap._tcp.gc._msdcs.<DNSForestName> - Enables a client to find a Global Catalog (GC) server. Only domain controllers serving as GCs register this name, under the forest root domain name. If a server ceases to be a GC, it deregisters the record.
  • _ldap._tcp.<SiteName>._sites.gc._msdcs.<DNSForestName> - Enables a client to find a GC server in the specified site (e.g. _ldap._tcp.lab._sites.gc._msdcs.domain1.com).
  • _ldap._tcp.<DomainGuid>.domains._msdcs.<DNSForestName> - Enables a client to find a domain controller in a domain by the domain's globally unique ID. A GUID is a 128-bit (16-byte) number that is generated automatically to reference Active Directory objects; this record still works after a domain has been renamed.
  • <DNSDomainName> - Enables a client to find a domain controller through an ordinary host (A) record: every DC registers the domain name itself as an A record for its own address.
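Both the FSMO list and the SRV record list above are easy to check from a domain member. The following is an added example, not code from the original article: it resolves the locator records listed above for a domain and site, lists the FSMO role holders as AD reports them, checks that the pdc._msdcs record actually names the PDC Emulator, flags an Infrastructure Master that sits on a GC while other DCs are not GCs, and confirms that each GC answers on 3268. It assumes Windows 8/Server 2012 or later (Resolve-DnsName, Test-NetConnection) with the RSAT ActiveDirectory module; domain1.com and the site name Lab follow the article's examples and are placeholders.

```powershell
# Added example, not code from the original article.
# Assumptions: Resolve-DnsName and Test-NetConnection available (Windows 8 / Server 2012+),
# ActiveDirectory RSAT module installed, run as a domain member that can query AD.
param([string]$Domain = 'domain1.com', [string]$Site = 'Lab')

Import-Module ActiveDirectory

function Get-DcSrv([string]$Name) {
    # An SRV answer carries target host, port, priority and weight; the additional
    # section may also contain A records, which are filtered out here.
    Resolve-DnsName -Name $Name -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object @{n='Record'; e={$Name}}, NameTarget, Port, Priority, Weight
}

# 1. The locator records from the list above (plus the Kerberos KDC record)
$records = @(
    "_ldap._tcp.$Domain",                  # any DC in the domain
    "_ldap._tcp.$Site._sites.$Domain",     # a DC in the given site
    "_ldap._tcp.pdc._msdcs.$Domain",       # registered only by the PDC Emulator
    "_ldap._tcp.gc._msdcs.$Domain",        # registered only by GCs, under the forest root name
    "_kerberos._tcp.$Domain"               # KDCs (port 88); clients need this as well
)
$found = foreach ($r in $records) {
    try { Get-DcSrv $r } catch { Write-Warning "no answer for ${r}: $($_.Exception.Message)" }
}
$found | Format-Table -AutoSize

# 2. FSMO role holders as AD itself reports them
$dom    = Get-ADDomain -Identity $Domain
$forest = Get-ADForest -Identity $dom.Forest
[ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $dom.PDCEmulator
    RIDMaster            = $dom.RIDMaster
    InfrastructureMaster = $dom.InfrastructureMaster
} | Format-Table -AutoSize

# 3. The pdc._msdcs record must agree with the real PDC Emulator; a stale record sends
#    password-change and lockout traffic to the wrong server.
$pdcSrv = @($found | Where-Object { $_.Record -like '_ldap._tcp.pdc.*' })
if ($pdcSrv.Count -ne 1 -or $pdcSrv[0].NameTarget.TrimEnd('.') -ne $dom.PDCEmulator.TrimEnd('.')) {
    Write-Warning "pdc._msdcs SRV ($($pdcSrv | ForEach-Object NameTarget)) does not match PDC Emulator $($dom.PDCEmulator)"
}

# 4. Infrastructure Master on a GC is only a problem when some DCs in the domain are not GCs
$dcs = Get-ADDomainController -Filter * -Server $Domain
$im  = $dcs | Where-Object { $_.HostName -eq $dom.InfrastructureMaster }
if ($im.IsGlobalCatalog -and ($dcs | Where-Object { -not $_.IsGlobalCatalog })) {
    Write-Warning "Infrastructure Master $($dom.InfrastructureMaster) is a GC while not every DC in $Domain is"
}

# 5. Every GC should answer on 3268 (3269 for LDAPS)
foreach ($gc in $forest.GlobalCatalogs) {
    $ok = (Test-NetConnection -ComputerName $gc -Port 3268 -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0,-40} GC port 3268: {1}' -f $gc, $(if ($ok) { 'open' } else { 'CLOSED' })
}
```

A warning from step 1 for the site-specific record usually means the site name is wrong or no DC is placed in that site; a warning from step 3 after a role transfer means the old holder's record has not been cleaned up or scavenged yet.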

Installation and backup of Active Directory

More information on installing Active Directory can be found at darkdevelopments.org/2011/08/30/win2008-install-active-directory/. For the backup procedure of Active Directory see darkdevelopments.org/2011/07/18/db-backuprecovery-notes-part1-active-directory-2/.

Sources:
[1] serverfault.com/questions/402580/what-is-active-directory-and-how-does-it-work
[2] www.petri.co.il/active_directory_srv_records.htm

7 Mar 2012

IIS – Could not load file or assembly…

Posted by Dark#Basics

Could not load file or assembly 'Microsoft.Web.Extensions'
When adding a new website to IIS you may receive the following error message when browsing to the site.

Could not load file or assembly 'Microsoft.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. The system cannot find the file specified.

In my case the solution was to change the application pool to Classic mode instead of Integrated (the default). This can be done in IIS Manager > Application Pools > select the site's pool > Edit Application Pool > Basic Settings... and changing the Managed Pipeline Mode to Classic.

6 Mar 2012

WSUS – Move WSUS Database Files to a Different Volume

Posted by Dark#Basics


  1. Launch SQL Server Management Studio Express as an administrator. It is located under Start > Programs > Microsoft SQL Server 2005 > SQL Server Management Studio Express.
  2. Fill in the following information and click Connect:
    • Server type: Database Engine
    • Server name: \\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query
    • Authentication: Windows Authentication
  3. Expand Databases, right-click SUSDB and select Tasks > Detach... from the context menu.
  4. Select the "Drop Connections" checkbox and click OK. You may get an error that the database can't be detached; this happens because the IIS Admin Service and Update Services services are still running. Stop both services and try to detach the database again.
  5. Open Explorer and move the C:\WSUS\SUSDB folder to <new drive>:\WSUS.
  6. To reattach the database, right-click Databases and select Attach... from the context menu.
  7. On the Attach Databases page click the Add button.
  8. Browse to the new location of SUSDB.mdf and click OK twice to complete the move. Then start the two services again.
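The same procedure scripted, as an added example that is not part of the original post, so it can be repeated on more than one server and does not depend on the Management Studio GUI. It records where the data and log files are before detaching (so nothing has to be guessed about file names), stops the two services the post mentions, detaches with sqlcmd over the same named pipe, moves the files, re-attaches from the new location and restarts the services even if a step fails. It assumes sqlcmd.exe on the PATH (it ships with the SQL Server 2005 client tools), a local administrator account (the Windows Internal Database only accepts Windows authentication), the service names WsusService, W3SVC and IISADMIN, and a target folder parameter; E:\WSUS is only an example.

```powershell
# Added example, not code from the original post.
# Assumptions: sqlcmd.exe available, run as local administrator, WSUS 3.x on the
# Windows Internal Database, service names WsusService / W3SVC / IISADMIN.
param([string]$Target = 'E:\WSUS')

$server = 'np:\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query'   # the named pipe from step 2

function Invoke-Wid([string]$Query) {
    # -h -1 drops the column header, -W trims padding, -b makes errors set the exit code,
    # so each output line is exactly one value.
    $out = & sqlcmd -S $server -E -h -1 -W -b -Q "SET NOCOUNT ON; $Query" 2>&1
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed: $out" }
    $out | Where-Object { $_ -and $_ -notmatch '^\(\d+ rows affected\)' }
}

# 1. Record the current data and log file paths before anything is detached
$files = @(Invoke-Wid "SELECT physical_name FROM sys.master_files WHERE database_id = DB_ID('SUSDB')")
if ($files.Count -eq 0) { throw "SUSDB not found on $server" }

# 2. Stop the consumers of the database; with them running the detach fails (step 4)
Stop-Service -Name WsusService, W3SVC, IISADMIN -Force

try {
    # 3. Drop remaining connections and detach (the "Drop Connections" checkbox)
    Invoke-Wid "ALTER DATABASE SUSDB SET SINGLE_USER WITH ROLLBACK IMMEDIATE; EXEC sp_detach_db 'SUSDB'"

    # 4. Move the files, keeping their names
    New-Item -ItemType Directory -Path $Target -Force | Out-Null
    $moved = foreach ($f in $files) {
        $dest = Join-Path $Target (Split-Path $f -Leaf)
        Move-Item -Path $f -Destination $dest
        $dest
    }

    # 5. Re-attach from the new location (steps 6 to 8)
    $spec = ($moved | ForEach-Object { "(FILENAME = N'$_')" }) -join ', '
    Invoke-Wid "CREATE DATABASE SUSDB ON $spec FOR ATTACH"
}
finally {
    # 6. Bring IIS and WSUS back, whether or not the move succeeded
    Start-Service -Name IISADMIN, W3SVC, WsusService
}

# Show where the database lives now
Invoke-Wid "SELECT name + ' -> ' + physical_name FROM sys.master_files WHERE database_id = DB_ID('SUSDB')"
```

If the re-attach in step 5 fails, the files are already in the new folder and the database is detached; fix the cause and run the CREATE DATABASE ... FOR ATTACH statement again by hand rather than re-running the whole script, which would try to detach a database that no longer exists.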

Sources:
www.geeklab.info/2010/05/how-to-move-your-susdb-wsus/
blogs.technet.com/b/sbs/archive/2009/09/23/how-to-move-wsus-content-and-database-files-to-a-different-partition.aspx

3 Oct 2011

EXCHANGE – Recovering a Disconnected MailBox

Posted by Dark#Basics

After disabling a mailbox it is still present in the mailbox database, marked for removal. During online maintenance the MSExchangeIS process checks for mailboxes that are marked for removal and past their retention period, and purges them. The retention period is configurable and defaults to 30 days, so by default you can recover a disabled mailbox within 30 days.

Perhaps needless to say, but don't select Remove to get rid of a mailbox. Remove not only disconnects the mailbox but also deletes the associated user object. You would not be the first to delete the user object by accident when you only wanted to remove the mailbox: after all, you are in a mailbox view, so Remove implies removing a mailbox. The action Disable is also misnamed, since it does not disable the mailbox but marks it for deletion; after the retention period it is deleted permanently. That is not what "Disable" implies. After all, a disabled user account stays in Active Directory until someone deletes it.

To disable a mailbox from the Exchange Management Shell use Disable-Mailbox:

Disable-Mailbox <UserID>

Note that disconnected mailboxes may not show up immediately because of delays caused by replication or if the status of the mailbox hasn’t been updated in the store yet.

When a mailbox is disconnected you will be able to connect the mailbox again using the Exchange Management Console or by using the Exchange Management Shell.

Connect-Mailbox -Identity <MailboxID> -Database <DatabaseID> -User <UserID>
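Finding the right <MailboxID> is the part the one-liner leaves out, and the delay mentioned above means the disconnected mailbox may not be listed yet. The following is an added example, not code from the original post: it looks for the disconnected mailbox in a database, refreshes the store's disconnect state with Clean-MailboxDatabase if nothing shows up, refuses to guess when more than one mailbox matches, and reconnects by mailbox GUID rather than by display name. It assumes the Exchange 2007 or 2010 Management Shell (Clean-MailboxDatabase was replaced in Exchange 2013); the database name MBX01 and the user jdoe are placeholders.

```powershell
# Added example, not code from the original post.
# Assumptions: Exchange 2007/2010 Management Shell; MBX01 and jdoe are placeholders.
param([string]$Database = 'MBX01', [string]$User = 'jdoe')

function Get-DisconnectedMailbox([string]$Db, [string]$Pattern) {
    # A disconnected mailbox carries a DisconnectDate; connected mailboxes do not.
    Get-MailboxStatistics -Database $Db |
        Where-Object { $_.DisconnectDate -ne $null -and $_.DisplayName -like "*$Pattern*" }
}

$mbx = @(Get-DisconnectedMailbox $Database $User)
if ($mbx.Count -eq 0) {
    # The store only flags a mailbox as disconnected during maintenance or when asked:
    Clean-MailboxDatabase -Identity $Database
    $mbx = @(Get-DisconnectedMailbox $Database $User)
}
if ($mbx.Count -eq 0) { throw "No disconnected mailbox matching '$User' in $Database" }
if ($mbx.Count -gt 1) {
    $mbx | Format-Table DisplayName, DisconnectDate, MailboxGuid -AutoSize
    throw "More than one disconnected mailbox matches '$User'; pick the GUID and reconnect by hand"
}

# Reconnect using the mailbox GUID, which is unique even when display names collide
Connect-Mailbox -Identity $mbx[0].MailboxGuid -Database $Database -User $User -Confirm:$false
Get-Mailbox -Identity $User | Format-List Name, Database, ExchangeGuid
```

Reconnecting to a different user than the one the mailbox belonged to is possible with the same command and is exactly the kind of thing the GUID check above is meant to make deliberate rather than accidental.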
28 Sep 2011

PS – PowerShell Service Check

Posted by Dark#Basics

Because of some recent issues with automatic services not starting after a reboot, I wrote a small PowerShell script that checks whether a service is running.

function CheckService {
    param([string]$ServiceName)
    # -ErrorAction Stop turns a mistyped service name into an error instead of a silent pass
    try {
        $srvServiceDetails = Get-Service -Name $ServiceName -ErrorAction Stop
    } catch {
        Write-Error "Service '$ServiceName' not found: $($_.Exception.Message)"
        return
    }

    if ($srvServiceDetails.Status -ne "Running") {
        SendMail -ServiceDetails $srvServiceDetails
    }
}

function SendMail {
    param($ServiceDetails)
    # Unauthenticated relay to the internal mail host; the relay must allow this server
    $smtpServer = "out.darkdevelopments.com"
    $smtp = New-Object Net.Mail.SmtpClient($smtpServer)
    $msg = New-Object Net.Mail.MailMessage
    $strComputer = $env:COMPUTERNAME
    $smtpSubject = "[SYSMON] SERVICE ALERT @ " + $strComputer
    $msg.From = "sysmon@darkdevelopments.com"
    $msg.To.Add("darkbasics@darkdevelopments.com")
    $msg.Subject = $smtpSubject
    $msg.Body = "Hostname: " + $strComputer + "`nDisplayName: " + $ServiceDetails.DisplayName + "`nName: " + $ServiceDetails.Name + "`nStatus: " + $ServiceDetails.Status
    $smtp.Send($msg)
}

CheckService -ServiceName "TheServiceNameHere"
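The script above watches one named service. The problem it was written for, automatic services that did not come back after a reboot, is more naturally caught by asking Windows which services are set to start automatically and are not running, so you do not have to know in advance which one will fail next. The following is an added example, not code from the original post, that does this for every automatic service and sends one mail listing them all. It uses Win32_Service so that it runs on PowerShell 2.0 (Windows Server 2008 R2); the exclusion list, mail host and addresses are placeholders, and the exclusions exist because some delayed-start services (sppsvc, for instance) are legitimately stopped most of the time.

```powershell
# Added example, not code from the original post.
# Assumptions: PowerShell 2.0 or later, Send-MailMessage can relay through $SmtpServer,
# the exclusion list is adjusted per host.
param(
    [string[]]$Exclude    = @('sppsvc'),                     # delayed-start services that stop themselves
    [string]  $SmtpServer = 'out.darkdevelopments.com',
    [string]  $From       = 'sysmon@darkdevelopments.com',
    [string]  $To         = 'darkbasics@darkdevelopments.com'
)

function Get-StoppedAutoService([string[]]$Skip) {
    # StartMode 'Auto' covers both Automatic and Automatic (Delayed Start);
    # ExitCode is the service-specific error from the last start attempt, if any.
    Get-WmiObject -Class Win32_Service -Filter "StartMode='Auto' AND State<>'Running'" |
        Where-Object { $Skip -notcontains $_.Name } |
        Select-Object Name, DisplayName, State, StartMode, ExitCode
}

$stopped = @(Get-StoppedAutoService $Exclude)
if ($stopped.Count -eq 0) { return }

$lines = $stopped | ForEach-Object {
    '{0} ({1}): {2}, last exit code {3}' -f $_.Name, $_.DisplayName, $_.State, $_.ExitCode
}
Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
    -Subject "[SYSMON] $($stopped.Count) automatic service(s) not running @ $env:COMPUTERNAME" `
    -Body ("Hostname: $env:COMPUTERNAME`n" + ($lines -join "`n"))
```

Schedule it a few minutes after boot rather than at boot: services with a delayed start are still starting during the first two minutes and would generate a false alert.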
15 Sep 2011

SQL – Enable Remote Access for SQL Express and SQL Server Developer Edition

Posted by Dark#Basics


By default, SQL Server 2005 Express Edition and SQL Server 2005 Developer Edition do not allow remote connections. To configure SQL Server 2005 to allow remote connections, complete all of the following steps:

* Enable remote connections on the instance of SQL Server that you want to connect to from a remote computer.
* Turn on the SQL Server Browser service.
* Configure the firewall to allow network traffic that is related to SQL Server and to the SQL Server Browser service.
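The three steps above scripted for a named instance, as an added example that is not part of the original post. It differs from the minimal click-through in two security-relevant ways: it pins the instance to a fixed TCP port (Express defaults to a dynamic port, which is the only reason SQL Browser is needed to find it), and it scopes the firewall rules to the subnet that needs access instead of opening them to any source. SQL Browser is still enabled because step 2 calls for it, but note that it answers UDP 1434 with the names and ports of every instance on the box to anyone who can reach it; with a fixed port clients can connect to host,port and the browser could stay disabled. The example assumes the SQL Server 2005/2008 client tools (the Microsoft.SqlServer.SqlWmiManagement SMO assembly), Windows Server 2008 or later for netsh advfirewall, and an elevated shell; the instance name, port and subnet are placeholders.

```powershell
# Added example, not code from the original post.
# Assumptions: SqlWmiManagement SMO assembly installed with the SQL client tools,
# netsh advfirewall available (Server 2008+), run elevated; parameters are placeholders.
param(
    [string]$Instance      = 'SQLEXPRESS',
    [int]   $Port          = 1433,
    [string]$AllowedSubnet = '10.0.0.0/24'
)

# 1. Enable TCP/IP on the instance and pin it to a static port
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SqlServer.SqlWmiManagement')
$wmi  = New-Object Microsoft.SqlServer.Management.Smo.Wmi.ManagedComputer
$inst = $wmi.ServerInstances[$Instance]
if (-not $inst) { throw "Instance '$Instance' not found on this host" }
$tcp = $inst.ServerProtocols['Tcp']
$tcp.IsEnabled = $true
$ipAll = $tcp.IPAddresses['IPAll']
$ipAll.IPAddressProperties['TcpDynamicPorts'].Value = ''     # blank = no dynamic port
$ipAll.IPAddressProperties['TcpPort'].Value         = "$Port"
$tcp.Alter()
Restart-Service -Name "MSSQL`$$Instance" -Force               # protocol changes need a restart

# 2. SQL Server Browser (step 2 above). It tells any UDP 1434 client which port each
#    instance listens on, so the firewall rule below limits who may ask.
Set-Service -Name SQLBrowser -StartupType Automatic
Start-Service -Name SQLBrowser

# 3. Firewall rules scoped to the subnet that needs access instead of "any"
$rules = @(
    @{ Name = "SQLServer_${Instance}_TCP$Port"; Proto = 'TCP'; LPort = $Port },
    @{ Name = 'SQLBrowser_UDP1434';             Proto = 'UDP'; LPort = 1434 }
)
foreach ($r in $rules) {
    $fwArgs = 'advfirewall', 'firewall', 'add', 'rule', "name=$($r.Name)", 'dir=in', 'action=allow',
              "protocol=$($r.Proto)", "localport=$($r.LPort)", "remoteip=$AllowedSubnet"
    & netsh @fwArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh failed while adding rule $($r.Name)" }
}

# Local check that the instance really listens on the fixed port
Start-Sleep -Seconds 5
$client = New-Object System.Net.Sockets.TcpClient
try     { $client.Connect('127.0.0.1', $Port); "Instance $Instance is listening on TCP $Port" }
catch   { Write-Warning "Nothing is listening on TCP ${Port}: $($_.Exception.Message)" }
finally { $client.Close() }
```

Clients then connect with Server=host,1433 (or host\SQLEXPRESS if the browser stays on). Remote connections still need a login that is allowed to connect, so this opens the network path only; it does not change who can authenticate.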