
Resolving XenApp 6 Fundamentals installation failures

XenApp 6 seems to be a tricky little customer to install. When following the instructions from the administrator's guide I was receiving random failures, all of which helpfully pointed me to a certain %userprofile% directory to view the details. The log file there always contained nothing but the most generic information, which really is of no help.
Then I discovered something: the administrator's guide "lies". It says that XenApp will look for missing components and install them as needed (except .NET 3.5, which is a pre-req), but it does not.

If your XenApp server is a VM, make liberal use of snapshotting (I did this before installing any roles, just to make sure). So, in order to install "XenApp 6 Fundamentals" you will need to do the following:
1/ Build a clean Server 2008 R2 server and DO NOT INSTALL ANY UPDATES (I included AV in this too, just to make sure).
2/ Add it to AD and create a XenApp service user account.
3/ Add the following roles:
   - .NET 3.5 (Application Server)
   - IIS 7 (Web Server)
   - Remote Desktop Session Host and Licensing Server (RDP)
4/ Then run the XenApp setup program as administrator; you should be able to install it without any issues. If something goes wrong, revert your VM snapshot back to the point before you installed any roles (so you have basically a clean new server without having to reinstall the OS).
After the install has completed and you have set up XenApp as you would like it, create another snapshot and start installing AV and updates, checking XenApp for functionality after each update to make sure nothing bad happens (if it does, just revert to the previous snapshot and don't install that update).
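As an added example (not from the original post), the role installation and the pre-setup check in PowerShell on Server 2008 R2. The ServerManager feature names used here are assumed to match the roles listed above; verify them with Get-WindowsFeature on your own build.

```powershell
# Added example: install the roles the post lists and confirm they are present
# before launching XenApp setup, which will not add them for you.
# Feature names are assumed Server 2008 R2 ServerManager names.
Import-Module ServerManager

$required = @(
    'NET-Framework-Core',   # .NET Framework 3.5.1
    'Web-Server',           # IIS 7 (Web Server role)
    'RDS-RD-Server',        # Remote Desktop Session Host
    'RDS-Licensing'         # Remote Desktop Licensing
)

# Install only what is not already there; the RDS roles need a reboot.
$missing = $required | Where-Object { -not (Get-WindowsFeature $_).Installed }
if ($missing) {
    Add-WindowsFeature $missing -Restart
}

# Re-check after the reboot: do not run XenApp setup until this is empty.
$notInstalled = $required | Where-Object { -not (Get-WindowsFeature $_).Installed }
if ($notInstalled) {
    Write-Warning "Still missing: $($notInstalled -join ', ') - do not run XenApp setup yet."
} else {
    Write-Host "All prerequisites present; run the XenApp 6 setup as administrator."
}
```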

Remotely wiping iPhone Exchange accounts

With the proliferation of the jesusphone and related pad, more and more people want to connect their devices to their work email accounts, and this can be done very simply on the Apple devices. However, it can be a little hard to track the spread of such devices in small companies. There is a handy little Exchange shell command you can use to discover which devices are connected to your Exchange server.

The shell command is "Export-ActiveSyncLog", which creates a series of CSV files, one of which, users.csv, holds the data on connected devices. By default the command looks like this:

Export-ActiveSyncLog -Filename c:\windows\system32\logfiles\w3svc*\exYYMMDD.log -OutputPath "output path req"

The above command assumes that your IIS log files are in the default location; you will need to substitute the w3svc* with whatever is relevant to your setup.

This will create six CSV files, and if you open users.csv it will list the connected ActiveSync devices and what they are.

Now, the one problem I have with iPhones etc. is that there appears to be no way of totally trashing the device remotely like you can with BlackBerrys; however, you can remotely wipe the corporate email account from the device by performing the steps below:

1: Open the Exchange Management Console.

2: Expand the Recipient Configuration node and click on the Mailbox subheading.

3: Single-click the user in question and, in the pane on the right-hand side of the console, select Manage Mobile Devices (this option is not available if the user does not have a device registered).

4: You will have two options in this screen. First select the correct lost device (if there is more than one associated with the user) and check "Perform a remote wipe to clear mobile device data".

5: The information in the same screen will tell you when the wipe was requested (i.e. when you pressed the button) and also when the device received the remote wipe request (Acknowledged).

6: Once the remote wipe has been performed you will need to go through the above again and select "Remove mobile device partnership" when you get to step 4; otherwise the device will be continually wiped when the user goes through setting up the account again, should they find the device down the back of the sofa etc.
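The same procedure from the Exchange Management Shell, as an added example that is not part of the original post. It assumes Exchange 2007 SP1 or 2010; the mailbox address is a placeholder, and the "least recently synced device is the lost one" rule is an assumption you would replace with the device the user reports missing.

```powershell
# Added example: shell equivalent of the console steps above.
$mailbox = 'jane.doe@example.com'   # placeholder mailbox

# Step 3: list the ActiveSync partnerships for the user.
$devices = Get-ActiveSyncDeviceStatistics -Mailbox $mailbox
$devices | Format-Table DeviceType, DeviceID, LastSuccessSync,
    DeviceWipeRequestTime, DeviceWipeAckTime -AutoSize

# Step 4: pick the lost device. Assumed here: the one that synced least recently.
$lost = $devices | Sort-Object LastSuccessSync | Select-Object -First 1

# Request the remote wipe of the Exchange data on that device.
Clear-ActiveSyncDevice -Identity $lost.Identity -Confirm:$false

# Step 5: has the device acknowledged the wipe yet?
$status = Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Where-Object { $_.DeviceID -eq $lost.DeviceID }

if ($status.DeviceWipeAckTime) {
    # Step 6: only once acknowledged, drop the partnership so a re-enrolled
    # device is not wiped again.
    Remove-ActiveSyncDevice -Identity $lost.Identity -Confirm:$false
} else {
    Write-Host "Wipe requested at $($status.DeviceWipeRequestTime); not yet acknowledged."
}
```

Run the acknowledgement check again later if the device has not connected yet; removing the partnership before the acknowledgement cancels the pending wipe.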

£99 VMware lab offer

Hi all,

I thought I'd alert you to a deal doing the rounds at the moment which HP are running: they are offering an HP ProLiant MicroServer at £199 with £100 cashback (making the server £99). The offer can be found here, and the server is supplied with a 160GB hard disk, 1GB RAM, an Athlon 1300 processor and gigabit networking. Now obviously it's not the most highly specced out of the box, but it does come with 4 SATA connections and hardware support for RAID 0,1, which means that this could be a nice little vSphere lab server with little extra work, or you could stick FreeNAS (or your own favourite media server OS) on it and have a nice small media server.

This deal runs until near the end of this year (2010), so hurry and snap one or two up.

The worst button in virtualization

Yep, it's those above. I am of course talking about VMware snapshots, with their dangerously titled buttons.

The idea of snapshots in VMware is to provide you with a complete point of rollback for a virtual machine: not just rollback of files on the VM but the entire system state. For example, if you had a Windows XP VM with Service Pack 2 installed and some custom in-house developed critical application hosted on it, how do you know that installing Service Pack 3 onto the VM won't entirely foobar the custom app? You could of course uninstall Service Pack 3 if you really had to, but that would probably involve more downtime, and there would be no guarantee that either the custom app or the XP installation itself would be working after the removal of the service pack.

This is where VMware snapshotting is an absolute godsend, and I'll explain why. Anyone who has played with any virtualization product even for a short while will know that VMs are actually only files on a server, SAN or NAS themselves. VMware VMs are encased in files with the vmdk extension, and snapshot files have the vmsn file extension.

Now, taking the above as an example, say you rock up to work Monday morning and your XP-based critical application on VirtualCenter is working lovely; your security bod rolls up at your desk and says "hey, you upgraded that XP box to SP3 yet?" and of course you say "nope, if I did that I think it might break". Naturally the security guy doesn't care; he just wants the pie charts that he shows management to be an entirely pretty green colour.

So the unenviable task of installing the service pack begins: users are notified of downtime (remembering to add a couple of hours to the estimate) and SP3 is downloaded and converted to an ISO file. Before you begin you remember to press the create snapshot button. Behind the scenes this does several things: first it locks the vmdk file for the VM so no further changes can be made to it, then it creates the vmsn file, which is a delta file to which all further changes to the VM are written.

So off you go installing SP3, knowing that this could quite easily go either way for your critical app. From your actions, two things might happen:

1: An unholy mess occurs and the critical app is sent spilling into the abyss.

2: Nothing; your critical app is fine and you get to go home on time.

If 1 occurs then you need a way of getting the VM back to the way it was before. Now say, for example, you were a bit green around VMware products and you were presented with the above buttons: the natural assumption is that "delete snapshot" means exactly that, DELETE. However, in VMware delete actually means something ever so slightly but crucially different. Delete means remove the snapshot file, not remove the snapshot data. So the Delete and Delete All buttons should actually read COMMIT.

So, as I've mentioned above, the sysadmin is fairly new to VMware and uses common sense to work out that he wants to revert to the previous state of the VM, so he needs to delete the snapshot, therefore deleting all the changes made to the VM since the snapshot's creation.

Uh-oh!

Not good. What he's actually done is commit the changes to the original vmdk file; panic ensues and the missus's perfectly cooked tea starts going tepid due to the amount of extra hours that have been put in.

What should have happened was this: through the snapshot manager, the point previous to the creation of the snapshot should have been selected, and then they should have clicked the GOTO button to revert to the machine's previous state; then the snapshot can be safely deleted.

If 2 had occurred then the admin could quite happily have deleted the snapshot to commit the changes and gone on his way.

I really do think that VMware should change the titles of those buttons to be a little less incorrect in their meaning.
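The two outcomes described above, scripted with VMware PowerCLI as an added example (not part of the original post). It assumes a PowerCLI session already connected with Connect-VIServer; the VM name and the outcome flag are placeholders.

```powershell
# Added example: the "revert" vs "commit" paths, in PowerCLI cmdlets.
$vmName = 'XP-CriticalApp'          # placeholder VM name
$vm = Get-VM -Name $vmName

# Before the service pack: create the rollback point. From here on the base
# vmdk is locked and the guest's changes are written to the delta files.
$snap = New-Snapshot -VM $vm -Name 'Pre-SP3' -Description 'Before SP3' `
    -Memory:$false -Quiesce:$false

# ... install SP3 inside the guest and test the critical app ...
$appStillWorks = $false             # constructed outcome: scenario 1 (it broke)

if (-not $appStillWorks) {
    # Scenario 1: REVERT. This is the console's "Go to" action, not "Delete".
    Set-VM -VM $vm -Snapshot $snap -Confirm:$false
    Start-VM -VM $vm                # a snapshot without memory leaves the VM off
    # Now that the VM is back at the pre-SP3 state, the snapshot can be removed.
    Remove-Snapshot -Snapshot $snap -Confirm:$false
} else {
    # Scenario 2: COMMIT. "Delete" merges the delta into the base vmdk,
    # keeping SP3 in place.
    Remove-Snapshot -Snapshot $snap -Confirm:$false
}
```

The point the post makes is visible in the code: Remove-Snapshot appears in both branches, and only the Set-VM -Snapshot call before it decides whether SP3 is kept or thrown away.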

Swing-o-blog

Well all, I've managed to land myself a new job, which I'm very pleased about. They run Exchange as their mail server, so I guess I'll be blogging a bit about that, as it's been a while since I've actually managed an Exchange server. So as usual I will be blogging about stuff as I learn about it.

Dell PowerEdge SC440 and ESXi 4.1

This isn't really a post, more of an info bulletin: ESXi 4.1 works perfectly on a Dell SC440 server. The SC440 isn't currently on VMware's HCL and I found little info on compatibility when trying to find out myself.

For information, I used the vihostupdate Perl script, which comes with the vSphere Command-Line Interface, and the upgrade zip file to perform my update (see previous blog entry).

Updating ESXi 4 to 4.1 without Update Manager

Hi all,

So you have one or more ESXi boxes at home doing various tasks and they are currently running ESXi 4; you're tempted to update to 4.1 but do not have Update Manager installed and do not want the hassle of configuring ESXi again.

No problem, good old command line to the rescue again. To upgrade 4 to 4.1 you need the ESXi 4.1 upgrade installation as a zip file and the vCLI (vSphere Command-Line Interface); both are available from the VMware site (I won't post links as I don't know how quickly the links will age). Once you have downloaded the vCLI and installed it you will have a new program item in your Start\Programs\VMware folder called "VMware vCLI\Command Prompt". Click on that and it will dump you in the old familiar black and white screen. Ensure any VMs on the server are either powered off or migrated, and put the host into maintenance mode.

Navigate your way to the "bin" directory (currently "c:\program files\vmware\vsphere cli\bin" on my computer) and run the following, with your ESXi host's address in place of 0.0.0.0 and the path to the downloaded zip file as the bundle:

vihostupdate.pl --server 0.0.0.0 --install --bundle c:\zipfilelocation

Press return and enter the ESXi server's admin credentials (probably the root account in a home environment). In a few minutes the command will complete and tell you that it needs to reboot the server before the process finishes; do this, and when it comes back up exit maintenance mode.

WARNING: Before updating, be sure to have consulted the VMware HCL (hardware compatibility list) to ensure that your server is compatible with the version you are trying to install. If your server is not specifically listed then you can check the individual components' compatibility either through the HCL or the community-driven HCL. The HCL is currently located HERE.

Ebook readers for technical manuals

I thought I'd post a little ditty about ebook readers; I've had one for a while now and thought I'd post my experiences.

Firstly, my ereader is a Sony Pocket Reader (PRS-300) and, to be honest, it's not as useful as I thought it might be. I had looked around before I bought it and understood that the technical diagrams might come out a bit funky, but the issues I have with the device are more substantial than that.

The Pocket Reader seems to be only actually of use for, say, novels, that is to say a large amount of unformatted text, which technical manuals do not have. As you know, tech books normally have maybe a paragraph or two like that, then they'll have boxouts and diagrams, which normally go hideously wrong on my Pocket Reader. Also, when you turn to a page that includes a picture of some description, the time to process and display that page increases dramatically to 15+ seconds, which is a lifetime compared to turning the pages of a book.

As a side note, if you have the page size set to small then the formatting of the pages is generally acceptable; however, the font, I am quite sure, would be far too small for anyone to read at a comfortable distance.

Speaking to other IT bods, a good ebook reader for technical manuals is the Kindle DX, as it has a much larger screen than mine so can display a properly formatted page at a decent font size. So I think I may be putting mine on eBay and saving up for a DX, which at the moment I think is available in the UK.

If you want a PDF reader for technical manuals or anything that does not consist of one large block of text, then a Sony Pocket Reader is not for you.

UPDATE: I've had a Kindle DX for a few months now and I must say I love it; it's so much better than the smaller Sony I had (much quicker too). A great feature is the ability to email PDFs to it, which is useful for all those whitepapers and vendor guides that you pick up along the way.

Security Tool fake AV

Hi all,

Well, today a staff member handed me their laptop to have a look at (a Toshiba something with Vista HP on it); it was infected with the Security Tool fake antivirus product. I am always really impressed with these types of infections: they are very well written and can be a complete headache for anyone to try and remove. Usually access to the command prompt and Task Manager is disabled, and the code is buried in all sorts of places so malware products find it tricky to remove; a reboot later and there it is, still well and truly stuck on your computer.

Now, the extra problem with this laptop is that it has never had any antivirus product installed on it and of course also had various P2P clients installed, which is obviously just asking for trouble.

The fix for this one was simple, as I was fairly sure that the infection must have been recent, because Security Tool is fairly prominent on an infected machine and generally causes a nuisance.

All I did was roll back to the last system restore point (type "system restore" into Vista's search function; this will work for any OS from XP upwards) and voilà, it was gone. Next I installed the Comodo Internet Security suite (free firewall and AV product, www.comodo.com). I then disabled the System Restore feature and rebooted the laptop so it removed the system restore backups (as viruses and trojans can reside in these locations and antivirus products cannot remove them, although they are generally only a risk if you use System Restore to revert to a point where the viruses reside).
A quick reboot later I began a full AV scan with Comodo and also installed Malwarebytes (http://www.malwarebytes.org/) and ran that; both came up clear, and several reboots after that Security Tool has not reappeared, so all now seems to be well. I then re-enabled the System Restore feature.

The laptop can now be handed back to the staff member with a scathing reminder to: not use P2P services, have and use AV products, never do general browsing as administrator, and treat UAC prompts whilst browsing with a very high amount of suspicion.

These types of events always take me back to my first IT job working for a repair workshop. I mostly repaired home users' PCs and they would phone up saying "my machine's all messed up and doing weird things". "OK," I'd say, "you've got AV, haven't you?" "Yes, of course I have." "OK, you'd better bring it in then."

80% of the time you could bet that they had Norton or McAfee installed and it was a year or two out of date at least. Then you go down the "well, I take it you've got a backup of all your work" (blink) blank stare fiasco.

ahh lovely!

RODC password replication

Read-Only Domain Controllers in Windows Server 2008 are designed primarily for use in branch offices (satellite locations with no onsite IT staff and slower links back to HQ).

I have blogged previously about installing an RODC, which is a nice straightforward dcpromo with an added tickbox at the end, and the purpose of an RODC is obviously to provide local authentication and, if required, a local DNS and global catalogue. One thing that is not stored within an RODC is passwords for user accounts, which obviously results in WAN traffic when an authentication attempt is made.

However, there are two ways in which local users' passwords can be stored within the RODC's database.

One way is to add the users at the branch office to the "Allowed RODC Password Replication Group" on a writable domain controller.

The other is to assign objects in the "Password Replication Policy" tab of the RODC's computer account in AD.
When I say object, this can be a group or individual user accounts (although creating and assigning a group for this purpose is clearly easier).

It is quicker and easier to add the user accounts to the Allowed RODC Password Replication Group in AD; however, this presents a possible minor issue. By putting users into this group, their password data will replicate to all RODCs in the domain. This is not a problem if you only have one branch office, but what if you have more than one? Say you have 20 or more all over the world, and branch offices can have a decent number of staff in them. This could quickly balloon the WAN traffic in each branch office as they receive all the completely unnecessary password data for the other 19 branch offices in the organisation.

Of course, even with a modest residential ADSL line it probably won't bring the connection crashing down around your ears, but every meg counts.

So if you have more than one branch office, or it seems expansion of the business is on the cards, then it is worth taking a few extra minutes to set up new groups and assign them specifically to the RODC computer accounts.

Within the RODC's computer account "PRP" tab you can also add other groups and accounts to the policy and specify whether the group/user is allowed or denied password replication; as always, if a user is a member of several groups then a deny always overrides an allow.

Also, don't forget that computer accounts also log on to the domain, so adding computers to the policy is also a good idea, as a prolonged WAN outage may well cause issues for the computers if their passwords are not cached as well.
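The per-branch approach recommended above, done with the Active Directory module on Server 2008 R2, as an added example that is not from the original post. The RODC name, OU path and group name are placeholders; it assumes one OU per branch containing that branch's users and computers.

```powershell
# Added example: one group per branch, allowed only on that branch's RODC,
# containing both users and computers; then check what is actually cached.
Import-Module ActiveDirectory

$rodc   = 'RODC-LONDON'                       # placeholder RODC name
$branch = 'Branch-London'                     # placeholder branch / OU name
$ou     = "OU=$branch,DC=example,DC=com"      # placeholder OU holding the branch

# A group per branch keeps password replication scoped to that site's RODC,
# instead of the domain-wide Allowed RODC Password Replication Group.
$group = New-ADGroup -Name "PRP-Allow-$branch" -GroupScope Global -Path $ou -PassThru

# Users *and* computers from the branch, so a long WAN outage does not block
# machine logons either.
$members = @(Get-ADUser -SearchBase $ou -Filter *) +
           @(Get-ADComputer -SearchBase $ou -Filter *)
Add-ADGroupMember -Identity $group -Members $members

# Allow the group on this RODC only (the PRP tab of the RODC computer account).
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList $group

# Review the allowed list; remember a Deny entry for the same account wins.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
    Select-Object Name, ObjectClass

# Which secrets are really cached on this RODC right now?
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, ObjectClass
```

Passwords are cached on first successful logon through the RODC, so the revealed-accounts list fills in over time rather than immediately after the policy change.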