Extending your Schema for Microsoft System Configuration Manager 2007
This is a guide for Extending your Schema for Microsoft System Configuration Manager 2007
Root Technet Resource
http://technet.microsoft.com/en-us/library/bb633121.aspx
Note: Windows support tools required for these processes
http://www.microsoft.com/downloads/details.aspx?FamilyId=6EC50B78-8BE1-4E81-B3BE-4E7AC4F0912D&displaylang=en
1. Extend schema with ExtADSch.exe
http://technet.microsoft.com/en-us/library/bb680608.aspx
2. Create sys mgmt container in AD
http://technet.microsoft.com/en-us/library/bb632591.aspx
3. Set Security on the sys mgmt container
http://technet.microsoft.com/en-us/library/bb633169.aspx
4. Publish Config mgr site info
http://technet.microsoft.com/en-us/library/bb680711.aspx
5. Verify site info is published
http://technet.microsoft.com/en-us/library/bb693614.aspx
MSDTC Could Not Correctly Process a DC Promotion/Demotion event. EVENT ID 53258
Installing a fresh windows 2003 R2 install onto a new esx server and then creating a new forest from scratch yielded this error.
I created a brand new domain from scratch and got this error off the bat so i thought it was worth fixing before it got any worse.
Error Message:
EVENTID 53258
Source MSDTC
MS DTC could not correctly process a DC Promotion/Demotion event. MS DTC will continue to function and will use the existing security settings.
One of the Many eventid.net responses helped me out here.
EVENTID Article
1. Click Start -> Administrative Tools -> Component Services.
2. Click the “+” next to Component services to expand it.
3. Right click “My Computer” in the right window pane and select Properties.
4. Click the MS DTC Tab.
5. Click the “Security Configuration” button, a dialog box appears. Click “OK”.
6. Click “OK” on the “My Computer Properties” box; this will take you back to the console.
7. Right click “My Computer” and select “Stop MS DTC” (this stops the MSDTC service.
8. Again, right click “My Computer” and select “Start MS DTC”.
By following the above steps, it appears that this sets the MS DTC defaults resolving the error messages. Check the event log to verify that the problem is gone. You might also want to restart the server to verify this.
SSH to ESX 3.5
Most people only have a root account created and wonder why you cant login via ssh with that, you can get to the ssh console but when you try to authenticate you can’t.
This is due to a security best practice and should not really be circumvented, your best course of action is to create another account and SU yourself up to admin.
If you feel the desperate need to enable root to have ssh abilities into your esx box (really not reccomended) then here it is.
on the service console on the esx box physically type:
vi /etc/ssh/sshd_config
Where you see PermitRootLogin the no needs to be a yes
then type
do service sshd restart
and you are done
Deploying Vista Service Pack 1 (Vista SP1) via WSUS
Well I luckily upgraded our WSUS Server to 3.0 SP1 and ran into a snag where I couldn’t deploy SP1 to our Vista test machines, after some digging I found out that under that version you need to run a patch on the WSUS server retrieving the update. Updating the WSUS server that connects to the internet for updates would never actually retrieve the vista SP1 so you have to run through this.
The full step by step is here http://blogs.technet.com/wsus/archive/2008/03/24/deploying-vista-sp1-into-a-wsus-3-0-server-part-ii.aspx
Or for my trademark cliff notes.
Get this Patch http://support.microsoft.com/kb/938759
Patch your wsus server that connects to the internet for updates (I patched all my WSUS servers to be safe) NOTE: Requires a reboot
Then in the WSUS console under your server right click “Updates” choose “Import”
This will redirect you to the website where you can search for Vista SP1
Pick the standalone pack, click view basket at the top of the page and then import.
Voila Vista SP1 in your shiny new WSUS box.
IIS Service Stuck Stopping
A friend of mine shared a solution to an issue they were having when they tried to update Trends Spam filter and it crashed an IIS service.
When they did the update the IISADMIN Service got stuck in a Stopping state, using the following command restarted all IIS services and fixed the issue.
iireset
iireset
The Microsoft Article detailing this and other switches is below.
http://support.microsoft.com/default.aspx?scid=kb;en-us;202013
The Ultimate MMC Setup
I’m not going to go through everything I use as alot are default and you should be able to sort out remote desktop and standard stuff like event logs on your own, i do however recommend these packs to really spice up your remote mmc goodness.
