Writing ... or Just Practicing?

Random Disconnected Diatribes of a p&p Documentation Engineer


    In the Jungles of the Amazon


    I'm a great believer in the future of "cloud" computing. It seems to be the way forward for both large and small organizations to maximize return on investment and reduce the complexity of managing their own hardware. Not that I'm one to talk about simplifying technology requirements after the past three weeks of virtual notworkingness with new servers, Windows 2008, and Hyper-V (though, to be fair, it eventually evolved into mainly-workingness-with-odd-broken-bits). One thing it has exposed me to, however, is some of the problems that seem to be gathering in the cloud.

    Like an increasing number of people, my shopping regularly involves a Web browser and debit card, rather than traffic queues and the search for a car park space. I'd like to think I get a better deal on prices as well, though that's not my primary motivation. And I tend to use companies that I know and respect, rather than chancing my luck with some fly-by-night I've never heard of. Though, thankfully, when I do have to go outside my usual comfort zone, obviously taking appropriate precautions, it's mostly been a problem-free experience (try buying inline Ethernet surge protectors from your "regular supplier" to see what I mean).

    I'm one of the many millions of Web-based shoppers who recognize Amazon as a reliable and trustworthy supplier, and I regularly use our local (.co.uk) site to order a variety of stuff I need (or just want). Yes, music, films, books, the usual things; plus, increasingly, electronics and computer-related stuff such as cables and switch boxes. OK, so when I ordered two APC UPSs a while ago they "lost them in transit" and ended up refunding the money, but it was all pretty efficient and painless.

    So what suddenly changed? Or has it been a gradual process that only recently rubbed sufficiently to be annoying? The problem seems to be that they are now a "store front" as well as a supplier. When you find something you need, especially stuff other than books, films, and music, it invariably comes from an "associate" that you've never heard of. In some ways, I applaud that. They're providing a great opportunity for small companies who would never be able to build an effective Web presence otherwise. But, in other ways, I wonder if it is damaging their core business. It has certainly changed my behavior.

    Let me elaborate. The parcel delivered against one recent order contained, not the electric radiant heater ordered and confirmed, but 1000 empty DVD library cases. Instead of talking to Amazon (if you can actually find an email address or posting facility) I have to directly contact a supplier I've never heard of. In another case, a faulty mobile phone that was my wife's Christmas present had to go away somewhere (I've no idea where) to "be examined". OK, so both purchases were sorted out after a couple of weeks, but I'd have preferred to deal with somebody I know and trust (such as Amazon) rather than having to look at "ratings" and decide if I want to trust some other firm. The redeeming feature is that, I guess, you can go back to Amazon if it all goes pear-shaped.

    But the final straw was trying to buy a couple of USB cables, a USB extension cable, and two UPS power extension cords to finish off the network upgrades that have generally blighted my festive season. I found what I wanted easily enough, and was impressed by the prices. But, reaching the checkout, I discovered that the five cables were coming from three different suppliers - each one charging postage and packing. And one of them was trying to charge 18 pounds for post and packing on standard 3-5 days delivery - on an order consisting of two USB cables costing around 3 pounds each! In total, for goods to the value of 17 pounds, I was expected to pay more than 26 pounds post and packing...

    Instead, I went back to the main site and searched for products by specifying the name of one of the suppliers (not the 18 pounds delivery one), figuring I'd order all the stuff from one supplier. But examining the items in the list revealed that they were still all from different suppliers. Maybe each supplier puts their competitors' names in the search field to improve the number of hits? After about 40 minutes, I gave up and ordered the whole lot from one of my other regular suppliers (Dabs.com) who have never failed me yet - though I'm touching a large chunk of wood as I write this.

    So what's gone wrong with the "cloud" approach in this particular scenario? Thing is, if I want to deal with people I've never heard of who work out of a back bedroom, I can use EBay. Have Amazon damaged their brand by allowing suppliers to hide within their product lists, and by not providing enough interaction in terms of getting support or actually submitting a comment? Or are they bravely promoting the concepts of the cloud and providing opportunities to small suppliers who would otherwise struggle to reach market?

    I eventually ended up on some "Your Account" feedback page where I complained about the post and packing cost thing, but I have no idea where my feedback went, or if I was wasting my time. And, strangely enough, the next day I was talking to a friend who I know is an active Web shopper and told them about my experiences. And their response? "Oh yes, I know what you mean, that's why I only ever use Amazon for books and CDs these days..." Maybe this is an issue that new partakers of cloud-based services need to actively address. I can appreciate that part of the ideal of Web trading is to get rid of the need to handle emails and phone calls, but I reckon most people still value the capability to buy from someone they know, and actually talk to somebody when the need arises, or at least get some prompt response and a solution - without having to jump through hoops just to submit it.


    Leicester Talk About...


    I reckon it's a Government conspiracy. Obviously continental drift has speeded up while we weren't looking, and England has drifted north into the Arctic during the last couple of weeks. I did check on Virtual Earth, but the maps are three months old (it takes a while to erase all the UFOs at Area 52). I suppose the experts will blame global warming, and point to "cataclysmic climate changes becoming the norm". So it's fairly predictable that the most commonly heard comment around here this last couple of weeks has been "I'll be glad when we get some of that global warming they keep promising us..."

    So, anyway, there I was bravely battling my way through the two inches of snow that has brought the whole country to a standstill, traveling down to Leicester to do a user group presentation on Policy and Dependency Injection with Enterprise Library. I'd have to say that the response to the session was good, even if the turnout was distinctly limited by the weather. But at least it was in the lounge of a rather nice little city centre pub, so suitable refreshment was on hand.

    Now, I don't know about you, but when I'm standing at the bar waiting to partake of the liquid gold, I'd expect the response to my request for "a pint of the landlord's finest please" would most likely be something like "straight glass or handle?", "with ice and lemon?", or (if you are a fan of Boddingtons ale) "do you want a flake in that?" Instead, the young slip of a girl behind the bar greeted me with "what's the formula for the Fibonacci sequence?" I suppose I'm rather too old (and married) to have much idea about the ways of the youth of today, and it didn't sound like it was meant to be a chat-up line, so I was somewhat stumped for a suitable response.

    Then I noticed the sign behind the bar saying "Tuesday Quiz Nights", so I guessed she was in a team and just boning up on some possible answers. Obviously they have themed quiz nights, and this week it was mathematics. Probably next week it's nuclear physics, followed by investigative medicine and rocket science. Reminded me of the old joke from one of our TV comedians who asked if NASA engineers, when explaining something simple about their job, say "it's not rocket science" when it patently is. Although I also hear it said that rockets are an engineering technology, not a science, so it should be "it's not rocket engineering". Doesn't have the same ring to it...

    And, coming back to themed nights, round us the pubs struggle to manage themes like a "Mexican Night" or even a "Steak Night" (the last steak night I went to had fish 'n' chips and mushroom lasagna on the menu). But then I realized that the pub we were in is just across the road from De Montfort University, so I assume that all the quiz contestants have brains the size of a planet. However, that turned out not to be the case when, partway through my session, the other (empty) half of the room filled up with groups of people armed with pens and paper. There was me trying to explain property setter injection, while somebody else was asking who Abraham's two brothers were in the Old Testament. I wonder if anybody answered "use a Dependency attribute"...

    Anyway, it turned out that Sara (the barmaid - try and keep up at the back there) had heard about a new type of charity raffle they are running at another pub locally, where you pay so much and get to choose some numbers between something and something else, according to some rule (OK, so I didn't quite catch all of the details). But she wanted to know how much money they were going to make, and somehow it involves the Fibonacci numbers. Thankfully she got the formula from another (obviously academic) member of the clientele, and calculated that they'll make 450 pounds if they sell all of the numbers.

    At that point, I just nodded sagely and offered to pay my one pound now if she promised not to try and make me understand how it worked. Dependency injection, AOP, service location, and inversion of control I can cope with. Biblical ancestry questions and higher mathematics I'm happy to postpone until another evening.


    Hyper-Ventilation, Act III


    After approximately two weeks of intermittent network upgrades, I seem to still have a working network. I guess at least that's something to be thankful for. But it's still not fulfilled the original plan. And much hyper-ventilation has occurred during the process, particularly when watching those little green caterpillars crawl across the endless "Please wait..." dialogs, and wondering what the next error dialog will say...

    Scene I: "Virtual Notworks"

    One of the hardest parts of the configuration process for Hyper-V (at least for me) seems to be understanding virtual networking, and applying appropriate network settings. Despite reading up on it beforehand and thinking I grasped how it worked, I encountered endless error messages about multiple gateways and duplicated connections while trying to configure the network connections for the VMs and the host machine. It turns out that I was probably being as dense as usual in that I missed the obvious point about what the virtual switches that Hyper-V creates actually do.

    Stepping back, the scenario is a machine with three physical network cards. I want to use one to connect the host (physical) server O/S to the internal network, one to connect specific virtual machines to the internal network, and one to connect specific virtual machines to the outside world. One of the virtual machines, hosting the firewall and mail server, will connect to both.

    So step one is to use the Virtual Network Manager to create two virtual switches and connect these to the two physical NICs. When you look in the Manage Network Connections dialog on the host, you see - as expected - the three physical connections and two additional connections. What's confusing is that they are all "Connections". It's only when you examine the properties of each one that you realize two of them are bound to the new Microsoft Virtual Switch protocol and nothing else. At this point, it's a good idea to rename these connections so the name contains the word "Switch" to help you easily identify them.

    So, now you can use the Hyper-V Settings dialog for each virtual machine to add the appropriate network connection(s) to that VM. What this actually does is create a connection within the virtual machine and "plug it into" the virtual switch you specify. You can, of course, plug the connections within more than one VM into each virtual switch. It really does help to think of the "switch" connections as "real" network switches like the 4 and 8 port ones you can buy from your local computer store. Ben Armstrong has some nice pictures in his blog post that illustrate this.

    What's confusing in almost every post and document I've read is the use of the word "host" or "parent" to refer to the physical machine and its O/S. It implies that the VMs somehow run "inside" the O/S that is running directly on the hardware. I've started to refer to it in my head as the "base machine" and "base O/S" instead. While the base O/S and the Hyper-V runtime implement the virtual switches, these switches are not "inside" the base O/S. The Virtual Network Manager effectively moves them out of the base O/S. So the confusing part (at least for me) was what do I do with the two new "Connections" that are visible in the Manage Network Connections dialog of the base O/S. I know that I must configure the non-virtual connection that the base O/S will use to talk to the network. And I know that I have to configure, within each VM, the connections that I add to these VMs using the Hyper-V Settings dialog.

    Unable to find any guidance on the matter, I assumed that the two "Connections" visible in the base O/S were being used to link the physical NICs to the virtual switches, hence the quandary over how to configure them. As it was, I followed the "know nowt, do nothing" approach and left them set to the default of "Obtain an IP address automatically". It was only after a day or so I noticed that file copy speed was erratic, and that the physical servers each had two different IP addresses in the domain DNS list.

    Probably you are already hopping up and down, and waving your arms to try and attract my attention, with the answer. My error is obvious now, but wasn't at the time. What the Virtual Network manager does is steal the physical NIC and plug it into a virtual switch. However, this would cause a problem if the machine only had one physical NIC, so it tries to be helpful by automatically creating a new connection in the base O/S for each virtual switch it creates, and then plugs these new connections into the appropriate virtual switch. This means that the base O/S still has access to the physical NIC.

    (Figure: duplicated connections shown dark shaded)

    However, this also means that, on a multi-NIC machine, you can easily get duplicate connections in the base O/S. For example, in my case I already have a connection in the base O/S that's nailed to one of the physical NICs, and that's all I need. But when I dig a bit of CAT6 out of the junk box and plug one of the other physical NICs in the machine into the network, the virtual switch links it to one of the un-configured "Connections" in the base O/S. This means I've got two connections from the base O/S to the network for the same machine, but with different IP addresses.

    If you managed to follow that rambling description, you'll be pleased to know that it finally dawned on me what was going on, and I confirmed it when I finally came across this advice in the last comment to a long blog post on the subject: "...if you have multiple physical NICs, disable the duplicated connections in the base O/S that the Virtual Network Manager creates". In other words, in the Manage Network Connections list in the base O/S, unplug all the "Connections" (not the "Switches") that Hyper-V so helpfully created (and, coincidentally, you don't know what to do with). Unless, of course, you need the base O/S to talk to more than one network, but that probably negates the whole point of having a vanilla and minimum base O/S install that runs multiple VMs containing all the complicated stuff.

    Note: In Windows Server 2008 R2 you can untick the Allow management operating system to share this network adapter option in Virtual Network Manager to remove these duplicated connections from the base O/S so that updates and patches applied in the future do not re-enable them.

    By the way, if you get odd messages about duplicate connection names, gateways, or other stuff while configuring network connections within a VM, it's worth checking for any "orphan" unconnected connections that the Virtual Network Manager may have created. In fact, it's worth doing this anyway to avoid "connections problems" when you try to import an exported VM if the roof falls in. Use the process described in http://support.microsoft.com/kb/269155 to find these and uninstall them.
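    The check and the fix described above, as an added example (my own, not from the original post or from Microsoft's Hyper-V documentation). It uses only netsh, which is present on Windows Server 2008. It assumes the virtual-switch bindings were renamed to contain the word "Switch" as suggested above, so that anything else the Virtual Network Manager created is a candidate for disabling; the connection names in the list are placeholders to replace with the ones in your own Manage Network Connections dialog.

```powershell
# Added example: find and disable the duplicated base-O/S connections that
# Virtual Network Manager creates on a multi-NIC Hyper-V host.
# Leave the connections bound to the Microsoft Virtual Switch protocol alone;
# only the extra "Local Area Connection N" entries are to be disabled.

# 1. Every connection currently holding an IPv4 address. A host that should reach
#    the LAN through exactly one NIC will show more than one entry here when the
#    "two IP addresses in DNS" problem is present.
netsh interface ipv4 show addresses

# 2. Every connection and its admin/connect state, so the extra entries can be
#    matched against the names in Manage Network Connections.
netsh interface show interface

# 3. Disable each duplicated connection. Placeholder names: replace with the
#    connections that appeared when the virtual switches were created.
$duplicates = @('Local Area Connection 4', 'Local Area Connection 5')
foreach ($name in $duplicates) {
    netsh interface set interface "$name" admin=disabled
}

# 4. Confirm that only the intended management connection still holds an address
#    and re-check the domain DNS zone: the second host record should age out.
netsh interface ipv4 show addresses
```

    Run it on the base O/S, not inside a VM; the connections the VMs use are configured from within each VM and are unaffected. If the base O/S genuinely needs a second network, skip the corresponding name in step 3 and give that connection a static address instead of leaving it on DHCP.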

    Scene II: "An Exchange of Plan"

    All that remains now is to get one more VM up and running to host my firewall, public DNS, and Exchange Server. One more day's work and it will all be done. All the hardware is in place, all the infrastructure and networks installed, and most of it is performing without filling the Event Logs with those nasty "red cross" messages. Maybe I can phone the lad down the road who is finding a home for my old boxes and get rid of the last one...

    Or maybe not. I just read the "ReadMe" file for ISA 2006 and discovered that I can't run it on a 64-bit machine. Yet Exchange Server really wants 64-bit to work properly (according to the docs). And why should I run 32-bit software on my gleaming new 64-bit boxes anyway? So I check out the replacement, Forefront, but it's still in Beta. Do I want to chance that on my only connection to the outside world? Probably not.

    And after reading How to Transition (or Migrate) to Microsoft Exchange Server 2007 I begin to wonder how migration will go when I'm coming from a box that was originally upgraded from Exchange 5.5 to Exchange Server 2000. Do I really need an Exchange Server? Yes, it's useful for experimenting and researching stuff I work on, but the administrative overhead - never mind the upgrade hassle I can see lurking in the wings - probably far outweighs the gains.

    In fact, if it's comparable to the struggle with Windows 2000 Server, I'll probably have to book a week's vacation. Or hire someone who knows what they're doing. Maybe I should just have done that in the first place, but then I wouldn't have learned all this valuable stuff about how it all works.

    For example, after a couple of days, the old server, which is still the main domain controller for the external network, started filling the Event Log with a message every five minutes telling me that there was a domain error. According to Microsoft, the message you usually get is

    "Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domainname,DC=com. The file must be present at the location <\\domainname.com\sysvol\domainname.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. Group Policy processing aborted."

    Well, that would be useful. What I got was:

    "Windows cannot access the file gpt.ini for {}. The file must be present at the location (). Group Policy processing aborted."

    However, after implementing the process described in Event ID 1000, 1001 is logged every five minutes in the Application event log and rebooting, it seems to be fixed. The problem was incorrect permissions on the Winnt\SysVol folder and rights assignment for "Bypass traverse checking". Probably another left-over from the original NT4 installation. Thank heavens for Technet...

    And, increasingly, I find I'm struggling for disk space. I need 120GB just to back up the three VMs I'm running, and the servers only have a pair of 160GB disks. If you are ordering hardware to do Hyper-V, buy boxes with four times the space you think you'll need. And make sure you get Gigabit NICs in them and use quality CAT6 cable and a Gigabit network switch 'cos you're going to be spending a lot of time copying very large files...

    Ultimately, I took the decision to outsource my Exchange Server to a well-known and reputable company here in the UK. The cost is less than I pay now just for outsourced email filtering services, so it looks like a bargain. And that meant that I could create a virtual 32-bit Windows 2003 instance (ISA will not install on Win 2008) on Hyper-V to run just ISA 2006 and the external DNS server for my public domains. Less stuff to worry about in the long term I hope, though I'll probably have to upgrade that to Forefront on Win 2008 some time in the future. But at least there's no need now for an external domain!

    Scene III: "DNS = Decidedly Negative Scenario"

    Of course, everyone knows that DNS is a black art, and that you should never expect a DNS server to do what you expect. Well, unless you know about this stuff anyway. Up to now, my old DNS setup seemed to be working fine, though probably more through luck and old shoelaces than any real expertise on my part. So I decided this time to read up on how I should do DNS for ISA and an external DNS server to see if I could get it right. And, having got it all set up and running fine on a spare IP address, all seemed hunky-dory.

    Until the "big switch-over day" arrived and I pulled the old ISA box out of the network. Everything stopped working. Every machine began to spew its excess event log messages all over the garage floor. My wife was shouting that she couldn't get her email. And it was only 9 o'clock on a Sunday morning. Maybe I should just put the old ISA box back and go back to bed...? However, after calming down and topping up with coffee, I started to investigate. A couple of wrong gateway entries in the domain controller network connections obviously weren't helping, but fixing these didn't cure it. So I went back to the docs to see what I missed the first time round.

    The guidance I'd used was Configuring DNS Servers for ISA Server 2004 (there is no ISA 2006 version), which shows the setup for "Domain Member ISA Server computer with full internal resolution". However, the doc is a bit confusing in that it covers several different scenarios. In the end, it was grasping that the ISA box needs to use the internal DNS server and that the internal DNS server will do all forwarding to other DNS servers. These forward lookups go out to the Internet through the ISA server, but do not go to the DNS server on the ISA box. Read "Why can’t I point to the Windows 2000 DNS first, and then to the ISP DNS?" in the "Common Questions" section of that document to understand why. Plus, the internal domain machines must not include the external DNS server in their list of DNS servers, but should instead reference only the internal DNS and allow that to forward lookups (I use DHCP to set these options). Maybe the following more detailed version of the schematic in the Technet doc will help...

    Note: If your public DNS server is only answering queries for zones for which it is authoritative (which is most likely the case) make sure you set the Disable Recursion option in the Advanced tab of the Properties dialog for the DNS server. See Can I Plug My Guitar Into My DNS Server? for more details.

    I set the zone TTL for the external DNS server zones to one day, but you may want to increase that if you don't plan on moving IP addresses around or updating records very often. Keep the internal TTL at about an hour to cope with DHCP and dynamic address updates. One thing I noticed is that, if you don't specify a DNS server for an interface (i.e. the external network connection), Windows uses the local address "because DNS is installed on this machine". But it doesn't seem to break anything that I've noticed yet...
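    The same two settings applied from the command line and then verified, as an added example (mine, not from the Technet document or the original post). It uses dnscmd and nslookup, both shipped with Windows Server DNS; the server names EXTDNS01 and INTDNS01, the public address 203.0.113.10, the ISP resolvers 198.51.100.53/54 and the zone yourdomain.example are placeholders. The verification step is the part worth keeping: a public DNS server that still answers recursive queries for other people's names is an open resolver, usable as a reflector and leaking your internal lookups, so test it from the outside rather than trusting the dialog.

```powershell
# Added example: disable recursion on the public DNS server and set forwarding
# on the internal one, then prove both behave as intended.

# --- Public (external) DNS server on the ISA box: authoritative only ---
dnscmd EXTDNS01 /Config /NoRecursion 1

# A name you are NOT authoritative for must not be answered. With recursion off
# the server should refuse the query rather than resolve it for the caller.
nslookup www.example.com 203.0.113.10

# A record in your own zone must still resolve through the same server.
nslookup www.yourdomain.example 203.0.113.10

# --- Internal DNS server: the only resolver internal clients reference ---
# Forward everything it cannot answer to the ISP's resolvers (these queries
# leave through ISA), never to the external DNS box.
dnscmd INTDNS01 /ResetForwarders 198.51.100.53 198.51.100.54

# External names now resolve for internal clients via the forwarders...
nslookup www.example.com INTDNS01

# ...and internal clients carry only the internal server in their DNS list.
# (Set through DHCP option 006 as the post describes; this just confirms it.)
ipconfig /all
```

    The order matters: run the first nslookup after setting NoRecursion and expect a refusal; if it still returns an address, the server is answering recursively and the change has not applied (dnscmd /Config changes take effect without a restart, but a cached answer from before the change can still be returned until its TTL expires).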

    Scene IV: "Time Passes..."

    They say that the show ain't over till the fat lady sings. I sincerely hope she's in the wings tuning up and ready to let rip, because the tidying up after my virtual Yuletide seems to go on and on. Obviously I broke most of the connections and batch files on the network by changing the machine names and IP addresses. But other things about Hyper-V are still catching me out.

    For example, I've always used the primary domain controller as a reliable time source for each domain by configuring it to talk to an external time server pool. I even know the NET TIME command line options off by heart. But it all gets silly on Hyper-V because you have multiple servers trying to set the time. The solution, I read, is to get the base O/S to act as a reliable time source, and target the VMs (and other machines if required) to it. You have to use the more complex syntax of the W32TM command, but it all seemed to work fine until I installed the ISA box. ISA 2006 is clever in that it automatically allows a domain-joined machine to talk to "trusted servers" (which, you'd assume, includes its domain controller). But I had tons of messages saying it couldn't contact or get a valid time through the internal or external connection.

    Well, I have to say that I wouldn't expect it to work with the external connection as that is blocked for the ISA box. But why not over the internal connection? Should I just disable the w32time service on the grounds that Hyper-V automatically syncs time for the VMs it hosts (unless you disable this in the Hyper-V Settings dialog for the VM)? Or should I allow external NTP (UDP) access from the ISA box to an external time server? In the end, after some help from other bloggers, I just used NET TIME to remove any registered time servers from the ISA box, restarted the w32time service, and it automatically picked up time from both the "VM IC Time Synchronization Provider" and the domain controller. Perhaps, like me, it just needed a rest before starting again.
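    The W32TM configuration referred to above, written out as an added example (my own, not from the original post): the base O/S becomes the reliable source, and each VM drops any hand-registered NTP peers and follows the domain hierarchy, which is how the ISA box ended up picking its time from the domain controller and the VM integration provider. The pool host names are placeholders for whatever pool you actually use, and the 0x8 flag marks each peer as a plain client association.

```powershell
# Added example: host-based time hierarchy for a Hyper-V network.

# --- On the base O/S (the physical Hyper-V host) ---
# Sync from an external pool and advertise this machine as a reliable source.
w32tm /config /manualpeerlist:"0.uk.pool.ntp.org,0x8 1.uk.pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update
net stop w32time
net start w32time
w32tm /resync
w32tm /query /source      # expect one of the pool servers
w32tm /query /status      # stratum, last sync time and offset

# --- On each domain-joined VM, including the ISA box ---
# Clear any NTP servers registered earlier with NET TIME, then let the machine
# discover its source through the domain hierarchy instead of a fixed peer.
net time /setsntp
w32tm /config /syncfromflags:domhier /update
net stop w32time
net start w32time
w32tm /resync /rediscover
w32tm /query /source      # expect a domain controller, or the VM IC Time
                          # Synchronization Provider if Hyper-V integration
                          # services are left enabled for the VM

# --- From any domain member: compare every DC's clock against its source ---
w32tm /monitor
```

    Leave the Hyper-V time synchronization integration service enabled for ordinary VMs; it is the domain controller VM where two sources (Hyper-V and its own NTP peers) compete, so check /query /source on that one in particular. Because the ISA box blocks NTP (UDP 123) on its external connection, the domain-hierarchy approach also avoids needing an outbound NTP rule on it.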

    Another interesting (?) issue that crawled out of the woodwork after a few days was the error "The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified." As I don't use smart cards, I ignored the error until I found the article Event ID 29 — KDC Certificate Availability on Technet. Another example of problems brought on by domain migration from Windows 2003 perhaps. As with several other issues, the solution is less than useful because I get to the bit where it says "...click Request New Certificate and complete the appropriate information in the Certificate Enrollment Wizard for a domain controller certificate", but the Wizard tells me that "certificate types are not available" and I should "contact the Administrator".

    Not a lot of use when I am pretending to be the Administrator. Unable to find any other useful guidance, I took a chance and installed the Active Directory Certificate Services role, which created a root certificate in the Personal store and allowed me to create the domain controller certificate I needed. I have no idea if this is the correct approach, but time will no doubt tell...

    One thing I would recommend is putting the machine name in big letters on the screen background. I used to get lost just working four machines through a KVM. Now there are multiple machines for some of the KVM buttons. And if you are executing command line options, use the version that contains the machine name as a parameter in case you aren't actually on the machine you think you are...

    Finale: "Was It Worth It?"

    So, after three weeks, was it actually worth it? I'm not referring to the time you've wasted reading all this administrative junk and doubtful meanderings. I mean, what do I think about the process and the result? Here's my opinions:

    • Installing Windows Server 2008 on suitable hardware is a breeze. And it doesn't keep asking for the original disk when you add or remove roles and features.
    • Hyper-V is great. On my basic Dell 2.4 GHz Xeon 4-core boxes it runs well, as do the three VMs. Though in reality they aren't under a great deal of load. The biggest bonus for me is a reasonable chance of disaster recovery without (additional) weeks of work.
    • Exporting, copying, and managing VMs seems easy and reasonably quick. Note that snapshots are not recommended for VMs running Active Directory. And you'll need lots of additional disk space for this anyway.
    • The new servers are green (in environmental and performance terms, not actual color), quiet, and emit very little heat. So I should save on electricity, earplugs, and cabinet cooling fans.
    • Moving or migrating stuff from Windows 2003 Server to Windows Server 2008 is not desperately painful, but doing the same from Windows 2000 Server is tough and I nearly gave up (via FDISK) more than once.
    • Ultimately, overall, it was well worth the effort. At least until I find the lurking problems that haven't yet raised their ugly heads...

    And the good news for any remaining readers of my blog is that I can maybe find something more interesting to ramble on about next week...


    Hyper-Ventilation, Act II


    Outside, the snow lies deep, crisp, and even. Inside, the continuing quest to achieve calm and serenity through the application of virtuality. Noticeably, without much sign of virtuosity. I know that a "Minister of the Church" is somebody who ministers to the poor and sick as well as the good and the godly. I wonder if, being surrounded by all my very old and somewhat sick machines, I am really a "Network Ministrator". So far, "Administration" doesn't seem to be one of my latent talents. Still, onwards ever onwards...

    Scene I: "Reality Begins to Bite"

    Today, set up the external Web sites on a separate Hyper-V instance that will sit in the DMZ. I run the old DaveAndAl site that still contains the support stuff for books Dave and I wrote before I drifted into the arms of MS as an employee, and I wanted to keep that available. I also run the local village information site that contains news, events, activities, and other resources for the village action group (based on the ASP.NET "Club" Starter Kit).

    This all went reasonably well, except for some hassle figuring out that you have to install the SMTP service separately and use IIS 6.0 Manager to manipulate it. However, the Web app just drops messages into the Pickup folder, and the SMTP service instantly sweeps them up and tosses them out onto the Internet. Installing the SMTP role automatically adds a suitable rule to Windows Firewall; however - if you are only sending mail (and have a suitable return address configured for the messages that is on a different and valid mail server) - you can disable this rule to prevent inbound access to the SMTP server. And I did remember to remove all the default exception rules for other services (except for HTTP and HTTPS, of course).

    Final check, get a few port scans done from various sites (such as Shields UP and Audit My PC), and go live. Wow, maybe I really can be a network administrator after all! While I've got a couple of hours left I'll prepare the old Windows 2000 box for migration of the domain to Server 2008....
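    A local version of that final check for the DMZ web host, as an added example (mine, not from the original post): list what Windows Firewall still admits inbound, disable the SMTP rule that the SMTP feature added, and confirm from the socket table that nothing unexpected is listening before the external scan. Rule names differ between Windows versions, so the SMTP rule name is a placeholder to fill in from the listing in step 1.

```powershell
# Added example: inbound exposure check on a DMZ web server (Windows Server 2008).

# 1. Every inbound firewall rule with its state, profile and ports. Anything
#    enabled beyond HTTP/HTTPS (and the management access you chose to keep)
#    deserves a second look, including the default exceptions for other roles.
netsh advfirewall firewall show rule name=all dir=in

# 2. Disable the inbound SMTP rule. The web app drops mail into the Pickup
#    folder and the SMTP service sends it outbound, so no inbound SMTP is needed.
#    Placeholder: use the exact rule name printed in step 1.
netsh advfirewall firewall set rule name="<inbound SMTP rule name from step 1>" new enable=no

# 3. Confirm the firewall profile that applies to the DMZ connection is on.
netsh advfirewall show allprofiles

# 4. What is actually listening, independent of the firewall. Expect 80 and 443;
#    25 may still appear here (the SMTP service is running) but is now blocked.
netstat -ano | findstr LISTENING

# 5. From a different machine, confirm port 25 is filtered and 80/443 answer.
#    PortQry is Microsoft's command-line port tester; replace the host name.
portqry -n dmz-web01.example -e 25       # expect FILTERED
portqry -n dmz-web01.example -e 80       # expect LISTENING
```

    Step 5 is the same test the external scanning sites perform, just from your own side; running it first means the public scan confirms a known state rather than revealing one.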

    So I read the docs about this process, and start to feel the Hyper Ventilation coming on again. If you have installed Exchange Server 2000 (I have), it will have corrupted three attributes in Active Directory that you "should" (it says) resolve before running ADPREP. But elsewhere it says that these are not really important attributes, and it even says you can resolve them after you run ADPREP. Maybe you can on Windows 2003 Server. On Windows 2000, ADPREP simply won't run at all until you fix them. Time, I think, for bed.

    Scene II: "Reshaping History"

    I've been following the "migration" approach to domain upgrades that Microsoft seem generally to recommend. You prepare the Active Directory forest and domain using ADPREP to get it up to the target version (2008 in this case), then join the new machine to the domain and use DCPROMO to promote it to a second domain controller. Finally, you move the global roles (such as FSMO) to the new DC and then demote the old one.
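    The migration sequence just described, as an added example rather than the post's own commands, with a verification step before the old box is demoted. `NEWDC` and the `D:` media path are placeholders; the account running ADPREP needs Schema Admins, Enterprise Admins and Domain Admins membership.

```powershell
# Added example, not from the post. Windows Server 2008 media assumed at D:\.

# --- 1. On the existing DC holding the schema master: extend the forest schema ---
D:\sources\adprep\adprep.exe /forestprep
# --- 2. On the DC holding the infrastructure master: prepare the domain ---
D:\sources\adprep\adprep.exe /domainprep /gpprep

# --- 3. On the new Server 2008 box, already joined to the domain ---
#    Run the wizard and choose "additional domain controller in an existing domain".
dcpromo

# --- 4. After replication finishes, move every FSMO role to the new DC ---
#    ntdsutil accepts its menu commands as arguments, one per quoted string.
ntdsutil "roles" "connections" "connect to server NEWDC" "quit" `
  "transfer schema master" "transfer naming master" `
  "transfer infrastructure master" "transfer pdc" "transfer rid master" `
  "quit" "quit"

# --- 5. Verify all five roles now report NEWDC before touching the old box ---
netdom query fsmo

# --- 6. On the old DC only after step 5 checks out: demote it to a member server ---
dcpromo
```

    If `netdom query fsmo` still lists the old server for any role, transfer that role again (or seize it only if the old DC is already unrecoverable) before demoting.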

    This process worked reasonably well with the internal Windows 2003 domain, but it was looking like being a bit of an awkward task for the old Windows 2000 domain. Especially as I'd suddenly remembered while watching TV the night before that this machine and its domain started life under Windows NT4 running Exchange Server 5.5. Ah, what wondrous history doth permeate and perfuse my historic domain... and might be an additional cause of my problems. Strangely, I can't find any Microsoft KB articles that describe moving from NT4 to Server 2008...

    But I did read up on the schema issues with Exchange Server 2000, and created and ran the scripts to fix the incompatibilities. Or rather, I tried to. None worked. In the end, I resorted to using AdsiEdit to manually change the LDAPDisplayName attributes in the AD schema (see http://support.microsoft.com/kb/314649). After that the ADPREP process succeeded and updated the forest and the domain to the Windows 2008 schemas. Four hours gone so far.

    Next, join the new Windows 2008 box to the existing domain. No problem - worked a treat. Then install the Active Directory role and promote the new box to a domain controller. Oh dear - "Failed to modify the necessary properties for the machine account. Access is denied." So, off to search for more help and apply the user rights delegation permission configuration specified in http://support.microsoft.com/kb/232070. After these fixes, DCPROMO ran fine and I had a new domain controller. And it only took seven hours in total.

    Scene III: "The Plan? What Plan?"

    You see, I thought I had this all planned out. Virtualize my three important and complicated servers so I can keep backup copies of the VHDs and just fire the appropriate one up if the active one throws a software wobbly. Or even run all three on the second identical (cold-swap) backup server if bits start falling off the active box.

    Except, now, things are starting to look a bit less well planned. For example, if I need to shut down the host box to fix something, or just to copy the VHD off as a backup, I have no domain controller or internal DNS. So all the other machines on the network start wandering aimlessly around like lost souls. And the same will happen with the virtualized external domain controller once I get that part of the network upgraded...

    Worse still, the base machine that hosts the VM that is the domain controller complains when it boots that it "...cannot find a controller for the domain..." (not surprising I guess), and so it gets all huffy about doing even ordinary stuff. Probably the worst huff is that it can't access the Hyper-V Manager service. So you are in the interesting position of not actually being able to talk to your VMs, one of which is the domain controller. OK, so if the VM is set to auto-start, things will sort themselves out after about half an hour. But what happens if it isn't set to auto-start? Or if it falls over when starting? In the end, it looks like I need a physical (rather than virtual) domain controller that starts up before the Hyper-V host machine...

    And, again, it seems I should have ordered bigger (or more) disks. Turns out you can't just copy a VM file and the corresponding config file to another Hyper-V enabled server and run it, because that screws up the network configuration (see Hyper-V Export and Import Part 1 and Part 2). You need to use the Export command in Hyper-V Manager, but that only works when exporting to the same physical host machine.

    I suggest you become familiar with Ben Armstrong's blog at http://blogs.msdn.com/virtual_pc_guy/, 'cos he does document many of these kinds of issues. For example, whether to virtualize domain controllers, how to manage VMs with script, how to export VMs, and much more. He also references other blogs that describe import/export work-rounds, though none are officially supported. I used an old spare machine to expose backup storage space for exported VMs and used the process described in the comments to Brian Ehlert's blog post to export them to that machine. But make sure you read the security caveats.

    And if you intend to make backup copies of VMs to run on another machine should a hardware disaster occur, check out John Howard's blog as well - especially Why is networking reset in my VM when I copy a VHD? and MAC Address allocation and apparent network issues MAC collisions can cause.

    More next week...
