Well, it’s been a long time since I’ve posted anything and this will most likely be the last post before I hop platforms, but since the resolution took nearly my whole morning I felt it was worthy a posting. As you know we’ve been rolling with System Center Configuration Manager for nearly two years now and while it doesn’t necessarily follow best practices, it’s been as stable as that product appears to be.

So today I was given a machine to image, and I promptly checked our servers to see if it was still lurking out there somewhere.

• In AD? Nope.
• In SCCM? Nope.
• In DHCP? Yes, but that’s ok.

So I fired up the SCCM console and expanded leaf objects until I got down to Computer Association. Right click and choose Import Computer Information and follow through the dialogs. What we’ve always done is add the computer by Name and MAC address, mainly because the GUID is entirely too long for any normal person to remember or have the time to write down. After adding the computer to the proper collection and finishing out of the wizard, I fired up the computer and hit F12, and let the PXE do it’s magic.

Sadly, there was no magic, after about a minute I heard two beeps which means the computer is unable to boot off the network. No worries, I know my view on time is different from that of SCCM so I waited about 5 minutes and tried again, still two beeps. I decided that perhaps I had typoed the MAC address, so decided I’d try it again; two beeps.

That’s when I began my trouble-shooting, the first thing I did was double-check the MAC, as well as make sure there were no duplicates in DHCP, which based on how we roll DHCP is impossible, but still doesn’t hurt to check. There is a report in SCCM that let’s you know if there are duplicate MAC’s inside it’s database, “MAC - Computers for a specific MAC address.” This will let you know if the MAC you enter is associated with more than one computer, it wasn’t.

I fired up the log and saw the following message, I decided to leave the typo intact, since that’s the way Microsoft left it!

The SMS PXE Service Point intructed device to boot normally since it has no PXE advertisement assigned.

Device MAC Address:00:1A:A0:B9:EF:A8 SMBIOS GUID:4C4C4544-0000-2010-8020-80C04F202020.

That seemed odd to me, since I knew that everything was set properly, I decided to restart the Windows Deployment Services (PXE) service. Often times that will fix small issues with PXE booting workstations for imaging, two beeps. That wasn’t it, so then I had to go to the bad place, SMSPXE.LOG. I’m not sure why, but apparently the SMS dev’s decided to punish admins and write absolutely horrible log entries that look like XML and reference line numbers in the source code. Sadly, there wasn’t much of anything different in here either except this:

<![LOG[MAC=00:1A:A0:B9:EF:A8 SMBIOS GUID=4C4C4544-0000-2010-8020-80C04F202020 > Device found in the database. MacCount=1 GuidCount=4]LOG]!><time="09:36:01.121+300" date="09-06-2011" component="smspxe" context="" type="0" thread="88272" file="pxehandler.cpp:341">

See what I mean by horrible? Anyway, the interesting tidbit is GuidCount=4, wtf? So a while back Carson wrote a report in SCCM that would show GUIDs, I suppose I should post that at some point because it is SUPER handy! But sure enough there were 4 computer’s with the exact same GUID. All of them but one were current, so I decided to nuke them, restart PXE and attempt my boot again, two beeps. I was not a happy camper.

So it was off to Google, since I wasn’t having any luck with the logs. As you can imagine there were lots and lots and LOTS of threads, postings and technical documents.  Most of what I read was from the Microsoft Technet social site, but as I began reading I began noticing that several of these were referencing Dell Optiplex computers. While not the same vintage Optiplex as what I was reading about I was working with Dell hardware nonetheless.

I finally fell on the answer in a two year old thread on the Dell support site. Turns out that service tag is more than just helpful on their website! The GUID for the computer is based on that service tag, and if the motherboard gets replaced and the tech doesn’t add it back into the BIOS, the computer will create a generic one. That’s the GUID or SMSBIOS GUID listed above, and it was a painfully easy fix! You will need to download the ASSET.COM utility from Dell’s Utility FTP site.

Once downloaded run that command with the /S switch and the service tag for your computer. Please be aware that if you muck up that entry, there is no way to remove it! So double, triple, quadruple check before you confirm that it’s ok to update that information.

