The Sysadmins

Tips and tricks from the Sysadmins

Category: Windows (page 2 of 3)

Data Protection Manager 2010 – Long Term Backups Not Following Schedule for the Protection Group

We use System Center: Data Protection Manager for backups. On February 1st of 2011, the annual backup of one of my protection groups was running. Since it was scheduled for January 1st, I was a bit confused. I opened a ticket with Microsoft support and thus began a very long adventure into the DPM scheduling agent. The end result is that the issue is a bug in the interaction between DPM and SQL Server that, under specific conditions, causes the behavior above.

Trigger

Modify a protection group that has a long term retention schedule on anything other than a weekly or monthly basis and do NOT adjust the timing of those backups.

Effect

The job is recreated in the SQL Server Agent without modifying the Start Date. This will cause it to trigger inappropriately, by running when it shouldn’t as well as failing to run when it should. This is due to the fact that although the start date didn’t change, the last run date is lost. Since the jobs are actually configured to run on X date (or day of the week/month/year) every x period of time instead of exact dates, this means my January 1st run date is configured as run on the 1st of the month every twelve months. Because of this it runs on the 1st of the next month if I trigger this bug.

Confirmation

How can you confirm this issue is going to happen to you? The easiest way is to use a script I was provided by Microsoft Support. A copy of the script is in the zip file available here.

The first time I ran the script I got an error. I re-ran it however, and it executed properly. I was told this is a bug in the script as it is currently defined. The output will look something like this:

Name SQL Agent Job | Definintion ID | Protection Group | Start Date | Schedule Create date/time | Last run date/time | Next run date/time | Tape_Label | Time Zone
GUID | GUID | PGName | 06-30-2011 | 2011-06-30 09:09:37.130 | 01-21-2012 23:00:00 | 01-28-2012 23:00:00 | Weekly | Ignore
GUID | GUID | PGName | 07-01-2011 | 2011-06-30 09:09:36.173 | 01-01-2012 23:00:00 | 02-01-2012 23:00:00 | Monthly | Ignore
GUID | GUID | PGName | 01-01-2012 | 2011-06-30 09:09:35.133 | 01-01-2012 23:00:00 | 01-01-2013 23:00:00 | Yearly | Ignore

This is an example of one of my protection groups. Fields in italics have been altered to anonymize the data. The text in red is the one that is likely to have the issue. Should I modify this protection group at this time without entering the Modify Schedule dialog it WILL end up running a backup on the 1st of the following month since the start date is in the past.

Workaround

As of now, there is no fix for this behavior. There is, however, a way to work around it. As mentioned in the Trigger section, this only happens when you don’t open the Modify Schedule dialog. So what happens if you do? The Start Date is reset and the entire schedule will run as planned. When editing a protection group and you get to this screen:

[Screenshot: DPM-1]

You need to click on the Modify button on the Backup Schedule area so you get this screen:

[Screenshot: DPM-2]

Click OK on this screen to close it out. As long as you do this, the Start Date for the backup schedule will be reset so that it is correct. This will avoid triggering the bug and keep your backups on schedule.

Fix

At this time Microsoft has indicated that a script to fix this will be given to me in the relatively near future once they have the bugs worked out. Additionally either in DPM 2012 or DPM 2012 SP1 this issue will be resolved so the scheduler no longer causes this issue. At this time, they are unsure if the bugfix will be ported back to DPM 2010.

P2V – HP Proliant Support Pack Cleaner

CTxAdmTools provide a handy tool for removing HP’s Proliant Support Pack. I’ve used it on a number of occasions, typically when P2V’ing HP servers, and it’s a great time saver. Once the server is virtualized you’ll want to remove the PSP, as it may cause issues further down the line and it’s simply software and drivers that you won’t need on the system any more. I’ve seen people recommend removing the PSP prior to the P2V process, but I believe it’s best to keep the source server ‘as is’ in case you need to back out of the procedure.

You can download the tool here: HP PSP Cleaner

[Screenshot: HP PSP Cleaner 15A]

Nslookup – Common Usage Examples

NSLOOKUP is a basic command line utility for DNS queries. It’s built into Windows and should be a tool you’re familiar with. Here are some real world examples of what I consider common queries.

Query A and PTR records

This is as straightforward as you can get: NSLOOKUP FQDN or NSLOOKUP x.x.x.x

[Screenshot: Nslookup Query]

Query A and PTR records from another Name-server

You can query a name server other than the one your client is configured with by adding the NS IP onto the end of the query. For example, to use an OpenDNS NS (208.67.222.222) you’d type:

NSLOOKUP FQDN 208.67.222.222

or

NSLOOKUP x.x.x.x 208.67.222.222

[Screenshot: Nslookup Query Alt NS]

You may notice the non-authoritative answer. This simply means the name server queried is not authoritative for the domain: it does not hold the entire zone (in other words, it doesn’t have every single record)… more on that later.

Query other types of records

You can query pretty much any other type of record (see the full list here: http://technet.microsoft.com/en-us/library/bb490745.aspx) with the set type= or querytype= command. The single line command would be:

nslookup -querytype=mx bbc.co.uk

The interactive mode command would be:

nslookup
set type=mx
bbc.co.uk

You can query another NS by appending the NS onto the end like the previous examples. If you have multiple records to lookup you might decide to head into interactive mode (see below). In interactive mode you can change the queried NS by using server 208.67.222.222.

[Screenshot: NSlookup Query type]

Nslookup Full mode

Remember I mentioned non-authoritative answers earlier? Below, I’ve queried for the name servers for bbc.co.uk and then queried them directly.

[Screenshot: Nslookup Auth NS]

You can do a lot more with nslookup. For example, ‘set debug’ will give you verbose information on a record, including things like the TTL. Here’s the output:

[Screenshot: NSlookup set debug]

I hope this gives you the basics and some good real world examples…
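The "Non-authoritative answer" line and the TTL shown by set debug both come from fields in the DNS response message. As an added example (not part of the original post), the Python below builds a constructed A-record response and reads the AA header flag and the answer TTL from it; the host name, address and TTL are sample values.

```python
import struct

def encode_name(name):
    """Encode a host name as DNS labels: length byte + text, ending in a zero byte."""
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"

def build_response(name, ip, ttl, authoritative):
    """Build a minimal A-record response (constructed sample, not captured traffic)."""
    flags = 0x8000 | 0x0100 | 0x0080              # QR=response, RD, RA
    if authoritative:
        flags |= 0x0400                           # AA: server is authoritative for the zone
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)    # type A, class IN
    rdata = bytes(int(octet) for octet in ip.split("."))
    # 0xC00C is a compression pointer back to the name at offset 12 (the question).
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # pointer: two bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def parse_response(msg):
    """Return whether the answer is authoritative, the RCODE, and each answer's TTL."""
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4             # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        data = ".".join(map(str, rdata)) if rtype == 1 else rdata.hex()
        answers.append({"type": rtype, "ttl": ttl, "data": data})
    return {"authoritative": bool(flags & 0x0400), "rcode": flags & 0xF, "answers": answers}

if __name__ == "__main__":
    for aa in (False, True):
        r = parse_response(build_response("www.example.com", "192.0.2.10", 300, aa))
        label = "Authoritative answer" if r["authoritative"] else "Non-authoritative answer"
        print(label, r["answers"])
```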

Active Directory Fine Grained Passwords with ADSI Edit

Updated post for Server 2012 FGPP

Server 2008 introduced ‘Fine Grained Passwords’ (FGPP), which allows multiple password policies in a single domain. Prior to Server 2008 there was a limitation of one per domain.

To achieve this you will need to create a PSO (password settings object), which applies at the user or security group level. There are 3rd party applications out there for this, but personally I find using ADSI straightforward enough.

The domain functional level needs to be 2008 or higher.

Let’s get to it!

  • Administrative Tools – ADSI Edit
  • Actions -> Connect
  • DC=domain,DC=com
  • CN=System
  • CN=Password Settings Container
  • Right click select new -> object

[Screenshot: adsieditpso]
You’ll be presented with a set of options which are explained below.

Common-Name – Friendly name to identify the policy
Password Settings Precedence – Think of metrics: if a user is in two groups, the policy with the lower precedence value will win
Password reversible encryption status – true/false. No need for this in our example and generally bad for security
Password History Length – How many passwords a user has to use before being allowed to return to the first
Password Complexity Status – Password Complexity true/false
Minimum Password Length – Minimum Password Length
Minimum Password Age – Minimum time before the password can be changed. This is set in Days:Hours:Minutes:Seconds, so for 1 day you would use 1:00:00:00
Maximum Password Age – Maximum time a password can be used. This is set in Days:Hours:Minutes:Seconds, so for 90 days you would use 90:00:00:00
Lockout Threshold – How many times the password can be entered incorrectly before the account is locked out
Observation Window – The time in which incorrect passwords are logged. For example, if we set 5 above and 00:00:20:00 for this, the account will get locked out if more than 5 incorrect passwords are typed within a 20 minute period
Lockout Duration – If the account is locked out, the duration for which it stays locked out. This is set in Days:Hours:Minutes:Seconds, so for 1 hour you would use 00:01:00:00

  • Select ‘More Attributes’
  • Select a property to view and change to ‘PSO Applies to’

Get the DN (distinguished name) from ADUC (Active Directory Users and Computers). You will need to select Advanced Features in the View menu at the top. Double click on the group or user this PSO will apply to, select the Attribute Editor tab and find the distinguishedName attribute a small distance down. Copy and paste this into the edit attribute box in ADSI Edit.

We can test if the policy has been applied by resetting a password for a user in ADUC or by typing dsget user DN -effectivepso. If dsget succeeded is returned without anything else displayed, you went wrong somewhere, as this means the default domain password policy is still in effect. This is what you want to see:

[Screenshot: DSGET PSO]
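The Days:Hours:Minutes:Seconds values typed into ADSI Edit are stored on the PSO as negative 100-nanosecond intervals, which is what you see if you later read the attributes back. As an added example (not part of the original post), the Python below converts a planned policy to the stored attribute values and checks the settings against each other; the plan's key names and its precedence, history and length values are constructed for illustration, while the durations and threshold are the ones used above.

```python
import re

TICKS = 10_000_000  # duration attributes are stored in 100-nanosecond units

def to_interval(text):
    """'D:HH:MM:SS' as typed into ADSI Edit -> negative 100-ns interval as stored."""
    m = re.fullmatch(r"(\d+):(\d{1,2}):(\d{1,2}):(\d{1,2})", text.strip())
    if not m:
        raise ValueError(f"expected D:HH:MM:SS, got {text!r}")
    d, h, mi, s = map(int, m.groups())
    if h > 23 or mi > 59 or s > 59:
        raise ValueError(f"field out of range in {text!r}")
    return -(((d * 24 + h) * 60 + mi) * 60 + s) * TICKS

# Hypothetical plan: key names are this example's own, values are sample input.
PLAN = {
    "precedence": 10, "reversible": False, "history": 24, "complexity": True,
    "min_length": 12, "min_age": "1:00:00:00", "max_age": "90:00:00:00",
    "threshold": 5, "window": "00:00:20:00", "duration": "00:01:00:00",
}

def stored_attributes(plan):
    """Map the plan onto the PSO attributes with the values the directory stores."""
    return {
        "msDS-PasswordSettingsPrecedence": plan["precedence"],
        "msDS-PasswordReversibleEncryptionEnabled": plan["reversible"],
        "msDS-PasswordHistoryLength": plan["history"],
        "msDS-PasswordComplexityEnabled": plan["complexity"],
        "msDS-MinimumPasswordLength": plan["min_length"],
        "msDS-MinimumPasswordAge": to_interval(plan["min_age"]),
        "msDS-MaximumPasswordAge": to_interval(plan["max_age"]),
        "msDS-LockoutThreshold": plan["threshold"],
        "msDS-LockoutObservationWindow": to_interval(plan["window"]),
        "msDS-LockoutDuration": to_interval(plan["duration"]),
    }

def review(plan):
    """Return findings for values that conflict with each other or weaken the policy."""
    a = stored_attributes(plan)
    findings = []
    if a["msDS-PasswordSettingsPrecedence"] < 1:
        findings.append("precedence must be 1 or higher")
    if a["msDS-PasswordReversibleEncryptionEnabled"]:
        findings.append("reversible encryption is enabled")
    # Stored values are negative, so a longer duration is a smaller number.
    if a["msDS-MinimumPasswordAge"] < a["msDS-MaximumPasswordAge"]:
        findings.append("minimum password age is longer than maximum password age")
    if a["msDS-LockoutObservationWindow"] < a["msDS-LockoutDuration"]:
        findings.append("observation window is longer than lockout duration")
    return findings
```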

Server 2008 R2 PPTP VPN With 1 Nic

Today we’ll look at setting up a quick PPTP VPN from Server 2008 R2 with 1 network card.

Server Side (Server 2008 R2)

  • Head to Server Manager, right click and Add Role
  • Select Network Policy and Access Services
  • Select Routing and Remote Access Services, next, next until complete
  • Expand Roles, right click on routing and remote access and select configure
  • If you select “Remote Access” you get the following error: “Less than two network interfaces were detected on this machine. For standard VPN server configuration at least two network interfaces need to be installed.”
  • Select Custom Configuration to get around this, then select VPN Access
  • Right click Routing and remote access and select properties
  • Browse to the IPv4 tab and assign a static pool of IPs for the remote clients
  • Now load up ADUC (Active Directory Users and Computers) and double click the user you wish to give access
  • Select the Dial-in tab and set the Network Access permission to Allow Access

Client Side (Windows 7)

  • Head to Network and Sharing Center
  • Select Set up a new connection or network
  • Select Connect to a workplace
  • Select Use my Internet connection (VPN)
  • Enter the IP/Host of the VPN server you configured earlier, give the connection a friendly name
  • Enter the username, password and domain
  • Click Skip before it tries to connect (if this is a remote system it will cut you off, you can get around this by disconnecting the client from the RRAS interface)
  • Click Change adapter Settings in the main Network and sharing Center
  • Right click the VPN connection you just created and select properties
  • Go to Networking, IPv4, Properties, Advanced and unselect Use default gateway on remote computer
  • You should be ready to connect!

Networking

  • Enable forwarding for TCP Port 1723 (PPTP) to your 2008 R2 Server
  • The firewall must support GRE

New!

Server 2012 PPTP with 1 NIC guide now up.

 

Configuring Server Core 2008R2

So you have your Core Server installed, now what? This post will give you some options for configuring your install. We’ll cover basic commands, SConfig and 3rd party tools.

Basic Commands

Show interfaces -> netsh interface ipv4 show interface

Set Static IP Address -> netsh interface ipv4 set address "local area connection" static 10.0.0.10 255.0.0.0 10.0.0.1

Change DNS -> netsh interface ipv4 add dnsservers "local area connection" 10.0.0.2 index=1 (2 for secondary NS)

Enable Remote Desktop -> cscript C:\Windows\System32\Scregedit.wsf /ar 0

Rename Server -> netdom renamecomputer oldname! /newname:newname!

Restart Server -> shutdown -r

Join Server to domain -> netdom join %computername% /domain:domain /userd:abc /passwordd:123

Enable Windows Remote Management -> winrm quickconfig

SConfig

SConfig is built into 2008 R2 Server Core by default, and you can do a lot of the most common configuration tasks from here. It’s pretty straightforward and each step has on-screen instructions. Type sconfig from the command prompt.

[Screenshot: Sconfig Server Core]

Installing Server Core 2008R2

Server Core is Microsoft’s bare-bones version of Server 2008/R2, which was first introduced with Server 2008.

Microsoft did a lot of work reducing the attack surface with Server 2008 by cutting down on pre-installed features and roles. Server Core takes this a step further, resulting in an even smaller attack surface. There are fewer patches, which means fewer reboots, so overall maintenance time should be reduced. Server Core has a much smaller footprint too, requiring around 3GB for a running installation.

The traditional GUI that we’re used to seeing has been dropped and the ‘shell’ is nothing more than the command prompt. At first this might seem a little daunting for those used to the GUI but in part 2 I will talk you through common commands and some nice 3rd party GUI tools you can use to configure your installation.

In this video we’ll look at installing Server core 2K8R2 into ESXi. The procedure is practically identical on VMware player and workstation. The main difference being instead of uploading the Server 2008 R2 ISO to the Datastore you will store it locally.

Setting up a virtualized test machine/network is a great way of learning new technologies. ESXi and VMplayer are both free products from VMware which allow you to create guests. Couple that with the free 180-day trial of Server 2008 R2 and you are good to go.

You can download the Microsoft Server 2008 R2 Trial ISO here.

Once you have the ISO, upload it to your ESXi datastore. Personally, I always create an ‘ISO’ folder for dumping them into. If you are using VMware Workstation or VMplayer you can store the ISO locally.

In the following video I will perform a standard installation of Server 2008 R2 Core.

Server Core 2k8r2 #2 Configuring
