Thursday, November 19, 2009

Live Migration, Cluster Shared Volumes and Pass-through disk

One thing to note that with CSV is not required for Live Migration in Windows Server 2008 R2 but..... "one VM per LUN "
Live Migration - How it works?
- A new VM is created on the target server.
- The initial memory state is copied from the source to the targer over the live migration network (can be configure from Failover Cluster Management)
- Memory pages that were changed during the copy process are marked, and the pages are copied over as well. This process continues until the number of pages is relatively small
- The VM is paused on the source node, and the state of the VM is copied to the target node.
- The VM is resumed on the target node, the VM on the source is removed.

Cluster Shared Volumes is come in-place to solve the problem of one VM per LUN so don't confusing that CSV is required for Live Migraiton...

You can do Live Migration on the VM that using pass-through also.. just required some more step to enable it but first make sure that pass-through LUN must present to all the hosts in cluster.
Stop VM from Failover Cluster and adding the pass-through disk to the VM then click on the "Refresh virtual machine configuration" then turn on the VM... that's it..

Tuesday, November 17, 2009

EMC "RBAC authorization returns Access Denied"
David Strome, MSFT

Because we’ve seen this issue come up a couple of times on the forums, I’m going to outline the steps that correct it below. If you encounter a permissions issue, please read this post in its entirety before perform any steps. Performing the steps below is at your own risk.

There’s an issue where, if setup fails at a specific point, subsequent attempts to install Exchange 2010 could result in the administrative management role assignments not being created. If this happens, you will receive errors saying you don’t have permissions to use the Exchange Management Console or Shell. If you look at the roles assigned to the Organization Management role group, you’ll see only roles that begin with “My”.

IMPORTANT – If you receive permissions errors when attempting to open the console or the shell, the most common cause of this is the use of an application on the Exchange 2010 server that uses credentials other than the administrative credentials used to install Exchange 2010. To test whether this is the cause any permissions problems you’re experiencing, follow the New-PSSession instructions in the “EMC Permissions Gone” thread to open a manual shell connection. If you receive the correct permissions using this manual connection method, you have conflicting credentials in the Windows credential cache. Clear out those credentials and try again. If this doesn’t resolve your issue, please continue reading.

To determine whether this issue is the reason you are missing permissions, perform the following steps on the Exchange 2010 server:

(This procedure requires that you search in specific directions using the Find feature of your text editor. If your text editor doesn’t have a direction option with the Find feature, use Notepad)

1. Open the ExchangeSetup.Log file in a text editor. This file is located in x:\ExchangeSetupLogs where x is the Exchange 2010 installation drive.

2. Search from the top of the file in the down direction for the string Install-CannedRbacRoleAssignments

3. You should find a line that starts with the following (note: this line may indicate a failure, that can be ignored for the purpose of this discussion):

[] [1] Executing 'Install-CannedRbacRoleAssignments -InvocationMode $RoleInstallationMode –DomainController…

4. Then search from this line in the up direction for the string $RoleInstallationMode

5. Look for “BuildToBuildUpgrade” in the following line:

[] [2] Launching sub-task '$error.Clear(); $RoleInstallationMode = "BuildToBuildUpgrade"'.

If you see BuildToBuildUpgrade on the RoleInstallationMode line, then a previous installation failure has caused this issue and the steps below should resolve it. If you see Install in the RoleInstallationMode line, do not perform the steps below. Your issue may have another cause. Start a new thread and we’ll help you investigate your issue.

WARNING – The Install-CannedRbacRoleAssignments cmdlet could result in the loss of role assignment customizations in the Exchange 2010 organization. This cmdlet should only be run in association with the following procedure on new installations of Exchange 2010.

IMPORTANT – The following procedure should only be performed if you’re experiencing this exact issue. Do not run the Install-CannedRbacRoleAssignments cmdlet or any other Exchange setup cmdlet (available only by using the Add-PSSnapin cmdlet below) without direction from Microsoft. Doing so could irreparably damage your Exchange installation.

Do the following on the Exchange 2010 server using the same account used to install Exchange 2010.

1) Open Windows PowerShell (not the Exchange Management Shell)

a. If you have UAC enabled, right click Windows PowerShell and click Run as administrator.

