Rodney Fletcher’s Blog

I’ve recently purchased a new server for our production environment and went to our preferred provider of hardware for a new server. The one stipulation I had was that is was VMWare ESX certified. I did my research and selected all my components and then purchased the server. However, after purchasing, the vendor sent me an email stating they were substituting some of the components on me. Of course, I panicked about the VMWare issue, as drivers for VMWare are not like Windows – you can’t get them from hardware sites, more often than not. Anyway, the vendor assured me the subs would still be ok.

Long story short, although they kept to the letter of the law on that, they didn’t keep to the spirit of the law, so to speak. All the components are VMWare certified – except the very expensive hardware RAID card cannot be used on the VMWare ESX OS partition. In otherwords, VMWare can still have the guests in a mirror, but the OS will be outside the RAID.

This left me with 3 choices:

• 1. Have the VMWare OS outside the RAID and hope the disk doesn’t fail. Not a great idea on a production server.
• 2. Install Linux on the server and set up a RAID, then run VMWare Server 2 and put guests in that. Works ok but the disk I/O hit is significant and it’s not a bare metal solution.
• 3. Switch to Hyper-V.

I’ve always been meaning to try out Hyper-V but a production-acid-test is not what I had in mind. None the less, I am an impulsive idiot, so I am going to do it. While it’s production, it won’t directly effect any of our customers and I can wear the headache myself, for the time being, if it’s not great.

So anyway, back to the topic of the post.

I began the installation of Microsoft Hyper-V server on the box and got as far as being asked for the RAID card drivers. After providing these, I was dismayed to see that Windows was telling me it was able to see the disk, create the partitions and format them but was still “unable to install to the selected location”.

This didn’t seem fair. I have a driver and OS that can see the disks, I can work with the disks but I can’t use them? This sucks!

Being the old school guy I am, I of course went looking for newer drivers but it turns out I already had the newest. I was almost ready to give up and go for option 2 above, when I came across a little trick.

It turns out that this error message is kind of Windows’ weird way of saying “please put the Windows CD back in the drive and remove the driver CD”. It actually turns out all you need to do to continue is pull out the driver disk and put the Windows 2008 R2 DVD back in the drive, then rescan the disks. Hey Presto! You can now install to the partitions.

Personally, I find this a little silly but at least I can move on and try out my Hyper-V set up now.

I’ll let you know if I live to regret it.

PS: I understand this issue only effects 64bit installations of Windows 2008 / Windows 7. I may be wrong on this but have never tried a 32bit install and have no plans to do so.

• Leave a comment... (1)

It’s probably not a bad thing but if you’re a Windows 2000 Server (or Professional for that matter) user, it’s time to start thinking about upgrading because Windows 2000 is about to “end of life”.

Microsoft have put online a Windows 2000 End of Support Solution guide (which pretty much amounts to “please buy some more software”) here.

• Leave a comment... (0)

See this news over at Rustylime: Firefox 3 is now the #1 browser in the World.

Browser usage stats

Why not add your voice to their vote:

• Leave a comment... (0)

Giving elevated permissions to non administrative users can be a real pain, in Windows land. In fact, it can be so much of a pain that people often don’t bother, and just elevate users to have admin rights when they don’t need them.

A good example of this is when someone needs to be able to restart a service. Often, vendors need access to work on one of their applications on a server – and as part of that, they need to be able to restart a service. However, you don’t really want to hand them the keys to the server at the same time.

So instead of simply giving them local admin rights, or spending ages working with NTMon and NTRegmon to try to work out the specific reg keys and file permissions to change, how about just using Microsoft’s SubInACL tool?

It’s actually very easy to use. Basically, it allows you to modify the security settings directly related to just one service, giving an non-privileged user the ability to work with just that one application (although you can actually do much more with SubInACL than just services).

Here’s the syntax to give a user called “user1″ access to “service1″ on the server “\\domain1\server1″.

subinacl /service service1 /grant=domain1\user1 = TO
Here, T = start service and O = stop service.

