IT Core Blog

Never stop questioning. Curiosity has its own reason for existing…

Archive for April 2010

SCVMM Comprehensive/Recommended Updates


Many "Recommended" updates are available for SCVMM and for the technologies it manages, and staying up to date can be hard. Fortunately there is a tool, the VMM Configuration Analyzer (VMMCA), that checks the configuration and the updates installed on the SCVMM server and on any hosts you specify, and produces a simple report.

What about the updates that have been released since the VMMCA itself was last updated?
Here is the list of updates the VMMCA checks, followed by a second list of updates that you will have to verify on your own.

Updates the VMMCA verifies
Install on the SCVMM Server
961983
971244
Install on SCVMM Hosts
950050
956589
956774
958124
954563
955805
Hyper-V updates for SCVMM Hosts
952247
956697
957967
958184
959978
971677
Failover Cluster Management updates for SCVMM Hosts
951308
958065

New updates, not verified by the VMMCA
WinRM – Win2003: 936059 An update is available for the Windows Remote Management feature in Windows Server 2003 and in Windows XP
WMI – Win2008 SP2: 968936 Memory corruption may occur with the Windows Management Instrumentation (WMI) service on a computer that is running Windows Server 2008 or Windows Vista Service Pack 1
WMI – Win2008 SP2: 971403 A rollup hotfix package for Windows Server 2008 Failover Clustering WMI provider
WMI – Win2008 SP2: 970520 The Wmiprvse.exe process creates a memory leak on a computer that is running Windows Server 2008 if you remotely monitor this process by using the WMI interface on a computer that is running Windows Server 2003 or Windows XP
WMI – Win2008 R2: 974930 An application or service that queries information about a failover cluster by using the WMI provider may experience low performance or a time-out exception
WMI – Win2008 R2: 981314 The "Win32_Service" WMI class leaks memory in Windows Server 2008 R2 and in Windows 7
Hyper-V – Win2008 R2: 981618 The computer stops responding or restarts during the Hyper-V Live Migration process in Windows Server 2008 R2
P2V – Win2000: 834010 A deadlock occurs when a program that uses WMI calls the LoadLibrary() or the FreeLibrary() function in Windows 2000
P2V – Win2000, 2003: 892294 A WMI event notification query does not detect a user permissions change on Windows 2000 or Windows Server 2003
P2V – Win2000: 843527 The Win32_SCSIController WMI class cannot obtain SCSI controller information after you install the MS04-011 security update
P2V – SCVMM 2008: 959596 Description of the System Center Virtual Machine Manager 2008 update to address physical to virtual (P2V) issues
P2V – SCVMM 2008: 971816 Using P2V together with System Center Virtual Machine Manager 2008 may fail with error 3154 (0x8099319E) or error 13252 (0x809933C4)
VMM Rollup – SCVMM 2008 R2: 976244 Description of the System Center Virtual Machine Manager 2008 R2 hotfix rollup package: November 10, 2009
VMM Rollup – SCVMM 2008 R2: 978560 Description of the System Center Virtual Machine Manager 2008 R2 hotfix rollup package: February 9, 2010
Other – SCVMM 2008 R2: 976246 When you remove a virtual hard disk from a virtual machine in System Center Virtual Machine Manager 2008 R2, the .vhd file on the Hyper-V server is deleted without warning
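As an added example (not from the original post and not part of the VMMCA), the PowerShell below checks a VMM server and a set of hosts for the KB numbers listed above and reports the ones that are absent. The computer names are placeholders. It reads two sources: Win32_QuickFixEngineering via Get-HotFix, which is where OS hotfixes installed by Windows Update or wusa appear, and the Uninstall registry key, which is where product hotfixes delivered as .msp files register with the KB number in their display name. That the VMM rollups 976244 and 978560 show up there is an assumption; confirm it on one box before trusting the report for those two.

```powershell
# Added example: report KBs from the lists above that are absent from the VMM server and hosts.
# Placeholders: computer names. Run as an account that is a local administrator on every target.
$vmmServer = 'VMM01'
$vmmHosts  = 'HV01', 'HV02'

# KB numbers copied from the lists in the post. The P2V entries for Windows 2000/2003 are left
# out: they apply to P2V source machines, not to VMM hosts.
$kbForVmmServer = @(961983, 971244, 976244, 978560)
$kbForHosts = @(
    950050, 956589, 956774, 958124, 954563, 955805,   # base OS fixes checked by the VMMCA
    952247, 956697, 957967, 958184, 959978, 971677,   # Hyper-V fixes checked by the VMMCA
    951308, 958065,                                   # Failover Cluster Management fixes
    968936, 971403, 970520, 974930, 981314, 981618    # newer WMI / Hyper-V fixes the VMMCA misses
)

function Get-InstalledKB {
    # Returns the KB numbers (as integers) found on one computer.
    param([string]$ComputerName)
    $found = @()

    # 1) OS hotfixes (Windows Update / wusa) are QFE entries with HotFixID like "KB961983"
    foreach ($fix in Get-HotFix -ComputerName $ComputerName -ErrorAction Stop) {
        if ($fix.HotFixID -match 'KB(\d+)') { $found += [int]$matches[1] }
    }

    # 2) Product hotfixes delivered as .msp (e.g. the VMM rollups) are not QFE entries; they
    #    register under the Uninstall key with the KB in DisplayName (assumption, see lead-in).
    #    Needs the Remote Registry service on the target.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    foreach ($path in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                      'SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall') {
        $key = $hklm.OpenSubKey($path)
        if ($key -eq $null) { continue }
        foreach ($sub in $key.GetSubKeyNames()) {
            $display = $key.OpenSubKey($sub).GetValue('DisplayName')
            if ($display -match 'KB(\d+)') { $found += [int]$matches[1] }
        }
    }
    $found | Sort-Object -Unique
}

function Get-MissingKB {
    # Emits one object per expected KB that is not installed, with the OS so the reader can
    # judge whether the update even applies to that computer.
    param([string]$ComputerName, [int[]]$Expected)
    $os        = (Get-WmiObject Win32_OperatingSystem -ComputerName $ComputerName).Caption
    $installed = @(Get-InstalledKB -ComputerName $ComputerName)
    foreach ($kb in $Expected) {
        if ($installed -notcontains $kb) {
            New-Object PSObject -Property @{ Computer = $ComputerName; OS = $os; MissingKB = "KB$kb" }
        }
    }
}

$report  = @()
$report += Get-MissingKB -ComputerName $vmmServer -Expected $kbForVmmServer
foreach ($h in $vmmHosts) { $report += Get-MissingKB -ComputerName $h -Expected $kbForHosts }
$report | Sort-Object Computer, MissingKB | Format-Table Computer, OS, MissingKB -AutoSize
```

Read the OS column before acting on a "missing" row: most entries above apply to one OS version only (the post's own labels say Win2003, Win2008 or 2008 R2), and a fix that was later folded into a newer update or service pack also shows as missing. Remote Get-HotFix needs WMI/DCOM access to the target and OpenRemoteBaseKey needs its Remote Registry service running.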


Update for Best Practices Analyzer for HYPER-V for Windows Server 2008 R2 x64 Edition


You can use the Hyper-V Best Practices Analyzer (BPA) to scan a server that is running the Hyper-V role and identify configurations that do not comply with Microsoft's best practices for that role. The BPA scans the configuration of the physical computer, the virtual machines, and other resources such as virtual networking and virtual storage. Scan results are displayed as a list of issues that you can sort by severity, with recommendations for fixing each issue and links to instructions. Running the scan makes no configuration changes.

The Hyper-V BPA is available as a download package and also through Windows Update.

Get it here

Also check TechNet Documentation for Hyper-V BPA

Written by IT Core

April 28, 2010 at 8:07 PM

HP Virtual Connect for Dummies


Like other Dummies books it is an easy reference tool that you can refer back to whenever you need to learn more about what HP Virtual Connect does.

So what does HP Virtual Connect do? It simplifies the setup of server connections to both LANs and SANs, allowing IT professionals to quickly add or replace servers and move workloads without involving the network and storage teams.

Download it free 🙂

Written by IT Core

April 28, 2010 at 7:29 PM

HP BladeSystem Matrix Application Template for Microsoft Hyper-V R2 Test and Development Environment White Paper


This white paper describes an HP Insight Dynamics infrastructure orchestration (IO) template for provisioning the infrastructure resources needed to support test and development environments using Microsoft® Windows® Server 2008 R2 Hyper-V (Hyper-V R2) in a cluster configuration with live migration and Cluster Shared Volumes (CSV). This template, "Hyper-V R2 Cluster.xml", is specifically designed to provision the server, storage and network infrastructure resources necessary to support a small test and development environment for VMs. The document also details the specific areas of the template that you will need to modify in order to successfully import and deploy it.

Read more here
Download it here

Written by IT Core

April 28, 2010 at 7:22 PM

Posted in Documentation, How to..., HP, Virtualization


Domain Controllers and Active Directory Domains Part 7


Click if you want to review part 1, part 2, part 3, part 4, part 5 or part 6 of the Domain Controllers and Active Directory Domains series.

“How to deploy a Read-only Domain Controller in a Windows 2003 domain”

In part 7 of this series we're going to discuss a new type of domain controller, the read-only domain controller (RODC).

Read-only domain controllers (RODCs) are additional domain controllers that host read-only partitions of the Active Directory database. RODCs were introduced in Windows Server 2008 as a new feature of Active Directory Domain Services. This new type of domain controller is Microsoft's answer for customers that needed to deploy domain controllers at locations where physical security could not be guaranteed (e.g. branch offices, perimeter networks). With RODCs Microsoft offers a solution that may help to resolve a number of security and manageability issues that existed in older operating system versions.

So what makes RODCs special, and what do they have that read/writable domain controllers (RWDCs) don't? RODCs have:

  • A read-only copy of the Active Directory database. Applications can only read data from the AD database on an RODC; the RODC forwards certain write operations to writable domain controllers and returns referrals to writable domain controllers when necessary.
  • A read-only copy of the SYSVOL folder contents.
  • Unidirectional replication: RODCs pull information from RWDCs, but RWDCs never pull information from RODCs. This applies both to the AD database and to SYSVOL data, so a compromised RODC cannot push changes back into the domain.
  • Administrator Role Separation (ARS): domain administrators can delegate both the installation and the local administration of an RODC to any domain user, without granting that user any additional rights in the domain and without compromising the security of the rest of the domain.
  • Credential caching: by default an RODC does not store user or computer credentials, except for its own computer account and a special krbtgt account for that RODC. This means that by default all authentication requests are forwarded by the RODC to an RWDC.
  • Password Replication Policy (PRP): controls which accounts' passwords are allowed to be cached on an RODC.
  • Filtered Attribute Set (FAS): controls which attributes are not replicated to RODCs, which lets you protect sensitive data if an RODC is stolen or compromised.

Active Directory prerequisites to deploy an RODC:

  • The forest functional level (FFL) must be Windows Server 2003 or higher. FFL 2003 is needed because linked-value replication (LVR) and constrained delegation are only available at this FFL or later. This also means that all domain controllers (DCs) in the forest must be running Windows Server 2003 or later.
  • Before introducing RODCs in a forest, a writable domain controller running Windows Server 2008 or Windows Server 2008 R2 MUST exist in the same domain as the RODC. The writable domain controller must be a DNS server that has registered a name server (NS) resource record for the relevant DNS zone. RODCs can only replicate domain updates from a writable domain controller running Windows Server 2008 or Windows Server 2008 R2.
  • If you have a Windows Server 2003 domain, you must also run adprep /rodcprep before introducing an RODC in that forest. Note: the infrastructure master for each domain and for each application directory partition must be available for the operation to succeed. If these requirements are not met, you may experience the symptoms described in KB 949257. Also read Known Issues for Deploying RODCs.
  • To learn how to introduce Windows 2008/2008 R2 Domain controllers in your domain/forest, check part 6 of this series.

Some considerations to be aware of with RODCs:

  • As discussed before, RODCs need at least one Windows Server 2008 RWDC; this requirement is due to the nature of the RODC's role in AD. Write operations, DNS updates and authentication for non-cached accounts are all forwarded to RWDCs or to authoritative DNS servers. With these operations in mind it is generally a good idea to have more than one Windows Server 2008 DC available to serve RODC requests.
  • When an RODC that runs Windows Server 2008 R2 is added to a domain whose RWDC runs Windows Server 2008, the RODC logs Event ID 2916. This error can be disregarded, and it is not logged if an RWDC running Windows Server 2008 R2 exists in the domain.
  • Cross-domain authentication fails if the WAN is offline. RODC domain authentication for cached accounts (both user and computer accounts) succeeds even if the WAN is offline; authentication for accounts that are not cached fails if the WAN is offline.
  • RODCs can only synchronize their time from RWDCs that run Windows Server 2008 or later; they are restricted from synchronizing with other RODCs and from synchronizing with domain controllers outside their own domain (client computers can synchronize time from any domain controller, including an RODC).
  • Do not use highly privileged accounts (such as members of Domain Admins) to log on to RODCs.
  • Microsoft Exchange Server does not use RODCs. However, you can configure Outlook clients in a branch office that is serviced by a read-only global catalog server to use that read-only global catalog for global address book lookups (see Applications That Are Known to Work with RODCs).
  • Perform staged RODC installations. The first stage (which requires Domain Admin credentials) creates an account for the RODC in AD. The second stage attaches the actual server that will be the RODC, in a remote location such as a branch office, to the account previously created for it. The ability to attach the server can be delegated to a non-administrative group or user.
  • When you upgrade a Windows Server 2003 domain controller it always remains a writable domain controller. You cannot make a Windows Server 2003 domain controller an RODC during the upgrade. If you want to upgrade a Windows Server 2003 domain controller and make it an RODC, you must remove Active Directory Domain Services (AD DS). You can remove AD DS either just before or just after you upgrade the operating system. After you upgrade the server and it is no longer a domain controller, reinstall AD DS and choose the RODC option during the AD DS installation.
  • You cannot convert from a full installation to a Server Core installation, or the reverse.

Deploy RODCs:

Currently there are at least two ways to deploy RODCs: staged installation and direct installation.

Direct installation is the "normal" way to deploy any domain controller: you complete the full promotion of the RODC yourself as a member of the Domain Admins group, or as a member of another group with equivalent delegated permissions.

In this blog post I'm going to show you the staged installation, because I think it makes more sense given the RODC's security context (RODCs are normally placed at unsecured or untrusted locations, right? :)).

The staged installation is divided in two stages:

  1. The Domain Admin prepares Active Directory to receive the new RODC and delegates the final stage of the RODC installation to any user or group.
  2. The delegated user or group installs the RODC at the remote site and attaches it to the domain without needing a highly privileged account.

I suggest using the Install from Media (IFM) option together with a staged installation (I'll show you how in the video). Using IFM you can minimize the replication of directory data over the network, which helps you install additional domain controllers in remote sites more efficiently. After you create the IFM installation media for an RODC, you can secure the media before transporting it to the branch office by removing secrets such as user account passwords from it (ntdsutil's ifm "create rodc" option produces media with the secrets already stripped). If the installation media is lost or stolen in transit, it cannot be used to reveal passwords. This works for RODCs because the RODC does not cache any passwords by default, so they do not need to be present in the RODC installation media.

That said, let's check "How to deploy a Read-only Domain Controller in a Windows 2003 domain".
(Note: before introducing RODCs into 2003 domains you must have at least one Windows Server 2008/2008 R2 DC; to learn how to introduce Windows Server 2008/2008 R2 DCs in an existing 2003 forest/domain, check part 6 of this series.)

Final Notes:
– Do not use highly privileged accounts (such as members of Domain Admins) to log on to RODCs.

– Consider installing the RODC on Windows Server Core.

– Consider using BitLocker on RODCs so that the directory database and SYSVOL are not readable if the server is stolen.

– Unless you are using DFS Replication, any change made to SYSVOL on the RODC will not be replicated to RWDCs, and that change affects every computer that obtains Group Policy objects or logon scripts from that RODC, not only computers that are defined in the PRP. To synchronize the contents of the SYSVOL folder again, make a change on a writable domain controller to force the directory or file to replicate to the RODC, or set the Burflags registry value to D2 (see KB 315457 for more information). This behavior is by design, because FRS provides limited support for read-only SYSVOL on an RODC.

– Extend the RODC FAS to include any attributes that you want to prevent from replicating to any RODC in the forest. When attributes are prevented from replicating to RODCs, they cannot be exposed if an RODC is stolen or compromised. (As a best practice, make sure that the forest functional level is Windows Server 2008 or later if you plan to configure the RODC FAS: Windows Server 2003 DCs do not enforce the FAS, so at a lower FFL a compromised RODC could still pull the filtered attributes from one of them.)

– Use remote management tools to administer RODCs (Microsoft Remote Server Administration Tools (RSAT), the Windows Remote Management (WinRM) protocol and Windows Remote Shell (WinRS)).

– Reliable time synchronization is required for Kerberos authentication. Client computers can synchronize time from any domain controller, including an RODC. An RODC can synchronize time only from a writable domain controller that runs Windows Server 2008 or later.

– After 1,500 security principals are in the Allowed List, the RODC stops caching passwords, and if you then attempt to cache the password for a user in the Allowed List (using repadmin /rodcpwdrepl, for example) you will see the following error message (see Administering the Password Replication Policy):
"Unable to replicate secrets for user CN=user… on read-only DC dsp17a30 from full DC <GUID=126c27dc-cbb2-41b0-b847-71e5d6b69ea2>.
Error: Replication access was denied. (8453)"

 Additional Documentation:
Read-Only Domain Controller Planning and Deployment Guide
RODC Technical Reference Topics
Known Issues for Deploying RODCs
Applications That Are Known to Work with RODCs
Read-only Domain Controllers Step-by-Step Guide
Understanding "Read Only Domain Controller" authentication
Read-Only Domain Controllers and Account Lockouts
KB 944043: Description of the Windows Server 2008 read-only domain controller compatibility pack for Windows Server 2003 clients and for Windows XP clients and for Windows Vista
Active Directory and Active Directory Domain Services Port Requirements
To review all video demonstrations, check video section of Active Directory Windows 2008 and 2008 R2 Documentation

Written by IT Core

April 22, 2010 at 11:59 PM

Posted in Deployment, How to..., Videos


Free ebook: Introducing Microsoft SQL Server 2008 R2


The purpose of Introducing Microsoft SQL Server 2008 R2 is to point out both the new and the improved in the latest version of SQL Server. Because this version is Release 2 (R2) of SQL Server 2008, you might think the changes are relatively minor: more than a service pack, but not enough to justify an entirely new version. However, as you read this book, we think you will find that there are a lot of exciting enhancements and new capabilities engineered into SQL Server 2008 R2 that will have a positive impact on your applications, ranging from improvements in operation to those in management. It is definitely not a minor release!

Read/Get it here

Written by IT Core

April 20, 2010 at 1:23 AM

Posted in Books, Documentation, News


Removing missing VMs from SCVMM DB


Do you have missing virtual machines in your SCVMM console? Learn how to remove them using Michael's scripts:

“it has come to our attention that there are some customer complaints with regards to missing virtual machines in the administrator console after a cluster failover. Since it is not easy to remove those VMs from the VMM administrator console, Gokcen from our team wrote a script that will allow you to clean those VMs up. Here are the steps to follow.”

1. First close the VMM Administrator Console.
2. Then stop the VMMService Windows service on the VMM server computer.
3. Take a FULL database backup of the VMM database (just in case; this is a safety net in case something goes wrong).
4. Now you are ready to clean up any missing VMs. It is important to note that all missing virtual machines in this VMM environment will be deleted from the VMM database. We are not deleting any virtual machines from any virtualization host computer; basically we are not touching anything on Hyper-V, Virtual Server or VMware ESX computers.
5. Install Microsoft SQL Server Management Studio Express on the same computer where the VMM database exists. This is a free download from Microsoft and you can search for it on Bing.
6. Open SQL Management Studio, select the VMM database and run the SQL script below. That should delete all VMs that are in the missing state in the VMM database.
7. Once the SQL script has completed, restart the VMMService and open the Administrator Console. All your missing VMs should now be "eliminated" 🙂

<<

BEGIN TRANSACTION T1

-- Outer loop: every VM object in the Missing state (ObjectState = 220)
DECLARE custom_cursor CURSOR FOR
SELECT ObjectId FROM dbo.tbl_WLC_VObject WHERE [ObjectState] = 220

DECLARE @ObjectId uniqueidentifier

OPEN custom_cursor
FETCH NEXT FROM custom_cursor INTO @ObjectId

WHILE (@@fetch_status = 0)
BEGIN

    -- Virtual drives of this VM and the VHD / ISO objects attached to them
    DECLARE vdrive_cursor CURSOR FOR
    SELECT VDriveId, VHDId, ISOId FROM dbo.tbl_WLC_VDrive WHERE ParentId = @ObjectId

    DECLARE @VDriveId uniqueidentifier
    DECLARE @VHDId uniqueidentifier
    DECLARE @ISOId uniqueidentifier

    OPEN vdrive_cursor
    FETCH NEXT FROM vdrive_cursor INTO @VDriveId, @VHDId, @ISOId
    WHILE (@@fetch_status = 0)
    BEGIN
        DELETE FROM dbo.tbl_WLC_VDrive WHERE VDriveId = @VDriveId

        IF (@VHDId IS NOT NULL)
        BEGIN
            DELETE FROM dbo.tbl_WLC_VHD WHERE VHDId = @VHDId
            DELETE FROM dbo.tbl_WLC_PhysicalObject WHERE PhysicalObjectId = @VHDId
        END

        IF (@ISOId IS NOT NULL)
        BEGIN
            DELETE FROM dbo.tbl_WLC_ISO WHERE ISOId = @ISOId
            DELETE FROM dbo.tbl_WLC_PhysicalObject WHERE PhysicalObjectId = @ISOId
        END

        FETCH NEXT FROM vdrive_cursor INTO @VDriveId, @VHDId, @ISOId
    END
    CLOSE vdrive_cursor
    DEALLOCATE vdrive_cursor

    -- Virtual floppy drives and the VFD objects attached to them
    DECLARE floppy_cursor CURSOR FOR
    SELECT VFDId, VFloppyId FROM dbo.tbl_WLC_VFloppy WHERE HWProfileId = @ObjectId

    DECLARE @VFloppyId uniqueidentifier
    DECLARE @VFDId uniqueidentifier

    OPEN floppy_cursor
    FETCH NEXT FROM floppy_cursor INTO @VFDId, @VFloppyId
    WHILE (@@fetch_status = 0)
    BEGIN
        DELETE FROM dbo.tbl_WLC_VFloppy WHERE VFloppyId = @VFloppyId

        IF (@VFDId IS NOT NULL)
        BEGIN
            DELETE FROM dbo.tbl_WLC_VFD WHERE VFDId = @VFDId
            DELETE FROM dbo.tbl_WLC_PhysicalObject WHERE PhysicalObjectId = @VFDId
        END

        FETCH NEXT FROM floppy_cursor INTO @VFDId, @VFloppyId
    END
    CLOSE floppy_cursor
    DEALLOCATE floppy_cursor

    -- Checkpoint relations first, then the checkpoints themselves
    DECLARE checkpoint_cursor CURSOR FOR
    SELECT VMCheckpointId FROM dbo.tbl_WLC_VMCheckpoint WHERE VMId = @ObjectId

    DECLARE @VMCheckpointId uniqueidentifier

    OPEN checkpoint_cursor
    FETCH NEXT FROM checkpoint_cursor INTO @VMCheckpointId
    WHILE (@@fetch_status = 0)
    BEGIN
        DELETE FROM dbo.tbl_WLC_VMCheckpointRelation WHERE VMCheckpointId = @VMCheckpointId
        FETCH NEXT FROM checkpoint_cursor INTO @VMCheckpointId
    END
    CLOSE checkpoint_cursor
    DEALLOCATE checkpoint_cursor

    DELETE FROM dbo.tbl_WLC_VMCheckpoint WHERE VMId = @ObjectId

    -- Migration bookkeeping, LUN mappings and refresher entries for this VM
    EXEC [dbo].[prc_VMMigration_Delete_VMInfoAndLUNMappings] @ObjectId

    DECLARE @RefreshId uniqueidentifier
    EXEC [dbo].[prc_RR_Refresher_Delete] @ObjectId, @RefreshId

    -- Hardware profile components, then the profile, the instance and the object row itself
    DELETE FROM dbo.tbl_WLC_VAdapter        WHERE HWProfileId = @ObjectId
    DELETE FROM dbo.tbl_WLC_VNetworkAdapter WHERE HWProfileId = @ObjectId
    DELETE FROM dbo.tbl_WLC_VCOMPort        WHERE HWProfileId = @ObjectId
    DELETE FROM dbo.tbl_WLC_HWProfile       WHERE HWProfileId = @ObjectId
    DELETE FROM dbo.tbl_WLC_VMInstance      WHERE VMInstanceId = @ObjectId
    DELETE FROM dbo.tbl_WLC_VObject         WHERE ObjectId = @ObjectId

    FETCH NEXT FROM custom_cursor INTO @ObjectId
END
CLOSE custom_cursor
DEALLOCATE custom_cursor

COMMIT TRANSACTION T1

>>
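Before running the script, this added PowerShell (not part of the original post or of the script quoted above) does steps 2 to 4 and keeps a record of what is about to be removed: it stops the VMM service, takes a checksummed full backup and verifies it, and writes the list of Missing VMs (ObjectState = 220, the same predicate the script uses) to a CSV. Run it on the VMM server as an account that is a local administrator and a sysadmin on the SQL instance. The instance name, database name and paths are placeholders, and the Name column on dbo.tbl_WLC_VObject is an assumption; the script above relies only on ObjectId and ObjectState.

```powershell
# Added example: pre-flight for the Missing-VM cleanup (not the original script).
# Placeholders: SQL instance, database name, backup and listing paths. Run on the VMM server.
$instance = 'VMM01\MICROSOFT$VMM$'                        # assumed instance name
$database = 'VirtualManagerDB'                            # assumed (VMM default name)
$backup   = 'D:\Backup\VirtualManagerDB_pre_cleanup.bak'
$listing  = 'D:\Backup\VirtualManagerDB_missing_vms.csv'

function Invoke-VmmSql {
    # Runs one T-SQL statement with Windows authentication; emits DataRow objects for queries.
    param([string]$Query, [switch]$NonQuery)
    $cn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList `
          "Server=$instance;Database=$database;Integrated Security=SSPI"
    $cn.Open()
    try {
        $cmd = $cn.CreateCommand()
        $cmd.CommandText    = $Query
        $cmd.CommandTimeout = 1800            # a full backup can take a while
        if ($NonQuery) { [void]$cmd.ExecuteNonQuery(); return }
        $table = New-Object System.Data.DataTable
        $table.Load($cmd.ExecuteReader())
        foreach ($row in $table.Rows) { $row }
    }
    finally { $cn.Close() }
}

# Step 2: stop VMM so nothing rewrites the rows while we work (the console is already closed)
Stop-Service -Name VMMService -ErrorAction Stop

# Step 3: checksummed full backup, then verify that the backup set is readable
Invoke-VmmSql -NonQuery "BACKUP DATABASE [$database] TO DISK = N'$backup' WITH INIT, CHECKSUM"
Invoke-VmmSql -NonQuery "RESTORE VERIFYONLY FROM DISK = N'$backup' WITH CHECKSUM"

# Step 4: record exactly which VMs the cleanup script will delete
# (ObjectState = 220 is the predicate the script uses for Missing VMs; the Name column is assumed)
$rows = @(Invoke-VmmSql "SELECT ObjectId, Name, ObjectState FROM dbo.tbl_WLC_VObject WHERE ObjectState = 220")
$rows | Select-Object ObjectId, Name, ObjectState | Export-Csv -Path $listing -NoTypeInformation
"{0} VM(s) in Missing state recorded in {1}; backup at {2}" -f $rows.Count, $listing, $backup
```

Keep the CSV next to the backup: the script above deletes by ObjectId inside a single transaction and logs nothing, so this listing is your only record of which VMs were removed. If the count differs from what the Administrator Console showed as Missing, stop and investigate before running the cleanup, because it removes every row that matches that state.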

Written by IT Core

April 17, 2010 at 8:08 PM