Archive for the ‘Win Srv 2003’ Category
We still need floppies? Seriously, Microsoft?!
Running SBS 2008 migration on a virtual server takes us on a detour down memory lane
Working on a migration of Windows Small Business Server (SBS) 2003 to SBS 2008, I had jumped thru the previous 283 migration hoops (I exaggerate, but just a little) and was ready to boot the 2008 installer DVD with my handy SBSAnswerFile which Microsoft wants me to put on “…the root of a USB drive, floppy disk or a partition on the destination server.” Hmmm….
- USB drive is a no-go on the ESX server.
- Let’s put it on a 2nd virtual hard disk. No, the migration installer didn’t “see” it.
- OK, let’s put it on a virtual CD drive. No. It didn’t see it again.
- Finally, I went to the extra hassle of putting it on a virtual floppy. Success!
The blow by blow follows:
No tool like an old tool
Administration Tools Pack gets a refresh
Another eNerd called me yesterday wondering how to let a non-admin user at his client’s business have access to their virtualized server. The hope was to have the vSphere Client locked down in some way.
When I asked what the user needed to do, it was “Manage users and reset passwords and such.” I realized then that this was not a VMware access issue at all, but a Windows Server rights issue.
In fact, this can readily be handled by the Microsoft Management Console (MMC) which can be installed on the user’s workstation – no need to give the user login to the Windows or VMware server at all.
This is not a new trick by any means, but is one worth remembering.
Also, I’ll add that there is now a version for Windows 7 (Win7) and Vista, in both 32 and 64 bit flavors. (Sorry, they don’t let this run on “Home” editions of Windows.) The following give some details.
Level Platforms install does it all, but must add MWService to admin groups

Summary:
While installing Level Platforms (LPI) Onsite Manager onto a Windows Server 2003 (a member server running as an ESXi guest and added to an SBS 2003 domain) all went well, but one service would not start. The final solution was that the MWService account did not have sufficient permissions. LPI tech support said to add that account to Administrators, Domain Administrators and Enterprise Administrators. This solved the problem.
Details:
Setting incoming SMTP port on SBS / Exchange
Having set up my SBS server some time ago, I couldn’t remember where I had set the incoming port number (falsely called 65535 here.) I find the button that pops open the dialog box for this quite forgettable, so I’ll document this here hoping to help someone — me included — in the future.
Running TCPView from SysInternals shows that inetinfo.exe is listening on port 65535.
This was set in Exchange System Manager, drilling down seven levels to the SMTP-Default, right-clicking Properties, Advanced and editing the incoming port number. By default, this is port 25 for SMTP.

Dial-a-fix allows Windows Update to succeed
Some fellow Nerds were discussing the problem of Windows Updates having patches that refused to install. Nerds Todd Myles and Barry Ball suggested Dial-a-fix (http://wiki.djlizard.net/Dial-a-fix).
I had been having the same issue with an install of Small Business Server 2003, so I decided to try this out. It worked quite well and took very little time. A great utility.
Below are the screen shots showing the blow-by-blow.
99% isn’t good enough for a burned CD-ROM from an ISO – Using CRC305.EXE

In this post, I tell how to detect if a Windows installation CD is bad using the CRC305.EXE.
Recently I again downloaded Microsoft’s Small Business Server 2003 CD ISO images and began burning them to CD on my laptop. To be sure they’re good, the MS download manager checks that the CRC values check. I have the Sonic software verify the CD after the burn to make sure it’s burned properly. Should be okay, right?
Nope.

Ran through two complete installations of SBS only to find during and after CD #4 there are setup errors. The first indicates that a file for what appears to be a Korean help file just doesn’t exist. It’s one of two files, so I tried just copying and renaming the one file to be the name it wanted for the second file. I knew this was cheating, but what are the chances I’ll ever want help in Korean? It continues on until a final error indicates it cannot proceed. The errorlog.txt file showed numerous errors besides this one.
After re-burning CD 1 at a slower speed, I found I had the same error. I downloaded and ran CRC305.EXE from Microsoft’s web site and ran it against the CD on my laptop. It indicated that it was good. However, running it on the server on which I was trying to load the CDs indicated that ALL of the CDs had an error after the 99% point!

So I burned the CDs on THAT machine (yes there was a lot of time involved with this!), ran CRC305.EXE on that machine and it showed that the disks passed. I was able to install the complete system with the new CDs without errors.
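An added example, not part of the original post and not a reimplementation of CRC305.EXE: a full-length byte comparison of a disc read-back against the downloaded ISO, run on the machine that will actually read the disc, reports exactly where the two diverge. The file names and the simulated read-backs are constructed for illustration.

```python
import hashlib
import os
import tempfile

SECTOR = 2048  # data bytes per CD-ROM sector


def compare_to_iso(iso_path, readback_path, chunk=512 * SECTOR):
    """Byte-compare a disc read-back with the source ISO over the ISO's
    length (trailing padding is ignored); report the first bad offset."""
    size = os.path.getsize(iso_path)
    sha, offset = hashlib.sha256(), 0
    with open(iso_path, "rb") as iso, open(readback_path, "rb") as disc:
        while offset < size:
            want = iso.read(chunk)
            if not want:
                break
            try:
                got = disc.read(len(want))
            except OSError:  # unreadable sector: reported at this chunk's start
                got = b""
            if got != want:
                # First differing byte; a short read "differs" at len(got).
                pairs = enumerate(zip(want, got))
                n = next((i for i, (a, b) in pairs if a != b), len(got))
                bad = offset + n
                return {"ok": False, "first_bad_offset": bad,
                        "percent": round(100.0 * bad / size, 2)}
            sha.update(want)
            offset += len(want)
    return {"ok": True, "first_bad_offset": None, "percent": 100.0,
            "sha256": sha.hexdigest()}


def demo():
    """Constructed data: a 1000-sector image and three simulated read-backs."""
    image = os.urandom(1000 * SECTOR)
    tail_fault = bytearray(image)
    tail_fault[995 * SECTOR] ^= 0xFF  # one flipped byte at 99.5%
    cases = {"good_padded": image + bytes(150 * SECTOR),
             "tail_fault": bytes(tail_fault),
             "short_read": image[:990 * SECTOR]}  # read stops at 99%
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        iso = os.path.join(tmp, "source.iso")
        with open(iso, "wb") as f:
            f.write(image)
        for name, data in cases.items():
            path = os.path.join(tmp, name + ".img")
            with open(path, "wb") as f:
                f.write(data)
            results[name] = compare_to_iso(iso, path)
    return results
```

A verify pass that stops short of the last sectors would accept both failing cases here; comparing over the ISO's full length does not.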
Windows 2003 Small Business Server – Client Setup
For posterity’s sake, here are the screen shots for setting up client computers from an SBS server. I decided to include the initial user setup which provides for an automatic “next step” of setting up the computer. So there are two “push” parts: User setup and client computer setup and two “pull” parts: Assigning user to the computer / migrating their profiles and installing software via the Client Setup Wizard.
Part I
WSUS Continued
All updates applied late last night and it’s a new sunny day with the light glimmering through the ice on the trees. So before I head out for a nature walk, let’s try this WSUS (is this pronounced “wuss”?) again.
First off, there is no indication that it’s been added by looking through the Admin Tools. Let’s add that MMC 3.0 update, labeled obscurely enough WindowsServer2003-KB907265-x86-ENU.exe. Even when you run it, there’s no mention of what it’s doing. The KB 907265 article does have this note:
How to enable the new Add/Remove snap-in dialog box
Note The registry settings that are listed in this procedure to enable the new snap-in dialog box are optional. The old snap-in dialog box works fine if the new one is not enabled by using these registry settings.
1. Click Start, click Run, type regedit, and then click OK.
2. In the left pane, locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC
3. On the Edit menu, point to New, and then click Key.
4. Type UseNewUI as the new name, and then press ENTER.
Course I had to do the regedit. There is a marked difference. It’s no longer a two step:
Notice that I’ve added the Update Services snap-in. That indeed is a new option since it’s not on redboot69. Seems like you can only add to Console Root. Wait, what’s that Advanced… button?
Ok. I think I will allow changing the parent snap-in. Now you use a snap-in called folder to add a folder. Odd! Still can’t see how you’d add another root node. Nor give “Folder” a new name!:
Aha! After you close this Add dialog, you can rename the folder, the Console and save it as an .msc file. This is an improvement, though there are some snap-ins, like GP Mngmnt, that need a whole screen and don’t lend themselves to being confined. Here’s how I’ve laid out the MMC with some common snap-ins, with the WSUS selected:
Now to add the ReportViewer (which is actually called ReportViewer.exe). Done. Why do I get the feeling they could have used a PDF reader? We’ll see…
Now to try the WSUS. A lot on the screen, I notice at the top about Options.
Holy cow! Do we have OPTIONS!:
You’d think it would be time to crack open the documentation, but wait… The LAST one is the WSUS Server Configuration Wizard which does all of them. Let’s try it…
Okay, I just clicked Next and accepted all defaults and now it’s trying to connect to the Upstream Windows Update server. It’s trying… I’m waiting… I’m getting a snack… Kinda strange, it doesn’t say it’s done, but the Next button becomes active.
Choosing what products to include was thought-provoking. Not sure what some of these things are. Proceeding to change synchronize every day around 1 am. Then next gives me:
Guess I’ll have to start thinking about these things.
I looked at the synchronize screen and it had one success and then a failure. When I try a manual sync I get an error in 5 seconds. Can’t figure out why. The Step-by-step guide says that any firewall must be open to outbound 80 and 443 which of course is no problem. If I try to ping the listed sites (like windowsupdate.microsoft.com or even www.microsoft.com) I get no response (though it’s clear that DNS returns the IP). Apparently MS does not allow pinging as I get a response when I type these into IE.
Turns out this issue was mentioned in the last day or two on the forum. I unchecked Office 2007 and clicked to manually sync and voila! Off it went. My disk light’s been glowing ever since. Speaking of disk, right now the E:\WSUS folder is at 203MB and gaining a MB every 10 seconds.
The system speed is much slower. sqlserver.exe was using 165MB of memory and wsusservice.exe was using 43MB. (Total is 512MB) and were using a fair number of CPU cycles, too. Trying to change the process priority to below average was not allowed. System Idle Process was typically using ~75% of the cycles.
I wasn’t sure which updates to check since I was concerned that if I checked a classification that I didn’t need to, I’d be downloading gigabytes of junk. One type that I avoided was Update Rollups.
Turns out there is an almost-Y2K issue with Daylight Savings Time being changed this year. Most systems that accommodate DST hard coded the 1st weekend in April. But legislatures changed it to March. That’s going to screw up a lot of timekeeping devices. What’s this got to do with WSUS? Look at this recent post from the WSUS blog:
Hi WSUS Admins – Just a reminder, the DST update made available to your WSUS servers today (KB931836) is classified as an update rollup so AU and SMS/ITMU pick it up too. For WSUS that means, you’ll want to make sure either to modify your auto approval rules (if you use them), or remember to approve this update manually.
So, I’ll need to check the Update Rollups (I think my mom used to make those) in order to get them automatically. Note the note in the image above, I can’t change classifications during a sync.
Update on the intranet: WSUS RC 1 setup

Yes, it’s patch Tuesday and what better time to investigate the yet-to-be-released Windows Server Update Services.
I found a blurb on this in Technet. It didn’t say much, so I went over to MS and turns out you have to apply and go thru a survey to be considered. They considered me worthy and I proceeded to download the code and documentation. When I tried to see the keys, they said there were none. Hmmm.
Trying to install, it says I needed IIS installed. So I did this and restarted. It says I should have MMC 3.0 and Report Viewer Control. I didn’t know there was an update for the former and can’t say I’ve heard about the latter. No suggestions were offered as to how I might obtain these. It seems to be letting me proceed. I looked and found these on the MS site and am downloading them (Patch Tuesday is a real slow time to try and download from MS!)
Next, it wants at least 6GB of space to store updates for client computers. Wouldn’t you know the server I’m setting this up on has the least disk space of them all, but I’ve got 13GB on a volume I can spare. I’ll let it default to E:\WSUS.
Now it wants SQL Server installed or needs 2GB to set up an embedded version of SQL Server. I’ll let it do that in E:\WSUS (again, the default.)
NOW it’s getting into the IIS thing. (I was hoping to minimize the screenshots since I’m running the server over Remote Desktop, but was surprised to see that an Alt-PrtSc actually works pretty well.)
I’m leaving this as is for now. It went thru a setup for many minutes and finished successfully. Still when I clicked OK, I got a major error:
Could it be because the other user is doing Win Updates at the same time? I’ll finish those and reboot the server.
Dare I try the VPN setup?
What the heck, let’s see what happens when I set up a VPN.
Here’s what DHCP leases looked like before:
RRAS is already installed and running since it’s been set up as a double headed server. I click Manage this remote access server and it just takes me to the Snap-In for RRAS.
On the Redboot68 server icon, I right click and select Properties. I click the checkbox to turn on the Remote access server.
Then I right click Ports and the Wan Miniport (PPTP) and Configure. I check the Remote access connections (inbound only) and click OK.
Nothing much is happening. I thought there was a Wizard for this.
I mess around with a few more things like the routing firewall. I think I’d better let this be and try to go through the RRAS Wizard for setting this up.
More putzing with the new server
I want to try out the CrossLoop client stuff tonight and the ISA web filter, too.
But first, let’s get caught up on the crumby stuff I had to do to get here.
Well, that required password setting was getting pretty wearisome, so I disabled it, only to find that it was still in effect, despite running gpupdate. Man that’s irritating.
I set up a new GPO called “IE7 Settings” but couldn’t find a darn thing I wanted to set. I was going to force on the phishing filter, but that’s not an option (though turning it OFF is.)
I also put in place a “Lockdown Desktop Features” GPO and tried setting only this:
But then it wouldn’t let me login! I turned off ALL of the Default Domain Account stuff and try to change otto’s password and I still get:
So I’ll try to turn it off directly from Default Domain Security Settings. The only thing left to turn off is the Account Lockout. Let’s try the Default Domain Controller Security Settings. Nope, none there. Let’s try giving otto a goofy password. One that MEETS the requirements works! I’ll re-login and see if that makes a difference. Nope. Even resetting the server did NO GOOD. What finally worked was going in to the Password Complexity and changing it from “Not defined” to “Disabled.” I could then immediately change the otto password.
As to the GPO, once I logged in, an icon I purposely put on the desktop is still there. But then, the fast startup features sometimes require two logins to activate a GPO. Sure enough, when I logged otto out and in, the icon disappeared. Let’s try clicking “Enforced” on the OU’s GPO so it’s UNchecked. I run gpupdate and log back in. Nope, no icon. I logoff/on again. Still nothing. I run gpupdate on the client and logoff/on. Still nothing. I notice that I can’t even right click on the desktop. These GPOs STICK! I’m going to try a reboot. Still STUCK. I’ll try unchecking the Link Enabled. That WORKED! Now I’ll try re-linking it. Yep, that activated it. So I STILL wonder what that “Enforced” means??? (Looks like that is a facility to prevent overriding at some level. Printing out more info on that now.) But I have proven that it is the “Enable Link” that is the key here. Unlinking seems to basically be a way to disable it and is one step short of deleting it from the OU (NOT the stockpile of available GPOs.)
I wanted to remove the default setting of audit logging all SUCCESSFUL account logons. This seems a little odd since entries are being added continually, especially for the system logging in/out all the time. I saw about 10 entries a minute last night and I wasn’t doing much. A user logging in seems to create about a dozen. So I turned it to audit Failure account logons. I noticed that there are many other success audit entries and I may have to zap these, too. By the way these are at the Domain Controller level.
Yikes, yes there are still WAY too many entries for my taste. Here is what the default settings WERE:
Now, the settings I think I’ll go with ARE:
To try it out, I went to the client and Ctrl-Alt-Deleted to try to change the password and got an Account Management failure, Event 627, which gives me the user and the computer. Sweet!
I also tracked down a kb article titled “How to configure an authoritative time server in Windows Server 2003” at: http://support.microsoft.com/kb/816042
How confusing! In XP you click on a tab and a button and you’re done. Here they want you to edit a bunch of registry entries.
Notice I’m out of time and I didn’t get to the two things I wanted to. Oh, well!
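An added example, not from the original post: with failure-only auditing as chosen above, repeated failed password changes (Event 627) by the same user on the same workstation can be picked out of an exported Security log. The CSV column layout, the timestamps and the second user and workstation are constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows (not real log data); the column layout is an
# assumption about how the Security log was exported to CSV.
SAMPLE = """time,type,category,event_id,user,computer
2007-02-20 19:01:10,Failure Audit,Account Management,627,otto,REDBOOT67
2007-02-20 19:01:40,Failure Audit,Account Management,627,otto,REDBOOT67
2007-02-20 19:02:05,Failure Audit,Account Management,627,otto,REDBOOT67
2007-02-20 19:30:00,Failure Audit,Account Management,627,anna,REDBOOT66
2007-02-20 21:15:00,Failure Audit,Account Management,627,anna,REDBOOT66
2007-02-20 21:16:00,Success Audit,Account Management,627,anna,REDBOOT66
"""


def repeated_failures(rows, event_id="627", threshold=3,
                      window=timedelta(minutes=10)):
    """Return {(user, computer): n} for pairs with at least `threshold`
    Failure Audit events of `event_id` inside one sliding `window`."""
    times = defaultdict(list)
    for row in rows:
        if row["type"] == "Failure Audit" and row["event_id"] == event_id:
            stamp = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
            times[(row["user"], row["computer"])].append(stamp)
    alerts = {}
    for key, stamps in times.items():
        stamps.sort()
        start = best = 0
        for end, stamp in enumerate(stamps):
            # Shrink the window from the left until it spans <= `window`.
            while stamp - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[key] = best
    return alerts


def demo(threshold=3, window_minutes=10):
    """Run the check over the constructed sample above."""
    rows = csv.DictReader(io.StringIO(SAMPLE))
    return repeated_failures(rows, threshold=threshold,
                             window=timedelta(minutes=window_minutes))


if __name__ == "__main__":
    print(demo())
```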
GPO setup

First to install the GPMC. I have this on a CD for just such times. It installs quickly and put a Group Policy Management icon in the Administrative Tools menu.
The defaults that were set up are shown (though I had changed the days from 1 to 0 for Minimum Password Age):
I printed all of this AND the Default Domain Controller to a paper log. I created two GPOs, one for the RIT Cptrs OU called “Require automatic updates daily” and one for the RIT Users OU called “Desktop efficiency.”

Yikes, so now I’ve added the computer account redboot67 and go to the PC to give it that name and it tells me it’s already setup so it will use the old name. Sheesh!
It went ahead and added this to the domain using this screwy name. Then I deleted the redboot67 computer from the RIT Cptrs OU and tried to change the computer name. I got no “Welcome to the risky.local domain” but then I got no message. But when I tried to re-add it I got a message saying the pre-2000 (NetBIOS I suppose) name still exists. There is no WINS server, so I wonder where this is stored?
Tried using nbtstat with various options and it didn’t show it anywhere. BUT, then I went back to the AD Users and Computers and pressed F5 and the garbage name changed to redboot67. So, I moved it to the OU. BUT, WHY wouldn’t it let me add the computer that had already been added thru AD Users and Computers???
Also, how can I give a domain admin full admin rights to any client XP workstation??



