Monday 29 October 2012

Migrating DHCP scopes from Windows 2003 to Windows 2008 R2 server

In order to successfully migrate a DHCP server without disrupting the clients, you need to let the new server know about the current leases on the old server, otherwise it will lease the IPs that may already be leased by the old server. So it’s important to migrate the current leases as well as all the reservations.

If you configured IP Helper address on your switches, don’t forget to change it. On Cisco switches, it can be set by typing:

[no] ip helper-address ip_address

In order to migrate a DHCP server database with all leases and reservations between 2 Windows servers (e.g. the old one running Windows 2003 and the new one running Windows 2008 R2), simply export the entire DHCP database and import it to the new server.

On the old DHCP server run:
netsh dhcp server export c:\dhcp_config all

Copy the file over to the new server.

On the new DHCP server run:
netsh dhcp server import c:\dhcp_config all

Executing the netsh command will stop and restart the dhcp service.

If you get an error while importing the dhcp database “Error while importing option "6."”, just delete the existing options from the new server. 

If the new server is already hosting some scopes that don’t exist on the old server, or there are scopes on the old server that you don’t need on the new server, it’s possible to migrate only scopes you need on the new server.

On the old server, for each scope run:
netsh dhcp server export c:\scope_name scope_ip_address

Copy the file(s) over to the new server.

On the new server run:
netsh dhcp server import c:\scope_name scope_ip_address


More info:
Cisco Routing IP
How to move a DHCP database from a computer that is running Windows NT Server 4.0, Windows 2000, or Windows Server 2003 to a computer that is running Windows Server 2003
How to move a DHCP database from a computer that is running Windows Server 2003 to Windows Server 2008
Migrating DHCP scopes from server 2003 to 2008

Saturday 15 September 2012

Limiting available RAM for AOS (AX32Serve.exe) on Microsoft Dynamics AX 2012

Several users reported issues with Dynamics server being unresponsive while certain processes are running. On the application server, I found the AOS process AX32Serv.exe utilising almost all available RAM, which affected the OS and user’s sessions. Since the guys who were hired to deploy and customise the system were not able to help with this, I asked on Dynamics community forum and got a response from Tommy who advised to limit the available RAM for AOS.

Infrastructure: vSphere v5
OS: Windows 2008 R2 SP1
Application: MS Dynamics AX 2012

Basically, there are several ways to do this. I used the server configuration tool to create a new configuration instance and modify it by editing its configuration file.

Creating and loading a new configuration instance requires a reboot of AOS service, so a short outage needs to be planned.

Importing a new configuration file does not cause any outage.

Steps:

Open Microsoft Dynamics AX Server Configuration Utility > Manage > Save configuration as file > and make a backup of the running config.

Manage > Create configuration > name it > select Copy configuration from: Active configuration > OK > Apply > click Yes to restart the service.

Once the new configuration is shown under “Configuration:” field > Manage > Save configuration as file.

Edit the file and at the end of it, add the configuration command – e.g. to limit the available RAM for AOS to 75% of the total available RAM on the server, add the following line:

MaxMemLoad,Text,75

Note: It's important you use the config file of the new config instance as these files have some kind of a header at the beginning (a line of text with the config instance name), so if you try to reuse the file from the original config, it will pop-up an error saying "you cannot modify the original config". You could probably change the header, but I haven't tried this. So, create a new config instance and load it, save config file, edit it, and import back to the active config instance.

More info:
Application Object Server (AOS) configuration commands [AX 2012]

Thursday 4 August 2011

Setting up a DR site for drive and printer mapping

In case you need to prepare your DR site for testing that includes drive and printer re-mapping based on user and/or computer group membership, you can choose between GPO and VBScript. Windows 2008 GPO features for drive and printer mapping and item level targeting support group based filtering for both users and computers and there is no need for scripting. Otherwise you might need to script it in VBS.

