Sunday, April 27, 2008

Win2k3 convert to dynamic grayed out - GPT and me

I decided to add another drive to an external vault that's attached to my Backup Exec system. It's used as an intermediary for disk-to-disk-to-tape backups and was getting a bit full (1.9TB). So I added a disk to the array, let it rebuild and then went into Computer Management. Then I found that all options for adding or changing the drive were grayed out, including "convert to dynamic", "convert to GPT", etc. This was puzzling, but after some research I found out that I had hit the 2TB barrier caused by the old Master Boot Record (MBR) partitioning scheme. The solution Microsoft proposes is to go to the GPT partitioning scheme (GUID Partition Table), which scales up to 2^64 logical blocks in length.
http://www.microsoft.com/whdc/device/storage/GPT_FAQ.mspx

Of course the hitch is that you have to wipe out everything on the drive before you can convert to GPT. Even if you try to do it from diskpart you'll get "The disk you specified is not empty. Please select an empty MBR disk to convert." So after whacking everything on the disk, it let me upgrade the partition scheme to GPT and I was then able to utilize all the space on the disk.



I have no idea how the performance is affected when you go from MBR to GPT as I haven't been able to find any reviews online. So far I haven't noticed any decrease in performance so that's good. Oh, and in case you're wondering, Symantec Ghost Solutions 2.0 and higher support ghosting GPT partitions.
http://www.symantec.com/business/products/newfeatures.jsp?pcid=2247&pvid=865_1

Thursday, April 24, 2008

Workaround for the BCM 3.6 and Vista/IE/Java

Previously I discussed how to get around this problem with the 3.7 version of the BCM software. But it's been brought to my attention that it doesn't work with the 3.6 version. So, after several permutations of playing around with Mozilla and IE I went with an entirely different option - Opera. http://www.opera.com

Step 1: Download it
Step 2: Install it
Step 3: Browse to your BCM and choose Install for the certificate



Step 4: Log in as normal, go to the Telephone Services Tree and Voila



Tested on Vista 32 bit with Opera 9.27

Monday, April 21, 2008

Upgrading a 2k3 domain to 2k8.

Decided to upgrade the old 2k3 AD domain this week to 2008 AD. First stop was the Microsoft Technet page - strongly recommend you read it first.
http://technet2.microsoft.com/windowsserver2008/en/library/9c91be5f-df14-40b2-b176-2b1852a51e611033.mspx?mfr=true

I opted to install a new domain controller to start with just to ease into the process. Prior to that, I ran the ADPREP /forestprep, adprep /domainprep /gpprep, and just for kicks adprep /rodcprep and let the changes propagate for a couple of hours just to be on the safe side.

I decided to go with a VM for the domain controller this time. It seemed like a good way to future proof it as far as hardware and since it's a small site I'm not really worried about performance issues. Windows 2008 Enterprise installed right on, vmware tools followed easily enough. Then I added the AD DS role through the new snazzy Server Manager. Last step - DCPROMO, which now defaults to dummy mode but there's still an option for 'Advanced' for real admins.

Once completed, I ran all the usual netdiag, dcdiag, etc and all was well and left it to stew overnight to see if any cool errors would manifest. The first thing to get used to is the new server manager likes to make you aware of *ALL* warnings and errors no matter how trivial they may be. One valid one was from IIS and complained about WAS and the IIS_IUSRS group. A long search pulled up a nifty script from Microsoft that fixed it.
http://support.microsoft.com/kb/946139

So with renewed confidence that all was well, I went ahead and upgraded the rest of the domain controllers with few problems. Prior to upgrading the existing domain controllers, I had to uninstall things like PowerShell, antivirus, Backup Exec, etc. Removing PowerShell was mandatory, and of course it was hidden under a hotfix name, so uninstalling it was impossible without figuring out which hotfix it was under. The other software I uninstalled just as a precaution. One domain controller had the Exchange 2003 management tools installed, which caused MMC issues post-upgrade with the Active Directory Users and Computers snap-in. The resolution there was just to uninstall it.

Once all the DCs were upgraded and working, I reinstalled backup exec agents, symantec antivirus, and applied new Security Configuration Wizard policies. Then made backups, documentation, etc.

Since all my DCs were running Windows Server 2008 now, I went ahead and raised the forest to the 2008 functional level (keep in mind, functional level changes are ONE WAY, no going back). The 2008 functional level comes with some cool features like AES encryption for Kerberos, better DFS replication, and last interactive logon. I went ahead and tried to enable "last interactive logon" according to Microsoft's help pages, and my test Vista workstation could no longer unlock the terminal. So after some searching it turns out that you have to enable the policy on All Your Domain Controllers First! Thanks go out to Steven Bink for his article, which I found on Google, that solved it:
http://bink.nu/news/showing-last-logon-info-at-logon-in-windows-server-2008.aspx

And now happily, the feature works perfectly when you log into win2k8 or vista boxes that have the policy set on the domain.

Friday, April 18, 2008

Backup Exec 12 - upgraded and running

Okay, even this skeptic has to admit they're getting better. I upgraded my 11d server to version 12 this week.

Pros:
Now comes standard with Open file protection and the base level IDR option
New installer has a nicer layout
Win2k8 Support right off the bat
The new System Recovery agent looks cool and supports virtual machine conversions.

Cons:
Had a few hiccups getting the policy based jobs up and running again afterwards.

First off I like the new selection layout during the install. It breaks the modules up by what you're licensed for, then what you can eval, and then the stuff you can't even eval.



I went ahead and upgraded the antivirus to Symantec Endpoint Protection 11 like it wanted. It also has a new antivirus integration, but you have to install the full Endpoint Protection Manager on the Backup Exec server. The upgrade itself went smoothly and I rebooted the server. Then I had to upgrade all the remote agents because it kept giving warnings about the old version.

As for my policy based backups, I had a few issues with the jobs not wanting to work - or cancel for that matter. So first I tried the old "Delete Jobs Created By Policy..." and recreating them but the Incremental parts kept failing. So I cancelled them and started the Full backup job part of the policy.



Once that finished successfully then the incrementals started working right again.
*Mental note to self, don't do upgrades in the middle of the week*

Overall I'm satisfied that Backup Exec is once again on the right track. The expanded feature set and those little extra UI tweaks really do help.

Monday, April 14, 2008

Separate VLANs for nortel ip phones and data

For this week's project, I decided to split up the network to give IP phone traffic its own VLAN, with the eventual goal of QoS and all that good stuff in mind. The first challenge of course was getting my Dell and Netgear routers to play together nicely, which actually wasn't that bad. I already have a Layer 3 routing switch from Netgear (FSM7352S) in place which I previously configured to support routing between our existing network and an isolated VLAN for the testing lab. The plan was for the i2002 and i2004 phones to use VLAN 20 and to pass untagged packets through to the PCs attached to them.

Steps:
1. Setup VLAN 20 on the switch.

2. Change the access mode of all the ports involved to 'General' which would allow them to handle traffic from multiple VLANs including the default 'VLAN 1'. Then make sure VLAN 20 is selected and set all ports to 'tagged'. When done, each port should still have a PVID of 1, be untagged for VLAN 1 and tagged for VLAN 20.

3. Changed the ports connecting my switches to TRUNK mode. On the ones where trunk mode was not available, I just set that port to be tagged for VLAN 20 and made sure the port was set to 'General' mode.

4. Turned on GVRP, which I naively thought was a great feature that would propagate all my VLANs to all my switches, solve all the world's problems, perform miracles, etc. To be truthful, it did advertise the VLANs and the other switches acknowledged their existence, but I wasn't able to tag any ports on the switches that had dynamically received the VLAN info. I'm still not sure if that's a problem with the Dell switches or the monkey writing this blog.

5. Turned off GVRP and just setup VLAN 20 manually on all switches.

6. Tested an IP phone on one switch in each building to make sure that VLAN 20 was routing properly.

7. I hard-coded a block of switch ports to 'Access Mode' with a PVID of 20 for the nortel BCM phone servers to lock them into VLAN 20. Then I set up one of the BCM servers to be a DHCP server for that VLAN and rebooted it to make sure changes took effect.

8. I setup option 191 and 128 on the win2k3 DHCP server on the Data lan with the high hopes that it would redirect the ip phones automatically to VLAN 20. Option 191 tells the phones to use VLAN X which in my case is 20 and option 128 is a string which tells the phones settings like the ip of the BCM, etc. HAHAHA, didn't work right - probably my fault. It seemed to get the right server address but just wasn't DHCP'ing on VLAN 20.

9. Manually went to each IP phone and set the server IP, and VLAN to 20.

10. Backed up all switch configurations.

Lo and behold, it all worked. All ip phones were able to DHCP to VLAN 20, and all PCs hooked up through them were able to DHCP to vlan 1. Now all my IP phones are isolated away from the data network. Next project will be QoS. Don't forget, anytime you add a new switch you'll need to configure VLAN 20 on it unless you've got GVRP working.

For more information on options 191 and 128 and IP phone settings, I found some very helpful posts on McNamara's blog.

Option 128:
http://michaelfmcnamara.blogspot.com/2007/10/dhcp-options-voip.html
Option 191:
http://michaelfmcnamara.blogspot.com/2007/10/dhcp-options-voip-part-2.html
and IP phone settings:
http://michaelfmcnamara.blogspot.com/2007/10/nortel-i2002i2004-internet-telephone.html
(I went with Partial DHCP because I still haven't gotten the Full to work yet.)

Wednesday, April 9, 2008

Vista command prompt eccentricities, elevation/run as administrator and PATH fun

First thing I like to do with the command prompt shortcut is to reduce the number of steps needed to open it and set it to have a unique font color so it's easier to track which command prompts are elevated and which aren't. To start, make a copy of the command prompt shortcut and rename it to something like "Elevated CMD". Then go into properties and click on the advanced button. Then check the box for "Run as Administrator".



Then click on the Colors tab and set a Screen Text color like Green, purple, whatever works for you.



Then just save your new shortcut.

Now for some fun things about command prompts in Vista. If you're using an elevated command prompt you can't change drives to mapped network resources. You can still access them by UNC but not by drive letter. And if you're using a non-elevated command prompt you can access network drives by drive letter, but you don't get the same PATH variable as an elevated command prompt. So you have to manually run programs like PowerShell from the full path (C:\Windows\System32\WindowsPowerShell\v1.0). So until I can crack this one, I've just got a batch file that I run that contains only:
path=%path%;C:\Windows\System32\WindowsPowerShell\v1.0

I can see how some of these annoyances are part of making it more secure but it can be a pain for power users or powershell coders to get up and running.
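As an added example (not from the original post), here is a fuller version of that batch file: it uses the exit code of "net session", which needs admin rights, to tell an elevated prompt from a standard one, colors the elevated one green like the shortcut trick above, and appends the PowerShell folder to PATH only if it isn't already there. The folder path is the one from the post; the window titles are my own choice.

```batch
@echo off
rem Added example, not from the original post.
rem Tell an elevated cmd.exe from a standard one and make sure the
rem PowerShell v1.0 folder is on PATH for this session only.
set "PSDIR=C:\Windows\System32\WindowsPowerShell\v1.0"

rem "net session" fails with a non-zero exit code unless the prompt is
rem elevated, so it doubles as a cheap elevation check on Vista.
net session >nul 2>&1
if %errorlevel% equ 0 (
    title Elevated CMD
    color 0A
    echo This prompt is elevated: mapped drive letters will not work, use UNC paths.
) else (
    title Standard CMD
    echo This prompt is not elevated: PATH may be missing the elevated-only entries.
)

rem Append PSDIR only when it is not already present. Wrapping both sides
rem in ';' makes the case-insensitive substring match whole-entry only.
echo ;%PATH%; | find /i ";%PSDIR%;" >nul
if errorlevel 1 (
    set "PATH=%PATH%;%PSDIR%"
    echo Added %PSDIR% to PATH for this session.
) else (
    echo %PSDIR% is already on PATH.
)
```

Run it from inside the prompt (not by double-clicking) so the PATH change applies to that session.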