I’m running the Virgin London Marathon 2012 for The Lighthouse Group
This post is nothing more than a shameless request for sponsorship! As the title suggests, I am running the London marathon this year (in 96 days!) for the charity "The Lighthouse Group". Check out the TLG site for more detail on what they do, but in a nutshell they are a charity that works with young people who have been excluded from school, are at risk of exclusion or are at crisis point in their education. It's a really worthwhile cause and my father-in-law has just been involved in opening a TLG centre based in Normanton, Yorkshire.
I'd appreciate any contribution, big or small! It's fair to say I'm not quite the right build to run a marathon, so a little bit of sponsorship would be very encouraging! I've been training since late August last year, and am currently managing two 7 mile runs a week, plus a game of football and a couple of swims! Keep up to date with my progress over on my Runkeeper profile.
Overriding the OpsMgr Exchange 2007 Test MAPI Connectivity Monitor for Recovery Storage Groups
The Test MAPI Connectivity monitor in the Exchange 2007 management pack automatically raises a critical error for any Recovery Storage Group on a monitored Exchange Mailbox Role. As these are generally temporary Storage Groups created for a recovery and then removed, you don't want an alert - but manually adding an override every time is not a great use of your time either.
Trouble with SCOM 2007 R2 Certificates? Validate the entire PKI path!
I learned something new today: SCOM 2007 R2 certificate-based communication not only checks the validity of the certificate you use, but also validates the CA that issued it, all the way up the chain...let me expand:
Like many organisations we have a root CA (we'll call it ROOTCA01) and a subordinate CA (we'll call that SUBCA01). OPSMGM01 has a certificate to identify itself and has the certificates for ROOTCA01 and SUBCA01 in its Trusted Root Certification Authorities store.
The certificate that secures the connection between the OpsMgr Gateway (OPSGW01) and the OpsMgr Management Server (OPSMGM01) is issued by SUBCA01 and is installed on OPSGW01; to validate the certificate chain, SUBCA01's certificate is also installed in OPSGW01's Trusted Root Certification Authorities store. Opening OPSGW01's certificate and examining the Certification Path tab shows the certificate is valid all the way up to the issuing CA - SUBCA01.
The connection will not work - OPSGW01 logs the following events:
Log Name: Operations Manager
Source: OpsMgr Connector
Date: 05/01/2012 10:18:28
Event ID: 21016
Level: Error
Computer: opsgw01.definit.co.uk
Description: OpsMgr was unable to set up a communications channel to opsmgm01.definit.co.uk and there are no failover hosts. Communication will resume when opsmgm01.definit.co.uk is available and communication from this computer is allowed.

Log Name: Operations Manager
Source: OpsMgr Connector
Date: 05/01/2012 10:18:25
Event ID: 20070
Level: Error
Computer: opsgw01.definit.co.uk
Description: The OpsMgr Connector connected to opsmgm01.definit.co.uk, but the connection was closed immediately after authentication occurred. The most likely cause of this error is that the agent is not authorized to communicate with the server, or the server has not received configuration. Check the event log on the server for the presence of 20000 events, indicating that agents which are not approved are attempting to connect.

Log Name: Operations Manager
Source: OpsMgr Connector
Date: 05/01/2012 10:18:24
Event ID: 21002
Level: Warning
Computer: opsgw01.definit.co.uk
Description: The OpsMgr Connector could not accept a connection from xxx.xxx.xxx.xxx:5723 because mutual authentication failed.

Log Name: Operations Manager
Source: OpsMgr Connector
Date: 05/01/2012 10:18:24
Event ID: 20067
Level: Warning
Computer: opsgw01.definit.co.uk
Description: A device at IP xxx.xxx.xxx.xxx:5723 attempted to connect but the certificate presented by the device was invalid. The connection from the device has been rejected. The failure code on the certificate was 0x800B0109 (A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.).
It's the last event that led me to check the certificate chain for the SUBCA01 certificate, which was installed and trusted but did not validate up the chain to ROOTCA01. Installing the ROOTCA01 certificate resolved this issue.
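The same chain check can be run by hand on the gateway before OpsMgr is pointed at the certificate. The script below is an added example, not part of the original post: it builds the full chain for a certificate in the machine store with .NET's X509Chain and reports each element's status. The subject name it searches for is an assumption to be replaced with your gateway's; an UntrustedRoot status in the output is the same condition the 20067 event reports as 0x800B0109.

```powershell
# Added example (not from the original post): build and validate the full chain for
# the gateway certificate, the check OpsMgr performs before accepting it.
# Assumption: the gateway certificate is found by the subject below; adjust as needed.
$subject = "CN=opsgw01.definit.co.uk"

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $subject } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with subject '$subject' in LocalMachine\My" }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Revocation checking is skipped so the result isolates trust-chain problems;
# remove this line to also require reachable CRL/OCSP endpoints.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

$valid = $chain.Build($cert)

# Print each element of the chain as Windows resolved it, leaf first
foreach ($element in $chain.ChainElements) {
    if ($element.ChainElementStatus.Length -eq 0) { $status = "OK" } else { $status = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join "," }
    "{0,-55} {1}" -f $element.Certificate.Subject, $status
}

if ($valid) {
    "Chain is complete and ends in a trusted root."
} else {
    # UntrustedRoot here corresponds to the 0x800B0109 failure code in event 20067
    foreach ($s in $chain.ChainStatus) {
        Write-Warning ("{0}: {1}" -f $s.Status, $s.StatusInformation.Trim())
    }
}
```

Run it on the gateway as an administrator: if the last element printed is SUBCA01 rather than ROOTCA01, or the status list shows PartialChain or UntrustedRoot, the root certificate is missing from the machine's Trusted Root Certification Authorities store, which is exactly the failure described above.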
VMware PowerCLI – Set Path Selection Policy on all LUNs for a host
Just a quick script to set the Path Selection Policy on any LUNs on a host that do not have your target policy enabled. The script sets the server to Maintenance mode first, evacuating any VMs if you are in a full DRS automated environment. While this is not strictly necessary, it was required for my production environment just to be safe.
param(
    [string] $vCenterServer = $(Read-Host -Prompt "Enter vCenter Server Name"),
    [string] $TargetPolicy  = $(Read-Host -Prompt "Enter target policy (RoundRobin, Fixed or MostRecentlyUsed)"),
    [string] $TargetHost    = $(Read-Host -Prompt "Enter target Host"),
    [switch] $WhatIf
)

# Add the VI snap-in if it isn't loaded already
if ((Get-PSSnapin -Name "VMware.VimAutomation.Core" -ErrorAction SilentlyContinue) -eq $null) {
    Add-PSSnapin -Name "VMware.VimAutomation.Core"
}

Connect-VIServer $vCenterServer | Out-Null
Write-Host "Connected to: $vCenterServer" -ForegroundColor Green
Write-Host "Target PSP: $TargetPolicy" -ForegroundColor Yellow
Write-Host

# Map the PowerCLI policy name to the ESX display name (used in messages) and reject anything else
switch ($TargetPolicy) {
    RoundRobin       { $DisplayPolicy = "VMW_PSP_RR" }
    MostRecentlyUsed { $DisplayPolicy = "VMW_PSP_MRU" }
    Fixed            { $DisplayPolicy = "VMW_PSP_FIXED" }
    default          { Write-Warning "Unknown PSP selected! Please consult the help and try again."; exit }
}

Write-Host "Setting policy to $TargetPolicy ($DisplayPolicy) on $TargetHost" -ForegroundColor Green

$vHost = Get-VMHost -Name $TargetHost

if ($WhatIf) {
    # Dry run: report what would change without touching the host
    $vHost | Set-VMHost -State Maintenance -Evacuate -WhatIf
    $vHost | Get-ScsiLun -LunType "disk" -ErrorAction SilentlyContinue |
        Where-Object { $_.IsLocal -eq $false -and $_.MultipathPolicy -ne $TargetPolicy } |
        Set-ScsiLun -MultipathPolicy $TargetPolicy -WhatIf
    $vHost | Set-VMHost -State Connected -WhatIf
} else {
    Write-Host "Setting $TargetHost to Maintenance Mode" -ForegroundColor White
    $vHost | Set-VMHost -State Maintenance -Evacuate
    # Only remote disk LUNs that are not already on the target policy are changed
    $vHost | Get-ScsiLun -LunType "disk" -ErrorAction SilentlyContinue |
        Where-Object { $_.IsLocal -eq $false -and $_.MultipathPolicy -ne $TargetPolicy } |
        Set-ScsiLun -MultipathPolicy $TargetPolicy
    Write-Host "Exiting Maintenance mode on $TargetHost" -ForegroundColor White
    $vHost | Set-VMHost -State Connected
}
SCOM 2007 DFS Backlog Monitoring – Distributing a RunAs account to only DFS replication members
The DFS monitoring tool in SCOM 2007 has some great features, which will replace many a custom VB script running in enterprises. As with a lot of Management Packs, to get the most out of it you need to have a dedicated RunAs account with local admin permissions on the servers you are monitoring (e.g. for the Backlogged Files reporting).
The easy (and wrong) choice here is the less secure distribution option, which pushes the RunAs account to ALL servers. There are lots of reasons why you wouldn't want to distribute the credentials to every server in your SCOM installation - but from a security standpoint alone, you shouldn't do it! Selecting the "More Secure" option and distributing the credentials only to the servers that actually need them is a much safer bet.
You can view the members of the DFS discovered inventory in the SCOM Console by going to the “Discovered Inventory” view and changing the target type to “Replication Member” – which is great: you can see all the Servers involved in the DFS replication topology. But there’s no easy way to add these to a RunAs credential to distribute.
To narrow it down to a short list, you can open an Operations Manager Shell prompt and list any monitoring classes which have "DFS" in the name - there are about 6 or so:
Get-MonitoringClass | where {$_.Name -match "DFS"}
The one that matches my SCOM console view is "Microsoft.Windows.DfsReplication.ReplicationGroupMember", so I want to select all the monitoring objects of that class and export the "Path" (server name) to a CSV file:
Get-MonitoringClass | where {$_.Name -match "Microsoft.Windows.DfsReplication.ReplicationGroupMember"} | Get-MonitoringObject | Select-Object Path | Export-Csv c:\DFS-Members.csv
I’ve not yet figured out how to add these to the RunAs account credential distribution via PowerShell, so I’m afraid it’s a manual process from here. To make it easier I opened the csv in Excel and filtered out duplicates (for servers with multiple DFS shares) before pasting the servers in individually to the distribution dialogue.
Once the RunAs account has been downloaded by the Agents, and if you've added it correctly to your "DFS Replication Monitoring Account" profile, you should start to see the Backlog Monitoring view beginning to populate.
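The de-duplication can be done in the shell rather than in Excel. The following is an added example, not part of the original post: it runs the same class lookup from the Operations Manager Shell, keeps only the host part of each object's Path, and writes one unique host per line, which is the list to paste into the "More Secure" distribution dialogue. It assumes that for these objects the Path begins with the hosting computer's name, optionally followed by ";" and further path segments.

```powershell
# Added example (not from the original post): from the Operations Manager Shell, build a
# de-duplicated list of DFS replication member hosts, removing the Excel filtering step.
# Assumption: Path holds the hosting computer's name, possibly followed by ";" and further
# segments, so only the first segment is kept.
$className = "Microsoft.Windows.DfsReplication.ReplicationGroupMember"

$members = Get-MonitoringClass |
    Where-Object { $_.Name -eq $className } |
    Get-MonitoringObject |
    ForEach-Object { ($_.Path -split ';')[0].Trim() } |
    Where-Object { $_ } |
    Sort-Object -Unique

# One host per line: exactly the set of computers that should receive the DFS RunAs
# account under "More Secure" distribution, and nothing else
$members | Set-Content -Path "c:\DFS-Members-unique.txt"
"{0} unique replication member host(s) written to c:\DFS-Members-unique.txt" -f @($members).Count
```

Keeping the distribution list to this set means a compromised server outside the DFS topology never holds the local-admin credential, which is the whole point of choosing the "More Secure" option.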
More notes on Threat Management Gateway Arrays
It seems that despite my previous experiences with TMG 2010, I still stumble when creating a TMG array. Here are some "notes to self", which will hopefully stop me making the same mistakes next time.
Get the NICs right first
In this case I came to a project after the initial installation of the array and there was no dedicated intra-array network installed. I added a new NIC to each VM and configured the IP addressing, VLANs and routing, but could not get the intra-array network to ping, let alone talk to each other. So the lesson here is to set up the servers with their NICs before you install TMG - Microsoft recommend a dedicated intra-array network and every bit of experience I have with TMG arrays confirms that.
Get the NIC Binding order right
This is simple, the order I have found to work is:
- Intra-array Network
- Private/Internal Network
- Public/External Network
Some people recommend the Private/Internal network first, then the Intra-array, but I have found that this order works better (anyone able to dispute this or give me a reason why it should be the other way?). The key thing is that the External Network (which should be your default Gateway) is last in the binding order, which brings me to the next point...
Get the gateway and routing right
- Default Gateway: The only NIC with a Default Gateway set should be the Public/External NIC
- DNS: The only NIC with DNS configured should be your Private/Internal NIC
- Register in DNS: The only NIC registering in DNS should be the Private/Internal NIC
- Client for Microsoft Networks: Only enabled on the Private/Internal NIC
- File and Print Sharing for Microsoft Networks: Only enabled on the Private/Internal NIC
- NetBIOS over TCP/IP: Only enabled on the Private/Internal NIC
Add any static and persistent routes required and make sure you can access those networks before installing TMG. This lets you get the routing right without the complication of TMG rules and firewall policy.
Then, and only then, install TMG
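The gateway, DNS and NetBIOS rules above can be checked in one pass before TMG goes on. The script below is an added example, not from the original post: it reads every IP-enabled adapter through WMI and flags settings that appear on the wrong NIC. It assumes the connections have been renamed in Network Connections so that their names contain "Intra", "Internal" or "External"; the Client for Microsoft Networks and File and Print Sharing bindings are not exposed by these WMI classes and still need checking by hand.

```powershell
# Added example (not from the original post): audit every IP-enabled NIC against the
# gateway/DNS/NetBIOS rules for a TMG array member before TMG is installed.
# Assumption: connection names contain "Intra", "Internal" or "External"; adjust the patterns.
$adapters = Get-WmiObject Win32_NetworkAdapter | Where-Object { $_.NetConnectionID }
$configs  = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled }

$report = foreach ($cfg in $configs) {
    $name = ($adapters | Where-Object { $_.Index -eq $cfg.Index } | Select-Object -First 1).NetConnectionID
    $isExternal = $name -match 'External'
    $isInternal = $name -match 'Internal'
    $hasGateway = [bool]$cfg.DefaultIPGateway
    $hasDns     = [bool]$cfg.DNSServerSearchOrder
    $registers  = [bool]$cfg.FullDNSRegistrationEnabled
    $netbiosOn  = $cfg.TcpipNetbiosOptions -ne 2      # 2 = NetBIOS over TCP/IP disabled

    # Each rule from the list, expressed as "this setting belongs only on that NIC"
    $problems = @(
        if ($hasGateway -and -not $isExternal) { "default gateway set" }
        if ($isExternal -and -not $hasGateway) { "external NIC has no default gateway" }
        if ($hasDns     -and -not $isInternal) { "DNS servers configured" }
        if ($registers  -and -not $isInternal) { "registers in DNS" }
        if ($netbiosOn  -and -not $isInternal) { "NetBIOS over TCP/IP enabled" }
    )

    New-Object PSObject -Property @{
        NIC      = $name
        Gateway  = ($cfg.DefaultIPGateway -join ',')
        DNS      = ($cfg.DNSServerSearchOrder -join ',')
        Problems = ($problems -join '; ')
    }
}

$report | Format-Table NIC, Gateway, DNS, Problems -AutoSize
# Persistent routes are not exposed by these classes; list them with: route print
```

An empty Problems column on every row means the IP configuration matches the rules above; anything listed should be fixed, and the intra-array ping test repeated, before TMG setup is started.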
Installing and Configuring OTRS 3.0.9 on Windows Server 2008 R2
OTRS is an exceptionally flexible ITIL compliant ticketing/helpdesk solution, which runs beautifully on almost any LAMP (Linux, Apache, MySQL, Perl (yes, I know it’s PHP really;-)) server, but what happens when you work in a Windows-only environment? OTRS does have a Windows installer, but it is somewhat clunky and requires almost as much work to configure as manually installing. Installing as components allows you to upgrade portions of the system and have more granular control over the setup.
I’ve recently installed OTRS on a Windows Server 2008 R2 (64-bit) server, including experimenting with various combinations of IIS/Apache, MSSQL2008/MySQL, ActiveState Perl 32-bit/64-bit, different configurations and setups - these are my findings:
- IIS7, MSSQL (64), ActiveState Perl (64) – to make use of the native IIS7 webserver and 64-bit Perl. The server does run but performs abysmally, and you have to force IIS to run a 32-bit application pool to get Perl to work.
- Apache2.2 (32), MSSQL (64) and ActiveState Perl (32) – again OTRS will run but performance is grim
- Apache2.2 (64 unofficial binaries), MySQL (64) and ActiveState Perl (64) – this seemed the most promising approach but without a 64-bit version of mod_perl the performance was worse than the final combo
- Apache2.2 (32), MySQL (64) and ActiveState Perl (32) – this performed the best, and although there are slow portions (SysConfig) the general user experience was good.
None of these combinations came close to the performance of OTRS running on a native Linux server; my 64-bit Ubuntu server absolutely flew, with less processor and RAM than the Windows box. In short, if you have the skills, use the Linux option. Yes, yes, I do feel a little dirty now, sorry Mr Gates.
So, the final setup I have opted for is:
- A Virtual Machine running Windows Server 2008, 2GB RAM and 2 vCPUs at 3.2 GHz
- MySQL Server 5.5, 64-bit
- Apache 2.2, 32-bit
- ActiveState Perl, 32-bit
Configuring a Guest wireless network with restricted access to Production VLANs
It’s a fairly common requirement – setting up a guest WiFi network that is secure from the rest of your LAN. You need a secure WLAN access for the domain laptops which has full access to the Server and Client VLANs, but you also need a guest WLAN for visitors to the office which only allows internet access. Since the budget is limited, this must all be accomplished via a single Access Point – for this article, the access point is a Cisco WAP4410N.
A work/learn balance
As with all things IT the pace of technology change is relentless and we are constantly and rightly told that change is good and that being able to evolve and move with the times is an important skill and ability.
However, I am often left wondering how we can maintain a balance. I have all too often seen IT professionals fall into the trap of chasing the latest and greatest, rushing to implement or learn new emerging technologies without much thought for what they already have.
Installing SharePoint Foundation 2010 with Remote BLOB support in SQL 2008 R2
Configuring WSS or SharePoint Services for a small client is a pretty effective way of getting a document management solution for a reasonable cost point. One of the limitations that caused headaches was that it used to have a maximum storage of 4GB, which was the database limit. If you wanted to go larger, you would need either a) multiple SPS installations, b) a full version of SQL server, or c) the full version of MOSS. None of those solutions are particularly cost effective, and for a small company cost is king.