New blog

After quite a lot of inactivity, mainly due to being very busy at work but also because of the dreadful platform on which this blog sits, I've created a new blog and have started blogging again. The new blog is http://blog.msresource.net and the new focus is around Microsoft Identity Management, specifically in and around the product Microsoft Forefront Identity Manager, as this is the area I now work in.

How to move the WINS database in Windows Server 2008
I appreciate that this topic isn’t going to be too high on people’s lists given that most of us believe WINS is dead and don’t want to deal with it, but it is still there and if you’re refreshing your infrastructure to Windows Server 2008 it makes sense to move WINS to as few central Windows Server 2008 machines as you can manage. If you are in this situation, please allow me to provide this little hint on an approach to moving the WINS database to a different location.
  • Install WINS (it’s a server feature). It can be installed on a full Windows Server 2008 machine by typing servermanagercmd -install WINS-Server, or on a Server Core machine by typing start /w ocsetup WINS-SC.
  • Fire up the management snap-in, right-click on the WINS server and choose Properties. Select the Advanced tab and enter a new path for the WINS database (the default is %windir%\system32\wins). Click OK to close the properties and select No when asked whether you want to restart the service.
  • Stop the service and create the folder structure that you typed for the new location of the WINS database. Pull up the properties of the folder that the WINS database will reside in and select the Security tab, followed by the Advanced button. Click the Edit button, followed by Add, and then type NT SERVICE\WINS into the “Enter the object name to select” area and click Check Names. Accept WINS and grant it Full Control permissions. Click OK as many times as it takes to close all of the properties boxes.
  • Copy the contents of %systemroot%\system32\wins to the new location and start the WINS service.

The point of this blog post is that you can now grant permissions to services, and that’s what you have to do to get this to work. WINS, when displayed in the security UI, is a built-in security principal but isn’t found by simply typing WINS and hitting Check Names. You have to enter NT SERVICE\WINS for the object picker to realise what object you actually want to work with.

Hope this helps. Obviously there are command line options too, but it took me several minutes longer than it should have to work out what was going on here, so I figured I’d post it...
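The same relocation scripted from PowerShell, as an added example that is not part of the original post. It assumes an elevated prompt on the WINS server, that the new path has already been entered on the server’s Advanced tab as described above, and that $NewPath (D:\WINS here) is that location. It also shows why NT SERVICE\WINS works where plain WINS does not: the per-service identity resolves to its own S-1-5-80 SID, and the ACL is checked for that SID before the service is restarted.

```powershell
# Added example (not from the original post): relocate the WINS database on
# Windows Server 2008 from PowerShell, mirroring the snap-in steps above.
# Assumptions: run elevated on the WINS server; $NewPath is the location that
# was already entered on the Advanced tab of the WINS server properties.
param(
    [string]$NewPath = 'D:\WINS',                        # assumed new location
    [string]$OldPath = "$env:SystemRoot\System32\wins"   # default location
)

$svc = 'WINS'
$principal = "NT SERVICE\$svc"   # the per-service SID, not the plain name "WINS"

# The object picker needs "NT SERVICE\WINS" because the service identity is a
# virtual account with its own SID (S-1-5-80-...), not a user or group.
$account = New-Object System.Security.Principal.NTAccount('NT SERVICE', $svc)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
Write-Host "$principal resolves to $($sid.Value)"

# 1. Stop the service before touching its files.
Stop-Service -Name $svc -Force
(Get-Service -Name $svc).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

# 2. Create the folder and grant the service SID Full Control, inherited by
#    files (OI) and subfolders (CI). icacls is built in on Windows Server 2008.
New-Item -ItemType Directory -Path $NewPath -Force | Out-Null
& icacls.exe $NewPath /grant "${principal}:(OI)(CI)F"
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# 3. Copy the database, log and checkpoint files from the old location.
Copy-Item -Path (Join-Path $OldPath '*') -Destination $NewPath -Recurse -Force

# 4. Verify the ACL really carries an Allow/FullControl entry for the service
#    SID before restarting; a failure here is cheaper than a WINS that won't start.
$acl = Get-Acl -Path $NewPath
$fullControl = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $principal -and
    $_.FileSystemRights -eq 'FullControl' -and
    $_.AccessControlType -eq 'Allow'
}
if (-not $fullControl) { throw "$principal does not have Full Control on $NewPath" }

# 5. Start the service and confirm it comes up.
Start-Service -Name $svc
(Get-Service -Name $svc).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
Write-Host "WINS running; database now served from $NewPath"
```

Granting the service SID rather than a broad group such as Users keeps the new folder as tightly scoped as the default %windir%\system32\wins location was.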
Initialising a new disk with DISKPART
If you’ve been using Windows Server 2008 Server Core you’ll notice that some of the mundane, simple tasks that you take for granted are no longer quite so simple. One such example is the way that the Disk Management snap-in automatically discovers a new disk and runs a wizard that allows you to initialise the disk. Without Disk Management, initialising this disk isn’t quite as straightforward. There's no INITIALIZE command in DISKPART, that’s for sure!

So, how then, do we initialise a new disk so that we can create a partition (or volume) on it? We mark it as read/write (it defaults to read only) using the ATTRIBUTES context. Like so:
DISKPART> attributes disk clear readonly

Before we can do this we need to select a disk, which we do with the SELECT DISK command after viewing the available disks using the LIST DISK command, like so:
DISKPART> list disk

  Disk ###  Status      Size     Free     Dyn  Gpt
  --------  ----------  -------  -------  ---  ---
  Disk 0    Online        93 GB      0 B
  Disk 1    Online      3900 MB      0 B
  Disk 2    Online       149 GB      0 B

DISKPART> select disk 2

Disk 2 is now the selected disk.
DISKPART> attributes disk clear readonly

Disk attributes cleared successfully.

Hope this helps! If you’d rather use the Disk Management UI (MMC snap-in), see the next post for information on how to configure that to work.
Remotely managing the disk management snap-in in Windows Server 2008
You might have noticed, particularly if you’re working with Server Core, that even when your Windows Server 2008 machines are members of a domain you get an “RPC server unavailable” type message when attempting to connect to the Disk Management snap-in of a remote machine. While this isn’t specific to Server Core, it has been noticed there because a remote instance of Disk Management is preferable to DISKPART for many people.

The reason you cannot connect to the Disk Management snap-in, or more specifically why the Disk Management snap-in cannot connect to the Virtual Disk Service, is simply a matter of the firewall rules. The firewall is enabled by default on Windows Server 2008 systems.

The interesting aspect of this is that simply enabling the rules in the “Remote Volume Management” firewall group on the target isn’t enough to allow this to work either. In addition, you need to have the “Remote Volume Management – Virtual Disk Service Loader (RPC)” firewall rule enabled on the source system too.

Summarised, if you’re trying to manage win2008svr06 with win2008svr03 you need the following rules enabled (minimum required to configure this):

Win2008svr06 (target machine)

  • Remote Volume Management - Virtual Disk Service (RPC)
  • Remote Volume Management - Virtual Disk Service Loader (RPC)
  • Remote Volume Management (RPC-EPMAP)

Win2008svr03 (source machine)

  • Remote Volume Management - Virtual Disk Service Loader (RPC)

Realistically, you need to ensure that all Windows Server 2008 member servers have all three rules in the Remote Volume Management group enabled, thus allowing any Windows Server 2008 server to remotely manage any other Windows Server 2008 server’s disk configuration (permissions permitting).

The nice thing with Windows Server 2008 is that you can configure these firewall rules using Group Policy. So rolling this setting to all your machines is nice and easy.

You use the following portion of Group Policy:
Computer Configuration | Policies | Windows Settings | Security Settings | Windows Firewall with Advanced Security | Windows Firewall with Advanced Security | Inbound Rules
Right-clicking on “Inbound Rules” and choosing “New Rule” results in the “New Inbound Rule Wizard”. Selecting “Remote Volume Management” from the “Predefined” list, followed by “Next”, “Next” again (accepting the defaults) and then “Next” again (accepting the default “Allow the connection”), followed by “Finish”, results in the necessary settings being configured.

Hope this helps!
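For machines that are not covered by Group Policy (a stand-alone Server Core box, say), the same rules can be enabled and verified with netsh advfirewall, which is present on Windows Server 2008. This is an added example, not the post’s own code; it assumes an elevated prompt, English-language netsh output, and that $Role says whether the machine is the one being managed (target, all three rules in the group) or the one running the snap-in (source, loader rule only). The optional $ManagementSubnet is an assumption of mine that narrows the rules to a management network rather than leaving them open to any remote address.

```powershell
# Added example, not from the original post: enable the Remote Volume Management
# firewall rules with netsh advfirewall on Windows Server 2008 and verify them.
# Assumptions: run elevated; $Role is 'target' (machine being managed) or
# 'source' (machine running the snap-in); $ManagementSubnet, if given, scopes
# the rules to that remote address range instead of any address.
param(
    [ValidateSet('target', 'source')][string]$Role = 'target',
    [string]$ManagementSubnet                         # e.g. '10.0.0.0/24' (assumed)
)

$group  = 'Remote Volume Management'
$loader = 'Remote Volume Management - Virtual Disk Service Loader (RPC)'

# The target needs the whole group (all three rules in the post); the source
# needs only the Virtual Disk Service Loader rule.
$selector = if ($Role -eq 'target') { "group=$group" } else { "name=$loader" }

$netshArgs = @('advfirewall', 'firewall', 'set', 'rule', $selector, 'dir=in', 'new', 'enable=yes')
if ($ManagementSubnet) { $netshArgs += "remoteip=$ManagementSubnet" }

& netsh.exe @netshArgs
if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE" }

# Verify: dump the inbound rules, split them into per-rule blocks and report the
# Enabled flag of every rule in the Remote Volume Management group.
$dump = & netsh.exe advfirewall firewall show rule name=all dir=in | Out-String
$blocks = $dump -split '(?:\r?\n){2,}' | Where-Object { $_ -match "Grouping:\s+$([regex]::Escape($group))" }

$report = foreach ($block in $blocks) {
    $name    = [regex]::Match($block, 'Rule Name:\s+(.+)').Groups[1].Value.Trim()
    $enabled = [regex]::Match($block, 'Enabled:\s+(\w+)').Groups[1].Value
    New-Object PSObject -Property @{ Rule = $name; Enabled = $enabled }
}
$report | Format-Table Rule, Enabled -AutoSize

# Fail loudly if the rule(s) this role needs are not enabled.
$needed = if ($Role -eq 'target') { $report } else { $report | Where-Object { $_.Rule -eq $loader } }
$missing = $needed | Where-Object { $_.Enabled -ne 'Yes' }
if ($missing) { throw "Not enabled: $(($missing | ForEach-Object { $_.Rule }) -join '; ')" }
Write-Host "$Role rules for '$group' are enabled"
```

Run it once on the target with -Role target and once on the source with -Role source; the same permissions caveat from the post applies, as the firewall only decides whether the RPC call arrives, not whether the caller is allowed to manage disks.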
So how do I know what drive letters apply to what disks in Server Core?
So how do I know what drive letters apply to what disks in Server Core? The “My Computer” window (or “Computer”, as it’s now called) provides some useful information that isn’t immediately available to someone faced with a command window, i.e. a Windows Server 2008 Server Core user.

When faced with that lovely C:\Documents\paulw-a> prompt, how does one go about ascertaining the drive letter of the DVDROM drive, the USB stick and the USB HDD that are plugged into the server without simply guessing and randomly typing d: e: l: etc.?

The answer isn’t as obvious as it could be, but it is pretty trivial with the DISKPART “shell”: LIST VOLUME is the command. Here’s me running this against my laptop to illustrate its use (there’s no cut and paste in Hyper-V, so Windows Vista SP1 DISKPART will have to do!).

Microsoft DiskPart version 6.0.6001
Copyright (C) 1999-2007 Microsoft Corporation.
On computer: x64vistasp1-01

DISKPART> list volume

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
  Volume 0     D   LIONS_FOR_L  UDF    DVD-ROM     5166 MB  Healthy
  Volume 1     X                       DVD-ROM        0 B   No Media
  Volume 2     C   OS           NTFS   Partition     93 GB  Healthy    System
  Volume 3     U   4GBSD        NTFS   Removable   3896 MB  Healthy
  Volume 4     T   FC160GBUSB2  NTFS   Partition    149 GB  Healthy

Leaving DiskPart...

Better than nothing right?
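Both of the DISKPART posts above (clearing the read-only attribute on a new disk, and LIST VOLUME to find drive letters) can be driven non-interactively from a Server Core PowerShell prompt. The script below is an added example, not code from the original posts; it assumes an elevated prompt and that $DiskNumber is the disk to initialise (2, as in the session above). It parses LIST DISK before touching anything, refuses a disk that is not Online, clears the read-only attribute only when DISKPART reports it set, and finishes with LIST VOLUME.

```powershell
# Added example (not from the original posts): drive DISKPART from PowerShell
# via "diskpart /s", with checks around the attribute change.
# Assumptions: run elevated on Windows Server 2008 (Server Core or full);
# $DiskNumber is the new disk; -WhatIf reports without changing anything.
param([int]$DiskNumber = 2, [switch]$WhatIf)

function Invoke-DiskPart {
    # Write the commands to a temporary script, run diskpart /s, return its lines.
    param([string[]]$Commands)
    $script = [System.IO.Path]::GetTempFileName()
    try {
        $Commands | Set-Content -Path $script -Encoding ASCII
        & diskpart.exe /s $script
    } finally {
        Remove-Item -Path $script -Force -ErrorAction SilentlyContinue
    }
}

# Parse LIST DISK rows such as "  Disk 2    Online      149 GB      0 B".
$disks = Invoke-DiskPart 'list disk' | ForEach-Object {
    if ($_ -match '^\s*Disk\s+(\d+)\s+(\S+)\s+(\d+\s+\S+)\s+(\d+\s+\S+)') {
        New-Object PSObject -Property @{
            Number = [int]$Matches[1]; Status = $Matches[2]
            Size   = $Matches[3];      Free   = $Matches[4]
        }
    }
}
$disks | Format-Table Number, Status, Size, Free -AutoSize

$target = $disks | Where-Object { $_.Number -eq $DiskNumber }
if (-not $target) { throw "Disk $DiskNumber not found in LIST DISK output" }
if ($target.Status -ne 'Online') { throw "Disk $DiskNumber is $($target.Status), not Online" }

# ATTRIBUTES DISK (no arguments) reports the current read-only state.
$state = Invoke-DiskPart "select disk $DiskNumber", 'attributes disk'
$isReadOnly = [bool]($state | Where-Object { $_ -match 'Read-only\s*:\s*Yes' })
Write-Host "Disk $DiskNumber read-only: $isReadOnly"

if (-not $isReadOnly) {
    Write-Host "Nothing to clear; disk $DiskNumber is already writable"
} elseif ($WhatIf) {
    Write-Host "Would run: attributes disk clear readonly (disk $DiskNumber)"
} else {
    $result = Invoke-DiskPart "select disk $DiskNumber", 'attributes disk clear readonly'
    if (-not ($result -match 'cleared successfully')) {
        throw "DISKPART did not confirm the change:`n$($result -join "`n")"
    }
    Write-Host "Read-only attribute cleared on disk $DiskNumber"
}

# Finally, show the drive-letter-to-volume mapping from the second post.
Invoke-DiskPart 'list volume'
```

Because the temporary script is removed in the finally block, nothing is left behind on the box, and the Online check stops the script from quietly selecting a disk that DISKPART reports as Offline or Missing.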
Troubleshooting Microsoft Application Virtualization/ SoftGrid error 0060922C-800736B1

I’ve been evaluating Microsoft Application Virtualization, a.k.a. SoftGrid, which is now part of the Microsoft Desktop Optimization Pack (MDOP) and, like all technical people, I just dived in at the deep end without reading anything and tried to get it all working myself. I’m a seasoned technical consultant, for crying out loud; what do I need instructions for, right?

Well, suffice to say I had a problem or two. One of them looked like this in the log file (default location C:\Program Files\Softricity\SoftGrid for Windows Desktops\SFTLOG.TXT):
[05/01/2008 13:36:09.396 VSCM INF] {tid=47C}
Starting automatic service 'MDM'.

[05/01/2008 13:36:26.488 SWAP INF] {hap=13:app=Microsoft Office Word 2007 12.0.4518.1014:tid=47C:usr=olliew}
Elapsed time for upload: 23.434 seconds

[05/01/2008 13:36:26.799 ???? ERR] {tid=47C:usr=olliew}
Unable to CreateProcess (rc 0060922C-800736B1)

[05/01/2008 13:36:26.799 SWAP ERR] {hap=13:app=Microsoft Office Word 2007 12.0.4518.1014:tid=47C:usr=olliew}
The client could not launch Q:\Microsoft Office\Office12\WINWORD.EXE (rc 0060922C-800736B1, last error 0).

[05/01/2008 13:39:45.230 VSCM INF] {tid=F98}
Starting automatic service 'MDM'.

[05/01/2008 13:39:47.155 SWAP INF] {hap=14:app=Microsoft Office Word 2007 12.0.4518.1014:tid=F98:usr=olliew}
Elapsed time for upload: 2.313 seconds

[05/01/2008 13:39:47.165 ???? ERR] {tid=F98:usr=olliew}
Unable to CreateProcess (rc 0060922C-800736B1)

[05/01/2008 13:39:47.165 SWAP ERR] {hap=14:app=Microsoft Office Word 2007 12.0.4518.1014:tid=F98:usr=olliew}
The client could not launch Q:\Microsoft Office\Office12\WINWORD.EXE (rc 0060922C-800736B1, last error 0).

It turns out this is a result of not having the Microsoft Visual C++ Runtime package installed on the client computer. Downloading and installing the runtime fixed this problem for me.
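A small log parser for SFTLOG.TXT, added here as an example rather than anything from the original post. The rc value the client writes is two hex words; the second (800736B1) has the shape of an HRESULT whose facility is FACILITY_WIN32, so its low 16 bits are a plain Win32 error code that System.ComponentModel.Win32Exception can turn into text. The script extracts every ERR entry, pairs it with the line that follows, decodes the rc, and groups the failures by application and code. The embedded $sample is constructed from the log lines in the post; pass -LogPath to run it over a real file.

```powershell
# Added example, not from the original post: extract launch failures from the
# SoftGrid client log and decode the rc code. Assumption: the rc's second half
# is an HRESULT; when its facility is FACILITY_WIN32 (7) the low word is a
# Win32 error code. $sample is constructed from the log lines in the post.
param([string]$LogPath)

$sample = @'
[05/01/2008 13:36:26.799 ???? ERR] {tid=47C:usr=olliew}
Unable to CreateProcess (rc 0060922C-800736B1)

[05/01/2008 13:36:26.799 SWAP ERR] {hap=13:app=Microsoft Office Word 2007 12.0.4518.1014:tid=47C:usr=olliew}
The client could not launch Q:\Microsoft Office\Office12\WINWORD.EXE (rc 0060922C-800736B1, last error 0).

[05/01/2008 13:39:47.165 SWAP ERR] {hap=14:app=Microsoft Office Word 2007 12.0.4518.1014:tid=F98:usr=olliew}
The client could not launch Q:\Microsoft Office\Office12\WINWORD.EXE (rc 0060922C-800736B1, last error 0).
'@

$lines = if ($LogPath) { Get-Content -Path $LogPath } else { $sample -split "`r?`n" }

function ConvertFrom-SftRc {
    # Split "0060922C-800736B1" into the client code and the HRESULT half.
    param([string]$Rc)
    $parts    = $Rc -split '-'
    $hresult  = [Convert]::ToInt64($parts[1], 16)
    $facility = ($hresult -shr 16) -band 0x7FF
    $code     = $hresult -band 0xFFFF
    $message  = if ($facility -eq 7) {
        (New-Object System.ComponentModel.Win32Exception([int]$code)).Message
    } else { "facility $facility is not FACILITY_WIN32; no Win32 text" }
    New-Object PSObject -Property @{
        ClientCode = $parts[0]
        HResult    = ('0x{0:X8}' -f $hresult)
        Win32Code  = $code
        Message    = $message
    }
}

# Header line: [<timestamp> <component> ERR] {key=value:key=value}
$header = '^\[(?<ts>\S+ \S+)\s+(?<comp>\S+)\s+ERR\]\s+\{(?<ctx>[^}]*)\}'
$results = @()
for ($i = 0; $i -lt $lines.Count - 1; $i++) {
    if ($lines[$i] -notmatch $header) { continue }
    $h = $Matches                       # keep a copy; the next -match replaces $Matches
    if ($lines[$i + 1] -notmatch 'rc (?<rc>[0-9A-F]{8}-[0-9A-F]{8})') { continue }
    $rc  = $Matches['rc']
    $app = if ($h['ctx'] -match 'app=([^:]+)') { $Matches[1] } else { '' }
    $usr = if ($h['ctx'] -match 'usr=([^:]+)') { $Matches[1] } else { '' }
    $decoded = ConvertFrom-SftRc $rc
    $results += New-Object PSObject -Property @{
        Time = $h['ts']; Component = $h['comp']; User = $usr; App = $app
        Rc = $rc; Win32Code = $decoded.Win32Code; Message = $decoded.Message
    }
}

$results | Format-Table Time, Component, User, App, Win32Code -AutoSize
# One line per distinct failure, so repeated launches of the same app don't drown the signal.
$results | Group-Object App, Rc | ForEach-Object {
    $first = $_.Group[0]
    "{0} x{1}: rc {2} -> Win32 {3}: {4}" -f $first.App, $_.Count, $first.Rc, $first.Win32Code, $first.Message
}
```

For the rc in this post the low word is 0x36B1, i.e. Win32 error 14001, whose text on Windows refers to an incorrect application configuration (a side-by-side assembly that could not be resolved), which is consistent with the missing Visual C++ runtime the post identifies as the cause.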
Moving and renaming Active Directory objects in LDIF using LDIFDE
I was in the middle of writing a post for this blog (on AD recovery and the new database mount tool, if you’re interested) the other day when I needed to make some quick changes to a reanimated tombstone using LDIFDE. I couldn’t remember the correct syntax as it had been ages since I last used MODRDN in LDIFDE, so I decided to search for what I needed. Well, when several minutes of frantic Googling didn’t yield an answer I had to really start messing around (with LDIFDE as well as more searching). Eventually I achieved what I needed to achieve, but it took me a lot longer than it should have! While searching I realised that the LDIFDE documentation doesn’t really go into LDIF and there’s very little information on the Microsoft web site about LDIF. In fact, almost all LDIF information out there seems to be found in the RFCs or on the non-MS directory server documentation sites and forums. Because there’s so little information on the subject of moving and/ or renaming objects using LDIF in Active Directory I thought I’d better get some information about this “out there”, as it were...
Windows Server 2008 Active Directory Domain Services Last Interactive Logon Information Feature
If you’ve been reading through the Windows Server 2008 documentation or attending events discussing Windows Server 2008 Active Directory Domain Services (AD DS) you might have noticed that one of the new features that is enabled with Windows Server 2008 Domain Functional Level (DFL3) is something referred to as “Last Interactive Logon Information”. Essentially, this is a Windows NT 6.x (Vista and Server 2008 at the moment) Winlogon feature. With this feature enabled, when you perform an interactive logon to an NT 6.x domain member Winlogon presents information depicting the last successful and unsuccessful logon times, as well as the number of unsuccessful interactive logon attempts.
Troubleshooting ILM (MIIS) Failed: Filter Rejection (rejected-by-filter) error
As stated in previous posts on the topic of troubleshooting ILM (a.k.a. MIIS) errors, I’m posting problems, resolutions and reasons for certain errors that I’ve hit in MIIS or, more specifically with this next one, ILM “2”. While the other posts were quick and easy to work out, this one took a lot more time and I couldn’t find much information on the web about it either. Basically, the ILM2 MA wasn’t performing outbound synchronisation. Now the actual MA is pretty irrelevant here; what’s important is that when I was previewing an object in the MA’s CS I was getting a “synchronisation successful” status, however when I looked at the Provisioning summary “node” I was seeing a status of “rejected-by-filter”. Expanding that and looking at the Connector Add “node”, the MA was my AD MA, the object type was user and the status was Failed: Filter Rejection.
Troubleshooting the Microsoft.MetadirectoryServices.MissingParentObjectException Error
I’ve been re-acquainting myself with ILM of late and hit a couple of errors that had me stumped from anywhere between a couple of minutes and four hours! So, I thought I’d provide some brief information on the error and the reason I encountered it. I’ll post each error as a separate blog post to keep the entry concise and for search-engine reasons. The second error I hit was Microsoft.MetadirectoryServices.MissingParentObjectException. In my case the stack trace looked like this:
Troubleshooting the Microsoft.MetadirectoryServices.NoCompatiblePartitionFoundException Error
I’ve been re-acquainting myself with ILM of late and hit a couple of errors that had me stumped from anywhere between a couple of minutes and four hours! So, I thought I’d provide some brief information on the error and the reason I encountered it. I’ll post each error as a separate blog post to keep the entry concise and for search-engine reasons. The first error I hit was Microsoft.MetadirectoryServices.NoCompatiblePartitionFoundException. In my case, the stack trace looked like this:
Prompting for the computer name in an unattended installation of Windows Server 2008
I mentioned in a previous post that I’d been working with some customers on Windows Server 2008 automated installations of the traditional kind, i.e. using an answer file as opposed to the newer technologies such as WDS and MS Deployment. Well, a question came up that wasn’t as easy to answer as you might think. It was something like this “Can we get it [Windows Server 2008 unattended installation] to prompt for a computer name during installation as opposed to performing the rename as a post installation task?” If any of you have been playing with Vista unattended installations you’ll no doubt shout “sure, that’s easy” or “I was getting Vista to do that when I didn’t want it to”, however Server 2008 doesn’t prompt for a computer name during a full unattended installation at all. You’ll be prompted if you simply wish to automate the Out of Box Experience (OOBE) after SYSPREP has been run, but ignoring the ComputerName property in the autounattend.xml file will result in a random name, just like using the wildcard value in Vista.
Mailbox-enabling many users with the Exchange 2007 management shell (PowerShell)
As you might have seen from some of my previous posts I’m doing some work with the ILM “2” beta. One of the pre-requisites for ILM “2” is Exchange 2007, so one of my test labs happens to consist of a 64-bit Windows Server 2003 R2 domain controller running Exchange 2007 SP1 (yeah, I know this isn’t really good practice, but this is a lab) and a 64-bit Windows Server 2008 running ILM and all its pre-requisite bits. Anyway, I created some sample users in the AD using good old CSVDE (as I wanted to use the names of characters from novels I’ve read recently) and needed to mailbox-enable these users. At this point I was running the RTM version of Exchange and there doesn’t appear to be a way to mailbox enable many users at once using the UI, so I had to drop into PowerShell (which I’ve been avoiding learning) and do this. Here’s how I did it.
Disabling custom errors in Windows SharePoint Services (WSS) 3.0
You might have noticed from my previous post that, because of the ILM “2” beta, I’m having to get my hands a little dirty with SharePoint Services, specifically Windows SharePoint Services (WSS) 3.0 Service Pack 1 (SP1). Well, I hit a known bug in ILM “2” beta 2 (although it wasn’t known to me) and I couldn’t get anywhere with the ILM “2” Portal error messages. I needed to see the real error messages, and to do this you’ve got to disable Custom Errors and enable stack tracing in WSS. This is scattered all over the web, but I’m going to post it here too...
Disabling logging in Windows SharePoint Services (WSS) 3.0
One of the pre-requisites for ILM “2” is SharePoint Services. SharePoint Services 3.0 is no longer part of Windows Server 2008 (it was during beta), but is available as a free download from Microsoft’s website. In order to install and run SharePoint Services on Windows Server 2008 you need to install the SP1 version. This is available in both x86 and x64 flavours. If, like me, you don’t really know anything about SharePoint other than what it is and what it looks like, then you’ll probably simply install it using the defaults. This is fine for ILM “2”; however, a word of warning: out of the box all of the logging is enabled. The default installation will write these logs to the following location:
Automating Windows Server 2008 installations
I’ve been working with a couple of customers on Windows Server 2008 automation, specifically non-Microsoft deployment and non-WDS automated builds. Seeing as I had quite a bit of fun, to put it mildly, getting these answer files working I thought I’d write a quick blog post or two on the subject.
Finding the Virtual Server Hosts in your domain
A customer asked me in passing how one goes about finding the Virtual Server hosts in a domain or an enterprise. Well, it just so happened that I’d been playing with Virtual Server 2005 R2 Service Pack 1 (SP1) and noticed that, due to me being offline, my computer (the host in this case) was having some problems registering a service connection point (SCP) object. The reason for that is nice and easy: I was sitting in my office in the house and I didn’t have a VPN established, but it did make me realise that there’s the answer to this person’s question: query Active Directory for the Virtual Server 2005 SCPs...
Querying for an InvocationID in retiredReplDSASignatures yields more than one result
Somebody asked me in passing how querying retiredReplDSASignatures (Retired-Repl-DSA-Signatures) for a given invocationID (Invocation-ID) can yield more than one result. Well, says I, as interesting a question as that is I'm afraid the answer is rather simple - the duplicate retired invocationID is most likely a result of you having performed an IFM installation of a domain controller.
Creating an Active Directory test lab environment from your production AD forest
The question of how one can create a copy of the existing production Active Directory environment for testing purposes is a frequent one in the forums and groups. There are several ways of doing this: backup/restore, cloning, attribute import/ export, etc., but the easiest and probably one of the cleanest ways of doing this is to introduce a new server into the production environment, shut it down and move it to the test lab, and then clean up the production environment and the test environment. In this post I’ll explain a nice approach to doing this.
Group Policy Restricted Groups
Having spoken with customers and techies from the community I’ve been surprised at the number of misconceptions around the Group Policy Restricted Groups security setting. This isn’t all that surprising, I guess, as the documentation is a little confusing and possibly misleading. I’m going to try and set the record straight here. First off, we’ll start with a little background.
Creating a self-signed SSL certificate for testing purposes
If you’re doing any kind of development work with ADAM (or IIS) it’s highly likely that your initial “sandpit” ADAM instance falls into one of three categories:
  • Local instance on your XP (or Vista) workstation
  • Instance(s) on a couple of stand-alone servers
  • Instance(s) on a couple of member servers in a very simple domain
The point here is that there’s probably no Certification Authority (CA) to provide you with an SSL certificate. Now sure, you can test without SSL in the lab, but realistically at some point you find yourself needing SSL, and not having a CA infrastructure is a pain.

So, what can we do about it? Well, the answer’s pretty simple really: create some self-signed [testing only] certificates and use SSL.