Is anyone out there really doing this? I recently started looking at the docs for it and the output from a trace and I can’t say that it is very friendly output nor is the documentation very friendly in general.
The people who use my free utilities and/or read my posts aren’t truly customers since they don’t pay for the goods I supply but I still consider them customers when I think about them or get pinged by them.
Well one “customer” sent me a nice success email today and I wanted to share it with everyone else. Enjoy:
Just thought I’d let you know that I did a network trace to troubleshoot an AD issue for the first time yesterday. After contemplating what was going wrong for a few minutes, your repeated requests for a trace echoed in my head. While I’ve done a few traces for other issues in the past, this was my first for AD. Sure enough, it revealed that Websense, when building a DN, mistakenly assumed that “folder” was a container, so I got cn=username,cn=staff,dc=domain,dc=edu instead of cn=username,OU=staff,dc=domain,dc=edu…it’s always the little things.
Thanks.
Network traces are a GOOD thing. It is amazing how many problems you can quickly and easily troubleshoot if you just get off the couch and do the trace and look at it. You don’t have to be a network protocol guru in order to get good info from a trace; the parsers built into Wireshark are generally more than enough for at least basic LDAP traffic. RPC traffic, I understand, that stuff is a pain to wade through; an LDAP query though… simple stuff.
I responded and congratulated the customer on the successful operation and he further pointed out issues in the WebSense app that others may find beneficial to hear.
Yeah, you’re more than welcome to post this [I requested permission to post the email on the blog to help others – joe]. If you want to turn it into a list of why Websense is the devil, you can add their request to increase the MaxPageSize, the alleged requirement for a domain admin [1], and the clear text transmission of those credentials, as discovered in the aforementioned trace.
[1] I’m not really sure if they’re saying the user needs to be an admin on the Websense box or on the domain, but in any case, it works with a standard user. Also note that the password listed there [customer included a screen shot of the websense dialog – joe] IS the actual password, replaced by asterisks. So, for instance if their password was P@$$word1 and I change it in AD to P@$$word2, I can go back into this page, delete the last * and type 2 and the password will be updated. Not sure that that’s a real big deal, but it just doesn’t sit well with me 🙂
I have updated the blog server software so if you notice any issues, please let me know!
I submitted a bug for Longhorn this last Saturday, Microsoft turned it around two days later and it is listed as fixed. It was an issue I found with LH activation. Gotta love that turnaround speed…
Type: Bug
ID: 276936
Status: Closed (Fixed)
Access Restriction: Private
Opened By: jricha34
Blocking Issue: No
Opened: 5/12/2007
Submission Language: English
Resolved:
Closed: 5/14/2007 10:04:11 AM
You knew this was going to happen when Dreamz said it was the hardest decision he had to make. If he actually had any honor whatsoever, it wouldn’t have been a difficult decision, it wouldn’t even be a decision. You don’t accept a piece of gum in exchange for a promise let alone a Ford F350 unless you intend to fulfill that promise.
Along with the requests asking how Server Core is less resource intensive, there were requests for more info on how to do various things in Server Core that you tend to do right off when setting it up to test. I will admit I am by far not the expert here, lots of other folks have spent a lot more time working on this stuff so I highly recommend using Google to go look, but right off, bookmark this blog if you haven’t already:
Server Core – http://blogs.technet.com/server_core/default.aspx
So let’s assume you don’t use an unattend file to build your server core, you pop in the CD, you enter your license key and select Server Core, what next? All sorts of things, here are some of the things I do, note I don’t guarantee any of this, it isn’t official documentation, it is just stuff that I have worked through or found and work for me.
1. The first thing I do is install VMWare Tools. You will click on VM | Install VMWare Tools. Normally you will see a MSI file take off and start the installation process. You likely won’t see that on Server Core, at least I have yet to have seen that in I don’t know how many installs I have done. So what do you do?
Switch to D: Drive (or whatever drive if your CD/DVD is another drive)
Type “VMWare Tools.msi”
Walk through the prompts and reboot when it asks
2. Next, I recommend increasing screen res if you are going to do much from the VMWare Client. If you plan on doing everything through RDP, go ahead and skip this. I never did this until some recent testing forced me to.
