The Bit Bucket

Friday, June 30, 2006

VMWare Server functionality

I suspect that, for many of you as for me, VMware plays a big part in testing new apps/systems and other fun toys that are released on an almost daily basis.

For some time now I've been using VMware Workstation. Workstation's ability to create network teams and multiple snapshots can be quite invaluable. The only functionality missing is the ability to run Workstation on a server and connect to it via a console or web page.

GSX (now VMware Server) has this functionality and is freely available. Taking the plunge, I removed VMware Workstation and have started using the free VMware Server. For me, the ability to connect to the server via a web page and control my machines outweighs the very small disadvantages.

In fact, because of the way VMware networking can be configured using custom adapters, it's quite easy to create a VERY similar level of functionality in VMware Server to what already exists in VMware Workstation.

I use VMware to do a lot of scenario-based testing: what happens if X occurs on a network, and so on. VMware Server will continue to allow me to do this, but I also want to build a test network inside VMware linked to my production network via a firewalled Linux server (also a VMware box). It should be an interesting exercise and provide plenty of material for this blog!!

Thursday, June 29, 2006

Deploy MS06-025 if you have not done so

Microsoft have just issued an official security advisory telling folk to install MS06-025 if they have not done so.

Exploit code for this vulnerability has been released and is publicly available.

MS06-025 patches a couple of security holes in the RRAS (Routing and Remote Access) service on Windows 2000, XP and 2003 machines. There are some caveats to be aware of, and these are documented in Microsoft KB 911280.

This patch replaces some interesting files such as ipsec.sys, so if you're using RRAS for VPN-style work you will need to do some additional testing.

More information as it comes.....
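A quick way to find out which of your boxes actually matter here is to check two things together: is KB 911280 installed, and is the RRAS service running at all. The script below is an added example and not from the original post; it uses only the WMI classes present on Windows 2000/XP/2003 (Win32_QuickFixEngineering and Win32_Service). The KB number comes from the advisory; the RRAS service name "RemoteAccess" and the computer name parameter are my assumptions for illustration.

```powershell
# Added example, not from the original post: report whether a host has the
# MS06-025 update (KB 911280) installed and whether RRAS is running, so you
# can prioritise patching where the vulnerable service is actually exposed.
function Get-Ms06025Status {
    param([string]$ComputerName = '.')

    # Installed hotfixes are listed by KB article id in Win32_QuickFixEngineering.
    $fix = Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $ComputerName |
        Where-Object { $_.HotFixID -eq 'KB911280' }

    # RRAS runs as the "RemoteAccess" service; a stopped service is not reachable.
    $rras = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName `
        -Filter "Name='RemoteAccess'"

    $patched = [bool]$fix
    $running = ($rras -ne $null) -and ($rras.State -eq 'Running')

    $installedOn = $null
    if ($fix) { $installedOn = @($fix)[0].InstalledOn }
    $rrasState = 'not present'
    if ($rras) { $rrasState = $rras.State }

    $status = New-Object PSObject
    $status | Add-Member NoteProperty Computer    $ComputerName
    $status | Add-Member NoteProperty Patched     $patched
    $status | Add-Member NoteProperty InstalledOn $installedOn
    $status | Add-Member NoteProperty RrasState   $rrasState
    # Worst case: the service is up and the fix is missing.
    $status | Add-Member NoteProperty AtRisk      ($running -and -not $patched)
    $status
}

# Example use against the local machine; pass -ComputerName to check a remote box.
Get-Ms06025Status | Format-List
```

Because the update was re-released, a host can show the KB as installed and still need the revised package; treat "Patched" as a triage signal and confirm the file versions listed in the bulletin on anything that runs RRAS for real.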

Wednesday, June 28, 2006

Password Policies on Domain Controllers

Many times now I have seen the same erroneous answer to the question "How can I give people in different OUs different password policies?"

You cannot.

Password policy is a function of the DOMAIN policy and not an OU policy. In a Windows 2000 or 2003 domain the password and lockout settings are stored as attributes of the domain object itself (minPwdLength, maxPwdAge, pwdHistoryLength, lockoutThreshold and so on), so there is exactly one set per domain; a Password Policy defined in a GPO linked to an OU does not touch domain accounts at all (it only changes the local SAM policy of the member computers in that OU). Therefore you need to think carefully about your password policies, because this will affect your Active Directory design considerations. (Windows Server 2008 later added fine-grained password policies, which change this; everything here describes Windows 2000/2003 domains.)
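The quickest way to convince someone is to read the policy back from where it actually lives: the root object of the domain naming context. The script below is an added example and not from the original post; it assumes a domain-joined session and uses plain ADSI (no Active Directory module), and the attribute names and DOMAIN_PASSWORD_* bit values are the ones Active Directory defines.

```powershell
# Added example, not from the original post: read the password and lockout
# policy that is actually in force for the current domain. The values are
# attributes of the domain object (the naming-context root), which is why
# there is exactly one set per domain and none per OU.
function Get-DomainPasswordPolicy {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $domainNC = $rootDse.defaultNamingContext.Value          # e.g. DC=A,DC=B
    $domain   = [ADSI]"LDAP://$domainNC"

    # Interval attributes are IADsLargeInteger values: negative counts of
    # 100-nanosecond ticks. Int64.MinValue means "no limit" (never expires /
    # locked until an administrator unlocks); zero means "not set".
    $toSpan = {
        param($largeInt)
        $ticks = $domain.ConvertLargeIntegerToInt64($largeInt)
        if ($ticks -eq [Int64]::MinValue) { return 'no limit' }
        if ($ticks -eq 0) { return 'none' }
        [TimeSpan]::FromTicks([Math]::Abs($ticks))
    }

    # pwdProperties is a bit mask: 1 = DOMAIN_PASSWORD_COMPLEX,
    # 16 = DOMAIN_PASSWORD_STORE_CLEARTEXT (reversible encryption).
    $pwdProps = [int]$domain.pwdProperties.Value

    $policy = New-Object PSObject
    $policy | Add-Member NoteProperty Domain                $domainNC
    $policy | Add-Member NoteProperty MinPasswordLength     ([int]$domain.minPwdLength.Value)
    $policy | Add-Member NoteProperty PasswordHistoryLength ([int]$domain.pwdHistoryLength.Value)
    $policy | Add-Member NoteProperty MaxPasswordAge        (& $toSpan $domain.maxPwdAge.Value)
    $policy | Add-Member NoteProperty MinPasswordAge        (& $toSpan $domain.minPwdAge.Value)
    $policy | Add-Member NoteProperty ComplexityRequired    ([bool]($pwdProps -band 1))
    $policy | Add-Member NoteProperty ReversibleEncryption  ([bool]($pwdProps -band 16))
    $policy | Add-Member NoteProperty LockoutThreshold      ([int]$domain.lockoutThreshold.Value)  # 0 = no lockout
    $policy | Add-Member NoteProperty LockoutDuration       (& $toSpan $domain.lockoutDuration.Value)
    $policy | Add-Member NoteProperty LockoutWindow         (& $toSpan $domain.lockOutObservationWindow.Value)
    $policy
}

Get-DomainPasswordPolicy | Format-List
```

If someone has linked a password-policy GPO to an OU, this output will not change when they edit it, which is the whole point: only the policy written to the domain object (normally by the Default Domain Policy GPO) counts for domain accounts.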

Monday, June 26, 2006

Newsgroups

I often wonder just how many people who 'found' the net after Tim Berners-Lee brought us the web actually know about newsgroups?

Well, newsgroups are still very much alive and well. There are several companies that have public news servers to allow folk to talk about specialist topics. I'm amazed just how many of these companies decide to host their newsgroups on IIS.

Whilst IIS does the job, it severely lacks functionality, has a VERY annoying bug and is clunky to migrate, even between the same version of IIS!!!

Hamster Classic is a free NNTP server for Windows that will sit quite nicely on your network and connect to multiple NNTP servers. It is very handy where you want to distribute a subset of external news groups (e.g. the public Microsoft ones) and host your own internal groups.

Hamster can do all this and more but it does have several down sides:

  • It doesn't install as a service.
  • It has no scheduling mechanism, so you need an external application to 'force' it to collect data from news servers and purge old data.
  • Most configuration is via text files.

Despite these annoyances, it's actually a very nice piece of software that, once configured, just sits there and works.

Friday, June 23, 2006

Tips for Active Directory Restores

Over the past few weeks I have had the chance to play with Active Directory Restoration and various failure scenarios. During this I have come up with a set of tips that I thought it would be worth sharing. If you have any more then please add them into the comments.

1. You should always have a MINIMUM of two domain controllers doing replication between them and they should be at different sites.

2. Should you ever need to restore the system state, you should only restore it to the machine it was backed up FROM. This is because the system state contains more than just Active Directory: it contains all the registry settings and more, so restoring system state to a different machine will overwrite the settings on that machine.

3. The only exception to tip 2 is when you restore the system state to a DIFFERENT location (a folder, not over the live system) in order to promote a new domain controller from another domain controller's system state (see tip 4).

4. DCPROMO /ADV is the command that lets you point the DCPROMO process at a system state restored to an alternate location, so the new DC is built from the backup instead of pulling the whole directory over the network. Microsoft calls this "install from media". It is not an authoritative restore: the new DC simply replicates in whatever is newer than the backup. A plain non-authoritative restore is different again: you restore the system state onto the DC it came from and let normal replication bring it up to date.

5. An authoritative restore cheats. It does not touch USNs; it raises the version number in the replication metadata of every attribute of the objects you restore by 100,000 for each day since the backup was taken (the default; NTDSUTIL accepts a verinc value to override it). Because the version number is what decides a replication conflict, the restored copy wins against every other DC's copy, including the deletion.

6. The Active Directory Database is called NTDS.DIT

7. It's helpful to understand Active Directory's replication model. Replication is multi-master: every DC writes changes into its own NTDS.DIT, stamping each with an increasing USN (Update Sequence Number), and replication partners pull any change whose USN is above the high-watermark they last saw from that DC. When two DCs have changed the same attribute, the copy with the higher version number wins, then the later timestamp. The PDC Emulator is not consulted for ordinary replication; its special role is passwords: password changes are pushed to it immediately, and a DC that is about to reject a logon checks with it first.

8. Depending on how your replication environment is configured (for example a site whose links only replicate on a schedule), it MAY be possible to jump onto another DC that has not yet received the deletion and still holds the live object. Boot that DC into DSRM and mark the object authoritative with NTDSUTIL, without restoring a backup first. Its version numbers are bumped as in tip 5, so when replication resumes the inbound deletion loses the conflict and the object replicates back out.

9. To recover Active Directory the server MUST be in Directory Services Restore Mode (DSRM). This mode is a variant of Safe Mode and means the Active Directory database is NOT loaded. You must log in with the logon name Administrator and the DSRM password you set during DCPROMO. This is the ONLY password stored locally on the domain controller (it belongs to the local SAM Administrator account, which is not used while the directory is running). It can be changed by following tip 17.

10. To recover the ENTIRE Active Directory database you type NTDSUTIL -> Authoritative Restore -> Restore Database

11. To recover an OU and everything under it you type NTDSUTIL -> Authoritative Restore -> Restore Subtree "OU=X,OU=Y,DC=A,DC=B"

12. To recover a single object you type NTDSUTIL -> Authoritative Restore -> Restore Object "CN=Z,OU=X,OU=Y,DC=A,DC=B"

13. When restoring objects you need to use the full distinguished name (DN), i.e. the whole path from the object down to the domain, such as CN=Z,OU=X,OU=Y,DC=A,DC=B above. Put quotes around it if any part contains spaces.

14. Acronyms used in distinguished Names:
CN is Common Name
OU is Organizational Unit
DC is Domain Component

15. It's possible to perform an authoritative restore WITHOUT being in Directory Services Restore Mode. To do so you need to set a flag with the following command:
SET SAFEBOOT_OPTION=DSREPAIR
Attempting this type of restore is NOT recommended. It's much cleaner and safer to be in Directory Services Restore Mode.

16. NTBACKUP has a bug. If your NTDS.DIT database is on any drive other than C: you must back up a file on the same drive NTDS.DIT lives on. For example, if NTDS.DIT lives on the G: drive then you must back up ONE OTHER file on G: otherwise it won't work.
The bug is documented here.

17. You can change the Directory Services Restore Mode password by using the following command:
NTDSUTIL -> SET DSRM PASSWORD -> RESET PASSWORD ON SERVER NULL
(use the DC's name instead of NULL to change it on a remote DC). You will then be prompted for a new Directory Services Restore Mode password.
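The step that usually goes wrong in tips 12 and 13 is getting the exact DN of an object that no longer shows up anywhere. The deleted object still exists as a tombstone in CN=Deleted Objects, and the tombstone remembers where it came from, so the DN can be rebuilt before you boot into DSRM. The script below is an added example and not from the original post; it assumes a domain-joined session and the .NET System.DirectoryServices classes, and the account name "jdoe" is made up for illustration. It also checks the forest's tombstone lifetime, which is the oldest a backup may be for the restore to work.

```powershell
# Added example, not from the original post: rebuild the DN that ntdsutil's
# "restore object" needs from a deleted account's tombstone, and work out
# the oldest backup that is still inside the tombstone lifetime.
function Get-DeletedObjectRestoreInfo {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)

    $rootDse  = [ADSI]"LDAP://RootDSE"
    $domainNC = $rootDse.defaultNamingContext.Value
    $configNC = $rootDse.configurationNamingContext.Value

    # Tombstones are invisible unless the search sends the "show deleted objects"
    # LDAP control; DirectorySearcher does that when Tombstone is set.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$domainNC"
    $searcher.Tombstone  = $true
    $searcher.Filter     = "(&(isDeleted=TRUE)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]('distinguishedName', 'lastKnownParent', 'whenChanged'))

    $hit = $searcher.FindOne()
    if ($hit -eq $null) {
        throw "No tombstone for '$SamAccountName': it never existed, or the tombstone lifetime has expired."
    }

    $tombstoneDN = [string]$hit.Properties['distinguishedname'][0]
    $lastParent  = [string]$hit.Properties['lastknownparent'][0]
    $deletedAt   = [datetime]$hit.Properties['whenchanged'][0]   # last write, i.e. roughly the deletion time

    # A tombstone RDN looks like "CN=jdoe\0ADEL:<guid>"; the original RDN is the
    # part before "\0ADEL:". (An RDN containing an escaped comma would need
    # smarter splitting than this.)
    $rdn        = ($tombstoneDN -split ',', 2)[0] -replace '\\0ADEL:.*$', ''
    $originalDN = "$rdn,$lastParent"

    # The tombstone lifetime is an attribute of the Directory Service object. When
    # it is unset the forest default applies: 60 days for forests created on
    # Windows 2000/2003, 180 days for forests created on 2003 SP1 or later.
    $dsObj = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
    $tsl   = $dsObj.tombstoneLifetime.Value
    if ($tsl -eq $null) { $tsl = 60 }   # assume the conservative default

    # What you type inside DSRM; the DN is quoted in case it contains spaces.
    $dsrmCommands = @(
        'ntdsutil',
        'authoritative restore',
        "restore object `"$originalDN`"",
        'quit',
        'quit'
    ) -join "`r`n"

    $info = New-Object PSObject
    $info | Add-Member NoteProperty OriginalDN         $originalDN
    $info | Add-Member NoteProperty TombstoneDN        $tombstoneDN
    $info | Add-Member NoteProperty DeletedAt          $deletedAt
    $info | Add-Member NoteProperty TombstoneLifetime  $tsl
    $info | Add-Member NoteProperty OldestUsableBackup ((Get-Date).AddDays(-$tsl))
    $info | Add-Member NoteProperty DsrmCommands       $dsrmCommands
    $info
}

# Example use (made-up account name); run on a live DC before booting into DSRM.
Get-DeletedObjectRestoreInfo -SamAccountName 'jdoe' | Format-List
```

Run this first, on a DC that is still up, and take the printed DN and command list with you into DSRM; note that the backup you restore in DSRM must be dated after OldestUsableBackup, or the restored objects will be older than the tombstones and the restore will be refused or will not replicate cleanly.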

Thursday, June 15, 2006

TV Theme Music

Every now and then it's possible to come across a website that's pure nostalgic gold. TV Cream's top 50 TV themes of all time is just one such site.
This site has things like an extended version of the Terrahawks theme on it. If you remember programmes such as Terrahawks, Tales of the Unexpected and Sapphire & Steel then you just might waste an evening at this site.

Windows 2000/XP can't see entire Hard Disk Space

Several times now I have used big (greater than 128 GB) IDE hard disks in Windows 2000 and found that Windows cannot address more than 128 GB. This is down to the service pack level (48-bit LBA support needs SP3 or later; SP4 is current) and the simple fact that there is a registry value called EnableBigLba that needs to be set to 1.

The required registry value and its location are listed in the article on Microsoft's support site.


This really is one of those tweaks that's handy to have in an automatic build or in a Ghost image.

Wednesday, June 14, 2006

Bootable CD's in Nero

One of the really nice things about CDs is that they can be made bootable. Doing this is a slightly fiddly operation but worth the time.
Most of the autobuilds I create are written to an ISO file (for use in VMware) or burnt to CD (for use on physical hardware).

One problem I have tripped over several times is that selecting 'Bootable CD' from the Nero menu will not give you a bootable CD that works for a Microsoft autobuild. The default Nero settings will mangle the filenames and so break the installation.

The fix is quite simple, select the 'ISO' tab before you burn your bootable CD and make sure it's configured as follows:

Data Mode: Mode 1
File System: ISO 9660 Only
File name length: Max of 11= 8 + 3 chars (Level 1)
Allow path depth of more than 8 directories - TICKED
Allow more than 255 characters in path - UNTICKED
Do not add the ';1' ISO file version extension - UNTICKED

Tuesday, June 13, 2006

BETA's, BETA's everywhere!!

Microsoft have really been busy over the past month. We have had betas for Office 2007, which looks GORGEOUS, and I fully admit to being addicted to OneNote.

Vista is now in CTP and anyone can download it. I'm finding the front end a bit clunky, and I have yet to find out where to turn off all the nice processor-hungry fade effects, but overall it's, errm, well, it's an operating system. I'm not sure what exactly it brings to the table in terms of an O/S. I guess time will tell.

Interestingly enough, Vista doesn't use the unattend.txt file any more. This time it's all pure XML. At some point this week I will be putting together a test autobuild. It will be interesting to see how that all works.

Three Months.....

When I first started blogging I had this grand plan to blog something every few weeks, and now I notice it's been three months since I blogged. Not good.

Hmmmm.

From now on I will be a good boy and blog more often!