Category Archives: System Engineers

Powershell – the 3 line quicky

I needed to change the profile path for a fair number of users in AD. Thought I’d give PowerShell a go. Talk about easy… here it is.

Change the Profile Path for all users in an OU – the easy way

# Replace the <placeholders> with your OU, domain components and profile server/share
$users = Get-ADUser -Filter * -SearchBase "OU=<yourOu>,DC=<yourDC>,DC=<yourDC>"

ForEach ($u in $users)
{
    # Profile folder is named after the user's logon name
    $ProfilePath = "\\<yourProfileServer>\<yourProfileShare>\" + $u.sAMAccountName
    Set-ADUser -Identity $u.DistinguishedName -ProfilePath $ProfilePath
}

Well – I lied – there are 4 lines of code. Talk about easy
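Before running a bulk change like the one above, it helps to see which accounts would actually change and to dry-run it. This is an added example (not the original post's script); the OU and share values are placeholders and $dryRun must be flipped to $false to make real changes.

```powershell
# Added example: audit current vs. desired ProfilePath for an OU, then dry-run the change.
# <yourOu>, <yourDC>, <yourProfileServer> and <yourProfileShare> are placeholders.
Import-Module ActiveDirectory

$searchBase  = 'OU=<yourOu>,DC=<yourDC>,DC=<yourDC>'      # placeholder
$profileRoot = '\\<yourProfileServer>\<yourProfileShare>' # placeholder
$dryRun      = $true   # set to $false only after the report below looks right

# ProfilePath is not returned by default, so ask for it explicitly
$users = Get-ADUser -Filter * -SearchBase $searchBase -Properties ProfilePath

# Only users whose current path differs from the desired one need touching
$changes = foreach ($u in $users) {
    $desired = Join-Path $profileRoot $u.SamAccountName
    if ($u.ProfilePath -ne $desired) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Current        = $u.ProfilePath
            Desired        = $desired
        }
    }
}

# Report first: this table is what goes into the change record
$changes | Format-Table -AutoSize

foreach ($c in $changes) {
    # With $dryRun = $true, -WhatIf prints the intended change without writing to AD
    Set-ADUser -Identity $c.SamAccountName -ProfilePath $c.Desired -WhatIf:$dryRun
}
```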


Tony’s rules of data

I’ve been copying some large data sets around lately and have formulated 2 rules of data

1. Data will ALWAYS expand to fill any available storage
2. Moore’s Law is irrelevant as data is ALWAYS conspiring to bring the apparent speed of a system back to that of a 386.

There you have it – 30 years in the IT industry condensed into 2 statements

PC Skill Drought?

I have a gut feeling that we are about to enter a PC skills drought. I work with other grey headed guys who feel the same way.

Reading my previous post about cheap PCs, it makes me think, no wonder we can’t get young guys interested in PCs – these devices (in real terms) are 10% of the prices that we paid for PCs in the 1990s. They are just raw commodity items and are seen as “old tech” by the young ‘uns. All the vibe in computing is around mobile and I can see a generation arriving where mobile (Android, iPhone etc.) coupled with console gaming provides all their needs. Most mobile users, (x)Pad users included, don’t seem to need a PC at home. This includes Macs too.

From a business perspective, skill sets in PC level devices need to be maintained but unless PCs present themselves as “new and sparkly”, I don’t see this happening. Unless the kids build an initial skill set on their home PC, the entry level abilities needed to get on the Helpdesk, the usual first rung on the ladder, become that much harder to obtain.

This is compounded by the reality that business level computing is becoming MORE complicated than ever. Have a think about what virtualisation is doing. It adds enormous flexibility for medium to large business environments but it also adds, using VMware as an example, a whole new layer between the hardware and the OS. We have now introduced VMware skills as a requirement. This is the same for storage virtualisation as well. The network layer has had virtualisation as a core skill for 10+ years (think VLANs – Layer 2 virtualisation) but now the top line network devices have virtual routers as well.

In the VMware world (where I spend a lot of my time) it also facilitates a proliferation of servers. Where in the past you would try to aggregate functions, it’s simpler, despite needing more O/S licenses, to just create a new server for that application you want to roll out. In the end you manage more servers.

I suppose it’s good for old farts like me as business depends on PCs for day to day operations (and I will probably be able to get work forever) but eventually we will all want to retire and someone needs to maintain these systems. Someone is going to need to address this skills gap.

Interesting times ahead.

PCs as commodity items

Did an upgrade for an old customer of mine last week. Their 15 YO computers were well beyond it (Gotta love that 486 technology – it never quits) so we drifted over the road to ARC Computers (They really are over the road) and bought 2 x Intel Celeron E3300 based machines for the princely sum of $AU238 each.

These boxes included a 500GB SATA drive and 2 GB of fast DDR3 RAM (I think it was about 1033 MHz). Ran XP Home up and they fly! They are running a basic ASRock M/B with GMA Graphics (DX10!) and have a bucket load of USB ports and 10/100 Ethernet. On top of that ARC supplied a great little black FOXCONN case which looks great and fits easily into the desks provided.

I needed to assemble them – no sweat (damn Intel push-pins), I enjoy a bit of screwdriver work occasionally but really… these prices are just a “race to the bottom”.

I have an August 1988 issue of Australian Personal Computer (APC) in front of me. A 10 MHz PC/AT with 640KB and a 20MB HDD from a clone manufacturer was…… $2290. No NIC, monochrome graphics, no USB (what’s that?) etc. 386 class machines started at $5K. Back in the bad days, those computers didn’t even have a real time clock. Every time you booted it, you had to enter the correct date and time.

How about adjusting for inflation? Using the RBA inflation calculator http://www.rba.gov.au/calculator/annualDecimal.html

A computer worth $2500 in 1988 is actually worth $4700 dollars these days. On raw figures alone that is 1/20th the cost. Amazing if you were to factor in the raw MHz performance as well (10 MHz vs 2.5 GHz – 250 times!): the new computer is about 1/5000th (th?) the price. No multitasking, RAM less than a 1/4000th of current norms. No network (NICs were > $500 each). Makes my mind rattle.

Windows 2008 R2 Activation blues

It’s taken me a while to find this but now it’s blindingly obvious. We are testing R2 as it has some advanced Terminal Server (now Remote Desktop Services) features that we are interested in. We have a number of 2008 (R1?) servers and an activation server with a KMS key that works OK.

Now comes the hard part. If you don’t want to go through the hassle of recovering your KMS keys from the R1 activation server then you need to

1. Apply SP2 to the R1 server
2. Apply the appropriate hotfix to permit R1 servers to activate R2 (and Windows 7) machines.

You go through the change control process (you do have one, don’t you?) and apply all these changes to your licensing server including the new R2 KMS key.

Full of expectation and jumping on the R2 server you hit

slmgr -ato

and get rewarded with a 0xC004F074 error. I have tried a couple of times to find this but eventually Googled “Security-SPP 0xC004F074”. This led me to

http://technet.microsoft.com/en-us/library/ee355153.aspx where at the end of Table 10 – it finally pointed to Table 11.

This is the “gold” document – it enabled me to decipher the error code in the 12288 message.

Cutting a long story short. The string has a value of 5 where I have only 1 R2 server in the farm.

I don’t understand this. I already have 10+ 2008 servers in my farm but now MS needs me to build 5 R2 servers to go through the “minimum number” procedure again to get activation to work again.

I’m finding the MS Licensing/Activation regime to be hard work. This has taken about 8 hours to get this far (with service packs etc) and I still have even more work to do to get my systems activated. I’ve already crossed the #5 threshold once – why do I have to do this again?

Monitoring your Active Directory

Another interesting week. Client has 8 DCs distributed over 4 sites for AD management. Most of the time it works well – well enough so you don’t feel the need to be taking the pulse of the patient 24/7… BUT…. every so often, you have issues.

So… How to monitor. You are a small(ish) shop so there isn’t enough IT Operations bandwidth to monitor everything all the time. You can do several things.

– Invest in some COTS tools – Quest comes to mind – however there is both an initial cost and these things need care and feeding as well. Often there are backend databases, specialist knowledge etc. Some of these things are more fragile than AD itself. If they break then often the solution is to completely re-install.

– Write something yourself – this is obviously where I’m going with this. WMI, command line tools, vbscript, PowerShell, performance monitor – there is a stack of choices.

I’ve found something that seems to do the trick for me. It’s “timesync” – MS DCs rely on synchronised time for authentication. If the time between workstations, servers and DCs drifts out by more than 5 minutes then Kerberos, GP etc. all seem to stop. The command you need to get to grips with is

W32tm, specifically the “/monitor /domain:<yourdom.dom>” option. Give it a try in your domain and see – it will show you which DCs are synchronised.

So I’ve written a simple HTML page in vbscript that parses the output – code to follow
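Since the vbscript isn't on the page, here is an added PowerShell version (my own example, not the author's code) that parses w32tm /monitor output and flags any DC more than 5 minutes off its reference. The DC names, addresses and offsets in the sample output are constructed; for live use feed it the real command output instead.

```powershell
# Added example, not the author's vbscript: parse "w32tm /monitor /domain:<dom>" output
# and flag DCs whose NTP offset from their reference exceeds a threshold.
$maxOffsetSeconds = 300   # Kerberos tolerates 5 minutes of skew by default

function Get-DcTimeOffset {
    param([string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        # A DC block starts with "<name> [<ip>:123]:" (the PDC is tagged *** PDC ***)
        if ($line -match '^(?<dc>\S+).*\[[\d.]+:\d+\]:\s*$') {
            $current = $Matches.dc
            continue
        }
        # Offset line: "NTP: +0.1234567s offset from <source>"
        if ($current -and $line -match 'NTP:\s+(?<off>[+-][\d.]+)s offset from (?<src>.+?)\s*$') {
            [pscustomobject]@{
                DC       = $current
                OffsetS  = [double]$Matches.off
                Source   = $Matches.src
                OutOfTol = [math]::Abs([double]$Matches.off) -gt $maxOffsetSeconds
            }
            $current = $null
        }
    }
}

# Constructed sample in the w32tm /monitor layout; DC names and offsets are made up.
$sample = @'
dc1.example.internal *** PDC ***[10.0.0.1:123]:
    ICMP: 0ms delay
    NTP: +0.0000000s offset from local clock
        RefID: 'LOCL' [0x4C434F4C]
        Stratum: 1
dc2.example.internal [10.0.0.2:123]:
    ICMP: 1ms delay
    NTP: -0.0412345s offset from dc1.example.internal
        RefID: dc1.example.internal [10.0.0.1]
        Stratum: 2
dc3.example.internal [10.0.0.3:123]:
    ICMP: 2ms delay
    NTP: +412.9876543s offset from dc1.example.internal
        RefID: dc1.example.internal [10.0.0.1]
        Stratum: 2
'@ -split "`r?`n"

# Live use instead of the sample: $lines = w32tm /monitor /domain:<yourdom.dom>
$results = Get-DcTimeOffset -Lines $sample
$results | Format-Table -AutoSize
$results | Where-Object OutOfTol | ForEach-Object { Write-Warning "$($_.DC): $($_.OffsetS)s from $($_.Source)" }
```

With the sample above, dc3 is reported as out of tolerance; scheduling this and alerting on the warning is the low-effort monitor the post is after.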


Altiris Error 1326

One of those beautifully informative error codes. I must be getting slow, this one took an hour to figure out….

I have changed all the jobs on a customer’s site to use a UNC for the software source. The customer has a disaster recovery site with full functionality so it was logical to replicate all the software source there (and keep it in sync with DFS-R). This source is also a share on the Altiris DS deployment share.

Right – time to create a new package. I’m probably a bit old fashioned but I copy the source files from the share to the target and then execute an install. Like most admins, my workstation is the usual “guinea pig” for most jobs but I kept getting “Error 1326”. About an hour later, after trawling the net – here was the answer.

I use a special account to execute the install job but I already had a connection to the deployment server. Once the job began, the special account tried to connect and failed, with Error 1326. You can’t have 2 different accounts connecting to the same target from the one workstation. Basic you say… basic enough to get me!

As soon as I took the blinkers off and executed somewhere else then BINGO! Job executes.

Error 5871, ForestDNSZones and Top Level Domains

I hate this….

Ahh the life of a systems engineer.

You go to the trouble of fixing an error and 18 months later you are chasing down the same error again but forgetting that you fixed it before.

A customer of mine is running a classic root and child domain AD model. Issue was (and is) that the root domain only uses a “single label” top level domain (imagine calling your internal root domain .com and you will get the idea).

Well MS – for good reasons – decided that AD will not, by default, update a SLTLD. Problem is that when you upgrade to 2003 and decide to store your DNS in a forest wide application partition then the partition name becomes “forestDNSzones.com” which is a zone stored in a SLTLD.

OK, the issue is then that the DCs in the child domain “child.com” try to update into a partition which is inaccessible, hence stuff like the _MSDCS records (essential for cross site replication) don’t get updated. The DCs then start to register Error 5871 messages.

Here’s where I hate this…

There is a Group Policy HKLM\Software\Policies\Network\DNSCLient (don’t quote me on this – it’s 12:47AM) which is supposed to be applied but mysteriously didn’t

-and-

I looked back at some notes and found I’d fixed this in the past.

Problem I have is that this link http://support.microsoft.com/kb/300684 doesn’t come up in a search for “error 5871 site:microsoft.com” until about page 14 (actually it doesn’t) so you would never find it.

After consulting a mate he said “remember the TLD issue”…… DOH. The lights came on. Still don’t know why this one DC hasn’t updated from the Default DC GP (which has the entry) but the problem is fixed, the errors have disappeared and I can stop worrying.

New data to hand, Windows 2008 R2 also will not update a SLTLD. There are 2 registry entries you need – they are (Conveniently in REGEDIT 5.0 Format)

Windows Registry Editor Version 5.00

; Netlogon: allow the DC to operate in a single-label DNS domain
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netlogon\Parameters]
"AllowSingleLabelDNSDomain"=dword:00000001

; DNS client: permit dynamic updates into top-level-domain zones
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DNSCache\Parameters]
"UpdateTopLevelDomainZones"=dword:00000001

Again – this fixes Event Error 4513
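Because this fix was forgotten once already, a quick check script is worth keeping with the notes. This is an added example (not from the original post) that verifies the two registry values above on a DC and only writes them when run with -Apply.

```powershell
# Added example: verify the two single-label-TLD registry values from the post,
# report any that are missing or wrong, and set them only when -Apply is given.
param([switch]$Apply)

# The two values from the post (REG_DWORD, 1 = enabled)
$required = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Name = 'AllowSingleLabelDNSDomain' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
       Name = 'UpdateTopLevelDomainZones' }
)

foreach ($r in $required) {
    # Returns $null when either the key or the value does not exist
    $current = (Get-ItemProperty -Path $r.Path -Name $r.Name -ErrorAction SilentlyContinue).($r.Name)
    if ($current -eq 1) {
        Write-Host "OK       $($r.Name) = 1"
        continue
    }
    $shown = if ($null -eq $current) { '<missing>' } else { $current }
    Write-Warning "MISSING  $($r.Name) is $shown (expected 1) under $($r.Path)"
    if ($Apply) {
        # Echo the change so it can be pasted into the change record, then apply it
        Write-Host "Setting $($r.Name)=1 under $($r.Path)"
        New-ItemProperty -Path $r.Path -Name $r.Name -PropertyType DWord -Value 1 -Force | Out-Null
    }
}
```

Run it without -Apply on each DC to audit, and remember the DC still needs the change to take effect before the 5871 errors stop.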