The first step is to find where the heck the key is that you need to modify. Since part of the key will have a randomly generated GUID, this isn’t the most straightforward, but hopefully the method I give here will be easy. It involves searching in the right branch for a specific registry key that only exists (to my knowledge) in the subbranch that you want to work on for this action.
reg query hklm\system\currentcontrolset\control\video /s | findstr /i volatile
That will result in one or more strings like
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\video\{F6E7436E-54D0-482E-87CD-DAB680AF6216}\0000\VolatileSettings
You need all of the reg path info prior to the \VolatileSettings. You can then run the following command to change your screen res to 1152×864 (what I tend to run in, if you want something else, change the hex values but be careful, you could dork it up and not get to see your screen on your monitor – remotely modify machine in that case).
reg add HKLM\system\currentcontrolset\control\video\{F6E7436E-54D0-482E-87CD-DAB680AF6216}\0000 /v DefaultSettings.XResolution /t REG_DWORD /d 0x480 /f
reg add HKLM\system\currentcontrolset\control\video\{F6E7436E-54D0-482E-87CD-DAB680AF6216}\0000 /v DefaultSettings.YResolution /t REG_DWORD /d 0x360 /f
While you are there, you might as well turn on the video hardware acceleration although I haven’t seen it doing much if anything yet… But just in case…
reg add HKLM\system\currentcontrolset\control\video\{F6E7436E-54D0-482E-87CD-DAB680AF6216}\0000 /v Acceleration.Level /t REG_DWORD /d 0 /f
Obviously, starting with Beta 3, you can also use regedit to do this work.
3. I recommend changing the window drag format from full window to outline. This is easier… You do need quotes around the registry key though because some bright boy put a space in the name…
reg add "HKCU\Control Panel\Desktop" /v DragFullWindows /d 0 /f
4. For my private lab environments I turn off the screen savers, they annoy me
reg add "HKCU\Control Panel\Desktop" /v ScreenSaveActive /d 0 /f
If you prefer you can just change how long it takes for the screen saver to start. This is in seconds (decimal), here I am setting it to 1 hour. Again, not something I recommend for production.
reg add "HKCU\Control Panel\Desktop" /v ScreenSaveTimeOut /d 3600 /f
5. Set up CSCRIPT to be your default WSH Script engine. Not sure why it isn’t the default on Server Core…
CSCRIPT //H:CSCRIPT
6. Set up your Server Core so you can RDP into it (including from back level RDP clients)… Assumes you followed Step 5
SCRegEdit.wsf /AR 0 /CS 0
netsh firewall set portopening tcp 3389
If you are a firewall lover and have been playing with netsh in Longhorn you know there is an advfirewall interface available and there are specific rules for RDP called “Remote Desktop (TCP-In)”. You can, if you want, go into advfirewall and enable that rule but you will type far more than using the basic firewall command above and the system is smart enough to know that the above command is enabling the public version of “Remote Desktop (TCP-In)”.
7. Rename server (not joined to domain)
netdom renamecomputer %computername% /newname:[insert new name here]
8. Restart computer ASAP
shutdown /g /t 1
9. Log off
logoff
10. Set time/date/timezone
timedate.cpl
11. Pull up task manager
CTRL-SHIFT-ESC
or
taskmgr
12. Check activation status… Assumes you followed Step 5
slmgr -xpr
13. To activate. You don’t have to do this right away, you have a month to play…
slmgr -ato
14. To get a list of some other things you can do
SCRegedit.wsf /cli
I could give more but this should be enough to get people moving forward and learning how to do things.
joe
The response I have gotten from the Server Core posts has been pretty good, tons of emails and several comments posted directly to the blog. Seems people are very interested; that is very good IMO. Some of the emails were asking questions like “We keep hearing it is so much lighter and uses less resources, can you say anything more about that?”
