Windows Server

Looks like it's NOT 64-bit

Tim Robichaux — Wed, 29 Oct 2008 22:56:44 GMT

So, there's been all this hooplah (created by me) about the MacBook Pro that I'm using at the moment. I have been really enjoying my time spent with it, and I've been able to overlook some of the minor issues that I've run into. I do wish that it had more RAM. I do wish that Excel could open my timesheet. I do wish that I could easily sync offline files (Paul tipped me on a product, but I don't want to write about it until I've fully tested it).

Those are all small issues, but what I've run into now is bigger than that. Apparently, I am running a 32 bit operating system <pausing for the collective gasps>! I made the attempt to create a new virtual machine running Windows Server 2008, so that I could run a couple of the management tools that I can't run in OSX. My attempt resulted in this screen:

Shocking, I know. Now, I also understand that with a smaller amount of RAM in my system, it's really not a big deal to not have all 64 bits of addressable space, but the outrage is justified. In doing some research, I found out that the chip that was shipped was 64 bit CAPABLE, just not ENABLED. I'm not going to futz around and try and make it work, but that is something that I want to make sure my next hardware purchase can handle. I know this sounds silly, but I try to research these things, and I've walked away from buying hardware because it lacked a single feature that I wanted. NOTE: This should be taken with a hearty understanding that a) this is a WORK laptop and that I didn't pay for it and b) I am very grateful for the chance to use it and experience the goodness that is a MacBook Pro.

That all being said, I'm off to dig up my 32 bit version of Windows Server 2008 to install. Whee!

Mac Stuff

Microsoft ISA 2006

Tim Robichaux — Thu, 14 Aug 2008 23:01:57 GMT

Recently we picked up a big project in the Platform team. We were all excited about it, and pretty soon we were all working hard at making it a success. One of the things that was a little bit broken was that were trying to come up with a good way to make files available to customers and team members who were not local. Sure, the team members could VPN in, but the customers couldn't. We looked at a couple of solutions like Microsoft Groove and publishing a Sharepoint site, but everything seemed to have a problem or issue that we really didn't like. What we ended up deciding on as a solution was using our existing TeamPlain Web Access for Team System. We had used that solution before to give access to another client to access the bug tracking list for a code project and everyone seemed to be happy with how it turned out.

Projects were created, permissions assigned, and then the fun started.

It seemed that people were able to log into the system and navigate with no problem, but they couldn't download any of the files. I looked into TFS and TeamPlain and I couldn't find anything that would prevent this issue. Looking at the error that was coming up on the client, I thought that it looked a lot like an error tossed out by ISA 2006.

Error Code: 500 Internal Server Error. The request was rejected by the HTTP Security filter. Contact your ISA Server administrator. (12217)

After some googleing, I found that this error is often seen in OWA implementations behind ISA 2006 and there is an option in the HTTP configuration on the publishing rule in ISA that you can set to prevent this error. I whipped open the ISA Server Management tool and started right-clicking. The only problem was that the "Configure HTTP" option that should have been there on that rule was missing. When I opened up the rule, on the "Traffic" tab, I should have been able to click the "Filtering" button and get to the same setting (which the fix is, for the impatient, turning OFF the "Verify normalization" and "Block high bit characters"). This was something of a big problem since without that switch, I wouldn't be able to share these files in the way that we had decided.

Sidenote:
The problem with the file download, at it's root, seems to be that the title of the file has some extra characters in it. What is supposed to be a %20 in the URL gets converted to %2520 and ISA chokes on this and says, "Not YOURS, no file for YOU." As you can guess, this is a pretty big problem when trying to use the system to deliver documents and foster collaboration.

Back to ISA 2006. It didn't work. Now, I had been unhappy with our ISA server for quite a while. It never got patched right, and all sorts of odd things have happened with it. I couldn't troubleshoot it, since it was a production system, so I did the second best thing, I built a new one. I lovingly patched it, and coddled it and configured it the best I was able. The neat thing was that I created a bunch of test rules, and they DID have the options that I needed to configure. The final step was to import the rules from the old ISA server. Oddly, when I imported them, the RULE WAS BROKEN on the NEW server. After much swearing, I wiped ISA from the box and started over. This time, at the suggestion of our Head of IT, I took an exported set of the rules from the old (BAD) server and imported them into the (NEW) server AFTER making a backup of the rules that worked. This time, when I imported the rules from the old server, everything WORKED.

I've been working with Microsoft products for a number of years, and this kind of behavior is quite common. I remember installing Windows 2000 Professional on the same hardware a couple of different times and getting different configurations each time. I wasn't surprised, but I was just glad that it worked. After some more configuration, I thought that I had everything the same as the existing firewall, and after some convincing of the Head of IT, at 6:00PM we switched over to the new system. The only problem that I was able to find was this morning, VPN was broken and one of the sites (http://getsharp.3sharp.com) was unreachable.

Now, I don't have VPN totally ironed out (I just switched us back to PPTP which is FINE when you are using strong passwords, which we are), but it looks like everything is doing well. Just because I am so happy about these, I will now list the things that used to be broken that now work:

Pandora Internet radio.
Performance Monitor on the ISA machine
Updates and patches on the ISA machine
File transfers using the TeamPlain web access

So, next on my list of things to do is building a new Edge server for our OCS deployment. We have been having some issues with this and it's due to us running out of IP addresses. I just got 13 more, and I'm totally pumped about the stuff we'll be able to publish with them!

