Monday, June 30, 2008

Exchange OWA 2007 Change Password Problem

Some of my users recently complained that they were having problems with the "Change Password" feature in OWA 2007. I wasn't able to replicate it myself when I tried it with my own account though. After some searching on the web I did find some issues people were having with password changes and OWA 2007 and it came down to 2 popular resolutions.

1. "regsvr32 C:\WINDOWS\system32\inetsrv\iisadmpwd\iispwchg.dll" and then reset the IIS with the command "iisreset /noforce".

2. Edit your active directory group policy for passwords and set "Minimum password age" to "0" days. It's been reported that even if it's been more than X days since the user changed their password that this policy will cause the "The password supplied does not meet the minimum security requirements. Please contact technical support" error to show up.
(Note: You may need to either Restart NetLogon or reboot the DC for changes to kick in faster.)

Now nothing left to do but wait and see if the problem shows up again.

Friday, June 13, 2008

2008 Hyper-V first impressions

I've been playing around with the new Hyper-V (beta) that's included in server 2008 and I have to say it looks promising. Keep in mind that it's still in the beta stage so there are bound to be some kinks in it. I currently use VMWare Server in my production environments because it's a nice balance between cost and ease of management/maintenance as compared to the VMWare ESX product. (It's a lot easier to train my techs to support vmware on a windows platform than to teach them how to support linux and vmware both). I know some of you will say that comparing VMWare Server to 2k8 Hyper-V is a bit of an apples and oranges comparison since 2k8 has a Hypervisor but for me the comparison is more about running Virtualization on a Windows host platform.

I installed Win2k8 x64 standard edition on a dual core 2.6Ghz server with 2GB ram. Then I added the Hyper-V role, rebooted, then applied a hotfix related to it from windows update. Creating new Virtual images is a breeze, the wizard walks you through just like the vmware one does and provides you with all the usual options of how many processors, how much ram, disk space, etc. The very first thing I noticed was the absence of any noticeable I/O hit. The Hypervisor handles direct I/O calls very nicely and I only began to notice a performance dip after I started running 2 more Virtual machines at the same time.

Microsoft has updated all their licensing and Eula materials to cover virtualization. On 2008 Enterprise edition, you're allowed to have 4 virtual machines running with an OS that's covered by the host OS license. With the Datacenter Edition, it goes to Infinity! Which means that if you built out a monster cluster, and I do strongly recommend that you cluster your VM servers if you want high availability, then you could save a bundle on operating system licenses. Oh, and the standard edition allows you to run 1 virtual to match the 1 physical license. For the price difference, if you plan to have a few virtual machines on the box, just buy the enterprise edition.

I wish they would have just used the same key combinations that VMWare does. I'm used to using CTRL-ALT a lot and now I have to remember CTRL-ALT-Left Arrow. There are a few others like that in the interface. I do like that you can have them running without any active displays and that each one runs in a different window that's not embedded into the console.



You can read more about Hyper-V at:

http://www.microsoft.com/windowsserver2008/en/us/virtualization-consolidation.aspx

and

http://en.wikipedia.org/wiki/Hyper-V

Saturday, May 17, 2008

Enumerate all Email groups a user is a member of

Quick script to show all email distribution groups that a particular user is a member of:


#
# Cobbled together by Gnawgnu
# 5/17/08

#get the identity of the user by alias
$Username = (get-user gnawgnu).Identity

#search all groups for that user
$groups = get-group -Filter {Members -eq $username}

#display all groups that have an email address
#defined that's longer than 0 characters
$groups | Where-Object {$_.WindowsEmailAddress.Length -ne 0}

Wednesday, May 14, 2008

Review - Kensington DataTraveler BlackBox

I've always had good luck with the DataTraveler series and so far I'm pretty impressed with the new BlackBox edition. It's got a good solid feel and weight to it and it's even FIPS 140-2 certified. Unlike some of the new secure drives that have come out, this one does Not require Admin access to work properly. I tested it out as a normal User on an XP SP2 box and didn't have any problems at all. The drive setup is a breeze and it is configured to lock out your data after 10 invalid password attempts. After that, they say you have to completely format the drive to be able to use it again.



I'm too lazy to detail all the screen caps for setting it up, you can find them in the manual pdf on their website.

When done, it'll just settle into a nice task tray icon.





The only downside so far is that on my x64 Vista box, I get an error every time I plug it in but if I hit Retry after a few seconds it'll work fine afterwards.




Overall I'm giving this one a thumbs up. It's probably only a matter of time until someone publishes a hack for it but ain't that always the case.

Link to the BlackBox page on Kingston's site:
http://www.kingston.com/flash/DTBlackBox.asp

Sunday, April 27, 2008

Win2k3 convert to dynamic grayed out - GPT and me

I decided to add another drive to an external vault that's attached to my backup exec system. It's used as an intermediary for disk to disk to tape backups and was getting a bit full. (1.9TB) So I added a disk to the array, let it rebuild and then went into computer management. Then I found that all options for adding or changing the drive were grayed out including "convert to dynamic", "convert to GPT", etc. This was puzzling but after some research I found out that I had hit a 2TB barrier that's caused by the old Master Boot Record (MBR) partitioning scheme. The solution Microsoft proposes is to go to the GPT partitioning scheme (GUID partitioning) which scales up to 2^64 logical blocks in length.
http://www.microsoft.com/whdc/device/storage/GPT_FAQ.mspx

Of course the hitch is that you have to wipe out everything on the drive before you can convert to GPT. Even if you try to do it from diskpart you'll get a "The disk you specified is not empty." "Please select an empty MBR disk to convert." So after whacking everything on the disk, it let me upgrade the partition scheme to GPT and I was then able to utilize all the space on the disk.



I have no idea how the performance is affected when you go from MBR to GPT as I haven't been able to find any reviews online. So far I haven't noticed any decrease in performance so that's good. Oh, and in case you're wondering, Symantec Ghost Solutions 2.0 and higher support ghosting GPT partitions.
http://www.symantec.com/business/products/newfeatures.jsp?pcid=2247&pvid=865_1

Thursday, April 24, 2008

Workaround for the BCM 3.6 and Vista/IE/Java

Previously I discussed how to get around this problem with the 3.7 version of the BCM software. But it's been brought to my attention that it doesn't work with the 3.6 version. So, after several permutations of playing around with Mozilla and IE I went with an entirely different option - Opera. http://www.opera.com

Step 1: Download it
Step 2: Install it
Step 3: Browse to your BCM and choose Install for the certificate



Step 4: Log in as normal, go to the Telephone Services Tree and Voila



Tested on Vista 32 bit with Opera 9.27

Monday, April 21, 2008

Upgrading a 2k3 domain to 2k8.

Decided to upgrade the old 2k3 AD domain this week to 2008 AD. First stop was the Microsoft Technet page - strongly recommend you read it first.
http://technet2.microsoft.com/windowsserver2008/en/library/9c91be5f-df14-40b2-b176-2b1852a51e611033.mspx?mfr=true

I opted to install a new domain controller to start with just to ease into the process. Prior to that, I ran the ADPREP /forestprep, adprep /domainprep /gpprep, and just for kicks adprep /rodcprep and let the changes propagate for a couple of hours just to be on the safe side.

I decided to go with a VM for the domain controller this time. It seemed like a good way to future proof it as far as hardware and since it's a small site I'm not really worried about performance issues. Windows 2008 Enterprise installed right on, vmware tools followed easily enough. Then I added the AD DS role through the new snazzy Server Manager. Last step - DCPROMO, which now defaults to dummy mode but there's still an option for 'Advanced' for real admins.

Once completed, I ran all the usual netdiag, dcdiag, etc and all was well and left it to stew overnight to see if any cool errors would manifest. The first thing to get used to is the new server manager likes to make you aware of *ALL* warnings and errors no matter how trivial they may be. One valid one was from IIS and complained about WAS and the IIS_IUSRS group. A long search pulled up a nifty script from Microsoft that fixed it.
http://support.microsoft.com/kb/946139

So with renewed confidence that all was well, I went ahead and upgraded the rest of the Domain controllers with little problems. Prior to upgrading the existing domain controllers, I had to uninstall things like powershell and antivirus and backup exec, etc. The powershell was mandatory and of course was hidden under a hotfix name so uninstalling it was impossible without figuring out which hotfix it was under. The other software I uninstalled just as a precaution. One domain controller had the Exchange 2003 management tools installed which caused MMC issues post upgrade with the Active directory User and Computers snap-in. The resolution there was just to uninstall it.

Once all the DCs were upgraded and working, I reinstalled backup exec agents, symantec antivirus, and applied new Security Configuration Wizard policies. Then made backups, documentation, etc.

Since all my DC's were running windows 2008 server now, I went ahead and upgraded the Forest mode to 2008 functional level. (keep in mind, functional level changes are ONE WAY, no going back). The 2008 functional level comes with some cool features like AES encryption on Kerberos, better DFS replication, and last interactive logon. I went ahead and tried to enable the "last interactive logon" according to Microsoft's help pages and my test Vista workstation could no longer unlock the terminal. So after some searching it turns out that you have to enable the policy on All Your Domain Controllers First! Thanks go out to Steven Bink for his article I found on google to solve it:
http://bink.nu/news/showing-last-logon-info-at-logon-in-windows-server-2008.aspx

And now happily, the feature works perfectly when you log into win2k8 or vista boxes that have the policy set on the domain.
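
Because the functional level change is one way, a pre-flight check that every domain controller is already on Server 2008 or later is worth running first. The following is an added example, not part of the original post; it assumes the ActiveDirectory PowerShell module (RSAT) is available, and the function name `Get-DcFunctionalLevelReadiness` is hypothetical.

```powershell
# Added example; requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-DcFunctionalLevelReadiness {
    $forest = Get-ADForest
    foreach ($domain in $forest.Domains) {
        foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
            # OperatingSystemVersion looks like "6.0 (6001)";
            # 5.2 is Server 2003, 6.0 is Server 2008.
            $ver = [version]($dc.OperatingSystemVersion -replace '\s*\((\d+)\)', '.$1')
            [pscustomobject]@{
                Domain        = $domain
                DC            = $dc.HostName
                OS            = $dc.OperatingSystem
                Version       = $ver
                Is2008OrLater = ($ver -ge [version]'6.0')
            }
        }
    }
}

$report   = @(Get-DcFunctionalLevelReadiness)
$blocking = @($report | Where-Object { -not $_.Is2008OrLater })

$report | Format-Table -AutoSize
"Current forest mode: $((Get-ADForest).ForestMode)"

if ($blocking.Count -gt 0) {
    # Any DC listed here must be upgraded or demoted before the level is raised.
    "Not ready: $($blocking.Count) domain controller(s) are older than Server 2008:"
    $blocking | ForEach-Object { "  $($_.DC) ($($_.OS))" }
} else {
    "All $($report.Count) domain controller(s) run Server 2008 or later."
}
```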

Friday, April 18, 2008

Backup Exec 12 - upgraded and running

Okay, even this skeptic has to admit they're getting better. I upgraded my 11d server to version 12 this week.

Pros:
Now comes standard with Open file protection and the base level IDR option
New installer has a nicer layout
Win2k8 Support right off the bat
The new System Recovery agent looks cool and supports virtual machine conversions.

Cons:
Had a few hiccups getting the policy based jobs up and running again afterwards.

First off I like the new selection layout during the install. It breaks the modules up by what you're licensed for, then what you can eval, and then the stuff you can't even eval.



I went ahead and upgraded the antivirus to symantec endpoint prot 11 like it wanted. It also has a new antivirus integration but you have to install the full endpoint protection manager on the backup exec server. The upgrade itself went smoothly and I rebooted the server. Then I had to upgrade all the remote agents because it kept giving warnings about the old version.

As for my policy based backups, I had a few issues with the jobs not wanting to work - or cancel for that matter. So first I tried the old "Delete Jobs Created By Policy..." and recreating them but the Incremental parts kept failing. So I cancelled them and started the Full backup job part of the policy.



Once that finished successfully then the incrementals started working right again.
*Mental note to self, don't do upgrades in the middle of the week*

Overall I'm satisfied that Backup Exec is once again on the right track. The expanded feature set and those little extra UI tweaks really do help.