
Ramblings & Site News & Uncategorized | Jl. on 12 Mar 2009

WordPress 2.7.1 – Not as painful as I thought.

I just performed a long overdue upgrade of WP to the latest rev.  I’ve put it off until now because I’ve spent so long customizing the pages, adding plugin sources to pages, changing layouts, etc, I was rather nervous about an updated install hosing something up that would take days to find and fix a comma out of place (been there, esp. with the PHP mods).  But, I have to admit it was much simpler than I’d anticipated. 

The instructions at http://codex.wordpress.org/Upgrading_WordPress make things very simple, and point out “don’t do this”.  I followed the guide for both my sites (Zen & Wings), and it worked quite instantly.  I backed up everything first though (including MySQL databases, as the new rev will make some changes) just as a precaution.  The new rev will also run automatic updates, saving me the trouble. 

So there’s a new login page, and a bunch of updated behind the scenes stuff.  If there are any issues, please let me know. 

And while I’m at it, is this site helpful?  Aside from more regular posts, I’m curious if there is anything you’d like to see added, more of, etc. 


Update: Turns out SemiSecure Login doesn’t like WP 2.7.1.  After logging out, I was locked out again.  If you run into this, just rename the plugin directory to disable it, and then deactivate it.  I’ve replaced it with SemiSecure Login Reimagined, which uses RSA keys over OpenSSL, which is much better anyway.

Ramblings & Uncategorized | Jl. on 11 Mar 2009

Amazon, Fail.

[image: amazon-fail]

People talk about getting into the stock market… consumer electronics man, that’s where the money is.  What a ‘Super Deal’. 

Hacks & Networking (General) & Servers & Virtualization | Jl. on 10 Mar 2009

Cheap servers, and a quick mod.

Just bought a series of HP DL360s from a firesale.  AOL was refreshing a datacenter, and these things were dirt cheap.  I’ve outfitted one with a pair of UW320 hotswap 72gb drives, but I’m figuring out a mod to put SATA drives in – cheaper, readily available, and they don’t require ubercash and ebay to pick up if one dies.  It looks straightforward enough.  From my initial pokings, the SCSI backplane just lifts out.  The power connector is a single molex to the backplane that distributes it to the two drives, so I need a y-cable.

Empty drive trays are $10 a pop, so I’ll use those to lock the drives in place.  I have one outfitted with 4gb ram already which should be enough for most ops.  They’re dual-proc Xeons (single core, no VT) at 2.8ghz, and should make nice dogfood boxes for labs w/ VMWare GSX server.  Once I load test them, know they’re stable and won’t crap out on me, I may replace my dual p3-800 server which hosts my critical stuff.  At the very least, with a cheap SATA raid array, great media and file server.

www.nautilusnet.com was the company.  The chassis were $20 a pop, came with the procs and 1gb ram, no drives.  They had a 3.04ghz model for $30, same outfit (240 mhz doesn’t make that much diff. to me).  The company has everything else needed to outfit them – drives (36 or 72gb), memory kits, and redundant power supplies.  I’ve put in three orders with them now, and they’re awesome to work with.

Disclaimer: I’m not paid nor do I benefit in any way from this plug.  I don’t get kickbacks, gift cards, taken out for free drinks by the sales staff, free gear, logo’d jackets, tote bags, bumper stickers, or any special sale price on equipment.  They’re good people that do a good job and are worth a mention.

I also just bought a Linksys WMP300N PCI Wifi N card, and a WRT600N “Ultra RangePlus Dual-Band Wireless-N Gigabit Router”.  I installed them last night in hopes of getting better “reception” with my home-theater box (which I use for Netflix On Demand, and MS Flight Simulator (rest in peace) on my TV), but ran into a few hurdles configuring the 5ghz N signal.  A post will be forthcoming about that and some mild insanity once I stop foaming at the mouth about the Linksys wifi manager software.

Active Directory & SCCM & System Center | Jl. on 05 Mar 2009

SCCM Planning Worksheets

I’m writing this up now so I don’t forget it – I’ve got about a dozen posts that I’ve started writing, but haven’t finished, and I want to get this one out there…

I’m preparing for an SCCM deployment for a client.  Instead of going through (yet again) the 10 prep worksheets from TechNet, I decided to combine them into an Excel spreadsheet.  It’s got pretty colors and nifty layouts.  I just wish I could get it to do bar graphs, as it would be perfect for executive presentations then…

The SCCM Planning Worksheet Compilation (link is the file) is a combination of all the worksheets, and will (hopefully) streamline the process of planning and preparing for an SCCM deployment in your org.  Feel free to post comments, let me know how it worked for you, or if there’s anything you’d suggest be added or changed.

Thanks and good luck

(If you missed it the first time, here’s the file: SCCM Planning Worksheet Compilation)


ActiveSync & Microsoft Office & OneNote & Windows Mobile | Jl. on 12 Dec 2008

ActiveSync Failure while installing OneNote Mobile

Not too long ago I started using OneNote for organizing documents, thoughts, presentations, plans, and notes. I know it’s been out for more than a little while, and I’ve not been using it for long, but I’ve been rather impressed so far…

So I got to thinking – is there an app for my smartphone that would let me use OneNote on my phone? Sure enough, a quick Google search later and I discovered Microsoft already thought of that. So I dug out my USB cable for my phone and found the installation instructions. They’re rather straight forward –

  1. From OneNote, Click the tools menu
  2. Select Options
  3. Select OneNote Mobile
  4. Click “Install OneNote Mobile…”

In theory, as long as you have a device supporting ActiveSync 4.5, it should work fine. Except mine didn’t. ActiveSync gave me an error:

“Error Copying File

Cannot copy the file. Make sure the mobile device is connected, that the mobile device has space available and is not write protected, and that all setup programs on the device have been completed.”


I checked the device space – 12mb free (the app is about 600k), checked for any other setup programs – nothing.  Rebooted the phone.  Rebooted my computer.  After every step, the programs listing within ActiveSync had the program listed, but not selected.  Every time I rechecked it for installation and synched, I got the same error, and no application.

For Office 2007 users with OneNote, the mobile program gets installed by way of a .cab file. A quick search of “C:\Program Files\Microsoft Office\” for *.cab yielded:

C:\Program Files\Microsoft Office\Office12\1033\OneNoteMobile.CAB


So, quick and easy fix: copy this cab file to the mobile phone (I put it on my storage card), use File Explorer to select it, and run the installer (the .cab file). It installed pdq, and presto – I have OneNote Mobile.


Active Directory & DNS & Hacks & Networking (General) & Servers | Jl. on 30 Nov 2008

Using DNS to Force A Domain Trust Through a Specific Domain Controller (or a “gateway” DC)

Here’s the scenario:

We’re attempting to set up a trust between two domains – Source.com, and Domain-Baker.com.  But there’s a catch.  We’ll exclude the how’s and why’s, but creating the trust is more complicated than usual because of the routing on the network.  Source.com and Domain-Baker.com can’t ping each other directly; however, a domain controller (BridgeDC.Domain-Baker.com) has been placed on a subnet segment that can reach both.  The picture below draws this out a bit – (green = ping, black = network route, red = cannot ping)

[image: examplenetmap – network map of Source.com, BridgeDC and Domain-Baker.com]

So the DCs in Source.com can’t reach the DCs at the main site across the map, but they can reach the Bridge DC in the middle.  The BridgeDC can, in turn, reach both sites.

Typically, when you’re creating a trust, you’d create a secondary DNS zone in Domain A (in this case the zone Domain-Baker.com hosted on the DNS server for Source.com, with a master of DNS.Domain-Baker.com), and vice versa (zone Source.com hosted on the DNS server of Domain-Baker.com).  (Diagram:)

[image: DNSRepl – the usual secondary-zone replication in both directions]

This way both domains see the domain controllers available on either side of the networks, the trust gets established using one of the DCs located through DNS, and the trust comes up happily.

Except it fails.  It says it can’t find the domain.  In fact, the error itself was:

The New Trust Wizard cannot continue because the specified domain cannot be contacted.  Either the domain does not exist, or network or other problems are preventing the connection.

But DNS is in place, both zones are replicated, why did it fail?

Only one DC of Domain-Baker.com is reachable by Source.com -  BridgeDC.Domain-Baker.com (see the first diagram).  When Source.com queries “domain-baker.com” from the records that it’s just copied down, it gets a whole slew of resource records and DNS servers that simply aren’t available to it.  It looks something like -

[image: manydns – the full list of Domain-Baker.com DCs returned by DNS]

But we know we have the BridgeDC for Domain-Baker.com sitting right there, why won’t it talk to it?  The answer is, it might – it’s a shot in the dark.  One out of 20 or 30 times it might work, because that would be the DC that gets resolved for Domain-Baker.com.  But the timing would have to be just right, and you’d never know when it was lined up.  Obviously a trust that only works one in 30 (or more) doesn’t help anyone.

So how do we force Source.com to only use BridgeDC.domain-baker.com to create the trust?  DNS.

Editing DNS Records to Specify Domain Controller

The goal will be to edit the DNS records hosted in Source.com so that it only knows about BridgeDC.domain-baker.com.  Now before you go jumping into the DNS console and start deleting records, hold on!  Things can get pretty ugly if they’re not handled right.

First you have to make sure you’re editing the right records.  Deleting all the other servers for the zone Domain-Baker.com in your production Active Directory (of Domain-Baker.com) would obviously wipe out half your network.  Yes, Source.com would transfer the updated zone with only the records for BridgeDC, but the ends don’t justify the means in that case.

So we have to make Domain-Baker.com editable within Source.com.  The easiest thing to do:

[I use my demonstration domain names here, obviously you'll have to substitute your domains in their place]

1) From the DNS console of a DNS server in Source.com, create a new secondary zone (yes, secondary) called Domain-Baker.com.

[image: newseczone – New Zone wizard, secondary zone]

2) When it asks for the IP address to copy the zone from, put in the IP address of BridgeDC (or any other DNS server that has a copy of the target zone).

3) Confirm the zone, and watch it populate.

Now, this is going to be a complete copy of the zone, full of records for servers we can’t use.  So, let’s get rid of them.

1) Open the properties of the zone.  Change the type of zone from Secondary to Primary (making the zone AD Integrated is your choice).

2) Under the Zone Transfers tab, turn OFF zone transfers.

3) Under the Name Servers tab, pull out the DNS servers listed for Domain-Baker.com.  We don’t want our other servers making queries on the complete copy of the zone!

Now, we’ve just made the zone Domain-Baker.com editable within Source.com, we’ve made sure our changes will NOT replicate to Domain-Baker.com (and thus screw up the network quite royally), and we’ve made sure that this will be the only server to host this zone.  So let’s get to wiping the other servers.

Expand the zone, and you’ll probably see a great number of records and servers.  Because of the way Active Directory works, there’s a lot of information in there about all of the AD Sites, servers at each site, workstations, etc etc.  DNS, you may not know, is one of the most crucial parts of Active Directory.  Because of this unique issue, we need to sort through those records and servers, and pull out the ones we don’t want.

[image: fulldnszone – the complete copied zone before editing]

Go through each folder from the top down, and delete any Name Server (NS), Service Location (SRV) record, or a No Name A record (“Same as parent folder”), that is NOT the domain controller we want to use (in this case we want BridgeDC.domain-baker.com / IP 172.16.56.4, and don’t want the others).  You’ll have to go through each and every folder inside the Domain-Baker.com zone to delete the extraneous records.  The end result should look like:

[image: editeddns – the zone after all records except BridgeDC are removed]
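As an added example that is not part of the original post: the pruning rule above (delete NS, SRV and “same as parent” A records that aren’t BridgeDC, leave everything else) modelled in Python on a constructed copy of the Domain-Baker.com zone, with a check of the end state you want to see before running the trust wizard. It uses the post’s names and the 172.16.56.4 address; the sample zone contents, the DNS server name dns1.source.com and the generated dnscmd lines (assumed syntax, offered as the command-line equivalent of the console deletions) are assumptions.

```python
"""Prune a copied DNS zone down to a single 'gateway' domain controller.

Added example (not from the original post).  Names and the IP are the post's
demo values; the sample zone below is constructed for illustration.
"""
from dataclasses import dataclass

ZONE = "domain-baker.com"
GATEWAY_HOST = "bridgedc.domain-baker.com"   # the only DC Source.com can reach
GATEWAY_IP = "172.16.56.4"


@dataclass(frozen=True)
class Record:
    name: str    # owner name relative to the zone; "@" is the zone apex
    rtype: str   # A, NS, SRV, ...
    data: str    # A: ip | NS: host | SRV: "priority weight port host"


def target_of(rec: Record) -> str:
    """Host or IP the record points at, normalised for comparison."""
    return rec.data.split()[-1].lower().rstrip(".")


def is_dc_locator_record(rec: Record) -> bool:
    """Records clients use to find a DC: NS, SRV, and apex ('same as parent') A."""
    return rec.rtype in ("NS", "SRV") or (rec.rtype == "A" and rec.name == "@")


def should_delete(rec: Record) -> bool:
    """The post's rule: drop locator records that don't point at the gateway DC."""
    if not is_dc_locator_record(rec):
        return False          # ordinary host A records are left alone
    wanted = GATEWAY_IP if rec.rtype == "A" else GATEWAY_HOST
    return target_of(rec) != wanted


def prune(records):
    """Split the zone into the records to keep and the records to delete."""
    keep, drop = [], []
    for rec in records:
        (drop if should_delete(rec) else keep).append(rec)
    return keep, drop


def zone_is_gateway_only(records) -> bool:
    """End-state check: nothing left points elsewhere, and the DC locator
    SRV record the trust wizard depends on still resolves to the gateway."""
    if any(should_delete(r) for r in records):
        return False
    return any(r.rtype == "SRV" and r.name == "_ldap._tcp.dc._msdcs"
               and target_of(r) == GATEWAY_HOST for r in records)


def dnscmd_deletes(server, drop):
    """dnscmd lines equivalent to the console deletions (assumed syntax)."""
    return [f"dnscmd {server} /RecordDelete {ZONE} {r.name} {r.rtype} {r.data} /f"
            for r in drop]


# Constructed sample of what the secondary zone copy looks like after transfer.
SAMPLE_ZONE = [
    Record("@", "A", "172.16.56.4"),
    Record("@", "A", "10.1.0.10"),
    Record("@", "A", "10.1.0.11"),
    Record("@", "NS", "bridgedc.domain-baker.com."),
    Record("@", "NS", "dc1.domain-baker.com."),
    Record("@", "NS", "dc2.domain-baker.com."),
    Record("_ldap._tcp.dc._msdcs", "SRV", "0 100 389 bridgedc.domain-baker.com."),
    Record("_ldap._tcp.dc._msdcs", "SRV", "0 100 389 dc1.domain-baker.com."),
    Record("_ldap._tcp.dc._msdcs", "SRV", "0 100 389 dc2.domain-baker.com."),
    Record("_kerberos._tcp.dc._msdcs", "SRV", "0 100 88 dc1.domain-baker.com."),
    Record("_kerberos._tcp.dc._msdcs", "SRV", "0 100 88 bridgedc.domain-baker.com."),
    Record("_ldap._tcp.HQ._sites.dc._msdcs", "SRV", "0 100 389 dc1.domain-baker.com."),
    Record("bridgedc", "A", "172.16.56.4"),
    Record("dc1", "A", "10.1.0.10"),
    Record("dc2", "A", "10.1.0.11"),
    Record("fileserver", "A", "10.1.0.50"),
]

if __name__ == "__main__":
    kept, dropped = prune(SAMPLE_ZONE)
    for line in dnscmd_deletes("dns1.source.com", dropped):
        print(line)
    print("gateway-only:", zone_is_gateway_only(kept))
```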

Multiple DNS Servers in Source.com

Now, if you have multiple DNS servers within Source.com, you’ll need to set them to only query your DNS server which has the Domain-Baker.com zone, any time they run a lookup (unless your zone is AD Integrated, in which case skip this step).  On each other DNS server:

1) Open the server properties (DNS console, right click the Server, click Properties),

2) Open the Forwarders tab,

3) Create a new forwarder for Domain-Baker.com,

4) Put the IP address of the DNS server which we just edited the records on.

This ensures that only your edited copy of Domain-Baker.com is queried from your source domain.  After making changes to DNS servers, especially when they’re across the board, it’s good practice to restart each DNS service, and on each DC run

ipconfig /flushdns
and
ipconfig /registerdns

Creating the Trust

DNS should now be configured so that from any server in Source.com, you can ping Domain-Baker.com and only reach BridgeDC.domain-baker.com (again, substitute your hostnames/domains here).  You should also be able to nslookup domain-baker.com and only receive BridgeDC.domain-baker.com or its IP address.

Once that’s confirmed, create the trust.  I suggest you do this from the Source.com side – I tried to run it from Domain-Baker.com and discovered that it was asking one of the back-end DCs that couldn’t reach Source.com to establish the trust.  Once I ran it from Source, everything worked great.

You may receive an error indicating the trust could not be validated, because there isn’t a workstation or computer account created.  (Or words to that effect).

Open Microsoft Support Article 246264 (http://support.microsoft.com/kb/246264).  It says that the Trust may validate itself, even though it throws this error.  Sure enough, once I told it to validate, then got the error, had it reset the password, then told it to validate again (only reset the trust password once), it returned successful.

Presto, trust completed, using one DC as the “gateway”.

Recap

I don’t normally do this, but in this case it’s easy to get confused.  So here are the bullet points.

  • Attempting to set a trust between Source.com and Domain-Baker.com using BridgeDC.domain-baker.com as a “gateway” or “bridge”
  • First created a secondary DNS zone in Source.com of Domain-Baker.com, replicated a complete copy of the zone from BridgeDC.
  • Changed Secondary Zone to Primary zone.  Disabled Zone transfers and updates.
  • Deleted any other SRV, NS, or NoName-A records that weren’t BridgeDC.domain-baker.com
  • This makes Source.com think that the only server in Domain-Baker.com is BridgeDC.
  • Set up the trust, Source.com now uses Domain-Baker.com for the trust (because it doesn’t know any better).

And that oughta do it.

Networking (General) & Scripting & Virtualization | Jl. on 17 Nov 2008

VMWare Services That Aren’t Needed All The Time

I run VMWare on my laptop.  I use it for older Windows distros (’95 and 2000 – ’95 is the only thing that will sync with my Newton!), and I have a couple of Linux distros which I run when I have time to work on them, or when I need special networking services.  The problem is, I don’t run VMware all day every day.  In fact, there are some weeks I don’t run it at all.

VMware (and Microsoft VirtualPC) runs services in the background to give it networking support – allowing both your VM guest and your host to share a network card, to set up the "virtual" network lab (where your guests are isolated from your actual network, but they can all talk to each other and the host), etc.  There are four main services that start automatically in total:

VMware Authorization Service
VMware DHCP Service
VMWare NAT Service
VMware Virtual Mount Manager Extended

There’s also the VMWare Agent Service, but this is set to manually start, and is probably invoked by VMWare itself (I’ve never seen it running, so I can’t say for certain).

These four started services probably don’t consume a lot of resources – I’ve rarely seen them above 3 or 4 mb of memory usage, and minimal proc usage.  But they do load drivers into the network stack.  If you take a look at your protocols and drivers in the Network Properties page you’ll see the VMWare Bridge Protocol (Virtual Machine Network Services is for VirtualPC, and is also required for networking support in VPC machines).  Again, these are only used for guest OSes, so they’re not required for typical network operations (getting a DHCP address, surfing the web, checking email, etc.). 

Every once in a while though, I’ve had a VMWare error pop up, even though VMware was never started.  So I decided to stop VMWare from starting automatically, and require my action to turn the services on.  This will keep the services from loading, chewing up memory, but most importantly prevent attaching unnecessary active services to the network card.

First set those four services to start up manually, rather than automatic.  (I’ll put screenshots up here when I have a moment, but it’s done from the Administrative Tools\Services MMC).  Once they’ve been changed to manual, either reboot or just stop them by hand (right click the service, stop).  Then I wrote the following script into a batch file that I named "Vmware-Start.bat"

net start vmauthdservice
net start vmnetdhcp
net start "vmware nat service"
net start vmount2

I didn’t write a full batch script with the echo cmds etc, mainly because I’m not a coder so I have little to no clue about proper syntax without an awful lot of googling, but secondarily because for net start and stop commands, it’s just not needed.  [Please post dissenting opinions if you have them, I'd like to get my scripting skills up a bit.]

So those four lines are used to start the VMware services, when I need to open VMware.  These next four lines were put into another batch file named (you guessed it) "VMware-Stop.bat"

net stop vmauthdservice
net stop vmnetdhcp
net stop "vmware nat service"
net stop vmount2

Save the scripts into the \Program Files\VMware\ directory, and create shortcuts to them.  Put the shortcuts on your desktop (I put mine into the VMware start menu group).  Each time you want to run VMware, you’ll need to run the Start batch file, and when you’re done with VMware you can run the Stop batch file.  This will give VMware everything it needs to run effectively, and keep services offline when you don’t need them. 

Desktops & Hacks & UI Mods | Jl. on 29 Oct 2008

Desktop Paging – Multiple Window Arrangements, switch between the click of a button!

Anyone who’s used KDE, Gnome, or most any other Linux window manager (WM) will know about Desktop Paging, though maybe not by that name.  It’s a built-in functionality which allows you to have several “virtual desktops”.  The programs remain running all the time, but you can arrange windows in certain ways, and move programs or windows from desktop to desktop.  Confusing?  I’ll bet.  Let’s clarify:

I have four (4) “virtual desktops”.  On Desktop 1, I have Outlook open, with 3 emails in separate windows, and my calendar in a new window (thanks to Outlook 2007).  In this configuration this takes up my entire desktop real estate, but I need to keep them arranged this way.  And now, I want to open Sharepoint to pull down a Word document.  That’s two more windows, in an already crowded screen, with a configuration I don’t want to lose.  Add to that I’ll need to copy and paste some text between the Word doc and an email, and you start to have a problem.

So, I switch to Desktop 2.  I start with a blank canvas – a desktop that would look just as it would if I minimized everything, or had just restarted my computer.  From here, I open Firefox, browse to my Sharepoint site, and download my Word document.  I open my Word document, find my text, and copy it.  Now I need to get back to my open email to paste it in.

I push a hotkey and switch back to Desktop 1.

Desktop 2 is minimized, the arrangement is saved, and Desktop 1 is brought up just the way I left it! I paste what I want into Outlook, send the email, and now I want to open a remote desktop terminal session, but I need to keep Sharepoint accessible within Firefox.

I push a hotkey and switch to Desktop 3.

Desktop 2 is minimized, Desktop 3 is brought up as a blank canvas again, and I can open Terminals to start my TS connections.  I need to see an Email to retrieve an issue I’m working on?  Push my hotkeys, I’m back to Desktop 1, open my email, find what I’m looking for, and hotkey back to Desktop 3.  Just that quick.

So this is built into Linux, but how can Windows users incorporate such power-user-like glory?  A virtual desktop application known as VirtuaWin.  Designed to bring the same functionality Linux users enjoy, to the common Windows desktop.  It’s a small application that will sit in your system tray, and allow you to switch back and forth between your new “virtual desktops”.  You can download add-on modules to it, and view a mini-representation of your window layout, so you have a hint as to what desktop has what layout (several small windows on 1, that must be Outlook, big window on 2, oh that must be Remote Desktop, etc.).  As a SourceForge project it’s free, and I’ve been using it for several months with high stability.  You can move windows between desktops, create rules (always open Acrobat on Desktop 3, etc), and do almost anything else one could imagine wanting to do with a tool such as this.

I have four desktops open right now, each with applications running on them.  One desktop has Outlook, another Firefox, a third has IMs, and the fourth is my blog tool that I write this with.  While each application still uses the same amount of memory, VirtuaWin itself is presently using 5,624k, or just over 5 and a half megs, and I don’t even see it register on the CPU usage.  It’s a very lightweight app, but accomplishes an amazing amount in a very user-friendly way.

It’s not quite like having a quad-monitor setup, but it’s as close as I can come with a laptop, especially on the road.

Uncategorized | Jl. on 28 Sep 2008

UniBlue Process Scanner vs SysInternals ProcMon … one night only!

I realized that for the first time since getting a new computer, I’d not run a deep-deep trace of what was actively running.  I’d run rootkit-revealer, I run virus sweeps, and I  run AdAware and Spybot regularly, but I was finding things like the GoogleUpdater app running, even though a) the entry for it under Startup in MSConfig is disabled, and b) the service in the Services MMC is also disabled.  So I started to get curious.

On a whim, I ran a Google (ironic, huh) for "advanced process manager" or some such query.  First thing that came back was a blogger linking to "ProcessScanner", software created by UniBlue (http://www.processlibrary.com/processscan/) – the folks behind www.processlibrary.com.  This particular blog entry went on about how it will give you detailed this and that about anything on your system, it’s quick, there’s no installation required, etc. etc.

Well allow me to say first hand, that’s all a load of bull.  The download itself was only 900k.  But it’s a full on installer that makes you accept a very lengthy EULA (including details about opening a CD-Rom package?  For a download?), and then installs itself.

Once you’ve signed your life over and installed the app, then you run it.  Not only are there splashy graphics for such a simple app, but then … Well, for a meager "process scanner" this sucker starts to eat up around 20mb of memory.  The icing on the cake is – it phones home!  After running its scan, it will send details of the processes you’re running (probably just exe names and reg key entries, I didn’t run a packetsniff to be certain) back to the UniBlue servers, and presumably fetches details about each one from ProcessLibrary.com, and report the results back to you – what’s good, what’s not, what’s virii, what’s Windows, etc.  I, personally, never allowed it to get that far – My firewall alerted me, and I nixed it.  I’m just not OK with a list of my services/active reg-keys, and processes being dispatched over the internet to an unknown server for someone else to analyze.  But I’m a bit paranoid anyway.

Again, for a meager process scanner?  This app is seriously overkill, and not in a good way.  It’s got no huge or one-of-a-kind features to wow you, and on top of that it’s one great big ad for ProcessLibrary.com.  I’m all for self promotion, but if I wanted shareware-type crap, I’d have gone to C|Net’s download.com.

So I went hunting again.  And lo and behold, my old friends SysInternals crop up in the results (http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx).  Knowing full well they produce 99% gold, I took a look.  Sure enough Process Monitor (ProcMon) was updated in August of ’08 to v1.37.  I downloaded it, and though the zip file was 1.1megs, you extract the file to a directory (in \Program Files or on your desktop, it doesn’t matter) and presto – your application is ready.  No installer, no 20 page contract (though it’s all implied from the SysInternals website, I’m sure), just your tool waiting to be used.  Shut up, Beavis. 

I won’t give you all the details about it, because it’s fairly self explanatory, and the screen-shots on the TechNet link will explain more than I could in 1000 words.  But in case you’ve never used it before – definitely give it a shot.  It’s functionally very similar to a PacketSniffer (like WireShark) in that it will give you a running history of every process, .exe, .dll, thread, and registry entry that’s accessed on your computer, as it’s happening, with timestamp, sequence, process, operation, and path.  Try just running it for one second, literally, and you’ll be amazed at everything your system is doing behind the scenes.  And we wonder why processors get so hot?

Once you run it for a while, you’ll see long long lists of things which you know are supposed to be there (firefox, explorer, outlook, etc.) so you can add filters to hide those entries, so they don’t fill up the few hundred thousand lines you have to gaze upon.  That just leaves … everything else.

Again, if you’ve never tried it before, give it a shot.  It’s quick, it’s free, it’s small, and I’m not paid by Microsoft.  And, I’ve been watching my firewall logs for several minutes and it’s never even so much as checked for an update, or pinged anyone at The Borg – and this is an instance where I’m OK with that.  Now I just need to find that damned GoogleUpdater exe…

Uncategorized | Jl. on 27 Sep 2008

Windows Live Quicktime Handler Hosing Your Box?

Found an interesting little tidbit today.  When opening a folder that contains a Quicktime file (.mov or .qtw), Windows tries to load a handler – WLXQuickTimeControlHost.exe .  Nothing reports exactly what this is supposed to do. What it is doing is bringing the desktop, and often times the system itself, to a grinding halt sometimes using over 50% of available resources.

A quick search on your system, specifying c:\windows\ and c:\program files\ (or your %systemroot% and Program Files directories, respectively) should yield:

C:\Program Files\Windows Live\Photo Gallery\WLXQuickTimeControlHost.exe

as the culprit.  While it is rumored that actually uninstalling QuickTime will cure this (sounds like a Microsoft snipe at Apple if ever I’ve heard one), renaming this file to WLXQuickTimeControlHost.exe.nuked or whatnot, so that it’s no longer executable, will bring you an instant performance boost whenever you’re dealing with QuickTime files.  Miracles.

LCS / OCS & Unified Communications | Jl. on 09 Apr 2008

Office Communications Server (OCS) 2007 and quirks.

Recently, I did a test run of a migration from Live Communications Server (LCS) 2005 to OCS 2007. Some things we found out:

1) OCS 2007 doesn’t like SQL 2000 SP4. There’s nothing indicating that it would be unsupported, but we couldn’t get OCS to create the pool with a SQL 2000 SP4 backend for love or money. We eventually ditched it and went straight to SQL 2005, which worked seamlessly.

2) You can make a single-server deployment of OCS Enterprise. Microsoft doesn’t support it, technically. With Enterprise, the pool and the server have to be on separate IPs. The pool DNS record is intended to be pointed at the load balancer you’re using for all those servers (right?). Well, a load balancer for a single server is a bit silly. So, assign the server a second IP address, and change the pool A record to point to that second IP. Clients have to be able to resolve the IP of the pool, and the client MUST see this as a separate IP from the server. Presto – an Enterprise deployment on a single server. That begs the question, if you’re only using one box, why run Enterprise? Well, like I said earlier – it was a test run.

3) OCS works under VMWare Server. Microsoft swear up and down that OCS isn’t supported under a virtualized environment. Sure, they may not help you if you get in trouble, but it worked fine for us. We set up a 2 server pool and the SQL server, and connected several clients to it without any trouble, all under VMWare Server. Even the LCS 2005 pool we were migrating from (in the test lab) was under VMWare. No trouble. We didn’t try Microsoft’s Virtual Server, so that may have some quirks as well.

4) Beware of enhanced presence (EP). If you’re migrating, and looking to run your users concurrently on LCS 2005 and OCS 2007, DO NOT deploy Office Communicator 2007 until the last step. OC2007 when connected to OCS 2007 activates enhanced presence in Active Directory. EP USERS CAN NOT INTERACT WITH NON-EP USERS. This is true even if the users are on the same pool or server. One special quirk we found was that EP can be ticked in the Communications tab in ADUC, but unless the user connects with OC 2007, EP is never activated. Different wording: If you only use OC 2005, nobody uses EP, so you’re fine. So, when you’re doing your migration, save the rollout of OC 2007 till the very end, and everyone can talk to everyone else.

Some resources I found valuable during our testing:

http://forums.microsoft.com/unifiedcommunications/ – Microsoft’s Unified Comms forums. Sometimes slow to reply, but the search engine always has good info.

http://communicationsserverteam.com/ – The OCS team’s blog.

http://blogs.technet.com/toml/archive/2008/01/28/lcs-ocs-coexistence-and-migration-series-allow-block-list-not-in-mmc.aspx – LCSKid’s blog. Great content, helped us tremendously.

Active Directory & Networking (General) & Servers | Jl. on 24 Jan 2008

"Active Directory is Rebuilding Indices" – Don’t panic, it may be easier than it sounds.

It may just be a USB drive…

I was working on a client’s Small Business Server today. It had been some time since they’d had updates run, so I installed Server 2003 SP1, SBS 2003 SP1, then rebooted to prepare for Server 2003 SP2. After I’d rebooted, the server posted, loaded Server 2k3, and just before the expected ‘Preparing network connections’ I got a message that ‘The Active Directory is Rebuilding Indices’. Assuming it was something to do with the Service Packs I’d just loaded, I let it sit for a short while. Well, 20 minutes later it hadn’t made any progress, the disks were still idle, and my client was understandably wondering how much more time they’d be billed for this screen saver equivalent.

Rather than hard-boot the server while it was still loading, I began to research exactly what the problem could be. I found several posts about the message having to do with VSS, others explaining that pulling the power cable to shut down the server isn’t the most advantageous method (nice), others offering that the AD catalog may have gone belly up and would need restoring (makes sense, but I really hoped not), and some suggesting that RAID hardware may be failing – either the controller or a drive in the array.

Well, this server was on a RAID array, which made my pulse quicken. But I’d seen no other signs of failed hard drives – the controller booted fine, no errors with the disks, chkdsk wasn’t offering itself up for sacrifice upon every boot. Didn’t seem like a failing array.

This post made mention of a corrupted USB driver, and how the poster’s server rebooted fine when there wasn’t a USB hard drive. I instantly thought back to the time I gave myself a heart attack when a client’s server displayed ‘OS Not Found’ after I tried to reboot it, inadvertently with a USB hard drive attached. (I turned off Booting from a USB Device shortly after that.)

Well, I looked at the server I was working on, and sure enough there was a USB hard drive attached that my client used for backing up data. The disks weren’t being read (either the RAID or the USB) while it was stalled, so I thought what the hell. I turned off the power to the USB drive, disconnected the USB cable, and within seconds the server moved on to ‘Preparing Network Connections’.

So in conclusion, the ‘Active Directory is Rebuilding Indices’ message during boot may be indicative of a stalled drive or accessory. Check for a USB peripheral, an external SCSI disk drive, or maybe something using firewire. If you have any such devices, try turning them off (little bit tougher with external SCSI drives, but feasible if there’s nothing critical), and then try rebooting. I didn’t run into the message again, and it saved me a complete AD restore from tape, let alone uninstalling and reinstalling service packs and hotfixes.

Active Directory & DNS & Scripting & Servers Jl. on 24 Jan 2008

DNS Scripting with DNSCmd.exe (Specifically AD-integrated stub zones)

I recently had a need to manually create some 400 AD-integrated stub zones for a client (~40 zones on 11 domains, and it was ten to midnight on a Friday night). Because each domain was in a separate forest, AD-integrated replication between forests and domains wasn’t an option, and secondary transfers would occupy too much bandwidth between sites and wouldn’t be updated as promptly as required. So I had two choices: 1) Create each record, specify the master servers, and configure replication, one by one, on each domain, all by hand (I think not). Or 2) Find some way to script it.

Off to Google I go.

Several searches for DNS scripting, server 2003 DNS command line, etc, later, and I’d been able to find references to dnscmd.exe (part of the Server Resource Kit – available from Microsoft here). There were several guides about the syntax, but it took several tries to get the CLI to work as I needed to. I figured I’d put this up to shave some time off the next poor sod’s research.

To create a record, open the Support Tools CLI. From the CLI, this string is the basic format:

dnscmd . /zoneadd domain1.com /DsStub 192.168.5.1 192.168.5.2 /DP /forest

This will open the local server you’re working on, create a new zone called domain1.com, store it as a stub in AD (/DsStub), use 192.168.5.1 and 192.168.5.2 as the master servers, put the zone in the directory partition of AD (the /DP switch), and set the zone to replicate to all DNS servers in the forest (the /forest switch). You can substitute another hostname for the “.” if you want to add records to another server, so “dnscmd dnsserver1 /zoneadd …”

That’s the basic CLI for creating a forward lookup zone. But I was actually interested in making reverse lookup zones, which has one more little trick to it. You have to put in the full in-addr.arpa name of the reverse zone (you can see these in the DNS MMC console by right-clicking on your reverse zones, selecting ‘View’, and choosing ‘Advanced’). This made my string look like:

dnscmd . /zoneadd 5.168.192.in-addr.arpa /DsStub 192.168.5.1 192.168.5.2 /DP /forest

So this command is opening the local server (the ‘.’), creating a new zone (/zoneadd) that’s a reverse zone of 192.168.5.x (5.168.192.in-addr.arpa), specifying a Stub zone stored in AD (/DsStub) with master servers of 192.168.5.1 and 192.168.5.2, stored in the Directory Partition (/DP), with replication across all DNS servers in the forest (/forest).

After perfecting the syntax, I edited a text file with the appropriate IP addresses of the zones I was creating, which led to a batch file with some 40 or 50 instances of dnscmd being called, each with different zones and IPs. I’m sure there’s some very clever way to run a perl script that calls dnscmd and pulls variables from a csv or text file, but that’s way beyond my abilities here and now.
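One way to do the csv-driven generation the post alludes to, as an added example (Python rather than the Perl mentioned, and not the post’s own batch file). The CSV column layout is an assumption; it validates every master IP and derives the in-addr.arpa name for octet-aligned networks before anything is handed to dnscmd, so a typo in the list fails at generation time rather than leaving a half-created set of zones.

```python
"""Generate dnscmd.exe /zoneadd lines for AD-integrated stub zones from CSV.

Added example, not the post's own batch file. The input format is an assumption:
  zone,masters,scope
zone is a forward domain (domain1.com) or an IPv4 network in CIDR form
(192.168.5.0/24) that is turned into its in-addr.arpa reverse zone; masters
is a semicolon-separated list of master server IPs; scope is forest or
domain (the /DP replication scope).
"""
import csv
import io
import ipaddress

# Constructed sample input; in practice read the CSV file you prepared.
SAMPLE_CSV = """zone,masters,scope
domain1.com,192.168.5.1;192.168.5.2,forest
192.168.5.0/24,192.168.5.1;192.168.5.2,forest
10.20.0.0/16,10.20.0.10,domain
"""


def reverse_zone_name(network: str) -> str:
    """Return the in-addr.arpa zone for a /8, /16 or /24 IPv4 network."""
    net = ipaddress.IPv4Network(network, strict=True)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError(f"{network}: only octet-aligned prefixes map to one reverse zone")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def build_zoneadd(zone: str, masters: list, scope: str, server: str = ".") -> str:
    """Build one dnscmd /zoneadd command, validating every IP and the scope."""
    if scope not in ("forest", "domain"):
        raise ValueError(f"unknown replication scope {scope!r}")
    if not masters:
        raise ValueError("a stub zone needs at least one master server")
    for ip in masters:
        ipaddress.IPv4Address(ip)  # raises on junk before it reaches dnscmd
    name = reverse_zone_name(zone) if "/" in zone else zone.strip().lower()
    return f"dnscmd {server} /zoneadd {name} /DsStub {' '.join(masters)} /DP /{scope}"


def generate_batch(csv_text: str, server: str = ".") -> list:
    """Turn the CSV into batch-file lines, one dnscmd call per zone."""
    lines = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        masters = [m.strip() for m in row["masters"].split(";") if m.strip()]
        lines.append(build_zoneadd(row["zone"], masters, row["scope"].strip(), server))
    return lines


if __name__ == "__main__":
    print("\n".join(generate_batch(SAMPLE_CSV)))  # redirect into a .bat file
```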

So to point you in some other directions, there are many resources out there which cover dnscmd and its many capabilities – that’s beyond this post. Petri.co.il has a page here, Microsoft’s official TechNet page is here, and Google has many others. It’s a very powerful tool that can shave hours off of larger infrastructure management tasks, or simply allow you to bash in commands instead of clicking a mouse (fun for the old-schoolers).

Site News Jl. on 28 Dec 2007

Site Updates

So, just as an FYI, I’ve added some stuff on. Here’s a short list.

1) The posts now show who wrote them! That way I’m not getting all the credit for everybody else’s creativity – Bad Karma. However, given that it took me a week to find how to properly use the php show author tag, it will be a while before I make the author’s name a link to go to either a custom page, or a list of their other posts. But it will happen. That way someone can go “Who’s this guy? I’d like to see more of what they’ve written”.

2) Posts will automatically snip on the main page. It will link to “(::Read More… ::)” after the first paragraph. So write posts as lengthy as you want, and just include a paragraph break somewhere in there.

Very short list. But stuff nonetheless.

Cisco Software Jl. on 26 Dec 2007

Password Recovery – Catalyst 2900XL

Found this file from a Chinese university. It’s the password recovery procedures for a Catalyst 2900XL. I’ve got a few more recovery guides I’ve dug up for some other routers, I’ll chuck those up in a bit.

Ramblings Jl. on 05 Dec 2007

Ambition and Supervisor…

Glen’s the man, going to work
Got his tie, got ambition
