Sunday, February 28, 2010

IE Enhanced Security Configuration


There is a feature on Windows Server 2003 R2 and 2008 that is either "annoying" or "secure", depending on whom you ask: IE Enhanced Security Configuration. It is turned on by default, and with it on, IE is rendered almost useless.

You can use a GPO to permit everything again. An easier way is to simply turn off this feature. For W2K8, go to Server Manager - IE Enhanced Security Configuration, as shown in the diagram.
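Before switching it off, it helps to know what state the server is actually in, because the dialog in Server Manager tracks Administrators and Users separately. The script below is an added example and is not part of the original post; it reads the two Active Setup component keys that IE ESC uses (the well-known {A509B1A7-...} key for Administrators and {A509B1A8-...} for Users) and reports whether the feature is on for each group.

```powershell
# Added example (not from the original post): report whether IE Enhanced
# Security Configuration (IE ESC) is on for Administrators and for Users.
# Assumption: the well-known Active Setup component keys used by IE ESC on
# Server 2003 R2 / 2008; IsInstalled = 1 means IE ESC is on for that group.
$IeEscKeys = @{
    Administrators = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
    Users          = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
}

function Get-IEEscState {
    foreach ($group in $IeEscKeys.Keys) {
        $path  = $IeEscKeys[$group]
        $state = 'NotPresent'          # key missing: IE ESC is not installed at all
        if (Test-Path $path) {
            $value = (Get-ItemProperty -Path $path -Name IsInstalled -ErrorAction SilentlyContinue).IsInstalled
            $state = if ($value -eq 1) { 'On' } else { 'Off' }
        }
        New-Object PSObject -Property @{ Group = $group; State = $state; Key = $path }
    }
}

Get-IEEscState | Format-Table Group, State -AutoSize
```

The usual compromise on a server where admins need a working browser is to turn IE ESC off for Administrators only and leave it on for Users; the report makes it obvious when someone has switched off both.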

Friday, February 26, 2010

Roaming User Profiles & Folder Redirection on Terminal Server

We are offering some RemoteApp Terminal Services (TS) based on W2K8. One consideration is porting the users' existing local profiles to roaming user profiles, so that the users won't get upset about losing their IE favorite bookmarks.

Unfortunately, WinXP local profiles are V1 and W2K8 profiles are V2, and they aren't compatible. Hence, we use the Terminal Services profile, which supersedes the roaming profile in a TS environment. To reduce the profile loading time, we implemented a loopback policy on the TS server that enables folder redirection. Without folder redirection, the server has to load the whole profile from the network share when a user logs in and upload it again when the user logs out; users with large profiles will naturally have longer loading times.

I found two very good sources on implementing roaming profiles and loopback policy on TS:
  1. How to implement Basic Roaming Profile & folder redirection
  2. Folder Redirection on Terminal Server
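The users who will complain first are the ones with the largest profiles, so it is worth measuring the profile share before deciding which folders to redirect. The script below is an added example, not code from the original post: it walks a profile share (the share name is a placeholder), sums each profile folder, tells V1 (WinXP) and V2 (W2K8, ".V2" suffix) folders apart, and flags the ones above a size threshold.

```powershell
# Added example (not from the original post): report roaming/TS profile
# folders on the profile share by size and profile version, so that the
# users most affected by slow logon (large profiles) can be found first.
# Assumptions: \\fileserver\Profiles$ is a placeholder share name; W2K8 (V2)
# roaming profile folders carry a ".V2" suffix, WinXP (V1) ones do not.
param(
    [string]$ProfileShare = '\\fileserver\Profiles$',   # placeholder
    [int]$WarnMB = 200                                 # flag profiles above this size
)

function Get-ProfileReport {
    param([string]$Share, [int]$ThresholdMB)
    Get-ChildItem -Path $Share | Where-Object { $_.PSIsContainer } | ForEach-Object {
        # Sum file sizes below each profile folder; files we cannot read are skipped.
        $bytes = (Get-ChildItem -Path $_.FullName -Recurse -Force -ErrorAction SilentlyContinue |
                  Where-Object { -not $_.PSIsContainer } |
                  Measure-Object -Property Length -Sum).Sum
        $sizeMB = [math]::Round(($bytes / 1MB), 1)
        New-Object PSObject -Property @{
            User    = $_.Name -replace '\.V2$', ''
            Version = if ($_.Name -match '\.V2$') { 'V2 (W2K8)' } else { 'V1 (WinXP)' }
            SizeMB  = $sizeMB
            Slow    = ($sizeMB -gt $ThresholdMB)
        }
    } | Sort-Object SizeMB -Descending
}

Get-ProfileReport -Share $ProfileShare -ThresholdMB $WarnMB |
    Format-Table User, Version, SizeMB, Slow -AutoSize
```

Run it with an account that can read every profile folder (otherwise the sizes are undercounted). The folders that dominate the totals, typically Desktop and Documents, are exactly the ones folder redirection takes out of the profile copy.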

Wednesday, February 24, 2010

Migrating KMS Host for Windows Activation

There are two types of activation for Microsoft OSes: MAK (Multiple Activation Key) and KMS (Key Management Service). MAK is mainly used when there are fewer than 5 servers. If you use KMS, the first four hosts won't be activated until the fifth one is activated. Earlier, we made the mistake of keying the KMS host key into some of our servers instead of the KMS client keys. As a result, multiple _VLMCS._tcp SRV records appeared on the DNS servers. Furthermore, the current KMS server is not supposed to have Internet access. Hence, we decided to migrate the KMS to another VM.

Note: If you just need to install a new KMS server, jump straight to step 5.

Steps to migrate the KMS:

1. Uninstall the KMS host key first by running the following command:

slmgr -upk

2. Then, install the default KMS client setup key by running the following command:

slmgr /ipk [KMS Client Setup Key]

The default KMS client setup key for W2K8 R2 Enterprise is 489J6-VHDMP-X63PK-3K798-CPX3Y. As for the rest, the default KMS client keys can be found here (the list is also repeated at the end of this post).

3. Delete the old SRV record from the DNS:

Open the DNS console and expand the _tcp node under domain.com. There will be a _VLMCS record; delete it.

4. The old KMS host is now uninstalled.

5. To install KMS on a new server, enter the KMS host key:

cscript C:\windows\system32\slmgr.vbs /ipk [KMS Host Key]

then to activate the KMS host, enter:

cscript C:\windows\system32\slmgr.vbs /ato

6. After activation is complete, restart the Software Licensing Service by running "net stop sppsvc && net start sppsvc".

7. Verify that the record is created for the new server in the DNS.

To verify that the KMS host is configured correctly, you can check the KMS count to see if it is increasing. Run slmgr.vbs /dli on the KMS host to obtain the current KMS count. You can also check the Key Management Service log in the Applications and Services Logs folder for 12290 events, which record activation requests from KMS clients. Each event shows the name of the client computer and the timestamp of an individual activation request.
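The three checks above (SRV records, KMS count, 12290 events) can be run together from the new host, which also catches the situation that started this migration: a leftover _VLMCS._tcp record from the old host, or from a server that was given the host key by mistake. The script below is an added example and is not part of the original post; the domain and the new host name are placeholders, and it relies only on nslookup, slmgr.vbs and the "Key Management Service" event log.

```powershell
# Added example (not from the original post): verify a KMS host migration
# from the new host. Lists every _VLMCS._tcp SRV record (stale ones show up
# here), reads the current KMS count from slmgr.vbs /dli, and summarises the
# most recent 12290 activation-request events.
# Assumptions: domain.com and kms02.domain.com are placeholders; nslookup,
# slmgr.vbs and the "Key Management Service" log are the stock ones on W2K8 R2.
param(
    [string]$Domain       = 'domain.com',         # placeholder
    [string]$ExpectedHost = 'kms02.domain.com'    # placeholder: the new KMS host
)

function Get-KmsSrvHosts {
    param([string]$Domain)
    # Parse the "svr hostname = ..." lines of nslookup's SRV output.
    nslookup -type=SRV "_vlmcs._tcp.$Domain" 2>$null |
        ForEach-Object { if ($_ -match 'svr hostname\s*=\s*(\S+)') { $matches[1].TrimEnd('.') } }
}

function Get-KmsCount {
    # /dli prints a "Current count: N" line on a KMS host.
    $out = cscript //nologo "$env:windir\system32\slmgr.vbs" /dli
    if (($out -join "`n") -match 'Current count:\s*(\d+)') { [int]$matches[1] } else { $null }
}

function Get-KmsRequests {
    param([int]$Max = 50)
    # Event 12290 = an activation request from a KMS client (client name is in the message).
    Get-WinEvent -FilterHashtable @{ LogName = 'Key Management Service'; Id = 12290 } `
                 -MaxEvents $Max -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

$srv = @(Get-KmsSrvHosts -Domain $Domain)
"SRV records for _vlmcs._tcp.$Domain :"
$srv | ForEach-Object { "  $_" }
$stale = $srv | Where-Object { $_ -ne $ExpectedHost }
if ($stale) { "WARNING: stale KMS SRV records still present: $($stale -join ', ')" }
if ($srv -notcontains $ExpectedHost) { "WARNING: no SRV record for $ExpectedHost yet" }

"Current KMS count: $(Get-KmsCount)"
Get-KmsRequests | Format-Table -AutoSize -Wrap
```

If a stale record keeps coming back after you delete it in the DNS console, a machine somewhere still holds the host key and is re-publishing the record; step 1 (slmgr -upk on that machine) is the fix, not deleting the record again.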
--------

Windows 7 and Server 2008 KMS Client Keys
Windows 7 Professional - FJ82H-XT6CR-J8D7P-XQJJ2-GPDD4
Windows 7 Professional N - MRPKT-YTG23-K7D7T-X2JMM-QY7MG
Windows 7 Enterprise - 33PXH-7Y6KF-2VJC9-XBBR8-HVTHH
Windows 7 Enterprise N - YDRBP-3D83W-TY26F-D46B2-XCKRJ
Windows 7 Enterprise E - C29WB-22CC8-VJ326-GHFJW-H9DH4

Windows Server 2008 R2 HPC Edition - FKJQ8-TMCVP-FRMR7-4WR42-3JCD7
Windows Server 2008 R2 Datacenter - 74YFP-3QFB3-KQT8W-PMXWJ-7M648
Windows Server 2008 R2 Enterprise - 489J6-VHDMP-X63PK-3K798-CPX3Y
Windows Server 2008 R2 for Itanium-Based Systems - GT63C-RJFQ3-4GMB6-BRFB9-CB83V
Windows Server 2008 R2 Standard - YC6KT-GKW9T-YTKYR-T4X34-R7VHC
Windows Web Server 2008 R2 - 6TPJF-RBVHG-WBW2R-86QPH-6RTM4

Monday, February 22, 2010

Quick Tutorial on DiskPart

A quick tutorial on using DiskPart (the menu-driven utility to manage and create disks, partitions and volumes), if you happen to work on Server Core or Hyper-V Server 2008.

How Time Synchronization Works in Active Directory

By default, all computers in the domain sync their clocks with their authenticating domain controllers. All domain controllers, in turn, sync with the PDC operations master (see diagram for an overview). Hence, it is important to sync your PDC with a reliable time source.

To find out which DC is the PDC, run this command: "netdom query fsmo".

To configure the PDC to sync with an external NTP server, log on as a domain administrator, enable UDP port 123 for both inbound and outbound traffic on the host firewall, and execute the following commands:

w32tm /config /manualpeerlist:sg.pool.ntp.org /reliable:yes /update /syncfromflags:manual
net stop w32time && net start w32time

Here /manualpeerlist specifies the list of DNS names and/or IP addresses of the NTP time sources that the PDC emulator synchronizes from. For example, you can specify time.windows.com. When specifying multiple peers, use a space as the delimiter and enclose them in quotation marks, e.g. /manualpeerlist:"ntp1.time1.com,0x8 ntp2.time2.com,0x8". Use the 0x8 flag to force W32time to send normal client requests instead of symmetric active mode packets; the NTP server replies to these normal client requests as usual.

To verify, run "w32tm /query /peers" and read the event viewer under System. Or better, create a custom event view from the log source "time service" for longer-term viewing.
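Once the PDC is configured, the thing worth checking periodically is that the whole hierarchy still looks the way the paragraph above describes: the PDC following an external peer, and every other DC following the PDC. The script below is an added example, not part of the original post. It finds the PDC emulator through .NET's ActiveDirectory classes, asks each DC for its current source with "w32tm /query /source", measures this machine's offset from each DC with "w32tm /stripchart", and flags a PDC that is on its own clock, on the hypervisor's time provider, or following another DC, or a DC that is not following the PDC.

```powershell
# Added example (not from the original post): check the shape of the domain
# time hierarchy. PDC should follow an external NTP peer; every other DC
# should follow the PDC.
# Assumptions: run as a domain user on a domain-joined W2K8-or-later machine;
# w32tm /query and /stripchart are the stock options; peer-name matching is
# done on the DC's short host name.
function Get-DomainTimeState {
    $domain  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $pdc     = $domain.PdcRoleOwner.Name                      # FQDN of the PDC emulator
    $dcShort = @($domain.DomainControllers | ForEach-Object { $_.Name.Split('.')[0] })
    foreach ($dc in $domain.DomainControllers) {
        $name = $dc.Name
        # "w32tm /query /source" prints the peer the time service is currently using,
        # e.g. "sg.pool.ntp.org,0x8", "Local CMOS Clock" or "VM IC Time Synchronization Provider".
        $source = w32tm /query /computer:$name /source 2>$null | Select-Object -First 1
        # Offset of this machine's clock from that DC, parsed from the dataonly
        # stripchart line "hh:mm:ss, +00.0123456s".
        $chart  = w32tm /stripchart /computer:$name /samples:1 /dataonly 2>$null
        $offset = $null
        if (($chart -join "`n") -match ',\s*([+-]\d+\.\d+)s') { $offset = [double]$matches[1] }
        $isPdc = ($name -ieq $pdc)
        if (-not $source) {
            $source = '(no answer)'; $ok = $false
        } elseif ($isPdc) {
            # The PDC must not run on its own clock, on the hypervisor, or behind another DC.
            $followsDc = $dcShort | Where-Object { $source -match [regex]::Escape($_) }
            $ok = ($source -notmatch 'Local CMOS Clock|Free-running|VM IC Time Synchronization') -and (-not $followsDc)
        } else {
            # Every other DC should name the PDC as its source (domain hierarchy).
            $ok = ($source -match [regex]::Escape($pdc.Split('.')[0]))
        }
        New-Object PSObject -Property @{
            DC = $name; Role = $(if ($isPdc) { 'PDC' } else { 'DC' })
            Source = $source; OffsetFromHereSec = $offset; LooksRight = $ok
        }
    }
}

Get-DomainTimeState | Format-Table DC, Role, Source, OffsetFromHereSec, LooksRight -AutoSize
```

A DC whose source reads "VM IC Time Synchronization Provider" is taking time from Hyper-V rather than from the hierarchy, which is the usual surprise on virtualised domain controllers; the offsets let you see at a glance whether any DC has drifted from the others.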

Tuesday, February 2, 2010

How to setup iSCSI Initiator on Server Core R2 and Hyper-V server

In my earlier post, I mentioned using OpenFiler as a free iSCSI target server and even built a pair of failover-cluster VM servers on Hyper-V. Setting up the iSCSI initiator in a full graphical W2K8 installation is pretty straightforward. What about Server Core R2 and Hyper-V Server, which provide a minimal GUI and are mostly CLI?

After digging through MS TechNet, I've figured it out and tested it on my test Hyper-V server.

Step 1: Create a RAID volume, configure the iSCSI target, and map a LUN on it

Step 2: MS added a nice GUI for the iSCSI initiator. Otherwise, you have to make do with the "iscsicli" command-line tool, which is difficult to manage. At the Server Core command prompt, just type "iscsicpl.exe".

Step 3: On the "Discovery" tab, enter the iSCSI target IP address or DNS name. Make sure you add it as a favorite target, so that it reconnects every time the server restarts. On the "Targets" tab, click "Connect".

Step 4: Type "diskpart.exe" at the command prompt. Run "list disk" to ensure that the new disk has been added. Then run "select disk", "create partition", "assign letter" and finally "format quick". All these commands are equivalent to what you normally do in the graphical "Disk Management" console.

Step 5: Check the newly created disk; it is ready to go.
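Steps 4 and 5, and the DiskPart tutorial above, are easier to repeat safely on Server Core by feeding DiskPart a script file instead of typing at its prompt, and the one thing to get right is selecting the correct disk. The script below is an added example and is not part of the original post: it prints the persistent (favorite) iSCSI targets with "iscsicli ListPersistentTargets", parses "list disk" to find disks that have no partitions yet, refuses to format a disk that already has any, and then runs the select/create/assign/format quick sequence through "diskpart /s". Disk number, drive letter and label are parameters I chose for the example.

```powershell
# Added example (not from the original post): bring a newly presented iSCSI
# LUN online from Server Core / Hyper-V Server without the GUI.
# Assumptions: iscsicli.exe and diskpart.exe as shipped with W2K8 R2; must be
# run from an elevated prompt; -WhatIf only shows the DiskPart script.
param(
    [int]$DiskNumber,                 # disk number from "list disk"
    [string]$DriveLetter = 'S',
    [string]$Label = 'iSCSI1',
    [switch]$ListOnly,
    [switch]$WhatIf
)

function Invoke-DiskPart {
    param([string]$Script)
    # DiskPart reads its commands from a file via /s; the file is kept for auditing.
    $file = Join-Path $env:TEMP ("diskpart-{0}.txt" -f (Get-Date -Format yyyyMMdd-HHmmss))
    Set-Content -Path $file -Value $Script -Encoding ASCII
    diskpart.exe /s $file
}

function Get-DiskTable {
    # Parse the "Disk N   Online   10 GB   10 GB" lines of "list disk".
    # A disk whose Free column equals its Size column has no partitions yet.
    Invoke-DiskPart "list disk" | ForEach-Object {
        if ($_ -match '^\s*Disk\s+(\d+)\s+(\w+)\s+(\d+\s*[KMGT]?B)\s+(\d+\s*[KMGT]?B)') {
            New-Object PSObject -Property @{
                Disk = [int]$matches[1]; Status = $matches[2]
                Size = $matches[3];      Free   = $matches[4]
                Unpartitioned = ($matches[3] -eq $matches[4])
            }
        }
    }
}

"Persistent (favorite) iSCSI targets that reconnect at boot:"
iscsicli ListPersistentTargets

$disks = @(Get-DiskTable)
$disks | Format-Table Disk, Status, Size, Free, Unpartitioned -AutoSize
if ($ListOnly) { return }

$target = $disks | Where-Object { $_.Disk -eq $DiskNumber }
if (-not $target) { throw "Disk $DiskNumber not found in 'list disk' output" }
if (-not $target.Unpartitioned) { throw "Disk $DiskNumber already has partitions; refusing to format it" }

# Same sequence as step 4, with the disk brought online and made writable first.
$script = @"
select disk $DiskNumber
online disk noerr
attributes disk clear readonly noerr
create partition primary
assign letter=$DriveLetter
format fs=ntfs label="$Label" quick
"@

if ($WhatIf) { "Would run:`n$script"; return }
Invoke-DiskPart $script
Get-PSDrive -Name $DriveLetter -PSProvider FileSystem    # step 5: the new volume
```

Run it once with -ListOnly to read the disk numbers, then with -DiskNumber and -WhatIf to see the exact DiskPart script before anything is written; the refusal to touch a partitioned disk is what stops a wrong disk number from wiping a cluster volume.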