2003 admin pack
Must be installed before proceeding
http://www.microsoft.com/downloads/details.aspx?FamilyID=c16ae515-c8f4-47ef-a1e4-a8dcbacff8e3&DisplayLang=en
Vista Issue: Note that Vista is a bit broken with this so to get this working with vista and active directory connector (mmc) you need to follow This Guide
Active Directory Admin Pack
http://technet2.microsoft.com/windowsserver/en/library/2218144f-bb92-454e-9334-186ee7c740c61033.mspx?mfr=true
Note: You will need your Server 2003 CD to do this.
Overview:
http://technet2.microsoft.com/WindowsServer/en/library/57adeda2-3e00-4d5e-9b01-cf2bf256912d1033.mspx
Installation instructions
http://technet2.microsoft.com/windowsserver/en/library/57adeda2-3e00-4d5e-9b01-cf2bf256912d1033.mspx?mfr=true
Remote Schema Management
This isn’t in the AD admin pack by default so you need to follow this
http://technet2.microsoft.com/WindowsServer/en/library/8c76ff67-9e9d-4fc7-bfac-ffedee8a04d41033.mspx
Exchange Admin Pack
http://www.petri.co.il/administer_exchange_2003_from_windows_xp_2000_2003.htm
You need to install the admin pack from the exchange cd and I would walk you through it but petri as usual comes through with the goods so if you need a guide on that go to the link
Remote desktop right click addon
Allows you to right click a computer in AD and try to remote control it
http://www.microsoft.com/downloads/details.aspx?FamilyID=0A91D2E7-7594-4ABB-8239-7A7ECA6A6CB1&displaylang=en
needs to be run once on the AD
rcontrol_setup.exe program is run once for the AD to enable the feature
On any computer you want to have this feature on (your admin machines) copy rControl.exe tool and make sure it’s in a locatable path, e.g. %WINDIR% (C:\WINNT for example)
note: I don’t tend to use this feature, i find it easier to just make a section of my MMC with remote desktops setup to all my important servers. I use dameware for remoting to clients as that is much easier and allows for an interactive session.
WSUS
Install .Net Framework 2.0 or 3
http://www.microsoft.com/downloads/thankyou.aspx?familyId=10cc340b-f857-4a14-83f5-25634c3bf043&displayLang=en
Install MMC 3.0
http://www.microsoft.com/downloads/details.aspx?familyid=4C84F80B-908D-4B5D-8AA8-27B962566D9F&displaylang=en
Install Report Viewer
http://www.microsoft.com/downloads/details.aspx?FamilyID=8a166cac-758d-45c8-b637-dd7726e61367&DisplayLang=en
Run the WSUS Setup and just choose the console, nothing else
http://www.microsoft.com/downloads/details.aspx?FamilyId=F87B4C5E-4161-48AF-9FF8-A96993C688DF&displaylang=en
Handy WSUS Commands
When im doing troubleshooting i always find random commands that help me along the way, this is the best of the best for WSUS.
Note: all are done at the commandline unless specified otherwise
wuauclt /detectnow
Explanation: Forcing an update/install of a client against the server, this command will force the client to check for new updates and install them if thats enforced in a group policy.
wuauclt /detectnow /reauthorize
Explanation: A variant that can be used when really trying to update a machine in the WSUS database.
wuauclt.exe /resetauthorization
Explanation: This will reauthorize the machine for WSUS updates,
All commands will create an entry in the windowsupdate.log file this is located in the root of your system root (usually WINNT or WINDOWS), make sure its the one without a space as the ‘windows update.log” file is different.
/ReportNow
Explanation: This will send reports to the report server immediately.
Wsus Not Applying Group Policy Groups(OU’s) To Computers
Computers would not go into groups thanks to this tickbox
http://www.eggheadcafe.com/software/aspnet/30033002/wsus--assign-computers-t.aspx
“3. Open WSUS console, click Options->Computers, select “Use Group Policy or
registry settings on computesr” setting and click OK.”
