Windows 2008 R2 64bit unable to install to the selected location

Posted on May 27th, 2010 in Howtos, Hyper-V, VMWare, Windows Admin by Rodney

I’ve recently purchased a new server for our production environment and went to our preferred provider of hardware for a new server. The one stipulation I had was that it was VMWare ESX certified. I did my research and selected all my components and then purchased the server. However, after purchasing, the vendor sent me an email stating they were substituting some of the components on me. Of course, I panicked about the VMWare issue, as drivers for VMWare are not like Windows – you can’t get them from hardware sites, more often than not. Anyway, the vendor assured me the subs would still be ok.

Long story short, although they kept to the letter of the law on that, they didn’t keep to the spirit of the law, so to speak. All the components are VMWare certified – except the very expensive hardware RAID card cannot be used on the VMWare ESX OS partition. In other words, VMWare can still have the guests in a mirror, but the OS will be outside the RAID.

This left me with 3 choices:

  1. Have the VMWare OS outside the RAID and hope the disk doesn’t fail. Not a great idea on a production server.
  2. Install Linux on the server and set up a RAID, then run VMWare Server 2 and put guests in that. Works ok but the disk I/O hit is significant and it’s not a bare metal solution.
  3. Switch to Hyper-V.

I’ve always been meaning to try out Hyper-V but a production-acid-test is not what I had in mind. Nonetheless, I am an impulsive idiot, so I am going to do it. While it’s production, it won’t directly affect any of our customers and I can wear the headache myself, for the time being, if it’s not great.

So anyway, back to the topic of the post.

I began the installation of Microsoft Hyper-V server on the box and got as far as being asked for the RAID card drivers. After providing these, I was dismayed to see that Windows was telling me it was able to see the disk, create the partitions and format them but was still “unable to install to the selected location”.

This didn’t seem fair. I have a driver and OS that can see the disks, I can work with the disks but I can’t use them? This sucks!

Being the old school guy I am, I of course went looking for newer drivers but it turns out I already had the newest. I was almost ready to give up and go for option 2 above, when I came across a little trick.

It turns out that this error message is kind of Windows’ weird way of saying “please put the Windows CD back in the drive and remove the driver CD”. It actually turns out all you need to do to continue is pull out the driver disk and put the Windows 2008 R2 DVD back in the drive, then rescan the disks. Hey Presto! You can now install to the partitions.

Personally, I find this a little silly but at least I can move on and try out my Hyper-V set up now.

I’ll let you know if I live to regret it.

PS: I understand this issue only affects 64bit installations of Windows 2008 / Windows 7. I may be wrong on this but have never tried a 32bit install and have no plans to do so.

Allow non admin user to restart services: easily

Posted on December 2nd, 2009 in Howtos, Windows Admin by Rodney

Giving elevated permissions to non administrative users can be a real pain, in Windows land. In fact, it can be so much of a pain that people often don’t bother, and just elevate users to have admin rights when they don’t need them.

A good example of this is when someone needs to be able to restart a service. Often, vendors need access to work on one of their applications on a server – and as part of that, they need to be able to restart a service. However, you don’t really want to hand them the keys to the server at the same time.

So instead of simply giving them local admin rights, or spending ages working with NTMon and NTRegmon to try to work out the specific reg keys and file permissions to change, how about just using Microsoft’s SubInACL tool?

It’s actually very easy to use. Basically, it allows you to modify the security settings directly related to just one service, giving a non-privileged user the ability to work with just that one application (although you can actually do much more with SubInACL than just services).

Here’s the syntax to give a user called “user1” access to “service1” on the server “\\domain1\server1”.

subinacl /service service1 /grant=domain1\user1=TO
Here, T = start service and O = stop service.

Other access codes include:
F : Full Control
R : Generic Read
W : Generic Write
X : Generic eXecute
L : Read controL
Q : Query Service Configuration
S : Query Service Status
E : Enumerate Dependent Services
C : Service Change Configuration
T : Start Service
O : Stop Service
P : Pause/Continue Service
I : Interrogate Service
U : Service User-Defined Control Commands

SubInACL can be downloaded here.
Please note earlier versions from the original Windows 2003 Resource Kit will not work on patched / service packed Windows 2003 servers, so this is the new version.
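
To check what a grant like the one above actually left on a service, the DACL printed by "sc sdshow service1" can be decoded back into the SubInACL letters listed earlier. The Python below is an added example, not part of the original post or of SubInACL; the function name is hypothetical and the SDDL string and SIDs are constructed. It reports every non-admin trustee on the service and flags rights such as C (Change Configuration) that go well beyond start/stop.

```python
import re

# SubInACL access letter -> SDDL right code used in service security descriptors.
SUBINACL_TO_SDDL = {
    "Q": "CC", "S": "LC", "E": "SW", "C": "DC", "T": "RP",
    "O": "WP", "P": "DT", "I": "LO", "U": "CR", "L": "RC",
}
SDDL_TO_SUBINACL = {code: letter for letter, code in SUBINACL_TO_SDDL.items()}

# Rights that let the holder reconfigure the service or rewrite its ACL/owner.
ADMIN_EQUIVALENT = {"DC", "WD", "WO", "GA", "GW"}
# LocalSystem and Builtin Administrators are expected to hold everything.
PRIVILEGED_TRUSTEES = {"SY", "BA"}

def audit_service_sddl(sddl):
    """Return one finding per allow-ACE held by a non-privileged trustee."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not dacl:
        raise ValueError("no DACL found in SDDL string")
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1)):
        fields = ace.split(";")
        if len(fields) < 6 or fields[0] != "A":
            continue  # only access-allowed ACEs grant rights
        rights, trustee = fields[2], fields[5]
        if trustee in PRIVILEGED_TRUSTEES:
            continue
        codes = re.findall(r"[A-Z]{2}", rights)
        letters = sorted(SDDL_TO_SUBINACL[c] for c in codes if c in SDDL_TO_SUBINACL)
        findings.append({
            "trustee": trustee,
            "subinacl": "".join(letters),
            "risky": sorted(set(codes) & ADMIN_EQUIVALENT),
        })
    return findings

# Constructed sample in the format printed by "sc sdshow <service>".
SAMPLE_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)"
    "(A;;RPWP;;;S-1-5-21-1111111111-2222222222-3333333333-1105)"
    "(A;;RPWPDC;;;S-1-5-21-1111111111-2222222222-3333333333-1106)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

if __name__ == "__main__":
    for finding in audit_service_sddl(SAMPLE_SDDL):
        print(finding)
```

In the sample, the account ending in 1105 holds only T and O, which is what the command above grants, while the one ending in 1106 also holds C and is flagged.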

Resetting a lost SA password with no local admin access

Posted on October 1st, 2009 in Howtos, MSSQL, Windows Admin by Rodney

I just came across a situation in a client site where an SQLExpress (2008) instance was stood up by an unknown person, who did not leave an SA password and removed the local admins from SA access. He then left the organisation and is no longer contactable.

So how to get back access to the SA account?

1. Firstly, we need to shut down the SQL instance and set the system into single-user mode. This is done as follows:
a. Run the SQL Configuration Manager.
b. Right click on the relevant instance and select "properties".
c. Select the advanced tab.
d. Select the start up option and append ";-m" (no spaces and no ") to the end of the line.
e. Say ok.
f. Stop and start the instance.

2. Now go to the command prompt and reset the password:

a. Start > run > cmd
b. At the command prompt, run "osql -S Servername\SQLInstanceName -E".
c. This will open a prompt window with a "1>" in it. Use these commands.
d. 1> sp_password NULL,'new_password','sa'
e. 2> go
f. 3> quit

3. Now go back to the SQL Configuration Manager and undo the above change (stop the service, remove the ";-m" and restart the service).

4. Tada – SQL SA password is changed, even without the local admin group being SA enabled.

Remove the Vista / Windows 7 Hibernation File

Posted on June 16th, 2009 in Howtos, Windows Admin by Rodney

Windows XP used to allow you to remove hiberfil.sys from within the power management options, under control panel. There’s little point going over how to do this as it’s well known and well documented.

However in Vista (and therefore Windows 7), Microsoft push hibernation and sleep far more aggressively and don’t provide a GUI way of turning it off. This is a real pain in the butt, as the hiberfil.sys is likely to be about the size of your physical memory – in my case 16GB. So I am wasting 16GB of space on my system drive for a feature I will never use. Not cool.

None the less, it is easy to disable and get your disk space back.

Just open the command prompt and enter:
powercfg.exe -h off

That’s it. Hibernate should disappear from the shutdown menu and the disk space should be cleared up straight away.

Passwordless SSH / SCP

Posted on June 16th, 2009 in Howtos, Linux Admin by Rodney

Ok, it’s time to get 1990’s on yo’ ass. I admit this post is old news but sometimes it’s better late than never.

Anyway, on occasion, you may wish for the ability to log in to other Linux boxes or securely copy files between Linux boxes, using SSH, without being prompted for passwords, i.e. from scripts. In my case, I wanted to copy the contents of my CentOS web development directory on a VM machine back to the VMWare Server 2 host system, so that I have an extra backup, that’s “not on the same machine” (it is actually a physically different disk and it’s not in the same config so despite sharing hardware, this is sort of true).

Anyway, enough background. Here’s the how.

Step 1. Log into the source computer. I.e. the computer that will run the script.

Step 2. Generate some SSH public keys as follows.
ssh-keygen -t dsa

Step 3. Load the newly created public key to the destination server, as follows.
ssh-copy-id -i ~/.ssh/id_dsa.pub user@destination.servername
Please note: user should be the same on both boxes.

Step 4. Test it out by trying to SSH to the destination server.

Step 5. Test copying your files. Here’s an example:
scp /backup/friday/* root@192.168.1.1:/u02/backup/webdev/friday

That’s it. You should now be able to use SCP to securely copy files between machines with no password prompts.
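
A key set up this way has no passphrase, so what the destination server's ~/.ssh/authorized_keys allows it to do is the only limit on a copied private key. The Python below is an added example, not part of the original post: it audits authorized_keys lines for DSA keys (OpenSSH has disabled ssh-dss by default since 7.0) and for entries with no from=, restrict or command= options. The sample file contents, key blobs and the /usr/local/bin/backup-recv path are constructed.

```python
KEY_TYPES = {
    "ssh-dss", "ssh-rsa", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}

def split_unquoted(text, seps):
    """Split text on any character in seps that is outside double quotes."""
    parts, cur, quoted, prev = [], "", False, ""
    for ch in text:
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch in seps and not quoted:
            if cur:
                parts.append(cur)
            cur = ""
        else:
            cur += ch
        prev = ch
    if cur:
        parts.append(cur)
    return parts

def audit_authorized_keys(text):
    """Return (line_no, key_type, issues) for every key line with findings."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = split_unquoted(line, " \t")
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None:
            findings.append((n, None, ["unrecognised key type"]))
            continue
        # Anything before the key type is the comma-separated option list.
        opts = split_unquoted(fields[0], ",") if idx > 0 else []
        names = {o.split("=", 1)[0].lower() for o in opts}
        issues = []
        if fields[idx] == "ssh-dss":
            issues.append("DSA key")
        if "from" not in names:
            issues.append("no from= source restriction")
        if not names & {"restrict", "command"}:
            issues.append("no restrict or command= limit")
        if issues:
            findings.append((n, fields[idx], issues))
    return findings

# Constructed sample: line 2 is what ssh-copy-id produces for the key above,
# line 3 is a restricted entry for the same backup job.
SAMPLE = '''# authorized_keys on the destination server (constructed)
ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER backup@webdev
from="192.168.1.10",restrict,command="/usr/local/bin/backup-recv" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER backup@webdev
'''

if __name__ == "__main__":
    for finding in audit_authorized_keys(SAMPLE):
        print(finding)
```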

Remove default background RDP

Posted on May 24th, 2009 in Howtos, Windows Admin by Rodney

When you remotely connect to a computer on a slow link, the last thing you want is a high res vendor background, which takes minutes to load. Dell, HP, Compaq, etc all seem to do this.

Oddly enough, this background is unlikely to be related to the actual user’s own background so removing it shouldn’t be a problem. It’s also easy to do. Here’s how:

Step 1: Connect to the remote computer’s registry. You can do this either by logging into the computer, if you have to, or, if you are on the same network, as below:
1. Open regedit by clicking Start > Run, then typing Regedit.
2. Go to file and select Connect Network Registry.
3. Type in the PC name.

Step 2: Modify the following registry key:
HKEY_USERS\.DEFAULT\Control Panel\Desktop
by clearing the entry that is currently there.

That’s it. Now when you RDP to the computer, you won’t be slowed down by an overly large image.

Enable RDP – Remotely

Posted on May 18th, 2009 in Howtos, Windows Admin by Rodney

Sometimes you find yourself on a server (probably one you have RDP’d to yourself), with the need to then RDP on to a client PC. However sometimes, the client has not enabled the “Allow Remote Desktop Connections” flag on their PC, so this poses a problem. We need to enable it remotely.

Firstly, there are two roadblocks to overcome. One is remotely enabling RDP on the PC and the second is getting around the Windows Firewall, assuming it is enabled.

The Windows Firewall
Let’s assume the Windows Firewall is enabled on the remote machine and we need to get past it. Well, we could push out a new Group Policy (which will take time and ideally, some planning) or we could simply turn it off, temporarily (assuming it’s safe to do so in your environment). This is easiest done as follows.

1. Right click on My Computer and select Manage.
2. Right click on the top of the menu you now see, Computer Management (local), and pick Connect to another computer.
3. Type the name of the computer you wish to connect to.
4. Expand the menu, look in Services and Applications for the service called Windows Firewall/Internet Connection Sharing (ICS) and stop it.

Leave the above open so you can easily turn the Windows Firewall back on, when you’re done. Now we’re ready to remotely enable RDP and use it.

Remotely enabling RDP
To enable RDP remotely, we simply edit the registry of the remote PC. It’s quick and easy.
1. Open regedit by clicking Start > Run, then typing Regedit.
2. Go to file and select Connect Network Registry.
3. Type in the PC name.
4. On the remote PC, expand the HKLM hive and go to this key:
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
and find the value fDenyTSConnections, which is currently set to 1.
5. Change it from 1 to 0 (Hex - not that it matters).

That’s it. You should now be able to remotely connect to the other computer via RDP.

Running RRAS on a VMWare Windows Host Server

Posted on May 6th, 2009 in Howtos, VMWare, Windows Admin by Rodney

Recently, a client of mine who has a single Windows SBS server, had the urgent need for a SPAM filter to be installed. Having had lots of fantastic experience with ESVA in the past, coupled with knowing they had a very limited IT budget, I suggested firing up a VMWare appliance on their server (which is insanely over-powered for its task and can easily handle an ESVA VM session).

Installation went smoothly and would you believe in 4 days, the ESVA appliance has blocked… wait for it… 1,137,381 SPAM emails. A frikkin’ million! That’s over 250,000 a day!

After a day, however, people who work off site started to report they could no longer VPN in. It turns out that VMWare breaks Windows ICS, which in turn breaks RRAS (VPN).

I Googled around for a solution and went through the VMware forums but to no avail. Long story short – mail filter: good. VMWare on a SBS Domain Controller trying to run RRAS VPN: bad.

So tonight I decided I was going to resolve this one. And it turns out, a little trial and error was all it took. It’s actually very easy. Here’s how to get RRAS VPN working again, on a SBS 2003 Domain Controller, after installing VMWare Server 2.

1. Open the RRAS MMC Snap in.
Admin Tools > Routing and Remote Access

2. Right click on the server name and select properties.

3. Select the IP Tab

SBS 2003 RRAS Properties


4. Go to the adapter and change it from:
Allow RAS to select adapter
to the adapter which you require the VPN connections to be made to.

The problem is, with the VMWare virtual adapters created by VMWare for use with Host Only Networking, the RRAS server is trying to connect people to these adapters. Of course, they’re in virtual (and false) subnets, so they go nowhere. Forcing the connection to the correct adapter takes the guess work out of the equation and resolves this issue.

Hope that helps!

SBS 2003 Exchange Storage Full

Posted on February 18th, 2009 in Howtos, MS Exchange, Windows Admin by Rodney

In a previous post, we talked about increasing the size of the mail store in Exchange 2003, on Microsoft Small Business Server 2003. However this won’t necessarily clear all your Exchange storage woes. In fact, it’s very common for people to complain that although they have a 75GB limit, they’re finding that Exchange is telling them they are out of space when their storage file is only a few GB!

Event logs such as the following begin to appear in the Application Log on the server.
The database "First Storage Group\Public Folder Store (SERVERNAME)" has 1 megabyte of free space after online defragmentation has terminated.

In the example above, the Public Folder Store is in fact about 2MB – yet Exchange is complaining it has nearly filled the full 75GB. The steps below correct this.

What to do about it
1. First you will need to bring the store offline. This means people cannot access it, so you have to think about timing. This is done as follows:

  • Open Exchange System Manager
  • Right click on the information store that you want to defrag and click Dismount Store.

2. Open the command prompt and use the eseutil in the Exchange bin folders, with the “/d” option. For example:

  • "C:\program files\exchsrvr\bin\eseutil" /d "e:\exchsrvr\mdbdata\pub1.edb"

Be warned – for a really big store this could take hours.

3. Remount the Exchange store you dismounted.

  • Open Exchange System Manager
  • Right click on the information store that you want to defrag and click Mount Store.

4. Check your event logs. They should say something about having plenty of free space.

Why is this necessary?
An excellent question. Personally, I don’t think it should be necessary but it unfortunately often is. Exchange holds space in the database for deleted files and also uncompresses a lot of data. This causes the storage potential of the database to grow rapidly and outstrip the reality of the file sizes and actual storage requirements. Using eseutil actually creates a brand new, compressed database and replaces the original one. Here’s what Microsoft say on their website about it:

“…The defragmentation option makes used storage contiguous, eliminates unused storage, and compacts the database, which reduces the database’s size. Eseutil copies database records to a new database. When defragmentation is complete, the original database is deleted or saved to a user-specified location, and the new version is renamed as the original. If the utility encounters a bad record, the utility stops and displays an error message…”

After completing the above, you should have plenty of free space made available in your Exchange mail stores. You may also wish to create a batch file to run as a scheduled task to do this once a month or however often is needed, in the early hours of the morning, so it doesn’t interrupt users. The batch file would need to stop the exchange services, compress and defrag all the mail stores as above, then restart the Exchange services.

Removing Virtumond: Definitive Guide

Posted on January 21st, 2009 in Howtos, IT Security, Windows Admin by Rodney

I recently came across a server, a domain controller no less, which had been infected with Virtumond (sometimes called Virtuamonde), Vundo and Smitfraud. These are particularly nasty pieces of work and if you read many blogs, you’ll see they’re a pain in the butt to get rid of. Many people speak of the utter inability to get rid of the thing.

Ok, not to brag, but it’s not as hard as they’re making it. You can actually get rid of it fairly quickly. Here’s how.

Firstly, download a fresh copy of Spybot Search and Destroy, for later on.

1. You need to find where it is and start the removal process. You do this as follows:

  • Go to c:\windows\system32.
  • Sort by date with the newest files at the top.
  • You should see a bunch of {random_string}.dll files.
  • Take note of the oldest of these.
  • Search the hard disk for files made at the same time and if directories or files have been created that are suspicious – quarantine them.
  • Delete as many as you can – many will be in use and not deletable right now.

2. Now we want to stop the virus running so much. You can’t stop it yet but we can slow it down.

  • Download a product called Process Explorer.
  • Using Process Explorer, stop any processes called x.exe or msddll.exe, then delete the files.
  • Noting which {random_string}.dll files couldn’t be deleted, search the registry for those strings and remove the keys associated with them.
  • You’ll find this location full of problems and you may not be able to delete them: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify.
  • Sub keys in here based on the random string DLLs in c:\windows\system32\ must be deleted.

3. Now we need to get rid of the files that are still running and cannot be deleted. Virtumond is a pain in the butt and pretty clever. You can’t use pendmove and you can’t use safe mode to get rid of it. But you can use a Linux Live CD because Linux doesn’t have to respect Windows’ rules.

4. Download a Linux Live CD. Fedora 10 is good because it natively handles your NTFS drives in read write. Boot off it and use it to browse to localdisk/WINDOWS/system32/ and sort by date. Delete those pesky {random_name}.dll files. Now they’re gone.

5. Boot Windows back up in safe mode.

  • Remove the remaining registry keys from above.
  • Install a fresh copy of Spybot Search and Destroy.
  • Run a spyware cleaner, like Spybot Search and Destroy. Twice.
  • Check the hosts file: c:\windows\system32\drivers\etc\hosts.

6. Boot back up in normal mode and check for the presence of Virtumond. It shouldn’t be running any longer. For peace of mind, run a few more spyware checks, like Spybot, AdAware, Windows Defender and Bit Defender. It should be clean.

7. Get your Windows CD handy. Open the command prompt and run this command:
sfc /scannow
This takes ages but it checks the system files on the computer are genuine Windows files and replaces the ones that are not.

8. Reinstall your antivirus software, after removing it completely, and patch patch patch!
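
Steps 1 and 2 above come down to two lookups: which files were written at about the same time as the first suspicious DLL, and which Winlogon\Notify subkeys point at those DLLs. The Python below is an added example, not part of the original post, with hypothetical function names; it uses file modification time as the "date", reads the text printed by "reg query ... /s" for the Notify key, and the sample output and DLL name are constructed.

```python
import os
import re

def leaf(path):
    """Lower-cased file name from a Windows or POSIX style path."""
    return re.split(r"[\\/]", path)[-1].lower()

def files_near(root, reference, window_seconds=600):
    """Paths under root modified within the window around reference, oldest first."""
    ref = os.stat(reference).st_mtime
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                mtime = os.stat(path, follow_symlinks=False).st_mtime
            except OSError:
                continue  # unreadable or vanished file
            if abs(mtime - ref) <= window_seconds:
                hits.append((mtime, path))
    return [path for _, path in sorted(hits)]

VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")

def notify_refs(reg_query_output, dll_paths):
    """Return (key, value_name) pairs whose data names one of the given DLLs."""
    wanted = {leaf(p) for p in dll_paths}
    key, refs = None, []
    for line in reg_query_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and key and leaf(m.group(3).strip()) in wanted:
            refs.append((key, m.group(1)))
    return refs

# Constructed sample of "reg query" output for the Notify key.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    DllName    REG_EXPAND_SZ    crypt32.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qwxyzabc
    DllName    REG_SZ    C:\WINDOWS\system32\qwxyzabc.dll
    Startup    REG_SZ    SysLogon
"""

if __name__ == "__main__":
    print(notify_refs(SAMPLE_REG_QUERY, [r"C:\WINDOWS\system32\qwxyzabc.dll"]))
```

The list returned by files_near can be passed straight to notify_refs, so the Notify subkeys to remove are the ones tied to files from the infection window.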