The only other complicated part for me was finding a floppy drive, and more importantly a floppy disk to make bootable so I could run this and a BIOS update on the intended computer!

So I hopped services again, and it’s taken me a bit to get things up and running the way I want them to. The big difference now, I’m hosting my own services, so there was a learning curve for me to get things working properly. This site has been up for a while, but I’ve only recently gotten my subversion site online. The site that caused me the most trouble was my trac site. Turns out my issues had nothing to do with trac at all, but TMG 2010.

The problem I had with the site was, I could get it online just fine, browse the content, and login to check the admin settings. But it wouldn’t let me log out, well it would, but wouldn’t. I would login, close the browser, dump the cache and cookies and when I opened the site back up, I was still logged in, kind of. It was very frustrating, I tried configuring the site back to default settings, same problem. I tried creating a new blank site, same problem. I even tried setting it up on a different server, thinking there was some problem with my servers configuration.

Today I had some time to troubleshoot, and started rolling through each of the rules on firewall. Now I’m no newb to Microsoft Firewalls, I’ve run every Proxy they’ve had since they called it Proxy Server. But I’ve not really had a setup with no clients behind the firewall, so the default rules for caching were just fine. Silly me, didn’t check this when I set up the TMG 2010 firewall.

I could create an exception rule to prevent caching for specific servers behind the firewall, but since I don’t really surf from my server or have clients behind the firewall I just turned it off. So for future reference while RTFM is always true, I think perhaps in this situation it was doubly true.

The short of it is, everything’s back up and running and I can get back to my other stuff. Since I’ve moved I have 5 articles queued up and now I can get back to them.

Today we’ll be working on some moldy oldies! I give you the SGI Indigo, and it’s successor the SGI Octane! Bow in front of their immense glory!

Here is the problem:

We have research analysis software designed solely for SGI, and our main computer for these analysese, the SGI Octane unix computer, OCTANE, will not boot due to apparent hard drive RAM failure. This 10+year old may not be recoverable.

We can regain our analysis functionality using the functional SGI Indigo 2 computer that has the necessary software, INDIGO. However, the network functionality is not currently available on INDIGO to allow file transfer to/from the computer. Thus, my primary request is that INDIGO be configured to allow secure ftp and remote shell access only.

I believe the computer needs to be added to the workgroup (or in setup in that "domain"). Please assign someone to complete this network access task in the next few days. Please coordinate with my lab assistant to assure that sftp and secure shell from our PC computers is working.

Secondarily, if it is staightforward to recover an image of the failed SGI Octane hard drive, we may consider replacing the drive (if possible), restoring the image on the "new" (likely used) drive and getting the SGI Octane, OCTANE working again. This is a lower priority, as there is no substantial data loss, and we have already been looking at ways to move the analyses done on the SGI over to Windows PC software (or possibly Linux). We have no desire to invest large amounts of time and/or money to restore the failed SGI. But, if the process is simple and cost is "cheap", then we would like to restore the SGI octane until a long-term solution is found.

So how do you start? Well, we started with one assumption, the SCSI card is dead. If the disk itself is dead, then there is really nothing we can do. Working on our assumption we were able to scrounge up a full length PCI SCSI card.

We verified that it was recognized in the BIOS and could see an attached disk.

After our regularly scheduled lunch (Buffalo Wild Wings…yum) and our staff meeting we headed over to the lab. We had been there once before with Nick, and it wasn’t much fun then either. It was during an IP inventory that we found these machines, and it was on that visit that we configured them to use our network. Sadly the “Supercomputers” were so old, they pre-dated DHCP…but that’s another story. We spoke with the advisor who was unaware that SGI ceased to exist as a company about 8yrs ago, further he was also unaware that SGI stopped using MIPS and switched to Intel based CPU’s about 4yrs before the company filed for bankruptcy.

In the lab we found many things, lovely wiring:

We also found the sad little Octane, with it’s drive removed. The first thing we noted was that the disk was six years newer than the computer. This was good news for us as we had servers that we could mount that disk into natively. We also “fixed” their network issue, turns out that the Indigo2 had the subnet incorrectly specified, sounds like a stupid mistake, aside from the fact you had to set the network id in hex, ya…you heard me. We gave them the IP of their box and they were able to access it via sftp.