Other commands include:
F : Full Control
R : Generic Read
W : Generic Write
X : Generic eXecute
L : Read controL
Q : Query Service Configuration
S : Query Service Status
E : Enumerate Dependent Services
C : Service Change Configuration
T : Start Service
O : Stop Service
P : Pause/Continue Service
I : Interrogate Service
U : Service User-Defined Control Commands

SubInACL can be downloaded here.
Please note earlier versions from the original Windows 2003 Resource Kit will not work on patched / service packed Windows 2003 servers, so this is the new version.

• Leave a comment... (0)

I just came across a situation in a client site where an SQLExpress (2008) instance was stood up by an unknown person, who did not leave an SA password and removed the local admins from SA access. He then left the organisation and is no longer contactable.

So how to get back access to the SA account?

1. Firstly, we need to shutdown the SQL instance and set the system into SingleUser mode. This is done as follows:
a. Run the SQL Configuration Manager.
b. Right click on the relevant instance and select "properties".
c. Select the advanced tab.
d. Select the start up option and append ";-m" (no spaces and no ") to the end of the line.
e. Say ok.
f. Stop and start the instance.


2. Now go to the command prompt and reset the password:

a. Start > run > cmd
b. At the command prompt, run "osql -S Servername\SQLInstanceName –E".
c. This will open a prompt window with a "1>" in it. Use these commands.
d. 1> sp_password NULL,’new_password’,’sa’
e. 2> go
f. 3> quit


3. Now go back to the SQL Configuration Manager and undo the above change (stop the service, remove the “;-m” and restart the service.

4. Tada – SQL SA password is changed, even without the local admin group being SA enabled.

• Leave a comment... (4)

Windows XP used to allow you to remove hiberfil.sys from within the power management options, under control panel. There’s little point going over how to do this as it’s well known and well documented.

However in Vista (and therefore Windows 7), Microsoft push hibernation and sleep far more aggressively and don’t provide a GUI way of turning it off. This is a real pain in the butt, as the hiberfil.sys is likely to be about the size of your physical memory – in my case 16GB. So I am wasting 16GB of space on my system drive for a feature I will never use. Not cool.

None the less, it is easy to disable and get your disk space back.

Just open the command prompt and enter:
powercfg.exe -h off

That’s it. Hibernate should disappear from the shutdown menu and the disk space should be cleared up straight away.

• Leave a comment... (0)

Ok, it’s time to get 1990’s on yo’ ass. I admit this post is old news but sometimes it’s better late than never.

Anyway, on occasion, you may wish for the ability to log into to other Linux boxes or securely copy files between Linux boxes, using SSH, without being prompted for passwords. I.e. scripts. In my case, I wanted to copy the contents of my CentOS web development directory on a VM machine back to the VMWare Server 2 host system, so that I have an extra backup, that’s “not on the same machine” (it is actually a physically different disk and it’s not in the same config so despite sharing hardware, this is sort of true).

Anyway, enough background. Here’s the how.

Step 1. Log into the source computer. I.e. the computer that will run the script.

Step 2. Generate some SSH public keys as follows.
ssh-keygen -t dsa

Step 3. Load the newly created public key to the destination server, as follows.
ssh-copy-id -i ~/.ssh/id_dsa.pub user@destination.servername
Please note: user should be the same on both boxes.

Step 4. Test it out by trying to SSH to the destination server.

Step 5. Test copying your files. Here’s an example:
scp /backup/friday/* root@192.168.1.1:/u02/backup/webdev/friday

That’s it. You should now be able to use SCP to securely copy files between machines with no password prompts.

• Leave a comment... (0)

When you remotely connect to a computer on a slow link, the last thing you want is a high res vendor background, which takes minutes to load. Dell, HP, Compaq, etc all seem to do this.

