DNS and operations master roles placement with Active Directory

I had a call last night from a client who is implementing Active Directory (AD) in his organisation and was trying to resolve some replication issues. Like so many problems in AD the issue was related to the DNS configuration and once I had made a few configuration changes on the DNS servers to build a forwarding hierarchy from the remote sites to the head office and then on to the ISP, everything started to work.

Whilst I was looking over his domain I also noticed that there was only a single global catalog (GC) server – the first domain controller that he’d installed (the same DC that was holding all the operations master roles, although in his single domain forest the co-hosting of the infrastructure master and GC roles will not cause problems with phantom indexes as described in Microsoft knowledge base article 248047).

Microsoft knowledge base article 825036 describes best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003 whilst Microsoft knowledge base article 223346 discusses the placement and optimisation of operations master roles.

Keeping files synchronised between data sources with SyncToy

Several months back, my mate Toffa told me about a tool called SyncToy that is great for keeping two disks synchronised (e.g. a primary and a backup). Last night I installed it (to make regular backups of my digital photos and music to my new external hard disk) and was very impressed. It’s actually a free Windows PowerToy and I was using v1.0 – SyncToy v1.2 is available and includes a number of enhancements.

The tool offers five modes of synchronisation between pairs of folders (left and right) and users can also preview the changes before running the synchronisation job:

  • Synchronise: New and updated files are copied both ways. Renames and deletes on either side are repeated on the other.
  • Echo: New and updated files are copied left to right. Renames and deletes on the left are repeated on the right.
  • Subscribe: Updated files on the right are copied to the left if the file name already exists on the left.
  • Contribute: New and updated files are copied left to right. Renames on the left are repeated on the right. No deletions.
  • Combine: New and updated files are copied both ways. Nothing happens to renamed and deleted files.

Microsoft are positioning this as a tool for photographers but to be honest it looks good for anyone who keeps data in multiple locations (like backing up a laptop to a server at home). I know people who swear by Novell iFolder (for keeping data synchronised, secure and available wherever they are) but SyncToy looks like a perfect synchronisation solution for many Windows users who just need to make sure that a second copy of their important files is available if the first one is lost or who want to synchronise files stored on multiple devices in a number of locations.

OWA 2003 ActiveX control issues from IE 6.0 and 7.0

Since switching my everyday PC over to Windows Vista, I’ve been unable to reply to any e-mails using Outlook Web Access (OWA) whereby the reply pane opens, but the ActiveX control doesn’t load. I tried various browser settings before a bit of googling turned up a thread on the microsoft.public.exchange.admin newsgroup that seemed to describe an annoying “click to activate the control” message that I’d been experiencing with fully-patched Windows XP clients (caused by the Internet Explorer update described in Microsoft knowledge base article 912945).

Microsoft knowledge base article 911829 describes the problem as well as highlighting that Windows Vista does not support the ActiveX control used by OWA for HTML editing. Once I’d installed the associated hotfix on my Exchange Server 2003 server the issue was resolved for both my XP and Vista clients.

P2Ving my notebook PC: part 2

Last week I wrote about how I’d lost most of my bank holiday weekend trying to perform a physical to virtual (P2V) conversion of my corporate notebook PC. Well, I’m pleased to say that I’ve resolved the remaining issues and I’m very happy with the results.

The last remaining problem after I’d used PlateSpin PowerConvert to carry out the conversion to Microsoft Virtual Server 2005 R2 was getting the Cisco Systems VPN Client to work. I spent two days trying various settings, removing and reinstalling the VPN software (and the Zone Labs Integrity Client that my corporate VPN connection also requires) but was getting nowhere.

With or without a VPN solution, my end goal was a VMware virtual machine, as Microsoft Virtual Server is intended as a remote/server virtualisation solution, and Microsoft Virtual PC only runs on Windows/Macintosh platforms (I needed a cross-platform solution as I intend to run my virtual machine as a guest on both Windows and Linux). That’s where VMware Server beta 3 came in useful, as I used its virtual machine importer feature to import the Virtual Server configuration before installing the VMware Tools and copying the whole virtual machine elsewhere to run it using the VMware Player.

If this sounds complicated, then there are some good reasons for taking the physical hardware – Microsoft Virtual Server – VMware Server – VMware Player route.

  • Firstly, PlateSpin PowerConvert didn’t recognise my VMware Server beta 3 server and I don’t have a licensed copy of VMware Workstation/GSX/ESX (except an old VMware Workstation 4 licence) so Microsoft Virtual Server 2005 R2 was my only viable route.
  • Secondly, whilst VMware claim that their Player supports Microsoft virtual machines, my experience is that the import fails.
  • Finally, VMware Player does not include VMware Tools. Although VMware Tools can be installed to a virtual machine within VMware Player, the use of VMware Server to carry out the import provided an ideal opportunity to install the tools.

Incidentally, VMware Server’s virtual machine importer was very impressive, giving me the option to use the existing Virtual Server disks or to copy them to VMware Server format (I chose the latter) as well as options for legacy or new VMware formats. It can also import from certain disk image files and that may well be a method of avoiding the use of the software that I used to carry out the P2V operation.

Once I’d rebuilt my notebook with a different base operating system (I’m using Windows Vista beta 2 at the moment), it was simply a case of installing the VMware Player. Although I don’t recall any errors on installation, I did need to manually configure the VMware Bridge Protocol on my Ethernet connection as VMnet 0 (and reboot), before VMware Player would allow the guest to connect to the network.

Plug and play dealt with the virtual hardware changes along the way and the VPN connection worked first time (without any obvious changes) – I can only assume that the VMware bridged network connection works in a different way to the Virtual Server network that was causing my VPN client to fail in a Virtual Server virtual machine.

After spending most of today working with my Windows XP virtual corporate client running as a guest under Windows Vista, the whole project seems to have been a success, although I’m still planning on dual-booting Windows Vista with Linux (keeping the virtual machine on a partition accessible from both operating systems) so there may well be a part three to this story yet.

Amazingly, excellent customer service in PC World!

I honestly never thought I’d see the day when I would praise PC World (or any DSG International store) for their customer service but, credit where credit’s due, tonight I was pleasantly surprised (although a Google search for DSG Retail will turn up many unhappy customers).

Toshiba PX1223E-1G32 320GB External Hard Disk

A few weeks back, I bought myself a Toshiba 320GB 7200 RPM external USB 2.0 hard drive with 8MB data buffer – a bargain at £109.99. It’s been so good that last night I dropped by on my way home to buy another one (to back up my data – disk is so much easier than tape). The price had increased to £119.99 but after making the effort to visit the store, I bought one anyway.

When I got home, I checked the web and found that the best online price was also from PC World, who were selling the same item online for £99.99 with free shipping (or collection from store). I understand that online prices should be lower than in store (lower overheads, etc.) but decided to return the disk and buy it again online at the lower price. Before I did that, I needed to call PC World and check the returns policy (for unwanted goods it is “at the manager’s discretion”) before committing to buy another.

Unfortunately for me, the Internet price increased overnight to £109.99 but that’s still a tenner less than I had paid, so this evening I returned the disk, explaining that there was nothing wrong with it – I’d just be saving myself a few quid by buying another one on the ‘net.

Unexpectedly, the staff member that I spoke to not only refunded my original purchase, but then ordered me one at the web price, which I then “collected” and paid for (of course, it was the same one I’d just taken back). She explained that they are not supposed to do that, but understood that it saved me from making another trip (or waiting for delivery). I won’t name the store or the staff member because I don’t want to get them into trouble; but if you’re reading this – thank you.

(I then drove home very carefully, watching out for flying pigs and an ice-skating Devil).

Using a temporary e-mail address to avoid spammers

A colleague just sent me a link to Mailinator – a service for creating temporary mailboxes that are valid for just a few hours in order to receive (but not send) e-mail, e.g. when registering on a website and needing to see the initial registration e-mail, but wanting to guard against receiving unsolicited commercial e-mail (UCE – more commonly known as spam) afterwards.

This is how the guys at Mailinator describe it:

“It’s like super-instant, always-ready, any-email-you-want email. Right now. It’s your personal disposable email account. Here is how it works: You are on the web, at a party, or talking to your favorite insurance salesman. Wherever you are, someone (or some webpage) asks for your email. You know if you give it, you’re gambling with your privacy. On the other hand, you do want at least one message from that person. The answer is to give them a mailinator address. You don’t need to sign up. You just make it up on the spot[…] — pick anything you want.

Later, come to [the Mailinator] site and check that account. It’s that easy. Mailinator accounts are created when mail arrives for them. No signup, no personal information, and when you’re done — you can walk away — an instant solution to one way spammers get your address. It’s an anti-spam solution for everyone. Your temporary email account will be automatically deleted for you after a few hours.

Let’em spam…”

I haven’t tried it yet, but it sounds like a great idea!

How to interpret Seagate disk drive model numbers

A couple of weeks back, I was sent a replacement hard disk drive for my work PC. After backing up my data and opening up my notebook PC, I found that the replacement was actually a Seagate ST980825AS Serial ATA (SATA) drive, rather than an ST9808211A Ultra ATA (EIDE) disk. Although the new disk drive is much faster, unfortunately it won’t actually fit my laptop; but I did come across this useful guide to interpreting Seagate disk drive model numbers.

Using PlateSpin PowerConvert to P2V my notebook PC

With Windows Vista and Office 2007 now at beta 2, I figured that it’s time to test them out on a decent PC. I’d also like to dual-boot with a Linux distro as the only way to really get to know an operating system is to use it on a daily basis but the problem is that I’m running out of hardware. Most of my PCs are around 3 years old, with 1.5GHz Pentium 4 CPUs and between 256MB and 512MB of memory. I could buy some more memory for the older PCs, but I’m hoping to buy two new machines later this year instead. Meanwhile, the Fujitsu Siemens Lifebook S7010D that my employer has provided for my work is a 1-year-old machine with 1GB RAM – plenty for my testing (although I haven’t checked if the graphics card will support the full Aero interface).

My problem is that I can’t just wipe my hard disk and start again. The Lifebook is joined to a corporate domain and has VPN client software installed so that I can access the network from wherever I happen to be. That’s where virtualisation comes in… I thought that by performing a physical to virtual (P2V) conversion, I could run my Windows XP build inside a virtual environment on a Windows Vista or Linux host.
I’m also co-authoring my employer’s virtualisation strategy, so I called PlateSpin in Canada (because I’d missed the end of the business day in the UK) and they agreed to supply me with three evaluation licences for their PowerConvert software. The good news is that I completed my P2V conversion. The bad news is that my experience of the product was not entirely smooth and it took a fair chunk of last week and most of my bank holiday weekend too.

The software installation was straightforward enough, detecting that there was no SQL Server installation present and installing an MSDE instance. PowerConvert Server doesn’t show up as an application on the Start Menu as it is actually just a set of Microsoft .NET web services and a separate client is required to perform any operations, downloadable from http://servername/powerconvert/client.setup.exe.

Once everything was installed, I got to work on discovering my network infrastructure. PowerConvert automatically located the various domains and workgroups on the network and when I ran discover jobs it found my Microsoft Virtual Server 2005 R2 installation (but didn’t see my VMware Server beta 3 installation). It also struggled for a while with discovering server details for my Windows XP source machine (even after a reboot and with the client firewall disabled) – I never did find the cause of that particular issue (even after following PlateSpin knowledge base article 20350) but after taking the PC to work, hooking up to the corporate LAN and bringing it home again that night, everything jumped into life.

With all PCs discovered, I was ready to carry out a conversion. The basic process is as follows:

  1. Discover the source and target server details.
  2. Create a virtual machine on the target server.
  3. Boot the virtual machine into Windows PE and load the PowerConvert controller.
  4. Take control of the source server, boot this into Windows PE and load the PowerConvert controller.
  5. Copy files.
  6. Restart the target virtual machine, and finalise configuration.
  7. Tidy up.

That sounds simple enough, until considering that PowerConvert also handles the changes in the underlying hardware – something that’s not possible with simple disk duplication software.

Everything looked good up to the point of loading the controller on my source machine which just couldn’t connect (and didn’t seem to recognise the network). I tried various conversion job settings and after various failed attempts, including stalled jobs which refused to be aborted (once an attempt is made to abort a job, PowerConvert doesn’t check to see if it was stopped successfully – it just refuses to allow a subsequent attempt to abort the job) and consequential removal and reinstallation of PowerConvert as detailed in PlateSpin knowledge base article 20324 (to free up the source machine and allow another attempt at conversion), I re-read the text file supplied with the installation. It turns out that the out-of-the-box installation didn’t recognise my Broadcom NetXtreme gigabit Ethernet card (not exactly an uncommon network interface) but once the physical target take control ISO packages were updated, that particular issue was resolved (as confirmed using the PlateSpin Analyzer tool – see PlateSpin knowledge base article 20478). Rather than having to manually apply updates, I’d prefer to see the installation routine check the PlateSpin website for updates and install them automatically.

It looked as if I finally had everything working and I left a conversion running overnight but came down the next morning to see the target machine rebooting with a STOP 0x0000007B error (blue screen of death). It turns out that although I’d configured the PowerConvert job to convert my single physical hard disk with two partitions into two dynamic virtual IDE disks, it had still configured a virtual SCSI controller on the target virtual machine and not surprisingly that couldn’t read the IDE disks. I tried various resolutions, including rebooting the virtual machine into the Windows XP Recovery Console but without the administrator password (I had access to an account in the Administrators group but not the Administrator), I couldn’t do much. Unfortunately, the software is licensed on a per-conversion basis (although there are other options) and “PowerConvert will burn a license once the file transfer step of the job has been completed” (see PlateSpin knowledge base article 20357) so that was one of my evaluation licences burned.

Accepting that my failed attempt was not recoverable, I aborted the job and tried again, this time converting my two physical partitions to two dynamic virtual SCSI disks. This time the job completed successfully.

I now have a working virtual corporate notebook, still joined to the domain, still with the same security identifiers and disk signatures but with a different set of underlying hardware. I still need to get my VPN client working inside the virtual environment but if I can clear that final hurdle then I’ll be ready to ditch the source machine and reach my dual-boot Vista/Linux goal.

In summary, PlateSpin PowerConvert tries to do something complex in a simple and elegant way, using modern technology (web services, the Microsoft .NET framework and Windows PE). Unfortunately, I didn’t find it to be very robust. I’m no developer but I am an experienced Windows systems administrator and infrastructure designer and this was hard work. The product may be better with VMware but I didn’t get a chance to try as it didn’t recognise my VMware Server beta 3 installation. One thing’s for sure – PowerConvert has stacks of potential – if PlateSpin can sort out the reliability issues. If not, then I might as well take a look at the VMware P2V assistant, or Microsoft’s Virtual Server migration toolkit (VSMT).

Migrating SMTP e-mail from my ISP’s servers to an internally-hosted Exchange server

Over the last couple of days, I migrated my e-mail service to Microsoft Exchange Server. I’ve been meaning to do this since I first bought my own domain name in the late 1990s but a lack of suitable hardware to dedicate to the task has meant that until now it’s been easier to leave the service with my ISP and download it to Outlook using POP3. Using virtualisation technology has enabled me to build an e-mail infrastructure without using any extra hardware.

Phase 1 of the project was installing the mail service and connecting to my ISP’s servers. I wanted to use Microsoft Exchange Server 2003 but for various reasons I didn’t want to extend the schema for my Active Directory (AD), so I created a separate resource forest with an outgoing trust to the original domain and installed Exchange Server there. Following this, I was able to create disabled user accounts and associate the mailboxes with external accounts in the original forest, allowing me to authenticate to my mailbox in the resource forest using my normal account credentials from the original domain (as described in Marc Grote’s article on the MSExchange.org site, although assigning the external associated account is now much simplified using the Exchange Task wizard).

Next, I needed to tell my ISP’s servers to allow messages for my domain to be routed to my server. The ADSL connection that I use is not associated with my domain but it does have a static IP address (an alternative is to use a dynamic DNS service), so after opening up TCP port 25 on the firewall to allow inbound SMTP traffic I created two DNS records for each domain that I own:

  • Host (A) record to define a server name that resolves to my IP address.
  • Mail exchanger (MX) record for the domain that resolves to the A record created previously.

With the appropriate DNS records in place, that was all the configuration needed at the ISP’s end, but Exchange still needed to be configured to forward e-mail to the ISP’s SMTP relay – easily accomplished using the Exchange Server 2003 Internet Mail Wizard. The important thing to be sure of is that the server is not configured as an open relay (recent versions of Exchange Server lock this down by default). Once the SMTP connection was in place, e-mail started to flow (although for a while some mail was still being delivered to my ISP’s servers until the DNS entries had completely propagated around the Internet).

DNS Stuff is a mine of useful information, so I ran a DNS report on my domain name. This turned up various warnings about my ISP’s DNS configuration (which I can’t really do much about) but also a warning that my server’s SMTP greeting included a non-existent host name (the internal DNS name for the Exchange server):

220 hostname.internaldnsdomainname Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at Thu, 25 May 2006 12:30:31 +0100

According to the warning, if the server sends e-mail using a non-existent host name in its EHLO or HELO, e-mail could be blocked by anti-spam software, as well as being a technical violation of RFC 821 section 4.3 and RFC 2821 section 4.3.1.

A spot of Googling turned up a forum post on changing the SMTP greeting which pointed me in the direction of Microsoft knowledge base article 266686, allowing me to change the fully qualified domain name for the SMTP virtual server so that the SMTP greeting now reads as follows:

220 mailserver.domainname Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at Thu, 25 May 2006 13:18:44 +0100

Note that the hostname given in the SMTP greeting doesn’t have to be precise – it doesn’t matter that the SMTP server may handle e-mail for multiple domains (as mine does), as long as the host name given resolves to the correct IP address.
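As an added example (not from the original post), here is a small offline Python check for the two things set up in this section: the MX record pointing at an A record for each domain, and whether the hostname in the SMTP 220 greeting is a fully qualified name that resolves to the server’s own address (the RFC 2821 section 4.3.1 point the DNS report raised). The zone data, the example.net names and the 203.0.113.25 address are constructed; the “before” banner is the one quoted above.

```python
import re
from typing import Callable, Dict, List, Optional

# Constructed stand-in for the public DNS (not from the original post) so the
# checks run offline: the A record for the server name and the MX pointing at it.
SAMPLE_ZONE: Dict[str, Dict[str, List[str]]] = {
    "example.net": {"MX": ["10 mailserver.example.net"]},
    "mailserver.example.net": {"A": ["203.0.113.25"]},
}
Resolver = Callable[[str, str], List[str]]


def lookup(name: str, rtype: str) -> List[str]:
    """Offline resolver: records of type rtype for name, or [] if none."""
    return SAMPLE_ZONE.get(name.rstrip(".").lower(), {}).get(rtype, [])


# RFC 2821 s4.2: a 220 greeting is "220" (or "220-" on continuation lines),
# then the server's domain as the first word, then free text.
GREETING_RE = re.compile(r"^220[ -](?P<host>\S+)")


def greeting_hostname(banner: str) -> Optional[str]:
    """Return the hostname announced in an SMTP 220 greeting, or None."""
    match = GREETING_RE.match(banner.strip())
    return match.group("host") if match else None


def check_mx_chain(domain: str, resolver: Resolver = lookup) -> List[str]:
    """Verify the MX -> A chain the post creates at the ISP for each domain."""
    mx_records = resolver(domain, "MX")
    if not mx_records:
        return [f"{domain}: no MX record, so mail falls back to the A record"]
    findings: List[str] = []
    for record in mx_records:
        _preference, target = record.split(None, 1)
        if not resolver(target, "A"):
            findings.append(f"{domain}: MX target {target} has no A record")
    return findings


def check_greeting(banner: str, server_ip: str,
                   resolver: Resolver = lookup) -> List[str]:
    """Flag a greeting hostname that is not an FQDN resolving to server_ip.

    A non-resolving name is the RFC 2821 s4.3.1 violation the DNS report
    warned about and a common anti-spam rejection trigger.
    """
    host = greeting_hostname(banner)
    if host is None:
        return ["not a valid 220 greeting"]
    if "." not in host:
        return [f"greeting hostname {host!r} is not fully qualified"]
    addresses = resolver(host, "A")
    if not addresses:
        return [f"greeting hostname {host} does not resolve"]
    if server_ip not in addresses:
        return [f"greeting hostname {host} resolves to {addresses}, "
                f"not to the server address {server_ip}"]
    return []


if __name__ == "__main__":
    # The banner quoted in the post before the fix (internal-only name).
    before = ("220 hostname.internaldnsdomainname Microsoft ESMTP MAIL Service, "
              "Version: 6.0.3790.1830 ready at Thu, 25 May 2006 12:30:31 +0100")
    # Constructed equivalent of the corrected banner.
    after = ("220 mailserver.example.net Microsoft ESMTP MAIL Service, "
             "Version: 6.0.3790.1830 ready at Thu, 25 May 2006 13:18:44 +0100")
    for label, banner in (("before", before), ("after", after)):
        print(label, check_greeting(banner, "203.0.113.25") or ["ok"])
    print("mx chain", check_mx_chain("example.net") or ["ok"])
```

Against a live server the same functions apply to the banner read from the socket and to a real resolver that returns A records, which is all the DNS report did.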

Phase 2 of the project will be to configure the intelligent message filter for Exchange Server 2003 (included as part of Exchange Server 2003 service pack 2) and hopefully cut out most of the spam that I receive (as the volume of spam hitting my server is much greater than the previous levels which were mostly handled by the Outlook junk e-mail filter). I’ll also be looking at enabling RPC over HTTP (see Microsoft knowledge base article 833401) to allow Outlook to access my mail servers using HTTP from behind my employer’s firewall.

ISA Server 2004 “gotchas”

After having to abort last week’s attempt to replace an aging Microsoft Proxy Server 2.0 installation with Microsoft Internet Security and Acceleration (ISA) Server 2004, last night I had another go and I’m pleased to say that the ISA Server is now up and running. There are still some minor issues that I need to resolve, but here’s a summary of the key points that affected me:

  • It’s important to configure the underlying network correctly – i.e. check the binding order of the various network interfaces, disable unwanted services on the external interface, only configure one interface with a default gateway (the external interface), only configure one interface for DNS and check that there is a valid route configured back to each internal network. Jim Harrison has written an excellent article on configuring ISA Server interface settings.
  • By default, ISA Server 2004 will not let any traffic pass (on any interface) – i.e. it is secure by default.
  • Do not configure the ISA Server to use both internal and external DNS servers. The ideal solution is to configure DNS forwarding from the internal DNS server(s) to the ISP’s DNS servers and create an access rule to allow outbound DNS traffic. If DNS is configured incorrectly, then the server may have difficulties contacting Active Directory which will have a consequential effect on authentication.
  • Configure individual access rules to allow all required outbound network services and consider the order of the rules (i.e. is one rule denying access before another is processed). Multiple rules can be configured for different user sets and schedules.
  • In general, access rules are used to allow outbound access whilst internal resources are “published”.
  • When publishing HTTP(S) servers, make sure that there is an appropriate web listener configured.
  • When publishing SMTP (or other) servers, there is no web listener, but there must be an appropriate network listener configured. Generally, internal SMTP servers will be configured only to allow mail to be received from certain hosts, so it may be necessary to make the traffic appear as if it originated from the ISA Server. Thomas Shinder has written an excellent article on troubleshooting SMTP server publishing rules.
  • If restricting access to certain users, ensure that integrated authentication is enabled and authentication is required.