Categories
ConfigMgr

ConfigMgr : Download Setup ConfigMgr Updates in Advance for Offline Install


The commands below facilitate deployment of SCCM / ConfigMgr in an offline environment by allowing you to download the updates that Setup requires from another machine.

  • For SCCM 2007, use the following command to download the updates required by Setup to C:\TEMP\: SMSSETUP\BIN\I386\SETUP.EXE /download C:\TEMP
  • For ConfigMgr 2010, use the command: SMSSETUP\BIN\x64\SETUP.EXE /download C:\TEMP

 

Categories
Exchange Server 2010

Exchange 2010 : Troubleshooting Inter-Exchange Organisation Mailflow

We recently got caught out by the introduction of an Exchange Server to a relatively new AD site. Prior to the deployment of the server the AD DS site was not an Exchange Site.

After a few hours we started to get calls regarding mail stuck in a queue with the nexthop set as the AD DS site where the new Exchange Server had been deployed. We confirmed this using the Exchange Shell command: get-queue

So we knew that the new Exchange AD DS Site was the root cause, but why? Next port of call was the Exchange Routing Log Viewer, available from the Exchange Management Console, under Toolbox.

First things first: you’ll need to edit the file. From the File menu select ‘Open log file…’, enter a HT server name, then click ‘Browse server files’. Right-click the file you wish to open, select ‘Open with…’, then select ‘Notepad’. Now remove all of the lines that read ‘<SourceOrTargetServers />’. If you do not complete this step you won’t be able to view the log files.

Now open the file in the Routing Log Viewer, expand Active Directory Sites and then a site to which delivery of mail has been affected. You should be able to verify a) the next hop and b) the cost of delivery.

You can also compare logs using ‘File’ > ‘Compare log file…’ (remember to edit the file as before). This outlined the changes in routing caused by the site – changes we were unaware would be triggered by deployment of Exchange.

The next step was to ascertain where the AD DS site link cost was coming from; there was an IP site link that we were unaware existed. It turned out that the DefaultIPSiteLink contained this site and another key site – thus skewing the Exchange Routing Table once Exchange had been deployed to this site. This left us three options:

  1. Remove the new Exchange Site from the DefaultIPSiteLink
  2. Assign an Exchange Site Link cost to this site link (using set-adsitelink)
  3. Increase the cost of the DefaultIPSiteLink in AD DS

We went with option 1, the problem then cleared up within a few minutes; moral of the story – when deploying Exchange into an Active Directory site where it has not previously been installed check any and all site links where the AD DS site is defined as a member.

Categories
Windows 2008

AD DS : DCPROMO fails with A domain controller for the specified domain could not be located.


Check the DCPROMO log files located under: C:\Windows\Debug.

Perform the following test on the server: nltest /dsgetdc:<fqdn of a functioning domain controller>

You can also confirm that you can look up SRV records in DNS by executing the following from a command prompt:

  1. nslookup
  2. set type=all
  3. _ldap._tcp.dc._msdcs.<domain_name>

If SRV records are returned then it is more than likely this is a firewall related issue. Check logs for blocked traffic, specifically on UDP and TCP port 389.

Categories
Windows 2008

Active Directory: Firewalled Domain Controller Issues


In implementing a new child domain recently I encountered some strange and typically unhelpful error messages which turned out to be firewall related. Moral of the story, ensure that all of your domain controllers can communicate with each other on all of the ports listed here: http://social.technet.microsoft.com/wiki/contents/articles/active-directory-replication-over-firewalls.aspx

Also, ensure that all of your clients can also communicate on these ports.

Symptoms

When trying to create a new account using dsa.msc:


 
Windows cannot verify that the user name is unique because the following error occurred while contacting the global catalog: a local error has occurred.

When trying to modify group membership via dsa.msc:

The following Active Directory Domain Services error occurred: The system detected a possible attempt to compromise security.

When browsing the GC using adsiedit.msc:

Operation failed: Error code: 0x80090350. The system detected a possible attempt to compromise security.

Confirm time is the same on all Domain Controllers in the forest; this is especially important if your domain is a child domain.

Test srv records for GC:

  1. nslookup
  2. set type=srv
  3. _ldap._tcp.<site name>._sites.gc._msdcs.<fully qualified domain name>

Confirm replication is working as expected: repadmin /showreps

GC is browsable via ADSIedit connecting on port 3268
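
Both this post and the DCPROMO post above end at the same question: can this machine reach the domain controller on the AD DS ports? The script below is an added example, not part of the original posts; it tests TCP reachability to each fixed port from the machine it is run on. The host name dc01.example.test and the function name Test-TcpPort are placeholders, and the port list is the standard AD DS set rather than a copy of the linked article.

```powershell
# Added example: TCP reachability from this machine to a domain controller.
param(
    [string]$DomainController = 'dc01.example.test',  # placeholder, use your DC's FQDN
    [int]$TimeoutMs = 2000
)

# Fixed TCP ports used by AD DS. Kerberos (88) and LDAP (389) also use UDP, and
# RPC needs the dynamic range (49152-65535 on Windows Server 2008) as well;
# a TCP connect cannot prove those, so confirm them in the firewall log.
# 636 and 3269 only answer when the DC has a certificate for LDAP over SSL.
$ports = @(
    @{ Port = 53;   Service = 'DNS' },
    @{ Port = 88;   Service = 'Kerberos' },
    @{ Port = 135;  Service = 'RPC endpoint mapper' },
    @{ Port = 389;  Service = 'LDAP' },
    @{ Port = 445;  Service = 'SMB' },
    @{ Port = 464;  Service = 'Kerberos password change' },
    @{ Port = 636;  Service = 'LDAP over SSL' },
    @{ Port = 3268; Service = 'Global catalog' },
    @{ Port = 3269; Service = 'Global catalog over SSL' }
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'Timeout'          # nothing came back: typical of a firewall drop
        }
        $client.EndConnect($pending)  # throws if the connection was refused
        return 'Open'
    } catch {
        return 'Refused or unreachable'
    } finally {
        $client.Close()
    }
}

foreach ($p in $ports) {
    New-Object PSObject -Property @{
        Target  = $DomainController
        Port    = $p.Port
        Service = $p.Service
        Result  = Test-TcpPort -ComputerName $DomainController -Port $p.Port -TimeoutMs $TimeoutMs
    } | Select-Object Target, Port, Service, Result
}
```

Run it from each domain controller against every other one, and from a client subnet, since a rule can allow one direction and block the other.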

 

Categories
Windows 2008

QLogic 10Gb CNA for IBM System x and IBM Power : Connectivity Issues


I ran into an issue with a couple of X3650 M3 servers recently where after connecting the Cisco TwinAx cables, linking the CNAs to a Nexus 5000 switch, the cards did not seem to function properly:

  1. The SAN and LAN LEDs flashed at the same time, slowly. Looking at the product hardware manual this indicated the CNA did not have a connection!
  2. Ethernet connectivity appeared to work via one port but not the other
  3. The QLogic teaming utility was unreliable/unstable when configuring a network team using the CNA ports
  4. Once teamed, when disconnecting a single cable the team would not failover
  5. Disabling/enabling a port in Windows caused the system to become unresponsive
  6. The qlvt.exe application kept hanging causing the system to be unresponsive / hang on restart requiring a hard reset.

After rebuilding the OS on the servers, installing newer drivers (1.0.1.3) and the most recent firmware I eventually started to look further down the stack.

I eventually set my sights on the physical cables; using the following command we were able to identify the cable in use (it was at a remote site):  sh interface e1/30 transceiver calibrations

Ethernet1/30
    transceiver is present
    type is SFP-H10GB-CU5M
    name is CISCO-MOLEX    
    part number is 74752-9047     
    revision is 07 
    serial number is MOC15144945    
    nominal bitrate is 10300 MBit/sec
    Link length supported for copper is 5 m
    cisco id is —
    cisco extended id number is 4

The part number relates to a passive 10GB TwinAx cable, note passive. After some more digging it was identified that the IBM card only supported active cables as identified in the supported IBM Cables here: http://www.redbooks.ibm.com/abstracts/tips0720.html

The cables have now been swapped for active cables and the issues above have all disappeared.

Categories
Windows 2008

Sophos AV : The user is not assigned to any sub-estates


I came across this today on a fresh install of Sophos 4.7 on Windows Server 2008 R2. I confirmed:

User was a member (indirectly) of the SophosAdministrator group in AD DS, and a member (indirectly) of the local security group “Sophos Full Administrators”. Note indirect. The issue here was caused by nested group membership; the user was a member of a role-based group which was in turn a member of a service type group which was used to delegate permissions in Sophos.

There is a known issue where launching the Sophos Enterprise Console as a user who inherits membership of the Sophos Full Administrators group via nested groups fails.  Ensure the launching user is a direct member of the group.

More information available here: http://www.sophos.com/support/knowledgebase/article/67106.html
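
One way to tell direct membership from nested membership on the management server, as an added example that is not part of the original post or of Sophos's tooling: the script lists the direct members of the local group and reports whether the account is among them. The group name comes from the post; the $Account default (the current logon) is an assumption.

```powershell
# Added example: is the account a DIRECT member of the local Sophos group?
param(
    [string]$GroupName = 'Sophos Full Administrators',     # local group named in the post
    [string]$Account   = "$env:USERDOMAIN/$env:USERNAME"   # assumption: check the current user
)

$group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"

# Members() returns direct members only; a nested group shows up as one entry
# of class Group, and the accounts inside it are not expanded.
$members = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $path  = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    $class = $_.GetType().InvokeMember('Class',   'GetProperty', $null, $_, $null)
    New-Object PSObject -Property @{
        Member = $path -replace '^WinNT://', ''
        Class  = $class
    }
}

$members | Select-Object Member, Class | Format-Table -AutoSize

$direct = @($members | Where-Object { $_.Class -eq 'User' -and $_.Member -eq $Account })
$nested = @($members | Where-Object { $_.Class -eq 'Group' })

if ($direct.Count -gt 0) {
    "$Account is a direct member of '$GroupName'."
} else {
    "$Account is NOT a direct member of '$GroupName'."
    if ($nested.Count -gt 0) {
        # Any access the account has is inherited through one of these groups.
        'Groups nested in it: ' + (($nested | ForEach-Object { $_.Member }) -join ', ')
    }
}
```

Compare the result with the output of whoami /groups for the same user: a group that appears there but not as a direct User entry here is being inherited through nesting.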

Categories
Windows 2008

Windows Server 2008 : Storage Migration No Impact!


The following process is useful when migrating from one storage platform to another. In summary, it uses Windows Software RAID to mirror data to the other storage device; once completed, the mirror is broken in a way that leaves only the new storage with the correct drive letter / mount points and data.

  1. Present the new LUN, on the new storage, to your host. The drive should contain no partitions.
  2. Right-click the volume you want to mirror and select ‘Add Mirror…’
  3. Select the disk you wish to mirror the volume on to and click ‘Add Mirror…’
  4. Click Yes to acknowledge that both drives will be converted to dynamic disks.
  5. Wait for the mirror to sync.


You can either break or remove the mirror:

  • To break the mirror, keeping the same drive letter on the NEW storage and assigning a free drive letter on the old storage, right-click the old drive and select break mirror.

   This can be performed in diskpart using the following commands:

diskpart
list volume
select volume <volume number>
detail volume
break disk=n

   Change ‘n’ to the disk number you wish to remove the mirror from, i.e. the old storage device, leaving the new disk with the data on it.
  • To remove the mirror, keeping the data on only one drive (the new drive), right-click one drive and select remove mirror. You will be prompted to select a drive to remove. Make sure you select the old drive!

 

Categories
Windows 7

Taskkill : Kill Multiple Processes at Once

The following command is really useful if you have multiple copies of an exe that are not responding; Internet Explorer is a good example here. This command will forcefully terminate all processes with the name iexplore.exe:

taskkill /im iexplore.exe /f

Categories
Windows 2008

XCOPY : Copy Folders and Files with Permissions


Use the following command to copy a folder and its subfolders and files to a new destination, maintaining all of the attributes, ownership and ACLs:

xcopy c:\olddocs c:\newdocs /O /X /E /H /K

Categories
Windows Server 2003

RDP : Black Logon Screen


Came across an odd one the other day where when trying to logon via RDP I was greeted with an RDP logon Window that was pretty much all black; Text Input boxes (username/password/domain) were all black, the logon window was all black, background was black. Everything was black other than the Windows 2003 logo.

Once logged in everything was fine however.

When it’s broken down like that you may see where I’m going with this…

Check out the Colour values under: HKEY_USERS\.DEFAULT\Control Panel\Colors

On the affected server these were all “0 0 0” – i.e. black. You can simply export this key from another (working) Windows 2003 server and import it to the affected box.