These settings need to be configured in AD at the DR site level in order to ensure that only clients logging on at the DR site get the DR-related settings. The GPO needs to be enforced in order to override overlapping settings from GPOs set at the OU level.

Here are the steps to do it through GPO:

For drives go to GPO > User Configuration > Preferences > Windows Settings > Drive Maps and create a new object. Choose ‘replace’ for an action in order to remove the old drive and set the other options. Then go to the Common tab, put a tick mark in ‘Item-level targeting’, click the button ‘Targeting’, add a new item by clicking on New Item and choosing Security Group, specify either ‘user in group’ or ‘computer in group’, click on the button with dots and select the group you want.

For printers go to GPO > User Configuration > Preferences > Control Panel Settings > Printers and create a new object. Then go to the Common tab, put a tick mark in ‘Item-level targeting’, click the button ‘Targeting’, add a new item by clicking on New Item and choosing Security Group, specify either ‘user in group’ or ‘computer in group’, click on the button with dots and select the group you want.

Here is a VB script that does the same:

Note:
1.Some users and computers might be members of several groups and I haven’t tested what happens if a user/computer is a member of 2 groups and both groups are used for filtering and mapping.
2.The script reads group names that contain spaces without any issues



On Error Resume Next

Set objSysInfo = CreateObject("ADSystemInfo")
Set objNetwork = CreateObject("Wscript.Network")

‘get the user name
strUserName = objNetwork.UserName
strComputer = objSysInfo.ComputerName

‘get the user path
strUserPath = "LDAP://" & objSysInfo.UserName
Set objUser = GetObject(strUserPath)

‘get the computer name
Set objComputer = GetObject("LDAP://" & strComputer)
objmemberOf = objComputer.GetEx("memberOf")

Next

'map drives and printers based on user group membership
For Each strGroup in objUser.MemberOf
strGroupPath = "LDAP://" & strGroup
Set objGroup = GetObject(strGroupPath)
strGroupName = objGroup.CN

Select Case strGroupName
Case “group name 1"
objNetwork.RemoveNetworkDrive "G:", True, True
objNetwork.MapNetworkDrive "G:", "\\server\share"
objNetwork.RemoveNetworkDrive "H:", True, True
objNetwork.MapNetworkDrive "H:", "\\server\share" & "\" & strUserName
objNetwork.RemoveNetworkDrive "J:", True, True
objNetwork.MapNetworkDrive "J:", "\\server\share"
objNetwork.AddWindowsPrinterConnection "\\server\printer"

Case "group name 2"
objNetwork.RemoveNetworkDrive "G:", True, True
objNetwork.MapNetworkDrive "G:", "\\server\share"
objNetwork.RemoveNetworkDrive "H:", True, True
objNetwork.MapNetworkDrive "H:", "\\server\share" & "\" & strUserName
objNetwork.RemoveNetworkDrive "J:", True, True
objNetwork.MapNetworkDrive "J:", "\\server\share"
objNetwork.AddWindowsPrinterConnection "\\server\printer"

End Select

Next

'map drives based on computer group membership
Set objSysInfo = CreateObject("ADSystemInfo")
strComputer = objSysInfo.ComputerName
Set objComputer = GetObject("LDAP://" & strComputer)
objmemberOf = objComputer.GetEx("memberOf")

For Each objGroup in objmemberOf
groupCN = Split(objGroup, ",")
groupName = Mid(groupCN(0),4)

Select Case groupName
Case "group name 3"
objNetwork.RemoveNetworkDrive "X:", True, True
objNetwork.MapNetworkDrive "X:", "\\server\share"
objNetwork.AddWindowsPrinterConnection "\\server\printer"

Case "group name 4"
objNetwork.RemoveNetworkDrive "Y:", True, True
objNetwork.MapNetworkDrive "Y:", "\\server\share"

End Select

Next


Using Group Policy Preferences to Map Drives Based on Group Membership
How Can I Map Drives Based on Membership in a Group?
How Can I Use a Logon Script to Remove All Mapped Drives?
How Can I Map a Printer, But Only If the User Doesn’t Have a Local Printer?
Check Computer Object group membership in AD
Implementing powerful and flexible login scripts

Tuesday 7 June 2011

Windows Server 2008 R2 - Service Pack 1 installation failed with error code 0x800f0828

Installation of SP1 for Windows Server 2008 R2 fails with error “Service Pack installation failed with error code 0x800f0828“ and an event is logged in the System log: “Installation Failure: Windows failed to install the following update with error 0x80070643: Windows Server 2008 R2 Service Pack 1 for x64-based Systems (KB976932).”

