Category Archives: Infrastructure

All things to do with infrastructure, such as server software setup and configuration, network topology, etc.

Windows time out of sync (Hyper V)

Time server working but time is wrong

If you have ever come across a situation where your Domain Controller (DC) is syncing properly to its ntp source, but the time is incorrect, the likelihood is that you are operating a virtual server environment and your Primary Domain Controller (PDC) is a virtual machine.

The issue

This Microsoft article, Virtual Active Directory Domain Controller, explains clearly under the heading "Time Service" that you must remove the time sync between the virtual machine and the host.

I was late for a gym session because of this

Time service
——————————————————————————–
For virtual machines that are configured as domain controllers, it is recommended that you disable time synchronization between the host system and guest operating system acting as a domain controller. This enables your guest domain controller to synchronize time from the domain hierarchy.

To disable the Hyper-V time synchronization provider, shut down the VM and clear the Time synchronization check box under Integration Services

Thinking about it, this makes perfect sense. With the option ticked, the PDC is set to get its time from the host, and if the host is part of the domain, it in turn is set to get its time from the nearest DC, which in turn gets its time from the PDC. A cyclic loop in which nobody gets the time from an external NTP source.

To configure the time server please visit here https://blogs.technet.microsoft.com/nepapfe/2013/03/01/its-simple-time-configuration-in-active-directory/

Un-tick the "Time synchronization" option in Hyper-V Manager.
[Screenshot: hyperv-time-synchronization]
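Two checks for the loop described above, added here as an example and not part of the original post. It assumes the Hyper-V PowerShell module on the host and that $DcVmNames lists the domain-controller VMs (assumed names):

```powershell
$DcVmNames = @('DC01', 'DC02')   # assumed VM names of the domain controllers

function Get-DcHostTimeSync {
    # Run on the Hyper-V host: which DC guests still take their clock from the host?
    foreach ($vm in $DcVmNames) {
        $svc = Get-VMIntegrationService -VMName $vm -Name 'Time Synchronization'
        [pscustomobject]@{ VM = $vm; HostTimeSyncEnabled = $svc.Enabled }
    }
}

function Test-GuestTimeSource {
    # Run inside the guest DC: w32tm names the Hyper-V provider as the source when
    # the host (rather than the domain hierarchy or an NTP server) is feeding the
    # clock, which is the symptom of the loop described in the post.
    $source = (& w32tm /query /source) -join ' '
    [pscustomobject]@{
        Source    = $source
        FedByHost = $source -match 'VM IC Time Synchronization Provider'
    }
}

Get-DcHostTimeSync | Format-Table -AutoSize
# Fix on the host once the VM is shut down, as the post describes:
# Disable-VMIntegrationService -VMName 'DC01' -Name 'Time Synchronization'
```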

Windows 8 to Windows 8.1 with redirected user profile folders

You’re here probably because you received this error

Sorry, it looks like this PC can’t run Windows 8.1. This might be because the Users or Program Files folder is being redirected to another partition

The Solution in a nutshell

  • Edit registry keys to re-point to the system drive
  • Add a new admin account to the system
  • Login as the new admin account
  • Edit user registry keys to re-point to the local system Users folder
  • Run a batch file to create junctions between the local system user folders and the redirected user folders
  • Restart, login as admin and run Windows Update to 8.1
  • Once complete, edit the registry to re-point the chosen user profile folders back across to the redirected drive
  • The user folders that are redirected again must have the hidden AppData folder copied across from the system drive to the redirected user folder

The solution in more detail
Basically we need to trick the updater into thinking the profiles are local. We do this in a few steps.

  1. Edit some registry keys
  2. Create a new admin account, restart and login to it
  3. Edit some more registry keys
  4. Create some junctions to point from local profiles to actual profiles
  5. Restart login again as the admin account and run updates

So let’s get started
You might want to save this page as a ".mht" file to the root of your C: drive so you can refer back to it as you progress.
Edit registry
Run regedit as admin and go to
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Mine looks like this
[Screenshot: ProfileList HKLM]
Edit the ProfilesDirectory value back to "%SystemDrive%\Users"
[Screenshot: ProfilesDirectory HKLM]
Create a new account and mark it as administrator
Restart and login with the new account
Go back into an admin regedit and adjust the remaining keys so they look like this
[Screenshot: RESET ProfileList keys HKLM]

As you can see I have lots of local logins (I develop apps and as such lots of services login to my machine), so I built a batch file to create the junctions from local to actual user profile folders.
For users with no spaces in their name:
mklink /J C:\Users\Andre E:\Users\Andre
For users with spaces (the paths must be quoted):
mklink /J "C:\Users\.NET v4.5" "E:\Users\.NET v4.5"
My batch file ended up at c:\MKLinks.bat and looked like this:
mklink /J C:\Users\Mcx1-HOME-PC E:\Users\Mcx1-HOME-PC
mklink /J C:\Users\UpdatusUser E:\Users\UpdatusUser
mklink /J C:\Users\Andre E:\Users\Andre
mklink /J "C:\Users\Classic .NET AppPool" "E:\Users\Classic .NET AppPool"
mklink /J "C:\Users\.NET v4.5" "E:\Users\.NET v4.5"
mklink /J "C:\Users\.NET v2.0" "E:\Users\.NET v2.0"
mklink /J "C:\Users\.NET v4.5 Classic" "E:\Users\.NET v4.5 Classic"
mklink /J "C:\Users\.NET v2.0 Classic" "E:\Users\.NET v2.0 Classic"
mklink /J C:\Users\Default E:\Users\Default
mklink /J C:\Users\Public E:\Users\Public

Now we are ready to execute the batch file, so open an elevated command prompt, navigate to the location you saved the batch file and run it.

Next we must adjust the “ProfileImagePath” string value in each user profile sub key of ProfileList (the keys typically start with S-1-5-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxxx) so they point back to the local system drive (C:) like this one

[Screenshot: Return profiles back to system drive locations]

Once you are sure you have completed these instructions restart once more, login as the admin account and run windows update.

Once completed, every profile will have been put back under C:\Users, and your folder junctions will have been replaced by real user folders.
There is a simple way to bring things back across to your redirected drive: edit the user's ProfileImagePath registry value and copy the hidden AppData folder from the C:\Users\Username folder to the target user profile folder on the redirected drive you are trying to use.

I ended up leaving all of my profiles on C and only redirected my profile, which incidentally was far too large to reside on the C:
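The audit and junction-generation steps above, as an added example that is not part of the original post. It reads ProfileList, lists every profile still pointing off the system drive (the S-1-5-... subkeys plus the Default and Public values), and writes the mklink batch file rather than running it; it does not modify the registry:

```powershell
$ProfileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$LocalRoot      = Join-Path $env:SystemDrive 'Users'

function Get-RedirectedProfiles {
    # Candidate paths: every S-1-5-... subkey's ProfileImagePath plus the Default
    # and Public values on ProfileList itself (the post junctions those too).
    # Get-ItemProperty expands %SystemDrive%-style values, so we compare real paths.
    $root  = Get-ItemProperty -Path $ProfileListKey
    $items = @(
        foreach ($k in Get-ChildItem -Path $ProfileListKey) {
            [pscustomobject]@{
                Name = $k.PSChildName
                Path = (Get-ItemProperty -Path $k.PSPath).ProfileImagePath
            }
        }
        [pscustomobject]@{ Name = 'Default'; Path = $root.Default }
        [pscustomobject]@{ Name = 'Public';  Path = $root.Public }
    )
    $items | Where-Object {
        $_.Path -and -not $_.Path.StartsWith($env:SystemDrive, 'OrdinalIgnoreCase')
    }
}

function New-JunctionScript {
    param([string]$OutFile = (Join-Path $env:SystemDrive 'MKLinks.bat'))
    # One mklink /J per redirected profile. Both paths are always quoted so names
    # with spaces (".NET v4.5", "Classic .NET AppPool") work in cmd.exe.
    $lines = foreach ($p in Get-RedirectedProfiles) {
        $local = Join-Path $LocalRoot (Split-Path -Path $p.Path -Leaf)
        'mklink /J "{0}" "{1}"' -f $local, $p.Path
    }
    Set-Content -Path $OutFile -Value $lines -Encoding Ascii
    $OutFile
}

# Current profile root (the post sets this back to %SystemDrive%\Users first):
(Get-ItemProperty -Path $ProfileListKey).ProfilesDirectory
Get-RedirectedProfiles | Format-Table -AutoSize
New-JunctionScript   # then run the .bat from an elevated prompt, as the post describes
```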

Exchange Web Service (EWS) configuration


The idea here is to create two groups within Active Directory. The first group contains the mailbox accounts you wish to allow access to, and manipulation of objects within, their mailbox (sgEWSImpersonateAble). The second contains the accounts you wish to allow access to the accounts in the first group (sgEWSImpersonate).

What we want to do is

  • AD – Create a security group (sgEWSImpersonateAble); this group will hold the accounts we want to be able to impersonate (e.g. test accounts, dev systems, etc.)
  • AD – Create a security group (sgEWSImpersonate); this group will hold the accounts we want to allow to impersonate the accounts in the group sgEWSImpersonateAble
  • EX – Create a Scope (scopeEWSImpersonate); we use this scope to link the ApplicationImpersonation Exchange role to the security group created in the first step, i.e. we assign the scope to the security group sgEWSImpersonateAble
  • EX – Create a RoleAssignment (mraEWSImpersonation); this Management Role Assignment ties the ApplicationImpersonation role to the scope, which completes the loop between AD and Exchange

Follow these steps

  1. Create the Security Group in AD (it can be mail-enabled or not, it makes no difference)
    Group Name: sgEWSImpersonateAble
    Group Description: Exchange Web Service Impersonation; accounts in this group grant members of the group sgEWSImpersonate impersonation ability via Exchange Web Service calls
    Group Members: TestAccounts, testsqlmailuser, etc.
  2. Create the Security Group in AD (it can be mail-enabled or not, it makes no difference)
    Group Name: sgEWSImpersonate
    Group Description: Exchange Web Service Impersonation; accounts in this group will be able to impersonate members of the group sgEWSImpersonateAble via Exchange Web Service (EWS) calls
    Group Members: Developer1, Developer2, Sysadmin1, svcAccount, etc.
  3. Create the Scope (this only needs to be run once). In the Exchange Management PowerShell console run the following; this will link the scope to the group. First get the location of the security group we created for the accounts to impersonate:

    >$sgEWSImpersonateAble = $(Get-DistributionGroup sgEWSImpersonateAble).Identity.DistinguishedName

    Verify we have it by looking at the variable:
    >$sgEWSImpersonateAble
    CN=sgEWSImpersonateAble,OU=OrganisationalUnitContainingTheGroup,DC=DomainName,DC=local

    Now create the scope, linking it to the group:
    >New-ManagementScope -Name:scopeEWSImpersonate -RecipientRestrictionFilter:"MemberOfGroup -eq '$sgEWSImpersonateAble'"

  4. Create the Role Assignment (to link the scope to the group containing the accounts we want to allow to impersonate):
    >New-ManagementRoleAssignment -Name:mraEWSImpersonation -Role:ApplicationImpersonation -SecurityGroup "sgEWSImpersonate" -CustomRecipientWriteScope:scopeEWSImpersonate

Long story short, execute the following in the Exchange Management PowerShell console. Replace the names with those you would prefer.

>$sgEWSImpersonateAble = $(Get-DistributionGroup sgEWSImpersonateAble).Identity.DistinguishedName
>$sgEWSImpersonateAble
CN=sgEWSImpersonateAble,OU=OrganisationUnitContainingTheGroup,DC=Domain,DC=local
>New-ManagementScope -Name:scopeEWSImpersonate -RecipientRestrictionFilter:"MemberOfGroup -eq '$sgEWSImpersonateAble'"
>New-ManagementRoleAssignment -Name:mraEWSImpersonation -Role:ApplicationImpersonation -SecurityGroup "sgEWSImpersonate" -CustomRecipientWriteScope:scopeEWSImpersonate

Now you can add and remove accounts and mailboxes to and from the two groups to control which accounts may impersonate which mailboxes.
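An audit to go with the setup above, added here as an example and not part of the original post. ApplicationImpersonation assigned without a custom recipient write scope lets the assignee impersonate every mailbox in the organisation, which is exactly what scopeEWSImpersonate is there to prevent, so the audit lists each assignment with its scope filter; run it in the Exchange Management Shell (the group names are the post's own and only illustrate the expected output):

```powershell
function Get-ImpersonationAudit {
    # Every enabled ApplicationImpersonation assignment, with the scope that limits it.
    Get-ManagementRoleAssignment -Role ApplicationImpersonation -Enabled $true |
        ForEach-Object {
            $scopeName = $_.CustomRecipientWriteScope
            # No custom scope means the assignee can impersonate any mailbox.
            $filter = if ($scopeName) {
                (Get-ManagementScope -Identity $scopeName).RecipientFilter
            }
            [pscustomobject]@{
                Assignment   = $_.Name                 # e.g. mraEWSImpersonation
                Assignee     = $_.RoleAssigneeName     # e.g. sgEWSImpersonate
                AssigneeType = $_.RoleAssigneeType
                WriteScope   = $_.RecipientWriteScope  # 'Organization' = unrestricted
                ScopeFilter  = $filter                 # e.g. MemberOfGroup -eq 'CN=sgEWSImpersonateAble,...'
                OrgWide      = ("$($_.RecipientWriteScope)" -eq 'Organization')
            }
        }
}

function Get-ImpersonationGroupMembers {
    param([string]$Group = 'sgEWSImpersonate')
    # Who currently holds the right. The post resolves the group with
    # Get-DistributionGroup, so it is mail-enabled and this cmdlet works;
    # use Get-ADGroupMember for a group that is not mail-enabled.
    Get-DistributionGroupMember -Identity $Group | Select-Object Name, RecipientType
}

Get-ImpersonationAudit | Format-Table -AutoSize
Get-ImpersonationGroupMembers
```

Any row with OrgWide set to True deserves a second look; membership of the sgEWSImpersonate group should also be reviewed periodically, since every member can read and modify the scoped mailboxes.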

References

http://msdn.microsoft.com/en-us/library/exchange/bb204095(v=exchg.140).aspx

Set-ManagementRoleAssignment
http://technet.microsoft.com/en-us/library/dd335173(v=exchg.141).aspx
New-ManagementRoleAssignment
http://technet.microsoft.com/en-us/library/dd335193(v=exchg.141).aspx
New-ManagementScope
http://technet.microsoft.com/en-us/library/dd335137(v=exchg.141).aspx
Set-ManagementScope
http://technet.microsoft.com/en-us/library/dd297996.aspx

SQL Server Monitor Changes to SCHEMA

If you need to prevent changes to your SQL Server Schema, or at least monitor them, then this post is worth reading

I needed to monitor/control changes made to SQL Server databases at server instance level. There are plenty of ways of doing this, but there is nothing as simple as a DDL-level trigger. It's clean, can be disabled quickly for rapid change implementation, and it's a central location, which means deploying to several SQL Servers or a server farm is that much easier.

So the basic requirements
1. We must be able to monitor CREATE,DROP and ALTER on Tables, Views, Stored Procedures, Triggers and Functions
2. We must be able to filter based on user, applying the rule or not
3. We must have a log of each schema change regardless of success or failure
4. We need to send an email when a change has been attempted and was disallowed

So how are we going to do this? Well, we can use ROLLBACK inside our trigger to prevent the change from occurring, and we can use RAISERROR to display the message we want the user/program to receive when the attempt fails. We can also take advantage of the SQL Server execution sequence: after a rollback has been issued in a trigger, the parent transaction has been dumped, but any further statements in the trigger continue to be executed and committed. See here http://msdn.microsoft.com/en-us/library/ms187844(v=sql.105).aspx

Some key fundamentals we are going to be using.
First off the

, this will allow us to create the trigger at server level, so it affects all databases. It will hence be located under Server Objects >> Triggers within SQL Server Management Studio.
Next comes

, which contains all the details we want about what is changing and who is trying to change it.
We will be using "

" to identify the currently logged-in connection behind the event, and also filter on it to decide whether to reject or approve the change.
Finally we use the ROLLBACK and RAISERROR commands to initiate a rejection of the event, followed by our logging insert and, in my case, an email send method. I won't get into the details of the mail sending in this article; however, it's worth mentioning that I have a fully fledged SSIS-package-driven mail sending engine integrated with MS Exchange. It's possible to send from any mailbox to any mail group or address in the Active Directory or individual mail address book, you can attach files from the network or from binary within the database, and you can send with importance in text format or HTML, as this example demonstrates. It's a very powerful and very handy engine to have in the systems topology; it took 3 days to write and about a month to fine tune, and suddenly sending mail is very easy from anywhere in your infrastructure. Anyway, I digress.

Enough background, here's the code. You will obviously need to adjust bits to suit your needs before you use this.
This should be executed against the master database.
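A trigger meeting the four requirements above, added here as an example and not the post's own code (the post's SSIS mail engine is replaced by sp_send_dbmail). The T-SQL is deployed to a list of instances with Invoke-Sqlcmd from the SqlServer module, which suits the "server farm" case the post mentions; the instance names, the allow-listed login, the log table and the mail profile are all assumptions:

```powershell
$Servers = @('SQL01', 'SQL02')   # assumed instance names; add the rest of the farm here
$Tsql = @'
USE master;
GO
IF OBJECT_ID('dbo.SchemaChangeLog') IS NULL
    CREATE TABLE dbo.SchemaChangeLog (
        LogId        int IDENTITY PRIMARY KEY,
        EventTime    datetime2 NOT NULL DEFAULT SYSDATETIME(),
        LoginName    sysname NOT NULL,
        EventType    nvarchar(64) NOT NULL,
        DatabaseName sysname NULL,
        ObjectName   sysname NULL,
        Allowed      bit NOT NULL,
        CommandText  nvarchar(max) NULL);
GO
CREATE TRIGGER trgMonitorSchemaChanges
ON ALL SERVER                      -- server scope: one trigger covers every database
FOR DDL_TABLE_EVENTS, DDL_VIEW_EVENTS, DDL_PROCEDURE_EVENTS,
    DDL_TRIGGER_EVENTS, DDL_FUNCTION_EVENTS
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @e xml = EVENTDATA();                  -- who, what, where and the statement text
    DECLARE @login sysname = ORIGINAL_LOGIN();
    DECLARE @type nvarchar(64) = @e.value('(/EVENT_INSTANCE/EventType)[1]', 'nvarchar(64)');
    DECLARE @db sysname = @e.value('(/EVENT_INSTANCE/DatabaseName)[1]', 'nvarchar(128)');
    DECLARE @obj sysname = @e.value('(/EVENT_INSTANCE/ObjectName)[1]', 'nvarchar(128)');
    DECLARE @cmd nvarchar(max) = @e.value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]', 'nvarchar(max)');
    -- Allow-list (assumed login name): everyone else is rejected and logged.
    DECLARE @allowed bit = CASE WHEN @login IN (N'CONTOSO\schema_admin') THEN 1 ELSE 0 END;
    IF @allowed = 0
        ROLLBACK;  -- undoes the DDL; the trigger keeps running and later statements commit
    -- Runs as the caller, so callers need INSERT on the log table
    -- (or create the trigger WITH EXECUTE AS a dedicated low-privilege login).
    INSERT master.dbo.SchemaChangeLog
        (LoginName, EventType, DatabaseName, ObjectName, Allowed, CommandText)
    VALUES (@login, @type, @db, @obj, @allowed, @cmd);
    IF @allowed = 0
    BEGIN
        EXEC msdb.dbo.sp_send_dbmail @profile_name = N'SchemaAlerts',   -- assumed mail profile
             @recipients = N'dba@example.com', @subject = N'Schema change rejected',
             @body = @cmd;
        RAISERROR('Schema change by %s was rejected by policy.', 16, 1, @login);
    END
END
GO
'@
foreach ($s in $Servers) {
    # Invoke-Sqlcmd (SqlServer module) honours the GO batch separators in $Tsql.
    Invoke-Sqlcmd -ServerInstance $s -Database master -Query $Tsql -ErrorAction Stop
}
```

The log insert sits after the ROLLBACK on purpose, so a rejected attempt is recorded even though its DDL is undone; DISABLE TRIGGER trgMonitorSchemaChanges ON ALL SERVER switches the check off for a planned release.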

unable to download web platform product list

Unable to download the Web Platform product list from . Check your network connection and try again. If the problem persists, report the issue on the Web Platform Installer forum at: http://go.microsoft.com/fwlink/?LinkId=145244.

Applies to Web Platform Installer 3 on Server 2008.

Verify you can browse to http://www.microsoft.com/web/webpi/3.0/WebProductList.xml

If you can then add the following registry key

HKLM\SOFTWARE\Microsoft\WebPlatformInstaller

Add string value (reg_sz) named “ProductXmlLocation”

Value http://www.microsoft.com/web/webpi/3.0/WebProductList.xml

Re-run the Web Platform Installer and all should be well.

Exchange 2010 and exchange 2003 there is currently no route to the mailbox database

If, as an administrator, during your Exchange 2010 install you migrated that single test mailbox from the old Exchange 2003 server into the nice shiny new Exchange 2010 mail server on that new MS Server 2008 64-bit box you have up and running, and then found you couldn't send or receive mail internally, or in fact receive mail from an external source either, you're not alone.

Reviewing the "Queue Viewer" on your Exchange 2010 box, you see there are mails in the queue trying to send with the following error

there is currently no route to the mailbox database

And you also see mails in the inbound queue on your exchange 2003 box.

Fear not, for there is a simple fix. You must create a Routing Group Connector between Exchange 2003 and Exchange 2010.

According to Microsoft, Exchange 2003 and Exchange 2010 can coexist on your domain, but when you install the new Exchange 2010 server they don't quite let you know that routing may not be properly configured; my guess is that this is because there are too many permutations of network configuration you might have. So if, like me, you have a single Exchange 2003 server that you want to talk to your Exchange 2010 server, then the solution is pretty simple.

Make sure you login to the exchange 2010 box with an account that has “GOD” privileges on your domain
1. Click start
2. in the search box type “Shell”
3. Right click and run “Exchange Management Shell”
4. Copy and paste the following line into notepad

New-RoutingGroupConnector -Name "Interop RGC" -SourceTransportServers "exchange2010FQDN" -TargetTransportServers "Exchange2003FQDN" -Cost 10 -Bidirectional $true -PublicFolderReferralsEnabled $true

Adjust the names accordingly and be sure the quotes are quotes and not some funky character that looks like quotes as is what sometimes happens when copying from the internet.
5. Paste the line into the Exchange Management Shell (EMS) and you should see something not too different from this.

[Screenshot: response from adding the route, and verifying the route exists]

6. Now you can verify the creation by running “Get-RoutingGroupConnector”
7. On your exchange 2003 box restart “Simple Mail Transport Protocol” Service
8. On your Exchange 2010 box restart “Mail Exchange Transport” Service

Hope this helped you all

References I used
Message Rerouting and the Unreachable Queue
http://technet.microsoft.com/en-us/library/bb232161.aspx

Routing group connector between an Exchange 2010 organization and Exchange 2003 organization doesn’t exist
A routing group connector between the Exchange 2010 routing group and Exchange 2003 routing groups hasn’t been configured, or the last routing group connector between the Exchange 2010 routing group and Exchange 2003 routing groups has been removed. No routing group connector exists to provide a routing path to the Exchange 2003 recipients. To resolve this problem, first verify that the routing group connector is missing. If that’s the case, you can create a routing group connector. For more information, see Create Additional Routing Group Connectors from Exchange 2010 to Exchange 2003. If a routing group connector does exist, the message is in the Unreachable queue for some other reason. Check the configuration of the routing group connector

Create Additional Routing Group Connectors from Exchange 2010 to Exchange 2003
http://technet.microsoft.com/en-us/library/aa997292.aspx

New-RoutingGroupConnector -Name "Interop RGC" -SourceTransportServers "Ex2010Hub1.contoso.com" -TargetTransportServers "Ex2003BH1.contoso.com" -Cost 10 -Bidirectional $true -PublicFolderReferralsEnabled $true

Upgrade from Exchange 2003 Transport
http://technet.microsoft.com/en-us/library/dd638103.aspx
Exchange Management Shell in Exchange 2010
http://technet.microsoft.com/en-us/library/dd795097.aspx

Tree ms dos command

Ever needed to print the tree structure of a folder location, only to realise that you cannot see it all because the tree command doesn't have enough buffer space?

Well just tell tree to output the tree to a file like this

open a command prompt, then paste

tree c:\users /a > "%temp%\t1.txt" & start notepad "%temp%\t1.txt"

change accordingly

Execute denied for sp_send_dbmail

My backup email error handler noted a few errors in the Windows event viewer; the specific error was

The EXECUTE permission was denied on the object 'sp_send_dbmail', database 'msdb', schema 'dbo'.

If you have received this, then you need to add the user to the database by going to the properties of the user and editing the "mapping", ensuring that said user is ticked next to the db "msdb".
Then run the following Transact-SQL against the msdb database, replacing the word "user" with the user you need to apply this to.

Offline Files and Folders not indexing or saving

You are wondering why you can't add offline files to your search index.

When you look at your indexed locations and hover over your offline file locations you see the tooltip

indexing of offline files has been disabled by your system administrator

or words to that effect.

This implies that there is a policy restricting indexing of offline files, applied either locally or from the Domain Controller the computer is registered to (if at all).
Get your admin to check the group policies applied locally and from the DC, paying particular attention to the location
Computer Configuration/Administrative Templates/Windows Components/Windows Search

Ensure "Disable indexing of offline files cache" is not configured.

Another problem I encountered was that offline folder changes were not working: MS Excel and Word were hanging when trying to save to an offline location, yet Notepad could happily save a txt doc to the location.
As it turns out, it's an NT authentication issue. If you are able, set the security on the root folder of the offline folder so that Domain Users have full control, cascade these permissions to all child objects and then try your tests with Excel, Word and folder changes. This worked for me.