Changing the recovery mode doesn’t shrink an SQL Database log file, how to shrink logs manually.

So I found out recently that one of our servers was running out of space.  It’s our AV server so I was like what the hell, why is it running out.  Turns out it had an instance of SQL Server on there as a quarantine and configuration database.  The Virtual Machine was being backed up but not the database itself, therefore no log backups and no log truncates after that.

To check exactly how much space the logs are taking up you can run the following SQL cmd:

SELECT * FROM <database>.sys.sysfiles

Or you could just as easily right-click the database and check file sizes from there.

To fix this I simply changed the recovery mode from FULL to Simple for the databases, but without a backup of the databases themselves the logs wouldn’t truncate.  Doing a backup from the right-click menu won’t truncate them either.  Since I wasn’t really worried about backing up the database itself I could just force SQL Server to truncate the logs.  I ran the following command to shrink the log file:

DBCC SHRINKFILE('<database_log>')

With <database_log> being the name of the database log file you want to shrink.  That solves that problem.
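The same check-then-shrink sequence as one script, as an added example that is not from the original post. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd) and sysadmin rights; the instance name, database name and target size are placeholders.

```powershell
# Added example. $Instance, $Database and $TargetMB are placeholders, not values from the post.
Import-Module SqlServer

$Instance = 'localhost'
$Database = 'QuarantineDB'
$TargetMB = 256    # size to shrink each log file to, in MB

# 1. Recovery model in effect and the reason the log cannot currently be reused.
Invoke-Sqlcmd -ServerInstance $Instance -Query @"
SELECT name, recovery_model_desc, log_reuse_wait_desc
FROM sys.databases WHERE name = N'$Database';
"@

# 2. Logical name and current size of each log file (size is stored in 8 KB pages).
$logFiles = Invoke-Sqlcmd -ServerInstance $Instance -Database $Database -Query @"
SELECT name, size * 8 / 1024 AS size_mb
FROM sys.database_files WHERE type_desc = 'LOG';
"@
$logFiles | Format-Table name, size_mb

# 3. Switch to SIMPLE. This ends the log backup chain, so point-in-time restore
#    is no longer possible; only do it when that is acceptable for this database.
Invoke-Sqlcmd -ServerInstance $Instance -Query "ALTER DATABASE [$Database] SET RECOVERY SIMPLE;"

# 4. Checkpoint so the inactive part of the log is marked reusable, then shrink
#    the physical file. DBCC SHRINKFILE takes the logical file name from step 2.
foreach ($f in $logFiles) {
    Invoke-Sqlcmd -ServerInstance $Instance -Database $Database -Query @"
CHECKPOINT;
DBCC SHRINKFILE (N'$($f.name)', $TargetMB);
"@
}

# 5. Confirm the new size.
Invoke-Sqlcmd -ServerInstance $Instance -Database $Database -Query @"
SELECT name, size * 8 / 1024 AS size_mb
FROM sys.database_files WHERE type_desc = 'LOG';
"@
```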

Fixing KDC Authentication Problems when upgrading your domain and forest functional level from 2003 to 2008 R2

We recently upgraded our Domain and Forest Functional Level from 2003 to 2008 R2. After a day or so I started having problems connecting to a number of 2008 R2 Hyper-V Virtual Machines. When attempting to connect I would receive the following error:
An Authentication Error Has Occurred. The Encryption Type Requested Is not supported by the KDC
At around the same time we also had one of our Exchange 2010 Transport Servers stop servicing clients. When I attempted to open the Exchange Management Console on the local server, it ended with an HTTP server error status 500 and “Kerberos” authentication failed. So I decided to take a look through the Event Viewer to see what was up.

As part of Exchange there is an Active Directory Topology Service which will scan your environment for Active Directory Servers every 15 minutes or so, all of the exchange services rely on this service (if you ever have to restart all exchange services, simply restart the AD Topology Service). In the application event log I noticed the following error message:
Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=xxxx). Topology discovery failed, error 0x80040952 (LDAP_LOCAL_ERROR (Client-side internal error or bad LDAP message))….
There were also issues with the Exchange STORE service with the following two events:
Process STORE.EXE (PID=xxxx). All Global Catalog Servers in forest DC=xxx,DC=xx,DC=xx are not responding.
Process STORE.EXE (PID=xxxx). All Domain Controller Servers in use are not responding

The rather simple resolution to all this trouble is to restart the Kerberos Key Distribution Center (KDC) service on all domain controllers. While simply restarting the service will solve the problem, you’re probably better off doing a proper restart after upgrading your functional levels. This only applies when going from 2003 to 2008 / 2008 R2.

FortiAnalyzer shows xx of xx database tables need to be upgraded

So I was recently presented with a message after a firmware upgrade that a number of database tables needed to be upgraded.  I searched the Fortinet knowledge base but found nothing. After a discussion with a Support Rep from Fortinet we quickly found the solution and being that it is a very common issue I thought I would post the steps on here for the general public.

Log onto your Analyzer and follow the below instructions.

– Go to System -> Config -> SQL Database and set the location to “Disabled”
– On the CLI run “execute sql-local remove-db” and confirm
– On the CLI run “execute reset sqllog transfer”
– Reactivate the SQL Database

Depending on how large your logs are, the remove-db command may take several minutes.

Update WSUS 3.0 SP2 to support Windows 8 and Windows Server 2012 Clients

Just a quick one today.  Microsoft have released an update for those running WSUS 3.0 SP2 which allows you  to provide updates to clients running Windows 8 and Server 2012.  The update is available at this Knowledge Base Article for both 32 and 64 bit environments.

Also, no word yet on when they will be releasing a patch for the IE flaw (see here and here), but should be available over the next few days.

Admin SVC Error when trying to install SharePoint solutions (WSP) and how to fix it

Short and sweet post about deploying SharePoint solutions.  You usually do this by invoking Install-SPSolution under the SharePoint PowerShell, but sometimes you’ll get the following error:

Install-SPSolution: Admin SVC must be running in order to create deployment timer job

All you need to do is to go to the Services section in Control Panel\System and Security\Administrative Tools and look for the service called SharePoint 2010 Administration and start it. You might also find that the service is on manual start-up, you can optionally change it to automatic to make sure that the service is always available and ready. Simple isn’t it!

What is new with Hyper-V in Windows Server 2012

I’ve been reading a lot lately about what people have been saying about Microsoft’s latest go at a hypervisor and many say that now with Hyper-V 2012, Microsoft is catching up to VMware in the enterprise virtualization arena (one example from ZDnet).  So what is all the fuss about…really.  I’ll identify some of the key points of what Hyper-V 2012 is bringing to the virtualization world. To summarise:

  • 32 Virtual CPUs and 512GB to a Virtual Machine
  • VHDX File Format for Virtual Hard Disks (16TB of Storage)
  • Native NIC teaming
  • 64 Node Clustering
  • Cluster-Aware updating
  • Hyper-V Replica (Replication of Virtual Machines)

Two of my favourite additions though are the Cluster-Aware Updating and Hyper-V Replica features.

Cluster-Aware Updating helps to manage downtime by maintaining availability during Windows Update time. You schedule when you want the updates to occur and let the cluster take care of the rest: it automatically moves Virtual Machines off the node, maintains services and availability, and then moves them back once the server has restarted and the updates are completed. Hyper-V Replica performs asynchronous replication of VMs to a replica site (either standalone or cluster).

The last point has been my biggest gripe with using Hyper-V: how do we achieve DR at a relatively low cost?  We already have all the hardware but the licensing and software costs to perform replication were astronomical.  Now our DR solution is quite straightforward and cost-effective thanks to Server 2012.

This post is by no means exhaustive, but simply the features that stand out to me, and the reasons as to why we are planning to move to Windows Server 2012 and Hyper-V 2012.

Upgrading your current KMS Server (Server 2008 R2) to support Windows 8 and Server 2012 activation

If you’re in an enterprise environment, chances are that you have a KMS server running (usually either Windows 7 or Server 2008 R2).  So now that Windows 8 and Server 2012 have hit VLSC for SA customers you’ll most likely want to begin testing and performing pilot deployments, but we need to get our Key Management Server to accept these new clients.  If you have tried to activate your KMS keys with existing KMS hosts you will receive the following error message:

Error: 0xC004F050 The Software Licensing Service reported that the product key is invalid.

Thankfully for us, Microsoft has released an update that will upgrade Windows 7 or Server 2008 R2 KMS Hosts to support Windows 8 and Windows Server 2012, you can view the KB article by clicking here (KB2691586).  You will need to request the hotfix from the KB.  Once downloaded, open up an elevated command prompt and execute the update (which acts as a windows update package).  When it finishes installing you will need to restart your server.

Now that our server is back up, we need to replace the KMS Host key with one for 2012 or Windows 8.  Open an elevated command prompt and enter slmgr.vbs /upk which will show us Uninstalled product key successfully when complete.  Now we install our new key with slmgr.vbs /ipk product-key-here

You should now be presented with a product activated successfully window.  You can also run slmgr.vbs /dlv and under description you should see VOLUME_KMS_2012.  Now you can start to activate your new Windows 8 and Server 2012 clients.

Allowing anonymous relay on Exchange 2007/2010 on connectors for programs to send via SMTP using your Mail servers and how to secure it for internal use only.

I was recently helping out a colleague at another school as they were having difficulty in a specialised application sending e-mails to external addresses.  After a bit of investigating we found that the send connector configured for internet e-mail wasn’t allowing anonymous connections to it (which is dangerous) but since this particular application didn’t allow us to specify authentication details we were forced to enable anonymous relay for this connector.

I will first show you the PowerShell command that we used to grant the anonymous permissions for the connector that you specify:

Get-ReceiveConnector "Default SBSSERVER" |
    Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

Now the above is really one command getting piped into another, so first of all we are specifying a particular receive connector, in this case Default SBSSERVER (change this to reflect the connector you want to modify).  We are then giving a right to anonymous logons (anyone who connects without authenticating) that tells Exchange to accept any recipient from them.

Now as for securing this connector, I would strongly suggest creating a separate one for this particular application (for example Sales App Connector).  We then add incoming IP restrictions by editing the properties of the receive connector and adding entries to “Receive mail from remote servers that have these IP addresses”, using either specific IP addresses or IP ranges in CIDR notation (for example 10.1.0.0/16).

And there you have it, allowing anonymous connections / relay for internal applications to use.
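The dedicated, IP-restricted relay connector described above, followed by an audit of which connectors relay for anonymous senders, as an added example that is not from the original post. It is meant for the Exchange Management Shell; the server name, bind address and application IP are placeholders.

```powershell
# Added example. $Server and $AppHosts are placeholders; the connector name is the
# post's own "Sales App Connector" example.
$Server   = 'EXCH01'
$Name     = 'Sales App Connector'
$AppHosts = '10.1.20.15'    # the application server only, rather than a whole subnet

# Dedicated connector: only sessions from the listed source IPs are matched to it.
New-ReceiveConnector -Name $Name -Server $Server -Usage Custom `
    -Bindings '0.0.0.0:25' -RemoteIPRanges $AppHosts

# Allow unauthenticated sessions on this connector only.
Set-ReceiveConnector "$Server\$Name" -PermissionGroups AnonymousUsers

# Grant relay (accept any recipient) to anonymous sessions on this connector only.
Get-ReceiveConnector "$Server\$Name" |
    Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' `
        -ExtendedRights 'Ms-Exch-SMTP-Accept-Any-Recipient'

# Audit: list every receive connector that relays for anonymous senders together
# with the source ranges it accepts. A relay connector that still has the default
# 0.0.0.0-255.255.255.255 range is an open relay for anything that can reach it.
Get-ReceiveConnector | ForEach-Object {
    $c = $_
    $relay = Get-ADPermission $c.Identity | Where-Object {
        $_.User -like '*ANONYMOUS LOGON' -and
        $_.ExtendedRights -like '*Accept-Any-Recipient*' -and
        -not $_.Deny
    }
    if ($relay) {
        [pscustomobject]@{
            Connector      = $c.Identity
            RemoteIPRanges = ($c.RemoteIPRanges -join ', ')
            OpenToAll      = [bool]($c.RemoteIPRanges -match '^0\.0\.0\.0-255\.255\.255\.255$')
        }
    }
}
```

Running the audit part on its own after any connector change shows whether the relay right ended up on a connector with unrestricted source ranges, such as the default one.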

Getting a list of users in Active Directory as well as their Logon Script using dsquery and dsget

So I’m preparing to do a clean-up of our NETLOGON/SYSVOL folder containing about 50 or so different logon scripts (plenty of which I know are no longer used).  I wanted to create a list of all of our Active Directory users along with what logon script they were assigned (I could then feed this list into Excel and play around).  I realised that I could get this information using dsquery, but how exactly do I build a query to get a logon script?  The following command is what I used, I will then break it down for a better understanding.

dsquery user -name * | dsget user -display -loscr > C:\users_script.txt

So we’ve got our dsquery, which is looking for AD objects of type user with a name of anything, so it matches ALL user objects in Active Directory (note that dsquery returns only the first 100 results by default; add -limit 0 to return every match).  We then pass this list to dsget, which uses it to obtain each object’s display name (with -display) and logon script (-loscr).  I am then simply piping the output to a text file.

So that is a quick and easy way of getting a list of all users in AD along with their logon script.
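For the clean-up itself, the same list can be compared against the files actually present in NETLOGON. The following is an added example, not from the original post; it assumes the ActiveDirectory module (RSAT) and PowerShell 3.0 or later, and the CSV path is a placeholder.

```powershell
# Added example. The output path is a placeholder.
Import-Module ActiveDirectory

$domain   = (Get-ADDomain).DNSRoot
$netlogon = "\\$domain\NETLOGON"

# Every user with display name and logon script (the scriptPath attribute).
$users = Get-ADUser -Filter * -Properties DisplayName, scriptPath |
    Select-Object SamAccountName, DisplayName, Enabled, scriptPath
$users | Export-Csv C:\users_script.csv -NoTypeInformation

# Scripts assigned to at least one enabled account, grouped with a user count.
# scriptPath values are relative to the NETLOGON share.
$inUse = $users | Where-Object { $_.Enabled -and $_.scriptPath } |
    Group-Object { $_.scriptPath.ToLower() }

# Files present in NETLOGON, as lower-cased paths relative to the share.
$onDisk = Get-ChildItem $netlogon -Recurse -File | ForEach-Object {
    $_.FullName.Substring($netlogon.Length + 1).ToLower()
}

'Present in NETLOGON but assigned to no enabled user:'
$onDisk | Where-Object { $inUse.Name -notcontains $_ }

'Assigned to users but missing from NETLOGON:'
$inUse | Where-Object { $onDisk -notcontains $_.Name } | Select-Object Name, Count
```

A file in the first list is only a candidate for removal: scripts assigned through Group Policy do not appear in scriptPath, and a script can be called from another script.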

Short blog hiatus…

So you may see that I haven’t been blogging lately. The reason being that I have a new job (focusing on Systems Engineering/Admin, Network Admin as well as IT Super Hero), so I’ve been mainly focusing on that and getting up to speed.  Now that I’ve settled in I will be back at it writing up on my adventures in the world of IT.  Expect more soon.