We informed the advisor that we would attempt to access the disk back in our office, but first we had to make a stop over to our storage room. We picked up a lovely Dell PowerEdge 2650, and swapped one of it’s disks for the failed SGI disk.

Upon booting into the BIOS we ran disk utilities and it informed us that the disk was in fact dead. Sadly this means we were unable to fix that part of the problem. But the good news is that we had a nice trip down memory lane playing with hardware that used to cost thousands of dollars, and now is up for sale on E-bay for about $400. Sorry this has been a rather rambling post, but I felt upon receiving this ticket in the help desk that it really merited some form of posting.

I took the SANS 546 class today, and it got me thinking about setting up my server to respond to IPv6 hosts. Steps thus far are pretty straightforward:

1. Get an account with a tunnel broker
2. Configure your host
3. Test connectivity
4. Configure IIS
5. Create AAAA record on your DNS provider
6. Troubleshooting

Tunnel Broker Account

This is very easy and painless! There are several to choose from, but one that was mentioned by the lecturer was Hurricane Electric. Fill out the form and check your email for your password, the whole process takes about 1 minute. Once you login you will need to create your first tunnel:

1. Login to http://www.tunnelbroker.net/ with your username and password
2. Click “Create Regular Tunnel”
3. IPv4 endpoint is your webserver
4. They will find a tunnel closest to your IP
5. Click “Create Tunnel”

Configure your host

See? Pretty painless, now that you have your tunnel up you will need to configure your host, since I’m working with Windows 2008 R2, there is actually a set of netsh commands you run. They are specific to your configuration and you can access them by clicking, “Example Configurations” tab on the Tunnel Details page. From the dropdown select your Operating System, and it will give you the commands you need to set it up.

Test connectivity

Once everything is configured the easiest way is attempt to access an IPv6 host:

• Open your browser to http://ipv6.google.com
• Or ping –6 ipv6.google.com

Configure IIS

Configuring IIS is pretty simple as well, I found that I had some extra stuff that I didn’t think I should need to do though.

• Open IIS Manager
• Select the site you wish to enable IPv6 on
• From the Action pane choose “Bindings…”
• For basic web server
  • type = http
  • Ip address = ipv6 address
  • port = 80
  • host name = the name you want the server to respond to
• Click Ok

Create AAAA record on your DNS provider

I use GoDaddy.com for my dns, so you will just need to go into total dns manager and add the AAAA entry. This entry will need to be the same as the host name you specified in your IIS bindings

Troubleshooting

• The first thing you will want to do is make sure that you are able to ping your own ipv6 address
• Then try pinging your ipv6 address remotely
• Repeat these steps with the ipv6 hostname that you set in DNS.
• It may also be a good idea to visit test-ipv6.com
  • If all those tests fail you may have other issues, that I can’t really help you with

What I found is I was able to ping my ipv6 address locally and remotely, my name ipv6.patton-tech.com resolved locally and remotely, but when pointing a browser at that URL nothing showed up. It was the end of the day when I got this setup, and I had done some of the above basic troubleshooting that all returned successful. This morning I began again I ran the following command:

netstat –s

The output from this command showed several failed attempts over IPv6, this seemed to increase each time I attempted to open the website (could have been coincidence). Since I saw there were failures on IPv6, the next thing I did was run this command:

netstat –an

This should show what addresses are listening on what ports, I saw my IPv4 addresses, but no IPv6. That’s when I started browsing the forums looking for something useful, and I didn’t find much. Most of what I found talked about making sure you didn’t choose the temporary IPv6 address, but since ours is assigned statically via netsh I don’t think that was the problem. Running the command:

netsh interface ipv6 show address

Shows that my interface was a tunnel interface, which makes sense, but that got me spun off into checking the firewall, which wasn’t the problem at all. Finally I found a forum post on iis.net that was close enough to my issue that I was able to resolve it. One of the posters suggested running this command:

