Citric SharePoint Services > Citric Blog
The team's thoughts, ideas and musings
06/08/2008
Most of the time, recovering a Small Business Server is pretty straightforward - get hold of the last SBS backup and either recover to the original server or a new box using NTBackup. The SBS backup wizard ensures the system state, Exchange and all the data is covered.
What do you do, though, when presented with a server that's not booting because Active Directory is corrupt, and the backup has been customised to exclude the system state?
This was the scenario we had last week - the client had used a remote backup firm, who, no doubt to reduce the backup size, had customised the backup to only include the Exchange store and file data - no system state.
Without the AD, recovering Exchange to a new box was impossible, even though we had a valid Exchange backup with the same storage group/organisation names. This is by design - imagine if you could restore mailboxes to a new environment without the original security context - anyone with access to a backup tape and a knowledge of Exchange recovery could read the mailboxes of the entire company!
Luckily, Quest ignore this fundamental security rule. Using their Recovery Manager for Exchange, it's possible to open up a mailbox store from an NTBackup file and recover the contents to .PST files, which you can then import back into the new Exchange server using Outlook or ExMerge. It's a doddle to use, and we recovered every mailbox from a seemingly desperate situation. Highly recommended.
Of course, you still need to be able to get the backup from the original server in the first place, and build a new server with a new AD to begin with...
We had a Dell PowerEdge 1750 that's just gone out of warranty, but is running some important stuff (it's our root certificate server for one). Having run Hyper-V in production for a while now, and been very happy with it, we wanted to import it and run it as a Hyper-V virtual machine.
Trouble is, there's no direct way to do this - at least not until Virtual Machine Manager gets updated. However, VMware have offered their VMware Converter for free for a long time (you'll need to register). This tool connects to a physical machine and creates a VMware machine, with a VM disk and configuration file.
Once you have the VMware image, you can convert this to a Hyper-V (or Virtual PC/Virtual Server) compatible .VHD file using this tool from VMtoolkit. Again, you'll need to register, but again it's free.
Once you've converted the disk, create a new Hyper-V machine and point it at the converted disk. Fire it up, log in, and wait for all the hardware to be redetected - the HAL will change, so it will need rebooting. On the second reboot, you can insert the virtual machine additions, which will change the HAL again, and require a third reboot, which will finish off the virtual machine additions, before a final reboot.
If you can't see your network card, you may need to use the legacy adaptor. For example, our PowerEdge 1750 used a Broadcom in teaming mode, and until we swapped the standard Hyper-V NIC for a legacy one, we couldn't uninstall the teaming software or see the network configuration.
Once we'd tidied up (removing stuff like Dell OpenManage), we switched off the physical server, connected the network to the new Hyper-V server, and crossed our fingers - everything worked. The new server connected back to our iSCSI SAN and began replicating using DFS just like a good clone should - except the performance was noticeably improved!
All in all, for an hour's work, this is a relatively straightforward process with an excellent result. Admittedly we had a lot of things going for us - Windows 2003 target, single domain, simple network, single disk (split into two volumes), with a high performance Hyper-V server - but I can't see any reason why this shouldn't be attempted with more complex setups.
In summary the process to follow is:
- Have a Windows 2008 server ready with Hyper-V - ours is a Dell PowerEdge 2970 with 16GB RAM, Dual quad-core AMD Opteron Processors, and a RAID 1/RAID 10 split for the OS/Storage. All the Hyper-V files run from the RAID 10 volume. This is good for about 12 guests.
- Install the VMware Converter on the Hyper-V server. You don't need to install the agent.
- Download the VMDK to VHD Converter and unzip it to a local drive on the Hyper-V server (the desktop will do).
- Create a network share on the Hyper-V server that the target server can reach.
- Run the VMware converter against the target (it must be a Windows box, anything from NT4 upwards).
- Once complete (our PE1750 with a 70GB disk took about 20 mins), point the VMDK to VHD converter at the new disk, and create a Hyper-V disk under your Hyper-V file location. Once complete, you can delete the VMDK file.
- Create a new Hyper-V virtual machine, using the new .VHD file as the boot disk. Don't connect the machine to the physical network at this point.
- Boot the new Hyper-V machine, log in and let the hardware detection process run. Don't insert the integration services disk yet. Reboot.
- Log in again and insert the integration services disk, and let it do its stuff. Reboot again.
- Log in a third time, and let the install complete. One more reboot!
- Log in now and have a look at the network settings. If you can't see anything, you'll need to shut down the guest and install a legacy adapter.
- Tidy up stuff that isn't needed for a virtual machine - typically hardware management stuff.
- If all is good, shut down the old box, connect the network to your new virtual machine and fire it up!
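The guest-creation steps above as a script. This is an added example, not the original post's own method: it assumes the Hyper-V PowerShell module from Windows Server 2012 or later (which did not exist when this was written; the post used the Hyper-V Manager GUI), and the VM name, VHD path and switch name are placeholders.

```powershell
# Added example: build the Hyper-V guest from the converted .VHD, disconnected from the
# physical network, with a legacy adapter ready in case the synthetic NIC is not visible.
# Assumes the Hyper-V module (Server 2012+). All names and paths below are placeholders.
param(
    [string]$VMName      = 'PE1750-P2V',
    [string]$VhdPath     = 'D:\Hyper-V\PE1750-P2V\PE1750.vhd',   # output of the VMDK to VHD converter
    [int64] $MemoryBytes = 2GB,
    [string]$SwitchName  = 'External-LAN'                        # only attached at the very end
)
Import-Module Hyper-V -ErrorAction Stop

# Generation 1 is required: the converted disk is a BIOS/MBR boot disk, and legacy
# (emulated) network adapters only exist on Generation 1 guests.
$vm = New-VM -Name $VMName -Generation 1 -MemoryStartupBytes $MemoryBytes -VHDPath $VhdPath

# New-VM adds a synthetic adapter by default. The post keeps the guest off the physical
# network until hardware detection and tidy-up are done, so leave it unconnected.
Get-VMNetworkAdapter -VM $vm | Disconnect-VMNetworkAdapter

# If the guest cannot see the synthetic NIC (integration services not in yet, or the
# old teaming software still installed), the legacy adapter gives it a visible card.
# Also left unconnected for now.
Add-VMNetworkAdapter -VM $vm -IsLegacy $true -Name 'Legacy NIC'

Start-VM -VM $vm
Write-Host "Started $VMName from $VhdPath with no network connection."
Write-Host "After the hardware detection / integration services reboots, connect it with:"
Write-Host "  Get-VMNetworkAdapter -VMName '$VMName' | Connect-VMNetworkAdapter -SwitchName '$SwitchName'"
```

Shut the physical server down before running the final Connect-VMNetworkAdapter line, otherwise two machines with the same name and addresses will be on the wire at once.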
18/07/2008
We encountered the following scenario:
Vista domain users couldn't open files saved in their networked home folder, receiving an "Access is denied" error. However, they could create and delete files in the same network folder. They could also access the files without any problems from an XP client, and Vista clients could open files from other network shares. DFS and network permissions were therefore ruled out - as were offline files, since they weren't being used.
However - even though offline files were not being used, the feature was still enabled - and this was the problem. The user certificate used to encrypt files had expired and been renewed automatically through group policy. Vista, though, was still encrypting files in the background for the user's home drive using the original certificate - decrypting all offline files resolved the issue.
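A check for the cause described above, run as the affected user on the Vista client. This is an added example, not from the original post: it assumes Windows PowerShell 3 or later, and the folder to scan (defaulting to a mapped home drive letter) is a placeholder.

```powershell
# Added example: look for the two things the post found - an expired EFS certificate
# still in the user's personal store, and files that have silently been encrypted.
# $Folder is a placeholder; point it at the home folder (or any folder you suspect).
param([string]$Folder = 'H:\')

$efsEku = '1.3.6.1.4.1.311.10.3.4'   # "Encrypting File System" enhanced key usage OID

# 1. EFS certificates in the current user's store, oldest first. An EXPIRED entry
#    alongside a valid one is the situation in the post.
$efsCerts = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $efsEku } |
    Sort-Object NotAfter
foreach ($c in $efsCerts) {
    $state = if ($c.NotAfter -lt (Get-Date)) { 'EXPIRED' } else { 'valid' }
    '{0,-8} expires {1}  thumbprint {2}' -f $state, $c.NotAfter.ToShortDateString(), $c.Thumbprint
}

# 2. Files carrying the Encrypted attribute under the folder.
$encrypted = @(Get-ChildItem -Path $Folder -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted })
'{0} encrypted file(s) under {1}' -f $encrypted.Count, $Folder

# 3. For a sample of them, which certificate thumbprint can decrypt the file.
#    cipher /c lists the users and certificate thumbprints that can open a file; a
#    thumbprint that only matches the EXPIRED entry above explains "Access is denied".
foreach ($f in $encrypted | Select-Object -First 5) {
    "--- $($f.FullName)"
    cipher.exe /c $f.FullName | Select-String -Pattern 'Users who can decrypt|Certificate thumbprint'
}
```

The fix the post applied, decrypting the files, is the built-in cipher.exe /d /s:<folder> on the affected folder, after which the files are re-encrypted (if policy still requires it) with the current certificate.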
Lesson learnt: Vista isn't necessarily opening the files you think it is. When a group policy to encrypt offline files is enforced, Vista seems to cache home drive files locally and encrypt them as it does so.
04/04/2008
In December we installed a large server farm on a customer site using the Enterprise version of MOSS 2007, on Windows 2003 R2 x64, including MOSS/WSS 3 SP1. Everything was working well when we shut down for Christmas.
When we came back in January to carry on the configuration, we had two problems:
My Sites were returning the error: "The evaluation version of Microsoft Office SharePoint Server 2007 for this server has expired"
And performing any searches would result in the error: "Your search cannot be completed because of a service error"
Now, we went through everything on the farm with a fine-tooth comb, recreating accounts, reinstalling service packs etc. - even to the point where we got Microsoft to confirm the keys we had used were valid.
In the end, exasperated, we raised a support call with Microsoft, and their first question was "Is Portalshield installed?" which it was. It was actually deployed in our absence, and we never even considered it would be related, as the error messages didn't indicate it as a potential cause.
MS's suggestion was to change the Path statement so that the WSS BIN path doesn't appear at the end. This didn't work, so we uninstalled Portalshield, and My Sites and Search returned. Losing Portalshield wasn't a short-term problem, as the first portal was purely internal.
for details. You'll need to raise a support call to get the fix unfortunately, but as we've recreated this on every x64 system we've tried it on so far, I'd imagine they'd need to put it on general release soon.
McAfee too refer to a problem with the path statement, which seems to imply significant differences between the x86 and x64 versions of MOSS - Portalshield/MOSS are fine on 32-bit machines.
19/04/2007
We've had some fun today setting up our existing secondary SMTP server to double up as a POP3 server for a new domain. Actually setting the POP3 service up is a doddle. It's also pretty simple to set up the MX records to get mail to actually arrive on the server. What we couldn't work out was why mail was just sitting in the SMTP queue and not being delivered to the drop directory. We were thinking it must be a problem with the DNS name, or service binding (the server has two NICs and about 10 IP addresses, and services incoming mail for about 15 domains).
Looking at the logs revealed little. Then I remembered: because we use Exchange for all our other email domains, we use LDAP routing on the SMTP servers to check whether the email account exists in AD before sending it to the Exchange server – a quite useful anti-spam measure that stops the Exchange server getting nonsense emails. However, in this case we were setting up POP3 users using the password file method (it's intended for hosting clients), so they had no account or email address in AD – so the SMTP server didn't know what to do. Turning this feature off (LDAP Routing) and restarting the SMTP service did the trick, and mail instantly arrived in the appropriate POP3 box.
The final thing we implemented was email domain quotas. This means the whole domain shares a quota, rather than each user being limited to a certain amount. Again this is made slightly trickier by using the password file method. First, you have to create a local account on the POP3 server – we've named ours after the corresponding domain. Then, enable disk quotas on the volume containing the POP3 boxes (C: if you haven't changed anything). Then add a new quota entry for this new user – 10MB per mailbox is generally the case. Then use the WINPOP utility to create a quota file for one of your email accounts, and associate this with the user account as follows:
WINPOP createquotafile user@domainname.com /user:useraccount
This will create a quota file in the corresponding email account's mailbox folder – copy this file into each mailbox you create that this quota applies to, and the quota will apply to all those boxes.
13/04/2007
The commerce kit we've used in the past to base our e-commerce solutions on has been updated to DotNet 2.0 and become a full open-source project. It now supports credit-card payments through a provider model, along with a load of new features. It's available here.
Whilst looking through the showcase on the Microsoft Ajax site I came across this site (because it's about mountain biking in the UK) and wondered how they did the maps. It turns out they use the Virtual Earth SDK, which is very powerful, but unfortunately is implemented through client-side JavaScript. Luckily, some clever chap has already written an ASP.DotNet/Ajax server control that makes things a lot easier, here. This should mean it's very easy to put maps, directions and location indicators on any web page, using server-side code to populate the data.
Ideas for use:
- The static maps we regularly put on "Contact Us" pages for directions could be replaced with dynamic maps with driving directions from the user's current location.
- The websites we have with databases of location information are obvious candidates for updating with this technology.
If you see this message displayed in IE7 for internal websites (or published sites such as OWA or Team Services), this is because (1) the computer you are using doesn't trust the issuing authority of the website's certificate, or (2) you are using the internal name and the certificate has the full DNS or external name. In either case, it's OK to continue by clicking "Continue to this website". Long term, the fix is either to (1) download the certificate authority's root certificate and add it to the machine's list of trusted root authorities, or (2) use the correct name of the site, as on the certificate.
Of course, there's always a 3rd reason – the certificate may have expired, in which case it will need renewing from the server.
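A script that makes the same checks the browser makes for one site and names which of the three causes above applies. This is an added example, not part of the original post; it uses the .NET SslStream validation callback, and the host name and port are placeholders (the host name must be the one you type into the browser, since that is what is compared with the certificate).

```powershell
# Added example: reproduce IE's certificate decision for one internal HTTPS site.
# HostName is a placeholder; use the name you browse to, not necessarily the real one.
param([string]$HostName = 'owa.corp.example', [int]$Port = 443)

$script:errors      = [System.Net.Security.SslPolicyErrors]::None
$script:chainStatus = @()
$script:cert        = $null

# The callback receives exactly what the browser evaluates: chain trust and name match.
# Returning $true only lets the handshake finish so the result can be reported below;
# nothing is sent over the connection afterwards.
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $script:errors      = $sslPolicyErrors
    $script:chainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status })
    $script:cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certificate
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
try { $ssl.AuthenticateAsClient($HostName) } finally { $ssl.Dispose(); $tcp.Close() }

"Subject : $($script:cert.Subject)"
"Issuer  : $($script:cert.Issuer)"
"Expires : $($script:cert.NotAfter)"
$e = $script:errors
if ($e -eq [System.Net.Security.SslPolicyErrors]::None) {
    "No warning: IE would open https://$HostName without complaint."
    return
}
if ($e -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch) {
    "Cause 2: '$HostName' is not the name on the certificate; use the name as on the certificate."
}
if ($e -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors) {
    if ($script:chainStatus -contains 'UntrustedRoot') {
        "Cause 1: this computer does not trust the issuing CA; import its root certificate."
    }
    if ($script:chainStatus -contains 'NotTimeValid') {
        "Cause 3: certificate expired on $($script:cert.NotAfter); renew it on the server."
    }
    "Chain status flags: $($script:chainStatus -join ', ')"
}
```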
I think I've seen this problem when deploying SpotCheck from the TAP website, when asking clients to use the secure (https) address to reach the deployment page. This KB article describes how a common Internet Explorer security setting ("Warn if changing between secure and not secure mode") can stop the ClickOnce setup in its tracks if the deployment manifest file contains a different URL from the calling page, i.e. if the deployment page is secure but points to a non-secured manifest file.