Wednesday, December 23, 2009

XenServer - There was an error while attempting to unmount the NFS share

Recently in XenServer I was attempting to remove an ISO Library (CIFS) that I had created that no longer existed. All attempts using Destroy, Forget, Detach from XenCenter failed with error "There was an error while attempting to unmount the NFS Share".

At this point I went to one of the hosts' consoles and typed xe sr-list name-label="name of iso directory". This returned the uuid of the SR (which isn't listed in the GUI). From here I was able to run xe sr-destroy uuid=thesr'suuid. This returned "The SR is still connected to a host via a PBD. It cannot be destroyed."

Okay, what hosts and pbd's have it locked?

xe pbd-list sr-uuid=1c5a224d-f265-c84f-8e7d-8f4f891559c1. This returned that each host had a pbd to it... Taking note of each host's pbd uuid I ran xe pbd-unplug uuid=xxxxxx for each uuid that displayed "currently-attached (RO): true". Each one unplugged successfully except one which returned "error code: SR_Backend_Failure_74 Error parameters: , NFS unmount error [opterr=error is 255],". This told me at least which host was at fault since the pbd uuid is listed directly above the host uuid ( xe host-list host-uuid=xxxxxxxx).

At this point a reboot of the host that was at fault cleared up the issue and I was able to forget the Library.

Tuesday, December 8, 2009

Server 2008 System State Backups

In Server 2008 they removed ntbackup and replaced it with Windows Server Backup Utility. Unfortunately this doesn't support backing up the system state to a network share anymore. In addition you can't back up to volumes listed as critical volumes (i.e. the OS volume).

First off, you can disable the inability to backup to critical volumes:

With this method you could back up to your C: drive and then use scheduled tasks to copy the backup to another location.

wbadmin start systemstatebackup -backupTarget:C: -quiet


If you have access to an iSCSI SAN you can give the server a new drive attached to the SAN which it will detect as a valid local disk. At this point you can dump the backup to this volume (which isn't local so less risk of loss) and then backup using your remote backup solution.

Note that for Windows 2008 R2 the commands are different.

Also plan ahead for the size of the backup. I found that my total System State backup on a 2003 server was only 700MB, but on my 2008 servers it increased to over 10GB!

Tuesday, December 1, 2009

Citrix Access Gateway Virtual Appliance on XenServer

Thanks to ervik for this!

I'm placing my version of it here for my ease of access and also because I found loading his site very slow.

XenServer v5.5
CAG v4.6.1
  1. Create new VM
  2. Other Install Media
  3. Use the CAG iso for install media
  4. Add 512MB RAM
  5. Add Virtual Disk 12GB (appears that you can get away with as little as 5GB)
  6. Add 2 NIC's (must have 2)
  7. It will do its thing and then display to remove install media and reboot
  8. Remove the iso image and reboot
  9. When it displays "Adding IPv4 address to the eth1 interface..." you're done
  10. Give your management workstation an additional ip of 10.20.30.x
  11. Navigate to and install the admin tools
  12. Username: root Password: rootadmin

Tuesday, November 10, 2009

Server 2008 "Preparing your Desktop" stalls

Recently I built a new Server 2008 SP2 Domain Controller. When logging into it the "Preparing your desktop" would stall for a long period of time. The machine itself wouldn't freeze and functionality continued normally and you could even use the task bar, just not the desktop.

Open cmd prompt and type: Net localgroup Users Interactive /add

Logoff and back on with no more stalling.

Monday, November 9, 2009

Manage Temporary Internet Files with Group Policy

Temporary Internet Files should be proactively managed to help reduce security risks. In addition it can help with other issues as well, such as the Outlook attachment opening issue: "Can't create file: filename. Right-click the folder you want to create the file in, and then click Properties on the shortcut menu to check your permissions for the folder."

  • Get the Group Policy Client Side Extensions for all of your machines.
  • Depending on your machine SP level you may also need to install XMLLite. Check out this site for a list of requirements depending on the SP level:
  • Both can be pushed using your favorite method (third party, group policy, manually, etc)
  • At this point you can begin to push the new Group Policy objects
  • Open Group Policy Management (note that you cannot manage these new GPO's from Windows XP, they can only be managed from Vista, 7, or 2008)
  • This can be done several ways depending on your preferences. I did it by computer role / operating system.
  • In Active Directory I have all Terminal Servers in one OU, Workstations in another OU, Laptops in another, etc. As such it made sense to link the GPO by the computer's role and operating system
  • It is important (to some extent) that the operating system be specified with this. For instance XP and Vista do not have the same paths to the Temporary Internet Files
    • Windows 2000, XP, 2003 = C:\Documents and Settings\%LogonUser%\Local Settings\Temporary Internet Files
    • Windows Vista, 7, 2008 = C:\Users\%LogonUser%\AppData\Local\Microsoft\Windows\Temporary Internet Files
  • User Configuration - Preferences - Windows Settings - Folders
  • New Folder - Replace - proper pathing to TIF location (depending on which OS you are targeting)
    • Check the following:
    • "Recursively delete all subfolders"
    • "Delete all files in the folder"
    • "Allow deletion of read-only files/folders"
    • "Ignore errors for files/folders that cannot be deleted"
  • Common Tab - Item-level targeting
  • Targeting Button - New Item - Operating System
  • Set the operating system (notice that you can add multiples and right-click it to change the AND to OR, for instance if you want it to read Windows Server 2003 OR Windows Server 2003 R2)

Ensure that the GPO is linked to the proper Active Directory OU and that, if you link it to an OU containing computers rather than users, you enable loopback policy - merge.

Friday, November 6, 2009

Migrate Print Server with Server 2008

Below is a guide on how I moved my Windows Server 2003 print server to Windows Server 2008 SP2 with little to no end user interaction.

With Windows Server 2008 there are a lot of new Group Policy options that are really cool! These help tremendously in helping manage an enterprise and this is what you'll use to change printers (and even set defaults).

  • Build your new Windows Print Server (in my case Server 2008)
  • Extract printers from old print server (in my case Server 2003)
    • From Print Management console
    • Right click old print server and select Export Printers to a File. **In my case I had some corruption issues with 2 ports that caused this to fail. To get around this I used the printmig tool to export and import my printers initially. Upon import with printmig it told me which ports were at fault so I removed them from the new server and all associated drivers/printers and recreated them.
    • Right click new print server and import printers from a file (file you just created)
  • At this point you should have 2 print servers
  • Get the Group Policy Client Side Extensions for all of your machines.
  • Depending on your machine SP level you may also need to install XMLLite. Check out this site for a list of requirements depending on the SP level:
  • Both can be pushed using your favorite method (third party, group policy, manually, etc)
  • At this point you can begin to push the new Group Policy objects
  • Open Group Policy Management (note that you cannot manage these new GPO's from Windows XP, they can only be managed from Vista, 7, or 2008)
  • Come up with a map of which Active Directory OU's will need different printer configurations. There are a lot of cool ways to do this by specifying specific OS's, Users, Computers, etc
  • Create a new (or edit an existing) GPO with a link to the desired OU
  • Under preferences, Control Panel Settings you'll find Printers
  • NOTE: notice that there is a column for Order.... you get the idea, they are applied in order
  • Right click, new, Shared Printer (for Shared networked printers)
  • At this point you'll have options for Create, Replace, Update, Delete
  • Set the first one for action Delete, check box "Delete all shared printer connections"
  • Common tab, check "apply once and do not reapply" and "Item-level targeting"
  • Click Targeting
  • Enter the criteria you want to target (ie Computer, User, Security Group, Operating System). I targeted Operating System with the overall GPO linked to an OU of the department that the users work in. This way it hits the user object for any computer of that operating system they log into. For instance All accounting users are in one OU so they all get this specific setting when they log into a Windows XP workstation (thus it doesn't affect their Terminal Server printers unless I set it to).
  • Right click, new, shared printer again
  • This time select create and path to the printer (\\servername\printersharename)
  • Set as default if desired
  • Common tab, "Apply once and do not reapply"
  • Item-level targeting again as you desire
  • Continue for each printer

NOTE: if you link the GPO to an OU that has computer accounts rather than user accounts then you will also have to enable loopback policy - merge (under computer config - Policies - Admin - system - Group Policy - User Group Policy loopback processing mode)

At this point as long as the computers have the Client Side Extension and the GPO's are linked properly they will get the old printers removed and new ones added / default set

Once all users have a policy setup for them and all CSE's are deployed to workstations you can zap the old print server (notice that you can Log Spooler information events to see if anyone is still printing to the old server)


  • User group of 10 needs 2 printers Printer1 and Printer2
  • 9 users need printer1 to be the default. 1 user needs Printer2 as default
  • All 10 users are in the same active directory OU
  • You don't want to split them into new OU's
  1. Create Delete All printers policy (apply once only option)
  2. Create Printer 2 policy (apply once only option)
  3. Create Printer 1 policy and select the set as default (apply once only option)
  4. Update Printer2 policy and select the set as default (apply once only option). Important: Item-level targeting - New Item - User - Enter the user. Should read "the user is domain\username (SID match)". This could also be done by computer or however you desire

Tuesday, October 13, 2009

Transfer DHCP from Server 2003 to Server 2008

Microsoft has really done a great job making this process easy and smooth.

  • On 2003 DC open cmd prompt
  • Netsh
  • dhcp
  • server \\servername
  • export c:\w2k3DHCPdb all
  • copy to new DC
  • Log onto new DC and open command prompt
  • net stop dhcpserver
  • rename or delete DHCP.mdb from system32\dhcp folder
  • net start dhcpserver
  • netsh
  • dhcp
  • server \\servername
  • import c:\w2k3DHCPdb
  • Restart DHCP and verify that all information was moved
  • Change your scope options to the correct settings if needed (ie DNS and WINS)

Don't forget to deactivate the old server scope(s) that were transferred.

Install Windows Server 2008 SP2 Domain Controller

Install a Windows 2008 SP2 Domain Controller in a Windows 2003 Forest / Domain

Prep Forest

  • Run netdom query fsmo from a Domain Controller to identify the Schema Master. Note the holder of each of the following roles
    • Schema owner
    • Domain role owner
    • PDC role
    • RID pool manager
    • Infrastructure owner
  • On the Domain Controller running the Schema Owner do the below:
  • Attach the W2K8 DVD to Schema Master
  • Navigate to D:\sources\adprep
  • Run adprep /forestprep
  • Type C and Enter to continue
  • Allow Replication to forest before continuing
Prep Domain
  • Note from previous the Infrastructure Owner
  • Run the following on the Infrastructure Owner
  • Attach the W2K8 DVD
  • Navigate to D:\sources\adprep
  • Run adprep /domainprep /gpprep
  • Allow replication through forest before installing Domain controller

Install 2008 Server Domain Controller
  • Server Manager
  • Roles - Add Role
  • Check Active Directory Domain Services
  • Install
  • Close wizard and launch the Active Directory Domain Services installation wizard
  • Existing Forest - Add a domain controller
  • Current credentials
  • Next
  • Yes to the adprep /rodcprep (read only) warning
  • Select site / next
  • Leave DNS Server and Global Catalog checked - Next
  • Default locations
  • Enter password for Restore Mode
  • Next
  • Reboot on completion check

Transfer FSMO Roles
  • Note that MS recommends moving FSMO roles when rebooting Domain Controllers
  • Log onto the DC that will be getting the FSMO roles assigned to it (ie the new one)
  • Click Start - Run - type ntdsutil and press enter
  • type the following commands
    • roles
    • connections
    • connect to server *servername* (name of the server you want the roles transferred to)
    • q
    • transfer schema master
    • transfer naming master (note that I found that this role has different transfer names between Server 2003 SP2 R2 and Server 2008. In 2003 it was domain naming master, in 2008 it is naming master)
    • transfer PDC
    • transfer RID master
    • transfer infrastructure master
    • q
    • q
    • From command prompt type netdom query fsmo and check that they are on the correct domain controller
Install other management as needed
  • WINS
    • Note that WINS is a feature not a role in Server 2008
    • Determine if you need WINS server installed
    • Open Server Manager
    • Click Features - Add Feature
    • WINS Server select
    • Install
  • DHCP
    • Ensure you have setup a Static IP (should have with the start of Domain controller installation)
    • Server Manager
    • Click Roles - Add Role
    • DHCP Server
    • Select NIC
    • Check domain and dns server address
    • Enter alternate address if desired (can do later as well)
    • Enter WINS address if needed
    • Enter Scopes or leave blank (I prefer blank and setting up later)
    • Disable DHCPv6 unless you need it
    • Enter credentials
    • Install
    • Don't forget to go back and configure your DHCP options later

Friday, October 9, 2009

SysPrep Windows Server 2008

Basic Server 2008 Sysprep

  • Navigate to C:\Windows\System32\sysprep
  • Run Sysprep.exe
  • Check "Generalize" (this regenerates SID's)
  • Change to Shutdown
  • Bingo, done, easy.

Wednesday, October 7, 2009

Slipstream W2K3 SP2

Extract files needed

  • Download the ISO's for W2K3
  • Download the network installs for SP2
  • Mount the ISO for W2K3 and copy the files to a new folder (ie C:\W2K3)
  • Run from command prompt the SP2 file name ie SP2.exe /x
  • Extract to an easy location ie (C:\SP2). Command for this would look like SP2.exe /x:C:\SP2

Slipstream SP2

  • Navigate to C:\SP2\i386\Update and enter update.exe -s:C:\W2K3
  • The slipstream will start
  • Convert the W2K3 folder back into ISO form

XenServer iSCSI SR's not connecting

The other day we had an issue with one XenServer VM hanging, so I attempted to do a force reboot. Unfortunately I found that this failed (never timed out). After attempting to run xe task-cancel uuid=xxx on the task in question and that not working, something that I had found said to run xe-toolstack-restart (DO NOT DO THIS). The toolstack restart failed miserably and led me to having to restart the host. Once it was back online the iSCSI fun began.

  • The restarted host was the master
  • It showed 'almost' all SR's as broken to include the local DVD drive
  • SR's that didn't show broken still couldn't be booted from
  • Broken SR's couldn't be repaired successfully

This led me to start looking at the iSCSI SAN which is an HP Lefthand Networks SAN/iQ v8.1. After opening the SAN/iQ management console I found that many of the Snapshot schedules I had set up were 'paused' due to backlog. In addition all the SS's that I had deleted were still listed, but already reported as deleted if I attempted again.

Things to note:

  • The week prior one LH node had the RAID controller card fail and had to be replaced
  • The failed card had been replaced and system powered back on so that it could restripe
  • All VM's run off the LH Cluster that had the failed LH node in it
  • Snapshots wouldn't delete from either of the 2 clusters in the LH setup (VM cluster or Storage cluster)
  • Gateway connections to the XenServer host showed in a 'failed' status

The LH rep very quickly pointed out that the Local Bandwidth Priority was set to .25 MB/sec. Yikes! That's not right. Changing this setting back to the recommended 4 MB/sec helped a 'little', but not very much. We then changed it to 10 and the difference was not much better. Fortunately I did notice that within a few minutes the XenServer host had picked up its SR's again. YEAH!

As I was waiting for things to replicate so that speeds would pick up again on the network (I had set it back to 4MB/sec by this point) it occurred to me that the node with the failed RAID controller would be attempting to resync still along with all the Snapshot data.

BINGO! Shutdown the LH node that had failed and instantly everything picked up and ran at lightning speeds again. XenServer kicked in and all admin tasks worked great again. Once everything was connected and all Snapshots were taken care of I turned back on the failed LH node and let it resync which was fairly quick at this point and caused no more heart failures.

Lessons learned:

  • .25 MB/sec is way too slow for admin tasks on LH nodes (I already knew this, but now I know to check it)
  • Backlogged LH admin tasks can cause the iSCSI connection initiations to slow to a crawl (I was told this shouldn't affect it, but imo it clearly did).
  • Don't run xe-toolstack-restart unless you absolutely have to. I could have easily fixed the root of the issue (LH replication) without the outage had I not run this command
  • After major failures such as the RAID controller check up on it periodically to ensure that it's finished / processing in a timely manner. Had I done this I would have found the Snapshot issue and resync backlog days in advance.

Thursday, September 17, 2009

NIC Intermittent Connectivity

We have an older desktop provisioned for use by a user with an application which is "less than friendly". So rather than mess with the TS environment we gave her the old desktop. Recently she started having issues with slowness which progressed into lots of messages about Outlook retrieving data, extreme slowdown, network drives dropping offline, and other clients losing connection.

I quickly found in the eventvwr that the tcp/ip connection was going up and down every few minutes. After changing the patch cable and testing the desktop on a new network drop I found the answer. Changing the speed of the NIC from "auto detect" to "100 Mbps Full Duplex" resolved the issue. Apparently in its old age something started causing it to fail to negotiate the speed. As such it was constantly trying to re-negotiate the speed which caused the up / down connections.

Thursday, September 10, 2009

Install SharePoint to share port 80

I decided that I wanted my Sharepoint site and my MediaWiki site on the same server. MediaWiki was already installed and using port 80, but I don't want my users having to type in an address with a port on it (they would simply just not use the site if they had to remember the port). Unfortunately websites can't share ports on the same ip address. Plus, I didn't want to move the wiki site off port 80 either.

I did the following on Windows 2008 IIS.

  1. Install SharePoint to port 80 (in my case as the non-default website)
  2. Open Manage network connections (ncpa.cpl from run)
  3. For your network connection go into properties
  4. Go into IPv4 properties
  5. Assumption is that you already have it set to Static IP address
  6. Click Advanced
  7. Click add and add in another unused IP address (ex: for main and add in
  8. Ok out
  9. In IIS click the default website
  10. On the right side click Bindings
  11. Edit and change the IP address from * to the main IP address ( in our example)
  12. Okay out
  13. Click the new Sharepoint site (Default name is SharePoint - 80)
  14. Click Bindings and change IP address to the secondary IP (ex

From here you can access the original website normally and the Sharepoint site via the new IP address. This brings up some new issues though...

DNS Entry to make the site "friendly"

  1. Open your domain DNS and add a new Host (A). Make the Name what you want your users to type in to reach the site, then enter the second ip address (SharePoint site address)
  2. Try to ping the name you just entered. It should pingback as the ip address you just set.
  3. Try to navigate to the site (ex: http://example/)

Next issue... Authentication loopback check doesn't like this setup much. At this point you'll find that credentials fail. After a lot of searching I found the solution here:

  1. Click Start, click Run, type regedit, and then click OK
  2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  3. Right-click Lsa, point to New, and then click DWORD Value
  4. Type DisableLoopbackCheck, and then press ENTER
  5. Right-click DisableLoopbackCheck, and then click Modify
  6. In the Value data box, type 1, and then click OK
  7. Exit Registry Editor
  8. Restart the computer.

Note that the author includes the following: "The security is reduced when you disable the authentication loopback check, and you open the Windows Server 2003 server for man-in-the-middle (MITM) attacks on NTLM."
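
Windows also supports a narrower setting than turning the check off globally: listing only the site's host names in the BackConnectionHostNames value under Lsa\MSV1_0, which leaves the loopback check enabled for every other name. The script below is an added example, not from the original post or the article it cites; the host names in it are placeholders.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt.
# Assumption: the names below are placeholders for the DNS name(s) users type
# to reach the SharePoint site; replace them with your own.
$SiteHostNames = @('sharepoint', 'sharepoint.example.local')

$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv10Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Get-LoopbackCheckState {
    # Read both values that affect the loopback check; a missing value reads as $null.
    $lsa   = Get-ItemProperty -Path $LsaKey   -ErrorAction SilentlyContinue
    $msv10 = Get-ItemProperty -Path $Msv10Key -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        DisableLoopbackCheck    = $lsa.DisableLoopbackCheck
        BackConnectionHostNames = $msv10.BackConnectionHostNames
    }
}

function Add-BackConnectionHostName {
    param([string[]]$Name)
    # Merge with any names already present so existing entries are kept.
    $existing = @((Get-ItemProperty -Path $Msv10Key -ErrorAction SilentlyContinue).BackConnectionHostNames |
                  Where-Object { $_ })
    $merged = @($existing + $Name | Sort-Object -Unique)
    # REG_MULTI_SZ: one host name per entry. -Force overwrites an existing value.
    New-ItemProperty -Path $Msv10Key -Name BackConnectionHostNames `
        -PropertyType MultiString -Value $merged -Force | Out-Null
}

function Remove-DisableLoopbackCheck {
    # Remove the global override if it was set earlier (absent is the default: check enabled).
    $value = (Get-ItemProperty -Path $LsaKey -ErrorAction SilentlyContinue).DisableLoopbackCheck
    if ($null -ne $value) {
        Remove-ItemProperty -Path $LsaKey -Name DisableLoopbackCheck
    }
}

Write-Output 'Before:'
Get-LoopbackCheckState | Format-List
Add-BackConnectionHostName -Name $SiteHostNames
Remove-DisableLoopbackCheck
Write-Output 'After (restart the computer for the change to take effect):'
Get-LoopbackCheckState | Format-List
```

Get-LoopbackCheckState on its own is also a quick audit: a DisableLoopbackCheck of 1 on a server means the check is off for every host name, not just the one site.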

Tuesday, September 8, 2009

Virtual Iron > XenServer Convert Data Disks

A majority of my Volumes on servers in Virtual Iron are set up using the MS iSCSI Initiator rather than having made them as Virtual Disks within VI. This made most of my conversions very easy. I had 1 case where a disk other than the system volume was a VI Disk. To move this disk to XenServer here's what I did.
  1. Use XenConvert 2.0 on the machine with the disk attached (ensure that any services such as SQL etc have been disabled so that the files on the disk are not in use)
  2. From: This Machine (machinename)
  3. To: Xen Virtual Appliance
  4. Choose disk (D: in this case)
  5. Choose location
  6. Once it's finished go to XenServer and select import VM
  7. Setup the import like a normal VM, but at the end deselect the "Start automatically" option
  8. Once finished importing you can delete the VM but choose to leave the SR intact
  9. Go to the server that needs the disk attached (or import if you haven't already) and attach the disk that's needed

Saturday, September 5, 2009

Restore XenServer with HP Lefthand Networks SAN

Today I had to restore a XenServer VM with the SR residing on an HP Lefthand Networks iSCSI SAN (SANiQ v8.1). It was smooth as butter and made me all happy inside due to the ease of the restore ;)

I had created a Wiki site for internal admin use on a W2K8 server on IIS. I decided that I didn't want to build another W2K8 server and use another license for the SharePoint site so instead I decided to have it run on the wiki site as well. During the install I made the mistake of creating the SharePoint site as the default site which was very effective for killing my Wiki site.

Luckily I had created a Snapshot on my LH Networks SAN prior to the SharePoint install. Here's the steps I used to restore.
  1. First I gave my test XenServer pool access to the Snapshot in the Lefthand Console.
  2. Turned off the Production server
  3. Detached the SR for the Production Server in question
  4. Created a new SR in the test pool
  5. Target IQN of the Snapshot name
  6. When you click finish it will see the disk and warn not to attach if other pools are using the SR (thus the reason we turned off and detached the production server / SR). Click Yes
  7. Create a new vm with correct properties.
  8. Select any install media, it won't matter as you won't be installing
  9. You won't be able to select the Virtual Disk you want since it won't have free space. So just select any disk and we'll fix later
  10. Give it a nic
  11. UNcheck the Start VM automatically
  12. Go into the properties of your new VM
  13. Change boot order so HD is first
  14. Go to Storage and Attach the correct Virtual Disk
  15. Delete the Virtual Disk from when you created the VM (if you selected one)
  16. Ensure RAM / CPU are set correctly and boot.
  17. Check over the server to ensure it's what you want to restore

Once I verified that this was the server snapshot that I wanted I went to pull this into production

  1. Turn off the test server you just created
  2. Forget the Virtual Disk (this doesn't destroy data)
  3. Go into the HP Lefthand console and right click the Snapshot you want and choose "Rollback".
  4. All Snapshots and changes created after that snapshot will be lost! Make sure this is what you want first.
  5. Go back to XenServer Console and click the Production SR and click Attach.
  6. Fill in the IP info and Discover LUN etc. Click yes to the warning about other VM's on it again.
  7. Start server
  8. Glance around the office to see if anyone noticed that the wiki was down ;)

Thursday, September 3, 2009

View Network Connections when Control Panel icons hidden

Occasionally I come across computers where the Control Panel has been "locked down" and the icons are hidden. Usually the hiding of these icons is done via a Group Policy.

I've found a couple of times now where the Network Connections icon is hidden, but this can be useful for finding out if a computer is getting an IP address correctly or not. Sure the command prompt ipconfig works too, but if the admin has the Control Panel locked down then surely they have the command prompt locked down ;)

Click Start
Click Run
Type ncpa.cpl
You'll see the friendly network connections you're used to seeing (Windows XP).
Right Click the connection and select status, support tab, details.

Tuesday, September 1, 2009

SQL Server 2000 to 2005 upgrade

Upgrade process from SQL2000 Standard to SQL2005 Standard

First check versions of SQL Server. You can do this by running SELECT @@VERSION on the master DB. For Analysis Services you can check by opening and clicking Help - About. 8.0.2039 = SP4

  1. Make backup of all DB's
  2. Apply SQL2000 SP4 if needed
  3. Apply SQL2000 Analysis Services SP4 if needed
  4. Install SQL2005
  5. Select the following
    1. SQL Server Database Services
    2. Analysis Services
    3. Workstation components, Books Online and development tools
    4. Others if needed
  6. Click Advanced
  7. Ensure pathing for each component
  8. Default Instance
  9. Select the following
    1. SQL Server Database Services 8.00.2039
    2. Analysis Services 8.0.2039.0
  10. SQL Server Authentication Mode
  11. Analysis will run
  12. Use the built-in System account (Local System)
  13. Latin1_General
  14. Accent - sensitive
  15. Dictionary order, case-insensitive, for use with 1252 Character Set.
  16. Install
  17. Install latest SP's / updates

Friday, August 28, 2009

Group Policy Results Wizard - Access Denied

I finished migrating a server from VI to XS using XenConvert 2.0. It seemed to go very smoothly, but then running the Group Policy Results wizard on it to help resolve what I believed was a GP issue gave the error:
Group Policy Error
The wizard was unable to generate the Group Policy data due to the error listed below.
Details: Access denied

A little looking and I found this:

Go to Command Prompt --> Copy Paste the below lines
cd /d %windir%\system32
regsvr32 /n /I userenv.dll
cd wbem
mofcomp scersop.mof
gpupdate /force

Worked like a charm.

Wednesday, August 26, 2009

SharePoint Services 3.0 Install on Windows Server 2008

Overall installation of SharePoint Services 3.0 on Windows Server 2008 was a breeze. I found one issue that was not listed in the user guide (or rather the solution didn't actually work).

After installing SharePoint Services navigating to the website prompts for username / password. In the install guide it's listed that adding the site to the trusted sites will solve the issue, but I found this not only to not fix the issue, but to not be necessary at all.

Instead, removal of IE ESC (Enhanced Security Configuration) was necessary. Open Server Manager and click on "Configure IE ESC" in the Security Information Section. Turn off for admins and users.

Friday, August 14, 2009

XenServer - The hosts in this pool are not homogeneous. cpus differ

When I was using Virtual Iron there wasn't a problem with using slightly different hardware. I quickly found when joining my second Dell 1950 to XenServer pool that this wasn't the case with Paravirtualized drivers.

Attempting to join gave the error: The hosts in this pool are not homogeneous. cpus differ.

After a little looking around I found that I had purchased 2 of my Dell 1950's at the same time and the third later on and apparently with a slightly different cpu.

After some more research I decided that it would "probably" be okay to force join the server into the pool. This would allow for shared storage of VM's, but not the use of XenMotion (I confirmed this later on)
xe pool-join master-address=IPofmaster master-user=root master-password=password force=true

Wednesday, August 12, 2009

XenServer Forget Host

During my implementation of XenServer I had an oops. It resulted in an unretrievable host.

To get rid of the host that isn't retrievable I did this:
  1. On the master console type: xe host-list
  2. Note the uuid of the dead host
  3. type: xe host-forget uuid=UUIDofHost
  4. type yes
  5. I then had several drives that were local to the bad host (greyed out drives in the pool)
  6. Note the uuid's of each drive (ie DVD drive, etc)
  7. type: xe sr-forget uuid=UUIDofDrive

Saturday, August 8, 2009

Virtual Iron > XenServer Terminal Server Conversion

This is pretty basic and follows the steps from my previous guides, but there were a couple of key points that I HAD to do in order to not have issues in the end.

  1. Uninstall VI Tools (Important)
  2. Start machine back up and follow these steps: (had to login via the local admin account, domain account login failed)
  3. Shutdown
  4. Export (this is for a Virtual Volume in VI, didn't have any Terminal / Citrix Servers with Raw LUN connections)
  5. Convert to xva
  6. Import and boot
  7. Login via local admin account
  8. Windows finds new hardware and installs drivers, reboot (not the pci device, but rather the hub root). I had to reboot after this occurred prior to installing XenTools otherwise funky issues happened, may not be related, but what's a reboot?
  9. Cancel the search for drivers for the PCI device
  10. Install XenTools
  11. Reboot
  12. Login and ensure IP address is correct. When I did this I found that in the Device manager the "Citrix XenServer PV Ethernet Adapter" was not working properly. I simply waited 5 minutes (was researching how to fix) and it finished its install and started working on its own in that time.
  13. Fix IP address if necessary
  14. Shutdown
  15. Change Memory, CPU, and Advanced options (select Optimize for Citrix XenApp)
  16. Boot

Thursday, August 6, 2009


User came in today for simple corporate issue, but also mentioned that his personal computer wasn't running. He'd taken it to "a big box store" and had been informed that he would have to buy a new Hard Drive and to reinstall everything ($280).

I volunteered to fix it ;) Mainly because I wanted to see if I could and somewhat because I'm a nice guy ;)

BSOD Unmountable_Boot_Volume 0x000000ED with second parameter of (0xC0000032).

Right off... according to MS this is a file system damaged error NOT a bad hard drive necessarily. I ran a utility that checks the disk and it came back that the disk is fine, just needs some tlc.

After running through chkdsk /r and fixboot and not getting any good results I fixed it by doing the following (note typing DIR also resulted in an error that I forgot to write down)
  1. Boot to Windows XP install disk
  2. Choose Repair (R)
  3. type fixmbr
  4. type y for yes to the warnings
  5. type fixboot
  6. type chkdsk /r (took a long time to run, but didn't fail like it previously had prior to running fixmbr)
  7. Reboot
  8. Hand back the computer saving the user $280 and the overall nuisance of the process.

Wednesday, August 5, 2009

VMWare / VI Conversion Tip

Received this great tip from an unidentified colleague ;)

He had used this method on VMWare machines. It also works great on Virtual Iron machines and especially with Windows Server 2008 conversions.

From within VMWare machine

  1. remove VMWare Tools
  2. reboot
  3. Go to the Device Manager->IDE ATA/ATAPI controllers
    • Right click on the "Intel 82371AB/EB PCI Bus Master IDE Controller" drive
    • Select 'Update Driver'
    • No, not this time
    • Install from list or specific location
    • Don't search
    • Select 'Standard Dual Channel PCI IDE Controller'
  4. This will update the driver to a generic non-busmaster driver.
  5. Shutdown your VM then convert to VHD


Wednesday, July 22, 2009

Virtual Iron > XenServer Raw LUN Server Conversion

Several of our Virtual Iron VMs were created without making a virtual storage disk and were mounted as raw LUNs instead. Servers without a virtual storage disk in VI can't be exported via the VI gui.

For this I ran a P2V conversion using XenConvert v2.0.1.

  1. Log into the server needing converted.
  2. Install XenConvert
  3. Remove Virtual Iron Tools and reboot
  4. From "This Machine (machine name)" To "Xen Virtual Appliance"
  5. Select the disk to convert and a location to store the conversion. In order to get this to work I had to map a network drive to the server with a drive of E (C for local disk and D for cdrom). According to the XenConvert guide this is a known issue.
  6. Conversion took a long time on a 20GB drive. This was due to it pulling the drive into a .vhd and then converting the .vhd into XVA.
  7. Import the ova.xml the same as outlined in Virtual Iron > XenServer Conversion

Important: the initial boot of the server was fine, but after a shutdown I began to receive the error "NT Detect Failed" when booting. I was able to fix this by booting to the installation CD and running a repair (R). Once at the prompt I ran chkdsk /r which resolved the issue

Note: I found it extremely important to remove the VI Tools before the conversion. Otherwise a lot of issues would begin on the second boot of the VM.

Tuesday, July 21, 2009

XenServer iSCSI SAN Setup/Config

There are 2 ways to setup iSCSI SAN connections in XenServer. Via cli or gui.

Create Bonded connection
  1. Click your Pool
  2. Click a Host
  3. Click NICs tab
  4. Click Create Bond
  5. Add NICs
  6. Create
  7. I then recommend going to Network and naming the bond that shows something understandable

GUI Method
  1. Click Server drop down then Management Interfaces
  2. Click New Interface at the bottom
  3. Name the MI and select the Network NIC
  4. Enter IP information

CLI Method

  1. Open the cli for the server needing connection to the iSCSI SAN
  2. Type "xe pif-list" to get the uuid of the pif you want to alter (note that eth0 is listed at the bottom)
  3. xe pif-reconfigure-ip mode=Static uuid=(enter uuid) ip=IPaddresshere netmask=Netmaskhere
  4. xe pif-param-set disallow-unplug=true uuid=(enter uuid)
  5. xe pif-param-set other-config:management_purpose="Storage" uuid=(enter uuid)
  6. At this point you should be able to ping an iSCSI storage node from the server console
  7. Don't make the same mistake I did... remember to give the server node access permissions within your SAN management interface so that it can discover the Target IQN. To find the IQN of the node type simply open the server node properties. On the General tab it is listed at the bottom. Change it to a desired IQN.
  8. Click Storage and select iSCSI
  9. Type in the IP of the Storage server target host
  10. Click discover IQNs then discover LUNs. Click Finish. Note that you will want to ensure that you have exported your VI server prior to connecting to any existing VI LUNs as it will format the disk for XenServer use.

At this point I went on to import the converted VI server onto the disk. Note that initial attempts to import a 19.99GB export onto a 20GB disk failed saying that there wasn't enough space. To get around this I edited the volume to have an additional .5GB. Less than this would have likely been sufficient. I then followed the import steps from Virtual Iron > Citrix XenServer Conversion to successfully import the VM.

Monday, July 20, 2009

Virtual Iron > Citrix XenServer Conversion

With the purchase of Virtual Iron by Oracle we decided to move away from VI/Oracle and into the realm of either MS HyperVisor or Citrix XenServer. This led us to the need of converting Virtual Iron VM's to XenServer VM's as we tested out Citrix XenServer.

I began by removing the Virtual Iron tools installation and then exporting a test server that was created with a Virtual Iron logical disk (ie boot source of "Disk") to a .vhd format. Download and Open XenConvert v2.0 and convert from VHD to Xen Virtual Appliance format. This will create an ova.xml and related directories for importing into XenServer (you could convert directly into XenServer as well). Open XenServer and select Import > Browse > change file types to "XenServer Virtual Appliance Version 1 (ova.xml)" > select the ova.xml file > Select Home Server > Select Storage > Click Import.

A 20 Gig .vhd took approx 20 mins to import and I didn't see a progress bar. Instead when it was completed the option for starting the server became available. Once the VM was started I removed the VI tools and installed the XenServer tools.

I haven't attempted a server that is raw LUN boot (ie boot source of SAN), but will post when I do and whether it's successful or not.

Edit: The import progress bar is displayed on the logs tab.

Note: I found it extremely important to remove the VI Tools before the conversion. Otherwise a lot of issues would begin on the second boot of the VM.

Monday, June 29, 2009

PHP Error Logging

Enable php error logging
Edit php.ini
Find the variable "error_reporting"
Set "error_reporting = E_ALL"
Find the variable "log_errors"
Set "log_errors = On"
Find the variable "error_log"
Set "error_log = \path\to\valid\logs\phperrors.log"

Saturday, June 27, 2009

Install MediaWiki on Server 2008

MediaWiki successfully installed/running on Windows 2008 with the following:
Windows Server 2008 Standard SP1 (Virtual Machine)
PHP v5.2.9
MySQL v5.1.34
MediaWiki v1.14

Install IIS7 on Windows Server 2008
  • Open Server Manager
  • Add Role - Web Server
  • Click - Add Required Features
  • Next, Next
  • Select CGI option under Application Development
  • Click Install
  • Install update for FastCGI - KB954946

Install PHP v5.2.9-2
  • Create a new directory: C:\PHP
  • Extract the contents of to C:\PHP
  • Navigate to C:\PHP and change the name of "php.ini-recommended" to "php.ini"
  • Open php.ini and uncomment the following (uncomment by removing the ;)
    1. open_basedir (then add the following = "C:\inetpub\wwwroot")
    2. extension_dir (then change to show as "./ext")
    3. cgi.force_redirect = 0 (change from 1 to 0)
    4. cgi.fix_pathinfo=1
    5. fastcgi.impersonate = 1
    6. extension=php_mysql.dll
    7. extension=php_mysqli.dll
    8. upload_tmp_dir="C:\inetpub\wwwroot\WikiName\upload" Create a new folder in C:\inetpub\wwwroot\WikiName named "upload"
    9. session.save_path = "C:\php\session" Create a new folder in C:\PHP named "session".
    10. IMPORTANT - Ensure that the session and upload folders created have write permissions for Users.
  • At a command prompt navigate to C:\PHP, type php -info and press Enter (ie C:\PHP\php -info). You should see the config of php or a lot of information scroll across the screen
  • Open IIS Manager
  • Open Handler Mappings
  • Select "Add Module Mapping"
    1. Request path = *.php
    2. Module = FastCgiModule
    3. Executable = C:\PHP\php-cgi.exe
    4. Name = PHP via FastCGI
  • Click OK, then Yes when prompted
  • Navigate to C:\inetpub\wwwroot and create a new file named phpinfo.php then edit the contents to show: <?php phpinfo(); ?>
  • Open IE and navigate to http://localhost/phpinfo.php the site should display as PHP Version 5.2.9-2 with other config data on the rest of the page

Install MySQL v5.1.34
  • Run mysql-5.1.34-win32.msi to install
  • Typical install
  • Default Location
  • Configure the MySQL Server now option checked
  • Change to standard configuration
  • Install as Windows Service (Default)
  • Uncheck Modify Security Settings (This will be changed later)
  • Execute (note that it may have errors and fail, if so hit cancel)
  • From a command prompt navigate to C:\Program Files\MySQL\MySQL Server 5.1\bin
  • Type mysqladmin -u root password NEWPASSWORD

Install MediaWiki v1.14
  • Create new directory C:\inetpub\wwwroot\WikiName
  • Copy mediawiki-1.14.0 contents to C:\inetpub\wwwroot\WikiName
  • Run the following at a command prompt to grant permissions to the config folder (so that it can write the localsettings file): icacls %SystemDrive%\Inetpub\wwwroot\WikiName\config /grant BUILTIN\IIS_IUSRS:(W)
  • Open IE and navigate to http://localhost/WikiName/config/index.php
  • Enter Wiki name: WikiName
  • Database Config
    1. Database name = WikiName
    2. Username = root
    3. Password = MySQL root password
  • Click "Install MediaWiki!"
  • At the bottom of the next page you should see "Installation Successful!"
  • Close IE
  • Copy the localsettings.php from C:\inetpub\wwwroot\WikiName\config to C:\inetpub\wwwroot\WikiName
  • Open IE and navigate to http://localhost/WikiName/index.php You should see the Main page "MediaWiki has been successfully installed"
  • Delete the config folder
  • Change permissions on the WikiName\Images folder so that Users and IUSR have write access (for uploads to work)

Other Goodies to enable:
* $wgEnableUploads = true;
* $wgFileExtensions = array('png', 'gif', 'jpg', 'jpeg', 'doc', 'xls', 'pdf');
* $wgVerifyMimeType = false;

Disable reading by anonymous users
* $wgGroupPermissions['*']['read'] = false;
But allow them to read e.g., these pages:
* $wgWhitelistRead = array ("Main Page", "Special:Userlogin", "Help:Contents");
* $wgGroupPermissions['*']['edit'] = false;

Custom Logo
* $wgLogo = "{$wgScriptPath}/ImageName.jpg"; (image saved in the WikiName root folder)

Thursday, June 25, 2009

Batch File Date/Time in Filename

I wanted to create a batch file that made a mysql backup with the dbname, date, time in the filename:

for /f "tokens=1,2" %%u in ('date /t') do set d=%%v
for /f "tokens=1" %%u in ('time /t') do set t=%%u
if "%t:~1,1%"==":" set t=0%t%
set timestr=%d:~6,4%%d:~0,2%%d:~3,2%_%t:~0,2%%t:~3,2%

"C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqldump" -u root --password=YOURPASSWORD dbname > "C:\MySQLBackups\wikidbname\dbname-%timestr%.sql"

I then set it to look for and delete backups that were older than 14 days.

cd /d C:\MySQLBackups\wikidbname || exit /b 1
forfiles /d -14 /c "CMD /c del @FILE"

Note: Make sure that there are NO other FILES in the directory specified or they will be removed, including this batch file if you place it in that directory.
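The same backup-and-prune job as an added PowerShell example (not the author's script): the timestamp does not depend on the regional format that `date /t` prints, the password stays off the command line, and pruning only touches files that match this job's own dump names. The function names and the option-file path C:\MySQLBackups\backup.cnf are assumptions; the mysqldump path and backup folder are the ones used above.

```powershell
# Added example: not the author's script. The mysqldump path and backup folder
# are the ones used in the post; the option-file path is an assumption.
$ErrorActionPreference = 'Stop'
$MysqlDump  = 'C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqldump.exe'
$BackupRoot = 'C:\MySQLBackups\wikidbname'
# Assumed option file, readable only by the backup account, containing:
#   [client]
#   user=root
#   password=YOURPASSWORD
$OptionFile = 'C:\MySQLBackups\backup.cnf'

function Get-DumpFileName {
    param([string]$Database, [datetime]$When = (Get-Date))
    # An explicit format with the invariant culture always yields yyyyMMdd_HHmm,
    # whatever regional settings the account running the task has.
    $stamp = $When.ToString('yyyyMMdd_HHmm',
                            [Globalization.CultureInfo]::InvariantCulture)
    '{0}-{1}.sql' -f $Database, $stamp
}

function Get-ExpiredDump {
    param([string]$Folder, [string]$Database, [int]$KeepDays = 14,
          [datetime]$Now = (Get-Date))
    $cutoff  = $Now.AddDays(-$KeepDays)
    $pattern = '^' + [regex]::Escape($Database) + '-\d{8}_\d{4}\.sql$'
    # Only files this job created (dbname-YYYYMMDD_HHMM.sql) are candidates, so
    # a script or any other file stored in the folder is never deleted.
    Get-ChildItem -Path $Folder |
        Where-Object { -not $_.PSIsContainer -and
                       $_.Name -match $pattern -and
                       $_.LastWriteTime -lt $cutoff }
}

function Invoke-DatabaseBackup {
    param([string]$Database)
    $target = Join-Path $BackupRoot (Get-DumpFileName -Database $Database)
    # --defaults-extra-file must be the first option; it keeps the password out
    # of the process command line. --result-file lets mysqldump write the file
    # itself, because Windows PowerShell's > redirection would re-encode the
    # dump as UTF-16.
    & $MysqlDump "--defaults-extra-file=$OptionFile" "--result-file=$target" $Database
    $code = $LASTEXITCODE
    if ($code -ne 0) {
        # Remove the partial dump and leave the older backups alone.
        Remove-Item -Path $target -ErrorAction SilentlyContinue
        throw "mysqldump exited with code $code; old backups were kept"
    }
    # Prune only after a good dump, so a failing job cannot age out every backup.
    Get-ExpiredDump -Folder $BackupRoot -Database $Database | Remove-Item
    $target
}

Invoke-DatabaseBackup -Database 'dbname'
```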

Monday, June 22, 2009


After a fresh install of Windows Server 2008 I was receiving this error on Windows Update

Running the following fixed it:

Saturday, June 20, 2009

MySQL 5.1 Backup / Restore

Here is the process I came up with to backup and restore a MySQL v5.1.34 Database

To Backup:
mysqldump -u root --password=PASSWORD dbname > c:\mysqlbackups\backupfile.sql

This can then easily be entered into a batch file and run via scheduled tasks for regular backups.

To Restore:
mysql -u root --password=PASSWORD dbname < c:\mysqlbackups\backupfile.sql

Note: mysql and mysqldump are located in the installation directory's bin folder

It's also important to note that the generated backup file could be used in other DB engines since it is just SQL statements that recreate the DB and populate the data.

Wednesday, June 17, 2009

"The system cannot find the drive specified" Windows 7

Windows Vista was a bust imo, I dislike it like I disliked Windows ME. So this week I downloaded Windows 7 RC to see how it fares.

Download was long, but I just let it run overnight and then continued with the install in the morning.

I installed Windows 7 RC into a Virtual Iron virtualization environment. Install was easy with no issues at all. I gave the install 2GB RAM, 2 CPU's at 2.66GHZ each and 20GB HD (the VI backend storage is iSCSI SAN). Installation was actually very fast and I was up in no time.

Icons in the task bar seem so large and take up too much space imo. Right click, properties, check use small icons. Only problem I see at this point is that each button needs several pixels shaved off each side so they aren't as wide anymore. Just an annoyance.

------------------- SOLVED - Solution below -----------------
Open cmd prompt, U: enter.... "The system cannot find the drive specified"
Hmm... Try it on XP, works just fine. K. Look under Computer and yep, all my drives were mapped from the domain logon script. I do have a U: drive according to the "Computer" view along with all my other normal mapped drives, but the U and I notice that my R drives do not have permissions. Being a Domain Admin I most definitely do have permissions. Strange, then I realized that the missing drives are DFS mapped drives... All non-DFS drives show up.
After a little research I figure out that using the Pre-Windows 2000 domain name is what doesn't work. If I enter the FQDN then it works fine.

This is actually more of an issue than it sounds like. With 250 users with shortcuts mapped out to the pre-windows 2000 domain name changing this will break a lot of links in documents and shortcuts.
This was actually a very simple fix. Simply remove the workstation from the domain and then rejoin. The Win7RC workstation had been restored to a prior state from a snapshot that was made on the iSCSI SAN. From the time that the snapshot was made to the time of the restore the computer's domain password had changed. As such it no longer matched up and didn't have the proper permissions as a result.

Block unwanted sites with HOSTS File

The other day I got a call from a colleague asking about antivirus software. During the conversation he had asked if I was using the HOSTS file from I wasn't but checked it out as it sounded very intriguing.

I've since then applied it to my workstation and I'm seriously considering pushing it down to other users.

Check it out:

Sunday, June 14, 2009

Citrix - Printer Errors

For a long time our environment has been plagued by an issue that "seems" random where Citrix user logs in, attempts to print from x application, fails with random error.

The errors usually go along the lines of

  • Select a printer
  • No printers installed

The user can't print from some applications while other apps still work fine. Usually the default printer in the applications that do print is not set according to what shows in the Printer Management screen. The printer in question is listed in the Printer Management screen.

Attempting to delete the printer from the Print Management screen results in an error "Cannot delete client printer" (the error is a little longer, but I don't have the exact error in front of me atm)

From there simply adding the printer again fixes the issue and even allows the printer to be deleted.

Looking at the user's profile hive in the registry shows that the printer is listed under HKUSERS/UserSID/Printers and removing it here removes the printer in the Print Manager screen, then adding the printer back resolves the issue.

Things to note:
All drivers are either:
  • Native Drivers
  • Stress Tested

This does not occur with "auto-created" printers, but rather normally with printers that are assigned via Citrix print policies.

What really annoyed me was that the user couldn't delete the printer unless they re-added the printer first. This led me to believe that perhaps the printer registry keys do not have the proper permissions for the user to remove them (similar to the administrator access denied issue)

With this new information I began searching and found this:
which in turn quickly led to this:

I have since added the x2 to my DefaultPrnFlags key to make it now appear as 0x28004000

8000000 for the auto Creation event log errors and 4000 for adding the administrator permissions to the printers.

Time will tell if this fixes the problem for Windows2003 (note the article mentions that it is fixed in Windows2008 since w2k8 maps the printers differently)

Thursday, June 11, 2009

Disable UAC

Here's how to disable UAC in Vista, Windows 7, and Server 2008

Vista and 2008
Control Panel > User Accounts > Turn User Account Control on or off

Windows 7
Control Panel > System and Security > Action Center "Change User Account Control settings"
Use the slider up and down to set the UAC level.

Wednesday, June 10, 2009

Mass file copy

Recently I needed to copy a shortcut to a mass number of users. Since we utilize Citrix this made the task considerably easier for me. We redirect all user settings to a central location so I was able to easily script out the copy using a Text file that contained the names and Loop through all the user names.

Created the shortcut to be copied and the text file in the following format:

Dim FSO, objTextFile, strNextLine, fREM, fLOC, answer, cUser, userName
Const ForReading = 1
Set FSO = Wscript.CreateObject("Scripting.FileSystemObject")
answer = MsgBox("Run the file copy?", 1)   ' 1 = OK/Cancel buttons
If answer = 2 Then                          ' 2 = Cancel was pressed
    MsgBox "You pressed cancel"
Else
    fLOC = "C:\ShortcutCopy\ShortcutName.lnk"
    Set objTextFile = FSO.OpenTextFile("c:\ShortcutCopy\names.txt", ForReading)
    Do Until objTextFile.AtEndOfStream
        strNextLine = objTextFile.ReadLine
        ' A line may hold one user name or several separated by commas
        cUser = Split(strNextLine, ",")
        For Each userName In cUser
            If Trim(userName) <> "" Then
                fREM = "\\path\path\path\" & Trim(userName) & "\path\desktop\ShortcutName.lnk"
                MsgBox "Copying to " & fREM
                FSO.CopyFile fLOC, fREM, True   ' True = overwrite existing file
            End If
        Next
    Loop
    objTextFile.Close
    MsgBox "Copy completed"
End If

Friday, June 5, 2009

Citrix Printers - Creation Errors

Default installs of Citrix have creation logging turned on by default. This can cause a lot of excess errors in the eventvwr which generally are not useful.

Add the following

You can combine this one with the Access key by making the dword:08004000 (see Citrix Printers - Access Denied)

Tuesday, June 2, 2009

Citrix Printers - Access Denied

By default I've found that in Citrix admins do not get permissions to auto-created printers.
Add the following

Sunday, May 31, 2009

SQL 2005 Install error

There was an unexpected failure during the setup wizard. You may review the setup logs and/or click the help button for more information.

This is caused when you downloaded your install files. After unzipping them you need to place the installation files in to the respective folders:

This allows the installation to find the needed files which are hard coded into the installation to look in ./Tools for the components.

Wednesday, May 27, 2009

IE8 Enable Compatibility Mode

Recently I began testing out IE8 in our environment to ensure that everything would work properly on it. I quickly found that our Citrix Access Gateway didn't display properly. Not a big deal for most users, but... well you know.

Group Policy Under Computers
Administrative Templates/Windows Components/Internet Explorer/Compatibility View
* Use Policy List of Internet Explorer 7 sites *

Now it doesn't even matter. They'll never know the difference on corporate computers.

Sunday, May 24, 2009

Disable IE8 In-Private Feature

With the release of IE8 comes a new feature that allows a user to turn on "In-Private" browsing. This makes the following true:
1. The browsing history for the session is not stored.
2. Temp Internet Files / Cookies are removed.
3. Searches / Addresses are not saved
4. Passwords are deleted

This is great for that loved one that is getting the perfect gift and doesn't want their girl/guy to accidentally get clues as to what the present might be.

BUT the likely use of this feature has coined it the term "Porn-Mode". There are very few reasons that a corporate network should have need of the In-Private feature and it should be locked down.

Install IE8 on a domain controller
In Group Policy make a setting that applies to all computers (ie Default Domain Policy).
Machine/Admin Templates/Windows Components/Internet Explorer/InPrivate/Turn off In-Private Browsing

For home users this can (and should) be disabled especially if you have kids.

Click Start then click Run. Type gpedit.msc and hit Enter
User Configuration > Administrative Templates > Windows Components > Internet Explorer > InPrivate
Here you will see the option "Turn off InPrivate Browsing"
Double click the policy and set to "Enabled" to disable InPrivate Browsing
Close the Group Policy window and open IE8 and ensure that it is disabled.

via the registry: (Making changes to your computer's registry can cause unrepairable damage if done incorrectly)
HKLM/Software/Policies/Microsoft/Internet Explorer/Privacy/EnableInPrivateBrowsing
You may have to create the keys "Internet Explorer", "Privacy", or the Dword "EnableInPrivateBrowsing" with a value of 0 to disable.

Thursday, May 21, 2009

Remote View Internet Explorer History

On several occasions I've found it necessary to view a user's IE History. Sure I can login as the user and open IE and view the history, but I prefer the remote route.

I found this tool which allows you to view history folders of users. You can even use a UNC path to the user's history folder. I've found it very useful for determining what site a user is on when they found spyware, viruses, etc.

Sunday, May 17, 2009

Block IE8

Here's the quick key to block IE 8 from installing before you are ready for it.

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Setup\8.0

DWORD - DoNotAllowIE80 - set to 1 to prevent

Monday, May 11, 2009


NumLock can be turned on by default several ways. This is normally done in the BIOS, but in some circumstances I've found that this isn't an option or doesn't work (usually on older systems).

Another method is to force it in the registry.

[HKEY_USERS\.Default\Control Panel\Keyboard]

Thursday, May 7, 2009

Registry Changes via Regedit or VBScript

Recently I decided to make a new batch file that would automate setting up a new workstation that is installed fresh from the disks to prep it for sysprep/imaging. During this process I found that I needed to make several Registry changes. I found 2 ways to do this easily.
1. use the regedit command (haven't tested)
regedit filename.reg
/S to suppress the message box (also see /E and /D for export and delete options)

Within the file the following are valid:
Windows Registry Editor Version 5.00
To Clear
To remove
Remove entire key

2. Using VBScript which I find easier
Pick one depending on the key(s) being modified
Const HKEY_CURRENT_USER = &H80000001
Const HKEY_LOCAL_MACHINE = &H80000002
Const HKEY_USERS = &H80000003

strComputer = "."
Set objReg = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")

strKeyPath = "SOFTWARE\Path"
strValueName = "KeyName"
svalue = "Value"
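' Use the call that matches the value type: SetStringValue for REG_SZ,
' SetDWORDValue for REG_DWORD (svalue must then be a number)
objReg.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, svalue
objReg.SetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, svalue

' Example (a separate script): set the default power policy
Const HKEY_USERS = &H80000003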
strComputer = "."
Set objReg = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")
strKeyPath = ".DEFAULT\Control Panel\PowerCfg"
strValueName = "CurrentPowerPolicy"
svalue = "3"
objReg.SetStringValue HKEY_USERS, strKeyPath, strValueName, svalue

Monday, May 4, 2009

Remotely Add Scheduled Tasks (SCHTASKS)

echo off
SCHTASKS /Create /S MachineName /RU administrator /RP password /SC DAILY /MO 1 /TN TaskName /TR C:\batfileorapplocation\name.bat /ST 03:00:00 /SD 01/30/2009

see SCHTASKS /? for more information on other uses of SCHTASKS

Friday, May 1, 2009

Clear Pagefile on Shutdown

Clear Pagefile on Shutdown can be toggled on and off to help speed shutdowns. By default it clears the pagefile on shutdown for security reasons.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]

Sunday, April 26, 2009

Terminal Server / Citrix Printing Errors

Terminal Servers and Citrix can be very picky when it comes to printers. BSOD, print spooler crash, auto-created printers fail, etc. The list of side effects of a bad print driver can be overwhelming.

Something that should be noted right away. These issues are not necessarily due to bad programming from Citrix or TS. These problems are the direct result of sloppy drivers written by the manufacturers (HP, Sharp, etc). To fully fix the issue the printer manufacturers need to step up and write true multisession drivers. That said...

The normal issue that is experienced with Citrix/Terminal Services and print drivers is that a driver is not true multisession aware or an application it calls upon isn't multisession aware. This can cause a number of issues the most common I’ve seen to be that the print spooler stops responding and crashes. Simply restarting the print spooler and citrix print management service fixes this until the next error. The errors can start by users logging in, printing, etc.

How to fix….
Create a batch file to automatically restart the services for you when it crashes
This will give you some breathing room to actually work on the issue rather than just putting out fires.

net stop "Citrix Print Manager Service"
net stop "Print Spooler"
net start "Print Spooler"
net start "Citrix Print Manager Service"
SET logfile=C:\AdminTools\SpoolerCrashLogs.log
ECHO Print spooler crashed on %date% at %time% on %computername% >> %Logfile%

This will stop each service and then restart in the correct order. It then looks for the logfile and will log that it did this. This gives you a visual representation so that they can actually see how bad the problem is (longer the file, worse the problem).
Go into Services and set the print spooler service Recovery tab so that first, second, and subsequent failures run a program. Set the path of the program to run to the location of the batch file created.
To test you can open the task manager and end task on the spoolsv.exe then check the logfile. It should have logged it if it’s working and the print spooler and citrix print manager service should have restarted.

Next we need to find the drivers that are causing the problem.
If it produces a failure then you have your bad driver. Certain errors can be ignored (see bottom of above link page for details on running and errors).

Run it for each driver with different criteria (ie test it creating 1 printer, then 5, then 10) I tested up to 40 printer creation. If it could pass that then it’s good. Note this tool can also be used to find which types of drivers perform best (PCL5 vs PCL6 vs PS). Also test multiple drivers simultaneously (HP 4050 and 4350 at same time).
Make list of all drivers that don’t pass.

Create new list of printers and map to only drivers that passed the test (for instance if a 4100 series driver passed but a 4200 series didn’t then map the 4200 printer to the 4100 driver).
  • Use the MS spooler cleaner utility (ensure all users are logged off the Citrix server). (it’s the cleanspl.exe tool).
  • If using a network print server… you have to start there which likely isn’t a small job. In my environment I rebuilt printing from the ground up. (long term has saved me countless hours though). NOTE if you run this tool you can’t undo! Make sure you are ready to rebuild the servers print drivers/printers list including all ports, etc. Make very sure you have a list of all printer share names and driver mappings etc.
  • When you run it, it asks you if you want to remove some things that are actually delivered (and installed by default) with Windows. In most cases, you should answer No to the corresponding prompts (you don't want to remove the Standard TCP/IP Port or the BJ Language Monitor).
  • After cleaning print server and Citrix servers spoolers reinstall only the good drivers and map printers to correct drivers.
  • Test all drivers prior to installing / purchasing new printers. Make a list of good drivers and only allow them, make no exceptions.
  • Don’t trust manufacturer’s “supported” lists. I know for a fact that the HP list and Sharp list both contain drivers that they state they “tested” and support in Citrix and I have verified that they cause various issues in Citrix from spooler crash to high RAM usage or CPU usage.
  • Use as few drivers as possible.
  • Use only Windows Native drivers if possible. (drivers from the windows installation disk)
  • Ensure that all print processors are “winprint”. Disabling Advanced properties also helps with speed.
  • Absolute must!!! Create policy in Citrix and AD Group Policy
    Citrix Printing – Drivers – Native printer driver auto-install
    i. Enabled
    ii. Do not automatically install drivers
    Citrix Printing – Drivers – Universal driver
    i. Enabled
    ii. Use universal driver only if requested driver is unavailable
    Active Directory Group Policy create template
    i. Create and attach custom adm to group policy and enable it. This prevents mapping of print drivers through RDP sessions (ie Administrator logons to Citrix/TS servers via RDP). Enable it with Loopback policy so that it only applies to your Terminal Servers (or other servers if wanted as well).
CLASS MACHINE
CATEGORY "Custom RDP Printer Redirection"
POLICY "RDP Printer Redirection"
EXPLAIN "When enabled this policy stops mapping of printers from client workstation through RDP sessions - This does not affect ICA connections - The Default GP rule affects both ICA and RDP - Purpose is to prevent Admin RDP sessions from installing drivers. Set to Enabled to Disable Mapping"
KEYNAME "System\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp"
VALUENAME "fDisableCpm"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY
END CATEGORY

Some other good reading…

The absolute best solution though… Throw away all printers.

Note: see my post HP Print Monitor Errors / RAM and CPU Utilization regarding how to "fix" some HP drivers so that they work in TS / Citrix environments with less problems.

Thursday, April 23, 2009

HP Print Monitor Errors / RAM CPU Utilization

HP print drivers sometimes contain worthless "monitors" which are installed by default (and can't be opted out of). Following are directions on what some of these monitors are and how to manually remove them prior to installation.

These monitors can cause RAM and CPU usage issues. hpbpro.exe, hpboid.exe are the main problematic executables that are executed with each print job / user logon.

Clean spooler using cleanspl.exe from MS
Download latest driver. I tried this on the 4x50 and 4100 drivers
Extract the driver to a temp directory
Edit the .inf file and remove all references to the exe’s, msi’s, and dll’s in question (most have at least 2 references to the file)
4x50 I removed hpzdbi.dll, hpzDBI32.msi, hpcdmc32.dll
4100 I removed hpboid.exe, hpbpro.exe, hpbmini.dll, hpcdmc.dll

Install using the edited .inf file. This prevents the bad files from being copied into the spooler directory or even being placed in the registry from installation.
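To confirm that every reference to the monitor files is gone from the edited .inf before installing, the check below lists each remaining reference with its section and line number. It is an added PowerShell example, not from the original post; the function name Find-InfReference and the sample INF text are constructed for illustration.

```powershell
# Added example, not from the original post. The INF text below is constructed
# sample data, not a real HP driver file.
$SampleInf = @'
[Version]
Signature="$Windows NT$"

[SourceDisksFiles]
hpbmini.dll = 1
hpboid.exe  = 1   ; status monitor
unidrv.dll  = 1

[HP_Files]
hpboid.exe
HPBPRO.EXE
unidrv.dll

; hpcdmc.dll used to be listed here
'@

function Find-InfReference {
    param(
        [string[]]$Lines,      # INF content, one element per line
        [string[]]$FileName    # file names that must no longer be referenced
    )
    $section = '(none)'
    $lineNo  = 0
    foreach ($raw in $Lines) {
        $lineNo++
        # Everything after ';' is treated as a comment and ignored.
        # Simplification: a ';' inside a quoted string is also cut here.
        $text = ($raw -split ';', 2)[0].Trim()
        if ($text -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($text -eq '') { continue }
        foreach ($name in $FileName) {
            # Whole-name match (case-insensitive by default), so hpboid.exe
            # does not also match hpboid.exe.bak or xhpboid.exe.
            $pattern = '(?<![\w.\-])' + [regex]::Escape($name) + '(?![\w.\-])'
            if ($text -match $pattern) {
                [pscustomobject]@{
                    File    = $name
                    Section = $section
                    Line    = $lineNo
                    Text    = $text
                }
            }
        }
    }
}

# File names the post removed from the 4100 driver.
$targets = 'hpboid.exe', 'hpbpro.exe', 'hpbmini.dll', 'hpcdmc.dll'

# For a real driver, pass (Get-Content 'path\to\driver.inf') as -Lines instead.
$hits = Find-InfReference -Lines ($SampleInf -split "`r?`n") -FileName $targets

# Remaining references, grouped so files with two or more entries stand out.
$hits | Sort-Object File, Line | Format-Table File, Section, Line, Text -AutoSize

# Names with no remaining reference (only mentioned in comments, or not at all).
$targets | Where-Object { @($hits | ForEach-Object { $_.File }) -notcontains $_ }
```

An edited .inf is ready to install when the first table is empty and every target name appears in the second list.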

Here’s another method that I have not tested, since just removing the file references from the .inf worked for me.
I found 2 DCOM components with the same names as the services: HP Port Resolver, HP Status Server. From the properties of both components, I modified Launch Permission and Configuration Permission, removing all accounts (MMC will crash because you will not have permissions). You must then disable both Windows Services and restart the server.

Monday, April 20, 2009

Group Policy Folder Redirection

Group Policy has folder redirection built into it, but imo it's not sufficient for all the redirect needs that can be found in a Terminal Server environment. To compensate I wrote my own template with folder redirection.

In this template I included some folders that shouldn't be redirected (Local Settings). I did this because in some environments I had found that the settings for these locations had already been redirected, usually by a login script.

Obviously the paths need to be changed to reflect your environment. For other folders such as My Documents, use the redirection settings provided by MS, as they have additional functionality such as copying from the current location on redirection.

Don't forget to use this with Loopback Policy so that it only applies to your Terminal Servers. Otherwise you will have a mess with your laptops / desktops.

CLASS USER
CATEGORY "Custom Folder Redirection"
KEYNAME "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"

POLICY "Application Data"
EXPLAIN "When enabled this policy redirects the 'Application Data' folder to the path specified. You can use either a UNC or drive path."
PART "Path to where you want the Application Data Folder redirected." EDITTEXT EXPANDABLETEXT REQUIRED
DEFAULT "U:\TSProfile\Application Data"
VALUENAME "AppData"
END PART
END POLICY

POLICY "Cache"
EXPLAIN "When enabled this policy redirects the 'Temporary Internet Files' folder to the path specified. You can use either a UNC or drive path."
PART "Path to where you want the Temp Int Files Folder redirected." EDITTEXT EXPANDABLETEXT REQUIRED
DEFAULT "%Userprofile%\Local Settings\Temporary Internet Files"
VALUENAME "Cache"
END PART
END POLICY

POLICY "Favorites"
EXPLAIN "When enabled this policy redirects the 'Favorites' folder to the path specified. You can use either a UNC or drive path."
; No DEFAULT path is given for this folder
PART "Path to where you want the Favorites Folder redirected." EDITTEXT EXPANDABLETEXT REQUIRED
VALUENAME "Favorites"
END PART
END POLICY

POLICY "History"
EXPLAIN "When enabled this policy redirects the 'History' folder to the path specified. You can use either a UNC or drive path."
PART "Path to where you want the History Folder redirected." EDITTEXT EXPANDABLETEXT REQUIRED
DEFAULT "%Userprofile%\History"
VALUENAME "History"
END PART
END POLICY

POLICY "Local AppData"
EXPLAIN "When enabled this policy redirects the 'Local AppData' folder to the path specified. You can use either a UNC or drive path."
PART "Path to where you want the Local AppData Folder redirected." EDITTEXT EXPANDABLETEXT REQUIRED
DEFAULT "%Userprofile%\Local Settings\Application Data"
VALUENAME "Local AppData"
END PART
END POLICY

POLICY "Local Settings"
EXPLAIN "When enabled this policy redirects the 'Local Settings' folder to the path specified. You can use either a UNC or drive path."
PART "Path to where you want the Local Settings Folder redirected." EDITTEXT EXPANDABLETEXT REQUIRED
DEFAULT "%Userprofile%\Local Settings"
VALUENAME "Local Settings"
END PART
END POLICY

POLICY "NetHood"
EXPLAIN "When enabled this policy redirects the 'NetHood' folder to the path specified. You can use either a UNC or drive path."
PART "Path to where you want the NetHood Folder redirected." EDITTEXT EXPANDABLETEXT REQUIRED
DEFAULT "U:\TSProfile\NetHood"
VALUENAME "NetHood"
END PART
END POLICY

POLICY "PrintHood"
EXPLAIN "When enabled this policy redirects the 'PrintHood' folder to the path specified. You can use either a UNC or drive path."
PART "Path to where you want the PrintHood Folder redirected." EDITTEXT EXPANDABLETEXT REQUIRED
DEFAULT "U:\TSProfile\PrintHood"
VALUENAME "PrintHood"
END PART
END POLICY

POLICY "Programs"
EXPLAIN "When enabled this policy redirects the 'Start Menu Programs' folder to the path specified. You can use either a UNC or drive path."
PART "Path to where you want the Start Menu Programs Folder redirected." EDITTEXT EXPANDABLETEXT REQUIRED
DEFAULT "U:\TSProfile\Start Menu\Programs"
VALUENAME "Programs"
END PART
END POLICY

POLICY "Recent"
EXPLAIN "When enabled this policy redirects the 'Recent' folder to the path specified. You can use either a UNC or drive path."
PART "Path to where you want the Recent Folder redirected." EDITTEXT EXPANDABLETEXT REQUIRED
DEFAULT "U:\TSProfile\Recent"
VALUENAME "Recent"
END PART
END POLICY

POLICY "SendTo"
EXPLAIN "When enabled this policy redirects the 'SendTo' folder to the path specified. You can use either a UNC or drive path."
PART "Path to where you want the SendTo Folder redirected." EDITTEXT EXPANDABLETEXT REQUIRED
DEFAULT "U:\TSProfile\SendTo"
VALUENAME "SendTo"
END PART
END POLICY

POLICY "Startup"
EXPLAIN "When enabled this policy redirects the 'Startup' folder to the path specified. You can use either a UNC or drive path."
PART "Path to where you want the Startup Folder redirected." EDITTEXT EXPANDABLETEXT REQUIRED
DEFAULT "U:\TSProfile\Start Menu\Programs\Startup"
VALUENAME "Startup"
END PART
END POLICY

POLICY "Templates"
EXPLAIN "When enabled this policy redirects the 'Templates' folder to the path specified. You can use either a UNC or drive path."
; No DEFAULT path is given for this folder
PART "Path to where you want the Templates Folder redirected." EDITTEXT EXPANDABLETEXT REQUIRED
VALUENAME "Templates"
END PART
END POLICY

END CATEGORY


Friday, April 17, 2009

Group Policy Issues

Recently I started experiencing GP issues on select machines, usually new ones. We were seeing the normal errors with GP problems:

Event Source: Userenv
ID: 1053
Description: Windows cannot determine the user or computer name. (The RPC server is unavailable. ). Group Policy processing aborted.

Event Source: AutoEnrollment
ID: 15
Description: Automatic certificate enrollment for local system failed to contact the active directory (0x8007003a). The specified server cannot perform the requested operation. Enrollment will not be performed.

Event Source: Userenv
ID: 1054
Description: Windows cannot obtain the domain controller name for your computer network. (A socket operation was attempted to an unreachable host. ). Group Policy processing aborted.

Okay, login, gpupdate /force all good, DNS resolves, network connected, GP IS applied.

Event Source: NETLOGON
ID: 5719
Description:No Domain Controller is available for domain ***** due to the following: The RPC server is unavailable. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.

Strange, I can ping the computer immediately after bootup, in fact before the user can even login. So of course I update the computer NIC driver (HP dc5800) with the latest and greatest after finding several posts regarding Intel and Broadcom NICs. Problem solved, right?

Next day, same issue. (Note: the user doesn't actually see ANY issues, I just see it in the event log and it bugs the hell out of me, and it's on multiple computers, all with newer Intel / Broadcom NICs.) Sure, I found all the posts stating that you can update the driver (which I did), set the link speed to 100 (but I installed gigabit switches so we could use gigabit, not fast ethernet), check w32Time (which was correct), network issues (which I didn't "think" I had), DNS issues, check firewall, rejoin the domain, etc.

So I happened across this handy MS article.
Sounds just like it. Gigabit network, Gigabit NIC, still get net shares, etc.

"This problem is more likely to occur on fast networks that use 1-gigabit network adaptors or in teaming environments where the network takes several additional cycles to negotiate link speed"

No good, applied the setting and same errors. Grrrr.

So the next day I checked some of its settings. Here's how I have now resolved this error on multiple machines:
1. Turn off Hibernation
2. Check NIC Power Settings and remove anything mentioning reduce power, standby, hibernation, etc.

No more errors =)

Tuesday, April 14, 2009

Prompt for Remote File Copy

Recently we needed to push some files to over 80 remote laptops. Being that they were laptops, of course not all of them are on the network at one time (strange...). That being the case, a file with the list of laptops wasn't really an option, since the users would be bringing in their laptops at unknown times. Being slightly lazy, I didn't feel like manually copying the folders each time and came up with this script to simplify the process, so that with just a couple of keystrokes per laptop the files would be copied.

Note: depending on the folder size being copied it may take some time for the Copy Completed box to popup and will appear to be doing nothing while copying.

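Dim FSO, fREM, fLOC, cREM

Set FSO = WScript.CreateObject("Scripting.FileSystemObject")

' Ask for the name of the laptop to copy to
cREM = InputBox("Enter the machine name", "Remote Name", "Laptop")

' Nothing comes back when Cancel is pressed (or the box is left empty)
If cREM = "" Then
    MsgBox "You pressed cancel"
Else
    fLOC = "C:\Folder\Location"
    fREM = "\\" & cREM & "\C$\Location"
    MsgBox "Copying to " & fREM
    ' True = overwrite existing files on the remote side
    FSO.CopyFolder fLOC, fREM, True
    MsgBox "Copy completed"
End If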

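The same copy can be done without any user prompting and can then call a .bat file (or any other executable type file):

Dim FSO, oShell, fREM, fLOC, comp

Set FSO = WScript.CreateObject("Scripting.FileSystemObject")
Set oShell = CreateObject("WScript.Shell")

' Assumption: the original never sets comp; here it is read from the first script argument
comp = WScript.Arguments(0)

fLOC = "C:\Folder\Location"
fREM = "\\" & comp & "\C$\Location"
MsgBox "Copying to " & comp
' True = overwrite existing files on the remote side
FSO.CopyFolder fLOC, fREM, True

' Run the batch file once the copy has finished
oShell.Run "C:\LocationofBatchFile.bat"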

Sunday, April 12, 2009

SQL 2005 Install Error with DotNet 3.5 SP1

During an upgrade for a compliance application from SQL2000 to SQL2005 I encountered the following error on the Upgrade Logon Information (Windows Authentication Mode):

UpgradeAdvisor returned -1 .
Error Message:

That's nice, lovely error message, helps a lot.

Luckily I stumbled on this:

DotNet 3.5 SP1 installed, yep.
Created the folder BPAClient under C:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\BPA, copied BPAClient.dll from the bin folder, and clicked Next...

Friday, April 10, 2009

Check Windows Activation

Sometimes I've found it useful to check Windows activation, especially after deploying machines from a sysprep image.

Open run and type:

%SYSTEMROOT%\system32\oobe\msoobe.exe /A

This will inform you of the activation status of the system.

Thursday, April 9, 2009

Remote Services / Permissions (SC and Subinacl)

So with our new solution for pushing updates to a new software package I discovered that I needed to disable, stop, and change permissions on remote computers (and local for devices in my office).

Here's a handy tool that I've used for viewing remote services:
sc [machine name] query [service name]

To stop the remote service:
sc [machine name] stop [service name] (use start to "start")

To change service to manual startup:
sc [machine name] config [service name] start= demand (for disabled replace with "disabled")

Of course, omitting the [machine name] makes the command apply to the local machine.

Then comes the fact that I needed to change permissions so that the users could start / stop the service as needed without making them administrators. For this I used a tool called Subinacl which can be downloaded from MS. First off note that you do have to move this to the machine in question. This actually took me longer to realize than changing the permissions since by default I install the Admin tools on my machine when built. Having not realized that the tool comes with this installation and not by default (duh) I puttered with why the command wasn't working on the remote machine for a good 30 minutes. So, make sure you pull the tool to the remote machine if it doesn't already have it.

Change permissions:
SUBINACL /SERVICE \\machinename\ServiceName /GRANT=[DomainName\]UserName[=Access]
for local station with local account (or group)

T = Start Service
O = Stop Service
R = Generic Read (may be needed depending on situation)

Note: you can also do it through Group Policy and Security Templates. I recommend checking those methods as well to see what will work best for your scenario.
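
After a grant like the one above, the service's security descriptor can be decoded to confirm that the user received only start / stop / read and nothing more. The following is an added example, not part of the original post: it parses the SDDL string printed by sc.exe sdshow; the sample SDDL and the SID in it are constructed, and SERVICENAME is a placeholder.

```powershell
# SDDL right codes as they apply to service objects.
$ServiceRights = @{
    CC = 'QueryConfig'; DC = 'ChangeConfig'; LC = 'QueryStatus'
    SW = 'EnumerateDependents'; RP = 'Start'; WP = 'Stop'
    DT = 'PauseContinue'; LO = 'Interrogate'; CR = 'UserDefinedControl'
    SD = 'Delete'; RC = 'ReadControl'; WD = 'WriteDac'; WO = 'WriteOwner'
}
$AceTypes      = @{ A = 'Allow'; D = 'Deny' }
# Rights that go beyond run-time control: reconfigure, delete or re-permission.
$ControlRights = 'DC', 'SD', 'WD', 'WO', 'GA', 'GW'
# Trustees expected to hold full control (Local System, built-in Administrators).
$AdminTrustees = 'SY', 'BA'

function Get-ServiceDaclEntry {
    param([Parameter(Mandatory = $true)][string]$Sddl)

    # The DACL is "D:", optional flags, then one or more (ACE) groups.
    $dacl = [regex]::Match($Sddl, 'D:[A-Z]*((?:\([^)]*\))+)')
    if (-not $dacl.Success) { throw 'No DACL found in the SDDL string.' }

    foreach ($ace in [regex]::Matches($dacl.Groups[1].Value, '\(([^)]*)\)')) {
        # ACE layout: type;flags;rights;object_guid;inherit_guid;trustee
        $f = $ace.Groups[1].Value.Split(';')
        if ($f.Count -lt 6) { continue }
        # Rights are two-letter codes; a hex mask (0x...) is reported as-is.
        if ($f[2] -like '0x*') { $codes = @($f[2]) }
        else { $codes = @([regex]::Matches($f[2], '[A-Z]{2}') | ForEach-Object { $_.Value }) }

        $names = $codes | ForEach-Object {
            if ($ServiceRights.ContainsKey($_)) { $ServiceRights[$_] } else { $_ }
        }
        $type = $AceTypes[$f[0]]
        if (-not $type) { $type = $f[0] }
        $beyond = @($codes | Where-Object { $ControlRights -contains $_ -or $_ -like '0x*' })

        [pscustomobject]@{
            Type        = $type
            Trustee     = $f[5]
            Rights      = $names -join ','
            # Allow ACE for a non-admin trustee that carries more than start/stop/read.
            NeedsReview = ($f[0] -eq 'A') -and ($AdminTrustees -notcontains $f[5]) -and ($beyond.Count -gt 0)
        }
    }
}

# Constructed sample: default-style ACEs plus one delegated account (made-up SID).
$sample = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
          '(A;;CCLCSWLOCRRC;;;IU)(A;;LCRPWP;;;S-1-5-21-1111111111-2222222222-3333333333-1105)'
Get-ServiceDaclEntry -Sddl $sample | Format-Table -AutoSize

# Live use on the machine in question (SERVICENAME is a placeholder):
#   Get-ServiceDaclEntry -Sddl ((sc.exe sdshow SERVICENAME) -join '')
```

In the sample, the delegated SID shows QueryStatus,Start,Stop with NeedsReview false; an ACE that also carried ChangeConfig, WriteDac or WriteOwner for that account would be flagged.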

Wednesday, April 8, 2009

Tasklist / Kill Remote Process (tasklist / taskkill)

You can use Tasklist to find tasks on remote computers:
/s system Specifies the remote system to connect to.
/fi filter Displays a set of tasks that match a given criteria specified by the filter.
example: tasklist /s compname

You can then use taskkill to kill processes:
/s = remote system
/f = force kill
/im = process
example: taskkill /s compname /f /im spoolsv.exe

Tuesday, April 7, 2009

Remotely Enable Remote Desktop

As long as Remote Registry is on, Remote Desktop can be enabled remotely. (There are other ways that are less direct.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]

Change the data from 1 (Remote Desktop Disabled) to 0 (Remote Desktop Enabled)

Restart required.

Monday, April 6, 2009

Disable Windows Tour

I've always disliked getting the Windows Tour popup on new logins. No more, simply add the following to disable it for all users on the machine.

0 = disabled

Can also easily be blasted out with Group Policy (also works using the user class, for some reason I prefer the machine level)

POLICY "Disable Windows Tour"
EXPLAIN "Disables the Windows Tour for all users"
KEYNAME "Software\Microsoft\Windows\CurrentVersion\Applets\Tour"

Sunday, April 5, 2009

Disk Volume Extend (DiskPart)

useful for extending volumes

list volume
select volume vol# (from list)
Extend size=n noerr (where n = the space in MB to extend)

Saturday, April 4, 2009

Internet Explorer Favorites - Menu Order

It's always irritated me when I went to a new workstation and copied my favorites over that the order wasn't saved; even more, it irritated me that IE doesn't have some way of saving this for us.

So... Save your favorites including the order that they appear in Internet Explorer (v7) with ease.

Create a new .vbs file and place the following in it.

'Set Favorites Backup Folder
strFolder = "C:\FavoritesBackup"
Set objFSO = CreateObject("Scripting.FileSystemObject")
If objFSO.FolderExists(strFolder) = False Then
    objFSO.CreateFolder strFolder
    WScript.Echo "Folder Created"
End If

'Set Userprofile location
Set oShell = CreateObject("WScript.Shell")
strUserProfile = oShell.ExpandEnvironmentStrings("%USERPROFILE%")

'Copy favorites from profile
Const OverWriteFiles = True
Set objFSO = CreateObject("Scripting.FileSystemObject")
objFSO.CopyFolder strUserProfile & "\Favorites", "C:\favoritesbackup\Favorites", OverWriteFiles

'Export Registry Key
'The key name is cut off in the original post; put the Favorites menu order key here
strRegKey = "<registry key to export>"
strCommand = "regedit /e c:\favoritesbackup\FavoritesMenuOrder.reg """ & strRegKey & """"
Set objWshShell = WScript.CreateObject("WScript.Shell")
'Run hidden (0) and wait for regedit to finish (True)
intRC = objWshShell.Run(strCommand, 0, True)
If intRC <> 0 Then
    WScript.Echo "Error returned from exporting registry: " & intRC
Else
    WScript.Echo "No errors returned from exporting the registry file"
End If

Save and double click the vbscript you just created.

The registry key can also be obtained for non-logged in users by connecting to the user's hive and exporting the key; just remember that it will export with the connection name, so that will have to be updated for import.

Import reg key on the new computer after copying favorites icons to the new computer profile.

Friday, April 3, 2009

Disk Is Write Protected

Plugged in my USB device to copy some drivers to a new computer, dropped in the files and got "The Disk is Write Protected. Remove the write protection". Hmm, a quick Google search shows lots of posts stating that the write protect tab on the USB device has slid over, just slide it back and tape it.
Pull out USB, no write protect tab on this thing. Try a different card, same error. wth. Eject and stick in a different PC. Works, okay, what's going on.

So I did a little research. From what I can tell there are several ways to apply write protect.
1. If your card has the switch you can just flip the switch, but not all cards have the switch
2. Windows has a setting to write protect Mass Storage Devices

REG_DWORD WriteProtect
0 = Write Protect Off
1 = Write Protect On

Tested both USB cards and no more write protection. One of my configuration software platforms that was set up to lock down Mass Storage Devices automatically for all workstations except administrators had snagged my desktop during its setup just a few days earlier and set the key to 1.

New Profile Icons - Active Setup

Removing the contents of these keys removes the named icon when new user profiles are created on the machine in question: (delete the contents of the stubpath key)

HKLM\Software\Microsoft\Active Setup\Installed Components

"%ActiveSetup%\{5945c046-1e7d-11d1-bc44-00c04fd912be}","Stubpath" ;Windows Messenger

"%ActiveSetup%\{89820200-ECBD-11cf-8B85-00AA005B4383}","Stubpath" ;Internet Explorer 6

"%ActiveSetup%\{6BF52A52-394A-11d3-B153-00C04F79FAA6}","Stubpath" ;Windows Media Player

"%ActiveSetup%\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}","Stubpath" ;Outlook Express

"%ActiveSetup%\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}","Stubpath" ;Outlook Express

"%ActiveSetup%\>{26923b43-4d38-484f-9b9e-de460746276c}","Stubpath" ;Internet Explorer

"%ActiveSetup%\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}","Stubpath" ;Windows Media Player

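Before clearing any StubPath value it helps to record what is currently there. The following is an added example, not part of the original post: it lists every Active Setup component that has a StubPath and saves the list so a cleared value can be put back; the output file name is an assumption.

```powershell
# Added example: inventory Active Setup StubPath values before editing them.
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    # 32-bit view on 64-bit Windows, when present
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components'
)

function Get-ActiveSetupStub {
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $props = Get-ItemProperty -LiteralPath $key.PSPath
            # Only components with a StubPath run something for a new profile.
            if ([string]::IsNullOrEmpty($props.StubPath)) { continue }
            [pscustomobject]@{
                Component = $key.PSChildName      # key name, e.g. {GUID} or >{GUID}
                Name      = $props.'(default)'    # friendly name, when set
                Version   = $props.Version
                StubPath  = $props.StubPath
                RegPath   = $key.Name
            }
        }
    }
}

$stubs = @(Get-ActiveSetupStub)
$stubs | Sort-Object Name | Format-Table Component, Name, StubPath -AutoSize -Wrap

# Keep a copy so a cleared StubPath can be restored later (file name is an assumption).
$stubs | Export-Csv -Path .\ActiveSetup-StubPath-backup.csv -NoTypeInformation
```
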
Thursday, April 2, 2009

Default Profile Setup

How to set the default profile the way YOU want it.

Set up the profile exactly the way you want it. Check Power Settings, Quick Launch Bar, Desktop Icons, etc. I've always done this with a local computer account that has administrator rights (so that you can change power settings etc). Once finished you can remove the admin rights.

Once it's setup the way you want it logoff and back on using a different admin account. Open folder options and on the View tab select to show Hidden files and folders.

Open System properties, Advanced Tab, user profiles Settings button. Select the account you set up and click Copy To. Browse to the default user folder (C:\Documents and Settings\Default User), click Change in the permissions area, change the location to local computer name if needed. Type everyone and check name. Hit okay. In Permitted to Use it should show as "\Everyone". Click okay and then Yes when prompted (backing up the default folder beforehand is advised, just in case).

Turn back off the show hidden files option if wanted.

All new profiles on this machine will now get the settings from the account you copied into the default profile.

Wednesday, April 1, 2009

Power Settings

Power Settings can be found and changed in the registry. These settings are on a per user basis so each user has to be changed or the default can be changed prior to any profile creations.

The key is: [HKEY_USERS\.DEFAULT\Control Panel\PowerCfg]

Set the key value to the desired profile (profiles are listed in the same registry directory)

0 - Home/Office desktop
1 - Portable/Laptop computer
2 - Monitor on for presentations
3 - Network computer (no Wake-on-LAN)
4 - Optimized for high performance
5 - Optimized for power saving

Custom settings can be created and imported as well.