2) Run Start-Transcript c:\RBAC.txt and press enter

a. This will start logging all commands and output you type to a text file.

3) Run Add-PSSnapin *setup and press enter

a. This adds the setup snap-in which contains the setup cmdlets used by Exchange during install. You may see errors about loading a format data file. You can ignore those errors.
DO NOT run any other cmdlets in this snap-in without direction from Microsoft. Doing so could irreparably damage your Exchange installation.

4) Run Install-CannedRbacRoleAssignments -InvocationMode Install -Verbose and press enter.

a. This cmdlet should create the required role assignments between the role groups and roles that should have been created during setup.

b. Be sure you run with the Verbose switch so we can capture what the cmdlet does.

5) Run Remove-PSSnapin *setup and press enter

6) Run $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http:///PowerShell/ -Authentication Kerberos and press enter

a. Be sure to replace with the FQDN of your server.

7) Run Import-PSSession $Session and press enter

8) Run Get-ManagementRoleAssignment and press enter

9) Run Stop-Transcript and press enter

When you ran the Get-ManagementRoleAssignment cmdlet above, several dozen assignments should have been shown. If yes, try opening the EMC and see if you have permissions to do anything, such as create a new mailbox. If yes, then you’re set. If not, please start a new thread and indicate that you’ve already performed this procedure. We’ll try and help you investigate your issue. Save your setup logs and the RBAC.txt file to help with the investigation.



Restore deleted user accounts from AD

In my case i have 2 DC
- Primary AD is Windows Server 2003
- Additional AD is Windows Server 2008 R2 and running Exchange 2010 also
Luckily that i have a full backup of Additional AD before my stupid mistake to delete 3 users .. so restart to directory service restore mode and restore the system state .
* Using wbadmin to do a full backup
wbadmin start backup -backupTarget:\\\SLBA181M -allCritical -vssFull -quiet
then follow this limk to restore that deleted user accounts
My case i'm using ldp method to restore the account

Wednesday, November 11, 2009

Upgrading Domain Controller to Windows Server 2008
- adprep /forestprep
- adprep /rodcprep (if you are planning to user RODC)
- adprep /domainprep /gpprep
then use dcpromo to join to existing Domain Controller and transfer the role to new DC

one more important thing is
"Modify Default Security Policies"
Microsoft network server: Digitally sign communications (always)
Domain member: Digitally encrypt or sign secure channel data (always)

Exchange 2010 Prerequisites


Windows Server 2008 R2
- Microsoft Filter Pack
- All Programs -> Accessories -> Windows PowerShell
- Import-Module ServerManager
Role -> Mailbox
- Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server -Restart
Role -> Client Access
- Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,RPC-Over-HTTP-Proxy -Restart
Role -> Hub Transport
- Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server -Restart
Role -> Unified Messaging
- Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Desktop-Experience -Restart
Role -> Edge Transport
- Add-WindowsFeature NET-Framework,RSAT-ADDS,ADLDS -Restart
After it's done
- Windows PowerShell -> Set-Service NetTcpPortSharing -StartupType Automatic

SharePoint with Remote SQL and DPM

- KB941422 is required (WSS hotfix)
- KB940349 is required (VSS Hotfix)
- Microsoft .NET Framework 2.0 should be SP1 as a minimum.
- Required another SharePoint Farm for restoration
- Create web application call DPMRecoveryWebApplication and don't create site collection list
- WSS FE (required admin account of sharepoint farm)
- > ConfigureSharepoint -EnableSharePointProtection
After it's done use dcomcnfg to check DCOM Config -> WSSCmdletsWrapper and account for the service "Windows SharePoint Services VSS Writer"
- > ConfigureSharepoint -EnableSPSearchProtection (new in DPM 2007 SP1)
-> Change the service "SQL Server VSS Writer" to use same account that configure for FE

One more thing. By Design, DPM 2007 won't allow protection on data that already been protected by another protection group. If you already create protection group on remote SQL you will not able to protect SharePoint anymore so remove SQL Protection first then you will be able to back it up.

Friday, November 6, 2009

Backup Exchange with LCR by DPM 2007 Issues

Change the value to 0 (to disable it)

then restart "Microsoft Exchange Replication Service"