Ying Li(MVP) at myITforum.com

PowerShell & System Center

May 2009 - Posts

How to set up a Configmgr hierarchy between two AD forests without trust

Here is a document on setting up Configuration Manager across multiple Active Directory forests with or without trust. It touches on just about everything but lacks detailed instructions on how to actually set it up!

Let’s say you have a production AD forest with a Configmgr hierarchy in place, and another AD forest set up for commercial-facing websites or whatever other reason. The security requirement is NO TRUST between the two forests. How are you going to set up site-to-site communication between these two forests?

The forest/domain functional levels are Windows Server 2003 and above (which meets the minimum requirement of a Windows Server 2003 domain/forest functional level). Both sites have to be primary sites according to the doc above! They are both in mixed mode in our case.

1) Create a standard sender address in both forests using an account in domain\user format, as the computer account won’t work in this scenario;

http://technet.microsoft.com/en-us/library/bb680457.aspx

2) Add the site address account you created above to the Site to Site connection group on the respective site server;

http://technet.microsoft.com/en-us/library/bb632850.aspx

3) Set the Central site (in the production forest) as the parent site for the new site;

http://technet.microsoft.com/en-us/library/bb632349.aspx

4) Last but not least, manually exchange the public keys following the link below!

http://technet.microsoft.com/en-us/library/bb693690.aspx

That’s all you have to do to set up site-to-site communication across Active Directory forests WITHOUT TRUST!
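The following script is an added example, not part of the original post, to check steps 1 and 2 on a ConfigMgr 2007 site server before you point the child site at its parent. It assumes the site-to-site connection group is the local group named SMS_SiteToSiteConnection_<SiteCode> (adjust the name if your site server uses a different one), and the site code and sender account are placeholders.

```powershell
# Added example (not the blog post's own code): verify the sender address
# account and its group membership on a ConfigMgr 2007 site server.
# Assumptions: the group is SMS_SiteToSiteConnection_<SiteCode>; the site
# code and account below are placeholders you replace with your own values.
param(
    [string]$SiteServer    = $env:COMPUTERNAME,
    [string]$SiteCode      = 'ABC',                      # placeholder site code
    [string]$SenderAccount = 'PRODDOMAIN\svc-sms-sender' # placeholder address account
)

$groupName = "SMS_SiteToSiteConnection_$SiteCode"

# Step 1 check: the address account must be DOMAIN\user, never a computer
# account (computer accounts end in '$' and will not work without a trust).
if ($SenderAccount -notmatch '^[^\\]+\\[^\\$]+$') {
    throw "Sender account '$SenderAccount' is not in DOMAIN\user form."
}

# Step 2 check: the account must be a member of the site-to-site group.
$group   = [ADSI]"WinNT://$SiteServer/$groupName,group"
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
})

# ADsPath comes back as WinNT://DOMAIN/user; normalise to DOMAIN\user.
$normalised = $members | ForEach-Object {
    ($_ -replace '^WinNT://', '') -replace '/', '\'
}

if ($normalised -contains $SenderAccount) {
    "OK: $SenderAccount is a member of $groupName on $SiteServer"
} else {
    "MISSING: add $SenderAccount to $groupName on $SiteServer " +
    "(current members: $($normalised -join ', '))"
}

# Sanity check that there really is no trust: only this forest's own
# domains should be listed.
nltest /domain_trusts
```

Run it on each site server with that server's own site code and the sender account the other site will use; the final nltest call is there so the "no trust" requirement is confirmed rather than assumed.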

The wait is over – OpsMgr 2007 R2 hits RTM

Yesterday, OpsMgr 2007 R2 finally hit RTM; you can download the evaluation copy here. The production version will not be available until July 1st, but you can install the evaluation copy now and upgrade later.

OpsMgr 2007 SP1 – Creating a rule to monitor logon event

At times people use a service account to log on to machines. This has the potential to lock out the service account and therefore bring down the service, which is not acceptable to the business, so we need to create a monitor or rule to watch for this behavior.

We can create either a monitor or a rule; the process is pretty much the same, except that a monitor affects the health state of the business application and a rule does not. Another thing to pay attention to is how you reset the monitor once the state change has occurred. So I prefer to use a rule instead:

Go to the Authoring console, expand Management Pack Objects, right-click Rules and select Create a new rule. In the next window, expand Alert Generating Rules, expand Event Based and select NT Event Log (Alert). Make sure you save it in a Management Pack other than the Default Management Pack, see below.

[screenshot]

Type a name for your new rule, set the Rule Category to Alert, set the Rule target to Windows Computer and uncheck the "Rule is enabled" check box. We will do an override later to enable this rule for a targeted group. It is kind of counter-intuitive, but that’s how this works!

[screenshot]

Set the Log name to “Security”.

[screenshot]

For the purpose of this blog post, I am targeting a Windows 2008 domain, and in a Windows 2008 domain the event ID for a successful logon event is 4624. If you are targeting a Windows 2003 domain, the event ID is different!

Delete the Event Source row and click Insert, choose the third option, “Use parameter name not specified above”, type EventDescription in the box and click OK.

[screenshot]

In the next window, set the Operator to “Contains” and type the target account in the Value column (xyz\yli here).

[screenshot]

In the next screen, type $Data\EventDescription$ in the Alert Description field.

[screenshot]

Click on the Create button to create the rule.

Next, do an override to enable this rule for a pre-defined group containing all the Windows 2008 domain controllers, since all the logon events will be logged on the domain controllers.

[screenshot]

That is all you need to create a monitor/rule for account logon events. There are some other posts out there, but the procedure above did work for me!
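As an added example (not part of the original post), the script below dry-runs the rule’s criteria, Security log, Event ID 4624 and a description containing the target account, against one domain controller, so you can see what the override will start alerting on before you enable it. The domain controller name and account are placeholders, and the script assumes the rule’s EventDescription parameter corresponds to the event’s message text.

```powershell
# Added example (not the blog post's own code): test the rule's filter
# (Security log, Event ID, message contains the account) against a DC.
# Assumptions: placeholder DC name and account; Get-WinEvent is available
# on the machine running the script (PowerShell 2.0 on Windows 2008).
param(
    [string]$DomainController = 'dc01.xyz.local',  # placeholder DC
    [string]$TargetAccount    = 'xyz\yli',         # account the rule watches
    [int]   $EventId          = 4624,              # Windows 2008 successful logon
    [int]   $Hours            = 24
)

$filter = @{
    LogName   = 'Security'
    Id        = $EventId
    StartTime = (Get-Date).AddHours(-$Hours)
}

# Same predicate the rule uses: the event description contains the account.
$hits = @(Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter `
            -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -like "*$TargetAccount*" })

if ($hits.Count -eq 0) {
    "No $EventId events mentioning '$TargetAccount' on $DomainController " +
    "in the last $Hours h. If the account did log on, inspect a raw 4624 " +
    "message below to see how domain and user appear in the text."
    # Show one raw event so the Contains value can be adjusted if needed.
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter `
        -MaxEvents 1 -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Message }
    return
}

"$($hits.Count) matching event(s). " +
'The alert description $Data\EventDescription$ would carry text like:'
$hits | Select-Object -First 3 | ForEach-Object {
    '--- {0:u} ---' -f $_.TimeCreated
    $_.Message
}
```

Run it from a box that can read the DC’s Security log; if it returns matches, the override group is doing the right thing, and if it returns nothing while the account has clearly logged on, the Contains value is what you need to revisit before turning the rule on.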

Posted: May 18 2009, 12:55 AM by yli628 | with 1 comment(s)

Antivirus Software Hijacked my Virtual Machines!

It cost me a few hours the other day to do a mini-DR for one of my Hyper-V hosts! Hopefully this post will save you some trouble in the future.

The trouble started when I tried to build a new VM through VMM 2008 and got the error below:

The requested operation cannot be performed on a file with a user-mapped section open. (0x800704C8)

Then I thought, what about trying to create the new VM using Hyper-V Manager? I got this error:

VMName’ Microsoft Synthetic Ethernet Port (Instance ID
{7E0DA81A-A7B4-4DFD-869F-37002C36D816}): Failed to Power On with Error 'The specified network resource or device is no longer available.' (0x80070037).


I decided to reboot the Hyper-V host (this was outside business hours and none of my Hyper-V guests are mission critical), and to my unpleasant surprise, four of my six VMs were gone! I would have preferred to see all the VMs gone, because then it could have been a SAN issue (all the VMs are on a SAN disk). But it puzzled me that just four of them were gone. I checked the SAN disk and it was visible to the OS, and I checked that all the VHD files for my VMs were still on the drive, which was encouraging: I could recover the VMs one by one.

But what could cause this problem? I couldn’t create a new VM at first and then I lost VMs after rebooting the host. I called MS support and in the meantime searched the internet myself. The search pointed to Forefront, TrendMicro (which we use), and in fact all antivirus software as the culprit.

Then I remembered that just recently one of my coworkers had installed the TrendMicro client on the Hyper-V host. So I disabled the TrendMicro client on the Hyper-V host, and indeed I could create new VMs after that and I was able to restore the “lost” VMs. Later the MS tech called me back and confirmed that antivirus software (TrendMicro in our case) can corrupt the VM configuration files, so the VMs are lost after rebooting the host. It can also prevent us from creating new VMs.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;961804

Lesson learned: we need to create exclusions in our antivirus software for all the Hyper-V hosts following the above KB!