The update report can be found in %windir%\logs\cbs\checksur.log and there might be some clues in it about the issue, something like:

Summary:
Seconds executed: 1043
Found 1 errors
CBS MUM Corrupt Total count: 1

Unavailable repair files:
servicing\packages\Package_for_KB2446709_RTM~31bf3856ad364e35~amd64~~6.1.1.2.mum
servicing\packages\Package_for_KB2446709_RTM~31bf3856ad364e35~amd64~~6.1.1.2.cat


Follow the instructions from "Advanced guidelines for diagnosing and fixing servicing corruption" in order to replace the corrupted files and then re-run the installation.

If you cannot find the log checksur.log, download and install Microsoft Update Readiness Tool and check again. Read more here.

Saturday 30 April 2011

Excluding files and processes from virus scanning

Important notes:

- You risk less by specifying files instead of folders.
- Wildcard symbols used in paths of files or folders will slow down the scanning process.
- In McAfee ePO, exclusions from parent policies have to be reset in child policies.
- It is recommended to exclude backup processes, either completely or just for on-read operations (in McAfee this is achieved by defining the processes in the Low-Risk policy).

Blackberry
Antivirus exclusions for the BlackBerry Enterprise Server

Citrix
Citrix Guidelines for Antivirus Software Configuration
Antivirus Software Configuration Guidelines for Access Essentials/XenApp
Required Antivirus Software Configuration for the EdgeSight Agent
Best Practices for Symantec Endpoint Protection on Citrix and Terminal Servers

IBM DB2
Mcafee & DB2
Files and folders to exclude from virus scanning and scheduled system backups

McAfee
How to manage file and folder exclusions in VirusScan Enterprise 8.x
Understanding High-Risk, Low-Risk, and Default processes configuration and usage

Microsoft products
Windows Anti-Virus Exclusion List

MOM/SCOM
Recommendations for antivirus exclusions that relate to MOM 2005 and to Operations Manager 2007

MS Dynamics/CRM

MS Exchange and Outlook
Exchange and antivirus software
File-Level Antivirus Scanning on Exchange 2010
MS Exchange 2003 - Anti-Virus folder exclusions have not been configured
MS Exchnage 2007 - Planning Antivirus Deployment
MS Outlook 2003/2007/2010
Plan antivirus scanning for Outlook 2010

MS IIS
Antivirus software may cause IIS to stop unexpectedly
A 0-byte file may be returned when compression is enabled on a server that is running IIS

MS Lync
Antivirus Scanning Exclusions for Lync Server 2013

MS SQL
Guidelines for choosing antivirus software to run on the computers that are running SQL Server

MS ISA/IAG/TMG/UAG
Considerations when using antivirus software on FF Edge Products
Event ID 5, event ID 14079, and event ID 14176 are logged in the Application log on your Internet Security and Acceleration Server computer

MS Virtualization
Virtual machines are missing in the Hyper-V Manager Console or when you create or start a virtual machine, you receive one of the following error codes: "0x800704C8", "0x80070037" or "0x800703E3"
Virtual machines run very slowly in Virtual PC 2004 or in Virtual Server 2005

MS Windows and Active Directory
Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows
Antivirus software that is not cluster-aware may cause problems with Cluster Services
How antivirus software and System Restore work together
Managing Antivirus Software on Active Directory Domain Controllers

SCSM
Configuring antivirus exclusions in a System Center Service Manager environment
 