netsh http show iplisten

Unlike the original poster I was able to see my IPv4 public address but not my IPv6 address. The suggestion was to remove all iplisten entries which would force iis to listen on all ip addresses. Since I have several services running and listening on port 80, I couldn’t do that. But the syntax of that command led me to TechNet for the proper syntax to add a listener:

netsh http add iplisten ipaddress=ipv6addy

I posted a question in the forums to ask if there is something I have done wrong, or if perhaps the default is to not add the listener but no answer yet. It seems to me that when I add a binding to iis, it should also allow the web server to listen on that address. I know there was nothing I had to do for IPv4, so it’s either a default (not likely) or the fact that this address is set statically (more likely).

Or, “What’s in a name?”

Turns out a whole hell of a lot! First I need to thanks Nick for the awesome title, as he completely pinpointed my issue after I told him what happened! The last article I posted talked about our desire to move away from vanilla Windows 2008 and up to Windows 2008 R2. What should have been a pretty straightforward process got slightly mangled by two things. I forgot to rename the computer, and I moved to fast, hence the “Premature Installation!”

Naming is important, there are some names you can change and some you can’t. How computers get names has also changed with 2008, it used to be that during installation you were prompted for a name, now you do that after. One of the things we found out was that a Domain Controller can have multiple names, while I don’t know how recent that change is, or isn’t it was new to us. Back to the naming process, while there’s nothing inherently wrong with a Domain Controller named WIN-LLF3467Q0, you would undoubtedly agree it doesn’t really roll off the tongue.

So that was the first problem, I installed Windows 2008 R2 without mishap, and Directory Services installed, and when I hopped over to the Domain Controller’s OU I noticed my problem. So the first thing I did was go to the above article and renamed my new Domain Controller, and this is where the second problem occurred.

Replication while speedy, it does take time, and the more things you have in your AD the longer it could potentially take. The end result of my fubar is that we wound up with no less than three different entries in DNS for the same server, only one of which was correct, and due to replication latency the name of the server in AD was completely wrong.

So I did what I imagine most people would do, and went to uninstall DS from the server and attempt to start over. But because things had gotten so trashed I was unable to uninstall DS, because the server name that I was on didn’t exist in AD, I really should have screenshot stuff but take my word, I was on dc1 and the error was dc1 didn’t exist…which was technically true. It was a crazy weird edge situation, you could actually connect to DC1 but you had to type it in manually in order to get there. At any rate I was unable to remove DS, so I turned off the computer and attempted to remove the computer account that was listed from the Domain.

The problem with that was in order to do it, you MUST be on a Domain Controller to remove a non-functional Domain Controller from the Domain. I’ve not found an article on TechNet that mentions that, but I’ve not looked in any great detail. This information was found on the TechNet Social site, after connective over RDP to the off-site Domain Controller I was able to remove the offending account.

So, in the future, remember to be patient and make sure you have a checklist!

1. Install Windows OS
2. Change the default name before network connectivity
3. Make any needed changes
1. Disable IPv6
2. Apply 3rd party DNS Hotfix
4. Install Directory Services
5. Wait
6. Wait
7. Wait
8. Verify successful replication

These are the steps I followed on my server rebuild yesterday, as well as the same instructions I followed when I migrated the second Domain Controller this morning.

We decided it was time to move to R2 on the domain controllers, while we’re at it we also moved up to Windows 2008 Functional. Sadly we can’t go to 2008r2 functional until our last 2008 DC goes out of warranty, in 2014! Oh well, maybe something will happen to it…

Fairly straightforward process

1. Transfer FSMO roles
2. Take a VM snapshot
3. Perform the DCPromo
4. Uninstall ADDS binaries
5. Export Logs
6. Reset computer account
7. Install Windows 2008R2 Core

Well this morning Boe Prox posted a nice function to poshcode, Get-FSMORoleOwner. This function returns what server owns which roles and it was very helpful as I performed my transfers. Originally I had wanted to use Powershell to perform my transfers, but without ADWS the built-in ActiveDirectory module wouldn’t load. So I performed the transfers the old-fashioned way, using the MMC. After each transfer I would run Get-FSMORoleOwner to verify that the role had been moved. This all went without a hitch as expected, then came the Domain Functional Level.