Not really, but I will give it a shot… I just now built a bare bones Server Core guest and a bare bones Full Server guest (both Beta 3) to specifically gather some specs. I loaded the VMWare Tools on the virtuals as well because it annoys me when they aren’t running. Here are the specs:
Full Server
Dirs: 22009
Files: 38810
Bytes: 6,359,811,812
Full Reg Dump: 78,976,210 bytes
(From Task Manager – no load)
Physical Memory (MB)
Total: 510
Cached: 336
Free: 6
Kernel Memory (MB)
Total: 58
Paged: 38
Nonpaged: 19
System
Handles: 7740
Threads: 403
Processes: 37
Page File: 230M / 1509M
Server Core
Dirs: 9223
Files: 13022
Bytes: 1,803,802,566
Full Reg Dump: 39,926,858 bytes
(From Task Manager – no load)
Physical Memory (MB)
Total: 510
Cached: 185
Free: 191
Kernel Memory (MB)
Total: 42
Paged: 26
Nonpaged: 16
System
Handles: 5826
Threads: 306
Processes: 28
Page File: 169M / 1509M
Deltas
Dirs: -12786 (58.1% reduction)
Files: -25788 (66.4% reduction)
Bytes: -4556009246 (71.6% reduction)
Full Reg Dump: -39049352 bytes (49.4% reduction)
(From Task Manager – no load)
Physical Memory (MB)
Total: Same
Cached: -151 (44.9% reduction)
Free: +185 (3083.3% increase)
Kernel Memory (MB)
Total: -16 (27.6% reduction)
Paged: -12 (31.6% reduction)
Nonpaged: -3 (15.8% reduction)
System
Handles: -1914 (24.7% reduction)
Threads: -97 (24.1% reduction)
Processes: -9 (24.3% reduction)
Page File: -61 (26.5% reduction)
Just so I don’t forget what I just worked out.
To change screen resolution on Longhorn Server Core, modify
HKLM\System\CurrentControlSet\Control\Video\[GUID]\0000\DefaultSettings.XResolution
HKLM\System\CurrentControlSet\Control\Video\[GUID]\0000\DefaultSettings.YResolution
On VMWare Server I am finding 1162×864 works out well. The value for [GUID] will depend on the installation. It seems under \Video\ there are usually multiple GUIDs listed, the first one enumerated usually seems to be the one you need to go in and work on. It is easy to tell (so far), because if you expand the \0000\ key, the right one will have a \VolatileSettings\ key under the \0000\ key. Plus it is the only \0000\ key that will have a value under it for Acceleration.Level. I need to write something to do this modification.
To change hardware acceleration, change
HKLM\System\CurrentControlSet\Control\Video\[GUID]\0000\Acceleration.Level
to the value 0. The thing is that it doesn’t seem to really change anything. Mouse experience is still shaky.
To change the full window dragging (this helps a lot on VMWare), change
HKCU\Control Panel\Desktop\DragFullWindows
to the value 0.
joe
Have you heard of this thing? Longhorn Server Core that is? Do you know what it is? Do you care? Yes mom, I know you don’t know and you don’t care, you can skip this posting… 🙂
Longhorn Server Core is a new version of Windows Server that looks something like the following image when you log on:
This is, of course not what most people are used to seeing and it very likely is going to confuse the hell out of many point and click admins.
For some of us, well a lot of us, this is an extremely exciting development, it represents Microsoft truly trying to embrace security and efficiency in their operating system. The Shell stuff is stripped out as well as just about anything else that isn’t critical to basic operations. This means you can’t use Media Player to play MP3s or use I.E. to web surf… but you know what, you shouldn’t be doing that stuff on servers anyway. Servers are for real work, not screwing around.
Recently though, yesterday in fact, Susan Bradley of SBS fame mentioned on the ActiveDir Org list that at the MVP Summit another MVP said, and I quote:
“I saw this server core product while I was up there… what were they thinking! No one will use that! I told them they were crazy to even build that.”
That scares me and makes me question the sheer number of people we have as MVPs at the moment but that is a whole other story. I will just assume that this MVP was an XBOX MVP or Flight Simulator MVP or an SBS MVP and doesn’t see the sheer beauty and intelligence behind Server Core.