I had initally set it up using the internal WSUS listings then i changed to using site based OU’s to apply their groups but had forgotten about that tickbox from the initial install.
Installing WSUS 3.0 SP1
So i was installing WSUS 3.0 SP1 and I thought I would put all the links i used here.
You need to download the installer HERE
you will need the .net framework installed before installing this or you will get the following error.
Error Message:
WusSetup.exe – Unable To Locate Component
This application failed to start because mscoree.dll was not found. Re-installing the application may fix this problem.
Ms article related to it HERE
.net Framework download link HERE
Unable To Browse To Sharepoint From Clients
Every now and then a single client will stop being able to browse to sharepoint, they will get a 404 or 504 error or something. Sharepoint works fine for everyone else but whenever this specific client tries to go there its just a plain error, It’s to do with credential caching and heres the solution.
Solution
In IE -> tools->options->security->local intranet->custom level->(scroll to the bottom)->”prompt for user name and password”
Access the site once like this and it will prompt for credentials, enter your correct credentials.
Then set that back to “automatic logon only” in intranet zone
Gpresult On 2003 Native Domain Shows 2000
This did come as a shock to me but due to the age of the application it still only identifies Native 2003 domains as 2000 Domains, so no need to panic like I did and wonder what massive part of your network just broke.
Example gpresult on a native 2003 domain:
------------------------------------------------------------------
C:\>gpresult
Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 27/03/2008 at 11:16:03 AM
RSOP results for domain\user.name on computername : Logging Mode
----------------------------------------------------------------------
OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Domain Name: domainname
Domain Type: Windows 2000
Site Name: sitename
Roaming Profile:
Local Profile: C:\Documents and Settings\user.name
Connected over a slow link?: No
How to find FSMO roles in a Domain
FSMO Roles are extremely important to Active Directory and understanding where they lie and how they all work (eg. some roles only exist once on a domain) should be at the top of your list of “things to know” if you aren’t already well versed on it.
Wiki - FSMO Explained
Windows Networking explain FSMO
Petri explanation of FSMO
I found this Technet Blog to be extremely useful in the most efficient ways to find where your roles lie.
On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.
Type roles, and then press ENTER.
Type connections, and then press ENTER.
Type connect to server
At the server connections: prompt, type q, and then press ENTER again.
At the FSMO maintenance: prompt, type Select operation target, and then press ENTER again.
At the select operation target: prompt, type List roles for connected server, and then press ENTER again.
Type q 3 times to exit the Ntdsutil prompt.
Petri has an article on the matter but i find his ways a little more involved than the technet above from Mark.
I find that no matter how confident I am that I have removed all FSMO from a domain controller before demoting it, I still use this to double check.
Define IP Address via Commandline
A very interesting situation i came across when migrating a server into ESX.
I coudlnt’t change the ip address through network connections as they weren’t appearing there and the network connections panel would lockup.
The server was showing them in ipconfig but i coudln’t change the ip adresses to define them, my only choice was to do it via commandline.
This is where the netshell comes into its own, the following command was what i used. As soon as i made the specific change the adaptors became available in the network connections menu.
I cant explain why this was an issue but due to migrating from a physical install to a virtualised one i was willing to go with it.
The source=static part is to define static instead of dhcp.
Command
netsh interface ip set address name="local area connection” source=static addr=10.0.0.1 mask=255.255.255.0
unfortunately the vlan my servers sit in dont have dhcp or the following command would help at least get an ip on the NIC and allow me to administer it that way, but maybe you want to so here it is.
netsh interface ip set address “Local Area Connection” dhcp
netsh interface ip set dns “Local Area Connection” dhcp
Determining which NIC to alter
luckily i could still access the commandline so i can do an ipconfig and find the name of the NIC, you may want to change a different one than the primary and say its the second one you can use the command below to give you an idea of how that should be put in.
“local area connection 3”
Defragmenting Exchange Server 2000 and 2003 without enough disk space
Up until now Petri.co.il has been one of my local haunts for info on how to do certain tasks, sometimes I find he has things laid out in a certain way that aren’t always suitable for me. Generally if I’m going back for a second or third time just to get a command out of his site I want a more “concise” explanation. For those who still need to be walked through it properly I still strongly recommend him as his site contains allot of good info.
http://www.petri.co.il/defragment_exchange_2000_2003_server_databases.htm
For those who just need the nitty gritty like me, here’s the quick reference version.
