Thursday, 31 July 2008

Windows 2008 Active Directory, deleting OUs

Today I found some new default permissions on Windows 2008 Active Directory Organizational Units (OU). I had created an OU in my nice new Windows 2008 Active Directory to provision servers into. Now that I have created my OU structure I tried to delete my redundant OU and received the error message –

You do not have sufficient privileges to delete MyOUName, or this object is protected from accidental deletion.

So I immediately switched on Advanced Features in Active Directory Users and Computers so that I can access the Security tab of the OU. When I clicked Advanced there was one explicit Deny permission set for Everyone with Special permissions. These Special permissions were Deny Delete and Deny Delete Subtree. Of course by un-checking these options I could delete the OU.

I think this is an awesome subtle improvement. I have actually worked for a company where a user with Administrative permissions accidentally deleted an enormous OU with thousands of users, computers, printers and customisations. Denying delete permissions to Everyone by default means that you can no longer accidentally delete an OU. You need to be fully aware of what you are doing, because you have to go and remove this permission each time. Kudos MS.
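The protection described above is just an explicit ACE on the OU (Deny Delete and Delete Subtree for Everyone), which means it can be audited and re-applied like any other permission. The following is an added example, not code from the original post: it walks every OU in the domain through System.DirectoryServices (so no ActiveDirectory module is needed) and reports those that lack the Deny ACE, with a helper that adds the same ACE back. It assumes it runs as a user with write access to the OUs and that the domain is the one the machine is joined to (read from RootDSE).

```powershell
# Added example: audit and (optionally) re-apply the accidental-deletion ACE
# described in the post: an explicit Deny of Delete + Delete Subtree for Everyone.
$everyoneSid  = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$deleteRights = [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree'

function Test-OuDeleteProtection {
    param([string]$DistinguishedName)
    $ou = [ADSI]"LDAP://$DistinguishedName"
    # Explicit rules only; the wizard writes the ACE directly on the OU.
    $rules = $ou.ObjectSecurity.GetAccessRules($true, $false,
                 [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -eq 'Deny' -and
            $rule.IdentityReference.Value -eq 'S-1-1-0' -and
            (($rule.ActiveDirectoryRights -band $deleteRights) -eq $deleteRights)) {
            return $true
        }
    }
    return $false
}

function Set-OuDeleteProtection {
    param([string]$DistinguishedName)
    $ou = [ADSI]"LDAP://$DistinguishedName"
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $everyoneSid, $deleteRights,
                [System.Security.AccessControl.AccessControlType]::Deny)
    $ou.ObjectSecurity.AddAccessRule($rule)
    $ou.CommitChanges()
}

# Enumerate every OU in the current domain and list the unprotected ones.
$rootDse  = [ADSI]'LDAP://RootDSE'
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
$searcher.Filter     = '(objectClass=organizationalUnit)'
$searcher.PageSize   = 1000
foreach ($result in $searcher.FindAll()) {
    $dn = $result.Properties['distinguishedname'][0]
    if (-not (Test-OuDeleteProtection $dn)) {
        Write-Output "UNPROTECTED: $dn"
        # Uncomment to put the Deny ACE back on OUs that have lost it:
        # Set-OuDeleteProtection $dn
    }
}
```

Run it read-only first; the apply line is commented out so the audit can be scheduled on its own. Deleting an OU deliberately then becomes a two-step operation (remove the ACE, delete), which is exactly the speed bump the post is praising.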

Wednesday, 30 July 2008

Microsoft Provisioning Services, Locales

I am currently setting up the Microsoft Provisioning Services (MPS) components as part of the HMC 4.5 installation for my Hosted Exchange POC. When attempting to assign some of the core MPS components to a server I received the following error message - The server xxxxx either does not exist, is offline or fails one or more prerequisite checks. Do you want to assign the server anyway? Now is that a cover-all error message or what!? When I clicked on Details I found a much more explanatory reason, but a very frustrating one too:

Exception: Microsoft.Provisioning.DeploymentTool.Engine.ServerPrerequisiteException
Message: Default server locale is 2057, should be one of: 1033


It turns out that Microsoft have only tested MPS on the English (United States) locale, and therefore that is the only locale I can install MPS onto! So after ensuring I had installed every locale configuration as English (United Kingdom) for my MPS servers, I now have to change them all back. Joy.

Side note - when you have changed all the locales on your servers to English (United States) you will need to close the Provisioning Deployment Tool and open it again. For some reason it still seemed to think the servers had the wrong default until the application was restarted.
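The two numbers in that error are plain LCIDs (2057 is en-GB, 1033 is en-US), so the prerequisite can be checked across all the MPS servers before the Deployment Tool is even opened. The following is an added example, not code from the original post or from MPS: it reads the system default locale from each server's registry and flags anything other than 1033. It assumes the Remote Registry service is reachable on the targets and that the value MPS compares is the system locale held in Nls\Language\Default (a hex LCID string); the server names are constructed placeholders.

```powershell
# Added example: pre-flight the "Default server locale should be 1033" check.
$RequiredLcid = 1033    # en-US, the only locale the MPS prerequisite accepts

function Get-SystemLocaleId {
    param([string]$ComputerName)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    $key = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Nls\Language')
    $hex = $key.GetValue('Default')      # e.g. "0409" (en-US) or "0809" (en-GB)
    $key.Close(); $hklm.Close()
    return [Convert]::ToInt32($hex, 16)  # "0809" -> 2057, "0409" -> 1033
}

function Test-MpsLocale {
    param([string[]]$Servers)
    foreach ($server in $Servers) {
        $lcid    = Get-SystemLocaleId $server
        $culture = New-Object System.Globalization.CultureInfo($lcid)
        $status  = 'FIX'
        if ($lcid -eq $RequiredLcid) { $status = 'OK' }
        Write-Output ('{0,-4} {1,-20} LCID {2} ({3})' -f $status, $server, $lcid, $culture.Name)
    }
}

# Constructed server names for the POC; replace with the real MPS server list.
Test-MpsLocale -Servers 'mps-engine01', 'mps-web01', 'mps-sql01'
```

Anything reported as FIX needs the locale changed and, as the side note above says, the Provisioning Deployment Tool closed and reopened before it notices.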

Active Directory “List Object Mode”

Active Directory normally has three visible READ permissions: List Contents, Read All Properties and Read Permissions. These permissions cover the majority of Active Directory's read-related permissions. There is however a fourth READ permission, not enabled by default: List Object.

The List Contents permission would normally list all immediate child objects. With the List Object permission enabled, Active Directory can hide individual objects that List Contents would otherwise return.

Why is this useful?

In the shared Active Directory configuration of a multi-tenancy hosting solution, different organizations share the same domain. In this shared hosting environment, it is important to ensure that only authorized users can access the information and configuration settings for a given organization.

To set Active Directory to List Object mode open ADSIEdit.msc. Expand the Configuration container, CN=Services, CN=Windows NT. Right-click Directory Service, and click Properties. Change the dsHeuristics attribute to 001.
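One thing worth knowing before typing 001 into ADSIEdit: dsHeuristics is a positional string, and List Object mode is only its third character. If the attribute already holds other settings, overwriting it with the literal 001 silently clears them. The following is an added example, not code from the original post: it locates the Directory Service object through RootDSE and changes just position 3, leaving the rest of the string as it was. The function name and its Preview switch are my own.

```powershell
# Added example: enable List Object mode by editing only character 3 of dsHeuristics.
function Get-DsHeuristicsObject {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.configurationNamingContext
    return [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
}

function Set-DsHeuristicsChar {
    param([int]$Position, [string]$Value, [switch]$Preview)
    $ds      = Get-DsHeuristicsObject
    $current = [string]$ds.dsHeuristics          # "" when the attribute is not set
    # Pad with zeros up to the position being changed, then swap that one character.
    # (If you ever extend past position 9, remember every 10th character is a
    #  check digit: the 10th must be "1", the 20th "2", and so on.)
    $padded = $current.PadRight($Position, '0')
    $new    = $padded.Substring(0, $Position - 1) + $Value + $padded.Substring($Position)
    Write-Output "dsHeuristics: '$current' -> '$new'"
    if (-not $Preview) {
        $ds.Put('dsHeuristics', $new)
        $ds.SetInfo()
    }
}

# Character 3 (fDoListObject): 1 turns List Object mode on, 0 turns it off again.
Set-DsHeuristicsChar -Position 3 -Value '1' -Preview    # show the before/after only
# Set-DsHeuristicsChar -Position 3 -Value '1'           # apply the change
```

Run the Preview form first; on a fresh forest the output is simply '' -> '001', which matches the value the post sets by hand. Because the attribute is forest-wide, the change replicates to every domain controller.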

Tuesday, 29 July 2008

Windows 2008 Hibernation

Why on earth would anyone want the ability to hibernate their server? It seems that Windows 2008 server (Standard, Enterprise and Core) all have hibernation enabled by default. I found out about this strange setting when trying to figure out where all my system volume disk space was being used and came across Hiberfil.sys in the root of the system volume.

Of course this file is a hidden system file, so the easiest way to see it is to open a CMD prompt and enter Dir C:\ /A:SH

Now when I say Hibernation is enabled – it is not enabled in any of my Power Options in the control panel. If I select the currently selected power plan and navigate to the options to change the advanced settings the Hibernate After setting is disabled (as is Sleep after). It seems the only way to safely get rid of this large file (assuming you do not want to hibernate your servers?!) is to run the following command

Powercfg /Hibernate off

Monday, 28 July 2008

Windows 2008 Activation (KMS)

This morning I went to work with my new POC environment which contains 8 Windows Server 2008 machines installed using my company Volume License Key. They all had a warning message:

Windows could not be activated.
Key management services (KMS) could not be located in Domain name system (DNS), please have your system administrator verify that a KMS is published correctly in DNS.

I think these kinds of error messages from MS are amusing. Who is this higher entity known as “System Administrator”? He seems to be the oracle of all knowledge according to all my Operating System errors! Oh yeah, that is supposed to be me? Well, I have not configured anything to do with KMS in my DNS just yet. I am aware that the licensing and activation of Windows Server 2008 is different. Guess I better RTFM...

Okay, after a bit of RTFM it seems that, as I use Volume Licensing Keys in my company, I need to become familiar with MS Volume Activation 2.0:
http://technet.microsoft.com/en-us/library/bb892849(TechNet.10).aspx
Of the two methods, Key Management Service (KMS) or Multiple Activation Key (MAK), it seems KMS is more relevant to my requirements in a POC environment. KMS allows me to activate servers within my own network, whilst MAK activates servers against MS's hosted activation services.

To install KMS on one of my Windows Server 2008 machines:

From the command prompt change the directory to C:\Windows\System32
Type slmgr.vbs /ipk %Insert your VLK% (e.g. slmgr.vbs /ipk ABCDE-12345-ABCDE-12345-ABCDE)
After a few minutes I get a message stating “Installed product key %My VLK% successfully”
Type slmgr.vbs /ato
After a few minutes I get a message stating “Product activated successfully”
Restart the Software Licensing service
Create a DNS SRV record in DNS
Open DNS Manager
Right-click the domain, and then click Other New Records.
Click Service Location (SRV), and then click
Type the following information:
Service: _VLMCS
Protocol: _TCP
Port number: 1688
Host offering the service:
Click and then click

Client side

In theory, if all your other Windows 2008 servers requiring activation are domain members and can resolve the SRV record for KMS, they should self-activate within the next 180 minutes. If you are like me, and you are impatient, you could use the switch slmgr.vbs /ato on each of the client machines. For the first five you will receive an error message. This is because KMS is for VOLUME licensing and is therefore not applicable until at least 5 machines attempt to activate. Once you have reached your fifth machine, all machines that have attempted to activate will then be activated.

Notes:

Slmgr.vbs /dli Displays all standard licensing information
Slmgr.vbs /dlv Displays verbose licensing information
Slmgr.vbs /xpr Displays the expiration date of the current key

KMS clients must renew their activation by connecting to the KMS host at least once every 180 days to stay activated. By default, KMS client computers attempt to renew their activation every 7 days.

KMS has a minimum number of physical (not virtual) computers that require activation before it works; this is called the activation threshold. For Windows 2008 it is 5. Below that number, activation will not occur.
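Everything a client needs from the procedure above boils down to three things it can test for itself: the _vlmcs._tcp SRV record resolves, TCP 1688 on the host it points at is open, and the KMS host has counted enough clients. The following is an added example, not code from the original post: it publishes the SRV record with dnscmd (the command-line equivalent of the DNS Manager steps) and then runs those three checks from a client, ending with the same slmgr.vbs /dlv output the Notes section mentions. It assumes PowerShell 2.0 or later; the zone, DNS server and KMS host names are constructed placeholders.

```powershell
# Added example: publish the KMS SRV record and check a client's path to the KMS host.
$Zone    = 'bgibson.internal'           # DNS zone the clients search
$DnsHost = 'he-dc01.bgibson.internal'   # DNS server that holds the zone
$KmsHost = 'kms01.bgibson.internal'     # server where slmgr.vbs /ipk and /ato were run

function Publish-KmsSrvRecord {
    # dnscmd <server> /RecordAdd <zone> <node> SRV <priority> <weight> <port> <host>
    dnscmd $DnsHost /RecordAdd $Zone '_vlmcs._tcp' SRV 0 0 1688 $KmsHost
}

function Resolve-KmsSrvRecord {
    # nslookup prints the SRV target as "svr hostname = <host>"; extract it.
    $out = nslookup -type=srv "_vlmcs._tcp.$Zone" 2>&1 | Out-String
    if ($out -match 'svr hostname\s*=\s*(\S+)') { return $matches[1] }
    return $null
}

function Test-KmsPort {
    param([string]$TargetHost, [int]$Port = 1688)
    $client = New-Object System.Net.Sockets.TcpClient
    try     { $client.Connect($TargetHost, $Port); return $true }
    catch   { return $false }
    finally { $client.Close() }
}

function Test-KmsClient {
    $target = Resolve-KmsSrvRecord
    if (-not $target) {
        Write-Output "SRV record _vlmcs._tcp.$Zone not found in DNS"
        return
    }
    Write-Output "KMS host from DNS : $target"
    Write-Output ("TCP 1688 reachable: " + (Test-KmsPort $target))
    # Verbose licensing state; on the KMS host the client count must reach the threshold (5).
    cscript //nologo "$env:windir\System32\slmgr.vbs" /dlv
}

# Publish-KmsSrvRecord   # run once, on a machine with rights on the DNS zone
Test-KmsClient           # run on any client that refuses to activate
```

If the SRV lookup fails, the DNS suffix of the client is usually the culprit; if the port test fails, look at the firewall between the client and the KMS host before touching licensing at all.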


There is obviously a wealth more information on KMS and MAK, but as this is all I require to carry on with my now licensed POC, that’s all from me, for now.

Friday, 25 July 2008

Windows 2008 (Standard) strange disk recommendation

Windows 2008 Server (Standard) has a system volume disk space recommendation of 12745Mb.

This value is not the same as any online documentation I have read. I discovered this obscure value as I was setting up some servers for my POC lab and setting the system volume to 12Gb (12288Mb) by default. Windows gave me some friendly advice that it recommends at least 12754Mb, but it did let me carry on and install it.

Interestingly Microsoft's online documentation actually recommends 40Gb or more disk space, with a minimum requirement of 10Gb. What are they going to do with 40Gb of disk space? (Apart from make the Server Core footprint look comparatively small?).
Microsoft Windows 2008 requirements link

Thursday, 24 July 2008

Windows 2008, Server Core - DCPromo

To make a Windows 2008 Server Core machine a Domain Controller you need to run DCPromo and point it at an unattend.txt file. I am sure it is probably possible to accomplish this in one command line, but that would be a lot of switches to write!
One of the items in this unattend.txt file is the Safe Mode admin password. I thought this was a little dodgy as a large number of folk will accidentally leave that unattend.txt file on the computer and therefore accidentally leave the password accessible in plain text. But it seems MS were thinking the same thing, as I discovered when I copied its contents to use on another server and realised the password was gone. DCPromo actually removes the password value in the text file as soon as it is run.
Here is a copy of my unattend.txt for my new Forest –

[DCINSTALL]
InstallDNS=Yes
NewDomain=Forest
NewDomainDNSName=BGibson.Internal
DomainNetBiosName=BGibson
ReplicaOrNewDomain=Domain
ForestLevel=3
DomainLevel=3
DatabasePath="D:\NTDS"
LogPath="E:\Logs"
SYSVOLPath="F:\Sysvol"
RebootOnCompletion=Yes
SafeModeAdminPassword=P@ssword1


Funny errors

To create my first unattend.txt file I plagiarised someone else's file from the internet. It originally had RebootOnSuccess as one of the switches. Windows 2008 very helpfully gave me some advice: “Warning: RebootOnSuccess is deprecated, although it is still supported. Consider using RebootOnCompletion instead.” I thought this was quite amusing, suggesting the syntax I was using was deprecated.

Not so funny error

Now that I have one Domain Controller up and running, I went to my next Windows 2008, Server Core machine and tried to promote it to be a replica Domain Controller. Unfortunately I immediately received this error message “The wizard cannot access the list of domains in the forest. The error is:
Access is denied.”

After doing some research I became convinced it had to be DNS related. Back to the first Domain Controller and type NSLookup. I immediately got an error as it was trying to connect to ::1 first. Using similar syntax to my last post for adding DNS Servers, I removed this IPv6 reference: netsh int ipv6 delete dnsserver name=2 address=::1. Now when I run NSLookup it connects to its own DNS server as expected. DCPromo of the replica Domain Controller now completes successfully. Here is the unattend.txt I used:

[DCInstall]
InstallDNS=Yes
RebootOnCompletion=Yes
ReplicaDomainDNSName=HostedExchange.Internal
ReplicaOrNewDomain=replica
ReplicationSourceDC=HE-DC01.HostedExchange.Internal
SafeModeAdminPassword=**********
UserDomain=HostedExchange.Internal
UserName=administrator
Password=************
CreateDNSDelegation=No
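DCPromo blanking SafeModeAdminPassword only helps for the file it was actually pointed at; the copy made to seed the next server, and the Password= line for the domain admin in the replica file above, are not touched. The following is an added example, not code from the original post: it walks the given drives for DCPromo answer files (identified by their [DCINSTALL] section) and reports any that still carry a non-blank, non-masked SafeModeAdminPassword or Password value, without echoing the value itself. It assumes PowerShell 2.0 or later; the search roots are constructed defaults for the POC machines.

```powershell
# Added example: find leftover DCPromo answer files that still hold a plain-text password.
$SearchRoots   = @('C:\', 'D:\')
$SensitiveKeys = @('SafeModeAdminPassword', 'Password')

function Find-UnattendSecrets {
    param([string[]]$Roots)
    $hits = @()
    foreach ($root in $Roots) {
        $files = Get-ChildItem -Path $root -Recurse -Include 'unattend*.txt' `
                     -ErrorAction SilentlyContinue | Where-Object { -not $_.PSIsContainer }
        foreach ($file in $files) {
            $text = Get-Content $file.FullName
            # Only DCPromo answer files have a [DCINSTALL] section (case-insensitive match).
            if (-not ($text -match '^\[DCINSTALL\]')) { continue }
            $lineNo = 0
            foreach ($line in $text) {
                $lineNo++
                foreach ($key in $SensitiveKeys) {
                    # "Key=value" with a value that is neither empty nor masked with asterisks.
                    if ($line -match "^\s*$key\s*=\s*(.+)$" -and $matches[1] -notmatch '^\*+$') {
                        $hits += New-Object PSObject -Property @{
                            File = $file.FullName; Key = $key; Line = $lineNo }
                    }
                }
            }
        }
    }
    return $hits
}

$found = @(Find-UnattendSecrets -Roots $SearchRoots)
if ($found.Count -eq 0) {
    Write-Output 'No answer file with a live password found.'
} else {
    # Report file, key name and line number only; the value itself is never printed.
    $found | Format-Table File, Key, Line -AutoSize
}
```

The only acceptable result after promotion is the first message; anything listed should be deleted (or at least have the value blanked) before the server goes any further.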

Windows 2008, Server Core - First Installation

Windows 2008 Server Core

Today I performed my first installation of Windows 2008 Server Core....into a VMWare environment. As this is completely new to me I will probably blog about a lot of simple RTFM tasks to start with as I get used to going back to the command line.

Speed

First thing I noticed was how incredibly quick it was. The Operating System installation took a matter of minutes, not the normal hour or so I have come to expect with Windows Server 2003. I guess this is down to the fact the Core platform installs only the necessary components and not all the normal bloatware that comes with Operating Systems to date. In fact I was so impressed with the time I deleted my VMWare image and started again so I could time how long it took. (Sad I know). It took only 6 minutes to complete the installation.
So after being impressed with the speed of installation, when I log on it takes 3 minutes “Preparing your desktop”. WHAT DESKTOP!? Surely the whole point of Server Core is there isn't one, just the lonesome CMD.exe?

VMWare Tools


Okay, first thing you want to do once you have installed an OS into VMWare is install VMWare Tools. Challenge number 1 – Server Core does not have a GUI, so therefore the nice GUI installation of , , does not exist. So, I click VM > Install VMWare Tools, which of course appears to do nothing – except it has loaded the VMWare Tools ISO...Back to the command line and change my directory to D:\ and type MSIExec /i “VMWare Tools.msi” /passive. Hey presto, I have the VMWare Tools installation wizard.
Of course the install is not going to be that easy; I immediately receive two errors: Error loading tpvmmon.dll & Error loading printui.dll, The specified module could not be found. I click through both as that is my only option. After a reboot it seems that VMWare Tools are more or less installed, despite both the errors. However, when I also installed VMWare Tools in my ESX environment it produced no errors and installed seamlessly.


Display settings and Power Management

By default the screen resolution is not great (does it need to be for a CMD line only interface?), but more annoying is the fact it has the automatic screensaver/power management turned on, so it forces you to log on again after a period of inactivity. After a bit of RTFM, I found you have to change all of this in Regedit.

ScreenSaver settings:
HKCU\Control Panel\Desktop\


Resolution:
HKLM\System\CurrentControlSet\Control\Video\GUID\0000\DefaultSettings.XResolution
HKLM\System\CurrentControlSet\Control\Video\GUID\0000\DefaultSettings.YResolution

To determine which GUID it is, look in each of them at the Device Description. For me it was the GUID associated with VMWare SVGA II. Make sure you remember to change the Base to decimal too!

Simple Tasks

Next issue was how to achieve the things you take for granted with a GUI?

Reboot the server: Shutdown -r (Use shutdown /? to get all the other related tasks)
Set the IP Address:
· Get the interface IDX Number:
netsh int ipv4 show int
· Set IP Address: netsh int ipv4 set address name=%IDX% source=static address=%IP% mask=%SM% gateway=%DG%
· Set DNS Server: netsh int ipv4 add dnsserver name=%IDX% address=%DNS%
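Reading the Idx number by eye from the netsh table is the step most likely to go wrong when you are building several Core servers in a row. The following is an added example, not code from the original post: it parses the Idx column from netsh int ipv4 show int by interface name, applies the same netsh address and DNS commands shown above, and then removes the ::1 IPv6 DNS entry that broke NSLookup on the first domain controller in the DCPromo post. It assumes PowerShell 2.0 or later; the addresses, interface name and hostname are constructed placeholders for the POC lab.

```powershell
# Added example: the Server Core IP configuration steps, scripted.
function Get-InterfaceIndex {
    param([string]$Name)
    # "netsh int ipv4 show int" columns: Idx  Met  MTU  State  Name
    foreach ($line in (netsh int ipv4 show int)) {
        if ($line -match '^\s*(\d+)\s+\d+\s+\d+\s+\S+\s+(.+?)\s*$' -and $matches[2] -eq $Name) {
            return [int]$matches[1]
        }
    }
    throw "Interface '$Name' not found"
}

function Set-StaticIPv4 {
    param([int]$Idx, [string]$Address, [string]$Mask, [string]$Gateway, [string]$Dns)
    netsh int ipv4 set address name=$Idx source=static address=$Address mask=$Mask gateway=$Gateway
    netsh int ipv4 add dnsserver name=$Idx address=$Dns
}

function Remove-LoopbackIPv6Dns {
    param([int]$Idx)
    # Only delete the entry if it is actually present, so the script can be re-run safely.
    $out = netsh int ipv6 show dnsservers name=$Idx | Out-String
    if ($out -match '::1') {
        netsh int ipv6 delete dnsserver name=$Idx 'address=::1'
    }
}

$idx = Get-InterfaceIndex -Name 'Local Area Connection'
Set-StaticIPv4 -Idx $idx -Address 192.168.10.11 -Mask 255.255.255.0 `
               -Gateway 192.168.10.1 -Dns 192.168.10.11
Remove-LoopbackIPv6Dns -Idx $idx
# Confirm resolution now goes to the server's own DNS service rather than ::1.
nslookup he-dc01.hostedexchange.internal
```

On a future domain controller set Dns to the server's own address, as here; NSLookup at the end should report that address as the server rather than ::1, which is the condition the replica DCPromo needed.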