No big surprises here, we did a little digging and found that moving to 2008 Functional level was equivalent to staying at 2003. There are a few new features in 2008, the most interesting one for me at least, is the Interactive Logging. Raising the functional level was a breeze, and all domain controllers reported the same level within minutes.

Since I’ve been moving away from VBscript and over to PowerShell I decided to take my VM snapshot using the PowerShellCLI from VMware.

New-Snapshot -Name Pre-Demotion -VM dc1 -Description "Snapshot prior to demoting."

In order to backup all the logfiles I threw together a quick little function Backup-EventLogs. It takes the name of the computer and uses Get-WinEvent to get all the logs available. It then writes out each log where the RecordCount is greater than 0 to a csv file, using Export-CSV. Carson pointed out that it may have been easier to copy the log files over…ya, well…dammit I wouldn’t have gotten a nifty function out of it though!

Anyway, resetting and re-installing are fairly vanilla, and I’m pretty sure I covered standing up a core server somewhere before.

Thanks,

I’ve been really busy working with and learning PowerShell and dutifully committing my code into my subversion repo. For the most part it’s been really fun and I’ve not had too many problems. What I wasn’t expecting was not being able to view my scripts on my Trac site. I had recently uploaded a script I wrote that would delete local user accounts from computers in the domain. I had decided to link the help page I created to the source page, except when I browsed the repository and clicked on the file I received the following message:

Property svn:mime-type set to application/octet-stream

Trac let me know that while I couldn’t view it, I was perfectly welcome to download it. My first thought was great, now what do I do. After a little bit of searching the above message, adding in keywords like Trac, Apache and TortoiseSVN I came across a few pages of interest. The first page was the Subversion FAQ, about halfway down the page was the auto-props heading. Now that I knew what I was looking for a change in the search brought me to TortoiseSVN project settings page.  Following the document I found the Subversion properties for my scripts folder, and then defined a mime-type for the PowerShell and VBScripts files. Since there is nothing particularly special about these files, I set their mime-type to text/plain.

After committing my change (everything is version controlled in subversion), I went back to the browser, and was greeted with the same message. Even though I checked the box to apply the property recursively, this setting only applies to new files and not existing ones. So I solved the problem moving forward, but I still needed my scripts to open, I browsed to the file in my local repo and went into it’s properties and noticed that it’s mime-type was set to application/octet-stream, sound familiar?

After removing that property the links work, so I decided to write this up really quick, because I’m sure I’ll hit it again. If you find it useful as well, awesome!

It’s been over a month since I’ve posted anything and a lot has been going on.

I’ve decided that this year I actually will move from VBscript over to PowerShell. I have restructured my scripts repo created a vbscripts and PowerShell top folder, then the production and playground subfolders within each. I moved my Active Directory scripts over to the vbscript section of my scripts repo. I fleshed out my trac site, http://scripts.patton-tech.com with some documentation for the Active Directory scripts, and the PowerShell scripts that I have started to write. I created a PowerShell page on my site to document the scripts and libraries I create. I have posted some of what I think are more useful libraries to the code gallery on TechNet.

But the most important thing is my son was born on March 19th. Nathan James Scott showed up at 5:03 weighing in at 5lbs and 13oz. Consequently I took the following two weeks off from work to spend time with my growing family.

A fair amount of my time is spent at the command-line, and as such I want it to work in a particular way. Since I don’t want to lose this information the next time I need to set this up, I figured I’d write it down someplace.

The console window

I hate the console window, it’s hurty and painful. By default you can’t copy/paste easily, and the size of the screen is set to 80 cols. Nobody has a screen anymore like that so I wanted that to change first. You need to make changes to the default preferences for the console window. Open the command prompt and right click on the title bar and choose, “Properties.”

Command History:

• Buffer Size: 999
• Number of Buffers: 5
• Discard Old Duplicates: True

Edit Options

• QuickEdit Mode: True
• Insert Mode: True

Screen Buffer Size:

• Width: 2500

Window Size:

• Width: nnn
• Height: nnn

Window Position:

• Left: nnn
• Top: nnn
• Let system position window: False

Where nnn is some number that works for you.