SMS/SCCM
SCCM 2007 - Performance Configuration Recommendations
Antivirus programs may contribute to file backlogs in SMS 2.0 and in SMS 2003

SPS/MOSS
Certain folders may have to be excluded from antivirus scanning when you use a file-level antivirus program in SharePoint
Microsoft's Position on Antivirus Solutions for Microsoft SharePoint Portal Server
Random errors may occur when antivirus software scans Microsoft Web Storage System in SharePoint Portal Server 2001 and in SharePoint Portal Server 2003

VMWare
Anti-Virus Practices for VMWare View
How to improve disk I/O performances with VMware Workstation

WSUS
Multiple symptoms occur if an antivirus scan occurs while the Wsusscan.cab file or the Wsusscn2.cab file is copied

Sunday 10 April 2011

MOSS 2007 - content level backup with Backup Exec 2010

Introduction:

Use Backup Exec Granular Recovery Technology (GRT) to enable a recovery of individual documents from the database backup. It enables the restore of individual documents, images, sites, sub-sites, lists, and list items from database backups. This option is only available when you perform full backups. The option is not available if differential back up database changes only has been selected as the backup method. You must have a current version of the Remote Agent for Windows Systems on the SharePoint server when you run the GRT-enabled backup job.

You can restore the following individual items:

Portal sites and their associated databases
Windows SharePoint Services sites and their associated databases
Document library stores (Web Storage System-based)
Individual documents that are contained in Document or Picture libraries (Web Storage System-based or Microsoft SQL Server-based)
Lists, sites, and sub-sites


Requirements:

The System Logon Account (a backupexec service account) is the owner of the MOSS_CONFIG database on the SQL server

Backup Exec agent is listening on the port TCP 10000 on Backup Exec, SQL and MOSS servers

The backupexec service account is a member of the local admins group on Backup Exec, SQL and MOSS servers

If these requirements are not met, you will probably get an error during creation of a backup job. I got this one:

"Failed to access ConfigurationV3-DB (SERVERNAME\MOSSProd_SharePoint_Config)
Logon account: System Logon Account"

Note: If TCP 10000 was assigned to something else, Backup Exec agent will get another port, but then it won’t be able to talk to the server (this was what happened in my case). If the BE agent was assigned another port, it will be recorded here:

Drive:\Windows\System32\Drivers\etc\services

as:

ndmp 11000/tcp #Network Data Management Protocol

In my case, the port was assigned to MOSS admin console and NDMP was auto-assigned TCP 11000. This prevented me from creating a backup job, so I assigned another port to MOSS admin console and NDMP switched back to its default port after I restarted the backupexec service.

In a KB article below, Symantec says that the BE media and agent servers can talk even if they were configured to listen on different ports, but that did not work in my case. However, the ports can be changed if needed, but it might be necessary to set the new port on all BE agents in order to avoid any potential issues caused by mismatching ports.


Create a backup job:

To create a backup job, simply select the INTRANET check box under Microsoft SharePoint Server Farms, then test if the selected account has access to the content, choose a device and media set, and make sure that the option “Use Backup Exec GRT…” is selected.


Restoring the content:

In case you need to restore something, run a restore wizard and search for the content under the INTRANET object. The files can be restored to an alternate location, such as a network share.


More info:
Change the port assigned to MOSS admin console
Choose what to protect (Office SharePoint Server)
Failed to access ConfigurationV3-DB (SERVERNAME\MOSSProd_SharePoint_Config) Logon account:DOMAIN\BESA
How to change the default port used by the Backup Exec Remote Agent for Windows Servers (RAWS)
Step-by-Step SharePoint Disaster Recovery
Unable to select the SharePoint Portal Server SQL databases under SharePoint Farm
What TCP/UDP ports does Backup Exec for Windows Servers 11d and above (including CPS - Continuous Protection Server and DLO - Desktop & Laptop Option) and Backup Exec System Recovery (BESR) use?