Tuesday, December 2, 2008

Backup Exec, ISA, and V-79-57344-65072 - The connection to target system has been lost

So out of the blue my backups started barfing when trying to backup one of my ISA servers. Which really sucks because it was working fine.

V-79-57344-65072 - The connection to target system has been lost. Backup set canceled

The only changes that were made recently were just the application of the latest security patches, etc. from MS. (Of course, Symantec's support of ISA with Backup Exec has never been stellar so I can't rule out the possibility that it just stopped working randomly.) I went ahead and checked the usual forums, KBs, etc. and found a lot of references to the error. I did the usual logging on the ISA server to check the traffic flow, etc. and did notice that the agent kept trying to use the external network adapter even though the initial connections were being handled from the internal adapter. For testing I even tried creating a bi-directional full access rule between the ISA server and the Backup Exec server and it didn't fix it. The only thing that worked was to create a User Defined Selection and use that for the backup job definition instead of the server name, as mentioned in this forum post here:

https://forums.symantec.com/syment/board/message?board.id=be11dOther&message.id=2121&query.id=62200#M2121


I created a new User Defined Selection and used the Internal IP address of that ISA server and the damn thing started working.

Tuesday, November 11, 2008

nortel i2050 and vista

So I had given up on getting the i2050 to work since I still have an ancient BCM 3.7 system. But then I found out some of my users had gotten hold of the V2 version of the software (build 255) and had been using it successfully for a couple of months. Of course, I've yet to find anything from Nortel that says it's supported on the 3.7 but heck it seems to work so we'll use it for now.



I've seen some references online that the V2 version of the i2050 CD can still be purchased but I haven't found it in stock anywhere yet. They're heavily pushing the new V3 but I'm pretty sure that won't work on my old 3.7 system.

Tuesday, October 28, 2008

Backup Exec 12.5

I was slightly hesitant when I got the upgrade emails from Symantec but I went ahead and downloaded it. The upgrade installation went through without a hitch, all my settings were retained, and the jobs are running properly. I'm not being sarcastic when I say that this is probably the best Backup Exec upgrade I've had in the past 4 years.

One of the reasons I wanted to roll this out is that I'm looking at rolling out a 2008 Hyper-V box next year and they've added a new agent specifically for Microsoft Virtual Servers. Now I'm not a licensing expert but it looks like they're going to focus more on licensing the Host Virtual server and not worry as much about how many virtual machines are on it. An Agent for VMWARE ESX is now available as well.

On top of that, they've released a new version of their System Recovery product (8.5) which like the previous version allows you to convert your backups into virtual machines. The new 8.5 version adds support for Hyper-V and scheduled conversions.
http://www.symantec.com/business/backup-exec-system-recovery-server-edition

So far so good with the new version. I'll keep my fingers crossed that it lasts...

Thursday, October 16, 2008

vmware 2 install - system administrator has set policies to prevent this installation error

Whilst trying to upgrade my VMWare server 1.0 to the new 2.0 version, I ran into a fun error.



So I tried a few resolutions I had found on the web which led me to this patch:
http://support.microsoft.com/kb/925336

Now granted, the title of that KB seems misleading but apparently it applies here too. Since VMWare made this big huge install file (500+ MB), you have to install this patch and reboot. Afterwards, the installer worked fine for me.

Friday, October 10, 2008

VMWare Server 2.0 problem with disconnected network cable

I ran into an interesting problem with VMWare Server 2.0 this week on a laptop. When the network cable is not plugged in and you're not on a wireless network, you can't open a browser to connect to the console of currently running virtual machines. (I really miss the old Console app).

The workaround I use is to create a Loopback Adapter on the host machine:
2003 instructions:
http://articles.techrepublic.com.com/5100-10878_11-5647584.html
XP instructions:
http://support.microsoft.com/kb/839013

Once created, assign a static IP like 172.16.180.1 or something similar. The loopback adapter is always on and always appears connected. Reboot and then use the loopback adapter's address to get into the VMWare admin web console: https://172.16.180.1:8333 or whatever address you chose to assign your loopback adapter. (Keep in mind you want to choose an address that isn't likely to conflict with other networks when you travel. Using the loopback adapter is perfectly safe and won't affect how your virtual machines operate. This workaround just pertains to how the web console is bound to IIS.)

Thursday, September 25, 2008

copy user - parameter is incorrect error

So recently I've been trying to fix an issue that was preventing me from copying existing user accounts. You'd get to the final step and click finish and be rewarded with an error box stating: Windows cannot create the object such and such because: The parameter is incorrect.



As it turns out, this error is caused by bad data in one of the user attributes. The good news is that it can be fixed, the bad news is that it may require some perseverance to find it. The following steps and screenshots were done on a Win2k8 controller so some things might look different. The Users and Computers MMC is currently in 'advanced' mode (View -> Advanced Features).

Open up a known good user that you can copy and on another window or another dc open up the problem user. Go to the Attributes Tab and set the Filter in the bottom right to "Show only attributes that have values" and repeat in the other window. (That is unless you like spending LOTS more time doing this). This will narrow the search down considerably.



Now do a side by side comparison and look for values that either exist in only one user or that look odd.



In my case, when I went to Edit the msRADIUSCallbackNumber attribute, I found that it had garbage in it. Just hit the Clear button and OK out.



After I torched the msRADIUS values on mine, I was able to copy the user without any problems. And due to a shortage of time, I didn't get around to writing a powershell script to dump it out to excel but maybe if I get bored one day...
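Here is the dump-and-compare script the post stops short of writing. It is an added example, not code from the original post: it pulls the populated attributes of a known-good user and the problem user via ADSI (the script equivalent of the "Show only attributes that have values" filter), writes both to a CSV you can open in Excel, and lists the attributes that exist only on the problem user plus anything in the msRADIUS* family. The account names 'gooduser' and 'baduser' and the CSV path are placeholders; run it from a domain-joined box with read access to both objects.

```powershell
# Added example, not from the original post. 'gooduser' / 'baduser' and the
# CSV path are placeholders.

function Get-PopulatedAttributes {
    param([Parameter(Mandatory=$true)][string]$SamAccountName)

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
    $hit = $searcher.FindOne()
    if ($null -eq $hit) { throw "User '$SamAccountName' not found" }

    # Same idea as the MMC filter: keep only attributes that carry a value
    $entry = $hit.GetDirectoryEntry()
    $attrs = @{}
    foreach ($name in $entry.Properties.PropertyNames) {
        $value = $entry.Properties[$name].Value
        if ($null -eq $value) { continue }
        if ($value -is [byte[]]) {
            # Binary attributes (objectGUID, objectSid, ...) shown as hex
            $attrs[$name] = '0x' + (($value | ForEach-Object { $_.ToString('x2') }) -join '')
        } else {
            # Multi-valued attributes flattened to one ';'-separated string
            $attrs[$name] = (@($value) | ForEach-Object { [string]$_ }) -join ';'
        }
    }
    return $attrs
}

function Compare-UserAttributes {
    param([string]$GoodUser, [string]$BadUser, [string]$CsvPath)

    $good = Get-PopulatedAttributes -SamAccountName $GoodUser
    $bad  = Get-PopulatedAttributes -SamAccountName $BadUser

    $rows = foreach ($name in (@($good.Keys) + @($bad.Keys) | Sort-Object -Unique)) {
        New-Object PSObject -Property @{
            Attribute  = $name
            OnGoodUser = $good.ContainsKey($name)
            OnBadUser  = $bad.ContainsKey($name)
            BadValue   = $bad[$name]
        }
    }
    if ($CsvPath) { $rows | Export-Csv -Path $CsvPath -NoTypeInformation }

    # The suspects: attributes only the bad user has, plus the msRADIUS*
    # family that bit the author
    $rows | Where-Object { ($_.OnBadUser -and -not $_.OnGoodUser) -or ($_.Attribute -like 'msRADIUS*') }
}

Compare-UserAttributes -GoodUser 'gooduser' -BadUser 'baduser' -CsvPath 'C:\temp\user-attrs.csv' |
    Format-Table Attribute, OnGoodUser, OnBadUser, BadValue -AutoSize
```

Binary attributes such as objectGUID will of course differ between any two users, so the interesting rows are the ones that are present only on the problem account or whose BadValue looks like garbage; those are the ones to clear in the MMC as described above.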

Saturday, September 13, 2008

Dell Latitude E6400 first impressions

Where to begin? It has a completely redesigned exterior and IMHO looks a bit more like the stinkpad laptops. That aside, the slick black top does look nice. The battery has been relocated to the rear of the unit and they added firewire, USB PowerShare (which allows you to charge devices off of it while it's off), HDMI output, SD Card slot, eSATA port, and an optional built in webcam for the lid. It also feels lighter but I haven't decided yet if it feels as sturdy as the D630 series that it replaced. The only downside so far is that it only has 3 USB ports but honestly it's a fair trade. The power cord has a glowing blue light near the plug which is probably just for bling but to me it's a power system troubleshooting tool (confirming power is getting there).

The new BIOS interface looks like it was designed by the guys who did the UI for the diagnostics CD. It has built in mouse support and a few menu tweaks. It didn't prompt with an option to go into BIOS from the boot logo so I used the F12 boot menu option to get into it. One step backward is that it wouldn't let me use special characters in the admin password (i.e. $%^@). These types of things are common for major version changes and will probably be ironed out in a few patches.

The new docking station selection is pretty snazzy and comes with multiple elevation options. The one I got has dual DVI and HDMI ports as well as the base VGA port.

Overall the performance has been good so far.

Updated: 10/12/08 - Upon closer inspection, it's actually a DisplayPort in the back and not an HDMI, but you can buy an adapter from Dell. It appears they're still trying to push the DisplayPort technology even though the rest of the world is going HDMI.

Wednesday, August 27, 2008

Error when starting Data Collector Sets

So if you're like me and went overzealous in locking down your 2008 servers, you may run into a nice error message when trying to start your Data Collector Sets in the Reliability and Performance Monitor:

When attempting to start the Data Collector Set the following system error occured:

The service cannot be started, either because it is disabled or
because it has no enabled devices associated with it.


I finally figured out which service it was complaining about - "Performance Logs & Alerts". It was set to disabled which I believe occurred after I had locked it down with the Security and Configuration Wizard. Set this service to Manual and then your data collector sets will be able to run.



You'll also want to set Task Manager to Automatic if you want to be able to schedule your Data Collector sets to run on a schedule.
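An added example, not from the original post, that checks the services this post is about instead of hunting through the Services MMC: it reads the start mode of Performance Logs & Alerts (service short name 'pla') and, on the assumption that the "Task Manager" above means the Task Scheduler service (short name 'Schedule', which is what scheduled Data Collector Sets depend on), that one too, and with -Fix sets them to the startup types recommended above. It needs local admin rights to change anything.

```powershell
# Added example, not from the original post. Assumes the post's "Task Manager"
# refers to the Task Scheduler service ('Schedule').
function Test-DataCollectorServices {
    param([switch]$Fix)

    # Win32_Service.StartMode reads back as 'Auto'/'Manual'/'Disabled', but
    # ChangeStartMode() wants 'Automatic'/'Manual'/'Disabled'; keep the latter
    $wanted = @{ 'pla' = 'Manual'; 'Schedule' = 'Automatic' }

    foreach ($name in @($wanted.Keys)) {
        $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
        if ($null -eq $svc) { Write-Warning "service '$name' not found"; continue }

        $needed  = $wanted[$name]
        $current = if ($svc.StartMode -eq 'Auto') { 'Automatic' } else { $svc.StartMode }
        # 'Automatic' also satisfies a 'Manual' requirement; 'Disabled' never does
        $ok = ($current -eq $needed) -or ($needed -eq 'Manual' -and $current -eq 'Automatic')

        $row = New-Object PSObject -Property @{
            Service = $name; StartMode = $current; Wanted = $needed; OK = $ok
        }
        if (-not $ok -and $Fix) {
            $rc = $svc.ChangeStartMode($needed).ReturnValue   # 0 = success
            $row.OK = ($rc -eq 0)
            if ($rc -ne 0) { Write-Warning "ChangeStartMode('$name','$needed') returned $rc" }
        }
        $row
    }
}

# Report only; add -Fix to apply the change
Test-DataCollectorServices | Format-Table Service, StartMode, Wanted, OK -AutoSize
```

Run it once after applying a Security Configuration Wizard policy; a 'Disabled' row for pla is exactly the condition that produces the error message quoted above.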

Friday, August 22, 2008

Microsoft Press Practice Test - Errors on Vista - application.WriteTestRecord

So I had just finished crawling through ye olde MCTS exam prep book and decided to install the Practice Tests. The installation went fine but when I tried to launch a Lesson Test, I kept getting errors.

An unanticipated error has occurred in the application.WriteTestRecord

An unanticipated error has occurred in the application.UpdateTimer


The latter was so much fun, I had to go and End Process Tree for MSLocalWare.exe to get rid of the endless error messages.

Since the practice tests were installed from a CD, I went to the C:\Program Files (x86)\Microsoft Press Training Kit Exam Prep folder and unchecked the Read Only checkbox. (The same thing happened on my 32 bit vista install as well). Sometimes you find that apps that have been copied from CDs love to retain their read-only flags on files. Just for overkill, I also added the Everyone Group as full control on the folder.

And voila, the practice tests have worked fine since.

Saturday, August 9, 2008

Migrating from SYSVOL to DFS-R in 2008

FRS will soon be obsolete. Microsoft has replaced it with DFS-R in 2k8 which offers better capacity, better performance, and is easier to troubleshoot.

First upgrade all domain controllers to 2k8, then raise the domain functional level to 2008.

Migration is done with DFSRMIG.EXE and consists of 4 states:
0 - start
1 - copy SYSVOL to SYSVOL_DFSR. FRS still active
2 - SYSVOL redirected to SYSVOL_DFSR. all clients now use the new one
3 - SYSVOL replication stopped. original must be removed manually

To start, run dfsrmig /setglobalstate 1
then dfsrmig /getmigrationstate until it says that all domain controllers have been synched. It took 6 minutes on my single domain (3 DCs) but Microsoft says allow up to an hour on larger setups. It's like watching grass grow so go get some coffee or something for a few minutes.
Then dfsrmig /setglobalstate 2
repeat the same /getmigrationstate

*Now you can rollback and go back to the way things were by running /setglobalstate 0 or 1. Once you change to state 3, you can't go back. You don't have to do step 3 yet in case you want to run it for a few days but keep in mind that you shouldn't do any changes to policies, etc until you complete this as replication to the old SYSVOL share isn't working anymore. I personally am only on step 2 and am going to give it a try for a few days this week. (checking event logs, listening for complaints, the usual). I'll update this post if anything goes wrong. :)

When you're ready to finish this, run dfsrmig /setglobalstate 3
Do the /getmigrationstate until it says you're done.
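Since the procedure above is "set a state, then poll /getmigrationstate until everything has synched", here it is as a script. This is an added example, not something from the original post or from Microsoft: it wraps dfsrmig.exe, polls until the tool reports that all DCs have reached the requested state (matching on the phrase "consistent state" in dfsrmig's output is my assumption about its wording; adjust the pattern if your build phrases it differently), and refuses to move to the irreversible state 3 unless you pass -Force. It needs Domain Admin rights, like dfsrmig itself.

```powershell
# Added example, not from the original post. The 'consistent state' match on
# dfsrmig's output is an assumption about the tool's wording.
function Wait-DfsrMigrationState {
    param([int]$TimeoutMinutes = 60, [int]$PollSeconds = 60)

    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $out = & dfsrmig.exe /getmigrationstate 2>&1 | Out-String
        if ($out -match 'consistent state') { return $true }
        Write-Host ("{0:HH:mm:ss} still waiting for all DCs..." -f (Get-Date))
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)

    Write-Warning "Timed out after $TimeoutMinutes minutes; last dfsrmig output:`n$out"
    return $false
}

function Set-DfsrMigrationState {
    param(
        [Parameter(Mandatory=$true)][ValidateRange(0,3)][int]$State,
        [switch]$Force
    )
    # States 0-2 can be rolled back; state 3 (Eliminated) cannot, so make the
    # operator say so explicitly
    if ($State -eq 3 -and -not $Force) {
        throw "Global state 3 cannot be rolled back; rerun with -Force when you are sure"
    }
    & dfsrmig.exe /setglobalstate $State | Out-Null
    if (-not (Wait-DfsrMigrationState)) {
        throw "Domain controllers did not converge on global state $State"
    }
    Write-Host "All domain controllers reached global state $State"
}

# The post's sequence: prepare, then redirect, and leave elimination for later
Set-DfsrMigrationState -State 1
Set-DfsrMigrationState -State 2
# When you are ready to finish and have checked the event logs for a few days:
# Set-DfsrMigrationState -State 3 -Force
```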

References (with much more detail):
http://blogs.technet.com/filecab/archive/2008/02/14/sysvol-migration-series-part-2-dfsrmig-exe-the-sysvol-migration-tool.aspx

http://redmondmag.com/features/article.asp?editorialsid=2516

Thursday, July 24, 2008

quick way to check if a mailbox has delegates - exchange 2007 SP1 - powershell

Sometimes you get those calls where a user is getting strange meeting invites and they just don't know why. Your first guess is that they're on another user's delegate list. So you go through the list of people on the meeting invite and try to figure out who the culprit is. Prior to Exch 2k7 SP1, you had to either track each one down or create a bunch of profiles and search. Now you can do it from powershell.

# script to check delegates for a particular mailbox
$UserToCheck = get-mailbox UserName
#check what users have access:
$result = $UserToCheck.GrantSendOnBehalfTo
#display results
$result
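The script above answers "who can send on behalf of this mailbox". For the scenario described, the user getting the strange invites, the more useful question is the reverse: which mailboxes list this user in their GrantSendOnBehalfTo. Here is that lookup as an added example, not code from the original post; run it from the Exchange 2007 Management Shell. 'jdoe' is a placeholder alias, and matching the entries by the distinguished name carried on each ADObjectId is my assumption about the cleanest comparison.

```powershell
# Added example, not from the original post. 'jdoe' is a placeholder alias.
function Get-MailboxesDelegatedTo {
    param([Parameter(Mandatory=$true)][string]$Identity)

    $target = Get-Mailbox -Identity $Identity
    if ($null -eq $target) { throw "Mailbox '$Identity' not found" }
    $targetDn = $target.DistinguishedName

    # Server-side filter keeps this cheap on a big org; -ResultSize Unlimited
    # lifts the default 1000-object cap so nothing is silently skipped
    Get-Mailbox -ResultSize Unlimited -Filter { GrantSendOnBehalfTo -ne $null } |
        Where-Object {
            # Assumption: compare on the DN each ADObjectId entry carries
            $_.GrantSendOnBehalfTo | Where-Object { $_.DistinguishedName -eq $targetDn }
        } |
        Select-Object Name, Alias,
            @{ Name = 'DelegateCount'; Expression = { $_.GrantSendOnBehalfTo.Count } }
}

Get-MailboxesDelegatedTo -Identity 'jdoe' | Format-Table -AutoSize
```

Every mailbox it returns is one whose meeting traffic can legitimately land in the user's inbox, which usually narrows the "who is the culprit" search to one or two names.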

Monday, July 21, 2008

GlobalNames Zones - somewhat of a band-aid for phasing out WINS

So I've been reading up in preparation for my Microsoft upgrade exams and I noticed a new DNS feature. Since WINS doesn't support IPv6 they came up with the GlobalNames Zone as an interim solution. Their description is:
"The GlobalNames Zone is a new feature that provides single-label name resolution for large enterprise networks that do not deploy WINS and where using DNS name suffixes to provide single-label name resolution is not practical"

In other words, you don't want or can't use WINS anymore but you've still got these irksome boxes that have to be referenced by simple names like "Webserver1".

To set it up, you first have to be using Windows 2008 DNS servers. (Note that they say that it'll work if not all the AD servers are upgraded). Now from a command prompt run:
dnscmd servername /config /enableglobalnamessupport 1
and repeat on all your authoritative DNS servers. Reboot them for good measure.

Note that if you run dnscmd /? or dnscmd /config /? you won't see this flag listed anywhere. Nothing gives you confidence like running switches that don't appear to be documented.

Once that's done, go into DNS Manager and create a new Forward Lookup Zone. The type will be Primary, and Stored in Active Directory. Name it GlobalNames

Now you should be able to start creating your single name records in the DNS Manager.
Since all the Microsoft examples I've seen so far use the command line to do this, I'll stick with that approach. Basically all we're going to do is attach a CNAME record to redirect requests for "HONEYPOT" to the FQDN "HONEYPOT.DECOY.LOCAL"

dnscmd /RecordAdd GlobalNames HONEYPOT CNAME HONEYPOT.DECOY.LOCAL
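The same steps scripted end to end, as an added example that is not from the original post or from Microsoft: enable GlobalNames support on each authoritative server with the undocumented /config switch above, create the AD-integrated primary zone once (dnscmd's /zoneadd ... /DsPrimary form), then add CNAME records from a small table, refusing any whose target FQDN does not resolve, since a dangling single-label alias is worse than none. The server names and the second table entry are made-up placeholders; the HONEYPOT entry is the one from the post.

```powershell
# Added example, not from the original post. Server names and 'WEBSERVER1'
# are placeholders; HONEYPOT -> HONEYPOT.DECOY.LOCAL is the post's own record.
$DnsServers = @('dc1.decoy.local', 'dc2.decoy.local')
$Aliases = @{
    'HONEYPOT'   = 'HONEYPOT.DECOY.LOCAL'
    'WEBSERVER1' = 'web01.decoy.local'
}

function Enable-GlobalNamesSupport {
    param([string[]]$Servers)
    foreach ($s in $Servers) {
        & dnscmd $s /config /enableglobalnamessupport 1 | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "enableglobalnamessupport failed on $s" }
    }
}

function Add-GlobalNamesAlias {
    param([string]$Server, [string]$Label, [string]$TargetFqdn)
    # Refuse to create an alias that points at nothing
    try { [void][System.Net.Dns]::GetHostEntry($TargetFqdn) }
    catch { Write-Warning "skipping $Label : $TargetFqdn does not resolve"; return $false }

    & dnscmd $Server /RecordAdd GlobalNames $Label CNAME $TargetFqdn | Out-Null
    return ($LASTEXITCODE -eq 0)
}

Enable-GlobalNamesSupport -Servers $DnsServers

# Create the AD-integrated primary zone once; AD replication carries it to the
# other DCs, so records are only added on the first server
& dnscmd $DnsServers[0] /zoneadd GlobalNames /DsPrimary | Out-Null

foreach ($label in $Aliases.Keys) {
    $ok = Add-GlobalNamesAlias -Server $DnsServers[0] -Label $label -TargetFqdn $Aliases[$label]
    "{0,-12} -> {1,-25} {2}" -f $label, $Aliases[$label], $(if ($ok) { 'added' } else { 'FAILED' })
}
```

After it runs, ping HONEYPOT (no suffix) from a client that uses one of those servers; a reply from HONEYPOT.DECOY.LOCAL's address confirms single-label resolution is going through the zone.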

Now they don't view this as a complete WINS replacement since it doesn't do auto-registration from clients, etc but if you've got fairly static servers/resources and you're moving to IPv6 or away from WINS this should do the trick. I do recommend some caution as this is a pretty new feature and I'm going to wait awhile before trying this out in our production environment.

For more information:
Microsoft Paper: DNS Server GlobalNames Zone Deployment

Technet forum:
http://forums.technet.microsoft.com/en-US/winserverNIS/thread/8953820a-3f2f-4929-9a3e-2b0731b80e04

Monday, June 30, 2008

Exchange OWA 2007 Change Password Problem

Some of my users recently complained that they were having problems with the "Change Password" feature in OWA 2007. I wasn't able to replicate it myself when I tried it with my own account though. After some searching on the web I did find some issues people were having with password changes and OWA 2007 and it came down to 2 popular resolutions.

1. "regsvr32 C:\WINDOWS\system32\inetsrv\iisadmpwd\iispwchg.dll" and then reset the IIS with the command "iisreset /noforce".

2. Edit your active directory group policy for passwords and set
"Minimum password age" to "0" days. It's been reported that even if it's
been more than X days since the user changed their password that this policy will cause the "The password supplied does not meet the minimum security requirements. Please contact technical support" error to show up.
(Note: You may need to either Restart NetLogon or reboot the DC for changes to kick in faster)

Now nothing left to do but wait and see if the problem shows up again.

Friday, June 13, 2008

2008 Hyper-V first impressions

I've been playing around with the new Hyper-V (beta) that's included in Server 2008 and I have to say it looks promising. Keep in mind that it's still in the beta stage so there are bound to be some kinks in it. I currently use VMWare Server in my production environments because it's a nice balance between cost and ease of management/maintenance as compared to the VMWare ESX product. (It's a lot easier to train my techs to support vmware on a windows platform than to teach them how to support linux and vmware both). I know some of you will say that comparing VMWare Server to 2k8 Hyper-V is a bit of an apples and oranges comparison since 2k8 has a hypervisor but for me the comparison is more about running virtualization on a Windows host platform.

I installed Win2k8 x64 standard edition on a dual core 2.6Ghz server with 2GB ram. Then I added the Hyper-V role, rebooted, then applied a hotfix related to it from windows update. Creating new Virtual images is a breeze, the wizard walks you through just like the vmware one does and provides you with all the usual options of how many processors, how much ram, disk space, etc. The very first thing I noticed was the absence of any noticeable I/O hit. The Hypervisor handles direct I/O calls very nicely and I only began to notice a performance dip after I started running 2 more Virtual machines at the same time.

Microsoft has updated all their licensing and Eula materials to cover virtualization. On 2008 Enterprise edition, you're allowed to have 4 virtual machines running with an OS that's covered by the host OS license. With the Datacenter Edition, it goes to Infinity! Which means that if you built out a monster cluster, and I do strongly recommend that you cluster your VM servers if you want high availability, then you could save a bundle on operating system licenses. Oh, and the standard edition allows you to run 1 virtual to match the 1 physical license. For the price difference, if you plan to have a few virtual machines on the box, just buy the enterprise edition.

I wish they would have just used the same key combinations that VMWare does. I'm used to using CTRL-ALT a lot and now I have to remember CTRL-ALT-Left Arrow. There are a few others like that in the interface. I do like that you can have them running without any active displays and that each one runs in a different window that's not embedded into the console.



You can read more about Hyper-V at:

http://www.microsoft.com/windowsserver2008/en/us/virtualization-consolidation.aspx

and

http://en.wikipedia.org/wiki/Hyper-V

Saturday, May 17, 2008

Enumerate all Email groups a user is a member of

Quick script to show all email distribution groups that a particular user is a member of:


#
# Cobbled together by Gnawgnu
# 5/17/08

#get the identity of the user by alias
$Username = (get-user gnawgnu).Identity

#search all groups for that user
$groups = get-group -Filter {Members -eq $username}

#display all groups that have an email address
#defined that's longer than 0 characters
$groups | Where-Object {$_.WindowsEmailAddress.Length -ne 0}

Wednesday, May 14, 2008

Review - Kingston DataTraveler BlackBox

I've always had good luck with the DataTraveler series and so far I'm pretty impressed with the new BlackBox edition. It's got a good solid feel and weight to it and it's even FIPS 140-2 certified. Unlike some of the new secure drives that have come out, this one does Not require Admin access to work properly. I tested it out as a normal User on an XP SP2 box and didn't have any problems at all. The drive setup is a breeze and it is configured to lock out your data after 10 invalid password attempts. After that, they say you have to completely format the drive to be able to use it again.



I'm too lazy to detail all the screen caps for setting it up, you can find them in the manual pdf on their website.

When done, it'll just settle into a nice task tray icon.





The only downside so far is that on my x64 Vista box, I get an error every time I plug it in but if I hit Retry after a few seconds it'll work fine afterwards.




Overall I'm giving this one a thumb's up. It's probably only a matter of time until someone publishes a hack for it but ain't that always the case.

Link to the BlackBox page on Kingston's site:
http://www.kingston.com/flash/DTBlackBox.asp

Sunday, April 27, 2008

Win2k3 convert to dynamic grayed out - GPT and me

I decided to add another drive to an external vault that's attached to my Backup Exec system. It's used as an intermediary for disk to disk to tape backups and was getting a bit full (1.9TB). So I added a disk to the array, let it rebuild and then went into Computer Management. Then I found that all options for adding or changing the drive were grayed out including "convert to dynamic", "convert to GPT", etc. This was puzzling but after some research I found out that I had hit a 2TB barrier that's caused by the old Master Boot Record (MBR) partitioning scheme. The solution Microsoft proposes is to go to the GPT partitioning scheme (GUID partitioning) which scales up to 2^64 logical blocks in length.
http://www.microsoft.com/whdc/device/storage/GPT_FAQ.mspx

Of course the hitch is that you have to wipe out everything on the drive before you can convert to GPT. Even if you try to do it from diskpart you'll get a "The disk you specified is not empty." "Please select an empty MBR disk to convert." So after whacking everything on the disk, it let me upgrade the partition scheme to GPT and I was then able to utilize all the space on the disk.



I have no idea how the performance is affected when you go from MBR to GPT as I haven't been able to find any reviews online. So far I haven't noticed any decrease in performance so that's good. Oh, and in case you're wondering, Symantec Ghost Solutions 2.0 and higher support ghosting GPT partitions.
http://www.symantec.com/business/products/newfeatures.jsp?pcid=2247&pvid=865_1

Thursday, April 24, 2008

Workaround for the BCM 3.6 and Vista/IE/Java

Previously I discussed how to get around this problem with the 3.7 version of the BCM software. But it's been brought to my attention that it doesn't work with the 3.6 version. So, after several permutations of playing around with Mozilla and IE I went with an entirely different option - Opera. http://www.opera.com

Step 1: Download it
Step 2: Install it
Step 3: Browse to your BCM and choose Install for the certificate



Step 4: Log in as normal, go to the Telephone Services Tree and Voila



Tested on Vista 32 bit with Opera 9.27

Monday, April 21, 2008

Upgrading a 2k3 domain to 2k8.

Decided to upgrade the old 2k3 AD domain this week to 2008 AD. First stop was the Microsoft Technet page - strongly recommend you read it first.
http://technet2.microsoft.com/windowsserver2008/en/library/9c91be5f-df14-40b2-b176-2b1852a51e611033.mspx?mfr=true

I opted to install a new domain controller to start with just to ease into the process. Prior to that, I ran the ADPREP /forestprep, adprep /domainprep /gpprep, and just for kicks adprep /rodcprep and let the changes propagate for a couple of hours just to be on the safe side.

I decided to go with a VM for the domain controller this time. It seemed like a good way to future proof it as far as hardware and since it's a small site I'm not really worried about performance issues. Windows 2008 Enterprise installed right on, vmware tools followed easily enough. Then I added the AD DS role through the new snazzy Server Manager. Last step - DCPROMO, which now defaults to dummy mode but there's still an option for 'Advanced' for real admins.

Once completed, I ran all the usual netdiag, dcdiag, etc and all was well and left it to stew overnight to see if any cool errors would manifest. The first thing to get used to is the new server manager likes to make you aware of *ALL* warnings and errors no matter how trivial they may be. One valid one was from IIS and complained about WAS and the IIS_IUSRS group. A long search pulled up a nifty script from Microsoft that fixed it.
http://support.microsoft.com/kb/946139

So with renewed confidence that all was well, I went ahead and upgraded the rest of the domain controllers with few problems. Prior to upgrading the existing domain controllers, I had to uninstall things like powershell and antivirus and backup exec, etc. The powershell was mandatory and of course was hidden under a hotfix name so uninstalling it was impossible without figuring out which hotfix it was under. The other software I uninstalled just as a precaution. One domain controller had the Exchange 2003 management tools installed which caused MMC issues post upgrade with the Active Directory Users and Computers snap-in. The resolution there was just to uninstall it.

Once all the DCs were upgraded and working, I reinstalled backup exec agents, symantec antivirus, and applied new Security Configuration Wizard policies. Then made backups, documentation, etc.

Since all my DCs were running Windows 2008 Server now, I went ahead and upgraded the forest mode to 2008 functional level. (Keep in mind, functional level changes are ONE WAY, no going back.) The 2008 functional level comes with some cool features like AES encryption on Kerberos, better DFS replication, and last interactive logon. I went ahead and tried to enable the "last interactive logon" according to Microsoft's help pages and my test Vista workstation could no longer unlock the terminal. So after some searching it turns out that you have to enable the policy on All Your Domain Controllers First! Thanks go out to Steven Bink for his article I found on Google to solve it:
http://bink.nu/news/showing-last-logon-info-at-logon-in-windows-server-2008.aspx
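Two of the waits in this post ("let the changes propagate for a couple of hours" after adprep, and the one-way functional level raise) can be verified rather than guessed at. The following is an added example, not from the original post or from Microsoft: it reads the schema objectVersion from every DC in the current domain and checks that each one reports the 2008 schema (objectVersion 44; 2003 reports 30 or 31), then reads msDS-Behavior-Version for the domain and forest (2 = 2003, 3 = 2008). It discovers the DC list itself and needs only read access to the directory.

```powershell
# Added example, not from the original post. Version constants: schema 44 and
# msDS-Behavior-Version 3 are the Windows Server 2008 values.
function Get-AdUpgradeStatus {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $schemaNc = [string]$rootDse.Properties['schemaNamingContext'].Value
    $domainNc = [string]$rootDse.Properties['defaultNamingContext'].Value
    $configNc = [string]$rootDse.Properties['configurationNamingContext'].Value

    # Ask each DC directly so a replication straggler shows up as a lower version
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $perDc = foreach ($dc in $domain.DomainControllers) {
        try {
            $schema = [ADSI]"LDAP://$($dc.Name)/$schemaNc"
            $ver = [int]$schema.Properties['objectVersion'].Value
        } catch {
            $ver = -1   # DC unreachable or not answering LDAP
        }
        New-Object PSObject -Property @{
            DC = $dc.Name; SchemaVersion = $ver; HasForestPrep = ($ver -ge 44)
        }
    }

    # Functional levels live on the domain NC and on CN=Partitions in the config NC
    $domainLevel = [int]([ADSI]"LDAP://$domainNc").Properties['msDS-Behavior-Version'].Value
    $forestLevel = [int]([ADSI]"LDAP://CN=Partitions,$configNc").Properties['msDS-Behavior-Version'].Value

    New-Object PSObject -Property @{
        DomainControllers = $perDc
        AllDcsPrepped     = -not ($perDc | Where-Object { -not $_.HasForestPrep })
        DomainLevel       = $domainLevel   # 2 = 2003, 3 = 2008
        ForestLevel       = $forestLevel
    }
}

$status = Get-AdUpgradeStatus
$status.DomainControllers | Format-Table DC, SchemaVersion, HasForestPrep -AutoSize
"All DCs see the 2008 schema: {0}; domain level {1}, forest level {2}" -f `
    $status.AllDcsPrepped, $status.DomainLevel, $status.ForestLevel
```

Only promote or upgrade a DC once AllDcsPrepped is True; a DC that still shows the old schema version has not received the adprep changes yet, whatever the clock says.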

And now happily, the feature works perfectly when you log into win2k8 or vista boxes that have the policy set on the domain.

Friday, April 18, 2008

Backup Exec 12 - upgraded and running

Okay, even this skeptic has to admit they're getting better. I upgraded my 11d server to version 12 this week.

Pros:
Now comes standard with Open file protection and the base level IDR option
New installer has a nicer layout
Win2k8 Support right off the bat
The new System Recovery agent looks cool and supports virtual machine conversions.

Cons:
Had a few hiccups getting the policy based jobs up and running again afterwards.

First off I like the new selection layout during the install. It breaks the modules up by what you're licensed for, then what you can eval, and then the stuff you can't even eval.



I went ahead and upgraded the antivirus to symantec endpoint prot 11 like it wanted. It also has a new antivirus integration but you have to install the full endpoint protection manager on the backup exec server. The upgrade itself went smoothly and I rebooted the server. Then I had to upgrade all the remote agents because it kept giving warnings about the old version.

As for my policy based backups, I had a few issues with the jobs not wanting to work - or cancel for that matter. So first I tried the old "Delete Jobs Created By Policy..." and recreating them but the Incremental parts kept failing. So I cancelled them and started the Full backup job part of the policy.



Once that finished successfully then the incrementals started working right again.
*Mental note to self, don't do upgrades in the middle of the week*

Overall I'm satisfied that Backup Exec is once again on the right track. The expanded feature set and those little extra UI tweaks really do help.

Monday, April 14, 2008

Separate VLANs for nortel ip phones and data

For this week's project, I decided to split up the network to give IP phone traffic its own VLAN with the eventual goal of QoS and all that good stuff in mind. The first challenge of course was getting my Dell and Netgear routers to play together nicely which actually wasn't that bad. I already have a Layer 3 routing switch from Netgear (FSM7352S) in place which I previously configured to support routing between our existing network and an isolated VLAN for the testing lab. The plan was for the i2002 and i2004 phones to use VLAN 20 and to pass through untagged packets to the PCs attached to them.

Steps:
1. Setup VLAN 20 on the switch.

2. Change the access mode of all the ports involved to 'General' which would allow them to handle traffic from multiple VLANs including the default 'VLAN 1'. Then make sure VLAN 20 is selected and set all ports to 'tagged'. When done, each port should still have a PVID of 1, be untagged for VLAN 1 and tagged for VLAN 20.

3. Changed the ports connecting my switches to TRUNK mode. On the ones where trunk mode was not available, I just set that port to be tagged for VLAN 20 and made sure the port was set to 'General' mode.

4. Turned on GVRP which I naively thought was a great feature that would propagate all my VLANs to all my switches, solve all the world's problems, perform miracles, etc. Which to be truthful, it did advertise the VLANs and the other switches acknowledged their existence but I wasn't able to tag any ports on the switches that had dynamically received the VLAN info. I'm still not sure if that's a problem with the Dell switches or the monkey writing this blog.

5. Turned off GVRP and just setup VLAN 20 manually on all switches.

6. Tested an IP phone on one switch in each building to make sure that VLAN 20 was routing properly.

7. I hard-coded a block of switch ports to 'Access Mode' with a PVID of 20 for the nortel BCM phone servers to lock them into VLAN 20. Then I set up one of the BCM servers to be a DHCP server for that VLAN and rebooted it to make sure changes took effect.

8. I setup option 191 and 128 on the win2k3 DHCP server on the Data lan with the high hopes that it would redirect the ip phones automatically to VLAN 20. Option 191 tells the phones to use VLAN X which in my case is 20 and option 128 is a string which tells the phones settings like the ip of the BCM, etc. HAHAHA, didn't work right - probably my fault. It seemed to get the right server address but just wasn't DHCP'ing on VLAN 20.

9. Manually went to each IP phone and set the server IP, and VLAN to 20.

10. Backed up all switch configurations.

Lo and behold, it all worked. All ip phones were able to DHCP to VLAN 20, and all PCs hooked up through them were able to DHCP to vlan 1. Now all my IP phones are isolated away from the data network. Next project will be QoS. Don't forget, anytime you add a new switch you'll need to configure VLAN 20 on it unless you've got GVRP working.

For more information on option 191, 128, and IP Phone settings, I found some Very helpful posts on McNamara's blog.

Option 128:
http://michaelfmcnamara.blogspot.com/2007/10/dhcp-options-voip.html
Option 191:
http://michaelfmcnamara.blogspot.com/2007/10/dhcp-options-voip-part-2.html
and Ip phone settings:
http://michaelfmcnamara.blogspot.com/2007/10/nortel-i2002i2004-internet-telephone.html
(I went with Partial DHCP because I still haven't gotten the Full to work yet.)

Wednesday, April 9, 2008

Vista command prompt eccentricities, elevation/run as administrator and path fun

First thing I like to do with the command prompt shortcut is to reduce the number of steps needed to open it and set it to have a unique font color so it's easier to track which command prompts are elevated and which aren't. To start, make a copy of the command prompt shortcut and rename it to something like "Elevated CMD". Then go into properties and click on the advanced button. Then check the box for "Run as Administrator".



Then click on the Colors tab and set a Screen Text color like Green, purple, whatever works for you.



Then just save your new shortcut.

Now for some fun things about command prompts in Vista. If you're using an elevated command prompt you can't change drives to mapped network resources. You can still access them by UNC but not by drive letter. And if you're using a non-elevated command prompt you can access network drives by drive letter but you don't get the same PATH variable as an elevated command prompt. So you have to manually run programs like PowerShell from the full path (C:\Windows\System32\WindowsPowerShell\v1.0). So until I can crack this one, I've just got a batch file that I run that just contains:
set PATH=%PATH%;C:\Windows\System32\WindowsPowerShell\v1.0

I can see how some of these annoyances are part of making it more secure but it can be a pain for power users or powershell coders to get up and running.
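The shortcut trick above colours cmd.exe windows by hand. The same idea can be done from inside PowerShell by asking the token itself whether it is elevated, which is more reliable than remembering which shortcut you clicked. The following is an added example, not something from the original post; it assumes a PowerShell v1 or later console and is meant to be pasted into your $PROFILE.

```powershell
# Added example (not from the original post): detect whether this PowerShell
# session is elevated and colour/title the window accordingly, so elevated and
# non-elevated consoles are easy to tell apart. Intended for $PROFILE.

function Test-IsElevated {
    # WindowsPrincipal.IsInRole checks the *effective* token, so under UAC a
    # member of Administrators running un-elevated correctly reports $false.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator
    return $principal.IsInRole($adminRole)
}

function Set-ConsoleElevationMarker {
    $ui = $Host.UI.RawUI
    if (Test-IsElevated) {
        # Green text plus an explicit tag in the title: this window can change the system.
        $ui.ForegroundColor = "Green"
        $ui.WindowTitle     = "ELEVATED - PowerShell - " + $env:USERNAME
    }
    else {
        $ui.ForegroundColor = "Gray"
        $ui.WindowTitle     = "PowerShell - " + $env:USERNAME
    }
}

Set-ConsoleElevationMarker
```

Because the check is made against the effective token rather than group membership, an Administrators-group user who opened the console without "Run as Administrator" gets the plain grey window, which is exactly the case the coloured shortcut is meant to catch.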

Monday, March 31, 2008

Vista - Admin tools (adminpak.msi) lost but now found

So you've gone and upgraded your desktop to Vista and tried to install ye olde adminpak.msi only to find that it don't work. To add insult to injury, for the past year there was no hope in sight for fixing this sad state. Fear not, Microsoft has released the RSAT package (Remote Server Administration Tools), which will allow you to use Admin tools from a Vista box with SP1 and is compatible with 2k3 and 2k8 servers!

Download 32 bit version:
http://www.microsoft.com/downloads/details.aspx?FamilyId=9FF6E897-23CE-4A36-B7FC-D52065DE9960&displaylang=en

Download 64 bit version:
http://www.microsoft.com/downloads/details.aspx?FamilyId=D647A60B-63FD-4AC5-9243-BD3C497D2BC5&displaylang=en

*Note:
After installing, it'll add a help file to your local admin tools and you'll be wondering where the tools are. If you read the help file, it'll tell you to go into Programs and Features -> Turn Windows features on or off and check the box for "Remote Server Administration Tools"

Separate wallpapers for dual monitors in vista

You know, I really thought they'd have this feature built into Vista. It just seems like one of those nifty GUI things they need to keep up with Mac...

Here's where DisplayFusion comes in. The basic version is free and will allow you to choose a different wallpaper image for each monitor. The app is pretty small (currently consuming 796K in RAM) and is really easy to use. Once installed, just launch it and it'll show up as an icon in the taskbar tray.



Go into the settings and then choose a monitor, then a background color (if needed) and the image you want to display on that monitor. Repeat for second monitor.



Download it here: http://www.binaryfortress.com/displayfusion/

Thursday, March 27, 2008

Head's up - Win2k3 SP2 may cause networking issues

There's a lot of buzz going around about problems being caused by SP2. By default it turns on a lot of features like TCP/IP Offloading (TOE) and Receive-side Scaling (RSS), which can play havoc on older network cards and apparently some newer boxes as well. There's a really good write-up on the problem from the Exchange team at http://msexchangeteam.com/archive/2007/07/18/446400.aspx which goes into detail on what is happening. If you've got anything weird going on with your servers since applying SP2, there's a good chance it's because of this.

I personally haven't run into problems on my exch 2k7 box with win2k3 x64 sp2 but I'm going to update my drivers now anyway just in case.
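Before chasing drivers, it helps to know whether the SP2 offload features are actually switched on for a given box. The following is an added example, not from the original post: it reads the Tcpip\Parameters registry values Microsoft documents for turning the Scalable Networking Pack features off and reports each one. It is read-only. The assumption (noted in the code) is that a value that is absent means the SP2 default, which is "enabled".

```powershell
# Added example (not from the original post): audit the Scalable Networking
# Pack switches that Win2k3 SP2 turns on by default. Read-only: changes nothing.
# Assumption: when a value is absent from the registry, the SP2 default (on) applies.

function Get-SnpSettings {
    $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
    $props = Get-ItemProperty -Path $key

    # Registry value name -> human label. 0 = feature off, 1 = feature on.
    $switches = @{
        "EnableTCPChimney" = "TCP Chimney Offload (TOE)"
        "EnableRSS"        = "Receive-Side Scaling (RSS)"
        "EnableTCPA"       = "NetDMA (TCPA)"
    }

    $lines = @()
    foreach ($name in $switches.Keys) {
        $raw = $props.$name
        if ($raw -eq $null) {
            $state = "enabled (value absent, SP2 default assumed)"
        }
        elseif ($raw -eq 0) {
            $state = "disabled"
        }
        else {
            $state = "enabled"
        }
        $lines += ("{0,-28} {1,-18} {2}" -f $switches[$name], $name, $state)
    }
    return $lines
}

Get-SnpSettings
```

If everything reports "enabled" and the NIC driver is old, that is the combination the Exchange team write-up warns about; the fix described there is to update the driver or turn the features off, not to leave them half-configured.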

Monday, March 24, 2008

FS116P Desktop POE switch review

Sometimes you've just got more devices in a room than ports, and whether it's temporary or not, you just can't get approval for more LAN drops. And to make matters worse, they're IP phones that run on POE (Power Over Ethernet). Now in your big network closets you can install those new big howling POE switches for your backbone, but for a small room, a quiet switch will keep mad users from coming to your office with torches. (I just installed a 24 port Dell POE switch on the backbone last week and it would make an aircraft carrier deck seem quiet.)

Enter the Netgear FS116P - 16 port 10/100 with 8 ports of POE.
http://www.netgear.com/Products/Switches/DesktopSwitches/FS116P.aspx
It's a fanless desktop switch and out of the 4 I got for our small rooms, only 1 had a discernible buzz, but it was faint and after being stuffed behind the printer stand wasn't really noticeable. As far as performance goes, it works just like any run of the mill 10/100 desktop switch - not noticeable either way for end users. Only the first 8 ports are POE enabled, but for smaller rooms that's really all you need. This switch worked fine with my Nortel i2002 phones and the Cisco 1131AG.

Friday, March 14, 2008

Exchange 2007 Powershell Script - Emails owners of all email distribution groups

Last year I posted a generic script to enumerate all members of all email groups. My department was tasked with finding a way to keep all email groups updated for all departments. My solution has 2 parts:

Part 1 is configuring the "Managed By" field in Active Directory or Exchange for all distribution groups and checking the box for 'Manager can update member list'. This allows email distribution group owners to modify membership through their Outlook client directly (via the Address Book interface).

Part 2 consists of the following PowerShell script, which finds all email distribution groups in the forest and then sends an email for every distribution group to that group's owner. The emails contain the primary SMTP address for reference and a list of all members of that group for quick viewing and confirmation.

# Enumerates all members of all Distribution Lists in Exchange 2007
# and all owners.
# Script will then proceed to email each owner a list of all
# members of each group.
# Uses cmdlets from exch2007 (run it from the Exchange Management Shell)
#
# 3/14/08
# By: Gnawgnu

#setup email - make sure to add the sender to your whitelist for
#antispam if applicable.
$sender = "PickASMTPSenderEmailAddress"
$server = "YourSMTPServerGoesHere"

#first get all distributionlists
$dl = get-distributiongroup

#then enumerate through them all and get all group members.
foreach ($group in $dl) {

#build group data
$groupName = "Group Name: " + $group.name
$groupAddr = "Email Address: " + $group.PrimarySMTPAddress
write-host $groupName -foregroundcolor Green

#skip groups with no "Managed By" set - there's nobody to mail and
#get-user would fail on a null name
if ($group.ManagedBy -eq $null) {
    write-host "  No owner set - skipping" -foregroundcolor Yellow
    continue
}

$dlgm = get-distributionGroupMember $group.name.ToString()
$gOwner = get-user $group.ManagedBy.Name

#get Email Address of group owner - skip if the owner has no mailbox
$recipient = $gOwner.WindowsEmailAddress
if ($recipient -eq $null -or $recipient.ToString() -eq "") {
    write-host "  Owner has no email address - skipping" -foregroundcolor Yellow
    continue
}
write-host $recipient
$subject = "Monthly Review required - Email Group: " + $group.Name.ToString()
write-host $subject
#Note: `r`n is a carriage return
$bText1 = "`r`nOwner:" + $group.ManagedBy.Name.ToString() + "`r`n"
$bText2 = $groupAddr.ToString() + "`r`n"
$bText3 = "group members: `r`n"
$bText4 = $dlgm | fl Name | out-String
$bText5 = "Please use your Outlook Client to make changes if needed.`r`n"
$bText6 = "If you are no longer the manager of this group, please notify IT.`r`n"

#all six pieces go into the body
$body = $bText1 + $bText2 + $bText3 + $bText4 + $bText5 + $bText6
write-host $body.ToString()
$msg = new-object System.Net.Mail.MailMessage $sender, $recipient.ToString(), $subject, $body

#send email - authenticates to the SMTP server as the account running the script
$client = new-object System.Net.Mail.SmtpClient $server
$client.credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
$client.Send($msg)

}

Thursday, February 28, 2008

APC metered switches - remote power off

If you've got some old stubborn legacy hardware that sometimes stops working unless you fully unplug it and power it down then you can relate to the pain of having to physically go onsite or call someone else to unplug the device. This clunky but functional arrangement works fine during normal work hours but can be a pain at 10pm on a weekend. My solution was to get some APC metered switches. Give it an IP address and custom name each outlet port to match the device that's plugged into it through the built-in web interface. If you're offsite and you need a reboot, just vpn into work, open a web browser to the APC's IP, and give commands to the individual ports to power down, then 30 seconds later, tell them to power back on.
This also works well for servers if they bluescreen or run into a hardware failure and just won't restart.

And as an unrelated side bonus, the APC switch has an amperage meter which is useful for measuring how many amps those ancient devices are pulling.

Link to the APC 7900 Switched PDU series:
http://www.apc.com/products/family/index.cfm?id=70

Saturday, February 23, 2008

Upgrading to Exchange 2007 SP1 with Symantec Mail Security

*UPDATED - Read all updates before trying this - See Below*

I'd been holding off on applying SP1 for Exch 2007 for a while now until I had upgraded my backup exec to version 12 and to see if there were any issues with Symantec Mail Security which I have running on the exchange server. So after I got BE 12 up and running I figured it was time.

The download of SP1 was much larger than I was expecting as it was around 870MB. In fact after running this upgrade I'm under the impression that it pretty much just reinstalled the whole server while retaining all my settings and data. Make sure you perform the usual precautions like backing up your data and have a recovery plan in place before starting. And of course, stop all antivirus, backup exec, automatic update services, etc prior to starting. (leave the exchange and IIS services running)

The first machine you should upgrade is the server(s) with the Client Access Role installed. During my upgrade, the pre-requisite check failed with a "you must be a member of the exchange organization administrators group", which occurred because the user I was installing it as was not a member of the Exchange Organization Administrators group. To remedy this, go into the Exchange Mgmt Console and under Organization, click on Add Exchange Administrator and add in the account you are installing as. Then restart all Exchange services for changes to take effect. After the pre-req tests pass, click Next and the upgrade will start. You'll see a lot of disturbing messages like 'uninstalling files', 'pre-compiling binaries', etc and wonder if you're running the right installer or not. Fear not, this is normal behavior for the service pack. My Front-End server took about 17 minutes. (Server specs: Win2k3 x64 SP2, dual 2.0Ghz, 4GB ram)



At this time, I went ahead and re-installed the backup exec agents on the server just as a precaution.

Now with that roaring success beneath our belts, we move on to the back end server. If you got that Exchange organization admin error earlier, make sure you rebooted the back end server too for changes to take effect. Repeat the same precautions of backing up, stopping unnecessary services, etc.



After that's done, you may want to change a registry key for a feature that's disabled by default as part of Microsoft's new security initiatives. The downside of having "Remote Streaming Backup" turned off is that programs like Backup Exec will have problems. To enable this key, go into Regedit and navigate to:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem

Create a DWORD key - "Enable Remote Streaming Backup" with a value of 1. At this time, I went ahead and re-installed the backup exec agents on the server just as a precaution. Reboot.
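If you have more than one mailbox server to patch, the registry edit above is easier to do consistently from a script that records what was there before it changed anything. The following is an added example, not from the original post; it assumes an elevated PowerShell on the mailbox server and uses only the key path and value name the post gives.

```powershell
# Added example (not from the original post): idempotently set the
# "Enable Remote Streaming Backup" REG_DWORD described above and report the
# previous value. Run in an elevated PowerShell on the Exchange mailbox server.

function Set-RemoteStreamingBackup {
    param([int]$Value = 1)   # 1 = allow remote streaming backup; 0 = the post-SP1 default (off)

    $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem"
    $name    = "Enable Remote Streaming Backup"

    if (-not (Test-Path $keyPath)) {
        throw "Registry key $keyPath not found - is the Mailbox role installed on this server?"
    }

    $before = (Get-ItemProperty -Path $keyPath).$name
    if ($before -eq $null) {
        # Value absent: create it as a REG_DWORD (New-ItemProperty refuses to overwrite an existing value)
        New-ItemProperty -Path $keyPath -Name $name -PropertyType DWord -Value $Value | Out-Null
        $beforeText = "<absent>"
    }
    elseif ($before -ne $Value) {
        Set-ItemProperty -Path $keyPath -Name $name -Value $Value
        $beforeText = $before
    }
    else {
        $beforeText = $before   # already set as requested; nothing written
    }

    $after = (Get-ItemProperty -Path $keyPath).$name
    return ("{0}: was {1}, now {2}" -f $name, $beforeText, $after)
}

Set-RemoteStreamingBackup -Value 1
# The Information Store reads this value at start-up, so restart MSExchangeIS
# (or reboot, as the post does) for the change to take effect.
```

Keeping the "was / now" line in your change log makes it easy to put the value back to 0 later if the backup product stops needing streaming backups.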

My Symantec Mail Security 6 appears to still be working properly and I tested my smtp server and it's still accepting messages so we're looking stable.

SP1 has some nice improvements such as being able to export a .pst file (very useful for archiving ex-employees for evidence), the rewritten OWA interface with lots of new features like server side rules, personal distribution lists, office 2007 support, etc.

And now you can change Send-As and Full Access rights from the GUI for those days when you just don't fell PowerShell-ish.



For details on the new changes, go to:
http://technet.microsoft.com/en-us/library/bb676323.aspx

Update 2/25/08: After applying SP1, the event logs are now starting to flood with Event ID 8206 - EXCDO - "Calendaring agent failed with error code 0x8000ffff while saving appointmen". I went ahead and rebooted the server and that error went away. An odd issue occurred with some recurring calendar entries. As users opened up invites and/or meeting entries in their calendar on Monday, some of them ran into an error. This error triggered Exchange to do a repair/integrity check on their mailboxes and effectively locked them out of their calendar for a while. The corresponding error in the Application log looked like:

Event Type: Warning
Event Source: EXCDO
Event Category: General
Event ID: 8230
Date: 2/25/2008
Time: 4:49:12 PM
User: N/A
Computer: EXCHANGE_server_name_here
Description:
An inconsistency was detected in user@maildomain.com: /Calendar/Pinpoint Testing for blah blah.EML. The calendar is being repaired. If a problem persists, please recreate the calendar or the containing mailbox.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Everything appears to go back to normal after the ExchangeIS process finishes checking the mailbox out.

If this persists for a few days, I may have to take the Information Store down and run a manual Eseutil /G integrity check.
http://technet.microsoft.com/en-us/library/aa998361(EXCHG.80).aspx

Updated 2/27/08 - Calendar issues seem to have sorted themselves out during the first 2 days. Now I'm getting:
Unexpected error 0x50a occurred in "EcProcessVirusScanQueueItem"

After researching the web I see that it's not limited to Symantec as users of Trend, Forefront are also reporting the same error post SP1.

Friday, February 22, 2008

Dell Remote Console Switch 2161DS-2 and Vista SP1

Prior to SP1, I'd been having a heck of a time getting the Dell Remote console software for the kvm to work on Vista. Of course, this was to be expected as Vista wasn't even listed as a platform option for the downloads. Now after upgrading to SP1, the XP version of the software went right on and actually works properly. (version 3.1.0.320)

Wednesday, February 20, 2008

Tested - D630 Vista SP1

Test platform: Dell Latitude D630 BIOS A06. Fresh Vista build, latest intel drivers, AHCI enabled, Nvidia 135 vid chipset.

Prep - disabled Symantec A/V as a precaution. Downloaded RTM version of Vista Service Pack 1 from Technet Plus.

Total Time to apply SP1 - 34minutes including reboots.

Results: No apparent operating system issues, all device drivers appear to be working fine. No errors during upgrade. Symantec did not start after the final reboot but came back fine after another reboot.

Tuesday, February 19, 2008

Installing 2008 Server Core - VMWARE Server 1.0x

When you go to create the new virtual machine, choose the "Vista" option for OS type (It's about as close as you're going to get). Insert the 2008 CD or mount the ISO as a CD instead. Server Core installs without a hitch. Click Other when the GUI comes up, login as Administrator and it'll force you to choose a new password.

To get VMWARE Tools installed, do the usual step in the VMWARE console of clicking VM-> Install VMWARE Tools which will mount d:\ to the vmware tools iso. Go to the command prompt in the VM and cd to d: and then run VMWare Tools.msi (add a /qn for silent install).

To rename the server, first run HOSTNAME to confirm the current name, then run
netdom renamecomputer InsertOldNameHere /NewName:InsertNewNameHere
*Note, this will require a reboot to kick in fully. (Shutdown /r for those who still haven't gotten their old GUI-less legs back). Shutdown /r /t 0 for the impatient.

To update the license key for the server:
slmgr -ipk InsertKeyHereWithDashes

Then slmgr -ato to activate windows (may take several minutes)

To enable Remote Desktop (hehe, seems odd for a gui-less install but yet it does have its uses). This command should add firewall rules for RDP inbound for you.

"Cscript %windir%\system32\SCRegEdit.wsf /ar 0" Enable for vista/2k8 clients
"Cscript %windir%\system32\SCRegEdit.wsf /cs 0" Enable for older clients
This worked fine for me until I added it to a domain at which point RDP stopped accepting connections. So I added a manual rule for it:
netsh firewall set portopening tcp 3389 "Remote Desktop"

Now if you're like me and the 640 * 480 resolution is killing you and you're feeling brave, there is a way to change it. Run regedit from the command prompt. Navigate to the following keys:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Video\GUID\0000\DefaultSettings.XResolution
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Video\GUID\0000\DefaultSettings.YResolution

Just to make this confusing, there will be multiple GUIDs. Pretty much check them all and see which one has the XResolution set to hex 280 and YResolution set to hex 1e0 (640 * 480 decimal). Figure out the hex equivalent of your desired resolution (use Calculator on another box if needed). I just went with 320 * 258 hex (800 * 600 decimal) but you could probably run 400 * 300 (1024 * 768). Close out the registry editor and reboot for changes to kick in.

At this point you've got a good base VM image to backup and then start playing around with.

Tips from the guys at microsoft:
http://blogs.technet.com/server_core/

Tuesday, February 12, 2008

BCM, Internet Explorer 7, Java, and the disappearing Telephone menu tree

So for a while I'd been having problems with IE7 and the Management Interface on the BCM (3.7). The tree below 'Telephone' would completely disappear but would show up fine on a box with IE 6 or an older version of Java. While I was talking with a Nortel tech about an RCC problem, we got into discussing the java problems and he mentioned that there’s a way to get the latest java to work with IE 7 and the BCM management interface.

Close all browsers, then go into Control Panel -> Java -> Advanced Tab -> Default Java for Browsers and remove the checkbox for Microsoft Internet Explorer. Yeah, it seemed goofy but I changed that setting and went into the system and voila, works fine now.

*Updated* For those of you who've been asking about the 3.6 version, the only way I found to make that work without downgrading IE or Java is to use Opera. http://www.opera.com

Monday, January 28, 2008

Vista client VPN to an ISA 2004 server

New technologies, new woes. I was having problems getting access to resources over the VPN. I solved half of them by unchecking the IPv6 checkbox for the VPN connection and then restarting the laptop. I also went ahead and explicitly set the connection type to PPTP and made sure it was using the remote server as the Default Gateway under the Advanced tab of the IPv4 settings. For the old XP boxes we used to unset that to keep down crap traffic through our network from remote users. It's still a little flaky sometimes with mapping drives, etc but at least now I can get to internal web servers and RDP.

Monday, January 21, 2008

Netflix Instant Viewer and XP 64 bit fun

It all started out innocuously enough: go to Netflix's site, download the client, and roll film. Needless to say, Murphy's law kicked in. Netflix's module tried to upgrade Media Player to 11 and by default tries to load the 32 bit version. After that failed, my browsers started randomly crashing during use.

So I upgraded the box to WMP 11 64 bit edition, then ran the netflix DRM reset program. C:\Program Files (x86)\Netflix\Netflix Movie Viewer\ResetDRM.exe
Then went back to the site and ran the installer again. It's still a little flaky but it's running now and I can now watch vids on the box.

Friday, January 11, 2008

Virgin Mobile Phone Activation Hell

So I've been trying to activate my wife's virgin mobile phone for two weeks now. She's had the service for a few years now and every year we upgrade the phone to a newer model. This year they've made it so if you activate with a customer service representative you have to pay $10. But if you do it online, it's free. So we tried the online route and the POS web server kept rejecting the ESN number. Call number one which took over 45 minutes consisted of confirming that it was indeed the right ESN and that we did have enough IQ to use the web page. Yet the end result was that yes they understood it was their fault but for them to fix it would cost $10 as the computer would not let them override. Thus began the email rant to customer service. After a few volleys they said they'd fix it for us for free. Followed by a few more emails confirming information, then followed by a "We're sorry, you'll have to call us to fix this". Thus began Call number 2. Talked to friendly advisor who came to the same unfrigginbelievable response. I decided it was time to escalate and asked for a supervisor. After 15 minutes on hold I was beginning to wonder if Sir Richard Branson himself had been roused to come and defend his company's honor. Unfortunately no, just some low level supervisor who came up with pretty much the same rubbish and added - "it shows the computer has automatically launched an investigation." To which I asked well hasn't it been generating errors for two weeks now? What's the difference now?
Yeah, it's only $10 but at this point it's just the principle. Any good customer service company has to provide a way to fix issues that are caused by their own systems or they are worthless.

Saturday, January 5, 2008

D630 wakes itself up - aka the haunted latitude

So I have a latitude D630 running Vista that works fine, falls asleep and wakes up okay, etc. But if you leave it sleeping for about 18 hours you can hear it try to wake itself up. So I checked the usual suspects in bios, wake on lan was off, system turn on timer off, etc. I finally found the culprit to be hibernate. The laptop is set for high performance power mode which by default sets hibernate to occur after the laptop has been 'sleeping' for 1080 minutes. And of course, there's no GUI option to turn off hibernate in Vista so back to the old trusty command line.

powercfg.exe /hibernate off

I don't use hybrid sleep mode or any of those fancy functions so turning this off saves me disk space and the peace of mind knowing that the laptop will not try to wake itself up at a bad time and choke to death in a laptop bag.

For more info on turning off hibernate and turning it back on -