IT Core Blog

Never stop questioning. Curiosity has its own reason for existing…

Archive for January 2010

Cloud Computing Security Considerations


Microsoft document for cloud computing security:

“A high-level discussion of the fundamental challenges and benefits of cloud computing security, plus some of the questions that cloud service providers and organisations using cloud services need to consider when evaluating a new move, or expansion of existing services, to the cloud. This document presumes that the reader is familiar with the core concepts of cloud computing and basic principles of cloud security. It is not the goal of this paper to provide all the answers to the questions of security in the cloud or to provide an exhaustive framework for cloud security.”

Written by IT Core

January 29, 2010 at 12:03 AM

Posted in Documentation


Licensing Microsoft Server Products in Virtual Environments


For those of you who run Microsoft solutions in virtual environments, check the updated Microsoft documentation on Licensing Microsoft Server Products in Virtual Environments.

This white paper describes Microsoft licensing models for the server operating systems and server applications under virtual environments. It can help you understand how to use Microsoft server products with virtualization technologies, such as Microsoft Hyper-V technology, Microsoft Virtual Server 2005 R2, or third-party virtualization solutions that are provided by VMWare and Parallels.

Although much of the information in this white paper also applies to licenses that are purchased from channels other than Microsoft Volume Licensing, some differences exist. If you acquired licenses through a means other than a Microsoft Volume Licensing agreement, we recommend that you review the license terms that accompanied your software.

Written by IT Core

January 28, 2010 at 11:56 PM

Restoring Windows XP and 2003 to Windows 7 and 2008


Many people have asked Microsoft for a tool/update like this one. The reason is simple: they need to restore backups from Windows XP/2003 to the new Windows 7/2008 R2. As usual, Microsoft gave them what they asked for. Now it’s even simpler to do the migration from XP/2003 to Windows 7/2008 R2.

Utility for restoring backups made on Windows XP and Windows Server 2003 to computers that are running Windows 7 and Microsoft Windows Server 2008 R2.

– Download the 32Bit version of KB974674
– Check the 64Bit version of KB974674

Go for it… 🙂

Written by IT Core

January 28, 2010 at 11:49 PM

Domain Controllers and Active Directory Domains Part 2


After “How to create the first domain controller in Active Directory Part 1”, it’s time to consider adding an additional domain controller to your domain.

Why should you consider that?

Redundancy: If you have more than one DC for a given domain, you can provide better redundancy for users, computers and apps. Apart from Active Directory redundancy, you may also have additional roles on those DCs that you want to keep available in case of a DC failure or DC overload. Roles commonly hosted on DCs are the DNS server role and the Global Catalog.

Workload distribution: With multiple DCs you can “load balance” requests from users, apps, computers, etc. This is particularly important when those services/servers are spread across sites connected by WAN links. In that case you can place one or more DCs in those sites and take advantage of local authentication/requests instead of sending them across the WAN link.

Domain hierarchy: The first domain that is created is the Root Domain of the forest. If you lose that domain you lose the entire forest. In a scenario where you have multiple domains within a forest, if you have only one DC for that top Root Domain and you lose that DC forever, you may say goodbye to your entire forest. Hum… that’s not good is it?!! As you already guessed domain hierarchy is very important in Active Directory.

Recovery/Availability: Consider the following scenario. Your DC suffers a hardware failure, and to recover from that hardware failure you’ll have to wait some time. If you have only one DC, you may have a problem: the domain apps may need that DC and may stop working until it is back online, the users of those apps will also stop working, and your company will lose money because of that downtime. You recover the DC from the hardware failure, but then you discover that it cannot start (BSoD, more downtime). No problem (you think), you start the backup recovery process, but you discover that the backup isn’t enough to recover that DC. Now you have a big problem: no one is working and the company isn’t making money because of that. Everyone will have to wait until you replace the domain controller with a new one. With a second DC you can reduce that problem, and the dead DC can be replaced easily without affecting the users or apps that depend on it.

And if I lose both DCs?
It’s true, you can lose both DCs and you’ll be “dead” anyway, but that is another story with different planning, for a different blog post. The point I’m trying to make is that with 2 DCs per domain “at the minimum” you get a good chance to recover from downtime (with a good percentage of success), plus better redundancy and a distributed workload. I could give you a lot more reasons to have additional DCs, but keep those in mind and hopefully they will be enough to make you think twice before considering only one DC for your domain.

OK, back to the beginning: how to create the second domain controller in Active Directory. It is actually a very simple process. We just need a healthy domain (run the dcdiag tools to check that everything is OK), and if everything is working correctly you are ready to add the 2nd DC to your domain.

Before you start:
Plan the FQDN of the domain controller carefully, and make sure that it follows the rules of your internal company documentation. Although it’s possible to rename DCs that are running Windows 2003 and later, I would rather do it correctly the first time and avoid later changes. Check the naming conventions at Microsoft KB909264.

Configure your NIC with a static IP address. Avoid the use of multiple NICs in DCs: this type of configuration may lead to errors, and Active Directory communication might fail on multihomed domain controllers. Check MS KB272294 and 191611 for more information.

Make sure that the Administrator account has a strong password. If possible, avoid using the Administrator account and use a dedicated account to perform your everyday work in AD. Think of the Administrator account as the SOS account, and try to use it only for emergency situations.

You must have at least one drive formatted with NTFS.

Install the latest updates from the Microsoft website.

Check your event log for errors and correct them before proceeding.

Plan and test the backup strategy for your Active Directory forest. After that, take a full backup of the existing DC in case you need to roll back.

Finally, check the date and time settings and make sure they are correct, and make sure that the existing DC is in sync with a trusted and valid authoritative time server. By default, the DC that holds the PDCe role is the authoritative time server for your forest, and additional DCs sync their time with this DC.

Don’t miss Part 3 – “How to add a Domain Controller in a Remote Site using the new Windows 2008 R2”

To review all video demonstrations, check video section of Active Directory Windows 2008 and 2008 R2 Documentation


Written by IT Core

January 20, 2010 at 10:08 PM

Posted in Deployment, How to..., Videos


Domain Controllers and Active Directory Domains Part 1


In this blog post I’ll show you an example of how to introduce the first domain controller in an Active Directory domain. This will be the first of many blog posts that will help you with domain controller configuration and related services across your forest. I’ll also show you how to introduce new domains and different ways to perform identical tasks. Let’s start with a quick review of domain controller basics:

A domain controller (DC) is a server role that has the Active Directory service installed. Domain controllers have a database called “NTDS.dit” that stores information about Active Directory objects. This database is divided into different partitions. The domain partition holds all information about the domain where that DC is located and is replicated between all DCs within the same domain; each DC has read/write permission to the domain partition. The schema and configuration directory partitions are common to the entire forest and are replicated between all domain controllers within the same forest. It doesn’t matter whether the DCs belong to the same domain or not: as long as they are in the same forest, they hold the schema and configuration directory partitions (which are only writable by their FSMO masters) plus the domain partition for the domain where they were configured. Depending on the version that you’re running, DCs can also store one or more application directory partitions (this applies to Windows 2003 and later OS).

In addition to the Active Directory database, DCs can also hold specific roles needed by Active Directory:
Flexible Single Master Operation “FSMO” (pronounced Fiz-mo). Domain controllers that hold operations master roles are designated to perform specific tasks to ensure consistency and to eliminate the potential for conflicting entries in the Active Directory database. Active Directory defines 5 operations master roles (2 are forest-wide and the other 3 exist in each domain):

Forest operation masters:
– Schema master
– Domain naming master

Domain operation masters:
– Primary domain controller emulator (PDCe)
– Infrastructure master (IM)
– Relative ID master (RID)

Global Catalog (GC). A global catalog server is a domain controller that, in addition to its full writable domain directory partition replica (does not apply to RODC), also stores a partial, read-only replica of all other domain directory partitions in the forest. The attributes that are replicated to the global catalog are identified in the schema as the partial attribute set (PAS).
GCs are needed for: forest-wide searches; user logons (when more than one domain exists in that forest); logons that use a user principal name (UPN) when the forest has more than one domain; caching a user’s membership in Universal Groups (Universal groups are only available when the domain is in native mode or later); and Exchange Address Book lookups, since Exchange clients also use global catalog servers to access the global address list (GAL). These are the most common scenarios, but you can also have specific apps that need to contact the GC to function properly.

DNS: Although DNS is not a component of Active Directory, Active Directory uses DNS as its domain controller location mechanism and leverages the namespace design of DNS in the design of Active Directory domain names. It is possible to use a non-Microsoft DNS solution to support Active Directory, but the DNS server must support service resource records (RFC 2782) and the dynamic update protocol (RFC 2136). Active Directory uses DNS as the location mechanism for domain controllers, enabling computers on the network to obtain the IP addresses of domain controllers. During the installation of Active Directory, the service (SRV) and address (A) resource records are dynamically registered in DNS. Both types of records are necessary for the functionality of the domain controller locator (Locator) mechanism, among other functions.

That being said, it’s time to set up the first domain controller.

Before you start:
· Plan your FQDN (fully qualified domain name), the NetBIOS name and the domain controller name carefully. This is very important to avoid changes that may crash your entire forest later. Check the naming conventions at Microsoft KB909264.
· Configure your NIC with a static IP address. Avoid the use of multiple NICs in DCs: this type of configuration may lead to errors, and Active Directory communication might fail on multihomed domain controllers. Check MS KB 272294 and 191611 for more information.
· Configure the Administrator account with a strong password.
· Install the latest updates from the Microsoft website.
· You need to have at least one hard drive formatted with NTFS.
· Check your event log for errors and correct them before proceeding.
· Consider the use of at least 2 DCs for each domain that you plan to have in your forest. This will give you better redundancy and also a faster way to recover from server failures.
· Plan and test the backup strategy for your Active Directory forest.
· Finally, check the date and time settings and make sure they are correct, and make sure that the server is in sync with a trusted and valid authoritative time server. By default, the first DC will be the authoritative time server for your forest, and additional DCs will sync their time with this DC.
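
Several items on this checklist (and on the matching list in Part 2) can be verified with a short read-only script before running the promotion. The following is an added example, not part of the original posts; the function name `Test-DcPromoPrereq` and the 24-hour event log window are assumptions. It covers the NIC, NTFS, event log and time source items only.

```powershell
# Added example, not from the original posts. Read-only checks; run locally on
# the server that is about to be promoted (w32tm /query needs Windows 2008 or later).
function Test-DcPromoPrereq {
    param([int]$EventLogHours = 24)   # assumed look-back window for event log errors

    # Small helper so every check returns the same three columns.
    function New-Check($Check, $Passed, $Detail) {
        New-Object PSObject -Property @{ Check = $Check; Passed = $Passed; Detail = $Detail } |
            Select-Object Check, Passed, Detail
    }

    # Static IP address, and no multihomed configuration.
    $nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE")
    $dhcp = @($nics | Where-Object { $_.DHCPEnabled })
    New-Check 'Single IP-enabled NIC' ($nics.Count -eq 1) "$($nics.Count) adapter(s) with IP enabled"
    New-Check 'Static IP address' ($dhcp.Count -eq 0) "$($dhcp.Count) adapter(s) still using DHCP"

    # At least one local fixed drive formatted with NTFS.
    $ntfs = @(Get-WmiObject Win32_LogicalDisk -Filter "DriveType = 3" |
              Where-Object { $_.FileSystem -eq 'NTFS' })
    New-Check 'NTFS drive present' ($ntfs.Count -ge 1) (($ntfs | ForEach-Object { $_.DeviceID }) -join ', ')

    # Errors in the System log that should be corrected first.
    $after = (Get-Date).AddHours(-$EventLogHours)
    $errs  = @(Get-EventLog -LogName System -EntryType Error -After $after -ErrorAction SilentlyContinue)
    New-Check 'No recent System log errors' ($errs.Count -eq 0) "$($errs.Count) error(s) in the last $EventLogHours hour(s)"

    # Time source: fail if the service is not running or the clock is free-running.
    $source = (w32tm /query /source 2>&1 | Out-String).Trim()
    $synced = ($LASTEXITCODE -eq 0) -and ($source -notmatch 'Local CMOS Clock|Free-running System Clock')
    New-Check 'External time source' $synced $source
}

Test-DcPromoPrereq | Format-Table -AutoSize
```

Updates, the Administrator password and the backup strategy still need to be reviewed by hand.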

Now it’s time to install Active Directory on your server. Check the video and follow the steps below:

Check the next article : How to create the second domain controller in Active Directory

To review all video demonstrations, check video section of Active Directory Windows 2008 and 2008 R2 Documentation


Written by IT Core

January 19, 2010 at 11:34 PM

Posted in Deployment, How to..., Videos


Antivirus Settings for Microsoft OS


Here’s a nice document from Microsoft that you should read before configuring your Anti-virus settings.

This document has recommendations that may help you protect a computer that is running Windows Server 2008, Windows Server 2003, Microsoft Windows 2000, Windows XP, or Windows Vista from viruses. This article also contains information to help you minimize the effect of antivirus software on system and network performance.

Click KB822158

From TechNet: Managing Antivirus Software on Active Directory Domain Controllers

Written by IT Core

January 15, 2010 at 12:27 AM

Updated Read-Only Domain Controller (RODC) Branch Office Guide


Planning for RODC?
Before any implementation have a look at this updated guide at:

Read-Only Domain Controller (RODC) Branch Office Guide
or using

This guide describes new features in Windows Server 2008 that can provide benefits for Active Directory deployments that include branch offices. It explains how to assess an existing deployment of domain controllers in branch offices to determine whether deploying read-only domain controllers (RODCs) in existing or future branch offices is appropriate for your organization. For more general information about how to install and configure an RODC, see Planning and Deploying Read-Only Domain Controllers. For more information about deploying an RODC in a perimeter network (also known as DMZ), see Active Directory Domain Services in the Perimeter Network (Windows Server 2008).

Written by IT Core

January 15, 2010 at 12:23 AM

SCOM Agent requirements and firewall ports…


From time to time I find myself in scenarios where I do not remember all the requirements needed to install a certain piece of software. This happens because each new product has new requirements. The new software is not the issue; the issue is that we see lots and lots of new software coming and going and being revised all the time. Those changes come with new requirements, and the requirements for Product yyy.y are not equal to those of previous versions of the same product. Multiply this by the number of different software versions on your company’s computers and this may become messy after a while…

So, what can we do? Blog it…
For this post I’ll note (for me and for you) the firewall ports that are needed by the OpsMgr agent push process. Additionally, I’ll post some useful links that may clarify some doubts when doing agent deployment using System Center Operations Manager.
The following table lists the OpsMgr agent push requirements for firewall ports:

| Name | Port Number | Protocol |
|---|---|---|
| RPC endpoint mapper | 135 | TCP/UDP |
| RPC/DCOM High ports (Win 2K/2K3 OS) | 1024-5000 | TCP/UDP |
| RPC/DCOM High ports (Win 2K8) | 49152-65535 | TCP/UDP |
| NetBIOS name service | 137 | TCP/UDP |
| NetBIOS session service | 139 | TCP/UDP |
| SMB over IP | 445 | TCP |
| MOM Channel | 5723 | TCP/UDP |
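
Before a push install, the fixed TCP ports from this table can be checked from the host that initiates the connection, so a firewall block shows up before the deployment fails. The following is an added example, not part of the original post; the function name `Test-OpsMgrPushPort`, the 2-second timeout and the sample host name are assumptions. UDP, port 137 and the dynamic RPC/DCOM ranges are not tested.

```powershell
# Added example, not from the original post. TCP connect test against the
# single-port entries of the table; works on PowerShell 2.0 and later.
function Test-OpsMgrPushPort {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [int]$TimeoutMs = 2000   # assumed timeout per port
    )

    # The RPC/DCOM high ports are assigned dynamically per call, so probing
    # individual ports in those ranges says nothing about the firewall rule.
    $ports = @(
        @{ Name = 'RPC endpoint mapper';     Port = 135  },
        @{ Name = 'NetBIOS session service'; Port = 139  },
        @{ Name = 'SMB over IP';             Port = 445  },
        @{ Name = 'MOM Channel';             Port = 5723 }
    )

    foreach ($p in $ports) {
        $client = New-Object System.Net.Sockets.TcpClient
        $open = $false
        try {
            # Asynchronous connect so a silently dropped packet does not hang the script.
            $async = $client.BeginConnect($ComputerName, $p.Port, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
                $client.EndConnect($async)   # throws if the connection was refused
                $open = $client.Connected
            }
        } catch {
            $open = $false
        } finally {
            $client.Close()
        }
        New-Object PSObject -Property @{ Name = $p.Name; Port = $p.Port; Open = $open } |
            Select-Object Name, Port, Open
    }
}

# Constructed sample target name; replace with the computer you are deploying to.
Test-OpsMgrPushPort -ComputerName 'agent01.domain.tld' | Format-Table -AutoSize
```

A port reported as closed can mean either a firewall block or that nothing is listening on it yet, so read the result together with the service state on the target.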

Useful Links
Operations Manager 2007 R2 Supported Configurations
Deploying Agents in Operations Manager 2007

How does Computer Discovery Work in OpsMgr 2007
OpsMgr 2007 Agent troubleshooting

Have Fun!!! 🙂

Written by IT Core

January 4, 2010 at 4:41 PM

P2V – Disk2vhd v1.4


Disk2vhd is a utility that creates VHD (Virtual Hard Disk – Microsoft’s Virtual Machine disk format) versions of physical disks for use in Microsoft Virtual PC or Microsoft Hyper-V virtual machines (VMs). The difference between Disk2vhd and other physical-to-virtual tools is that you can run Disk2vhd on a system that’s online. Disk2vhd uses Windows’ Volume Snapshot capability, introduced in Windows XP, to create consistent point-in-time snapshots of the volumes you want to include in a conversion. You can even have Disk2vhd create the VHDs on local volumes, even ones being converted (though performance is better when the VHD is on a disk different than ones being converted).

Get it Now


Written by IT Core

January 2, 2010 at 11:01 PM

Hyper-V R2: Live Migration common problems


Recently the ASKCORE Team wrote an excellent article about the most common problems that they receive from their clients regarding Hyper-V R2 Live Migration.

According to them, the most common problems are related to some bad habits and bad decisions regarding network configuration. The article also explains some techniques to increase the speed of the process (they’ve called it – Bonus Material :)).

Read more at “The devil may be in the networking details.”


Written by IT Core

January 2, 2010 at 10:53 PM

Cluster Validation Error due duplicate GUID information


The ASK Core Team recently blogged about an error that may occur in clusters if you use imaging to deploy servers without using sysprep.

The error:
Failover Cluster Validation Firewall Error in Windows Server 2008 R2
“An error occurred while executing the test. There was an error verifying the firewall configuration. An item with the same key has already been added”

Lesson learned: always use supported methods (like Sysprep) to deploy servers, especially when using imaging or disk rollback procedures.
Read more Here

Written by IT Core

January 2, 2010 at 10:30 PM

Posted in Tools, Troubleshooting


Windows Script 5.7 Setup Error


You download Windows Script 5.7 for Windows Server 2003 and try to install it on the 64-bit version of Windows 2003. When you do that, you get the following error message:

Windows Script Setup Error
This Windows Script is for a different hardware platform.

This error is expected on the 64-bit version of Windows 2003, since the Windows Script 5.7 for Windows Server 2003 download is for the 32-bit versions of Windows 2003.

Request and download the hotfix from KB955360.
Install the hotfix and reboot the system. After the reboot, verify that you are on version 5.7 by typing from cmd:


Written by IT Core

January 2, 2010 at 12:00 PM

HP System Management Homepage Timeout Error


From time to time, I get the following error when trying to load the HP System Management Homepage:

A timeout occurred when while loading data for the HP System Management Homepage which may result in missing or incomplete information. See the HP System Management Homepage log for additional information

How to solve this?
This is normally caused by bad SNMP settings, community strings and/or the Version Control Agent on the problem host; make sure it is pointing to a valid version control repository manager.

Here are some samples….



Written by IT Core

January 2, 2010 at 10:22 AM

Domain Controllers Warning Event ID: 10154


Log Name: System
Source:  Microsoft-Windows-WinRM
Date:  1/1/2010 1:22:43 PM
Event ID: 10154
Task Category: None
Level:  Warning
Keywords: Classic
User:  N/A
Computer: dcname.domain.tld
The WinRM service failed to create the following SPNs: WSMAN/dcname.domain.tld; WSMAN/dcname.
Additional Data
The error received was 8344: %%8344.
User Action
The SPNs can be created by an administrator using setspn.exe utility.

I was getting this error at startup on new 2008 R2 domain controllers. Apparently WinRM attempts to create 2 SPNs (WSMAN/dcname.domain.tld and WSMAN/servername) after the startup process.

Since WinRM runs under the “Network Service” account, I was able to fix this warning by granting the “Validated Write to Service Principal Name” permission to NETWORK SERVICE using ADSIEDIT.msc. This allows WinRM to auto-create the necessary SPNs on that domain controller. After granting this permission, re-sync all DCs and reboot each domain controller where you made the change. A couple of minutes after that reboot you’ll see that the warning is gone and the required SPNs were created successfully.

Note: I didn’t have the WinRM IIS Extension installed, but I still saw the warning message. If you plan to use the WinRM IIS Extension, you need to use “Add features” from Server Manager, reboot the system and run WinRM from cmd to configure it (e.g. WinRM qc).

To learn more about SPNs, click here and here.
To learn more about WinRM, click here and here.
To learn more about Network Service account click here and here.
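
To confirm whether the two SPNs named in the event are registered, before or after any permission change, the computer account can be queried with setspn. The following is an added example, not part of the original post; the function name `Get-MissingWsmanSpn` is an assumption, and the script only reads data and prints the registration command instead of running it.

```powershell
# Added example, not from the original post. Run on the affected domain controller.
function Get-MissingWsmanSpn {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # The two SPNs WinRM tries to create: one with the FQDN, one with the short name.
    $fqdn     = [System.Net.Dns]::GetHostEntry($ComputerName).HostName
    $expected = @("WSMAN/$fqdn", "WSMAN/$ComputerName")

    # setspn -L prints a header line followed by one indented SPN per line.
    # Trim and compare whole lines, so WSMAN/dcname does not match WSMAN/dcname.domain.tld.
    $registered = @(setspn -L $ComputerName | ForEach-Object { $_.Trim() })

    # -notcontains is case-insensitive, which matches how SPNs are compared.
    $expected | Where-Object { $registered -notcontains $_ }
}

# Most recent occurrences of the warning, if any.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-WinRM'; Id = 10154 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName

foreach ($spn in Get-MissingWsmanSpn) {
    # Printed only: the event text names setspn.exe as the manual way to create the SPNs.
    "Missing: $spn  (manual registration: setspn -A $spn $env:COMPUTERNAME)"
}
```

No output from the last loop means both SPNs are already present on the computer account.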


Written by IT Core

January 2, 2010 at 12:00 AM

Core Configurator 2.0 is available for download


Core Configurator 2.0 is available for download at CODEPLEX.

It is completely open source, so it can be amended and changed to fit your requirements. This version has been a year in the making and has been written in PowerShell with a reference to WinForms so that a GUI format is displayed.

The primary focus of this project is to try and get feedback and contributions back from the community to make this the best free tool everyone will want in their toolkit, so if you have some code or features that you might want included then please leave a comment and we will get in touch.

Core Configuration tasks include:
-Product Licencing
-Networking Features
-DCPromo Tool
-ISCSI Settings
-Server Roles and Features
-User and Group Permissions
-Share Creation and Deletion
-Dynamic Firewall settings
-Screensaver Settings
-Add & Remove Drivers
-Proxy settings
-Windows Updates (Including WSUS)
-Multipath I/O
-Hyper-V including virtual machine thumbnails
-JoinDomain and Computer rename
-Add/remove programs
-Complete logging of all commands executed

Written by IT Core

January 2, 2010 at 12:00 AM