Windows Server 2008 Core

Tim Robichaux — Thu, 19 Jun 2008 18:25:03 GMT

I just recently started on my journey to learn about and build a server based on Windows Server 2008 Core. I've installed the bits and I'm just now starting to get into the configuration. The first thing that I had to do was change the hostname:

netdom renamecomputer <OldName> /NewName:<NewName>

This gave me a much easier way to refer to the computer (the auto-generated name was WIN-<LongString>, the new name is griddle). The second thing I did was to enable remote administration by setting the firewall rules to allow the remote administration:

netsh advfirewall firewall set rule group="Remote Administration" new enable=yes

In my reading, I found that you can enable or disable the ability to remotely administer each set of servies individually (e.g. File Sharing, or Hyper-V), but since I'm just playing around, I opened them all up. The next part of the equation was to enable the Remote Desktop. I really haven't looked too far into this, but one of the things that I really like about the Linux distributions that I've worked with was that once I've set them up, I turn on ssh and then I can just connect directly to the command line in a secure and user friendly manner (well, friendly to me). I haven't found out how to do this in Server 2008 Core yet, so I'll stick to using a command prompt window in a GUI for now. To do this, we have to change the registry and then open the firewall:

cd C:\Windows\system32
cscript scregedit.wsf /ar 0
netsh firewall set service type=remotedesktop mode=enable

The main reason why I like to use ssh or Remote Desktop is because I spend a lot of time doing things that I'll only do once or twice to any particular machine. To make it easier, I like to plan out what commands I'm planning on running and then putting them in a text file. Then, I can just copy and paste, line by line, when I'm sure I have everything I need. That it a lot easier than trying to remember a sequence of commands and switches and options. The second (and to me, more important) reason why I do it this way is that I LOVE to multitask. It is quite rare that I ever have fewer than 3 remote server connections going at any time, along with a couple of instances of Internet Explorer, Excel and Word. Not to mention Outlook, Notepad++, Office Communicator, Pidgin, Powershell, and assorted others.

Well, that is the current setup of my Windows Server 2008 Core. The next steps will be to install Active Directory services, Hyper-V, and everything else I need for a little lab environment.

Note: I would prefer to have the AD server be running on a host, but I've been advised that it's not wise to have the host joined to a Domain Controller that is running as a guest. It's fine for the DC to be virtualized, but you want to make sure that you have a DIFFERENT DC running somewhere as well.

DPM - Pick Your Cleaning Tape Well

Tim Robichaux — Wed, 18 Jun 2008 18:51:14 GMT

Some important things to note when using DPM. If you are told that the drive needs to be cleaned, you need to make sure that you put the right cleaning tape in there. When we got our new Autoloader (Quantum SuperLoader 3 with a DLT-V4 drive), we ordered all of the tapes we needed, including several cleaning tapes. Once the SuperLoader was loaded, we started to run with DPM and configured Agents and Disks and all the assorted sundries that a good backup scheme needs. (If you want to know more about setting DPM, I recommend this book)

Once things were setup, I noticed that the drive was reporting that it was in need of cleaning. Loading a cleaning tape through the mailslot, I followed the standard procedure of attempting to clean the drive. For some reason it kept failing, and I couldn't figure out why. After three or four attempts, I pulled the tape out and took a really good look at it and then looked at the packaging. Almost at once I saw that it was not the right cleaning tape; we had been sent the wrong tapes. Wanting to get things up and running we RMA'ed the bad tapes and overnighted the good ones. It turned out that they only had one of the tapes we needed in stock, so we had them ship it anyway.

Now that I had the right tape, I ran the cleaning procedure again, and the gnarly orange light on the front panel went away, and the LCD reported that all was well. This was not the case, however, as every tape operation I tried in DPM failed. Erase, Clean, Create Restore Point On Tape, all returned errors that the device was not ready. I tried rescanning. I downloaded the diagnostics from Quantum. I tried power cycling. Nothing worked.

As I dug further into the problem, I found that there weren't many people who had similar problems so as a last resort, I started to look up the actual error codes that I was getting. Most of them appeared to be generic errors, but when I searched for one particular error (24052), the first result from Google caught my attention.

Google Search on the Error

Looking through the post, it seemed that this person was having the same problems that I was having, but with different hardware.

Forum post that contained the information

It appears that this is not a problem with the hardware or the tapes, but rather a bug in DPM. For some reason, it looks like what is happening is that in the DPM database, when you try to clean using an incorrect cleaning tape (or the cleaning fails, I suppose), the "OperationOccuring" state in the "tbl_MM_Drive" gets stuck in a state (state 3, whatever that is) that prevents DPM from seeing that device as ready to use, even though in the Management tab, the device is being reported as idle.

While I hate to hack a database to fix a problem, that seemed to be the quickest way, so taking the advice of the post, I whipped out my l33t SQL skillz and ran an update to that row that changed the state to "0".

UPDATE tbl_MM_Drive
SET OperationOccuring = 0
WHERE DriveID = '<My Device's GUID>'

Once this code was executed, I re-scanned the Library in DPM and then erased a tape as a test. It worked, and I danced around the office, just a bit (everyone else was gone by this point).

While this is not a thing that most people would come across in the day-to-day operation, it is something that was almost a show stopper for us. Backups are extremely important- I've already used DPM to restore some accidentally deleted files -and for our peace of mind we need those tapes for off-site archiving. This fix took me a while to find, simply for the fact that ruling out the autoloader and drive takes a lot of time. Now that it's out there, I hope that anyone else who has this problem has a quicker time!