Microsoft kind of looked around at all of the vulnerabilities they had to patch and realized that if they stripped servers down to the core components, something like 80%+ of the patches weren’t needed. I am sort of making that percentage up based on something I heard a couple of years ago when they first announced this but I think it is pretty darn close. So that makes you wonder, how many other things does that protect you against? My answer… a veritable shitload… especially if you combine this lockdown of the number of bins on the box with all of the great security advances made in the Vista/Longhorn source tree. Sure some of the stuff is a pain in the ass and sure it is going to break a lot of programs but man it will be nice to feel relatively safe most of the time. Not living in constant fear of what is coming the second Tuesday of the month. Right now, if you religiously patch your servers, you are generally pretty lucky to have an uptime that exceeds a month. It isn’t that Windows Servers can’t do it, I used to do mad uptimes back in the 90’s on NT4 when the security environment wasn’t nearly so harsh, it is just that you have patches coming from the left right and center every month and nearly all of the good ones require a reboot. So Server Core should help with this considerably.
Server Core is also a lot less .FAT than full blown Windows. It is Windows after Weight Watchers with a prom coming up and working to fit into that size 2 slinky dress… This is wonderful for virtualization. I shouldn’t need to list the reasoning behind that, exercise left to the class.
Now you have to keep in mind, with this stripped down version of Windows, not everything is going to run the same or possibly even at all on it. Right off, anything requiring IE is going to find a challenge here. Anything needing the .NET framework at least initially will be SOL. I have even seen bitching in various forums about apps that try to use the builtin ZIP functionality of Windows not working on Server Core… That would be because ZIP functionality isn’t core to the Windows OS… So before you think, I will run everything on this, you will need to be testing.
So joe, you ask with a coy look and a teasing flip of the hair… Who is going to use this thing?
Obviously I don’t agree with anonymous MVP guy and think it will be used but I also don’t think that everyone is going to go nuts and install it. I think eventually its use will be extremely high but it will take a bit to get there. I expect the initial deployers will be along these lines:
That last, #6, isn’t one I originally came up with when I posted this list to activedir.org earlier, but I fully concur with it. Thanks to Steve Evans for seeing I missed it and piping up with it.
Now who definitely won’t use Server Core? Right off, Admins who know nothing but the GUI and don’t have the ability to learn anything but the GUI. These people, IMO, need to be thinking that they may have a limited existence, certainly in larger orgs. I was also initially thinking SBS (Small Business Server) was straight out as well. But as I think about it more and more, I like Server Core in an SBS environment… My feelings are generally pretty well documented about how I am not a fan of extra services (read security exposure) on Domain Controllers. I mean, I don’t even like AV engines that have auto update capabilities or external interfaces to manage the software. Then you take an SBS server which is basically a Domain Controller with just about every other possible piece of Server Software that can possibly be installed without the box simply cutting its own throat. If you have a patch or something, say a critical DNS patch, that requires a reboot, in general, your whole domain, your file and print, your web server, your DB Apps, your mailboxes, your internet access, you name it, it all goes down because it is all on the same machine. Most people find that unacceptable. I know I do, if a domain goes down completely in a reboot I wonder what my chances are of it coming back up as well as the chances of me getting to some island before getting called back to fix it. It reminds me of the Disaster Recovery Plan I once heard from a guy who ran AD for a very large company… “We depend on the geographically distributed nature of our data centers and if that fails us we hope to be able to restore from a backup (but don’t test them). Plan B is a bag of cheese puffs and a one way ticket to Aruba.”
Err so where was I… Oh yeah, I segued from SBS with a 25 user count to a company approaching 200k users… how *do* I do that? So SBS… I think this would be a great place to run Server Core… You have some cool virtualization coming shortly after Longhorn called the Hypervisor or code name Viridian. Visualize your one physical SBS box running multiple virtuals, like for instance two virtual domain controllers, two virtual file servers, two virtual Exchange Servers, two virtual SQL Servers. Stuff clustered as necessary (AD obviously doesn’t need it) and voila you now have a single physical server in use for SBS but set up so that rebooting a single server for patching or issues you don’t lose the whole darn environment. You will still need to occasionally lose the whole thing but I would expect it to be far less often since it would only have to be if the “Host” or physical box needed it. There could be one control guest server on the machine which was full whiz bang GUI and it would be configured to easily manage all of the various virtual guests on the machine. The SBS team could do some amazing things with this I think.
Ok this is enough for me, I am about ready to fall out of my chair and sleep on the floor.
joe