Problems accessing the Virtual Server administration website on a Windows Server 2003 domain controller

Although I have several computers at home, most of my server roles are running on a single PC. That means Active Directory (AD) domain controller (DC), DNS, DHCP, RIS, WSUS, and print services are all on one box (file services are on my NSLU2) so I figured that adding Virtual Server 2005 R2 to the mix shouldn’t be too big a problem. It’s certainly not good practice, but it works.

Another bad practice is to run internet information services (IIS) on a DC, but I already have IIS installed for WSUS, so adding the Virtual Server administration website should have been reasonably straightforward. Following installation, existing websites on the server were working as expected but any attempt to access the Virtual Server 2005 administration website resulted in an “HTTP Error 403 – Forbidden: Access is denied” message, despite entering the domain administrator credentials when prompted (and already being logged on as the domain administrator).

From checking the event log, I found that Virtual Server was logging the following event on startup:

Event Type: Warning
Event Source: Virtual Server
Event Category: Virtual Server
Event ID: 1130
Date: 01/05/2006
Time: 15:28:23
User: NT AUTHORITY\NETWORK SERVICE
Computer: SERVER1
Description:
The service principal names for Virtual Server could not be registered. Constrained delegation cannot be used until the SPNs have been registered manually. Error 0x80072098 – Insufficient access rights to perform the operation.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I tried the steps in Microsoft knowledge base article 890893 but adding the appropriate SPNs to AD didn’t seem to make any difference.

A bit of Googling turned up a blog entry from David Wang which, although not completely relevant, contained a reference to a similar problem in the comments. Sure enough, when I checked the IIS logs, the status and substatus codes were 403 19, as shown below:

#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2006-05-01 21:29:39 W3SVC2 ipaddress GET /VirtualServer/VSWebApp.exe view=1 1024 domainname\Administrator ipaddress Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 403 19 1314

I tried David’s advice of switching the IIS DefaultAppPool identity to LocalSystem and that worked (LocalSystem is a very highly-privileged account), but, despite my lackadaisical approach to co-hosting services and the probable security implications, I didn’t really feel that it was an ideal solution and I switched back to Network Service. I then set about trying to work out why the Network Service account (NT AUTHORITY\NETWORK SERVICE) didn’t have the appropriate permissions. Microsoft knowledge base article 332097 looked as if it might be relevant (Microsoft knowledge base article 842493 is similar) but didn’t seem to solve the problem (in any case the IIS_WPG group already had the correct permissions), so I fired up the Local Security Settings MMC snap-in and checked out the user rights assignment in the local security policy.

Because my IIS server is also a DC, many of the user rights normally associated with the Network Service account had been removed (and were overridden by the Default Domain Controllers Policy). NT AUTHORITY\NETWORK SERVICE was also missing from the IIS worker process group (IIS_WPG) membership (and could not be added as it is a local account) so I edited the local security policy and the Default Domain Controllers Policy (another bad practice – I should really have created a new policy for DCs running IIS) as follows:

  • Replace a process-level token (Default Domain Controllers Policy).
  • Adjust memory quotas for a process (Default Domain Controllers Policy).
  • Generate security audits (Default Domain Controllers Policy).
  • Log on as a batch job (Default Domain Controllers Policy).
  • Impersonate a client after authentication (local security policy).

The following user rights were already assigned to the account:

  • Bypass traverse checking (inherited from Everyone).
  • Access this computer from the network (inherited from Everyone).
  • Log on as a service (Default Domain Controllers Policy).
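As an added check (not part of the original post), the script below parses the [Privilege Rights] section of a `secedit /export /cfg` file and reports which of the rights listed above NT AUTHORITY\NETWORK SERVICE (SID S-1-5-20) holds neither directly nor through Everyone or Authenticated Users; the embedded export excerpt is constructed to mirror the pre-fix state described, not taken from a real server.

```python
"""Report which user rights NT AUTHORITY\\NETWORK SERVICE lacks, given a secedit export.

On the server run: secedit /export /cfg rights.inf /areas USER_RIGHTS
then call check_file("rights.inf"). SAMPLE_EXPORT below is constructed to mirror the
pre-fix state described in the post; it is not a real export.
"""

# Privilege constant -> display name, for the rights the post lists.
REQUIRED_RIGHTS = {
    "SeAssignPrimaryTokenPrivilege": "Replace a process-level token",
    "SeIncreaseQuotaPrivilege": "Adjust memory quotas for a process",
    "SeAuditPrivilege": "Generate security audits",
    "SeBatchLogonRight": "Log on as a batch job",
    "SeImpersonatePrivilege": "Impersonate a client after authentication",
    "SeChangeNotifyPrivilege": "Bypass traverse checking",
    "SeNetworkLogonRight": "Access this computer from the network",
    "SeServiceLogonRight": "Log on as a service",
}

# SIDs in the Network Service token: the account itself (S-1-5-20) plus the
# well-known groups it is always a member of (Everyone, Authenticated Users).
NETWORK_SERVICE_SIDS = frozenset({"S-1-5-20", "S-1-1-0", "S-1-5-11"})

SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeAssignPrimaryTokenPrivilege = *S-1-5-19
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-32-544
SeAuditPrivilege = *S-1-5-19
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-32-544
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-32-544,*S-1-5-11
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-11
SeServiceLogonRight = *S-1-5-20
[Version]
signature="$CHICAGO$"
"""


def parse_privilege_rights(inf_text):
    """Return {privilege: set of holder SIDs} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # Holders are listed as *SID; strip the marker so SIDs compare cleanly.
        rights[name.strip()] = {s.strip().lstrip("*") for s in value.split(",") if s.strip()}
    return rights


def missing_rights(inf_text, principal_sids=NETWORK_SERVICE_SIDS):
    """Display names of required rights held neither directly nor via a listed group."""
    rights = parse_privilege_rights(inf_text)
    # A right absent from the export is held by nobody, hence the empty default.
    return sorted(label for priv, label in REQUIRED_RIGHTS.items()
                  if not rights.get(priv, set()) & principal_sids)


def check_file(path):
    """secedit writes its export as UTF-16 text, hence the explicit encoding."""
    with open(path, encoding="utf-16") as fh:
        return missing_rights(fh.read())
```

Running `missing_rights(SAMPLE_EXPORT)` lists exactly the five rights the post had to add; after the policy change and a gpupdate, a fresh export should return an empty list.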

After forcing a group policy refresh (using gpupdate /force) and issuing the iisreset command, I was able to access the Virtual Server administration website as expected, although the event 1130 warnings are still being recorded in the event log, along with event 1129 since I enabled the virtual machine remote control (VMRC) server:

Event Type: Warning
Event Source: Virtual Server
Event Category: Remote Control
Event ID: 1029
Date: 04/05/2006
Time: 21:19:18
User: NT AUTHORITY\NETWORK SERVICE
Computer: SERVER1
Description:
The service principal name for the VMRC server could not be registered. Automatic authentication will always use NTLM authentication. Error 0x80072098 – Insufficient access rights to perform the operation.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I stress that running multiple services on a single PC (even with proper server hardware) is not a good idea; nor is running IIS on a DC; and neither is editing either the Default Domain Policy or the Default Domain Controllers Policy. If you need to do it though, hopefully these notes will help to work out why processes that rely on the Network Service account are not working as they should.

Does Windows Vista have more than just a pretty face?

I’ve written a bit about Windows Vista on this blog previously but generally left the product reviews to people like Paul Thurrott (who has both the time to do a review justice and the readership to make it worthwhile). Yesterday, I saw yet another Windows Vista presentation and (with my corporate mindset) I’m still struggling to see why I should move from Windows XP. Maybe that’s because so much is being made of the new Aero interface and there’s not been much emphasis placed on some of the other functionality. At a first glance Windows Vista has lots of new features; but many of them fall into one of the following categories:

  1. Require modern graphics hardware and won’t make any real difference in a corporate setting.
  2. Implement a totally new interface (or at least new ways of working) and so will require additional end-user training (which most companies won’t invest in, so people will continue to use Windows as they have done since we first saw Explorer in Windows 95).

At least, that’s what I thought until I saw James O’Neill’s presentation at the Microsoft Technical Roadshow. It turns out that there’s a lot of hidden functionality available in Vista (that doesn’t require new hardware) and the list below is probably just scraping the surface:

  • The startup/shutdown sequence is improved to allow for a more reliable sleep function/resume from hibernation.
  • There’s also an improved paging algorithm (known as superfetching) whereby the operating system learns the memory pages that are used frequently and keeps them in memory (avoiding the delay that occurs in Windows XP when returning from a meeting to find that Outlook takes a while to respond because an operating system process has swapped all of its memory out to disk).
  • Then there’s the ability to use a USB key as extra cache (faster than disk, slower than RAM, no problem if it’s removed suddenly because it’s just a cache, although there would be a slight performance hit for a cache rebuild).
  • The operating system is intended to be self tuning, with an API that allows PC components to be scored (opening up the possibility of warning users that they can run an application but it might run slowly due to the system having a poorly-specified processor or a lack of RAM).
  • The restart manager functionality allows a file to be unlocked (e.g. to apply a patch) without needing to restart the PC.
  • There are improved diagnostics (e.g. to report that a hard disk has bad sectors – often a sign that the disk is about to fail).
  • Security is a major area of improvement:
    • User account control/protection allows for least privileged user access, warning users where elevated privileges are requested. Unfortunately I have a feeling that most users will just ignore the warning (click the “yeah… whatever…” button) in the same way that firewall warnings are often not much help today.
    • There are anti-malware features provided through the integration of Windows Defender (it amazes me that so many of my clients are paranoid about virus protection yet don’t do anything about spyware).
    • Internet Explorer 7.0 is sandboxed (so malicious code is limited in its scope to do damage).
    • The Windows firewall is improved to allow for filtering of outbound traffic as well as inbound.
    • Client support for network access protection (NAP), allowing for quarantining of PCs when returning to the network.
    • Improved data protection (e.g. control over USB device connectivity).
    • BitLocker technology to encrypt the whole hard disk.
  • From a deployment perspective, everything that we know about unattended installation (which hasn’t changed much since Windows NT) changes with new file-based imaging tools that allow for compressed images with single instance storage of multiple build versions and non-destructive rebuilds.
  • Language support is handled via resource files (instead of multiple versions of the same DLL), allowing for creation of a single worldwide operating system image.
  • The new Windows imaging (.WIM) format allows images to be mounted as a file system, then browsed and edited.
  • A new feature called Windows resource protection is provided to protect system settings. Meanwhile, the number of configuration items that can be controlled via group policy has increased from approximately 1800 to around 3000 (mostly control over printing, USB devices, and power management).
  • For legacy application support, the program files folder structure and the registry are virtualised. This means that programs that need (or assume) administrator permissions can still run as they have a virtual registry to write to.
  • The command prompt is also unprivileged by default, with the same user access control functionality as the GUI.
  • The “breadcrumb trail” that replaces an absolute path in Explorer windows allows me to jump straight to a particular folder in the path.
  • The ability to tag documents (including photos) and “stack” them based on the file metadata (e.g. view all documents by a particular author – although for many organisations the author will typically be something like “Any authorised user” or the company name because in my experience other people rarely set the document properties).
  • Within control panel, a shield next to an applet indicates that user access control applies.
  • The mobility center allows for quick application of different settings (e.g. turning off the screensaver when presenting). There’s also easier file sharing with users on the same network and a new synchronisation engine for synchronising with mobile devices, or keeping files in sync with another PC (like backing up my work PC to a home file store).
  • Tabbed browsing in IE7 (something which, as a Firefox user, I now find very difficult to do without in IE6), RSS support and preview pages.

Even though I’m unimpressed generally with Aero, there are some UI features that I may find useful:

Microsoft is caught between a rock and a hard place. They get criticised for a lack of original new features; but we accuse Windows of being bloated. They get criticised for a lack of security; on the other hand when they add new features (improved client firewall, anti-spyware, etc.) they are accused of being anti-competitive. Windows Vista has been a long time coming and whilst many of the features originally planned have since been removed it does include some great new technology.

Will Vista be worth the wait? Probably. Will corporates be keen to adopt the new operating system? That remains to be seen but I suspect there won’t be a big rush if the marketing message continues with the “clear, confident, connected, ooh – doesn’t it look pretty” message.

Looking forward to the 2007 Microsoft Office System

Microsoft Office

I think I’ve been attending too many Microsoft events recently. Not only do the presenters know me personally, but I’m not hearing much that’s new. To be fair to Microsoft, that’s because two of the biggest product launches this year will be Windows Vista (for which I’m a beta tester) and Exchange Server 2007 (which I was extremely fortunate to spend two days learning about in depth last month). There are many other products planned for launch in 2007 but those two are the ones that will mean most to me. I spent yesterday at the Microsoft Technical Roadshow – an event that I’ve enjoyed in previous years (although the multiple-track format has been dropped this year due to budget restrictions) – and even though I’d seen much of the content at previous events, I was particularly impressed with Paul Brombley’s session on the 2007 Microsoft Office System (Office 2007 – formerly codenamed Office 12).

I’ve not done anything with the new version of Office (and can’t think of much that I do with Office 2003 that I didn’t already do with XP, 2000, 97 or even 95 – except that 95 didn’t have Outlook and that I could do more with 2003 if my employer made better use of SharePoint products and technologies) but I had heard of the new ribbon user interface.

Now maybe my comments about a lack of new features in recent Office versions were slightly disingenuous – the new features are there but it probably means that I still work in the same way I did in 1995. Whatever my thoughts are on Office 2003, what I saw and heard yesterday has inspired me to install the latest Office 2007 beta, if only to look more closely at the following features (which are just the ones that grabbed my attention – there are many more too):

In Outlook:

  • A new To-Do bar, which brings much of the old Outlook Today functionality into a sidebar, including upcoming appointments, tasks, and flagged items.
  • RSS integration.
  • Enhanced calendaring functionality (e.g. the ability to overlay multiple calendars – not many of my colleagues maintain their Exchange calendars, but I do keep separate work and personal diaries).
  • Tasks integrated with the calendar and assigned a time of day (including those from Project Server).
  • Improved search including query hit highlighting.

In PowerPoint:

  • Server-based slide libraries that can be tagged for use by others and alerts issued if updated versions of the slides are available.

In Word:

  • A mini-bar (I do hope Microsoft changes that name), close to highlighted text, that provides shortcuts to common actions (e.g. increase font size).

In Excel:

  • A zoom slider on the bottom right of the main working area.
  • The ability to publish parts of a report and therefore protect the calculations.
  • Fast table formatting with automatically selected data, alternate shaded lines, frozen frames on the column names and auto-filters.
  • Simple pivot table creation with enhanced conditional formatting and data bars on values.

The new ribbon interface (or, as Microsoft like to refer to it, the “results-oriented user interface”), which provides:

  • Context-sensitive links to commands, expanding and contracting the visible functionality in accordance with window size.
  • A preview of the effects of a command before it is issued (saving many undo commands), e.g. when applying a new style.
  • The ability to insert a new section (e.g. a cover page) from a gallery as a single command.
  • A new graphics engine, which makes it easy to add and edit attractive graphics with impact (not clip-art).

Other changes include:

  • FrontPage is now called SharePoint Designer (possibly reflecting the fact that it’s useless for designing standards-compliant web pages for use on any other platform).
  • Support for Windows Workflow Foundation services to provide document approval workflow.
  • Integration with InfoPath forms to capture metadata as part of the document authoring process as well as InfoPath in a browser (and not just Internet Explorer) and within Outlook (e.g. as a custom form).
  • Windows SharePoint Services (WSS) integration:
    • The ability to create basic Gantt charts in WSS using a webpart and link back to Project Server.
    • Document repositories with records management.
    • The ability to publish Excel data in WSS and view it in a web browser, natively within Excel, or programmatically within a custom application.
    • Dashboards, personal report centres and enterprise-wide searches for business intelligence.
  • Integrated communications (i.e. Office Communicator).

Apart from the new interface, probably the most significant change is the new OpenXML document format. Despite being proposed as a royalty-free, open standard, OpenXML has been criticised by supporters of the competing open-source open document format (ODF). Compact and robust, the format is actually zipped XML, so can be easily integrated with many business applications. Microsoft will continue to support the binary formats but OpenXML is the way forward, with migration tools for the new formats as well as free add-ins for Office 2000, 2002 (XP) and 2003 to allow legacy Office versions to use OpenXML files.

Microsoft is currently predicting an October 2006 release date for Office 2007. That means that although volume licensing customers will be able to get hold of it sooner, general availability will be in early 2007. Initially available as a 32-bit product, there will be a 64-bit edition later (64-bit adoption on the desktop is still lagging behind servers). In the meantime, there’s a 2007 Microsoft Office system preview website with more information including a comparison between the various product suites.

More new product names under the System Center brand

Two more Microsoft products in the management space got a new System Center branding last week. Whilst most of the System Center products have been new offerings, Microsoft announced that Microsoft Operations Manager v3 will be called System Center Operations Manager 2007 and Microsoft Systems Management Server v4 will become System Center Configuration Manager 2007 (these days, the acronym SMS is more often thought of in relation to the short message service in mobile telecommunications).

Introducing Exchange Server 2007

Another new product name: Exchange Server 2007. Bland as ever, but definitely preferable to something like Windows PowerShell. Actually, that one was pretty obvious back at the Exchange Server “12” Ignite training last month but as most of the information I was given there was protected by a non-disclosure agreement (NDA) I couldn’t say anything. At yesterday’s Microsoft Technical Forum event, the new product name was being used extensively (and Eileen Brown told me that my 4-week old E12 t-shirt was out of date… that’s Microsoft product names for you).

On a related note, I read on the Exchange team blog that Exchange Server is now ten years old. It seems like only yesterday I was one of the Microsoft partner representatives on the Exchange 4.0 Server UK launch tour (my first experience of working directly with Microsoft). Happy birthday Exchange Server.

Forum evangelism

This example forum post history was stolen from James O’Neill. Given the comments I get whenever I write about Macs (like the prospect of buying a Mac and installing an operating system that’s not OS X on it), it seemed kind of relevant:

A: I’m thinking of getting a new computer.
B: I’ve got a Mac, you should get one too.
C: Macs are pretty, but Windows is more flexible.
D: Windoze is evil man. Look at all the money M$ makes. You should get Linux [gives list of distributions].
B: Linux is hard. My granny can use a Mac, and she’s been dead for 10 years.
D: If she can’t build a kernel she shouldn’t have a computer, tree hugger.
C: Have you looked at Windows XP-Dead Grandparent Edition? It’s got lots of features [lists them. All of them].
E: Yeah, but that’s the problem XP DGE is so bloated. It’s been downhill since Windows 3.0, and we didn’t get viruses in those days.
D: And those features are just a cover for Micro$oft to steal your brain.
C: [Gives feature by feature justification, explains 15 years of changes in viruses. Denies brain stealing rumour. Misses meal].
A: None of you have given me a reason to choose one OS over another.
F-Z: WE DON’T CARE!
K: Why do you need a computer? In my day we did everything in the darkroom – computers are just cheating.
J: Hey, I’m new here and I’m not sure if this is the right place – does anyone have a recipe for pancakes?
L: Grab yourself a 3174 and run it green screen to an OS/390 host. If you’re short of cash then AS/400s are going for about £129 on eBay. Those fancy Mac things are really based on RS6000 technology anyway. Apple steal everything just like M$.
X: Nah – OS/390 hasn’t cut it since they renamed it Z/OS…

Sound familiar to anyone?

Love the PC – hate the technical support

I love my IBM ThinkPad T40 – it’s easily the most solidly built of my three notebook PCs and whilst my everyday PC is a much more highly specified Fujitsu-Siemens Lifebook S7010D the ThinkPad is my machine of choice.

Unfortunately, a few weeks back, I accidentally deleted the hidden protected area (HPA) on my ThinkPad (also known as the Access IBM pre-desktop area).

My first experience of IBM’s technical support was great – once they had confirmed that the machine was in warranty, they were happy to send me recovery CDs free of charge – but since then things have not been good. Even my less-than-satisfactory experiences of Dell and CA support via e-mail from India were better than my current experience of IBM. All I could get from IBM hardware support was a statement that the restore CD should bring back the pre-desktop area (it doesn’t) and a referral to the software support line. There lies the problem (explained in an e-mail from an obscure e-mail address that fell foul of Outlook’s junk e-mail filters): IBM provides free hardware support during the computer’s warranty period and free software support for the first 30 days after the purchase of the computer, after which the software support becomes chargeable. Fair enough for operating system support, but for an IBM technology accessed via a hardware function key? My last e-mail asked them to clarify whether they consider a partition provided on the hard disk to be hardware or software. No response (although I suspect I know the answer to that one).

Surely it’s not unusual for a hard disk to be replaced in an IBM PC and for the Access IBM pre-desktop area to be restored? Grrr.

Turn off your PC at night and save the planet (well, at least the English countryside and some cash)

I was interested to hear the following information in a presentation by Microsoft UK’s James O’Neill this afternoon:

  • A single personal computer (PC) draws 125W of power (but 5W when in sleep mode).
  • Running that PC for 50 hours a week (instead of 24×7) saves 120W (0.12kW) x 6160 hours = 740kWh per year.
  • Generating 740kWh of electricity represents 1/3 tonne of carbon dioxide (CO2) per PC per year.

Maybe if we all turned off our PCs at night we wouldn’t need to fill the English countryside with wind turbines.

Oh yes – in case you don’t care about global warming, 740kWh of electricity costs around £45 a year [source: my domestic electricity bill from Powergen].