Categories
Windows Server 2003

Windows 2003 Cluster :  MPIO Issues


I came across an odd issue not that long ago, with an Exchange 2007 SP1 CCR cluster running on Windows Server 2003 R2 SP2 x64. Hardware specifications for this issue were as follows:

  • The hardware was HP C-Class BL680c Blades in a C7000 chassis.
  • Network connectivity for the chassis was handled by dual HP Virtual Connect (VC) modules
  • Fibre connectivity supplied by HP VC 4G/B Fibre Modules using NPIV.
  • Approx 25 EVA 3000 disks were presented to each node, the HP EVA DSM was installed on the cluster nodes.

Symptoms

The following events would be reported in the event log:

  • Event ID 129  : ql2300 Warning “Reset to device, \Device\RaidPort0, was issued.”
  • Event ID 11    : ql2300 Error “The driver detected a controller error on \Device\RaidPort0.”

  

With no pattern or discernible cause, one of the following would happen:

  • The cluster would fail over to the passive node.
  • The cluster service on the passive node would stop, along with all Exchange resources.

This would happen several times a week.

The following events would be logged in the event log:

  • Event ID 1118  : clusNet Error “Cluster service was terminated as requested by Node 1.”
  • Event ID 1026 : hpevadsm Error “The Driver has detected a path failure/removal to LUN ID

  

Finally, MPIO errors were logged in the event log and disk paths would be missing:

  • Event ID 17 : mpio Warning “\Device\MPIODisk1 is currently in a degraded state. One or more paths have failed, though the process is now complete.”
  • Event ID 16 : mpio Warning “A fail-over on \Device\MPIODisk24 occurred”

  

These errors would be reported for multiple EVA disks at a time.

Cause

This is caused by the HP VC module firmware versions (both the Ethernet and F/C modules require updating – however this entails several more updates!)

Solution

  1. Update all of the individual server firmware in the chassis using the HP Firmware Maint. CD
  2. Update the HP Onboard Administrator
  3. Update the HP Virtual Connect Modules

Since following this ‘action plan’ from HP the issue was resolved – no re-occurrence in 7 weeks.

 

 

 

 


Powershell : Export Active Directory Group Members


First you will need to obtain the ‘ActiveRoles Management Shell for Active Directory’ from the following link: http://www.quest.com/powershell/activeroles-server.aspx

Next save the following code into a new ‘.ps1’ script file:

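# Load the Quest snap-in (already loaded if run from the ActiveRoles Management Shell)
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

$data = @()
# One row per (group, member) pair for every group under the search root
foreach ($grp in Get-QADGroup -SearchRoot "internal.local/UK" | Select-Object Name,DN) {
    $data += Get-QADGroupMember -Identity $grp.DN |
        Select-Object @{n="GroupName";e={$grp.Name}},@{n="GroupDN";e={$grp.DN}},Name,@{n="DistinguishedName";e={$_.DN}},Type
}

$data | Sort-Object "GroupName" | Export-Csv C:\UK_GroupExport.csv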

Modify the search root so that it reflects the domain name/OU you wish to enumerate groups and group members from. This should be in canonical form, for example “my.domain/myOU”.

On execution, this script will create a new csv file containing groups and all members, including nested groups.


Windows 2003 : DNS Scavenging

Configuring DNS Scavenging

In trawling through one of our reverse DNS zones I noticed several duplicate RR entries for DHCP IP addresses; most of which had a time stamp that was several weeks old. In our environment we use DHCP DNS Dynamic Updates for client registration.

At the same time we noticed that McAfee EPO was reporting strange client names, and UNIX systems that perform reverse DNS when using SSH would report the incorrect FQDN for remote connections.

 
Scavenging Options

To resolve all of the above symptoms we needed to implement DNS Scavenging. The internal DNS infrastructure runs from AD-Integrated zones on Windows 2003 R2 x64 Domain Controllers.

DNS Scavenging Terminology

    * No-Refresh Interval; prohibits updates for a specific period.
    * Refresh Interval; allows updates for a specific period after which a record can be deleted.

The *total sum* of these two intervals should equal the DHCP scope lease expiration time, as illustrated below:

 

For example, on an environment with a DHCP lease time of 3 days:
    * No-Refresh Interval: 1 Day
    * Refresh Interval: 2 Days

For a default DHCP environment with a lease time of 8 days:
    * No-Refresh Interval: 3 Days
    * Refresh Interval: 5 Days

Implementation of DNS Scavenging

Scavenging must be enabled at the server level and zone level.

Scavenging should only be enabled on a single DNS server within your environment. This makes troubleshooting much simpler in the event of scavenging failing, and it also makes configuration far simpler.

On the server I have configured the following settings:

On the zone the following settings are required – zone-level settings override server-level settings:
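The server-level and zone-level settings described above can also be applied and read back with dnscmd. The PowerShell wrapper below is an added example, not part of the original post; the server name, zone name and 24-hour scavenging period are assumptions, and the intervals follow the 8-day lease example given earlier.

```powershell
# Added example (not from the original post). Server, zone and scavenging
# period are assumed values; intervals follow the 8-day lease example.
$DnsServer     = 'dns01.internal.local'   # hypothetical: the single scavenging server
$Zone          = '10.in-addr.arpa'        # hypothetical AD-integrated reverse zone
$LeaseDays     = 8
$NoRefreshDays = 3
$RefreshDays   = 5
$ScavengeHours = 24                       # assumed scavenging period
$Apply         = $false                   # $true runs dnscmd; $false only prints

# No-refresh + refresh should add up to the DHCP lease time.
if (($NoRefreshDays + $RefreshDays) -ne $LeaseDays) {
    throw "No-refresh ($NoRefreshDays d) + refresh ($RefreshDays d) does not equal the lease ($LeaseDays d)."
}

# dnscmd takes all aging intervals in hours.
$noRefresh = $NoRefreshDays * 24
$refresh   = $RefreshDays * 24

$steps = @(
    # Server level: enable automatic scavenging and set defaults for new zones
    "/Config /ScavengingInterval $ScavengeHours",
    "/Config /DefaultAgingState 1",
    "/Config /DefaultNoRefreshInterval $noRefresh",
    "/Config /DefaultRefreshInterval $refresh",
    # Zone level: these override the server defaults
    "/Config $Zone /Aging 1",
    "/Config $Zone /NoRefreshInterval $noRefresh",
    "/Config $Zone /RefreshInterval $refresh",
    # Read back the zone settings to confirm them
    "/ZoneInfo $Zone"
)

foreach ($step in $steps) {
    $cmdLine = "dnscmd.exe $DnsServer $step"
    if ($Apply) {
        Write-Host "Running: $cmdLine"
        & dnscmd.exe $DnsServer ($step -split ' ')
        if ($LASTEXITCODE -ne 0) { throw "dnscmd failed: $cmdLine" }
    } else {
        Write-Host "Would run: $cmdLine"
    }
}
```

On Windows Server 2003, dnscmd.exe is installed with the Support Tools.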

 

 


Windows NTFS Compression : Decompress Entire Volume

Windows NTFS Filesystem Compression: Uncompressing An Entire Volume

I recently came across a performance issue on an old x86 WinTel server. After regular diagnosis showed no obvious cause, the issue appeared to be that the root drive was compressed in order to increase available disk space.

The one problem with NTFS compression is this: 

‘When you open a compressed file, Windows automatically decompresses it for you, and when you close the file, Windows compresses it again. This process may decrease your computer performance’ (http://support.microsoft.com/kb/307987)

Using the COMPACT command line tool it is possible to identify all compressed files within a folder and its subfolders. This can be achieved using the command:

compact /I /S

To uncompress all files (assuming you have enough free disk space to do so) you can use the following command to uncompress all compressed files within the current folder and all subdirectories:

compact /U /I /S

After disabling file system compression on the root drive the server is now performing as expected.


Resetting iLO Administrator password on HP BL/Proliant Servers


The process below will allow you to reset the ILO/ILO2 Administrator account password from a Windows Operating system running on the server.

Obtain the HP Online ILO configuration tool from here: http://cb-net.co.uk/downloads/HPONCFG.rar

Execute the following command:

 HPONCFG.exe /f Administrator_reset_pw.xml


 

 


Group Policy Disable Removable Storage Access

Nowadays all security audits will raise the issue of removable storage access. Are you restricting access to Floppy, LS120, CDROM and USB removable storage media? If the answer is no then the ADM file which is available from this article will help you to resolve that.

Download the adm file here.

Simply add this ADM file to the computer administrative templates to be able to restrict access to USB drives, CDROM, Floppy and LS-120 drives.

; Each policy sets the "Start" value of one storage driver service.
; Choosing the "Enabled" item writes Start = 4, which stops the driver from loading.
CLASS MACHINE
CATEGORY !!category
 CATEGORY !!categoryname
  POLICY !!policynameusb
   KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
   EXPLAIN !!explaintextusb
     PART !!labeltextusb DROPDOWNLIST REQUIRED
       VALUENAME "Start"
       ITEMLIST
        NAME !!Disabled VALUE NUMERIC 3 DEFAULT
        NAME !!Enabled VALUE NUMERIC 4
       END ITEMLIST
     END PART
   END POLICY
  POLICY !!policynamecd
   KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
   EXPLAIN !!explaintextcd
     PART !!labeltextcd DROPDOWNLIST REQUIRED
       VALUENAME "Start"
       ITEMLIST
        NAME !!Disabled VALUE NUMERIC 1 DEFAULT
        NAME !!Enabled VALUE NUMERIC 4
       END ITEMLIST
     END PART
   END POLICY
  POLICY !!policynameflpy
   KEYNAME "SYSTEM\CurrentControlSet\Services\Flpydisk"
   EXPLAIN !!explaintextflpy
     PART !!labeltextflpy DROPDOWNLIST REQUIRED
       VALUENAME "Start"
       ITEMLIST
        NAME !!Disabled VALUE NUMERIC 3 DEFAULT
        NAME !!Enabled VALUE NUMERIC 4
       END ITEMLIST
     END PART
   END POLICY
  POLICY !!policynamels120
   KEYNAME "SYSTEM\CurrentControlSet\Services\Sfloppy"
   EXPLAIN !!explaintextls120
     PART !!labeltextls120 DROPDOWNLIST REQUIRED
       VALUENAME "Start"
       ITEMLIST
        NAME !!Disabled VALUE NUMERIC 3 DEFAULT
        NAME !!Enabled VALUE NUMERIC 4
       END ITEMLIST
     END PART
   END POLICY
 END CATEGORY
END CATEGORY

[strings]
category="Custom Policy Settings"
categoryname="Restrict Drives"
policynameusb="Disable USB"
policynamecd="Disable CD-ROM"
policynameflpy="Disable Floppy"
policynamels120="Disable High Capacity Floppy"
explaintextusb="Disables the computers USB ports by disabling the usbstor.sys driver"
explaintextcd="Disables the computers CD-ROM Drive by disabling the cdrom.sys driver"
explaintextflpy="Disables the computers Floppy Drive by disabling the flpydisk.sys driver"
explaintextls120="Disables the computers High Capacity Floppy Drive by disabling the sfloppy.sys driver"
labeltextusb="Disable USB Ports"
labeltextcd="Disable CD-ROM Drive"
labeltextflpy="Disable Floppy Drive"
labeltextls120="Disable High Capacity Floppy Drive"
Enabled="Enabled"
Disabled="Disabled"
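To confirm that the policy has actually reached a machine, the four Start values the template manages can be read back from the registry. The PowerShell check below is an added example, not part of the original article; the function name is hypothetical, and querying a remote computer assumes its Remote Registry service is reachable.

```powershell
# Added example (not from the original article): read back the Start value
# of each driver the ADM template manages and flag any that is not disabled.
$services   = 'USBSTOR', 'Cdrom', 'Flpydisk', 'Sfloppy'
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-RemovableStorageState {      # hypothetical helper name
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    foreach ($computer in $ComputerName) {
        # Remote machines need the Remote Registry service running.
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
        try {
            foreach ($svc in $services) {
                $key   = $hklm.OpenSubKey("SYSTEM\CurrentControlSet\Services\$svc")
                $start = $null
                if ($key) { $start = $key.GetValue('Start'); $key.Close() }

                # A missing key means the driver is not installed on this machine.
                if ($start -eq $null) { $state = 'KeyMissing' }
                else                  { $state = $startNames[[int]$start] }

                New-Object PSObject -Property @{
                    Computer = $computer
                    Driver   = $svc
                    Start    = $start
                    State    = $state
                    # Start = 4 is what the template writes when the policy is "Enabled"
                    Blocked  = ($start -eq 4)
                }
            }
        } finally {
            $hklm.Close()
        }
    }
}

# Report drivers that are still allowed to load on the local machine.
Get-RemovableStorageState | Where-Object { -not $_.Blocked } |
    Format-Table Computer, Driver, Start, State -AutoSize
```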

 


MMC cannot open the file C:\WINDOWS\system32\gpmc.msc : FIX

MMC cannot open the file C:\WINDOWS\system32\gpmc.msc

If you are receiving the following error:

GPMC Error

Simply browse to the following directory, replacing *User_Name* with the affected user's sAMAccountName:

C:\Documents and Settings\*User_Name*\Application Data\Microsoft\MMC

Then delete the ‘gpmc’ file. This will reset the gpmc console to its original configuration, but allow you to use it!


Migration ; Quest Migration Manager – Query Switched Mailboxes

Quest Migration Manager – Query Switched Mailboxes

Quest Migration Manager – SQL query to ascertain the current number of ‘switched’ user accounts. Simply replace ‘#QMM_DB_NAME#’ with the name of the SQL database your Quest migration tools are using.

 

USE #QMM_DB_NAME#
GO

-- List every collection member whose status is 'switched' (STATUS = '1')
SELECT    [DISPLAYNAME], [ADSPATH], [STATUS]
FROM      MEMBERSOFCOLLECTION
WHERE     (STATUS = '1')
ORDER BY  [DISPLAYNAME]

 


FSMO Role Failure Symptoms

Symptoms of FSMO Problems

If one or more of your FSMO role holders has problems, bad things can happen. To help you troubleshoot such situations, the table below describes some of the symptoms that can occur when FSMO role holders go missing or don’t work properly.

Symptom | Possible Role Involved | Reason
Users can’t log on. | PDC Emulator | If system clocks become unsynchronized, Kerberos may fail.
Can’t change passwords. | PDC Emulator | Password changes need this role holder.
Account lockout not working. | PDC Emulator | Account lockout enforcement needs this role holder.
Can’t raise the functional level for a domain. | PDC Emulator | This role holder must be available when raising the domain functional level.
Can’t create new users or groups. | RID Master | RID pool has been depleted.
Problems with universal group memberships. | Infrastructure Master | Cross-domain object references need this role holder.
Can’t add or remove a domain. | Domain Naming Master | Changes to the namespace need this role holder.
Can’t promote or demote a DC. | Domain Naming Master | Changes to the namespace need this role holder.
Can’t modify the schema. | Schema Master | Changes to the schema need this role holder.
Can’t raise the functional level for the forest. | Schema Master | This role holder must be available when raising the forest functional level.

Windows Vista Enable Administrator Account

Run the following command from a command prompt window:

 net user administrator password /active:yes

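This will enable the local administrator account on a Windows Vista computer. Note that the word following the account name is the password the account will be given, so replace ‘password’ with a strong password of your own.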