IT isnt a hobby<br />
Marc (http://www.blogger.com/profile/09731120314870792316)<br />
<br />
<strong>Find Hyper V Virtual Machine by IP Address</strong><br />
2015-08-27<br />
<br />
Sometimes you need to find a VM by IP address. This could be for various reasons; maybe the end user of a VM doesn't know what the machine is called in Hyper-V, for example.<br />
<br />
I wrote the function in this script to do just that. Simply load the function and call<br />
<br />
find-vmip 10.20.30.40<br />
<br />
and the VM that has this IP will be returned.<br />
<br />
<br />
find-vmIP -ip 10.20.30.40<br />
<br />
<span style="font-family: "Courier New", Courier, monospace;">VMName Status IPAddresses</span><br />
<span style="font-family: "Courier New", Courier, monospace;">------ ------ -----------</span><br />
<span style="font-family: "Courier New", Courier, monospace;">(244) - Marc Turner Lab - DC {Ok} {10.20.30.40, fe80::851a:7585:a4bd:ce93}</span><br />
<br />
<br />
<div class="code">
function find-vmIP<br />
{<br />
    <#<br />
    .Synopsis<br />
    Finds the virtual machine on a Hyper-V server that has the IP address specified<br />
    .Description<br />
    .Example<br />
    find-vmIP -ip 10.20.30.40<br />
    VMName Status IPAddresses<br />
    ------ ------ -----------<br />
    (244) - Marc Turner Lab - DC {Ok} {10.20.30.40, fe80::851a:7585:a4bd:ce93}<br />
    .Notes<br />
    AUTHOR: Marc Turner<br />
    LASTEDIT: 26/08/2015<br />
    .Link<br />
    http://www.marcturner.co.uk<br />
    #><br />
    param($IP)<br />
    <br />
    # Clear variables used previously<br />
    $vms = $null<br />
    $FoundHost = $null<br />
    <br />
    # If the IP address was specified, carry on, otherwise throw an error<br />
    if ($IP)<br />
    {<br />
        # Get a list of all VMs and pipe it to get network adapter details.<br />
        # -ErrorAction Stop makes cmdlet errors terminating so the catch block runs.<br />
        try<br />
        {<br />
            $vms = Get-VM -ErrorAction Stop | Get-VMNetworkAdapter -ErrorAction Stop<br />
        }<br />
        catch<br />
        {<br />
            # Throw the message itself, not a script block containing it<br />
            throw $_.Exception.Message<br />
        }<br />
        <br />
        # If VMs were found carry on, otherwise throw an error (could be running on a client without Hyper-V)<br />
        if ($vms)<br />
        {<br />
            # Search through the list of VMs and find the match for the IP address, warn the user if not found.<br />
            # -like with no wildcard is an exact match; a pattern such as 10.20.30.* also works.<br />
            try<br />
            {<br />
                $FoundHost = $vms | Where-Object {$_.IPAddresses -like "$IP"} | Select-Object VMName,Status,IPAddresses<br />
            }<br />
            catch<br />
            {<br />
                throw $_.Exception.Message<br />
            }<br />
            <br />
            if ($FoundHost)<br />
            {<br />
                return $FoundHost<br />
            }<br />
            else<br />
            {<br />
                Write-Warning "VM with the IP address '$IP' was not found"<br />
            }<br />
        }<br />
        else<br />
        {<br />
            throw "No virtual machines were found on this host"<br />
        }<br />
    }<br />
    else<br />
    {<br />
        throw "The IP address to search for was not specified, use find-vmIP -ip 10.20.30.40"<br />
    }<br />
}<br />
<br />
</div>
<br />
<strong>Does the Active Directory user have an Exchange Mailbox?</strong><br />
Marc, 2015-07-02<br />
<span style="font-family: Verdana, sans-serif;">Part of a script I built to deal with starters and leavers is to hide a leaver's mailbox from the GAL.</span><br />
<span style="font-family: Verdana, sans-serif;"><br />I do this because:</span><br />
<span style="font-family: Verdana, sans-serif;">• We do not reuse user objects; we keep them in a disabled state so references to sAMAccountNames in audit logs are valid.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">• Leavers’ mailboxes stay online for 3 months after a leave date, as frequently the line manager may require access.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">• After 3 months we archive and remove leavers’ Exchange mailboxes, but as above the user object stays.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">All leavers’ accounts are in a generic “leavers OU”.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">To hide the account from the GAL, the script loops through each user in the leavers OU and if the hidden from GAL attribute on the mailbox isn’t true, it sets it.</span><br />
<span style="font-family: Verdana, sans-serif;"><br />Simple enough, but there will be users in there who no longer have Exchange mailboxes as they have been archived. So the script errors all over the place because the <span style="font-family: "Courier New", Courier, monospace;">get-mailbox $user</span> part of the script fails for those objects.</span><br />
<span style="font-family: Verdana, sans-serif;">So, I want to wrap an IF statement in the loop to only look for the variable if the user has an Exchange mailbox.</span><br />
<span style="font-family: Verdana, sans-serif;"><br />How would I know? There are lots of obvious attributes I can think of, but how do I know that they are removed when the mailbox is disabled / gone?</span><br />
<span style="font-family: Verdana, sans-serif;"><br />So quite simply, I took a dump of <span style="font-family: "Courier New", Courier, monospace;">get-aduser $user</span> BEFORE disabling the mailbox, and then after, and compared them.</span><br />
<span style="font-family: Verdana, sans-serif;"><br />The following attributes have data in them when a mailbox is present, and are null when a mailbox is disabled.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /><span style="font-family: "Courier New", Courier, monospace;">EmailAddress<br />homeMDB<br />legacyExchangeDN<br />mail<br />mailNickname<br />mDBUseDefaults<br />msExchDumpsterQuota<br />msExchDumpsterWarningQuota<br />msExchELCMailboxFlags<br />msExchHomeServerName<br />msExchMailboxGuid<br />msExchMailboxSecurityDescriptor<br />msExchMailboxTemplateLink<br />msExchMobileAllowedDeviceIDs<br />msExchMobileMailboxFlags<br />msExchOWAPolicy<br />msExchPoliciesIncluded<br />msExchRBACPolicyLink<br />msExchRecipientDisplayType<br />msExchRecipientTypeDetails<br />msExchTextMessagingState<br />msExchUserAccountControl<br />msExchVersion <br />proxyAddresses<br />showInAddressBook<br />textEncodedORAddress</span> </span><br />
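<span style="font-family: Verdana, sans-serif;"><br />The before/after comparison described above, as an added example that is not the author's script. <span style="font-family: "Courier New", Courier, monospace;">Get-AdAttributeSnapshot</span> and <span style="font-family: "Courier New", Courier, monospace;">Compare-AdAttributeSnapshot</span> are hypothetical helper names, <span style="font-family: "Courier New", Courier, monospace;">jbloggs</span> is a placeholder account, and the two hashtables are constructed sample data so the comparison runs without a domain controller.</span><br />

```powershell
# Added example, not the author's script. Function names are hypothetical helpers.

function Get-AdAttributeSnapshot {
    # Capture every populated attribute of one user as name -> flattened string.
    # Needs the ActiveDirectory module; the sample run below does not call it.
    param(
        [Parameter(Mandatory)][string]$Identity,
        [string]$Server   # optional: pin both snapshots to one DC to avoid replication lag
    )

    $query = @{ Identity = $Identity; Properties = '*'; ErrorAction = 'Stop' }
    if ($Server) { $query.Server = $Server }
    $user = Get-ADUser @query

    $snapshot = @{}
    foreach ($name in $user.PropertyNames) {
        $value = $user.$name
        if ($null -eq $value -or @($value).Count -eq 0) { continue }   # treat empty as absent
        # Multi-valued and byte[] attributes (e.g. msExchMailboxGuid) become one comparable string
        $snapshot[$name] = (@($value) | ForEach-Object { "$_" }) -join ';'
    }
    return $snapshot
}

function Compare-AdAttributeSnapshot {
    # Report attributes that were cleared, added or changed between two snapshots.
    param(
        [Parameter(Mandatory)][hashtable]$Before,
        [Parameter(Mandatory)][hashtable]$After
    )

    $names = @($Before.Keys) + @($After.Keys) | Sort-Object -Unique
    foreach ($name in $names) {
        $inBefore = $Before.ContainsKey($name)
        $inAfter  = $After.ContainsKey($name)

        if     ($inBefore -and -not $inAfter)      { $change = 'Cleared' }
        elseif ($inAfter -and -not $inBefore)      { $change = 'Added' }
        elseif ($Before[$name] -ne $After[$name])  { $change = 'Changed' }
        else                                       { continue }

        [pscustomobject]@{
            Attribute = $name
            Change    = $change
            Before    = $Before[$name]
            After     = $After[$name]
        }
    }
}

# Constructed sample snapshots (values are made up; attribute names are from the list above).
$before = @{
    sAMAccountName    = 'jbloggs'
    Enabled           = 'False'
    mail              = 'jbloggs@example.test'
    mailNickname      = 'jbloggs'
    homeMDB           = 'CN=PLACEHOLDER-DB,DC=example,DC=test'
    msExchMailboxGuid = '1;2;3;4'
    whenChanged       = '2015-07-01 09:00:00'
}
$after = @{
    sAMAccountName    = 'jbloggs'
    Enabled           = 'False'
    whenChanged       = '2015-07-02 12:00:00'
}

$diff = Compare-AdAttributeSnapshot -Before $before -After $after
$diff | Format-Table -AutoSize

# Only 'Cleared' attributes are candidates for a "has a mailbox" test;
# 'Changed' rows such as whenChanged are bookkeeping noise.
$diff | Where-Object { $_.Change -eq 'Cleared' } | Select-Object -ExpandProperty Attribute

# Live use (needs the ActiveDirectory module; 'jbloggs' is a placeholder):
#   $before = Get-AdAttributeSnapshot -Identity 'jbloggs'
#   ... disable the mailbox ...
#   $after  = Get-AdAttributeSnapshot -Identity 'jbloggs'
```

<span style="font-family: Verdana, sans-serif;">Taking both snapshots from the same domain controller keeps replication delay from showing up as a false difference.</span><br />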
<br />
<span style="font-family: Verdana, sans-serif;">I used msExchMailboxGuid in my script</span><br />
<br />
<div class="code">
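<span style="font-family: Verdana, sans-serif;"># $leavers must be retrieved with -Properties msExchMailboxGuid, otherwise the attribute is never populated<br />
Foreach ($user in $leavers)<br />
{<br />
    # Only users that still have a mailbox carry msExchMailboxGuid<br />
    If ($user.msExchMailboxGuid)<br />
    {<br />
        $mailbox = Get-Mailbox $user.SamAccountName<br />
        If ($mailbox.HiddenFromAddressListsEnabled -eq $False)<br />
        {<br />
            Try<br />
            {<br />
                # -ErrorAction Stop makes failures terminating so the Catch block runs<br />
                Set-Mailbox -Identity $user.SamAccountName -HiddenFromAddressListsEnabled $True -ErrorAction Stop<br />
            }<br />
            Catch<br />
            {<br />
                $_.Exception.Message<br />
            }<br />
        }<br />
    }<br />
}</span>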
</div>
<br />
<strong>Hyper-V Memory and Disk Allocations - Common Values</strong><br />
Marc, 2014-10-12<br />
<span style="font-family: Arial, Helvetica, sans-serif;">This post is more of a reminder for myself as opposed to something you will struggle to find elsewhere on the internet.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br />I work with Hyper-V a lot. Bizarrely, memory allocation is done in MB (who assigns less than a gig of RAM nowadays!) and disk space in GB (fair enough, but I find myself creating 1TB+ VHDs more often than less than a TB).</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br />The tables below list some common conversions.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><strong>MB to GB</strong></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><em><span style="font-size: x-small;">Typical RAM allocations</span></em></span><br />
<br />
<span style="font-family: Arial;"><span style="font-family: Times New Roman;"></span><br />
<br />
<span style="font-family: Times New Roman;">
<br />
<table border="1" cellpadding="0" cellspacing="0" class="MsoTableGrid" style="border-collapse: collapse;">
<tbody>
<tr><th>MB</th><th>GB</th></tr>
<tr><td>1024</td><td>1</td></tr>
<tr><td>2048</td><td>2</td></tr>
<tr><td>4096</td><td>4</td></tr>
<tr><td>8192</td><td>8</td></tr>
<tr><td>12288</td><td>12</td></tr>
<tr><td>16384</td><td>16</td></tr>
<tr><td>32768</td><td>32</td></tr>
<tr><td>65536</td><td>64</td></tr>
</tbody></table>
</span> </span><span style="font-family: Arial;"></span><br />
<span style="font-family: Arial;"><span style="font-family: Arial, Helvetica, sans-serif;"><strong>GB to TB</strong></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><em><span style="font-size: x-small;">Typical Disk allocations</span></em></span></span><br />
<br />
<table border="1" cellpadding="0" cellspacing="0" class="MsoTableGrid" style="border-collapse: collapse;">
<tbody>
<tr><th>GB</th><th>TB</th></tr>
<tr><td>1024</td><td>1</td></tr>
<tr><td>2048</td><td>2</td></tr>
<tr><td>3072</td><td>3</td></tr>
<tr><td>4096</td><td>4</td></tr>
<tr><td>5120</td><td>5</td></tr>
<tr><td>10240</td><td>10</td></tr>
<tr><td>15360</td><td>15</td></tr>
<tr><td>20480</td><td>20</td></tr>
</tbody></table>
<br />
<strong>ASP.NET fails to detect Internet Explorer 10 – The patches</strong><br />
Marc, 2013-05-17<br />
<div class="MsoNormal" style="margin: 0cm 0cm 8pt;">
<span style="font-family: Verdana, sans-serif;">We all know about the bug in .net 2 and .net4 browser definition
files that prevents it from recognising certain browser types (namely IE10)<o:p></o:p></span></div>
<span style="font-family: Verdana, sans-serif;">
</span><br />
<div class="MsoNormal" style="margin: 0cm 0cm 8pt;">
<span style="font-family: Verdana, sans-serif;">There are hotfixes available for this, but not via Microsoft
update – you have to request them and the link is emailed to you.<o:p></o:p></span></div>
<span style="font-family: Verdana, sans-serif;">
</span><br />
<div class="MsoNormal" style="margin: 0cm 0cm 8pt;">
<span style="font-family: Verdana, sans-serif;">This is an easy enough process and can be requested from:<o:p></o:p></span></div>
<span style="font-family: Verdana, sans-serif;">
</span><br />
<div class="MsoNormal" style="margin: 0cm 0cm 8pt;">
<span style="font-family: Verdana, sans-serif;"><strong>.NET 4</strong> - </span><a href="http://support.microsoft.com/kb/2600088"><span style="color: #0563c1; font-family: Verdana, sans-serif;">http://support.microsoft.com/kb/2600088</span></a><o:p></o:p></div>
<span style="font-family: Verdana, sans-serif;">
</span><br />
<div class="MsoNormal" style="margin: 0cm 0cm 8pt;">
<span style="font-family: Verdana, sans-serif;"><strong>.NET 2.0</strong> <o:p></o:p></span></div>
<span style="font-family: Verdana, sans-serif;">
</span><br />
<div class="MsoNormal" style="margin: 0cm 0cm 8pt;">
<a href="http://support.microsoft.com/kb/2600100"><span style="color: #0563c1; font-family: Verdana, sans-serif;">http://support.microsoft.com/kb/2600100</span></a><span style="font-family: Verdana, sans-serif;">
- <em>for Win7 SP1/Windows Server 2008 R2 SP1, Windows Vista/Server 2008, Windows
XP/Server 2003<o:p></o:p></em></span></div>
<span style="font-family: Verdana, sans-serif;">
</span><br />
<div class="MsoNormal" style="margin: 0cm 0cm 8pt;">
<a href="http://support.microsoft.com/kb/2608565"><span style="color: #0563c1; font-family: Verdana, sans-serif;">http://support.microsoft.com/kb/2608565</span></a><span style="font-family: Verdana, sans-serif;">
- <em>for Win7/Windows Server 2008 R2 RTM</em></span></div>
<span style="font-family: Verdana, sans-serif;">
</span><o:p><span style="font-family: Verdana, sans-serif;"> </span></o:p><br />
<span style="font-family: Verdana, sans-serif;">
</span><br />
<div class="MsoNormal" style="margin: 0cm 0cm 8pt;">
<span style="font-family: Verdana, sans-serif;">Or, if you run Server 2008 R2 SP1, here are the direct
download links to save time:<o:p></o:p></span></div>
<span style="font-family: Verdana, sans-serif;">
</span><br />
<div class="MsoNormal" style="margin: 0cm 0cm 8pt;">
<span style="font-family: Verdana, sans-serif;"><strong>.NET 4</strong></span></div>
<span style="font-family: Verdana, sans-serif;">
</span><br />
<div class="MsoNormal" style="margin: 0cm 0cm 8pt;">
<a href="http://hotfixv4.microsoft.com/.NET%20Framework%204.0%20-%20Windows%20XP,%20Windows%202003,%20Windows%20Vista,%20Windows%20Server%202008,%20Win7,%20Windows%20Server%202008%20R2%20(MSI)/nosp/DevDiv953277/30319.504/free/436907_intl_x64_zip.exe"><span style="color: #0563c1; font-family: Verdana, sans-serif;">http://hotfixv4.microsoft.com/.NET%20Framework%204.0%20-%20Windows%20XP,%20Windows%202003,%20Windows%20Vista,%20Windows%20Server%202008,%20Win7,%20Windows%20Server%202008%20R2%20(MSI)/nosp/DevDiv953277/30319.504/free/436907_intl_x64_zip.exe</span></a><o:p></o:p></div>
<span style="font-family: Verdana, sans-serif;">
</span><br />
<div class="MsoNormal" style="margin: 0cm 0cm 8pt;">
<span style="font-family: Verdana, sans-serif;"><strong>.NET 2.0</strong></span></div>
<span style="font-family: Verdana, sans-serif;">
</span><br />
<div class="MsoNormal" style="margin: 0cm 0cm 8pt;">
<a href="http://hotfixv4.microsoft.com/.Net%20Framework%202.0%20–%20Win7%20SP1,%20Windows%20Server%202008%20R2%20SP1%20(CBS)/sp2/DevDiv953290/50727.5692/free/437212_intl_x64_zip.exe"><span style="color: #0563c1; font-family: Verdana, sans-serif;">http://hotfixv4.microsoft.com/.Net%20Framework%202.0%20–%20Win7%20SP1,%20Windows%20Server%202008%20R2%20SP1%20(CBS)/sp2/DevDiv953290/50727.5692/free/437212_intl_x64_zip.exe</span></a><o:p></o:p></div>
<span style="font-family: Verdana, sans-serif;">
</span>Marchttp://www.blogger.com/profile/09731120314870792316noreply@blogger.com0tag:blogger.com,1999:blog-4984212032010194887.post-39907937755514555182012-10-18T09:45:00.002+01:002012-10-18T09:45:35.223+01:00Granting users rights to run SQL profiler without SA rights<span style="font-family: Verdana, sans-serif;">If you have a group of users (say software developers) who may occasionally need to run SQL profiler but you do not wish to grant excessive rights such as SA, you can grant the “trace” right to a security group, or indeed a user. But why would you do that?!</span><br />
<span style="font-family: Verdana;"></span><br />
<span style="font-family: Verdana, sans-serif;">Personally, I create a security group called “SQL Profiler Users” and grant the trace permission to that group. If a user needs to run profiler they can simply be placed in this group.</span><br />
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">To grant the permission, run the following query:</span><br />
<div class="code">
<span style="font-family: Verdana;"></span><br />
<span style="font-family: Verdana, sans-serif;">USE master<br />GO<br />GRANT ALTER TRACE TO [YourDomain\SQL Profiler Users]</span>
</div>
Marchttp://www.blogger.com/profile/09731120314870792316noreply@blogger.com0tag:blogger.com,1999:blog-4984212032010194887.post-30156531783524819032012-07-10T22:06:00.001+01:002012-07-10T22:31:36.647+01:00Changing IP Settings on an SQL Cluster<span style="font-family: Verdana, sans-serif;">This simple five minute job during an implementation really threw me.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">To paint a picture: there is a three-node SQL cluster with two instances (2 active nodes, one passive), isolated from clients behind a firewall.</span><br />
<span style="font-family: Verdana, sans-serif;"><br />To support a hardened firewall policy that permits only TCP 1433 to the instance resource group IP addresses, and to ensure that only the instance resource group IP address listens on that port (as opposed to the default “all IPs” setting), some changes are required to the network settings in SQL Server Configuration Manager.<br />
<br />On a standalone SQL server, it’s simply a matter of changing the settings using the Configuration Manager GUI and restarting the SQL service, and the change takes effect. In a cluster, however, the changes revert to the previous values immediately after clicking OK.<br />
<br />After venturing into this issue a bit more I discovered that what I was trying to do wasn’t really documented anywhere, but some other articles pointed me in the general direction of the joys of quorum in clustering. In a nutshell, I was making a change on one box, but as the registry settings being changed are managed by the cluster service, the other two nodes in the cluster won quorum and overwrote the settings.<br />
<br />
</span><br />
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;"><div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-5az2djGJIAc/T_yYaWawrAI/AAAAAAAAACc/X6N8GBKJQSw/s1600/SQLStandalone.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="315" src="http://2.bp.blogspot.com/-5az2djGJIAc/T_yYaWawrAI/AAAAAAAAACc/X6N8GBKJQSw/s400/SQLStandalone.jpg" width="400" /></a></div>
<br /><br />
<br />To change these settings in the cluster, the cluster reservation checkpoint for the registry path needs to be removed, the changes made in the registry, and then the cluster reservation checkpoint added again.<br />
<br />The first step is to get the checkpoint name of the instance you are going to modify. Run the following command:<br />
<br />
<div class="code">
Cluster res /checkpoints </div>
<br />
</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-duyiffV49_U/T_yYnorhp7I/AAAAAAAAACk/GlKnHGqe5Fw/s1600/Cluster+Checkpoints.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="360" src="http://2.bp.blogspot.com/-duyiffV49_U/T_yYnorhp7I/AAAAAAAAACk/GlKnHGqe5Fw/s640/Cluster+Checkpoints.jpg" width="640" /></a></div>
<br />
<br />
<span style="font-family: Verdana, sans-serif;">Once you have the instance name, take the SQL Server resource offline in Failover Cluster Manager and run the following command:</span><br />
<br />
<div class="code">
cluster res "SQL Server (INSTANCENAME)" /removecheck: "Software\Microsoft\Microsoft SQL Server\MSSQL.INSTANCENAME\MSSQLSERVER" </div>
<br />
<span style="font-family: Verdana, sans-serif;"><br />
<br />
You should now edit the registry or use SQL Server Configuration Manager to make the changes you wish to make.<br />Personally I prefer to edit the registry, as this enables you to delete the unused IP addresses and just leave the cluster IP in place, which is much tidier.<br />The path to edit the registry settings is:</span><br />
<span style="font-family: Verdana, sans-serif;"></span><br />
<br />
<div class="code">
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL10_50.INSTANCENAME\MSSQLServer\SuperSocketNetLib\Tcp\
</div>
<br />
<span style="font-family: Verdana, sans-serif;">Delete any of the IPx keys you don’t need, but leave IPAll.<br />To specify the port for the IP address to listen on, simply modify the TCPPort value and remove the value from TcpDynamicPorts.</span><br />
<span style="font-family: Verdana, sans-serif;">Once you are happy with the changes, run the following command to add the checkpoint back into clustering:</span><br />
<br />
<br />
<div class="code">
cluster res "SQL Server (INSTANCENAME)" /addcheck: "Software\Microsoft\Microsoft SQL Server\MSSQL.INSTANCENAME\MSSQLSERVER"
</div>
<br />
<span style="font-family: Verdana, sans-serif;"><br />Bring the SQL Server resource back online and check SQL Server Configuration Manager; the changes should have taken effect.<br />
<br />As a result of this change, your firewall rules will be more secure, as the massive dynamic port range doesn’t need to be permitted, and if need be both SQL instances can be failed over to the one server without ports conflicting. There is also the added bonus that the IP configuration in SQL Server Configuration Manager looks a whole lot tidier.</span><br />
<br />
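A read-only check to run on each node once the resource is back online, added here as an example and not part of the original post: it lists the IPx keys under the registry path above and flags anything other than the cluster IP on the fixed port. The sample address 10.20.30.40 and the `ListenOnAllIPs` and `IpAddress` value names are assumptions; `INSTANCENAME` is the post's placeholder.

```powershell
# Added example, not the author's script. Read-only: nothing is changed.
param(
    # Instance key under "Microsoft SQL Server"; placeholder taken from the post.
    [string]$InstanceKey  = 'MSSQL10_50.INSTANCENAME',
    # Constructed sample value: IP address of the instance's cluster resource group.
    [string]$ExpectedIP   = '10.20.30.40',
    # The single port the firewall policy permits.
    [string]$ExpectedPort = '1433'
)

$tcpRoot = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$InstanceKey\MSSQLServer\SuperSocketNetLib\Tcp"
if (-not (Test-Path -Path $tcpRoot)) {
    throw "Registry path not found: $tcpRoot"
}

# Assumption: the "Listen All" switch is stored as ListenOnAllIPs on the Tcp key.
# While it is 1, the per-IP keys are ignored and IPAll decides the port.
$listenAll = (Get-ItemProperty -Path $tcpRoot).ListenOnAllIPs
if ($listenAll -ne 0) {
    Write-Warning "ListenOnAllIPs is '$listenAll': the instance still listens on every address."
}

$report = foreach ($key in Get-ChildItem -Path $tcpRoot) {
    $name   = $key.PSChildName
    $values = Get-ItemProperty -Path $key.PSPath
    $issues = @()

    if ($name -ne 'IPAll') {
        # Every IPx key that was left in place should be the cluster address
        # on the fixed port, with dynamic ports switched off.
        if ($values.IpAddress -ne $ExpectedIP) {
            $issues += "address is not $ExpectedIP"
        }
        if ("$($values.TcpPort)" -ne $ExpectedPort) {
            $issues += "TcpPort is not $ExpectedPort"
        }
        # An empty TcpDynamicPorts means a static port; any value, including 0,
        # means the instance picks a port from the dynamic range.
        if ("$($values.TcpDynamicPorts)" -ne '') {
            $issues += 'TcpDynamicPorts is still set'
        }
    }

    New-Object PSObject -Property @{
        Key             = $name
        IpAddress       = $values.IpAddress
        TcpPort         = $values.TcpPort
        TcpDynamicPorts = $values.TcpDynamicPorts
        Issues          = ($issues -join '; ')
    }
}

$report |
    Sort-Object Key |
    Select-Object Key, IpAddress, TcpPort, TcpDynamicPorts, Issues |
    Format-Table -AutoSize

# Summarise so the result is obvious when the script is run on several nodes.
$bad = @($report | Where-Object { $_.Issues })
if ($bad.Count -eq 0 -and $listenAll -eq 0) {
    Write-Output "OK: only $ExpectedIP on TCP $ExpectedPort is configured for $InstanceKey."
}
else {
    Write-Warning "$($bad.Count) key(s) need attention on $env:COMPUTERNAME."
}
```

If the values differ between nodes after a failover, the checkpoint was probably re-added before the registry edit was complete on the owning node.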
<br />Marchttp://www.blogger.com/profile/09731120314870792316noreply@blogger.com23tag:blogger.com,1999:blog-4984212032010194887.post-5680773105927912822012-01-26T20:58:00.001+00:002012-01-26T21:00:11.896+00:00Are SAN’s “old hat”? Bring on the DAS<span style="font-family: Verdana, sans-serif;">
</span><br />
<div class="MsoNormal" style="margin: 0cm 0cm 10pt;">
<span style="font-family: Verdana, sans-serif;">Here goes my first “opinion” post, as opposed to one detailing a
useful command or script.</span></div>
<span style="font-family: Verdana, sans-serif;">
</span><br />
<div class="MsoNormal" style="margin: 0cm 0cm 10pt;">
<span style="font-family: Verdana, sans-serif;">I’m in the middle of a greenfield infrastructure redesign at
the moment; a topic that has been playing on my mind is SAN vs. DAS. When I say
SAN, I’m talking about a storage area network. That’s several trays of disk
attached to a SAN head unit, which is then connected to a pair of fibre
switches, or to a 10gig switch via Ethernet. Servers are then connected to the
switches (via Fibre or Ethernet). When I say DAS, I’m talking about Direct
Attached Storage. That’s several trays of disk attached to a DAS head unit,
which is then connected to a number of servers via SAS cables, or indeed just a
dumb tray or trays of disk connected directly to the server.<o:p></o:p></span></div>
<span style="font-family: Verdana, sans-serif;">
</span><br />
<div class="MsoNormal" style="margin: 0cm 0cm 10pt;">
<span style="font-family: Verdana, sans-serif;">So, what are SANs traditionally used for? In a basic sense
they present a large (or small) amount of scalable storage to a number of
servers. Why do these servers need this
storage? Either because the server hosting the application needs more disk
space or spindles than you can fit into the server chassis, or if you are
utilising clustering and need shared storage between two servers.</span></div>
<span style="font-family: Verdana, sans-serif;">
</span><br />
<div class="MsoNormal" style="margin: 0cm 0cm 10pt;">
<span style="font-family: Verdana, sans-serif;">Clustering is what I think changes things. It has always
struck me that you build clusters with multiple nodes, NICs, power supplies etc.
to offer high availability and yet the data is still in one place. Therefore the SAN is effectively a single point of failure.</span></div>
<span style="font-family: Verdana, sans-serif;">
</span><br />
<div class="MsoNormal" style="margin: 0cm 0cm 10pt; text-align: center;">
<a href="http://1.bp.blogspot.com/-o8dI8Cr9k3A/TyG91--PmzI/AAAAAAAAACM/rP4t0hwGMEs/s1600/Cluster.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Verdana, sans-serif;"><img border="0" height="240" src="http://1.bp.blogspot.com/-o8dI8Cr9k3A/TyG91--PmzI/AAAAAAAAACM/rP4t0hwGMEs/s320/Cluster.jpg" width="320" /></span></a></div>
<div align="center" class="MsoNormal" style="margin: 0cm 0cm 10pt; text-align: center;">
<span style="font-family: Verdana, sans-serif;">Traditional Cluster<o:p></o:p></span></div>
<span style="font-family: Verdana, sans-serif;">
</span><br />
<div class="MsoNormal" style="margin: 0cm 0cm 10pt;">
<span style="font-family: Verdana, sans-serif;">Although a SAN itself will have no single point of failure
(dual controllers, multiple paths etc.) the data is still on a single RAID
volume so could potentially be a victim of bitrot or the RAID group having a
hole punched in it. There is also the obvious risk that the physical file could
become corrupt. Software vendors are obviously thinking the same. Exchange 2003/2007 was made highly available
in the traditional cluster sense (multiple nodes with the DB on shared storage).</span></div>
<span style="font-family: Verdana, sans-serif;">
</span><br />
<div class="MsoNormal" style="margin: 0cm 0cm 10pt;">
<span style="font-family: Verdana, sans-serif;">In Exchange 2010, however, you have the concept of DAGs. With
DAGs the database itself is replicated to nodes rather than being shared. This means a SAN is not required to provide a
highly available Exchange environment. If
you can find a server with enough capacity you can run two (or three, or four)
Exchange servers in a DAG and have mailbox databases fail over between them.
This is actually more resilient than a traditional Exchange cluster because the
databases are being replicated rather than shared, which means you have
protection against a corrupted database, as well as hardware failure.</span></div>
<span style="font-family: Verdana, sans-serif;">
</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-75inbteD0ZM/TyG-AyjPrGI/AAAAAAAAACU/OykMzYeN-jI/s1600/DAG.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Verdana, sans-serif;"><img border="0" height="100" src="http://3.bp.blogspot.com/-75inbteD0ZM/TyG-AyjPrGI/AAAAAAAAACU/OykMzYeN-jI/s320/DAG.jpg" width="320" /></span></a></div>
<div align="center" class="MsoNormal" style="margin: 0cm 0cm 10pt; text-align: center;">
<span style="font-family: Verdana, sans-serif;">Exchange 2010 DAG.<o:p></o:p></span></div>
<span style="font-family: Verdana, sans-serif;">
</span><br />
<span style="font-family: Verdana, sans-serif;">
</span><br />
<div class="MsoNormal" style="margin: 0cm 0cm 10pt;">
<span style="font-family: Verdana, sans-serif;">The upcoming SQL 2012 “always on” feature works in a very
similar way to DAGs. The selected databases are replicated between cluster
nodes. This means you can now have two
core business systems (Exchange and SQL) made highly available without needing
any kind of shared storage.</span></div>
<span style="font-family: Verdana, sans-serif;">
</span><br />
<div class="MsoNormal" style="margin: 0cm 0cm 10pt;">
<span style="font-family: Verdana, sans-serif;">Failover clustering in itself is also moving forward with
“shared storage-less clusters”. You can create a cluster and use a file share
as a witness, which means that’s another requirement for shared storage out of
the window!<o:p></o:p></span></div>
<span style="font-family: Verdana, sans-serif;">
</span><br />
<div class="MsoNormal" style="margin: 0cm 0cm 10pt;">
<span style="font-family: Verdana, sans-serif;">If you have services you would like to make highly available
and they don’t require a common area to write to, you can easily make them
highly available in failover clustering by using a file share witness. If a
service does require a common area to read or write data to, then you could
always create the directory locally on each server and use DFS replication to
keep them in sync.<o:p></o:p></span></div>
<span style="font-family: Verdana, sans-serif;">
</span><br />
<div class="MsoNormal" style="margin: 0cm 0cm 10pt;">
<span style="font-family: Verdana, sans-serif;">This brings me on nicely to DAS. With applications moving to
a model where shared storage isn’t required, the only real reason you would
need a SAN is to present more storage or spindles to a server. Because there isn’t the need for multiple
servers to all access a common bit of storage, DAS comes into play. You can buy
a dumb tray of 12 disks that can have additional trays daisy chained off of it
to provide around 120ish disks for about £7k per tray (the Dell PowerVault MD1200, for example); these can be dual
connected to a single host. Or if you want to connect more hosts to the DAS
solution, you can get an “intelligent” DAS head unit that can then have
multiple “dumb” trays connected to it to provide 192ish disks. These can
usually support four dual connected hosts and can be picked up for about £12k
(the Dell PowerVault MD3200, for example).</span></div>
<span style="font-family: Verdana, sans-serif;">
</span><br />
<div class="MsoNormal" style="margin: 0cm 0cm 10pt;">
<span style="font-family: Verdana, sans-serif;">There are still applications that require shared storage,
such as Hyper-V or VMware for example. In this scenario the MD3200 (intelligent)
with a few MD1200’s (Dumb) connected to it would be ideal. You can have four
nodes in the cluster sharing the storage.<o:p></o:p></span></div>
<span style="font-family: Verdana, sans-serif;">
</span><br />
<div class="MsoNormal" style="margin: 0cm 0cm 10pt;">
<span style="font-family: Verdana, sans-serif;">The initial reaction I get to this suggestion is that of
shock, as it’s not very scalable like a SAN. I understand the argument, but on
the flip side, do you really want 10 – 20 hosts sharing the backplane of your
SAN (6 – 12gig)? With the DAS solution those four hosts are sharing the dual
6gig backplane. If you need more servers
then you’ll probably need more storage, so buy another head unit instead of a
dumb tray. This method leaves you with two clusters of four nodes, each with
their own 12gig backplane (2x 6gig), as opposed to potentially eight nodes sharing
the SAN’s backplane.</span></div>
<span style="font-family: Verdana, sans-serif;">
</span><br />
<div class="MsoNormal" style="margin: 0cm 0cm 10pt;">
<span style="font-family: Verdana, sans-serif;">I’m a big fan of DAS over a SAN for several reasons:<o:p></o:p></span></div>
<span style="font-family: Verdana, sans-serif;">
</span><br />
<div class="MsoListParagraphCxSpFirst" style="margin: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1; text-indent: -18pt;">
<span style="font-family: Verdana, sans-serif;"><span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"><span style="mso-list: Ignore;">·<span style="font-family: "Times New Roman"; font-size-adjust: none; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal;">
</span></span></span>The physical trays are cheaper than trays for a
SAN<o:p></o:p></span></div>
<span style="font-family: Verdana, sans-serif;">
</span><br />
<div class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1; text-indent: -18pt;">
<span style="font-family: Verdana, sans-serif;"><span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"><span style="mso-list: Ignore;">·<span style="font-family: "Times New Roman"; font-size-adjust: none; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal;">
</span></span></span>There is no requirement for fibre switches which
are eye wateringly expensive, not only for the tin but also the port licencing<o:p></o:p></span></div>
<span style="font-family: Verdana, sans-serif;">
</span><br />
<div class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1; text-indent: -18pt;">
<span style="font-family: Verdana, sans-serif;"><span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"><span style="mso-list: Ignore;">·<span style="font-family: "Times New Roman"; font-size-adjust: none; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal;">
</span></span></span>DAS is really simple as the cable goes from the
head unit to the server. Simple is fast and also easy to support and fix when
it goes wrong.<o:p></o:p></span></div>
<span style="font-family: Verdana, sans-serif;">
</span><br />
<div class="MsoListParagraphCxSpLast" style="margin: 0cm 0cm 10pt 36pt; mso-list: l0 level1 lfo1; text-indent: -18pt;">
<span style="font-family: Verdana, sans-serif;"><span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"><span style="mso-list: Ignore;">·<span style="font-family: "Times New Roman"; font-size-adjust: none; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal;">
</span></span></span>DAS removes a single point of failure. It’s
affordable to build two SQL clusters attached to 2 DAS arrays. Unless you’re a
fortune 500 company you wouldn’t be able to do this with a SAN.<o:p></o:p></span></div>
<span style="font-family: Verdana, sans-serif;">
</span><br />
<div class="MsoNormal" style="margin: 0cm 0cm 10pt;">
<span style="font-family: Verdana, sans-serif;">I can also see the downsides of DAS vs. SAN:</span></div>
<span style="font-family: Verdana, sans-serif;">
</span><br />
<div class="MsoListParagraphCxSpFirst" style="margin: 0cm 0cm 0pt 36pt; mso-list: l1 level1 lfo2; text-indent: -18pt;">
<span style="font-family: Verdana, sans-serif;"><span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"><span style="mso-list: Ignore;">·<span style="font-family: "Times New Roman"; font-size-adjust: none; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal;">
</span></span></span>Physical limit of SAS cables mean your servers
need to be near the DAS head unit.<o:p></o:p></span></div>
<span style="font-family: Verdana, sans-serif;">
</span><br />
<div class="MsoListParagraphCxSpMiddle" style="margin: 0cm 0cm 0pt 36pt; mso-list: l1 level1 lfo2; text-indent: -18pt;">
<span style="font-family: Verdana, sans-serif;"><span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"><span style="mso-list: Ignore;">·<span style="font-family: "Times New Roman"; font-size-adjust: none; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal;">
</span></span></span>The administrative overhead of many storage arrays
vs one SAN.<o:p></o:p></span></div>
<span style="font-family: Verdana, sans-serif;">
</span><br />
<div class="MsoListParagraphCxSpLast" style="margin: 0cm 0cm 10pt 36pt; mso-list: l1 level1 lfo2; text-indent: -18pt;">
<span style="font-family: Verdana, sans-serif;"><span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"><span style="mso-list: Ignore;">·<span style="font-family: "Times New Roman"; font-size-adjust: none; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal;">
</span></span></span>DAS lacks some of the mirroring features that
SAN’s do.<o:p></o:p></span></div>
<span style="font-family: Verdana, sans-serif;">
</span><br />
<div class="MsoNormal" style="margin: 0cm 0cm 10pt;">
<span style="font-family: Verdana, sans-serif;">Based on the above though, I think the cost savings by going
DAS, in both financial terms and for simplicity, outweigh the disadvantages.</span></div>
<span style="font-family: Verdana, sans-serif;">
</span><br />
<div class="MsoNormal" style="margin: 0cm 0cm 10pt;">
<span style="font-family: Verdana, sans-serif;">I’m open to constructive feedback on this; I still have an
open mind on the subject. However at the moment I think SAN’s are a thing of
the past in 90% of situations.</span></div>Marchttp://www.blogger.com/profile/09731120314870792316noreply@blogger.com1tag:blogger.com,1999:blog-4984212032010194887.post-63400797524969742382011-10-27T10:12:00.000+01:002011-10-27T10:12:39.168+01:00Getting service tag / bios info using powershell<span style="font-family: Verdana, sans-serif;">Following on from my post “<a href="http://blog.marcturner.co.uk/2011/09/script-to-get-service-tag-from-dell.html">script to get service tag from dell device</a>” I felt a bit “dirty” that I was using VB opposed to my new favourite thing in the world, powershell!</span><br />
<span style="font-family: Verdana, sans-serif;"><br />
You can use a cmdlet “get-wmiobject” to pull all sorts of info from WMI, including the bios.<br />
<br />
Therefore, this very simple one liner will return not only the service tag (or serial number for non-Dell devices), but the BIOS version and a raft of other information.<br />
Here is the command<br />
<br />
<div class="code">Get-wmiobject win32_bios | fl *<br />
</div><br />
<br />
The result will look something like this<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-1CuBR5FkMKQ/Tqkf9Xmj_-I/AAAAAAAAACE/nTFw6ykdhnE/s1600/WMIBios.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="http://2.bp.blogspot.com/-1CuBR5FkMKQ/Tqkf9Xmj_-I/AAAAAAAAACE/nTFw6ykdhnE/s400/WMIBios.jpg" width="400" /></a></div><br />
<br />
If you have WinRM remoting configured, you can run this on a remote device by starting an interactive session, and then running the command<br />
<br />
<div class="code">PS> enter-pssession servername<br />
[servername]: PS> Get-WmiObject win32_bios | fl *<br />
</div><br />
If you don’t have WinRM remoting enabled, run this command on the host to enable it.<br />
<br />
<div class="code">PS > winrm quickconfig<br />
WinRM already is set up to receive requests on this machine.<br />
WinRM is not set up to allow remote access to this machine for management.<br />
The following changes must be made:<br />
<br />
Create a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine.<br />
Enable the WinRM firewall exception.<br />
<br />
Make these changes [y/n]? y<br />
<br />
WinRM has been updated for remote management.<br />
<br />
Created a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine.<br />
WinRM firewall exception enabled.<br />
</div><br />
<br />
<br />
</span>Marchttp://www.blogger.com/profile/09731120314870792316noreply@blogger.com0tag:blogger.com,1999:blog-4984212032010194887.post-26207249942359711522011-09-28T13:23:00.003+01:002011-09-28T13:25:26.484+01:00Script to get service tag from Dell device<span style="font-family: Verdana, sans-serif;">I needed to get the service tag off my Dell laptop today, but I was in the middle of doing a million things, so didn’t fancy undocking it to look underneath.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">So I put this quick vb script together to get the service tag.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">If you’re not running any kind of NMS like SCCM, SCOM or SCE (which would gather the service tags </span><span style="font-family: Verdana, sans-serif;">for you) this may be useful to use if you need the tag from a remote host.</span><br />
<span style="font-family: Verdana, sans-serif;">Enjoy!</span><br />
<br />
<div class="code">strComputer = "."<br />
Set objWMIService = GetObject("winmgmts:" _<br />
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")<br />
Set colSMBIOS = objWMIService.ExecQuery _<br />
("Select * from Win32_SystemEnclosure")<br />
For Each objSMBIOS in colSMBIOS<br />
Wscript.Echo "Dell Service Tag: " & objSMBIOS.SerialNumber<br />
Next</div>Marchttp://www.blogger.com/profile/09731120314870792316noreply@blogger.com3tag:blogger.com,1999:blog-4984212032010194887.post-82104150450189112422011-09-25T21:37:00.000+01:002011-09-25T21:37:58.072+01:00Configuring default FTP logon domain<span style="font-family: Verdana, sans-serif;">If you’re still stuck in the dark insecure age of the internet and using FTP, you may want users to login to your FTP site using their domain credentials.</span><br />
<span style="font-family: Verdana, sans-serif;"><br />
By default, the FTP service will use the local user database on the server itself (unless you enter your username in the domain\username format). You can, however, configure IIS to use a domain by default.<br />
<br />
Take caution in doing this, though. If you’ve ever put an FTP server on the internet, take a look at the event logs: it will have a ton of brute force attacks on it within minutes. <br />
By default FTP will be trying to authenticate locally, which is a much smaller attack surface (fewer users). As soon as you point it at your domain, it’s going to have a much larger attack surface (more users).<br />
<br />
You need to make sure you don’t have any accounts such as “test”, or users like “mary” with passwords of “password” or any dictionary word at all. You should also tie the FTP site down to the specific users that need access, so if an account does get compromised it can’t be used to put data in the FTP directory.<br />
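The brute-force noise described above can be measured from the FTP service's own log before and after pointing it at the domain. The function below is an added example, not part of the original post: it counts failed logons (a 530 reply to PASS) per source address and lists the usernames that were tried. The log lines are constructed, and the `[session]VERB` form of cs-method is assumed from the IIS 6 FTP W3C log format; the field order is read from the #Fields header.

```powershell
# Added example, not the author's script.
function Get-FtpFailedLogon {
    param(
        [string[]]$Lines,
        [int]$Threshold = 3   # failed logons from one address before it is reported
    )

    $fields  = @()
    $pending = @{}   # "ip|session" -> username sent with the last USER command
    $failed  = @{}   # ip -> usernames that received a 530 reply

    foreach ($line in $Lines) {
        # The header names the columns, so the parser follows whatever is logged.
        if ($line -match '^#Fields:\s*(.+)$') {
            $fields = @($Matches[1].Trim() -split '\s+')
            continue
        }
        if ($line -match '^#' -or $line.Trim() -eq '' -or $fields.Count -eq 0) { continue }

        $values = @($line.Trim() -split '\s+')
        if ($values.Count -ne $fields.Count) { continue }   # malformed or truncated line

        $rec = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $values[$i] }

        # Assumed layout: cs-method is "[session]VERB", for example "[12]PASS".
        if ($rec['cs-method'] -notmatch '^\[(\d+)\](\w+)$') { continue }
        $session = $Matches[1]
        $verb    = $Matches[2].ToUpper()
        $ip      = $rec['c-ip']
        $key     = "$ip|$session"

        if ($verb -eq 'USER') {
            # The username is only on the USER line; remember it for the PASS reply.
            $pending[$key] = $rec['cs-uri-stem']
        }
        elseif ($verb -eq 'PASS' -and $rec['sc-status'] -eq '530') {
            $user = '(unknown)'
            if ($pending.ContainsKey($key)) { $user = $pending[$key] }
            if (-not $failed.ContainsKey($ip)) { $failed[$ip] = @() }
            $failed[$ip] += $user
        }
    }

    foreach ($ip in $failed.Keys) {
        $users = $failed[$ip]
        if ($users.Count -ge $Threshold) {
            New-Object PSObject -Property @{
                SourceIP     = $ip
                FailedLogons = $users.Count
                Usernames    = (($users | Sort-Object -Unique) -join ', ')
            } | Select-Object SourceIP, FailedLogons, Usernames
        }
    }
}

# Constructed sample log lines (documentation address ranges, made-up accounts).
$sampleLog = @'
#Software: Microsoft Internet Information Services 6.0
#Fields: time c-ip cs-method cs-uri-stem sc-status
09:14:01 203.0.113.7 [1]USER test 331
09:14:01 203.0.113.7 [1]PASS - 530
09:14:02 203.0.113.7 [2]USER mary 331
09:14:02 203.0.113.7 [2]PASS - 530
09:14:03 203.0.113.7 [3]USER administrator 331
09:14:03 203.0.113.7 [3]PASS - 530
09:20:11 198.51.100.20 [4]USER YOURDOMAIN\jsmith 331
09:20:12 198.51.100.20 [4]PASS - 230
'@ -split "`r?`n"

# Reports 203.0.113.7 with three failures; the successful logon is ignored.
Get-FtpFailedLogon -Lines $sampleLog -Threshold 3 | Format-Table -AutoSize
```

Usernames that appear here and also exist in the domain are the ones to check first for weak passwords once the default logon domain is set.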
With the above in mind, use an elevated command prompt to run the following on the FTP server</span><br />
<div class="code"><span style="font-family: Verdana, sans-serif;">adsutil set msftpsvc/DefaultLogonDomain "YourDomainName"</span><br />
</div><span style="font-family: Verdana, sans-serif;">This will set the default logon domain for all FTP sites.</span>Marchttp://www.blogger.com/profile/09731120314870792316noreply@blogger.com0tag:blogger.com,1999:blog-4984212032010194887.post-22710868441467146722011-09-21T12:21:00.000+01:002011-09-21T12:21:11.091+01:00Keeping up to date with technology (Specifically Microsoft)<span style="font-family: Verdana, sans-serif;">There is plenty going on with Microsoft Technology at the moment, Windows 8, Windows Server 8, cloud, Configuration Manager 2012, the list goes on.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Keeping up to date with these while still doing a day job is a struggle.<br />
I use the RSS feed functionality in Outlook and I have feeds from a select few blogs, so when something interesting comes along, it’s dropped into my Outlook.</span><br />
<span style="font-family: Verdana, sans-serif;">Below is a list of feeds that I use:</span><br />
<span style="font-family: Verdana, sans-serif;"><br />
Ctrl P - The Data Protection Manager Blog! - </span><br />
<a href="http://blogs.technet.com/b/dpm/rss.aspx"><span style="font-family: Verdana, sans-serif;">http://blogs.technet.com/b/dpm/rss.aspx</span></a><br />
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">Windows Server Division WebLog - </span><a href="http://blogs.technet.com/b/windowsserver/rss.aspx"><span style="font-family: Verdana, sans-serif;">http://blogs.technet.com/b/windowsserver/rss.aspx</span></a><br />
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">Windows Virtualization Team Blog - </span><a href="http://blogs.technet.com/b/virtualization/rss.aspx"><span style="font-family: Verdana, sans-serif;">http://blogs.technet.com/b/virtualization/rss.aspx</span></a><br />
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">Forefront Team Blog - </span><a href="http://blogs.technet.com/b/forefront/rss.aspx"><span style="font-family: Verdana, sans-serif;">http://blogs.technet.com/b/forefront/rss.aspx</span></a><br />
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">System Center Configuration Manager Team Blog - </span><br />
<a href="http://blogs.technet.com/b/configmgrteam/rss.aspx"><span style="font-family: Verdana, sans-serif;">http://blogs.technet.com/b/configmgrteam/rss.aspx</span></a><br />
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">Microsoft Forefront Unified Access Gateway Product Team Blog - </span><br />
<a href="http://blogs.technet.com/b/edgeaccessblog/rss.aspx"><span style="font-family: Verdana, sans-serif;">http://blogs.technet.com/b/edgeaccessblog/rss.aspx</span></a><br />
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">Microsoft Server and Cloud Platform Blog - </span><a href="http://blogs.technet.com/b/server-cloud/rss.aspx"><span style="font-family: Verdana, sans-serif;">http://blogs.technet.com/b/server-cloud/rss.aspx</span></a><br />
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">TechNet Blogs - </span><a href="http://blogs.technet.com/b/MainFeed.aspx?Type=BlogsOnly"><span style="font-family: Verdana, sans-serif;">http://blogs.technet.com/b/MainFeed.aspx?Type=BlogsOnly</span></a><br />
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">The Configuration Manager Support Team Blog - </span><br />
<a href="http://blogs.technet.com/b/configurationmgr/rss.aspx"><span style="font-family: Verdana, sans-serif;">http://blogs.technet.com/b/configurationmgr/rss.aspx</span></a><br />
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">The Microsoft Application Virtualization Blog - </span><a href="http://blogs.technet.com/b/appv/rss.aspx"><span style="font-family: Verdana, sans-serif;">http://blogs.technet.com/b/appv/rss.aspx</span></a><br />
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">The WSUS Support Team Blog - </span><a href="http://blogs.technet.com/b/sus/rss.aspx"><span style="font-family: Verdana, sans-serif;">http://blogs.technet.com/b/sus/rss.aspx</span></a><br />
<span style="font-family: Verdana, sans-serif;"></span><br />
<span style="font-family: Verdana, sans-serif;">Enterprise Strategy UK - </span><a href="http://blogs.technet.com/b/enterprise_strategy_uk/rss.aspx"><span style="font-family: Verdana, sans-serif;">http://blogs.technet.com/b/enterprise_strategy_uk/rss.aspx</span></a>Marchttp://www.blogger.com/profile/09731120314870792316noreply@blogger.com0tag:blogger.com,1999:blog-4984212032010194887.post-25844207585918932622011-08-19T10:33:00.001+01:002011-08-19T10:34:36.868+01:00Viewing queues on all hub transport servers in one handy PowerShell command<span style="font-family: Verdana, sans-serif;">I can’t take any credit for this. A colleague and I came up with the idea that we needed a way of viewing the queues on all of our hub transport servers in one place, as opposed to having to connect to each one individually; it just so happened that he came up with the goods quicker than I did!</span><br />
<span style="font-family: Verdana, sans-serif;"><br />
So what is the problem? Using the queue viewer in EMC, it will only display the queues on the server you have selected, the same goes for the PowerShell command get-queue; you have to specify a hub transport server.<br />
<br />
The solution: pipe the results of a Get-ExchangeServer cmdlet, filtered to return only hub transport servers, into the Get-Queue command.<br />
Here it is – enjoy!<br />
<br />
<div class="code">Get-ExchangeServer | Where-Object { $_.IsHubTransportServer -eq $true } | Get-Queue | Sort-Object MessageCount -Descending<br />
</div><br />
Thanks Jon!</span>Marchttp://www.blogger.com/profile/09731120314870792316noreply@blogger.com6tag:blogger.com,1999:blog-4984212032010194887.post-40766826570986869512011-08-01T14:54:00.002+01:002011-08-01T14:58:11.640+01:00Creating a dynamic distribution group based on any Active Directory attribute in exchange 2010<span style="font-family: Verdana, sans-serif;">A Common requirement I’m sure for most businesses is to be able to send a mail to all users who are located in a specific building.</span><br />
<span style="font-family: Verdana, sans-serif;"><br />
A dynamic distribution group based on the office attribute is surely the answer – well yes it is, but not using the Exchange Management Console.<br />
<br />
I have the office attribute set for each user within Active Directory.<br />
<br />
</span><br />
<span style="font-family: Verdana, sans-serif;"><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-hYuHDeoTeoc/Tjavi15j07I/AAAAAAAAABQ/fWanlD1X3eU/s1600/AdAttrib.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="http://3.bp.blogspot.com/-hYuHDeoTeoc/Tjavi15j07I/AAAAAAAAABQ/fWanlD1X3eU/s320/AdAttrib.png" width="240" /></a></div><br />
<br />
However, if you use the Exchange Management Console to build your query, its options are limited and do not include the office attribute.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-4pPegJEaYSA/Tjavm4DmU6I/AAAAAAAAABU/L_v1OC3CSVo/s1600/dynwizard.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="275" src="http://2.bp.blogspot.com/-4pPegJEaYSA/Tjavm4DmU6I/AAAAAAAAABU/L_v1OC3CSVo/s320/dynwizard.jpg" width="320" /></a></div><br />
<br />
Although this isn’t possible using the EMC, it can be done in PowerShell.<br />
<br />
The new-dynamicdistributiongroup cmdlet doesn’t natively support anything other than the attributes you see listed in the EMC, however you can use a recipientfilter to specify any attribute you like. <br />
<br />
The command below will create a dynamic distribution group called “Users in Example Office Name” which will contain any user with the office location set to “Example Office Name”.<br />
<br />
<div class="code">New-DynamicDistributionGroup -Name "Users in Example Office Name" -OrganizationalUnit "domain.net\users" -RecipientFilter { ((RecipientType -eq 'UserMailbox') -and (Office -eq 'Example Office Name')) }<br />
<br />
</div>This command can be extended further using the -and operator. The command below would create the same dynamic distribution group, only the members would be those who are in the “Example Office Name” building AND whose manager is James Bond.<br />
</span><br />
<br />
<div class="code"><br />
New-DynamicDistributionGroup -Name "Users in Example Office Name" -OrganizationalUnit "domain.net\users" -RecipientFilter { ((RecipientType -eq 'UserMailbox') -and (Manager -eq 'James Bond') -and (Office -eq 'Example Office Name')) }<br />
<br />
</div>Marchttp://www.blogger.com/profile/09731120314870792316noreply@blogger.com2tag:blogger.com,1999:blog-4984212032010194887.post-53563556420172269182011-06-01T12:02:00.006+01:002011-06-01T21:28:17.039+01:00A quick way to set calendar permissions using Powershell<span style="font-family: Verdana, sans-serif;">A Common request from users is to grant others access to their calendars.</span><br />
<span style="font-family: Verdana, sans-serif;">You can either talk the user through this, or setup a new outlook profile to open their mailbox and set it yourself using the GUI – both are time consuming.<br />
This simple powershell command allows you to set permissions with ease:</span><br />
<br />
<div class="code">add-mailboxfolderpermission -identity USERNAME:\calendar -user "Username of person who needs access" -accessrights reviewer<br />
</div><br />
<span style="font-family: "Courier New", Courier, monospace;"></span><br />
<br />
<span style="font-family: Verdana, sans-serif;">The Identity switch needs to be the username of the mailbox which you are giving access TO; the User switch is the user who is being given access.<br />
The AccessRights switch is the level of access you wish to grant the user; the link below lists some additional options you can use:</span><br />
<br />
<a href="http://technet.microsoft.com/en-us/library/dd298062.aspx"><span style="font-family: Verdana, sans-serif;">http://technet.microsoft.com/en-us/library/dd298062.aspx</span></a>Marchttp://www.blogger.com/profile/09731120314870792316noreply@blogger.com5tag:blogger.com,1999:blog-4984212032010194887.post-78923066340509271582011-05-13T20:56:00.009+01:002011-06-01T21:29:49.064+01:00Using a PAC file to set proxy settings<span style="font-family: Verdana, sans-serif;">There are many ways to configure proxy settings, via a GPO, via a build, or an application.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Proxy settings can cause issues for mobile users if they use their device away from the corporate LAN as the proxy server will not be reachable, this will render the internet browser unusable (unless of course Direct Access has been implemented)</span><br />
<span style="font-family: Verdana, sans-serif;"><br />
There are many solutions to this problem, some common ones are:<br />
1. Teach users to enable and disable proxy settings. This is not the most elegant solution, is likely to cause a fair amount of support calls, and also means proxy settings cannot be enforced.</span><br />
<span style="font-family: Verdana, sans-serif;">2. Run a 3rd party app that users can click on and select proxy on or proxy off. I'm not a fan of these types of applications that sit there and use up resources for no real reason.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">3. Run a login script that sets the proxy setting if you are connected to the corporate LAN, and doesn’t if you are not. This is a long-winded way of doing it, and is not 100% effective.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">In my opinion, the most effective and efficient way of configuring proxy settings is to use a proxy auto-config (PAC) file.<br />
A PAC file contains a JavaScript function "FindProxyForURL(url, host)". This function returns a string with one or more access method specifications. These specifications cause the user agent to use a particular proxy server or to connect directly.</span><br />
<span style="font-family: Verdana, sans-serif;"><br />
You configure your browser (works in all popular browsers) to use a script to configure proxy settings, and this setting remains in place permanently. If the PAC file is placed on a web server accessible only within the corporate LAN, then when the user is away from the LAN the config file is not found, so a proxy is not used.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">When the user is within the LAN, the file is found, and proxy settings configured. <br />
Some say that a login script can achieve this too, however the login script requires you to login to take effect.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Take a scenario where a user is in the office, closes the lid on his or her laptop, gets on the train then opens the lid, and connects via 3G.<br />
If proxy settings were configured with a login script, the office proxy settings would still be present unless the user logged off and on again.<br />
With a PAC method in place, the browser looks for the settings each time a page is requested, therefore it would fail to find the config file and connect directly.</span><br />
<span style="font-family: Verdana, sans-serif;">Below is an example PAC file which can be modified to suit your needs. This could be further extended to look at the current IP of the client, and return a different proxy depending on where the client is. E.g. if the client is within an IP range which is associated with the Paris office, the Paris proxy would be returned, or if the client is on a New York IP range, the New York proxy would be returned. </span><br />
<br />
<div class="code"><br />
<span style="font-family: "Courier New", Courier, monospace;">function FindProxyForURL(url, host)<br />
{<br />
<br />
// Direct connections to hosts that should bypass the proxy<br />
if (isPlainHostName(host) ||<br />
(host == "127.0.0.1") ||<br />
(host == "www.a-whole-domain.com") ||<br />
(shExpMatch(host, "*.a-entire-domain.com")) ||<br />
(shExpMatch(host, "10.20.30.*"))) {<br />
return "DIRECT";<br />
} else {<br />
// Everything else goes through the proxy<br />
return "PROXY proxy-server.domain.com:8080";<br />
}<br />
}</span><br />
<br />
</div><br />
<span style="font-family: Verdana;">Within this file, the IP range 10.20.30.0 - 10.20.30.255 would be accessed directly (bypassing the proxy), as well as the domain <a href="http://www.a-whole-domain.com/">www.a-whole-domain.com</a>. Anything under the domain a-entire-domain.com would also bypass the proxy. Everything else will be directed at the proxy server "proxy-server.domain.com" on port 8080.</span><br />
<span style="font-family: Verdana;">Add additional sites to the proxy bypass list by copying an existing line and pasting it below.</span><br />
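<span style="font-family: Verdana;">The per-office extension mentioned above, written out as an added example (not part of the original post). The office client ranges, the two site proxy names and the helper names (chooseProxy, isBypassHost, inNet, ipToInt) are assumptions made for illustration; the default proxy and bypass entries are the ones from the file above. It compares addresses numerically, so a bypass entry such as 10.20.30.* only applies to literal IP addresses and not to a host name that merely starts with those characters.</span><br />

```javascript
// Added example: site-aware PAC logic. Office ranges and the two site proxy
// names are constructed placeholders; the default proxy and bypass hosts are
// the ones used in the PAC file above.
var DEFAULT_PROXY = "PROXY proxy-server.domain.com:8080";

var SITES = [
  { name: "Paris",    net: "10.40.0.0", mask: "255.255.0.0",
    proxy: "PROXY proxy-paris.domain.com:8080" },
  { name: "New York", net: "10.50.0.0", mask: "255.255.0.0",
    proxy: "PROXY proxy-newyork.domain.com:8080" }
];

// Convert a dotted-quad IPv4 string to an unsigned 32-bit number.
// Returns null for anything else (host names, IPv6, out-of-range octets).
function ipToInt(ip) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(String(ip));
  if (!m) { return null; }
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) { return null; }
    n = n * 256 + octet;
  }
  return n;
}

// True only when ip is a literal IPv4 address inside net/mask.
function inNet(ip, net, mask) {
  var a = ipToInt(ip), b = ipToInt(net), k = ipToInt(mask);
  if (a === null || b === null || k === null) { return false; }
  return ((a & k) >>> 0) === ((b & k) >>> 0);
}

function endsWith(s, suffix) {
  return s.length >= suffix.length && s.slice(-suffix.length) === suffix;
}

// Same bypass list as the original file, but the 10.20.30.x entry is a
// numeric range check instead of a glob on the host string.
function isBypassHost(host) {
  host = String(host).toLowerCase();
  if (host.indexOf(".") === -1) { return true; }            // plain host name
  if (host === "127.0.0.1") { return true; }
  if (host === "www.a-whole-domain.com") { return true; }
  if (endsWith(host, ".a-entire-domain.com")) { return true; }
  return inNet(host, "10.20.30.0", "255.255.255.0");
}

// Pick the access method for a client address and destination host.
function chooseProxy(clientIp, host) {
  if (isBypassHost(host)) { return "DIRECT"; }
  for (var i = 0; i < SITES.length; i++) {
    if (inNet(clientIp, SITES[i].net, SITES[i].mask)) {
      // Site proxy first, then the default proxy as a failover.
      return SITES[i].proxy + "; " + DEFAULT_PROXY;
    }
  }
  // Unknown range, loopback or non-IPv4 client address: default proxy.
  return DEFAULT_PROXY;
}

// Entry point called by the browser; myIpAddress() is supplied by the
// PAC environment and is only referenced when the browser calls this.
function FindProxyForURL(url, host) {
  return chooseProxy(myIpAddress(), host);
}
```

<span style="font-family: Verdana;">Clients whose address is not in a listed office range, including those where myIpAddress() reports a loopback or IPv6 address, fall through to the default proxy.</span><br />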
<br />
<br />
<span style="font-family: Verdana, sans-serif;">Although a WPAD file could also offer similar functionality, in my experience a PAC file is much more flexible and will enable changes to take effect instantly.</span><br />
<span style="font-family: Verdana, sans-serif;"></span>Marchttp://www.blogger.com/profile/09731120314870792316noreply@blogger.com14tag:blogger.com,1999:blog-4984212032010194887.post-68873498869203959902011-01-25T22:48:00.007+00:002011-06-01T21:35:27.864+01:00Using Powershell to grant access to all user mailboxes, or a whole exchange database<span style="font-family: Verdana, sans-serif;">You may have a requirement to be able to open any user's mailbox in your Exchange 2010 environment.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">The first thing to consider is how you will control access: will you add individual users, or a security group with users in it?</span><br />
<span style="font-family: Verdana, sans-serif;">A security group is the most efficient and tidiest by far, therefore this post will assume you are using a security group.</span><br />
<br />
<strong><span style="font-family: Verdana, sans-serif; font-size: large;">Method one</span></strong><br />
<br />
<span style="font-family: Verdana;">The first option is to give the security group full access to all user mailboxes</span> <br />
<br />
<span style="font-family: Verdana, sans-serif;"><strong>Advantage</strong></span><br />
<br />
<span style="font-family: Verdana, sans-serif;">The permissions will follow the mailbox around when it is moved between databases</span><br />
<br />
<span style="font-family: Verdana, sans-serif;"><strong>Disadvantage</strong></span><br />
<br />
<span style="font-family: Verdana, sans-serif;">You will have to apply the permission to all new users you create</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">To use this method, use the Exchange Management Shell (also known as Powershell or EMS) to get all the mailboxes in your organisation, and then pipe this into a command that sets the permissions:</span><br />
<span style="font-family: Verdana, sans-serif;"><br />
</span><br />
<br />
<div class="code"><br />
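# Load the Exchange 2010 snap-in (already loaded when run from the Exchange Management Shell)<br />
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction SilentlyContinue<br />
<br />
# Get every mailbox in the organisation<br />
$userAccounts = Get-Mailbox -ResultSize Unlimited<br />
<br />
# Grant the security group full access to each mailbox<br />
ForEach ($user in $userAccounts)<br />
{<br />
Add-MailboxPermission -Identity $user -User "Your Security Group Name" -AccessRights FullAccess<br />
}<br />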
<br />
</div><br />
<strong><span style="font-family: Verdana, sans-serif; font-size: large;">Method two:</span></strong><span style="font-size: large;"></span><br />
<span style="font-size: large;"><span style="font-family: Verdana; font-size: small;">The second option is to apply the permissions to the exchange mailbox database, so all mailboxes within that database will inherit those permissions.</span></span><br />
<span style="font-size: large;"><span style="font-family: Verdana; font-size: small;"></span></span><span style="font-family: Verdana, sans-serif; font-size: small;"><strong>Advantage</strong></span><br />
<br />
<span style="font-family: Verdana, sans-serif;">All new users will automatically inherit the permissions you set on the database</span><br />
<br />
<span style="font-family: Verdana, sans-serif;"><strong>Disadvantage</strong></span><br />
<br />
<span style="font-family: Verdana, sans-serif;">If different permissions are set on different databases, when users are moved between databases they will not be subject to the permissions that were assigned to the original database.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Use EMS to run the following command</span><br />
<br />
<div class="code"><br />
Add-ADPermission -Identity YourDatabasename -User "Your Security Group Name" -AccessRights GenericAll<br />
<br />
</div>Marchttp://www.blogger.com/profile/09731120314870792316noreply@blogger.com0tag:blogger.com,1999:blog-4984212032010194887.post-54871139909795156992010-11-24T20:42:00.001+00:002011-04-05T21:30:17.256+01:00Draining sessions from Remote Desktop Session Hosts / Terminal Servers<div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="font-family: Verdana, sans-serif;">Maintaining terminal servers (or remote desktop session hosts as they are known now) in today’s world when users require access 24/7 is a challenge. Setting up an RDS farm, with a session broker will give you load balancing and fault tolerance. (I will write more about remote desktop server farms and session brokers in another article)</span></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="font-family: Verdana, sans-serif;">However notice I say “Fault Tolerance” this doesn’t mean that you can reboot session hosts without affecting users, it just means that your system will tolerate the failure of a session host. The users who were connected to the rebooted (or failed) session host will lose what they were working on and will have to reconnect.</span></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="font-family: Verdana, sans-serif;">The nature of a session broker is that it will try to distribute sessions evenly across all members of a farm; this is great, apart from when you want to reboot a session host without annoying your users.</span></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="font-family: Verdana, sans-serif;">There is no “live migration” of RDS sessions, once a user is on a host, that’s where they will stay until they log off.<span style="mso-spacerun: yes;"> </span></span></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="font-family: Verdana, sans-serif;">So how do you free up a session host to perform maintenance on it? 
Firstly you will need to plan your work in advance.</span></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="font-family: Verdana, sans-serif;">You can then use the <span style="font-family: "Courier New", Courier, monospace;">“chglogon”</span> command to begin “draining” sessions. There are many ways sessions can be drained, but it basically means the session host will stop accepting new connections. Eventually, once your users have logged off, they will not be able to log on to the draining session host again, so they will establish a new connection on another session host, which means eventually the session host you are draining will have no users logged into it.</span></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="font-family: Verdana, sans-serif;">There are four switches for the chglogon command:</span></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="font-family: Verdana, sans-serif;"><span style="font-family: "Courier New", Courier, monospace;">/query</span> – this will tell you what mode the session host is currently in</span></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="font-family: Verdana, sans-serif;"><span style="font-family: "Courier New", Courier, monospace;">/enable</span> – allows users to establish connections to the session host</span></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="font-family: Verdana, sans-serif;"><span style="font-family: "Courier New", Courier, monospace;">/disable</span> – doesn’t allow any new connections, or reconnections to an existing session.</span></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="font-family: Verdana, sans-serif;"><span style="font-family: "Courier New", Courier, monospace;">/drain</span> – doesn’t allow any new connections, but does allow users to reconnect to an existing session</span></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span 
style="font-family: Verdana, sans-serif;"><span style="font-family: "Courier New", Courier, monospace;">/drainuntilrestart</span> – does the same as /drain, but reverts to /enable after a reboot</span></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="color: red; font-family: Verdana, sans-serif;"><em>NOTE: when using the /disable switch, this will prevent you reconnecting to the server via RDP. You need to ensure you have access to the console via another method other than RDP, or use the RD configuration utility from another RDS server to change the setting.</em></span></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="font-family: Verdana, sans-serif;">These commands could be utilised to help with automated updates. You could configure RDS1 to automatically install updates on a Saturday at 6PM, then create a scheduled task to run on a Friday at 6AM to run the chglogon /drainuntilrestart command.</span></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="font-family: Verdana, sans-serif;">This would hopefully mean by Saturday at 6PM there were no users left on RDS1 and it would be safe to automatically reboot after an update installation.</span></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="font-family: Verdana, sans-serif;">You could then use the same method with RDS2, RDS3 etc, but on different days to ensure 100% uptime of your RDS farm</span></div>Marchttp://www.blogger.com/profile/09731120314870792316noreply@blogger.com1tag:blogger.com,1999:blog-4984212032010194887.post-12951251533338767212010-10-25T14:24:00.004+01:002010-10-25T14:31:49.189+01:00Using dsget and dsrm to delete users who are a member of a group from active directory.<span style="font-family: Verdana, sans-serif;">I use the “DS” set of commands almost daily, they are a very powerful set of tools, which allow the output to be piped between them.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">In this example, we are going to use the dsget command to retrieve a list of users from a security group, then pipe the result into dsrm to delete them.<br />
This can be useful in an educational environment where lots of users leave at once, and hundreds of accounts need removing. Or in the current corporate climate, when an entire department disappears!</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Before jumping in at the deep end, I recommend seeing what results you are going to pipe into a dsrm, so run the dsget command on its own.</span><br />
<br />
<span style="font-family: "Courier New", Courier, monospace;">dsget group "cn=year13,ou=groups,ou=myschool,dc=domain,dc=suffix" -members -expand</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">This will return the members of a group called “Year13” which is in an OU called “Groups”, which is within an OU called “myschool” which is in the domain domain.suffix.</span><br />
<div class="separator" style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none; clear: both; text-align: center;"><span style="font-family: Verdana, sans-serif;"></span></div><span style="font-family: Verdana, sans-serif;"><br />
</span><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/_Nt652Ln7nXk/TMWE1sPH0sI/AAAAAAAAAA8/FTDcs-Eywpw/s1600/dsgetcmd.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Verdana, sans-serif;"><img border="0" height="165" nx="true" src="http://3.bp.blogspot.com/_Nt652Ln7nXk/TMWE1sPH0sI/AAAAAAAAAA8/FTDcs-Eywpw/s400/dsgetcmd.png" width="400" /></span></a></div><span style="font-family: Verdana, sans-serif;"><br />
</span><br />
<span style="font-family: Verdana, sans-serif;">You are telling the dsget command that it is looking at a group by specifying “group” after dsget. The switches at the end are also important.</span><br />
<span style="font-family: Verdana, sans-serif;"><br />
</span><br />
<span style="font-family: Verdana, sans-serif;"><span style="font-family: "Courier New", Courier, monospace;">-members</span> tells dsget to return the members of the group</span><br />
<span style="font-family: Verdana, sans-serif;"><span style="font-family: "Courier New", Courier, monospace;">-expand</span> returns all members of the group, if this isn’t used it is limited to 100</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">If you are happy with the results returned, you can pipe the results into DSRM. Piping is just like typing something into a command yourself, only you’re letting the previous command do the work.</span><br />
<div style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none;"><br />
<span style="font-family: Verdana, sans-serif;">To get the pipe character, hold shift and press your backslash key</span></div><div style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none;"><br />
<span style="font-family: "Courier New", Courier, monospace;">dsget group "cn=year13,ou=groups,ou=myschool,dc=domain,dc=suffix" -members -expand | dsrm -noprompt</span></div><div style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none;"><br />
<span style="font-family: Verdana, sans-serif;">The <span style="font-family: "Courier New", Courier, monospace;">-noprompt</span> switch prevents dsrm from asking you to confirm before deleting each object. If you're deleting a large number of objects this is well worth using (as long as you are confident the results being outputted by dsget are correct)</span></div>Marchttp://www.blogger.com/profile/09731120314870792316noreply@blogger.com0tag:blogger.com,1999:blog-4984212032010194887.post-67076897129567836142010-10-08T11:06:00.000+01:002010-10-08T11:06:40.950+01:00Error code 0xC004C020 when activating windows<span style="font-family: Verdana, sans-serif;">When activating Windows using a MAK key, if you receive the error code 0xC004C020 it means you have run out of activations using that key.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">You can log in to the Microsoft licensing website to check how many activations you have remaining on your MAK keys, and also find the contact information to get additional keys if required.</span><br />
<a href="https://www.microsoft.com/licensing/servicecenter/"><span style="font-family: Verdana, sans-serif;">https://www.microsoft.com/licensing/servicecenter/</span></a><br />
<br />
<span style="font-family: Verdana, sans-serif;">Further information on activation error codes can be found here:</span><br />
<br />
<a href="http://support.microsoft.com/kb/938450"><span style="font-family: Verdana, sans-serif;">http://support.microsoft.com/kb/938450</span></a>Marchttp://www.blogger.com/profile/09731120314870792316noreply@blogger.com6tag:blogger.com,1999:blog-4984212032010194887.post-1077389380920929792010-10-04T21:44:00.001+01:002010-10-04T21:45:58.267+01:00Implementing AppLocker – some important steps before you start!<span style="font-family: Verdana, sans-serif;">AppLocker is a feature within Windows 7 and Server 2008 R2 which uses rules and properties of files to provide access control for applications.<br />
In an environment where you want to prevent the use of certain applications, or even to deny all applications and only allow the applications you name, AppLocker is the solution for you.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Before you get started, there are some prerequisites which aren’t so obvious. Without configuring the prerequisites detailed in this article, although you'll be able to configure AppLocker policies, and a gpresult will show them as being applied, they will not be.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">The first step is to enable AppLocker rule enforcement. To do this, edit the group policy object which you wish to use to apply the AppLocker policies, and navigate to</span><br />
<br />
<span style="font-family: Verdana, sans-serif;"><span style="font-family: "Courier New", Courier, monospace;">Computer Configuration | Policies | Windows Settings | Security Settings | Application Control Policies | AppLocker</span></span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Select “<span style="font-family: "Courier New", Courier, monospace;">Configure rule enforcement</span>”</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/_Nt652Ln7nXk/TKo5KyTmC-I/AAAAAAAAAAk/aT8X1ebSfIs/s1600/RuleEnforcement.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="322" px="true" src="http://1.bp.blogspot.com/_Nt652Ln7nXk/TKo5KyTmC-I/AAAAAAAAAAk/aT8X1ebSfIs/s400/RuleEnforcement.jpg" width="400" /></a></div><br />
<br />
<span style="font-family: Verdana, sans-serif;">Select all three configured boxes (ensuring that enforce rules is selected from the drop down boxes) and click ok. This now means any policies you put in place will be applied for executable applications, windows installers and scripts.</span><br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/_Nt652Ln7nXk/TKo6ipaJhaI/AAAAAAAAAAs/fzwF5Q7j-Mc/s1600/AppLockerProperties.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" px="true" src="http://3.bp.blogspot.com/_Nt652Ln7nXk/TKo6ipaJhaI/AAAAAAAAAAs/fzwF5Q7j-Mc/s400/AppLockerProperties.jpg" width="268" /></a></div><br />
<br />
<span style="font-family: Verdana, sans-serif;">The next stage is to ensure the <span style="font-family: "Courier New", Courier, monospace;">“application identity service”</span> is running<br />
This can be done manually on all your workstations, as part of a generic build or via group policy preferences. Group policy is by far the most effective way of doing this so it is detailed here.</span> <br />
<br />
<span style="font-family: Verdana, sans-serif;">Edit the group policy object which you want to use to configure the service, this GPO must apply to all computers you wish to have AppLocker policies applied on</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Services can be configured by using Group Policy Preferences, to configure this navigate to:</span><br />
<span style="font-family: Verdana, sans-serif;"><span style="font-family: "Courier New", Courier, monospace;">Computer Configuration | Preferences | Control Panel Settings | Services</span></span><br />
<span style="font-family: Verdana, sans-serif;">Right-click on Services and select </span><span style="font-family: "Courier New", Courier, monospace;">New | Service</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Set the start-up to <span style="font-family: "Courier New", Courier, monospace;">"Automatic"</span>, browse for the service named <span style="font-family: "Courier New", Courier, monospace;">“Application Identity”</span>, ensure the service action is <span style="font-family: "Courier New", Courier, monospace;">“Start Service”</span>, then click OK.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/_Nt652Ln7nXk/TKo8kMtL1YI/AAAAAAAAAAw/2Iou4kyJ7e0/s1600/AppLockerService.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="285" px="true" src="http://4.bp.blogspot.com/_Nt652Ln7nXk/TKo8kMtL1YI/AAAAAAAAAAw/2Iou4kyJ7e0/s400/AppLockerService.jpg" width="400" /></a></div><br />
<br />
<span style="font-family: Verdana, sans-serif;">Because these are all machine policies, the workstations may need to be rebooted twice for them to take effect.</span><br />
Marchttp://www.blogger.com/profile/09731120314870792316noreply@blogger.com2tag:blogger.com,1999:blog-4984212032010194887.post-15965024260162048442010-09-27T15:16:00.000+01:002010-09-27T15:16:03.169+01:00<br />
Essential tools for today’s admins and where to download them<br />
<span style="font-family: Verdana, sans-serif;">These are the tools I use pretty much every day, so I thought I would share them and where to get them from:</span><br />
<span style="font-family: Verdana, sans-serif;">(click on the name to be taken to the download page)</span><br />
<br />
<a href="http://www.microsoft.com/downloads/en/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d"><span style="font-family: Verdana, sans-serif;">Remote Server Administration Tools</span></a><br />
<br />
<span style="font-family: Verdana, sans-serif;">Install these on your Windows 7 client. A new option called "Remote Server Administration Tools" will then exist under "Turn Windows features on or off" in Control Panel. Enable it to get tools such as Active Directory Users and Computers, Hyper-V Manager etc.</span><br />
<br />
<a href="http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html"><span style="font-family: Verdana, sans-serif;">Putty</span></a><br />
<br />
<span style="font-family: Verdana, sans-serif;">A great SSH, Telnet and console client all in one</span><br />
<br />
<br />
<a href="http://www.microsoft.com/downloads/en/details.aspx?FamilyID=4603c621-6de7-4ccb-9f51-d53dc7e48047"><span style="font-family: Verdana, sans-serif;">Remote Desktop Connection Manager</span></a><br />
<br />
<span style="font-family: Verdana, sans-serif;">If you manage a lot of servers via RDP, this tool is a godsend. You can add multiple computers to one console and group them into different roles. You can also right click on an entire group of servers (e.g. Domain Controllers) and log into them all at once. Many clicks are saved!</span><br />
<br />
<a href="http://notepad-plus-plus.org/release/5.8"><span style="font-family: Verdana, sans-serif;">Notepad ++</span></a><br />
<br />
<span style="font-family: Verdana, sans-serif;">Does what it says on the tin. If you edit any kind of code (XML etc.), this is essential.</span><br />
<br />
<a href="http://www.imgburn.com/index.php?act=download"><span style="font-family: Verdana, sans-serif;">ImgBurn</span></a><br />
<br />
<span style="font-family: Verdana, sans-serif;">Although Windows 7 has burning features built in, it still lacks some of the required functionality. This tool has a tiny footprint, some great functionality and some cool sound effects!</span><br />
Marchttp://www.blogger.com/profile/09731120314870792316noreply@blogger.com0tag:blogger.com,1999:blog-4984212032010194887.post-6241571094033571622010-09-23T09:52:00.000+01:002010-09-23T09:52:46.656+01:00<br />
Installing a System Centre Essentials 2010 agent manually<br />
<span style="font-family: Verdana, sans-serif;">You may come across a situation where you need to install the SCE agent manually. Here is how.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Run setupsce.exe and click on install essentials agent</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Specify the FQDN of your SCE server, and the management group name (by default this is SCEServername_mg)</span><br />
<span style="font-family: Verdana, sans-serif;"><br />
You will also need the update services SSL certificate and the code signing certificate. You can find these on the SCE server in:<br />
<br />
<span style="font-family: Verdana, sans-serif;">C:\program files\system center essentials\certificates</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Copy these to the PC you are installing the agent on, and then browse to them in the installer setup window.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Once the agent is successfully installed, it will need to be manually approved in the SCE management console</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Launch the SCE management console and select the administration section, then expand device management | pending management</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Under pending management, you should see a section called “Manual Agent Install”, simply right click on the computer listed and click approve</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Your agent should now check in.</span></span><br />
Marchttp://www.blogger.com/profile/09731120314870792316noreply@blogger.com1tag:blogger.com,1999:blog-4984212032010194887.post-7071853699048642932010-09-22T15:57:00.003+01:002010-09-23T09:53:32.301+01:00<br />
SAN Certificates – a great way to get more for your money<br />
<span style="font-family: Verdana, sans-serif;">When it comes to SSL certificates, you have two choices: go for a standard SSL certificate for a single domain, or get a wildcard cert for *.yourdomain.com.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">I’ve always been a fan of wildcard certificates; I believe in the long run these are cheaper as a single certificate will cater for all of your SSL needs; however wildcard certificates come at a price.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">When using IIS or ISA/TMG you have the ability to host multiple domains on a single IP address or Web listener using host headers, however this only applies to HTTP traffic. When using SSL only one SSL certificate can be applied to an IP address.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">This causes a problem: do you apply lots of different IP addresses to your web server or ISA/TMG server and use a certificate for each domain, or do you buy a wildcard certificate?</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">In the environment I work in, we are able to get certificates for pennies, but this doesn’t cover wildcard certificates. This means it's difficult to justify a wildcard certificate.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">However, there is a way! You can create what is known as a “Subject Alternative Name” (SAN) certificate. This is just like a normal certificate, but it is also valid for any other domain you specify.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">For example, I could request a SAN cert for:</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Webmail.yourdomain.com<br />
Portal.yourdomain.com<br />
Crm.yourdomain.com<br />
Anythingelseyouwant.yourdomain.com</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">To request a SAN cert, open an MMC console and add the Certificates snap-in to it (ensure you select Local Computer).</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Expand Certificates | Personal | Certificates</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Right click on certificates and select All Tasks | Advanced Operations | Create custom request</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Click next on the first two prompts, then select the web server template and click next.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Click the details button to expand the web server certificate template, and then click properties.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Add the normal subject names such as Organisation and country. Then add as many common names (domains) as you like!</span><br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/_Nt652Ln7nXk/TJoY2SWlj9I/AAAAAAAAAAM/1btwgm8HBss/s1600/SANCert.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" px="true" src="http://3.bp.blogspot.com/_Nt652Ln7nXk/TJoY2SWlj9I/AAAAAAAAAAM/1btwgm8HBss/s320/SANCert.jpg" /></a></div><br />
<span style="font-family: Verdana, sans-serif;">Follow the rest of the wizard until completion; you will then have a CSR to upload to your certificate provider. This certificate will be valid for all of the domains you specified. If you think far enough ahead and include some domains you may need in the future, it will save even more money!</span><br />
Marchttp://www.blogger.com/profile/09731120314870792316noreply@blogger.com0tag:blogger.com,1999:blog-4984212032010194887.post-8659875232677530092010-09-22T10:45:00.003+01:002011-06-13T13:41:12.103+01:00<br />
Configuring shibboleth IdP to talk to an Active Directory<br />
<span style="font-family: Verdana, sans-serif;">For those of you implementing a Shibboleth IdP in an Active Directory environment, here is how the login.config and the LDAP configuration within attribute-resolver.xml should look.<br />
When implementing our IdP I found lots of conflicting information on how it should be set up. We run a Windows Server 2008 R2 forest and domain functional level where all domain controllers are also global catalogues. I can confirm these settings work:</span><br />
<br />
<strong><span style="font-size: large;"><span style="font-family: Verdana, sans-serif; font-size: small;">LDAP configuration in attribute-resolver.xml</span></span></strong><br />
<div class="code"><br />
<span style="font-family: "Courier New", Courier, monospace;"> <!-- Example LDAP Connector --></span><br />
<span style="font-family: "Courier New", Courier, monospace;"> <resolver:DataConnector id="myLDAP" xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"<br />
ldapURL="</span><a href="ldap://domain.suffix:3268/"><span style="font-family: "Courier New", Courier, monospace;">ldap://domain.suffix:3268</span></a><span style="font-family: "Courier New", Courier, monospace;">" baseDN="dc=domain,dc=suffix" principal="</span><a href="mailto:idpserviceaccount@domain.suffix"><span style="font-family: "Courier New", Courier, monospace;">idpserviceaccount@domain.suffix</span></a><span style="font-family: "Courier New", Courier, monospace;">"<br />
principalCredential="passwordgoeshere"><br />
<FilterTemplate><br />
<![CDATA[<br />
(samAccountName=$requestContext.principalName)<br />
]]><br />
</FilterTemplate><br />
</resolver:DataConnector></span><br />
</div><span style="font-family: Verdana, sans-serif;"><strong>LDAP authentication configuration in login.config</strong></span><br />
<div class="code"><span style="font-family: "Courier New", Courier, monospace;">// Example LDAP authentication<br />
// See: </span><a href="https://spaces.internet2.edu/display/SHIB2/IdPAuthUserPass"><span style="font-family: "Courier New", Courier, monospace;">https://spaces.internet2.edu/display/SHIB2/IdPAuthUserPass</span></a><br />
<span style="font-family: "Courier New", Courier, monospace;"> edu.vt.middleware.ldap.jaas.LdapLoginModule required<br />
host="domain.suffix"<br />
base="dc=domain,dc=suffix"<br />
port="3268"<br />
userField="sAMAccountName"<br />
subtreeSearch="true"<br />
serviceUser="</span><a href="mailto:serviceaccount@domain.suffix"><span style="font-family: "Courier New", Courier, monospace;">serviceaccount@domain.suffix</span></a><span style="font-family: "Courier New", Courier, monospace;">"<br />
ServiceCredential="passwordgoeshere";</span><br />
<br />
</div>Marchttp://www.blogger.com/profile/09731120314870792316noreply@blogger.com2tag:blogger.com,1999:blog-4984212032010194887.post-91556728022836959432010-09-15T21:48:00.002+01:002011-06-13T13:39:32.259+01:00<br />
Shibboleth IdP – Getting the eduPersonScopedAffiliation attribute from Active Directory using security groups<br />
<div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="font-family: Calibri;">I have implemented a Shibboleth IdP which authenticates users against our Server 2008 R2 forest and domain functional level Active Directory.</span></div>
<div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="font-family: Calibri;">We are a member of the UK Access Management Federation for Education and Research, which requires the following attributes to be available:</span></div>
<div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="font-family: Calibri;">eduPersonScopedAffiliation: user's organisational affiliation</span></div>
<div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="font-family: Calibri;">eduPersonTargetedID: persistent user pseudonym for personalisation</span></div>
<div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="font-family: Calibri;">eduPersonPrincipalName: persistent user id across multiple services</span></div>
<div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="font-family: Calibri;">eduPersonEntitlement: extensible list of URIs for extra properties</span></div>
<div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="font-family: Calibri;">Using the attribute-resolver.xml file, eduPersonPrincipalName is linked to the sAMAccountName attribute in our directory service, and eduPersonEntitlement is linked to an extension attribute in the directory. eduPersonTargetedID is a computed value using the objectGUID attribute in our directory and encrypted using a salt.</span></div>
<div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="font-family: Calibri;">eduPersonScopedAffiliation is an interesting one. Originally we had planned to link it to another extension attribute in the directory, and reconfigure our management tool to add the staff or student value as well as the member value to the attribute. This worked as long as there was only one entry specified in the extension attribute. As soon as we tried any combination of values, staff and member for example, the attribute wasn’t released.</span></div>
<div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="font-family: Calibri;">After extensive research and trying different methods I came up with, I contacted the UK federation service desk. They are really great guys and worked relentlessly to find a solution to our problem. Specifically Sara and Steve (thanks to the both of you!)</span></div>
<div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="font-family: Calibri;">We found a script (link below) which will generate the eduPersonScopedAffiliation based on OU. In most cases this would be ideal (specify the students OU and the staff OU). Unfortunately our directory structure doesn’t separate staff and students by OU (not my design!), therefore this would not work.</span></div>
<div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="font-family: Calibri;">Nevertheless, here is the link:</span></div>
<div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><a href="https://spaces.internet2.edu/display/SHIB2/ResolverScriptAttributeDefinitionExamples#ResolverScriptAttributeDefinitionExamples-ex2"><span style="color: blue; font-family: Calibri;">https://spaces.internet2.edu/display/SHIB2/ResolverScriptAttributeDefinitionExamples#ResolverScriptAttributeDefinitionExamples-ex2</span></a></div>
<div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="font-family: Calibri;">What we do have is a security group for staff and a security group for students. Steve decided he would use the script as a template and modify it to look at groups instead. Steve made a good start and handed over to Sara when he went on vacation.</span></div>
<div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="font-family: Calibri;">We were having problems getting the script to see the group membership. We came across this document, which detailed how someone else had set up the eduPersonScopedAffiliation. Although it wasn’t what we needed, it turned out their syntax was pretty useful and Sara got the script working!</span></div>
<div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="font-family: Calibri;"><a href="http://wiki.rscwmsystems.org.uk/images/1/11/Shibboleth2_IdP_Setup_Win2k.pdf">http://wiki.rscwmsystems.org.uk/images/1/11/Shibboleth2_IdP_Setup_Win2k.pdf</a></span></div>
<div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="font-family: Calibri;">This script looks for group membership that CONTAINS the specified words. Therefore your security groups only need to contain the words you specify.</span></div>
<div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="font-family: Calibri;">The users need to be an explicit member of the group; unfortunately it doesn’t work for nested groups. However, the script is pretty simple to expand by copying and pasting, so if you had two groups you wanted to use, instead of nesting them into one main group, just specify them both in the script.</span></div>
<div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="font-family: Calibri;">The first step is to uncomment the eduPersonAffiliation attribute. This will be used as a source attribute for the eduPersonScopedAffiliation attribute and is where the script magic happens. It should be as follows:<br />
</span></div><div class="code"><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="font-family: "Courier New", Courier, monospace;"> <resolver:AttributeDefinition xsi:type="Script" xmlns="urn:mace:shibboleth:2.0:resolver:ad"<br />
id="eduPersonAffiliation"></span></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="font-family: "Courier New", Courier, monospace;"> <!-- Dependency that provides the source attribute. --><br />
<resolver:Dependency ref="myLDAP" /></span></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="font-family: "Courier New", Courier, monospace;"> <!-- SAML 1 and 2 encoders for the attribute. --><br />
<resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"<br />
name="urn:mace:dir:attribute-def:eduPersonAffiliation" /><br />
<resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"<br />
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"<br />
friendlyName="eduPersonAffiliation" /></span></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="font-family: "Courier New", Courier, monospace;"> <!-- The script, wrapped in a CDATA section so that special XML characters don't need to be removed --><br />
<Script><![CDATA[<br />
importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);</span></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="font-family: "Courier New", Courier, monospace;"> eduPersonAffiliation = new BasicAttribute("eduPersonAffiliation");</span></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="font-family: "Courier New", Courier, monospace;"> // If the user has group membership<br />
if (typeof memberOf != "undefined" && memberOf != null ){</span></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="font-family: "Courier New", Courier, monospace;"> for (i=0; memberOf != null && i < memberOf.getValues().size(); i++) {</span></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="font-family: "Courier New", Courier, monospace;"> value = memberOf.getValues().get(i).toLowerCase();</span></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="font-family: "Courier New", Courier, monospace;"> if (value.contains("teachers")) {<br />
eduPersonAffiliation.getValues().add("staff");<br />
eduPersonAffiliation.getValues().add("member");<br />
}</span></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="font-family: "Courier New", Courier, monospace;"> if (value.contains("students")) {<br />
eduPersonAffiliation.getValues().add("student");<br />
eduPersonAffiliation.getValues().add("member");<br />
}</span></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="font-family: "Courier New", Courier, monospace;"> }<br />
}<br />
]]></Script><br />
</resolver:AttributeDefinition></span></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"></div></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="font-family: Calibri;">You then need to configure eduPersonScopedAffiliation to use eduPersonAffiliation as its source (uncomment it if need be)</span></div><div class="code"><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="font-family: "Courier New", Courier, monospace;"><resolver:AttributeDefinition id="eduPersonScopedAffiliation"<br />
xsi:type="Scoped" xmlns="urn:mace:shibboleth:2.0:resolver:ad"<br />
scope="yourdomain.com" sourceAttributeID="eduPersonAffiliation"></span></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="font-family: "Courier New", Courier, monospace;"> <resolver:Dependency ref="eduPersonAffiliation" /></span></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="font-family: "Courier New", Courier, monospace;"> <resolver:AttributeEncoder xsi:type="SAML1ScopedString" <br />
xmlns="urn:mace:shibboleth:2.0:attribute:encoder"<br />
name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" /></span></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="font-family: "Courier New", Courier, monospace;"> <resolver:AttributeEncoder xsi:type="SAML2ScopedString" <br />
xmlns="urn:mace:shibboleth:2.0:attribute:encoder"<br />
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" <br />
friendlyName="eduPersonScopedAffiliation" /></span></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="font-family: "Courier New", Courier, monospace;"></resolver:AttributeDefinition></span></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"></div></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="font-family: Calibri;">We then used the UK Federation test SP’s session dumper to see what had been released. </span></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><a href="https://sh2testsp1.iay.org.uk/index.html"><span style="font-family: Calibri;">https://sh2testsp1.iay.org.uk/index.html</span></a></div>Marchttp://www.blogger.com/profile/09731120314870792316noreply@blogger.com3
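The group-matching rule from the eduPersonAffiliation script above, as an added example that is not part of the original post or of Shibboleth: it runs the post's "contains" test next to an exact match on the group's own CN, which also removes the duplicate values the loop can add. The function names, the group-to-affiliation map and the sample DNs are assumptions made for illustration; inside the IdP the input would be the values of memberOf.getValues().

```javascript
// Added example: plain JavaScript, no Shibboleth classes. Sample DNs are constructed.

// Same matching rule as the resolver script in the post: substring test on the
// whole lower-cased DN, values appended once per matching group.
function affiliationBySubstring(memberOf) {
  const out = [];
  for (const dn of memberOf || []) {
    const value = dn.toLowerCase();
    if (value.includes("teachers")) out.push("staff", "member");
    if (value.includes("students")) out.push("student", "member");
  }
  return out;
}

// Return the lower-cased CN of the first (leaf) RDN of a DN, or null if the
// leaf RDN is not a CN. Backslash escapes (RFC 4514) are honoured so an escaped
// comma inside a group name does not end the RDN early.
function leafCn(dn) {
  let rdn = "";
  for (let i = 0; i < dn.length; i++) {
    const c = dn[i];
    if (c === "\\" && i + 1 < dn.length) { rdn += c + dn[++i]; continue; }
    if (c === ",") break;
    rdn += c;
  }
  const m = /^\s*cn\s*=(.*)$/i.exec(rdn);
  if (!m) return null;
  // Undo "\," style escapes and "\2C" style hex pairs (ASCII range only).
  const unescaped = m[1].replace(/\\([0-9a-fA-F]{2}|.)/g, (_, e) =>
    e.length === 2 ? String.fromCharCode(parseInt(e, 16)) : e);
  return unescaped.trim().toLowerCase();
}

// Hypothetical allowlist: exact group CN -> affiliation values to release.
const GROUP_TO_AFFILIATION = new Map([
  ["teachers", ["staff", "member"]],
  ["students", ["student", "member"]],
]);

// Exact match on the group's CN only; OU names and longer group names that
// merely contain the word are ignored, and each value is released once.
function affiliationByExactGroup(memberOf) {
  const out = new Set();
  for (const dn of memberOf || []) {
    for (const v of GROUP_TO_AFFILIATION.get(leafCn(dn)) || []) out.add(v);
  }
  return [...out];
}

// Constructed memberOf values for one account.
const SAMPLE_MEMBER_OF = [
  "CN=Teachers,OU=Groups,DC=domain,DC=suffix",
  "CN=Parents of Students,OU=Groups,DC=domain,DC=suffix", // name contains "students"
  "CN=Printers,OU=Teachers Block,DC=domain,DC=suffix",    // OU contains "teachers"
];

console.log("substring:", affiliationBySubstring(SAMPLE_MEMBER_OF));
console.log("exact CN :", affiliationByExactGroup(SAMPLE_MEMBER_OF));
```

With the substring rule the sample account is released as both staff and student with repeated values; with the exact rule it is released as staff and member only.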