Command Prompt

The usual prompt we’re all familiar with C:\Windows\System32>_ it’s ok, it tells you where you are, but how much fun is that? So I changed it to something that is a little more descriptive. I wanted it to look a little more like a linux prompt, plus give me more command-line space.

jspatton@l1132c-pc01 | 16:05:15.33 | Tue 2/22/2011 | C:\Windows

In order to get this prompt all I did was run the following command:

prompt=%username%@%computername% $B $T $B $D $B $P $_

The only problem with this command is that as soon as you exit the shell it goes away. So to make it permanent change the syntax of the command above to the following:

setx prompt "%username%@%computername% $B $T $B $D $B $P $_"

Setx will store that value in the registry which will allow your prompt to persist across multiple shells. Now to make it more fun you need to download a few things, first since I tend to find myself in Linux and Windows on a regular basis I sometimes find myself issuing linux commands in Windows. For a list of all the prompt variables you can use, visit ss64.com. In addition to that you also have access to all the regular environment variables. GnuWin32 has a whole suite of linux commands that you can download and install, but it’s a pain so someone created a project that downloads and installs all the tools for you, GetGnuWin32. I won’t go into details on how to install this, read the page it gives you what you need.

What would be nice right now is ANSI.SYS but that hasn’t been around for ages, so if you want to have nifty colors in your prompt you will need something similar. There may be several utilities that will do this for you, but I found ANSICON, it’s pretty straightforward, download and extract the files onto your computer. Once you’ve done that all that’s left is to load it into the registry with the following command:

ansicon –i

That’s about it, now I have posted up here and you know how to do it too!

Enjoy!

So I wanted the list of blogs I follow in Google Reader to be displayed on my website. Blogengine uses XML files for just about everything, so I decided I would see how difficult it was to convert the Google Reader OPML to a format suitable for Blogengine. The first step is to export your list to an OPML file, once you have that you need to grab this XSLT file that will handle the conversion and finally some sort of utility that will read in the OPML and XSLT and output the appropriate XML.

Getting your feed

Login to Google Reader, and navigate to Manage Subscriptions. You can find that link in the lower left of your reader display. From there you will need you need to click the Import/Export tab, and then just click the “Export your subscriptions as an OPML file” link.

That file will download to your computer, you’ll want to remember where it goes as you’ll need it shortly. Once you have that file you will need the following XSLT file. I found this code on codeplex where the original is located.

<?xml version="1.0" encoding="utf-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" exclude-result-prefixes="msxsl">
  <xsl:output method="xml" indent="yes"/>

  <xsl:template match="*|@* | node()">
    <xsl:copy>
      <body>
        <xsl:apply-templates select="//outline"/>
      </body>
    </xsl:copy>
  </xsl:template>

  <xsl:template match="outline">
    <xsl:if test="@type='rss'">
      <outline xfn="contact">
        <xsl:apply-templates select="*|@*|node()"/>
      </outline>
    </xsl:if>
  </xsl:template>

</xsl:stylesheet>

You should save that as a file with a .XSLT extension, ideally this would live in the same folder as the .OPML file you received from Google. Now you need something that will convert those two files into what you need, blogroll.xml. I found the utility on Microsoft.com, msxml.exe and it did the trick, you will just need the msxml.exe file. I downloaded that to the same place as my OPML and XSLT files.

Now we can create our file, the syntax is pretty straightforward, and actually quite flexible you can literally key in your XML and XSLT from stdin. But this is what my syntax looked like.

msxsl.exe google-reader-subscriptions.xml google-reader-to-blogengin.xslt -o blogroll.xml

The first parameter is your input XML file, the second parameter is the XSLT file that will be used to create your output (-o) file. The resulting blogroll.xml file can be copied into your APP_DATA folder on your Blogengine installation, and you may or may not need to restart the webserver before it shows up. If you don’t have the Blogroll extension displayed you’ll need to login and add that to the site.