Thursday, November 19, 2009

Live Migration, Cluster Shared Volumes and Pass-through disk

One thing to note: CSV is not required for Live Migration in Windows Server 2008 R2, but without it you are limited to "one VM per LUN".
Live Migration - How it works?
- A new VM is created on the target server.
- The initial memory state is copied from the source to the target over the live migration network (which can be configured from Failover Cluster Management).
- Memory pages that were changed during the copy process are marked, and the pages are copied over as well. This process continues until the number of pages is relatively small.
- The VM is paused on the source node, and the state of the VM is copied to the target node.
- The VM is resumed on the target node, the VM on the source is removed.

Cluster Shared Volumes was introduced to solve the problem of one VM per LUN, so don't be confused into thinking that CSV is required for Live Migration.

You can also do Live Migration on a VM that uses a pass-through disk. It just requires a few more steps to enable, but first make sure the pass-through LUN is presented to all the hosts in the cluster.
Stop the VM from Failover Cluster, add the pass-through disk to the VM, click "Refresh virtual machine configuration", then turn on the VM. That's it.

Tuesday, November 17, 2009

EMC "RBAC authorization returns Access Denied"
David Strome, MSFT

Because we’ve seen this issue come up a couple of times on the forums, I’m going to outline the steps that correct it below. If you encounter a permissions issue, please read this post in its entirety before performing any steps. Performing the steps below is at your own risk.

There’s an issue where, if setup fails at a specific point, subsequent attempts to install Exchange 2010 could result in the administrative management role assignments not being created. If this happens, you will receive errors saying you don’t have permissions to use the Exchange Management Console or Shell. If you look at the roles assigned to the Organization Management role group, you’ll see only roles that begin with “My”.

IMPORTANT – If you receive permissions errors when attempting to open the console or the shell, the most common cause of this is the use of an application on the Exchange 2010 server that uses credentials other than the administrative credentials used to install Exchange 2010. To test whether this is the cause of any permissions problems you’re experiencing, follow the New-PSSession instructions in the “EMC Permissions Gone” thread to open a manual shell connection. If you receive the correct permissions using this manual connection method, you have conflicting credentials in the Windows credential cache. Clear out those credentials and try again. If this doesn’t resolve your issue, please continue reading.

To determine whether this issue is the reason you are missing permissions, perform the following steps on the Exchange 2010 server:

(This procedure requires that you search in specific directions using the Find feature of your text editor. If your text editor doesn’t have a direction option with the Find feature, use Notepad)

1. Open the ExchangeSetup.Log file in a text editor. This file is located in x:\ExchangeSetupLogs where x is the Exchange 2010 installation drive.

2. Search from the top of the file in the down direction for the string Install-CannedRbacRoleAssignments

3. You should find a line that starts with the following (note: this line may indicate a failure, that can be ignored for the purpose of this discussion):

[] [1] Executing 'Install-CannedRbacRoleAssignments -InvocationMode $RoleInstallationMode –DomainController…

4. Then search from this line in the up direction for the string $RoleInstallationMode

5. Look for “BuildToBuildUpgrade” in the following line:

[] [2] Launching sub-task '$error.Clear(); $RoleInstallationMode = "BuildToBuildUpgrade"'.

If you see BuildToBuildUpgrade on the RoleInstallationMode line, then a previous installation failure has caused this issue and the steps below should resolve it. If you see Install in the RoleInstallationMode line, do not perform the steps below. Your issue may have another cause. Start a new thread and we’ll help you investigate your issue.
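
The log check in steps 1-5, as a read-only PowerShell function (an added example, not part of the original post or of Exchange setup). The function name Get-RoleInstallationMode and the sample lines are constructed for illustration; the sample keeps the empty timestamp brackets shown in the post.

```powershell
# Added example: automates the manual Find steps. It only reads; nothing is changed.
function Get-RoleInstallationMode {
    [CmdletBinding()]
    param(
        # Lines of ExchangeSetup.Log in file order (blank lines allowed).
        [Parameter(Mandatory)] [AllowEmptyString()] [string[]] $Lines
    )

    # Step 2: first occurrence of the cmdlet name, searching down from the top.
    $hit = -1
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i].Contains('Install-CannedRbacRoleAssignments')) { $hit = $i; break }
    }
    if ($hit -lt 0) {
        return [pscustomobject]@{ Mode = $null; ModeLine = $null
                                  Verdict = 'Cmdlet not found in log' }
    }

    # Steps 4-5: search up from that line for the $RoleInstallationMode assignment.
    for ($j = $hit - 1; $j -ge 0; $j--) {
        if ($Lines[$j] -match '\$RoleInstallationMode\s*=\s*"([^"]+)"') {
            $mode = $Matches[1]
            $verdict = switch ($mode) {
                'BuildToBuildUpgrade' { 'Matches this issue' }
                'Install'             { 'Does not match; do not run the procedure' }
                default               { 'Value not covered by the post' }
            }
            return [pscustomobject]@{ Mode = $mode; ModeLine = $j + 1; Verdict = $verdict }
        }
    }
    [pscustomobject]@{ Mode = $null; ModeLine = $null
                       Verdict = 'No $RoleInstallationMode assignment above the cmdlet line' }
}

# Constructed sample in the shape quoted in the post (timestamps omitted,
# filler lines and the domain controller name are made up).
$sample = @'
[] [2] (constructed filler line)
[] [2] Launching sub-task '$error.Clear(); $RoleInstallationMode = "BuildToBuildUpgrade"'.

[] [2] (constructed filler line)
[] [1] Executing 'Install-CannedRbacRoleAssignments -InvocationMode $RoleInstallationMode -DomainController dc01.example.test'
'@ -split "`r?`n"

Get-RoleInstallationMode -Lines $sample

# Against the real log (x: is the Exchange 2010 installation drive):
# Get-RoleInstallationMode -Lines (Get-Content 'x:\ExchangeSetupLogs\ExchangeSetup.Log')
```

ModeLine is the 1-based line number of the assignment, so the result can be confirmed by eye in the log before anything else is run.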

WARNING – The Install-CannedRbacRoleAssignments cmdlet could result in the loss of role assignment customizations in the Exchange 2010 organization. This cmdlet should only be run in association with the following procedure on new installations of Exchange 2010.

IMPORTANT – The following procedure should only be performed if you’re experiencing this exact issue. Do not run the Install-CannedRbacRoleAssignments cmdlet or any other Exchange setup cmdlet (available only by using the Add-PSSnapin cmdlet below) without direction from Microsoft. Doing so could irreparably damage your Exchange installation.

Do the following on the Exchange 2010 server using the same account used to install Exchange 2010.

1) Open Windows PowerShell (not the Exchange Management Shell)

a. If you have UAC enabled, right click Windows PowerShell and click Run as administrator.

2) Run Start-Transcript c:\RBAC.txt and press enter

a. This will start logging all commands and output you type to a text file.

3) Run Add-PSSnapin *setup and press enter

a. This adds the setup snap-in which contains the setup cmdlets used by Exchange during install. You may see errors about loading a format data file. You can ignore those errors.
DO NOT run any other cmdlets in this snap-in without direction from Microsoft. Doing so could irreparably damage your Exchange installation.

4) Run Install-CannedRbacRoleAssignments -InvocationMode Install -Verbose and press enter.

a. This cmdlet should create the required role assignments between the role groups and roles that should have been created during setup.

b. Be sure you run with the Verbose switch so we can capture what the cmdlet does.

5) Run Remove-PSSnapin *setup and press enter

6) Run $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://<server FQDN>/PowerShell/ -Authentication Kerberos and press enter

a. Be sure to replace <server FQDN> with the FQDN of your server.

7) Run Import-PSSession $Session and press enter

8) Run Get-ManagementRoleAssignment and press enter

9) Run Stop-Transcript and press enter

When you ran the Get-ManagementRoleAssignment cmdlet above, several dozen assignments should have been shown. If yes, try opening the EMC and see if you have permissions to do anything, such as create a new mailbox. If yes, then you’re set. If not, please start a new thread and indicate that you’ve already performed this procedure. We’ll try and help you investigate your issue. Save your setup logs and the RBAC.txt file to help with the investigation.



Restore deleted user accounts from AD

In my case I have 2 DCs
- Primary AD is Windows Server 2003
- Additional AD is Windows Server 2008 R2 and running Exchange 2010 also
Luckily I had a full backup of the additional AD before my stupid mistake of deleting 3 users, so I restarted in Directory Services Restore Mode and restored the system state.
* Using wbadmin to do a full backup
wbadmin start backup -backupTarget:\\\SLBA181M -allCritical -vssFull -quiet
Then follow this link to restore the deleted user accounts.
In my case I'm using the ldp method to restore the accounts.

Wednesday, November 11, 2009

Upgrading Domain Controller to Windows Server 2008
- adprep /forestprep
- adprep /rodcprep (if you are planning to use RODC)
- adprep /domainprep /gpprep
then use dcpromo to join to existing Domain Controller and transfer the role to new DC

one more important thing is
"Modify Default Security Policies"
Microsoft network server: Digitally sign communications (always)
Domain member: Digitally encrypt or sign secure channel data (always)

Exchange 2010 Prerequisites


Windows Server 2008 R2
- Microsoft Filter Pack
- All Programs -> Accessories -> Windows PowerShell
- Import-Module ServerManager
Role -> Mailbox
- Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server -Restart
Role -> Client Access
- Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,RPC-Over-HTTP-Proxy -Restart
Role -> Hub Transport
- Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server -Restart
Role -> Unified Messaging
- Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Desktop-Experience -Restart
Role -> Edge Transport
- Add-WindowsFeature NET-Framework,RSAT-ADDS,ADLDS -Restart
After it's done
- Windows PowerShell -> Set-Service NetTcpPortSharing -StartupType Automatic

SharePoint with Remote SQL and DPM

- KB941422 is required (WSS hotfix)
- KB940349 is required (VSS Hotfix)
- Microsoft .NET Framework 2.0 should be SP1 as a minimum.
- Another SharePoint farm is required for restoration
- Create a web application called DPMRecoveryWebApplication and don't create a site collection list
- WSS FE (requires the admin account of the SharePoint farm)
- > ConfigureSharepoint -EnableSharePointProtection
After it's done, use dcomcnfg to check DCOM Config -> WSSCmdletsWrapper and the account for the service "Windows SharePoint Services VSS Writer"
- > ConfigureSharepoint -EnableSPSearchProtection (new in DPM 2007 SP1)
-> Change the service "SQL Server VSS Writer" to use the same account that is configured for the FE

One more thing. By design, DPM 2007 won't allow protection of data that is already protected by another protection group. If you have already created a protection group on the remote SQL server, you will not be able to protect SharePoint, so remove the SQL protection first and then you will be able to back it up.

Friday, November 6, 2009

Backup Exchange with LCR by DPM 2007 Issues

Change the value to 0 (to disable it)

then restart "Microsoft Exchange Replication Service"

Sunday, October 25, 2009

Using SCOM 2007 R2 to monitor the level of coffee - so cool


This management pack can be used to keep track of the level of coffee left in the pot.

With this management pack, you will never run dry of, what we all know, is the most important part of a productive environment!

This is mostly made as a proof of concept, as this technique can be transferred to other monitor types. It could be expanded with other types of sensors, like a weight to check the level of coffee instead of a camera, or a thermometer to check the temperature of the coffee.

This is the very first version. It has been tested in test environments.

By default, it will trigger a warning when under 50% is left, and a Critical Alert when under 20% is left.

Please do not hesitate to report any bugs and please send suggestions for the next version you might have.

This was developed by Jakob Gottlieb Svendsen with the help of Kåre Rude Andersen

Wednesday, October 21, 2009

Windows 2000 with Hyper-V

One requirement from a customer is to P2V a standalone SQL 2000 on Windows 2000 Advanced Server to Hyper-V, duplicate the image, and then build the cluster from it. It seems like it can be done, but it's not going to work at all:
- server name change (2 new server names -> the old server name will be used as the DB cluster name)
- application reconfiguration -> big problem...

So build a new Windows 2000 cluster and manually migrate to the new environment.

hold on a second...

Check out this link ...

Hyper-V only supports 1 vCPU for Windows 2000 Server
1 vCPU -> should be ok...

BUT the real problem is...

Hyper-V does not support the SCSI controller on Windows 2000 Server, so I'm stuck now.
-> Guest clustering requires a SCSI controller for the shared disk (either VHD or pass-through)... but hold on a second...
What about iSCSI? Yeah, it should work fine...

But I would say building a new cluster environment with Windows Server 2003 should be a better way. SQL Server 2000 clustering on Windows Server 2003 is not an issue.

Guest clustering with pass-through disk -> the nodes must be on different hosts...
But Microsoft also only supports using iSCSI for guest clustering.

Monday, October 19, 2009

BSOD Intel Xeon 5500 Series with Windows Server 2008 R2

0x00000101 (parameter1, 0000000000000000, parameter3, 000000000000000c)
Get the hotfix from here....

NetBackup - Bare Metal Restore - Failed to verify backup --rc(%1)

Got some issues doing a bare metal restore at one of the customers and found out that the problem comes from a valid client.
The production server is still running and they tried to restore it to another machine on the same network, which I believe is not going to work: hostname and IP address conflict.

Wednesday, October 14, 2009

Installing SQL Server 2008 on Windows Server 2008 R2

- .NET Framework v3.5.1 Features (it will pop up a dialog about the required role (Web Server); just accept it)
- Components that need to be added for the Web Server role
  - Common HTTP Features
    - Static Content
    - Default Document
    - Directory Browsing
    - HTTP Errors
    - HTTP Redirection
  - Application Development
    - .NET Extensibility
    - ISAPI Extensions
    - ISAPI Filters
  - Health and Diagnostics
    - HTTP Logging
    - Request Monitor
  - Security
    - Basic Authentication (Optional)
    - Windows Authentication
    - Client Certificate Mapping Authentication (Optional)
    - IIS Client Certificate Mapping Authentication (Optional)
    - Request Filtering
  - Performance
    - Static Content Compression (Optional)
    - Dynamic Content Compression (Optional)
  - Management Tools
    - IIS Management Console
    - IIS 6 Management Compatibility (Optional)
      - IIS 6 Metabase Compatibility (Optional)
      - IIS 6 WMI Compatibility
      - IIS 6 Scripting Tools
      - IIS 6 Management Console

SQL Server SP 1 is required to run on Windows Server 2008 R2 also.

Windows Firewall with SQL
Just an idea for the port required
Integration – 135
SRS – 80
Analyses – 1434
SQL - 1433

Slipstream an installation of SQL Server 2008

Exchange 2007 LCR with DPM 2007

You need to disable the VSS replica Writer on that LCR DB by registry and restart the services
add the EnableVssWriter key as a DWORD with a value of 0 under
then restart the Microsoft Exchange Replication Service

Tuesday, October 13, 2009

Shutdown Exchange Server 2007

Especially when you are running on a domain controller, it will take a long time to shut down, and sometimes the services are killed without a proper shutdown, so your Exchange database might end up corrupted. Use this sequence to do a clean shutdown of Exchange:

net stop msexchangeadtopology /y
net stop msftesql-exchange /y
net stop msexchangeis /y
net stop msexchangesa /y
net stop iisadmin /y

In case you want to start exchange manually -> use this sequence to start up
net start "World Wide Web Publishing Service"
net start "Microsoft Exchange Information Store"
net start "Microsoft Exchange System Attendant"
net start "Microsoft Search (Exchange)"
net start "Microsoft Exchange Information Store"
net start "Microsoft Exchange Unified Messaging"
net start "Microsoft Exchange Transport Log Search"
net start "Microsoft Exchange Transport"
net start "Microsoft Exchange Service Host"
net start "Microsoft Exchange Search Indexer"
net start "Microsoft Exchange Replication Service"
net start "Microsoft Exchange Mail Submission"
net start "Microsoft Exchange Mailbox Assistants"
net start "Microsoft Exchange File Distribution"
net start "Microsoft Exchange EdgeSync"
net start "Microsoft Exchange Anti-spam Update"

Monday, October 12, 2009

Network Teaming with Hyper-V

It's quite old news but yeah now it's already supported by Microsoft.

The thing is, you need to add the Hyper-V role and install all the hotfixes before you install teaming software / drivers. If not, it might not work...

Manually add a VM Configuration to Hyper-V

1. Create the link to the xml file
mklink "%systemdrive%\ProgramData\Microsoft\Windows\Hyper-V\Virtual Machines\5A0EAC7A-2079-467B-A95D-7D1368DD6A35.xml" "E:\Virtual Machines\SXXXXXX\5A0EAC7A-2079-467B-A95D-7D1368DD6A35.xml"
2. Grant the Service SID to the xml file
icacls "%systemdrive%\ProgramData\Microsoft\Windows\Hyper-V\Virtual Machines\5A0EAC7A-2079-467B-A95D-7D1368DD6A35.xml" /grant "NT VIRTUAL MACHINE\5A0EAC7A-2079-467B-A95D-7D1368DD6A35":(F) /L
3. Grant the Service SID access to all the files
icacls "E:\Virtual Machines\SXXXXXX" /T /grant "NT VIRTUAL MACHINE\5A0EAC7A-2079-467B-A95D-7D1368DD6A35":(F)

Quite complicated... maybe creating a new VM with the existing disk is a better idea. Be careful about the new GUID and MAC address as well.

Sunday, October 11, 2009

Undocumented network properties for Cluster Shared Volumes with Hyper-V R2

Managed to set up a Hyper-V R2 cluster on Cluster Shared Volumes with Windows Server 2008 R2 (Server Core) and everything is working fine... BUT why does a Full Installation have issues? Can't remember the exact error message, but...

DO NOT DISABLE Client for Microsoft Networks and File and Print Sharing on the Heartbeat network. That's it.

On Server Core I couldn't find a way to uncheck them, so I left them at the default. That's why it worked without any problem.

Not sure what Microsoft recommends for other clustering; I think you should uncheck them if you are not using Cluster Shared Volumes.

BTW -> Change the priority of network also
Heartbeat should be the lowest one 1,000

Live Migration -> 1,100

Production -> 10,000

By default, if a network is used for public traffic its metric starts at 10,000; internal networks start from 1,000.
Use PowerShell to check the priority:

Get-ClusterNetwork | ft Name, Metric, AutoMetric
Name Metric
---- ------
Heartbeat 1000
LiveMigration 1100
Production 10000

Change the metric by using these commands:
$cn = Get-ClusterNetwork "<cluster network name>"
$cn.Metric = <new metric value>

Cluster Shared Volumes
-> Pass-through disk is not supported
-> GPT partitions are not supported, so the size is limited to 2TB per LUN
*** can't find the link about this anymore, but it seems GPT is now supported ***
-> All the LUNs will be mounted at C:\ClusterStorage\Volume1, C:\ClusterStorage\Volume2....
-> C:\ClusterStorage can't be changed.
-> VolumeXX can be changed -> C:\ClusterStorage\LUN01-VMs
-> DPM 2007 SP1 is not supported, but DPM 2010 is.
-> I heard that CA Arcserve Backup is already supported.
-> Recommended: a separate network for live migration -> tested with a cross cable, throughput is up to 130MB/sec (1Gbps)

will continue

SCOM 2007 "Unexpected Shutdown" where is it?

By default it's not enabled so you have to create it
New -> Monitor Objects -> Windows Events -> Simple Event Detection -> Manual Reset -> select System Log
- Event ID: 6008
- Event Source: EventLog

But you will get this alert after the server is online again, NOT when the server is down. The reason is that this message is written to the event log after Windows starts up, and when the SCOM agent detects the message it forwards it to the SCOM server.

Server down -> no SCOM agent -> no engine to detect message -> no communication between server and agents

Actually, when the server is down you will get alerts from the SCOM server about "Management software failed" and "Failed to connect to the computer", and if your server is running other applications (SQL, Exchange, etc.) you will get alerts from the application management packs as well.

Another thing: these 2 alerts ("Management software failed", "Failed to connect to the computer") are closed automatically when the server is online again. You might not get these alerts if you are running on a virtualization platform, because a server reboot might take less than 1 minute.

SCOM 2007 -> Setup cannot locate the SC database

Check the SQL Server Configuration Manager to enable "TCP/IP" and "Named Pipes", especially when using a remote database, and check the SPN registration as well.

Changes of service names in SCOM 2007 R2

SCOM 2007 SP1 -> SCOM 2007 R2
"OpsMgr SDK Service" -> "System Center Data Access"
"OpsMgr SDK Service" -> "System Center Management Configuration"
"OpsMgr Health Service" -> "System Center Management"

MOMCertImport.exe error: ‘The application failed to initialize properly (0xc0150002). Click OK to terminate the application.’

The problem is that some .NET components are required.
Open momcertimport.exe with Notepad and go to the end of the file; you will see this:
assemblyIdentity ........ "Microsoft.VC90.CRT" version="9.0.30729.1"

So you need to get this library installed on the server (Microsoft Visual C++ 2008 SP1).

Microsoft Visual C++ 2008 SP1 -> 9.0.30729.1
Microsoft Visual C++ 2008 -> 9.0.21022.8

Actually, MOMCertImport.exe just adds an entry for the certificate to the registry, so it can be done manually:
1. Check the serial number of the certificate from the Details tab (mmc -> Certificates -> Computer account)
2. Create a new Binary Value "ChannelCertificateSerialNumber" under HKLM\Software\Microsoft Operations Manager\3.0\Machine Settings, with the serial number in "REVERSE" byte order
Example: serial number is ab 12 cd 34 ef 56 -> enter it as 56 ef 34 cd 12 ab
Then restart the health service:
R1 -> "OpsMgr Health Service"
R2 -> "System Center Management"
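
The byte reversal and a read-only check of the registry value against the computer certificate store, in PowerShell (an added example, not part of MOMCertImport or the original post). The function names are hypothetical, and the registry path is the one written in this post; confirm it on your server before relying on it.

```powershell
# Turn a serial number as shown on the Details tab into the reversed byte
# array expected in ChannelCertificateSerialNumber.
function ConvertTo-ChannelSerialBytes {
    param([Parameter(Mandatory)] [string] $SerialNumber)

    $hex = $SerialNumber -replace '[^0-9A-Fa-f]', ''   # drop spaces and separators
    if ($hex.Length -eq 0 -or $hex.Length % 2 -ne 0) {
        throw 'Serial number must contain an even number of hex digits.'
    }
    $bytes = [byte[]]@(for ($i = 0; $i -lt $hex.Length; $i += 2) {
        [Convert]::ToByte($hex.Substring($i, 2), 16)
    })
    [Array]::Reverse($bytes)
    , $bytes   # leading comma keeps the array intact on the pipeline
}

# Read the stored value, undo the reversal, and look for a matching
# certificate in the computer account's Personal store.
function Test-ChannelCertificateSerial {
    param(
        # Path as written in the post (assumption: adjust if your key differs).
        [string] $KeyPath = 'HKLM:\Software\Microsoft Operations Manager\3.0\Machine Settings'
    )
    $stored = (Get-ItemProperty -Path $KeyPath -Name ChannelCertificateSerialNumber `
                                -ErrorAction Stop).ChannelCertificateSerialNumber
    $bytes = [byte[]]($stored.Clone())
    [Array]::Reverse($bytes)
    $serial = ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''

    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.SerialNumber -eq $serial } |
        Select-Object -First 1

    [pscustomobject]@{
        SerialInRegistry = $serial
        CertificateFound = [bool]$cert
        Subject          = $cert.Subject
        NotAfter         = $cert.NotAfter
        HasPrivateKey    = $cert.HasPrivateKey
    }
}

# The post's example serial number, formatted the way it is typed into regedit.
$example = ConvertTo-ChannelSerialBytes 'ab 12 cd 34 ef 56'
($example | ForEach-Object { $_.ToString('x2') }) -join ' '

# To write the value instead of typing it (elevated prompt, real serial number):
# Set-ItemProperty -Path <key path> -Name ChannelCertificateSerialNumber -Value $example -Type Binary

# On the agent or gateway server, from an elevated prompt:
# Test-ChannelCertificateSerial
```

A result with CertificateFound false, an expired NotAfter, or HasPrivateKey false means the health service is pointed at a certificate it cannot use for authentication.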

Role-based authorization model for Hyper-V

azman.msc -> C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml
- Allow Input to Virtual Machine
- Allow Output from Virtual Machine
- Bind External Ethernet Port
- Change Virtual Machine Authorization Scope
- Change VLAN Configuration on Port
- Connect Virtual Switch Port
- Create Internal Ethernet Port
- Create Virtual Machine
- Create Virtual Switch
- Create Virtual Switch Port
- Delete Internal Ethernet Port
- Delete Virtual Machine
- Delete Virtual Switch
- Delete Virtual Switch Port
- Disconnect Virtual Switch Port
- Modify Internal Ethernet Port
- Modify Switch Port Settings
- Modify Switch Settings
- Pause and Restart Virtual Machine
- Read Service Configuration
- Reconfigure Service
- Reconfigure Virtual Machine
- Start Virtual Machine
- Stop Virtual Machine
- Unbind External Ethernet Port
- View External Ethernet Ports
- View Internal Ethernet Ports
- View LAN Endpoints
- View Switch Ports
- View Switches
- View Virtual Machine Configuration
- View Virtual Switch Management Service
- View VLAN Settings

- Don't forget about file permissions also....

- Using a group from Authorization Manager itself is more secure -> pull the users from AD and grant access, but... file permissions....
- Using a local group -> if someone gets local admin access and adds himself to the appropriate group, that's it

New in R2
- Allow Virtual Machine Snapshot