Cloned Template Hardware Bug in VMware ESX 3.5 U2
Today I've been wrestling with this bug in ESX 3.5 U2: http://xtravirt.com/xd10070
The link gives a good insight into what causes it: if you clone a template and edit the hardware before the clone begins, the source VMDK is used by the clone instead of the newly cloned VMDK.
This becomes a problem if you later decide you don't need the template any more and delete it: the flat file is not deleted but everything else is, and the next time you reboot the affected VM you get a "file not found" error and it will not boot again.
I managed to get round the problem by creating a blank VM with the same specification (most importantly the disk size and OS version).
Then copy the remaining flat file of the corrupted VM into the folder containing the newly created VM using the datastore browser.
Rename the newly created VM's flat file, either through SSH on a host under /vmfs/volumes/{your bit here} or through the datastore browser.
Rename the corrupted flat file to the newly created VM's name (for example, the corrupted flat file might be called vm1-flat.vmdk and the newly created VM might be called vm2, so rename vm1-flat.vmdk to vm2-flat.vmdk).
Then power on the VM and confirm that the OS is still intact and working as it should.
I thought it was best to copy the corrupted flat file just in case something went wrong while I was performing these actions, so that I would still have the actual VM OS data to go back to.
TTFN.
Read Only Domain Controller for Windows Server 2008 R2
RODC (Read Only Domain Controller) is a great new feature of Server 2008. It is also a nice, lightweight feature that does not require a great deal of setting up or babysitting.
An RODC's primary purpose is to provide remote branch offices with a local cache of the Active Directory database and, if required, DNS. The main reason for this is usually that the link between the branch office and the domain controller at head office is slow or prone to failure.
To implement an RODC there are several obvious prerequisites:
Because it is read only, the RODC must be installed into an already established domain, so everything that goes with that is also required.
An RODC also has a couple of gotchas you will need to keep in mind. An RODC has a local administrator account. Yes, that flies in the face of everything you know about domain controllers, but it does; or at least, a domain user or group is nominated as the local administrator of that RODC only. You can think of an RODC not as a full DC but as something along the lines of a member server running a mini DC role. The handy thing about having a local administrator is that someone at your branch office can be given a little bit of power on the server, for example to reboot it for you if required or to check something, without any fear of them being able to fiddle with any aspect of the DC service.
To install an RODC you will need to have added the server to the domain already as a member. It does not need to be added to the exact domain that the server will be an RODC for, only a domain in the tree.
You would then run DCPromo and follow the prompts as you would normally expect until you get to the point of ticking the RODC option. You will then also have the choice of including DNS and global catalog as part of the RODC's role. Thinking back to the purpose of an RODC, which is primarily to provide local authentication to branch office users without the constant game of ping pong across a WAN or some other slow link, it is sensible to leave DNS and global catalog ticked so that they are installed on the RODC as well. This has the added bonus of leaving the branch site at least some functionality should the WAN link go down: the branch office keeps some form of name resolution and authentication to any other servers or services on the branch site.
By default an RODC will not store password information from AD in its RODC role; this is controlled by two policies, one allow and one deny. You may decide that it is a good idea to allow password caching on the RODC for the users based at the branch office so they don't need to hop across the WAN for every authentication request.
I will post another blog on administering an RODC once the role has been installed.
Control panel as admin under IE7 and above
Hi all,
Here's a quick little tip that hopefully may help you a bit. Most of us probably still support XP in our environment, and since IE7 you have probably noticed that you can no longer do the old right click, Run as administrator and then enter "Control Panel" into the address bar. This was a nice and quick way to make administrative changes within the Control Panel without logging the user out (because all users only have user rights, don't they!)
After a bit of digging I have found a way to get into the Control Panel as admin under a user account again.
What you need to do, whilst logged in as a normal user, is navigate to the C:\Windows folder. Within that folder will be a hidden folder called either IE7 or IE8 (it is hidden, so you may have to show hidden files and folders). Within that folder you will find the old IE6 style exe, and you can quite happily right click and Run as on that. You will then open IE6 and be able to navigate to the Control Panel as you used to.
It's really handy to still have that functionality, however I think it may well be a security risk, as Microsoft appear to have swept IE6 to the side of the OS rather than replacing it entirely with IE7 and above.
Windows 7 Applocker and Software Restriction Policies PT1
Thought I'd knock out a quick blog post on my studies of Windows 7's implementation of AppLocker and SRPs. Now, traditionally SRPs have been good in theory, but if you attempt to use them they will lead to a world of hurt. The same is still true, so unless you REALLY REALLY need to lock down your systems that much, leave well alone. Still, it's covered in the exam objectives so I've got to study it in some form.
Software restriction policies are a way of limiting the applications that can be executed on Windows 7. These policies are set in Group Policy, so they can be set on the local workstation or as part of an AD GPO distribution. AppLocker does the same thing but in a slightly different way (and it also overrides a clashing SRP).
To begin configuring an SRP you will need to get into either the local workstation's gpedit.msc tool or AD's GPO editor and drill down into COMPUTER CONFIGURATION/WINDOWS SETTINGS/SECURITY SETTINGS/SOFTWARE RESTRICTION POLICY. The container starts life empty, so you will need to right click on the node and choose "Create software restriction policy".
You will then be greeted with these new options:
Within Security Levels you have 3 available options: Disallowed, Basic User and Unrestricted. These 3 settings specify the default behaviour for applications that have no specific rule defined. Disallowed obviously means that software with no specific policy defined will not be allowed to run. Basic User allows software with no specific policy defined to run, providing that it requires no administrative access to the file system etc. Unrestricted simply means that any software with no specific SRP defined will be allowed to run. To enable any of these settings you need to open the setting you want and click the Set as default button.
I shall skip the Additional Rules section for the moment, as this is where you set specific rules for applications. The next option down is Enforcement, which defines how strictly the default policies are applied; configurable options include applying the policies to all software files, excluding or including DLL files etc. You can also specify whether the SRPs apply to users only or to all users including administrators (dangerous), and whether certificate rules are ignored or enforced.
The Designated File Types option specifies what is considered to be an executable file type (in addition to exe and vbs); from this menu you can remove any of the default types or add your own.
The Trusted Publishers option allows you to specify who is allowed to manage the list of trusted publishers: you can allow both users and administrators to manage the list, or just administrators, or just enterprise administrators. There are also 2 other settings you can change, which relate to checking whether a publisher's certificate is still valid or not.
Looking at this post I think I will split it into two or three posts. I will go into actually creating an SRP in the next blog, but for now here's a video of a basic one in action.
CompTIA Lifetime certs now with less lifetime
CompTIA have recently dropped a bombshell (I say dropped, I actually mean sneaked it through the back door) by changing their policies.
The policy change is to do with how long test takers' certifications last (including their A+, N+ and Sec+ certifications). Historically their certifications have been for life, but they have now changed it to just 3 years, after which time you will need to take the highest exam again to renew all of your certifications. You would think this would apply only to those who certify after the date of the policy change, but I'm afraid not, dear reader: this currently also affects ALL test takers who have EVER passed a CompTIA exam. It is now the case that anyone who certified before 31st December 2010 will retain their lifetime cert status; those certifying after that date will need to re-certify their highest CompTIA cert every 3 years should they wish to keep their certifications. The rant below is kept for historical reasons only!
So all of a sudden my lifetime A+ certification is now expiring and I will be required to take the test again should I wish to renew it.
CompTIA's official line is that they are bringing their policies in line with other certification vendors (sources I have read on the internet suggest they have cited the likes of Cisco and MS as having a renewal policy; Cisco do, but MS do not have such a policy). However, this smacks a little of a money making scheme to me.
I can understand the thinking that recertification is a good thing, because technology does move on at a fair rate, so my A+ taken back in 2003, which talked about 400MHz CPUs etc, is vastly outdated. However, there is one big glaring problem with the renewal policy. The A+ and similar exams are meant for entry level candidates looking to break into IT; who in their right mind, 3 years down the line in their IT career, is going to go back and renew that A+ or whatever, when they will more than likely have higher level certifications or knowledge that renders the A+ obsolete anyway?
So why am I worried about the change then? Well, TBH it would not really bother me were it not for a couple of facts. A couple of years after the millennium I decided I wanted to get into IT, I bought the relevant Mike Meyers book, studied lots and lots and took the 2 exams required to become A+ certified. Back then this was a lifetime certification: no matter what happened I would always be A+ certified, which is also why each exam was extremely expensive to take (from memory it was about £130 back then, considering today MS exams are £88 a pop). Now they have suddenly changed their mind and want to take that certification away from me, and I don't think it's fair. The DVLA wouldn't say to me that even though I passed my driving test under the understanding that I would not need to take it again until 65, I actually need to take it again after only 15 years, so why should CompTIA be allowed to do this!
At the end of the day I have left that certification way behind and can quite happily mark it as expired or strike it off my CV, however it's the point that I studied and paid for a lifetime cert and now it's not!
There are rumblings on certification forums of class actions etc against CompTIA, so we shall have to see how this eventually pans out! I shall be checking CompTIA's news pages over the next few weeks with great interest.
http://www.comptia.org/certifications/listed/renewal.aspx
EDIT: Well, it looks like they have rightly reversed their decision and are now only imposing their 3 year renewal on people who take their tests after 2011. So that's a good result for those of us who already have the certification, and it may well jolt some into taking the test before the lifetime certification ends.
Windows 7 Minimum Requirements And Features
Hi all,
I'm starting to read my Win 7 books now, so I will be putting up a few posts around my studying. The first blog post is about the minimum hardware requirements of Windows 7 and also its features.
Firstly, Windows 7 has 6 different editions, which are: STARTER, HOME BASIC, HOME PREMIUM, PROFESSIONAL, ENTERPRISE, ULTIMATE.
The hardware requirements for 7 Starter and Home Basic are as follows:
1GHz x86 or x64 CPU
512MB of RAM
20GB hard disk (for the x64 version) or 16GB hard disk for the x86 version; both must have 15GB free.
A graphics card that supports DX9 and has at least 32MB of RAM.
Windows 7 Home Premium and upwards requires:
1GHz x64 or x86 CPU
1GB of RAM
40GB hard disk (15GB free)
A graphics card that supports DX9 and has a WDDM driver with Pixel Shader 2, 32 bits per pixel and 128MB of RAM.
As always, these minimum requirements are for the OS only; you will find that Windows 7 will probably be usable but slow, and adding applications will often make these systems too slow to use sensibly, so in the real world you will need to install Win 7 on computers that are far better than the specs above.
Other hardware restrictions in the Windows 7 editions include support for up to 8GB of RAM in the x64 versions of Starter and Home Basic, whilst Home Premium supports up to 16GB of RAM on x64 editions. All higher editions (Pro/Ent/Ult) are limited only by the x64 architecture, which limits the RAM to 128GB (still, if you get that in a laptop in the next few years you're doing well).
The table below shows some of the major features of Windows 7 and which editions support them.
| Feature | Starter | Home Basic | Home Premium | Professional | Enterprise/Ultimate |
|---|---|---|---|---|---|
| Windows Aero | N | N | Y | Y | Y |
| DVD Playback | N | N | Y | Y | Y |
| Media Center | N | N | Y | Y | Y |
| IIS | N | N | Y | Y | Y |
| ICS | N | Y | Y | Y | Y |
| Join Domain | N | N | N | Y | Y |
| EFS | N | N | N | Y | Y |
| AppLocker | N | N | N | N | Y |
| Direct Access | N | N | N | N | Y |
| BitLocker | N | N | N | N | Y |
| RDP | N | N | N | Y | Y |
| BranchCache | N | N | N | N | Y |
Passed VCP 310
Hi all,
Well, I passed my VCP exam back on the 11th December. Very pleased with that, as it had only been announced a couple of weeks ago that the exam was retiring at the end of the year, so my studying suddenly increased 10 fold.
The exam itself seemed mostly fairly simple and the questions were to the point (not like the MS ones, where they tell you about Jane and Dan's breakfast routine before getting onto the NTFS issues).
I understand that the exam has also now been extended until the end of March 2010.
I think the next exam on my list will be the Windows 7 exam, 70-680. After that, perhaps a bit of vSphere.
VMware High Availability
High Availability, or HA as I will call it from now on, is a feature of Virtual Center which allows for the automatic restart of VMs in the event of a host failure.
For example, if you had 4 ESX servers running 40 VMs (10 on each) and one host goes pop, HA would detect the failure and restart the VMs on the 3 remaining hosts. Whilst there is not a great deal of options to fiddle about with (most of them follow the same pattern), you do have an important decision to make: if a host fails, do you want to restart your VMs or would you rather they stay down? In other words, is it more important that all the VMs are up and running, but possibly slower than normal, or would you rather some or all of the VMs stay down until you have dragged yourself out of bed and into the office to fix the issue?

HA can be enabled once you have created a cluster by right clicking on the cluster and selecting "Edit Settings". The first screen you will see consists of 2 check boxes, one for enabling/disabling HA and one for enabling/disabling DRS. The choice here is self-explanatory, but you might want to spend a minute reading the couple of paragraphs on that page.
The next tab worth looking at is the VMware HA tab; there are 3-4 options here that you will need to consider.
The first option is Admission Control. Within it is the setting for the number of host failures the cluster can tolerate, which can be any number from 1 to 4. By default this is set to 2, and of course if you suddenly find yourself losing 4 hosts in your cluster then you have a rather large problem on your hands. The next option is to prevent or allow the powering on of VMs if they violate availability constraints. In other words, do you want to allow a VM to be powered on even if the total configured memory of the VMs exceeds the resources the cluster actually provides?
Maths bit: you can work out your availability constraints by taking the amount of RAM provided by your smallest ESX host (i.e. the one with the least physical memory), finding the VM with the most configured memory, and dividing the host memory by that VM's memory. That gives you the number of guest VMs each host can hold; any more than that and your availability constraints have been violated!
Example:
6 ESX hosts, the smallest has 24GB of RAM, the largest amount of guest RAM is 2GB and host failures is set to 1.
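The arithmetic above carried through for the post's figures, as an added Python example that is not part of the original post. It follows the post's simplification of treating every host as if it had the smallest host's memory; applying the host-failures setting by subtracting that many hosts' worth of slots from the cluster total is an assumption of this example, and the list of guest sizes is constructed.

```python
"""Added example (not from the original post): the HA availability-constraint
arithmetic described above, carried through for the post's figures.

Assumptions, as labelled here: every host is treated as if it had the memory
of the smallest host (the post's simplification), and the "host failures"
setting is applied by subtracting that many hosts' worth of slots from the
cluster total.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Cluster:
    host_memory_gb: List[int]     # physical RAM of each ESX host, in GB
    vm_memory_gb: List[int]       # configured memory of each guest VM, in GB
    host_failures_tolerated: int  # the Admission Control setting (1-4)


def slots_per_host(cluster: Cluster) -> int:
    """Smallest host's RAM divided by the largest VM's configured memory.

    Integer division: a partial slot cannot hold a whole VM.
    """
    smallest_host = min(cluster.host_memory_gb)
    largest_vm = max(cluster.vm_memory_gb) if cluster.vm_memory_gb else 1
    return smallest_host // largest_vm


def failover_capacity(cluster: Cluster) -> int:
    """Guests the cluster can still hold after losing the tolerated number of hosts
    (assumption: each lost host removes one host's worth of slots)."""
    surviving_hosts = len(cluster.host_memory_gb) - cluster.host_failures_tolerated
    if surviving_hosts < 1:
        return 0
    return surviving_hosts * slots_per_host(cluster)


def violates_constraints(cluster: Cluster) -> bool:
    """True when powering on every configured guest would exceed the failover capacity."""
    return len(cluster.vm_memory_gb) > failover_capacity(cluster)


# The post's figures: 6 hosts, smallest 24 GB, largest guest 2 GB, 1 host failure tolerated.
# The per-host and per-guest lists are constructed; the post only gives the extremes.
EXAMPLE = Cluster(
    host_memory_gb=[24, 32, 32, 48, 48, 64],
    vm_memory_gb=[2] + [1] * 40,
    host_failures_tolerated=1,
)

if __name__ == "__main__":
    print(slots_per_host(EXAMPLE))      # 12 guests per host
    print(failover_capacity(EXAMPLE))   # 60 guests with one host down
    print(violates_constraints(EXAMPLE))  # False: 41 guests fit in 60 slots
```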
VMware common myths
I think this is a post that I will keep updating as I think of things, but I thought I would start out with some nice easy ones to get going with.
Something that quite often happens with a new ESX farm is that the admins want to tentatively virtualise a "low risk" server, thinking that it's not the end of the world if it goes skyward.
This normally translates as a server that does not do much and has been sat in the corner of the server room for years banging away doing its thing. Of course, when it is virtualised it is given a whole new set of hardware that is years ahead of what it's used to. This gets admins and users very excited, as whatever that server used to do has now been given a massive boost in performance.
Virtualisation is not about speed, it's about consolidation. As admins start virtualising other boxes, the old server may very well go back to about the speed it was before.
More to follow
VMware NTP Weirdness
Well, today I discovered that one of the ESX hosts in our cluster did not have its NTP settings correctly configured, although it did take me a little while to figure it out.
We have a 2003 guest on the host which, when I logged onto it to do some work, was displaying a totally wrong date and time. So I set it back manually in the OS (we don't use DHCP for our server subnet). I did not think much of it until 10 minutes later, when all of a sudden the correct date and time reverted back to the wrong date and time. I checked the 2003 box's settings again and it wasn't syncing its time with any internet NTP server, which is how we like it. So I had a look at the VMware Tools installed on the box and sure enough that was not set to sync time with the host, so again I ruled that out.
So I merrily set the date and time again and went on my way, and sure enough in another 10 minutes the date/time had reverted. So I checked the host and found that NTP was not enabled and that it was displaying the same date and time as the 2003 guest OS. I set up NTP on the host and this cured the issue.
I do find it somewhat strange that even though the guest was not set to sync date/time with the host it still did so; presumably after the W32Time service failed to sync with an online NTP service, VMware Tools took over and synced it anyway.
Weird, I feel a bit of googling coming on!