TechNet Edge has a video of Cross Platform Extensions in action. You’ll see how it manages a network consisting of Windows Server, IIS, SQL, MySQL, Oracle, SUSE and Solaris. A fault is found in the web application, and the operator drills down to find that a logical disk has not been mounted. He uses the Operator Console to remount the logical disk, thus bringing the application back into a healthy state.
Month: June 2008
SCOM Saves The Day: W2003 AD Replication Issue Resolved
I recently deployed a new domain for a customer. Initially it had only one domain controller because we had to rush the network into production. We had a machine on order which I built up a few days later and promoted last Friday. I was doing some remote work on Saturday when I got some alerts about AD replication. I’d already had some of those after the initial DCPromo but I expect those after that first reboot while the directory/SYSVOL replicates and FRS allows the server to become a DC for the first time.
I logged into the DC’s and could find nothing wrong in the event logs. Absolutely nothing! AD replication, on the face of it, appeared fine. I logged into DC2 and tried to force replication between DC1 and DC2 and that’s when I found I got an error: "Naming context is in the process of being removed or is not replicated from the specified server." Uh-Oh!
How did SCOM notice this problem but the event logs didn’t? Installing a SCOM agent creates some containers and objects in the directory. SCOM agents update objects and measure to see how long it takes to replicate those changes between DC’s with agents on them. If it exceeds a pre-determined time then replication isn’t working correctly. It’s a perfect test.
I tried to delete the KCC generated link object that was failing and replace it with a manual one via the GUI. That failed. So I resorted to using the Support tools (SUPPORT.MSI on the Server 2003 CD) and REPADMIN. The complete guide is available to read.
The high level steps were as follows:
- DC1 was OK. DC2 was failing to replicate from DC1. I logged into DC2.
- I installed the support tools on DC2.
- I opened the support tools CMD.
- I ran "repadmin /showreps DC2" on DC2 to retrieve the GUID’s of DC1 and DC2.
- I used AD Sites and Services to manually delete any connection objects to replicate from DC1 to DC2 (found under DC2).
- I ran "repadmin /add "cn=configuration,dc=mydomain,dc=internal" <DC1 GUID>._msdcs.mydomain.internal <DC2 GUID>._msdcs.mydomain.internal".
- I forced a full replication using "repadmin /sync cn=configuration,dc=mydomain,dc=internal DC1 <DC2 GUID> /force /full".
- I refreshed AD Sites and Services under DC2 and forced a full replication there – everything was OK.
- I monitored SCOM for any more events. Everything was good.
SCOM to the rescue!
Credit: Gary Olsen.
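As an added example (not from the original post or from Gary Olsen's guide), the following PowerShell function checks replication links without relying on the event logs, complementing the SCOM latency test described above. It parses CSV in the layout of `repadmin /showrepl * /csv` and reports links with recorded failures or a stale last success; the sample rows, the one-hour threshold and the function name are assumptions constructed for illustration.

```powershell
# Constructed sample shaped like `repadmin /showrepl * /csv` output (not data from the post).
# 8452 is the Win32 code behind "The naming context is in the process of being removed
# or is not replicated from the specified server."
$SampleCsv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,DC2,"CN=Configuration,DC=mydomain,DC=internal",Default-First-Site-Name,DC1,RPC,14,2008-06-21 10:15:32,2008-06-20 18:02:11,8452
showrepl_INFO,Default-First-Site-Name,DC1,"CN=Configuration,DC=mydomain,DC=internal",Default-First-Site-Name,DC2,RPC,0,0,2008-06-21 10:12:40,0
'@

function Get-UnhealthyReplicationLink {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string[]]$Csv,
        [Parameter(Mandatory)][datetime]$Now,
        [timespan]$MaxAge = [timespan]::FromHours(1)   # assumed threshold, tune per site
    )
    $culture = [cultureinfo]::InvariantCulture
    $styles  = [System.Globalization.DateTimeStyles]::None
    foreach ($row in ($Csv | ConvertFrom-Csv)) {
        $failures = [int]$row.'Number of Failures'
        # A link that has never succeeded has no parsable timestamp: treat it as infinitely stale.
        $last   = [datetime]::MinValue
        $parsed = [datetime]::TryParseExact($row.'Last Success Time',
                      'yyyy-MM-dd HH:mm:ss', $culture, $styles, [ref]$last)
        $age = if ($parsed) { $Now - $last } else { [timespan]::MaxValue }

        if ($failures -gt 0 -or $age -gt $MaxAge) {
            [pscustomobject]@{
                Destination    = $row.'Destination DSA'
                Source         = $row.'Source DSA'
                NamingContext  = $row.'Naming Context'
                Failures       = $failures
                LastStatus     = [int]$row.'Last Failure Status'
                LastSuccessAge = $age
            }
        }
    }
}

# With the constructed sample, only the DC1 -> DC2 link (14 failures, status 8452) is reported.
Get-UnhealthyReplicationLink -Csv $SampleCsv -Now ([datetime]'2008-06-21 10:30:00') |
    Format-Table -AutoSize
```

On a domain controller, pass the live output instead of the sample: `Get-UnhealthyReplicationLink -Csv (repadmin /showrepl * /csv) -Now (Get-Date)`.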
Interviewing: First Impressions Last
1 year ago I talked about how not to host an interview. That was based on a couple of interviews that I’d attended as a candidate and the interviewing companies really screwed up and steered me elsewhere. You could say that they made a lasting impression.
In college, my IT course featured classes on all sorts of business subjects such as law, maths and marketing. Marketing was sometimes interesting. One of the most interesting things I learned was that (a) a happy customer might relay their positive experience to 2 or 3 people and that (b) an unhappy customer will relay their negative experience to around 13 people. That certainly has held true in relation to my experiences last year.
I’ve seen Company A sponsoring events I’ve been at, trying to recruit people. I suddenly feel the urge to retell my story from there. You can imagine the response of anyone when I tell them of the advert for an architect that was actually a break/fix engineer and the rude & unprofessional manner of one of the interviewers.
A colleague who I’d rate as being very skilled recently told me he was interviewing for a job with Company A. I reminded him of my experience. He rightly said he’d try it out anyway. Following the interview, he emailed me with a story of his own. This skilled engineer was told over the phone that he wasn’t skilled enough. Hmm. It sounded like someone was let out of the basement to do interviews again 🙂
Then this morning, the recruitment agency that sent me to Company A last year rang me up. Allegedly, Basement Boy has been "sidelined". Yeah, right! Either that or he’s been cloned. My name came up in relation to a job there. I politely said "no thanks". Anyway, I’ve got something good going right now so I don’t need the hassle of dealing with underground dwelling engineers who haven’t seen the light of day since the millennium. I’ve dealt with politics-playing morons in the past and I won’t voluntarily go waltzing into that playground again. I’d want to see a photocopy of his P45 before I’d even venture into the office … and you’d better bet my contributions to the employment contract would be … creative.
Anyway, first impressions last.
New SCCM 2007 Desired Configuration Management Releases
Configuration Manager 2007 has a great feature called Desired Configuration Management (DCM). It’s pretty easy to understand and use. You define a standard using queries of the registry, WMI and the file system to say what must be present, not present or what settings are valid, e.g. "this service must be disabled". Anything not meeting this compliance statement can be reported and acted on. In theory you could build a collection based on this data and enact an automated response.
MS has released the SCAP Conversion Tool for Desired Configuration Manager that will enable you to convert Security Content Automation Protocol files into files that can be used by DCM.
They’ve also released a Security Compliance Management Toolkit to help you plan, deploy, monitor, and remediate a security baseline.
SCOM 2007 and W2008 Certificate Services
My SCOM 2007 deployment relies heavily on certificates for monitoring non-trusted servers. This is accomplished by deploying customised certificates that are requested from a W2003 CA CertSrv website. W2008 Certificate Services does not allow you to request machine certificates from the web site so getting things to work is a bit more complicated … actually, much more complicated.
The SCOM team has blogged how to get things working. Luckily, they’ve bundled the cert request process into a script.
Just Deployed Hyper-V
I just deployed RC1 of Hyper-V for the first time. Damn, it was easy. Install the OS, download the Hyper-V RC1 update and install it, add the Hyper-V role and you’re all ready to create VM’s. You need one NIC per virtual switch and at least one NIC for the parent partition.
One annoyance is that you cannot have control over the mouse if you RDP into the Hyper-V console until you’ve installed the integration services. This is possible on Windows Server 2008 and Windows Server 2003 with SP2 – ah … you have to install the OS and then the SP before you can use your mouse.
The solutions are to use the Remote Hyper-V admin tool for Vista or apparently to RDP in from W2008. Eek. What if your Hyper-V servers are remotely located? I don’t want to use an MMC over a WAN link. That sucks! RDP is the solution of choice.
Still … I like Hyper-V so far.
SCOM 2007 to Natively Monitor UNIX and Linux
I can’t help it; I’m a System Center Operations Manager junkie. I’ve preferred Operations Manager over other products since I started using the beta of MOM 2005 for monitoring production servers back in 2004. I’ve used CA Unicenter, BMC Patrol and evaluated HP Openview and they just couldn’t stack up.
One of the criticisms of SCOM was that it was "just for MS networks". You know, it was best of breed in MS centric networks but you could use third party extensions (some of them being free, e.g. Citrix, Dell and HP) to manage other platforms. But it’d still be best if we could monitor more with SCOM without using 3rd party products, some of which add complexity and costs.
Some time last year (I think) MS acquired one of those 3rd party firms that developed solutions for monitoring non-MS products. And at MMS this year, it was announced that MS launched the public beta of Operations Manager 2007 Cross Platform Extensions. With it and SCOM 2007 SP1 you can monitor:
- Solaris 10
- HP-UX 11iv3
- Redhat Enterprise Linux 5 Server
- Novell SUSE Linux Enterprise Server 10 SP1
Now you’re getting monitoring of more of your network with just one solution. Pretty cool, eh? The Cross Platform Extensions beta is available for download from Microsoft Connect.
Whitepaper: Installing a Windows Server 2008 Active Directory
I’ve just uploaded a guide on how to install a single-domain forest with 2 domain controllers using Windows Server 2008:
This document is going to focus on how to build a new Windows Server 2008 Active Directory domain. There are two goals for this paper:
- You will be able to build a domain which you can use for lab work that is presented in the rest of this book.
- You will be able to build a domain that will suit 80% of organizations.
Most people who read something like this document will never need a domain that needs more than two domain controllers. It’s likely the domain won’t need to span multiple sites. The network probably has less than 500 users and no more than a handful of member servers. What we’re going to do is build a Windows Server 2008 domain that will serve those needs. Hopefully the 80% who recognize their network in that description will be able to use this section as a starting point. Anyone who does not fall into this category will have a good jump off point from which to span their Active Directory across more sites.
The whitepaper continues …
TechEd North America IT Professionals and Random Rambling
MS is hosting "TechEd North America IT Professionals" (what we call "IT Forum Pro") from June 10th until 13th. It’s a huge event and is often the location where huge announcements are made. There’s a few things we’re expecting soon:
- System Center Configuration Manager 2007 R2.
- Hyper-V.
We were promised that Hyper-V would be launched within 90 days of W2008’s launch. Apparently, they are ahead of schedule and there’s a whirlwind of rumours that MS will launch it next week.
I’ll be installing a "production" lab environment based on Hyper-V later this week on a HP DL380 G5 so I’ll try to blog my experiences with it as things move along.
I’ll continue to blog about my W2008 experiences. Our first W2008 DC is running nicely. I’m planning on replacing our original W2003 DC ASAP. It was put in place by a 3 sided consultancy firm before my time with the company. This consulting firm SUCKS! 9GB C: partitions might have been OK 10 years ago but they have been a bad idea for more than 5 years now. Plus I found so many other things wrong with the DC, it’s just gotta be rebuilt – and rebuilt with W2008 x64!
I’m also getting to the point where I need to deploy Windows Deployment Services. I’m going to be deploying lots of servers in our network in the coming months and I want standardisation and speedy deployments. WDS is the way forward because it’s relatively easy and it’s free. I’ve already got a machine selected: my WSUS server has a relatively light load and is perfect for this job. Eventually I might look at SCCM 2007 R2 but I can’t justify the cost of a dedicated SCCM box or the agents right now.
Still no sign of W2008 production support for the SCOM 2007 agent or a supported W2008 management pack. My gut is telling me that they might come out at the same time as Hyper-V; it just makes too much sense. There are some 3rd party solutions for monitoring Linux or Cisco via an agent. Un-trusted forests are monitored via a gateway. Being able to run these as dedicated agent VM’s might be a cool solution.
Windows Server 2008 News
In case you’ve noticed an absence of W2008 news, I’m posting that stuff over on the Windows Server 2008 User Group (Ireland) blog. I’m too lazy to post the same articles in two places at once. I’ll continue to post larger chunks here and then link from the W2008 blog.