
Showing posts from February, 2011

Course/exam/certification links & books & skill goals, oh my

The following are training options that I'd like to pursue. Just noting links for future reference.

VMware courses/certifications
VTSP4 (completed, Q1, 2011)
VSP4 (when time allows, 2011)
VCP4 (booking shortly...May, 2011)
VCAP4-DCAdministration (Q3, 2011?)
VCAP4-DCDesign (Q1, 2012?)
vSphere Troubleshooting (VMware link) (confirmed, April 18-21, 2011)
vSphere Manage for Performance (VMware link) (as funds allow)
vSphere Manage and Design for Security (VMware link) (as funds allow)
vSphere Design Workshop (VMware link) (as funds allow)
VCDX4 (by the time I'm ready for this, it'll be VCDX5 or 6)

Microsoft exams/certifications
MCM: Windows Server 2008 R2: Directory (by the time I do this, it'll be Server 2050 R3 or something)
70-297 - Designing a W2k3 Active Directory and Network Infrastructure (definite, Q4, 2011)
MCITP: Server 2008R2 Virtualization Administrator
The VirtAdmin cert consists of:
70-699 - TS: Windows Server 2008 R2, Desktop Virtualization
70-693 - PRO: Windows Server 2008 …

New lab setup

My employer has kindly allowed me to take some APC UPSes off their hands, along with a two-post rack with a 1U PDU and some shelves, and a zero-U PDU (which is on loan). I can take two of either a 3U 3000VA or a 2U 3000VA. They just need fresh batteries. I wonder what they utilize for normal operation... The rack also has a shelf-type bottom, so I can mount heavy, long stuff from the bottom up.

We've decided to invest in a lab for certs and training. Immediately it will be my VCP lab, and afterwards for VCAP and other MS certifications (not to mention test environment/learning lab for new tech).

Key items:
Firewall (Astaro) with multiple NICs for DMZ, etc.
Switch upgrade (from 8 port to 24 port Gb)
Three ESX hosts (i5, 16GB)
The NICs and switches I'm sourcing from Ebay/local.

My employer has also graciously offered to donate a two post rack for the lab, just need to get it home and mounted to the floor. All will be mounted on said rack in the basement. Currently…

VMware backup for ESXi free

I've been doing some digging for a client. I've got him started on the ESXi free path for his small VoIP company, and he loves it. I had always figured that for backup we would just set him up with VCB (even though I've had awful past experience with it, it's a free option), or more to the point, GhettoVCB.

I checked out the FAQs for GhettoVCB more closely today, and it seems you must have the licensed version in order to access the APIs that VCB uses. Fair enough, an Essentials pack is cheap enough, and he and I have discussed it in the past. He is amenable to buying the base pack - he would never need more than two host machines anyways.

Another issue crops up: VCB is EOL as of 4.1. Going forward, it is all vStorage APIs for Data Protection (VADP). This is a nicer solution than VCB, but it seems that right now the only options in the VADP area are 3rd party paid software. For someone who wants to do everything cheap and open-source, this will not be a good opti…

Certification path update

I've asked my employer for support with the VCP4 training/exam, so we'll see how that turns out. Lord willing, I'll be passing this Q4 2011. One other item is the 70-297 exam (2003 AD design).

To get me to that point, I'm setting myself goals:
Read at least one VMware book per month. I have a lot of good VMware books - I need to read them! I am starting (rather, finishing) 'Mastering VMware vSphere 4', by Scott Lowe.
Get serious about my home lab. Sounds like a silly thing, but I've bounced around here and there about how I want to do things - all Workstation, dual hosts, etc. I think I'm going to bite the bullet and get two identical PCs (probably whiteboxen, as I've had before).
Set aside study time and ONLY study during those set hours. Outside of that time, no studying. I have a (tendency is too light a word) compulsion to do things in intense chunks, usually separated by long periods of time. I think 3-4 hours each weekend, and 2-3 hours …

Weird issue with Exchange Global groups

Update: Ok, the below post contains erroneous conclusions. Clients are NOT using child domain GCs. I am becoming more convinced this is local to the Exchange server, as the child domain users are seeing their GCs (and can cycle with 'reconnect') with no issues. I observed a user here having the issue, and I noted that their Outlook 2007 Con.Status was not showing any directory items. However, when it started working for them after a while (15-45 minutes...?) they still did not see any directory items. Going to start from scratch in a new post.

Lesson: The danger of assuming something is happening when you don't know conclusively is that you send your entire investigation off in the wrong direction.

Sort of resolved. So we fix the issue of parent domain users having groups not resolve. What about child domain users trying to resolve child domain groups? If I remove the child domain GCs from the list, does that prevent child domain group lookups? Will investigate.


SYSVOL replication issues

Recently had a DC (we'll call it DC1) acting very strangely.

There were some errors in the event logs:

EventID 1058, The system cannot find the path specified. (then lists a GPO GUID path in SYSVOL)

Rebooting would just give me the error again. Tried gpupdate and got this:

Updating Policy...

User policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows attempted to read the file \\domain.local\SysVol\domain.local\Policies\{9EA16EAF-3A76-4972-88CE-1BA2435CAE8E}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not r…
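The check I would run for an error like this is to compare the GPO objects AD knows about (the cn values under CN=Policies,CN=System,DC=...) against the folders each DC actually has under SYSVOL\Policies, so that the DC with the replication gap stands out. The following Python is an added example, not part of the original post: the first two GUIDs are the well-known Default Domain Policy and Default Domain Controllers Policy, the remaining GUIDs, the DC names and the error text are constructed for the demo, and the per-DC folder listings are embedded inline instead of being read from \\DC\SYSVOL.

```python
import re
from typing import Dict, Iterable, Optional, Set

# A braced GPO GUID as it appears in SYSVOL paths, Event 1058 text and gpupdate output.
GPO_GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def gpo_guid_from_error(message: str) -> Optional[str]:
    """Extract the GPO GUID (upper-cased) from an Event 1058 / gpupdate failure message."""
    match = GPO_GUID_RE.search(message)
    return match.group(0).upper() if match else None


def _norm(guids: Iterable[str]) -> Set[str]:
    # GUID folder names are case-insensitive on NTFS, so compare upper-cased.
    return {g.upper() for g in guids}


def missing_policies(ad_gpos: Iterable[str], sysvol_by_dc: Dict[str, Iterable[str]]) -> Dict[str, Set[str]]:
    """GPOs that exist in AD but have no folder under a DC's SYSVOL\\Policies.

    A non-empty set for a DC means that DC hands out a policy it cannot deliver,
    which is exactly what 'The system cannot find the path specified' reports.
    """
    wanted = _norm(ad_gpos)
    result: Dict[str, Set[str]] = {}
    for dc, folders in sysvol_by_dc.items():
        missing = wanted - _norm(folders)
        if missing:
            result[dc] = missing
    return result


def orphaned_folders(ad_gpos: Iterable[str], sysvol_by_dc: Dict[str, Iterable[str]]) -> Dict[str, Set[str]]:
    """Folders under SYSVOL\\Policies with no matching GPO object in AD (leftovers to clean up)."""
    wanted = _norm(ad_gpos)
    result: Dict[str, Set[str]] = {}
    for dc, folders in sysvol_by_dc.items():
        extra = _norm(folders) - wanted
        if extra:
            result[dc] = extra
    return result


# Constructed sample data (assumption: three GPOs in AD, two DCs; DC2 never received
# the third GPO folder and still carries a folder for a GPO that was deleted).
AD_GPOS = {
    "{31B2F340-016D-11D2-945F-00C04FB984F9}",   # Default Domain Policy (well-known GUID)
    "{6AC1786C-016F-11D2-945F-00C04FB984F9}",   # Default Domain Controllers Policy (well-known GUID)
    "{0A1B2C3D-4E5F-4A6B-8C7D-9E0F1A2B3C4D}",   # made up for the demo
}
SYSVOL_BY_DC = {
    "DC1": {
        "{31B2F340-016D-11D2-945F-00C04FB984F9}",
        "{6AC1786C-016F-11D2-945F-00C04FB984F9}",
        "{0A1B2C3D-4E5F-4A6B-8C7D-9E0F1A2B3C4D}",
    },
    "DC2": {
        "{31B2F340-016D-11D2-945F-00C04FB984F9}",
        "{6AC1786C-016F-11D2-945F-00C04FB984F9}",
        "{DEADBEEF-0000-4000-8000-000000000001}",   # orphan, made up for the demo
    },
}
SAMPLE_ERROR = (
    r"Windows attempted to read the file \\domain.local\SysVol\domain.local\Policies"
    r"\{0a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d}\gpt.ini from a domain controller and was not successful."
)

if __name__ == "__main__":
    print("GPO named in the error:", gpo_guid_from_error(SAMPLE_ERROR))
    for dc, guids in missing_policies(AD_GPOS, SYSVOL_BY_DC).items():
        print(f"{dc} is missing SYSVOL folders for: {sorted(guids)}")
    for dc, guids in orphaned_folders(AD_GPOS, SYSVOL_BY_DC).items():
        print(f"{dc} has orphaned SYSVOL folders: {sorted(guids)}")
```

In practice the AD side of the input comes from an LDAP query of the Policies container and the SYSVOL side from a directory listing of \\<DC>\SYSVOL\<domain>\Policies on every DC; the comparison is the part worth scripting, because FRS latency shows up as a gap on one DC only.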

Kerberos ticket etypes (eventID 27 on 2003 DCs)

Our 2003 DCs are seeing these errors (not the 2008 DCs):
KDC EventID 27
While processing a TGS request for the target server krbtgt/DOMAIN.LOCAL, the account username@DOMAIN.LOCAL did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18. The accounts available etypes were 23 -133 -128 3 1.

The reason behind this error is that the client asked the 2003 DC for a Kerberos ticket using an encryption type that Windows Server 2003 does not support. In the event above the requested etype is 18 (AES256-CTS-HMAC-SHA1-96), while the keys available for the account are 23 (RC4-HMAC), 3 and 1 (DES-CBC-MD5 and DES-CBC-CRC) plus two Microsoft-private legacy RC4 variants (the negative numbers), so there is no etype in common and the 2003 KDC cannot build the ticket. Once the client finds a 2008 DC, which supports AES, all is well.

The solution is to replace the 2003 DCs with 2008 DCs; it is really just a question of compatibility.

Extended explanation:
The client is asking for a Kerberos ticket with which it will authenticate against domain resources. These tickets are encrypted with a key of an etype both sides support. XP/2003 has a fixed list of supported encryption types (etypes): the DES types and RC4-HMAC. Vista/Win7/2008/R2 add the AES types (17 and 18). Since a 2003 KDC does not know about the new etypes, you'll see these errors when a Win7/20…
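To turn an Event 27 into a yes/no answer (is there any etype the requester and the account share, and is AES the only thing missing?), the numbers in the message have to be mapped to names and intersected. The Python below is an added example, not from the original post: the etype numbers and the msDS-SupportedEncryptionTypes bits are from the Kerberos registry and the Windows Server 2008 attribute definition, the first message is the event text quoted above, and the second "healthy" message is constructed for contrast.

```python
import re
from typing import Dict, List, Optional

# Kerberos etype numbers from the RFC 3961 registry plus the Microsoft RC4 types.
# Negative numbers are Microsoft-private legacy RC4 variants with no registry name.
ETYPE_NAMES: Dict[int, str] = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
    24: "rc4-hmac-exp",
}
AES_ETYPES = {17, 18}

# Bits of the msDS-SupportedEncryptionTypes attribute (Server 2008 and later),
# which is how an account advertises the etypes it holds keys for.
SUPPORTED_ETYPE_BITS = [
    (0x01, "DES_CBC_CRC"),
    (0x02, "DES_CBC_MD5"),
    (0x04, "RC4_HMAC_MD5"),
    (0x08, "AES128_CTS_HMAC_SHA1_96"),
    (0x10, "AES256_CTS_HMAC_SHA1_96"),
]

# Matches the two etype lists in the KDC Event 27 text.
EVENT27_RE = re.compile(
    r"The requested etypes were ([-\d\s]+?)\.\s*The accounts available etypes were ([-\d\s]+?)\."
)


def etype_name(n: int) -> str:
    if n in ETYPE_NAMES:
        return f"{n} ({ETYPE_NAMES[n]})"
    if n < 0:
        return f"{n} (Microsoft legacy RC4 variant)"
    return f"{n} (unknown)"


def parse_event27(message: str) -> Optional[Dict[str, List[int]]]:
    """Return the requested and available etype numbers, or None if it is not an Event 27."""
    m = EVENT27_RE.search(message)
    if not m:
        return None
    return {
        "requested": [int(x) for x in m.group(1).split()],
        "available": [int(x) for x in m.group(2).split()],
    }


def diagnose_event27(message: str) -> Optional[Dict[str, object]]:
    """Name the etypes, intersect them, and flag the 'client wants AES, KDC has none' case."""
    parsed = parse_event27(message)
    if parsed is None:
        return None
    requested, available = set(parsed["requested"]), set(parsed["available"])
    common = sorted(requested & available)
    return {
        "requested": [etype_name(n) for n in sorted(requested)],
        "available": [etype_name(n) for n in sorted(available)],
        "common": common,
        # True means only an AES-capable KDC (2008+) with AES keys on the account can serve this.
        "needs_aes_capable_kdc": bool(requested & AES_ETYPES) and not common,
    }


def decode_supported_etypes(mask: int) -> List[str]:
    """Decode an msDS-SupportedEncryptionTypes value into etype names."""
    return [name for bit, name in SUPPORTED_ETYPE_BITS if mask & bit]


# The event text from the post above.
PAGE_EVENT = (
    "While processing a TGS request for the target server krbtgt/DOMAIN.LOCAL, the account "
    "username@DOMAIN.LOCAL did not have a suitable key for generating a Kerberos ticket "
    "(the missing key has an ID of 8). The requested etypes were 18. "
    "The accounts available etypes were 23 -133 -128 3 1."
)
# Constructed counterpart: requester and account share RC4, so a ticket can be issued.
OK_EVENT = "The requested etypes were 18 17 23. The accounts available etypes were 23 3 1."

if __name__ == "__main__":
    for text in (PAGE_EVENT, OK_EVENT):
        print(diagnose_event27(text))
    print(decode_supported_etypes(0x1C))
```

For the event quoted in the post the intersection is empty and the AES flag is set, which matches the explanation above: nothing short of an AES-capable KDC will satisfy that request.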

WINS errors

I've spent a bit of time the last few days struggling with WINS.

My topology consists of three WINS servers, one for each location, with one functioning as a hub and the other two as spokes, as per TechNet's recommendation. The hub is configured with the two spoke servers as push/pull replication partners, and each spoke has the hub as its push/pull replication partner (again as per TechNet's recommendation).

So everything is set how Microsoft wants it to be. There are no firewall restrictions between the WINS hosts (which are also DCs). They are running Server 2008.

All my configuration seems correct, yet I get these errors in the System event log: EventID 4102 'connection aborted by remote WINS'. When you turn on advanced logging, you see more detailed errors: EventID 4149 'Winsock Send could not send all the bytes.'

Another server returned the following: EventID 4343 'WINS server noticed chance of duplicate name registration...' These are …

Fixing duplicate SPNs (service principal name)

This is a pretty handy thing to know:

SPNs are what a Kerberos client asks the KDC for when it wants a ticket to a specific service: the KDC looks up which AD account the SPN is registered on and encrypts the service ticket with that account's key. An SPN ties a service class, a host, an optional port (or instance name) and an optional service name together with this convention: class/host:port/name

If you use a computer object to auth (such as local service):

If you use a user object to auth (such as a service account, or admin account):

Why do we care about duplicate SPNs? The KDC uses the SPN to pick the one account whose key encrypts the service ticket. If the same SPN is registered on two accounts, the KDC cannot choose unambiguously, so ticket requests for that service fail (or clients fall back to NTLM), which shows up as authentication errors and service failures.

To check for duplicate SPNs, run "setspn.exe -X", which reports every SPN registered on more than one account:

C:\Windows\system32>setspn -X
Processing entry 7
MSSQLSvc/ is registered on these accounts:
CN=SQL Admin,OU=service accounts,OU=resources,DC=company,DC=local

found 1 groups of duplicate SPNs. (truncated/sanitized)

Note that y…
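The same duplicate check can be done offline against a dump of servicePrincipalName values, which is handy when you want to catch collisions before running setspn, or across a forest where setspn -X is slow. The Python below is an added example, not from the original post: the SPN grammar (class/host[:port][/name]) is the one described above, the account DNs and SPN lists are constructed to mirror what a servicePrincipalName query returns, and matching is case-insensitive because that is how the KDC and setspn -X treat SPNs.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set


class SPN(NamedTuple):
    service_class: str          # e.g. MSSQLSvc, HOST, HTTP, ldap
    host: str                   # short name or FQDN
    port: Optional[str]         # port number, or an instance name (SQL named instances)
    service_name: Optional[str]  # optional trailing name, e.g. the domain for ldap/dc/domain


# class/host[:port][/name]; the host part cannot contain ':' or '/'.
SPN_RE = re.compile(r"^(?P<cls>[^/]+)/(?P<host>[^:/]+)(?::(?P<port>[^/]+))?(?:/(?P<name>.+))?$")


def parse_spn(spn: str) -> SPN:
    """Split an SPN into its parts; raise on anything that is not class/host[:port][/name]."""
    m = SPN_RE.match(spn)
    if not m:
        raise ValueError(f"not a valid SPN: {spn!r}")
    return SPN(m.group("cls"), m.group("host"), m.group("port"), m.group("name"))


def find_duplicate_spns(spns_by_account: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return {lower-cased SPN: sorted account DNs} for every SPN held by more than one account.

    This is the check setspn -X performs: the KDC matches SPNs case-insensitively,
    so 'MSSQLSvc/sql01:1433' on one account and 'mssqlsvc/SQL01:1433' on another collide.
    """
    owners: Dict[str, Set[str]] = defaultdict(set)
    for account, spns in spns_by_account.items():
        for spn in spns:
            parse_spn(spn)               # reject malformed entries instead of silently skipping them
            owners[spn.lower()].add(account)
    return {spn: sorted(accs) for spn, accs in sorted(owners.items()) if len(accs) > 1}


# Constructed sample mirroring a servicePrincipalName dump (account DNs are made up).
SAMPLE_SPNS = {
    "CN=SQL Admin,OU=service accounts,OU=resources,DC=company,DC=local": [
        "MSSQLSvc/sql01.company.local:1433",
        "MSSQLSvc/sql01.company.local",
    ],
    "CN=SQL01,OU=Servers,DC=company,DC=local": [
        "HOST/SQL01",
        "HOST/sql01.company.local",
        "mssqlsvc/SQL01.company.local:1433",    # same SPN as the service account, different case
    ],
    "CN=svc-web,OU=service accounts,OU=resources,DC=company,DC=local": [
        "HTTP/intranet.company.local",
        "MSSQLSvc/sql01.company.local:INST2",   # named instance: the 'port' slot holds the instance name
    ],
}

if __name__ == "__main__":
    dups = find_duplicate_spns(SAMPLE_SPNS)
    print(f"found {len(dups)} groups of duplicate SPNs")
    for spn, accounts in dups.items():
        print(f"{spn} is registered on these accounts:")
        for dn in accounts:
            print(f"  {dn}")
```

On a live domain the input for this comes from something like Get-ADObject -LDAPFilter "(servicePrincipalName=*)" -Properties servicePrincipalName; the point of the offline version is that the grouping and the case-insensitive comparison are the whole check, and the parser tells you which part of a colliding SPN (host, port or instance) differs only in case.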