Dismount your store -> Exchange System Manager -> go to DB and right click (Dismount)
Not dismounting will give this error: Operation terminated with error -550
You can find your database easily by doing a file search for priv1.edb if you are not sure.
You will do the defrag with eseutil which is in the exchange dir (again do a file search for it if you can’t find it)
Please note my Drive names are different to the default as I don’t mount my store with anything else, my log files and my store are both separate partitions from each other as well as all other windows components to keep performance up at a maximum.
F: = where my store exists
H: = where I have enough disk space to perform the defrag as you need about 130% of the store to do a defrag and i didn’t have that on the partition the store currently exists on.
F:\bin>eseutil /d “f:\mdbdata\priv1.edb” /t “h:\mdbdata\tempdfrg.edb” /f “h:\mdbdata\tempstrm.stm”
Make sure to do a full backup after this as your old backups are no longer valid, that’s why it’s best to do this whole process in a big after hours outage window. Note that it can take some time to do a defrag (approx an hour for 5gb of store)
Specify the streaming files location (if it’s not in the default with your edb)
http://support.microsoft.com/?kbid=254132
Error 550 when using eseutil – database still mounted
http://support.microsoft.com/?kbid=232301
Australian 2008 Timezone Changes / Updates
Australian timezones call back delta and spring forward delta will be extended this year (2008), I’ve listed a whole bunch of links and article links below to help you in getting things patched in time for this change.
Server 2003 Package (x86)
http://www.microsoft.com/downloads/details.aspx?FamilyId=308D599A-164A-40F6-B2A2-5DD5728FE5B4
Server 2003 Package (x64)
http://www.microsoft.com/downloads/details.aspx?FamilyId=940AD40D-3088-4CD0-B0DC-F517594C904D&displaylang=en
Vista Package (sp1 doesnt need the update)
http://www.microsoft.com/downloads/details.aspx?FamilyId=F75E30D4-3036-4970-BC16-48A96E1CEDC7
XP Package
http://www.microsoft.com/downloads/details.aspx?FamilyId=FBC1661D-E017-4A7F-9CDE-F44CAE1F8DC9
Outlook 2003
Requires sp2 or sp3 installed
http://support.microsoft.com/kb/947674
requires a request to MS for the patch
Outlook 2007
http://www.microsoft.com/downloads/details.aspx?familyid=2714320d-c997-4de1-986f-24f081725d36&displaylang=en
odd name for the patch but this is the one to use.
Windows Mobile Update (cab file to be installed on phone)
http://www.microsoft.com/downloads/details.aspx?FamilyId=0D6FC192-3142-4473-B435-B514E4B360A5&displaylang=en
Windows Mobile Update (run on desktop with phone connected)
http://www.microsoft.com/downloads/details.aspx?FamilyId=3BD7C55C-8AC1-4821-81FE-3F4ADA831FE0&displaylang=en
Microsoft Exchange 2003
Exchange is a little tougher, you have to request the patch which makes it a slower process and will catch people out who only patch after the daylight savings changes happen and realise they haven’t patched their mail server(s).
You need to be at, at least Service Pack 1 in exchange 2003 and I would suggest using the excuse to go to SP2. To check your service pack there are two methods, I find the method that is actually listed on a Cisco page of all places as one of the easiest ways.
http://www.cisco.com/en/US/products/sw/voicesw/ps2237/products_tech_note09186a00801675b8.shtml
you basically find the store.exe in your exchsrvr\bin directory and go to the properties and in the version comments it displays your service pack level.
Microsoft do offer the SPCheck tool for those who wish to check on that as well as a large number of other components.
http://support.microsoft.com/kb/279631
Exchange 2003 SP2 page with request link
http://support.microsoft.com/kb/943068
Full Technet Article with all the appropriate links (alot of which used here)
http://technet.microsoft.com/en-au/bb887637.aspx
2008 daylight savings planning pdf
http://download.microsoft.com/documents/australia/timezone/Australia2008DaylightSavingPlanningGuide.pdf