Apr 6, 2013

Don't rejoin to fix "the trust relationship between this workstation and the primary domain failed"

Copied from here: http://www.implbits.com/about/blog/tabid/78/post/don-t-rejoin-to-fix-the-trust-relationship-between-this-workstation-and-the-primary-domain-failed/default.aspx


If you Google “the trust relationship between this workstation and the primary domain failed”, you get plenty of information from support blogs and Microsoft articles; however, most of them ask you to rejoin your machine to the domain. That’s not always possible.

The underlying problem when you see this error is that the machine you are trying to access can no longer communicate securely with the Active Directory domain to which it is joined. The machine’s private secret is not set to the same value stored in the domain controller. You can think of this secret as a password, but really it’s some bits of cryptographic data called a Kerberos keytab stored in the local security authority. When you try to access this machine using a domain account, it fails to verify the Kerberos ticket you receive from Active Directory against the private secret that it stores locally. I think you can also come across this error if for some reason the system time on the machine is out of sync with the system time on the domain controller. This solution also fixes that problem.

This problem can be caused by various circumstances, but I most commonly run into it when I reset a virtual machine to a system snapshot that I made months or even years before.  When the machine is reset, it is missing all of the automatic password changes that it executed against the domain controller during the intervening months.  The password changes are required to maintain the security integrity of the domain.

Support blogs and Microsoft will generally tell you to rejoin the domain to restore the trust relationship.  Another option they will give is to delete the computer object and recreate it without a password and rejoin.

Microsoft support article on the topic: http://support.microsoft.com/kb/162797

I’m not a fan of any of these options. They seem heavy-handed and sometimes they aren’t even possible.

Recently, when I ran into this problem, the virtual machine that reset was an enterprise certificate authority joined to my test domain.  Well, guess what, Microsoft will not allow you to rename or unjoin a computer that is a certificate authority—the button in the computer property page is greyed out.  There may be another way to unjoin but I wasn’t going to waste time on it when it isn’t even necessary.


Just change your computer password using netdom.exe! 

netdom.exe resetpwd /s:<server> /ud:<user> /pd:*

<server> = a domain controller in the joined domain

<user> = DOMAIN\User format with rights to change the computer password

Here are the full steps:

  1. You need to be able to get onto the machine. I normally just log in with the local Administrator account by typing, ".\Administrator" in the logon window. I hope you remember the password. If you’re creative and resourceful you can hack your way in without the password. Another option is to unplug the machine from the network and log in with domain user. You will be able to do disconnected authentication, but in the case of a reset machine, remember that you may have to use an old password. Your domain user’s cached credential has the same problem as the machine’s private secret.
  2. You need to make sure you have netdom.exe. Where you get netdom.exe depends on what version of Windows you’re running. Windows Server 2008 and Windows Server 2008 R2 ship with netdom.exe; you just have to enable the Active Directory Domain Services role. On Windows Vista and Windows 7 you can get it from the Remote Server Administration Tools (RSAT). Google can help you get them. For other platforms see this link: http://technet.microsoft.com/en-us/library/ee649281(WS.10).aspx
  3. Extra steps if the machine is a domain controller. If the broken machine is a domain controller it is a little bit more complicated, but still possible to fix the problem. I haven’t done this for a while, but I think this works:
    1. Turn off the Kerberos Key Distribution Center service. You can do this in the Services MMC snap-in. Set the startup type to Manual. Reboot.
    2. Remove the Kerberos ticket cache. A reboot will do this for you, or you can remove them using KerbTray.exe. You can get that tool here: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=17657
    3. Post change steps. Do these in conjunction with 5 below. Turn the Kerberos Key Distribution Center Service back on before rebooting. You should reboot the domain controller and then force replication in the Active Directory Sites and Services MMC snap-in.
  4. Run netdom.exe to change the password.
    1. Open an administrative command prompt. On Windows platforms with UAC enabled, you will need to right-click on cmd.exe and select "run as Administrator".
    2. Type the following command: netdom.exe resetpwd /s:<server> /ud:<user> /pd:*
  5. Reboot the machine.
Here is more information on netdom.exe: http://support.microsoft.com/kb/325850
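The steps above as a script, added here as an example that is not part of the original post. It measures clock skew against a domain controller (the other cause of this error mentioned above), tests the secure channel with the built-in Test-ComputerSecureChannel cmdlet, repairs it with domain credentials (the same machine-account password reset that netdom.exe resetpwd performs) and only falls back to netdom.exe if the cmdlet cannot do it. The domain controller name and domain name are placeholders; run it in an elevated PowerShell session on the affected machine while logged on with a local account.

```powershell
# Added example, not from the original post. Diagnose and repair a broken
# machine-account secure channel with built-in tools before falling back to
# netdom.exe resetpwd. Run in an elevated PowerShell session on the affected
# machine while logged on with a local account (e.g. .\Administrator).
# $Dc and $Domain are placeholders; supply your own values.
param(
    [string]$Dc     = "dc01.corp.example",   # a domain controller in the joined domain
    [string]$Domain = "CORP"                 # NetBIOS name of the joined domain
)

function Get-ClockSkewSeconds {
    # Kerberos rejects tickets when clocks differ by more than the allowed skew
    # (5 minutes by default). A VM restored from an old snapshot often brings an
    # old clock back along with the old secret, so check this first.
    param([string]$Server)
    $sample = w32tm /stripchart /computer:$Server /samples:1 /dataonly |
              Select-String -Pattern '([+-]\d+\.\d+)s' | Select-Object -Last 1
    if (-not $sample) { return $null }       # DC unreachable or not answering NTP
    return [double]$sample.Matches[0].Groups[1].Value
}

function Repair-MachineTrust {
    param([string]$Server, [pscredential]$Credential)

    # 1. Ask the LSA whether its copy of the secret still matches the DC's copy.
    if (Test-ComputerSecureChannel -Server $Server -ErrorAction SilentlyContinue) {
        Write-Host "Secure channel to $Server is healthy; nothing to do."
        return $true
    }

    # 2. Reset the machine account password on both sides. This is the same
    #    operation as 'netdom.exe resetpwd', done through the cmdlet.
    $repaired = Test-ComputerSecureChannel -Server $Server -Repair -Credential $Credential
    if (-not $repaired) {
        # 3. Fall back to netdom.exe; /pd:* prompts for the password instead of
        #    taking it on the command line.
        & netdom.exe resetpwd "/s:$Server" "/ud:$($Credential.UserName)" /pd:*
        $repaired = ($LASTEXITCODE -eq 0)
    }
    return $repaired
}

$skew = Get-ClockSkewSeconds -Server $Dc
if ($null -ne $skew -and [math]::Abs($skew) -gt 300) {
    Write-Warning ("Clock is {0:N0} s off from {1}; fix the time first (w32tm /resync) or Kerberos will keep failing." -f $skew, $Dc)
}

$cred = Get-Credential -Message "Domain account allowed to reset this computer's password ($Domain\user)"
if (Repair-MachineTrust -Server $Dc -Credential $cred) {
    Write-Host "Reset succeeded. Reboot so the LSA and the Kerberos ticket cache pick up the new secret."
}
```

Reboot afterwards exactly as in step 5; the cmdlet writes the new secret into the LSA, but the old Kerberos tickets and cached logon data are only discarded on restart.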

I hope this is helpful.  This problem comes up every few months for me, so I wanted to document it for my own use.  It is difficult to find when you just search for the error you get in the login window.

Mar 21, 2013

SharePoint and PeoplePicker configuration

MSDN Article: http://technet.microsoft.com/en-us/library/gg602075.aspx

Excellent article on complex scenarios: http://blog.octavie.nl/index.php/2010/10/12/my-challenge-with-the-people-picker/

Important steps:

1. Set an encryption key for use with a one-way trust

If the forest or domain on which SharePoint 2013 is installed has a one-way trust with another forest or domain, you must first set the credentials for an account that can authenticate with the forest or domain to be queried before you can use the Stsadm peoplepicker-searchadforests property.

Note: The encryption key must be set on every front-end web server in the farm on which SharePoint 2013 is installed.

To set an encryption key, type the following command:

stsadm.exe -o setapppassword -password <Key>

2. Enable cross-forest or cross-domain queries when you use a one-way trust

If the forest or domain on which SharePoint 2013 is installed has a one-way trust with another forest or domain, you must specify the credentials to be used to query the forest or domain, in addition to the names of the forests or domains to be queried. People Picker will only query the forests or domains that you specify in the peoplepicker-searchadforests property setting.

STSADM.exe -o setproperty -pn peoplepicker-searchadforests -pv "forest:Contoso.com,Contoso\User1,Password1;domain:Fabrikam.com,Fabrikam\User2,Password2" -url http://central

Here is a sample batch file to help:

@echo off
setlocal

REM Usage: set-peoplepicker.bat DOMAIN\User Password
SET UID=%1
SET PWD=%2

REM One entry per trusted domain: domain:<dns name>,<account>,<password>, separated by semicolons.
SET PPCFG="domain:corp.avanade.org,%UID%,%PWD%;domain:pws.avanade.com,%UID%,%PWD%;domain:gmd.lab,%UID%,%PWD%"

REM Replace <<URL1>> and <<URL2>> with the web application URLs to configure.
CALL :execute %PPCFG% <<URL1>>
CALL :execute %PPCFG% <<URL2>>
exit /b

REM %1 = quoted peoplepicker-searchadforests value, %2 = web application URL
:execute
echo Setting People Picker for URL: %2
STSADM.exe -o setproperty -pn peoplepicker-searchadforests -pv %1 -url %2
GOTO :eof
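The same configuration done through the SharePoint server object model, added here as an example that is not part of the Microsoft article or of the batch file above. The point is to keep the query account's password off the command line: the batch file takes it as %2, so it ends up in the console history and in any process listing, whereas here it is read with Get-Credential as a SecureString and handed to SPPeoplePickerSearchActiveDirectoryDomain.SetPassword, which stores it encrypted with the key set by stsadm -o setapppassword. The web application URLs and domain names are placeholders; run it in the SharePoint Management Shell as a farm administrator, after the app password has been set on every front-end server.

```powershell
# Added example, not from the Microsoft article or the batch file above.
# Configures People Picker for a one-way trust through the SharePoint server
# object model so the service account password never appears on a command line.
# Prerequisite: 'stsadm -o setapppassword -password <Key>' has been run on every
# web front end. URLs and domain names below are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Set-PeoplePickerTrustedDomains {
    param(
        [Parameter(Mandatory=$true)][string]$WebAppUrl,
        [Parameter(Mandatory=$true)][string[]]$Domains,          # DNS names, e.g. 'contoso.com'
        [Parameter(Mandatory=$true)][pscredential]$QueryCredential,
        [switch]$AsForest                                         # query whole forests instead of single domains
    )
    $wa = Get-SPWebApplication -Identity $WebAppUrl
    $settings = $wa.PeoplePickerSettings
    # stsadm setproperty replaces the whole list, so do the same here.
    $settings.SearchActiveDirectoryDomains.Clear()

    foreach ($d in $Domains) {
        $ad = New-Object Microsoft.SharePoint.Administration.SPPeoplePickerSearchActiveDirectoryDomain
        $ad.DomainName = $d
        $ad.IsForest   = [bool]$AsForest
        $ad.LoginName  = $QueryCredential.UserName
        # Takes a SecureString; SharePoint encrypts it with the farm app password key.
        $ad.SetPassword($QueryCredential.Password)
        $settings.SearchActiveDirectoryDomains.Add($ad)
    }
    $wa.Update()
    return $settings.SearchActiveDirectoryDomains.Count
}

# Prompted once; the password stays a SecureString from here on.
$cred = Get-Credential -Message "Account that can query the trusted domains (DOMAIN\user)"
foreach ($url in @('http://intranet.example', 'http://mysites.example')) {
    $n = Set-PeoplePickerTrustedDomains -WebAppUrl $url `
            -Domains @('corp.example.org', 'lab.example') -QueryCredential $cred
    Write-Host "$url : People Picker now searches $n domain(s)."
}
```

Reading the result back with `stsadm -o getproperty -pn peoplepicker-searchadforests -url <url>` shows the domain and login entries with the password field masked, which is a quick way to confirm the key and the setting are in place on each server.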

Attached script:

set-peoplepicker.bat (375.00 bytes)

Feb 3, 2013

How to Recreate the System Mailboxes in Exchange 2010

Original Source: http://www.mikepfeiffer.net/2010/04/how-to-recreate-the-system-mailboxes-in-exchange-2010/

When you install Exchange 2010, several system mailboxes are created in the root of the Active Directory forest. The Active Directory accounts for these mailboxes are disabled and are not intended to be used by administrators; instead, Exchange itself uses them for things like the moderated transport system.

The system mailbox descriptions and names are as follows:

  • Discovery - SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}
  • Message Approval - SystemMailbox{1f05a927-xxxx-xxxx-xxxx-xxxxxxxxxxxx} (where x is a random number)
  • Federated E-mail - FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042

So, what happens when someone deletes these mailboxes and they are purged from Exchange? Well, the solution is simple. You just need to use the Enable-Mailbox cmdlet with the -Arbitration parameter, for example:

Enable-Mailbox "SystemMailbox{1f05a927-409a-4693-9ea1-c71cc379dab7}" -Arbitration

Run the above command for each mailbox as needed.

What if the Active Directory Accounts are Deleted?

If the system mailbox accounts are deleted from Active Directory, you can restore them by re-running the PrepareAD process using Setup.com from the Exchange media:

Setup.com /PrepareAD

After the Active Directory accounts have been recreated, you can create mailboxes as shown in the first example using the Enable-Mailbox cmdlet. Hope this helps!
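The "run the above command for each mailbox as needed" step as a script, added here as an example that is not part of the original post. It lists the system accounts still present in Active Directory (using the name patterns from the list above), compares them with what Get-Mailbox -Arbitration returns, and re-enables only the ones whose mailbox is missing, with a -WhatIf pass first. Run it in the Exchange Management Shell with Organization Management rights; if the accounts themselves are gone, Setup.com /PrepareAD has to come first, exactly as described above.

```powershell
# Added example, not from the original post. Re-create missing Exchange 2010
# system (arbitration) mailboxes for accounts that still exist in AD.
# Run in the Exchange Management Shell. If Get-User returns nothing for these
# patterns, the AD accounts are gone and 'Setup.com /PrepareAD' is needed first.

function Get-MissingArbitrationMailboxes {
    # Account name patterns from the post. Get-User sees the (disabled) AD
    # accounts; Get-Mailbox -Arbitration sees only those still mailbox-enabled.
    $patterns = @('SystemMailbox{*', 'FederatedEmail.*')
    $existing = @(Get-Mailbox -Arbitration | ForEach-Object { $_.Name })
    $missing  = @()
    foreach ($p in $patterns) {
        Get-User -Filter "Name -like '$p'" |
            Where-Object { $existing -notcontains $_.Name } |
            ForEach-Object { $missing += $_ }
    }
    return $missing
}

function Restore-ArbitrationMailboxes {
    param([switch]$WhatIf)
    $restored = @()
    foreach ($u in Get-MissingArbitrationMailboxes) {
        Write-Host "Enabling arbitration mailbox for $($u.Name)"
        # Same cmdlet and switch as the post's one-liner, keyed by DN so a
        # duplicate display name in another OU cannot be picked by mistake.
        Enable-Mailbox -Identity $u.DistinguishedName -Arbitration -WhatIf:$WhatIf
        $restored += $u.Name
    }
    return $restored
}

# Preview first, then run for real.
Restore-ArbitrationMailboxes -WhatIf
Restore-ArbitrationMailboxes
```

Afterwards `Get-Mailbox -Arbitration` should list all three system mailboxes again; if Message Approval is still missing, check that its SystemMailbox{1f05a927-...} account exists in the root domain's Users container.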

[Update] MSDN Article http://technet.microsoft.com/en-us/library/gg588318.aspx

Jan 31, 2013

Nesting Hyper-V with VMware Workstation 8 and ESXi 5

Original Source Post: http://www.veeam.com/blog/nesting-hyper-v-with-vmware-workstation-8-and-esxi-5.html

As Veeam moves forward and starts to become focused on two virtualization platforms, I thought to myself now is the time to work out how I’m going to introduce Microsoft Hyper-V in my lab environment. I wanted to know if it could be virtualized running inside a VMware virtual machine of some sorts. Veeam has been very successful in presenting its solutions through the use of portable labs running for example on laptops nested under VMware Workstation. We would often have a nested ESX server, vCenter, DC and Veeam apps running on a single laptop and I wanted to know if Hyper-V could be thrown into the mix.

This post will function as a how-to guide and provide a step-by-step process to run Hyper-V virtual machines on either VMware Workstation 8 or ESXi 5.

For a long time, I was told it was impossible, and a few months ago, I heard a passing rumour that it would be possible when ESXi 5 came out. I’d also heard that ESXi 5 running on Intel Nehalem or Intel Core i7 was going to allow nested hypervisors to also contain running, nested 64bit virtual machines. So firstly, I went about making sure that when I was due for a new laptop, I would have this Intel architecture, or equivalent AMD, in my system. I also managed to build a lab with the same architecture that I plan to use on the road for events.

Through Twitter, someone sent me a link to a few blogs that helped me start my quest:

http://www.vcritical.com/2011/07/vmware-vsphere-can-virtualize-itself/#comment-12442

http://www.virtuallyghetto.com/2011/07/how-to-enable-support-for-nested-64bit.html

By the time I’d gotten a chance to give it a whirl, ESXi had gone GA. What I found from the blogs posted above was there were some great pointers, but when I followed either post’s instructions, all I got was a blank Black Screen like a few other people were reporting. No matter what additional information I gave, it just would not work. Undeterred, I decided to try something different. I installed VMware Workstation 8 instead of ESXi 5 and managed to get a nested Hyper-VM working. At this point, I knew my hardware was going to be compatible with nesting Hyper-V. The blog posts above stated the key to making it work is a feature found in your CPU/BIOS called Intel EPT. Now, I read that if you have Nehalem/Core i7, you should have Intel EPT; the blog posts suggested that it should be enabled through the BIOS. However, I didn’t find this option in either of my system BIOS.

While testing what would work, I decided to use Windows 2008 R2 Standard and enable Hyper-V as a Role rather than install the standalone Hyper-V product. I only did this to make my life easier, but the standalone Hyper-V product is a fine option as well.

Nesting a Hyper-VM on VMware Workstation 8

So, following are the steps to create a Microsoft Hyper-V VM running in VMware Workstation 8, but later I’ll show you how to do it in ESXi 5 as well:

1. Create a New VM with version 8 hardware

clip_image002

2. Give it 4 GB RAM and 2 x vCPUs with about 80-100 GB disk space, depending upon how many VMs you want nested underneath Hyper-V.

3. The instructions lead you to believe that you should pick a VMware ESX option as the guest OS... STOP! DON’T! Select Windows 2008 R2 x64.

clip_image004

4. When you are finished, make sure you add another NIC to the VM to be used as the Hyper-V virtual network.

5. Under the settings of the VM > CPU, make sure you have the option to pass-through the Intel VT-x/EPT feature.

clip_image006

6. Make sure you have set the VM to boot from Windows 2008 R2 x64 media ISO.

7. Before booting, you should edit the config file .vmx and add the parameter: hypervisor.cpuid.v0 = "FALSE"

clip_image008

8. Now Boot and Install Windows 2008 R2 x64.

9. Once finished, open up Server Manager and click “Add Role”.

clip_image010

10. Select and install the Hyper-V option. At this point, you will know if your system is working correctly and passing the Intel EPT feature, because if it doesn’t, you won’t be able to go past this point.

clip_image012

11. You’ll also have to select the network adapter used for the virtual network.

clip_image014

12. Now install Hyper-V, which will need a reboot.

13. After it is completed, open Server Manager, drill down to Hyper-V and connect to the local server.

clip_image016

14. Now create and install a virtual machine.

clip_image018

Once done, you should be able to use it as normal, albeit slow.

Nesting a Hyper-V VM on ESXi 5

Now, doing the same thing on ESXi 5 is a little trickier although some of the steps are the same.

1. Before anything else you need to place an entry in the /etc/vmware/config file, found in tech support mode on your ESXi 5 host. I enabled SSH through the security profile in the vSphere Client, then used PuTTY to SSH into the ESXi system.

2. From there I executed the following command, which is needed to allow nested hypervisors:

# echo 'vhv.allow = "TRUE" ' >> /etc/vmware/config

Notice the use of single and double quotes in the command-line

3. Now create a virtual machine using version 8 hardware, 4GB (or as much as you can spare), 2 x vCPUs, 2 or more vNICs and a 100GB virtual disk.

4. Before booting up the VM and installing Hyper-V we need to add two lines to the virtual machine's .vmx config file.

You can try this through the vSphere Client in the settings of the virtual machine > Configuration Parameters, but I had better luck doing it from the command line.

clip_image020

clip_image022

To add them using the command line, move back to the SSH session and change into the directory where your Hyper-V VM is installed.

In my example the config file is called Hyper-V.vmx. Type the following commands:

# echo 'monitor.virtual_exec = "hardware" ' >> Hyper-V.vmx
# echo 'hypervisor.cpuid.v0 = "FALSE" ' >> Hyper-V.vmx

5. Now back in the VM settings > Options > CPU/MMU Virtualization make sure you have the option to pass the Intel EPT feature.

clip_image024

6. Now in the Options area > CPUID Mask click on Advanced

clip_image026

7. Add the following CPU mask Level ECX: ---- ---- ---- ---- ---- ---- --H- ----

clip_image028

8. Now Install Hyper-V or Windows 2008 R2 and enable the Hyper-V role.

9. You are ready to roll.
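The .vmx edits from both procedures (step 7 for Workstation 8 and step 4 for ESXi 5) as a small function, added here as an example that is not part of the Veeam post. The post appends the lines with echo, which works once but adds a second copy of the key every time it is repeated; this version replaces an existing key in place, appends it only if absent, and keeps a backup, because a malformed .vmx leaves the VM unregistrable. It is written for the Workstation host (the ESXi steps are typed into the host's shell, where PowerShell is not available, but the keys and the in-place rule are the same). The VM path is a placeholder; vhv.allow goes into /etc/vmware/config on the ESXi host, not into the .vmx, so it is not part of this function.

```powershell
# Added example, not from the Veeam post. Idempotently set the .vmx keys the
# post adds by hand for a nested Hyper-V guest. Path is a placeholder.

function Set-VmxSetting {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][hashtable]$Settings
    )
    # Keep a copy: a broken .vmx cannot be opened or registered.
    Copy-Item -Path $Path -Destination "$Path.bak" -Force
    $lines = @(Get-Content -Path $Path)

    foreach ($key in $Settings.Keys) {
        $pattern = '^\s*' + [regex]::Escape($key) + '\s*='
        $newLine = '{0} = "{1}"' -f $key, $Settings[$key]
        $found = $false
        for ($i = 0; $i -lt $lines.Count; $i++) {
            if ($lines[$i] -match $pattern) {   # replace the existing line in place
                $lines[$i] = $newLine
                $found = $true
                break
            }
        }
        if (-not $found) { $lines += $newLine } # append only when the key is absent
    }
    # .vmx files are plain ASCII; a UTF-8 BOM on the first line confuses older VMware builds.
    Set-Content -Path $Path -Value $lines -Encoding ASCII
    return $lines
}

# Keys used in the post. hypervisor.cpuid.v0 hides VMware's hypervisor CPUID
# leaf from the guest so Hyper-V believes it runs on bare metal; the post adds
# monitor.virtual_exec only in the ESXi section (on Workstation the VT-x/EPT
# pass-through checkbox in the CPU settings covers it).
$nestedHyperV = @{
    'hypervisor.cpuid.v0'  = 'FALSE'
    'monitor.virtual_exec' = 'hardware'
}
Set-VmxSetting -Path 'C:\VMs\Hyper-V\Hyper-V.vmx' -Settings $nestedHyperV | Out-Null
```

Run it with the VM powered off; Workstation and ESXi rewrite the .vmx on power-off and would overwrite edits made while the VM is running.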

Gotchas/Tips

Here are a few tips from Ricky to avoid any of the stopping points along the way:

  • On my system part way through install of Microsoft Hyper-V the OS requires a reboot. When you do this after Hyper-V has been installed it blue screens...DON’T PANIC because it doesn’t blue screen while actually using Hyper-V
  • With both my server and laptop I had no way of telling if my systems had Intel EPT; it was a case of seeing if VMware passed Intel EPT without complaining and if Hyper-V spotted it. The giveaway for me was when I’d tried VMware Workstation first and it worked straight off. I’ve read a million and 1 things about this subject, but my gut feeling is if you look for Nehalem or Core i7 and a motherboard that supports Intel VT, I think that is a safe bet. I read you need Intel VT-x2 which I don’t have (I don’t think) so that was misleading...If I can narrow the field of information I will update this post.
  • Remember nesting a hypervisor means it’s going to run very, very slow...however installing the nested hypervisor in a datastore that is on SSD disks helps big time.
  • The 2 blogs linked above presented 2 methods for creating the VM using version 4/7 hardware or version 8 hardware. I first went with version 8 hardware and no joy at all. All I got was a blank black screen. I actually tried a combination of the tweaks in both methods and that is what worked for me.
  • The port group that the nested Hyper-V machine resides on should be set to Promiscuous Mode: Accept
  • In one of the blogs there was a note suggesting that making the entries manually in the config files (instead of using the GUI) was more stable. I found this too, which is why I changed the config files in a shell session using PuTTY.

Jan 31, 2013

Excellent set of JSON samples

Check out this site for a great set of JSON samples.

Some information from the site:

Over 100 code samples covering Json.NET's most commonly used functionality.

Samples

  • Serializing JSON - Serializing and deserializing JSON, serializer settings and serialization attributes
  • LINQ to JSON - Parsing, querying, modifying and writing JSON
  • JSON Schema - Loading schemas and validating JSON
  • Converting XML - Converting JSON to XML and XML to JSON
  • BSON - Serializing and deserializing BSON
  • Reading and Writing JSON - Reading JSON with JsonTextReader, writing JSON with JsonTextWriter

Jul 25, 2012

Improving Performance of your Virtual Machine

http://www.howtogeek.com/howto/31303/improve-vmware-vm-performance-by-defragmenting-virtual-disks/

Improve VMware VM Performance by Defragmenting Virtual Disks

Have you noticed your VMware virtual machines seem sluggish and slow to respond? Here’s how you can quickly defragment your virtual disks to make them as fast as they were originally.

Just like a hard drive on a normal computer, the virtual hard drive on a virtual machine can become defragmented over time.  In fact, if your virtual disk is setup to dynamically expand over time, then fragmentation can become a serious problem, especially if your hard drive is low on free space.  You may notice your virtual machines running slower or being less responsive, and VMware itself may even notify you that your virtual disk is too fragmented.

Here’s what you’ll need to do.  First, while your virtual machine is running, run the default disk defragmenter as normal inside the virtual machine.  This may take some time if you haven’t done it in a while, and may also slow your whole computer down while it’s running.

Once the virtual machine’s OS has finished defragmenting, shut down the virtual machine.  Then, open your VMware virtual disk properties.  To do this in VMware Workstation, double-click on the Hard Disk info on the virtual machine’s main page.

Alternately, if you’re using VMware Player, right-click on the virtual machine’s name and select Virtual Machine Settings.

Then select the Hard Disk entry from the Hardware tab if it’s not already selected.  If your virtual machine has multiple virtual disks, you may wish to repeat these steps on each virtual disk.

Click the Utilities button

VMware will start defragmenting your virtual disk.  This may take a while depending on your virtual machine’s size and how often you defragment it.

Once it’s done, you’ll be notified that the defragment is completed.

To improve performance even more, you should also regularly defragment your host computer’s hard drive.  This is not much of a problem in Windows 7 and Vista since they automatically keep your hard drive defragmented, but if you’re using XP, you might want to setup automatic disk defragmenting.  Alternately, if you’d like more defragmenting control, you can always run the defrag command in an elevated command prompt for a wide range of analysis and defrag options.

Most of us don’t think much about defragmenting virtual machines, but it can seriously improve your virtual machines’ performance.  We’re big fans of the free VMware Player, and if you have more advanced needs, VMware Workstation is a great option as well.  The great thing is, no matter which one you’re using, you can still keep your virtual machines running at top speed with a quick defrag. 

[Updated]  The opensource UltraDefrag might be a better option to use as it will defrag files of any size

Jul 25, 2012

Great Article on Mobile vs. Mobility

http://blogs.hbr.org/cs/2012/07/the_future_isnt_about_mobile_its.html

The Future Isn't About Mobile; It's About Mobility

Facebook is expected to announce their uniquely targeted mobile advertising model before the end of the month. Amazon is talking to Chinese manufacturer Fox Conn with ambitions of building their own mobile device to serve as a complement to Amazon's considerable digital ecosystem of products and services. China itself has surpassed the US as the world's dominant smartphone market with over a billion subscribers and roughly 400 million mobile web users. Advisory firm IDC predicts that by 2014 there will have been over 76 billion mobile apps downloaded resulting in an app economy worth an estimated thirty five billion in the same year. Mobile business will become big business in the not so distant future.

However, there will be blood as the business world pursues the mobile gold rush.

We've seen this movie before. In the early days of the web, it was the website that created a browser-fueled gold rush — until organizations realized that maintaining a website that provided real value was more difficult than launching something quickly. The same story is now playing out in social — getting something launched on Facebook, Twitter or Pinterest is easy, but building an engaged and meaningful following isn't. And the same will happen in the rush to mobile if companies take a "channel" approach vs. a behavioral approach. In short, it's not about mobile as much as it is about understanding mobility.

In the early days of digital, the core behavior we needed to understand was that people wanted information at their fingertips and the convenience that came with digital transactions. In the social era it was all these things plus social connectivity. Mobility means information, convenience, and social all served up on the go, across a variety of screen sizes and devices.

Mobility is radically different from the stationary "desktop" experience. In some cases, mobility is a "lean back" experience like sitting on a commuter train watching a video. In other cases it can be "lean forward" — like shopping for a gift while you take your lunch break at the park. And in many cases, it's "lean free" when your body is in motion, or you're standing in line scanning news headlines or photos from friends while you wait for your turn to be called.

Mobility trumps mobile. The difference between mobility and mobile is like the difference between hardware and software. Mobile is linked to devices — it is always one thing, wherever it is. But mobility changes with context: cultures incorporate mobile technologies differently. For example, in Africa, SMS technology helps farmers pay bills electronically. In America, it helps teenagers keep up with their friends — an average of 60 times a day. Mobile itself is the nuts, bolts, and infrastructure, while mobility is the context which determines if it all works together or doesn't.

To avoid "bloodshed" in mobile, learn from past lessons in Web, digital and social. Improve your understanding of the nuances of mobility and mobile behaviors before you ramp up your investment in mobile. Resist the temptation to rely too much on a guru; hiring a guru will only take your organization so far. Many of the organizations who brought in "social media gurus" learned this lesson the hard way. A single individual cannot scale. However, if the organization is willing to put real teeth behind their mobile efforts, a single smart person can help form a center of excellence. Establishing a center of excellence that puts mobility at the core, and integrates it with other business initiatives, can get a business thinking about mobile more strategically.

Secondly, realize that going mobile is not the same thing as having an app. In fact, avoid the temptation to "app everything." A lot of content — whether video or text-based — can easily be optimized for mobile consumption. Popular apps such as Flipboard or Pulse point to a future of consumer "appgregation" — using one app to aggregate many sources of content. Instead of creating a whole host of apps that few are likely to download, invest in making your "digital ecosystem" more mobile-friendly.

Lastly, don't put mobile tactics in front of strategy. In the early days of the web, every site seemed to have an animated GIF or a clunky site-counter. In the early days of social, companies spent millions on costly Facebook apps with cute gimmicks but no real utility or sharing value. Today, companies are scrambling to come up with something "mobile" whether or not it makes sense for their long-term business goals, and whether or not users will actually want it. The outcome is the same across all of these examples: a low number of visits/installs/downloads and ho-hum business results. Tomorrow's winners of today's mobile gold rush will boast significant (and sustainable) usage numbers due to the value of their content, whether it's sheer utility or impossible-to-ignore entertainment value.

Today's mobile realities are stark. Competition is fierce and users are demanding. If your company wants to put out a fitness app, you're competing not just with Nike FuelBand or Run Keeper, but with dozens of other apps put out by scrappy start-ups.

Before doubling down on mobile, any business should first ask themselves if they really understand mobility as a behavior and lifestyle, followed by tough questions about the role mobile plays in their business. From there, a strategy for mobile, built on an understanding of mobility, can take root.

Build on the expensive lessons learned from past bubbles and there will be less "blood" all around. 

Jun 4, 2012

SharePoint Analytics OOTB

http://blogs.msdn.com/b/ecm/archive/2010/03/21/introducing-web-analytics-in-sharepoint-2010.aspx

http://blogs.msdn.com/b/ecm/archive/2010/05/03/web-analytics-in-sharepoint-2010-insights-into-reports-and-metrics.aspx

Jun 3, 2012

SharePoint Field Types

http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.spfieldtype.aspx

Jun 3, 2012

JavaScript and jQuery - useful posts

http://www.quirksmode.org/js/associative.html

http://shikii.net/blog/organizing-jquery-projects-objects-and-namespaces/

http://javascriptweblog.wordpress.com/2010/12/07/namespacing-in-javascript/