Oddly enough, this background is unlikely to be related to the actual user’s own background so removing it shouldn’t be a problem. It’s also easy to do. Here’s how:

Step 1: Connect to the remote computer’s registry. You can either do this by logging into the computer, if you have to or if you are on the same network, as below:
1. Open regedit by clicking Start > Run, then typing Regedit.
2. Go to file and select Connect Network Registry.
3. Type in the PC name.

Step 2: Modify the following registry key:
HKEY_USERS\.DEFAULT\Control Panel\Desktop
by clearing the entry that is currently there.

That’s it. Now when you RDP to the computer, you won’t be slowed down by an overly large image.

• Leave a comment... (0)

Sometimes you find yourself on a server (probably one you have RDP’d to yourself), with the need to then RDP on to a client PC. However sometimes, the client has not enabled the “Allow Remote Desktop Connections” flag on their PC, so this poses a problem. We need to enable it remotely.

Firstly, there are two roadblocks to overcome. One is remotely enabling RDP on the PC and the second is getting around the Windows Firewall, assuming it is enabled.

The Windows Firewall
Let’s assume the Windows Firewall is enabled on the remote machine and we need to get past it. Well, we could push out a new Group Policy (which will take time and ideally, some planning) or we could simply turn it off, temporarily (assuming it’s safe to do so in your environment). This is easiest done as follows.

1. Right click on My Computer and select Manage.
2. Right click on the top of the menu you now see Computer Management (local) and pick Connect to another computer.
3. Type the name of the computer you wish to connect to.
4. Expand the menu, look in Service and Applications for the service called Windows Firewall/Internet Connection Sharing (ICS) and stop it.


Leave the above open so you can easily turn the Windows Firewall back on, when you’re done. Now we’re ready to remotely enable RDP and use it.

Remotely enabling RDP
To enable RDP remotely, we simply edit the registry of the remote PC. It’s quick and easy.
1. Open regedit by clicking Start > Run, then typing Regedit.
2. Go to file and select Connect Network Registry.
3. Type in the PC name.
4. On the remote PC, expand the HKLM hive and go to this key:
hklm\system\currentcontrolset\control\terminal server\FdenyTSConnection=1
5. Change it from 1 to 0 (Hex - not that it matters).


That’s it. You should now be able to remotely connect to the other computer via RDP.

• Leave a comment... (0)

Recently, a client of mine who has a single Windows SBS server, had the urgent need for a SPAM filter to be installed. Having had lots of fantastic experience with ESVA in the past, coupled with knowing they had a very limited IT budget, I suggested firing up a VMWare appliance on their server (which is insanely over-powered for its task and can easily handle an ESVA VM session).

Installation went smoothly and would you believe in 4 days, the ESVA appliance has blocked… wait for it… 1,137,381 SPAM emails. A frikkin’ million! That’s over 250,000 a day!

After a day, however, people who work off site started to report they could no longer VPN in. It turns out that VMWare breaks Windows ICS, which in turn breaks RRAS (VPN).

I Googled around for a solution and went through the VMware forums but to no avail. Long story short – mail filter: good. VMWare on a SBS Domain Controller trying to run RRAS VPN: bad.

So tonight I decided I was going to resolve this one. And it turns out, a little trial and error was all it took. It’s actually very easy. Here’s how to get RRAS VPN working again, on a SBS 2003 Domain Controller, after installing VMWare Server 2.

1. Open the RRAS MMC Snap in.
Admin Tools > Routing and Remote Access

2. Right click on the server name and select properties.

3. Select the IP Tab

SBS 2003 RRAS Properties

4. Go to the adapter and change it from:
Allow RAS to select adapter
to the adapter which you require the VPN connections to be made to.

The problem is, with the VMWare virtual adapters created by VMWare for use with Host Only Networking, the RRAS server is trying to connect people to these adapters. Of course, they’re in virtual (and false) subnets, so they go nowhere. Forcing the connection to the correct adapter takes the guess work out of the equation and resolves this issue.

Hope that helps!

• Leave a comment... (0)