O R G A N I C / F E R T I L I Z E R: 08.08

Aug 27, 2008

sysinternals is now a suite

suite?  sweet.  i thought it was always a complete pain in the ass to have to download different utilities in the suite.  now you can get the entire zip all at once.  http://technet.microsoft.com/en-us/sysinternals/0e18b180-9b7a-4c49-8120-c47c5a693683.aspx

Aug 20, 2008

renaming files with powershell or for loop …

i have a directory of scripts with names like mom_myScript.vbs or sms_myScript.vbs.  this is all so that i can do a relatively simple directory search to see what kind of scripts i have for a particular technology i’m working with.  the problem is, i flip-flop on my use of hyphens and underscores and have apparently done it often enough to warrant a little clean up.

first, the old way i would have done this in cmd shell.  it’s basically a for loop that goes through the list of files in a directory whose names contain a hyphen.  to pull back just the file name, i’m using the dir /b command.  i’ve broken the file name into tokens separated by the hyphen and then renamed the files, putting an underscore between the tokens.

for /f "tokens=1-2 delims=-" %a in ('dir /b mom-*.*') do @ren %a-%b %a_%b


here’s my new, preferred way to do it in powershell.  basically, i’m pulling back the list of files i want to work with and passing it through to the rename-item cmdlet.  the script block here is pretty cool.  i can run a replace on the fly which doesn’t require any token breakdowns, etc.

dir mom-*.* | ren -NewName {$_.Name -replace 'mom-','mom_'}
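the same clean up generalised, as an added example that is not the post’s own code: one regex handles any "<tech>-name" prefix, -WhatIf gives a dry run, and a file that already has the underscore name is skipped instead of clobbered.  $ScriptDir is an assumption.

```powershell
# Added example (not from the original post): rename "<tech>-name" files to
# "<tech>_name" for every prefix at once, with a dry run and a collision guard.
function Rename-HyphenPrefix {
    param(
        [string]$ScriptDir = 'C:\scripts',   # assumed location of the scripts
        [switch]$WhatIf                      # preview the renames only
    )
    Get-ChildItem -Path $ScriptDir -Filter '*-*' |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            # only the leading technology prefix and its first hyphen are touched
            $newName = $_.Name -replace '^([A-Za-z0-9]+)-', '${1}_'
            if ($newName -eq $_.Name) { return }        # no leading prefix to fix
            if (Test-Path -LiteralPath (Join-Path $_.DirectoryName $newName)) {
                Write-Warning "skipping $($_.Name): $newName already exists"
                return
            }
            Rename-Item -LiteralPath $_.FullName -NewName $newName -WhatIf:$WhatIf
        }
}

# usage: Rename-HyphenPrefix -ScriptDir C:\scripts -WhatIf
```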

Aug 19, 2008

sql server 2005 database health script noise…

out of the box, the sql server 2005 db health script is amazingly noisy.  here’s a description of a sample event that you don’t need to see (unless you report on them).

The database myDatabase in instance myInstance is in a healthy state.


aside from reporting on the value, you probably don’t care.  if you want to make these events stop for the normal database state, you’ll need to modify the script sql server 2005 database health.


to begin with, look for this line:

Public Function CheckDBHealth(sInstance, sHighSevDatabases)


if you search far enough down (around line 2400), you’ll see a block of code that looks like the following:

Set objEvent = ScriptContext.CreateEvent()
objEvent.EventSource = SCRIPT_NAME
objEvent.EventNumber = iEventId
objEvent.EventType = iEventType
objEvent.Message = message
ScriptContext.Submit objEvent


to quiet down the script, we just need to put some logic around the block.  in order to do this, we’ll add a simple if/then that checks against the already defined boolean variable bDatabaseHealthy.  if it’s false (the database isn’t healthy), we’ll write the event.  if it’s true, we’ll just quietly let it ride… here’s how the new block should look:

If Not bDatabaseHealthy Then
    Set objEvent = ScriptContext.CreateEvent()
    objEvent.EventSource = SCRIPT_NAME
    objEvent.EventNumber = iEventId
    objEvent.EventType = iEventType
    objEvent.Message = message
    ScriptContext.Submit objEvent
End If


wow, at some point, i need to start blogging on opsmgr.  :/

Aug 14, 2008

default refresh periods for dynamic dns

i wrote this article on dns aging/scavenging simplified awhile back.  one of my coworkers recently asked me what the default refresh period was.  wow, i had totally forgotten since i had written it and since i had forgotten to put it in the original post, it was more time on google than i wanted to spend to find it.  that means – blog it.  so here it is… the default refresh periods. 

you can find this information from this article: http://technet.microsoft.com/en-us/library/cc757041.aspx.

service       default refresh period
net logon     24 hours
clustering    24 hours
dhcp client   24 hours
              The DHCP Client service sends dynamic updates for the DNS records. This includes both computers that obtain a leased Internet Protocol (IP) address by using Dynamic Host Configuration Protocol (DHCP) and computers that are configured statically for TCP/IP.
dhcp server   Four days (half of the lease interval, which is eight days by default).
              Refresh attempts are made only by DHCP servers that are configured to perform DNS dynamic updates on behalf of their clients, for example, Windows 2000 Server DHCP servers and Windows Server 2003 DHCP servers. The period is based on the frequency in which DHCP clients renew their IP address leases with the server. Typically, this occurs when 50 percent of the scope lease time has elapsed. If the DNS default scope lease duration of eight days is used, the maximum refresh period for records that are updated by DHCP servers on behalf of clients is four days.


and while i’m at it, if you wanted to change some of these defaults, you can do this by group policy as of windows 2003.  i guess that should be pretty old news by now.  here’s the link for that article: http://support.microsoft.com/default.aspx/kb/294785.

imaged machines and the dnsapi event id 11163

i wonder if this is going to end up a long-winded post.  i never intend for that to happen because somewhere i picked up that technical information should be succinct.  however, when i started looking into this problem, it seemed like there just wasn’t good information on it.


a user in your environment needs to have their machine reimaged.  as a loyal IT citizen, you promptly do so by any manner that happens to be your favorite (e.g. mdt, swimage, ghost, etc).  you bring up this machine as the same name.  later on, you try to remotely manage the machine but realize that the ip it once had is different.  you spin your wheels a bit trying to figure out why the new ip hasn’t registered in dns.  upon reviewing the event log of the machine, you discover events that look eerily similar to these:

Event Type:    Warning
Event Source:    DnsApi
Event Category:    None
Event ID:    11163
Date:        8/12/2008
Time:        5:32:32 PM
User:        N/A
Computer:    myComputer
The system failed to register host (A) resource records (RRs) for network adapter with settings:

   Adapter Name : myAdapterGuidorName
   Host Name : myComputer
   Primary Domain Suffix : myDomain.com
   DNS server list :
         10.x.x.x, 10.x.x.x
   Sent update to server :
   IP Address(es) :

thanks to this blog post, i stopped chasing the elusive message “sent update to server :”.  so let’s leave that alone and move on to the actual problem.


some background

alright, so the prerequisite for the condition above is an AD-integrated zone that has secure-only dynamic updates.  when you do this, acls are placed on the dns objects in ad.  also, you’ll notice your dns objects will have an available security tab.  if a zone has secure-only set, the security tab will show an ace for the machine.  so, as stated above, i’d see an ace for

MYCOMPUTER$ (myDomain\myComputer$)

in a zone with nonsecure and secure dynamic updates, there will be no such ace for the computer object.  what’s this mean?  anyone can make updates to that record.  sounds okay so far, right?


the real problem

you’re probably way ahead of where i’m getting with this.  essentially, the reimaged machine is no longer the same computer object as before.  stepping through this, in a secure-only zone…
  1. the original dns object was created by the computer through dynamic dns update
  2. ace is placed on the dns object by AD
  3. computer is reimaged with the same name
  4. computer objectsid changes during this operation causing a mismatched ace on the dns object*
  5. computer attempts to create/update the dns object in the zone
  6. attempt fails because the computer no longer has access to the dns object.

* you can verify this condition pretty easily.  check the security tab of the dns object.  do you see something that says "account unknown" followed by a long string of numbers?
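the same check scripted, as an added example that is not part of the original post: it reads the acl on the host’s dnsNode object, reports any ace whose sid no longer resolves (the "account unknown" entries) and whether the computer account’s current sid has an ace at all.  it assumes the ActiveDirectory module with its AD: drive and a zone stored in the DomainDnsZones partition; adjust $zoneDn for a zone stored elsewhere.

```powershell
# Added example (not from the original post): find orphaned ACEs on a dnsNode
# object after a reimage. Assumes the ActiveDirectory module and a zone in
# the DomainDnsZones partition.
function Test-DnsNodeAcl {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,   # e.g. myComputer
        [Parameter(Mandatory = $true)][string]$ZoneName        # e.g. myDomain.com
    )
    Import-Module ActiveDirectory
    $domainDn = (Get-ADDomain).DistinguishedName
    # dnsNode objects live under DC=<zone>,CN=MicrosoftDNS in the zone's partition
    $zoneDn = "DC=$ZoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn"
    $nodeDn = "DC=$ComputerName,$zoneDn"
    if (-not (Get-ADObject -Identity $nodeDn -ErrorAction SilentlyContinue)) {
        Write-Warning "no dnsNode object found at $nodeDn"
        return
    }
    # SID of the computer account as it exists now (a new object gets a new SID)
    $currentSid = (Get-ADComputer -Identity $ComputerName).SID.Value
    $acl = Get-Acl -Path "AD:\$nodeDn"
    $orphaned = @()
    $hasCurrent = $false
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference
        # an identity still shown as a raw SID is one Windows could not map to
        # an account: the leftover ACE of the old computer object
        if ($id -is [System.Security.Principal.SecurityIdentifier]) {
            $orphaned += $id.Value
            continue
        }
        # translate the resolved account name back to a SID for comparison
        try {
            $sid = $id.Translate([System.Security.Principal.SecurityIdentifier]).Value
            if ($sid -eq $currentSid) { $hasCurrent = $true }
        } catch { }
    }
    New-Object PSObject -Property @{
        NodeDn           = $nodeDn
        CurrentSidHasAce = $hasCurrent
        OrphanedSids     = $orphaned
    }
}

# usage: Test-DnsNodeAcl -ComputerName myComputer -ZoneName myDomain.com
```

OrphanedSids non-empty with CurrentSidHasAce false is exactly the mismatch described in step 4 above.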


the not-so-real solution

  1. the easiest/quickest fix is to go into the zone and delete the record.
  2. you could also configure dns scavenging.  however, there is a lag period of when the record would get cleaned out.
  3. reimage the machine as a new computer name so that a new dns object is created instead of hitting a conflict against an existing object.
  4. modify your imaging process so that the record is deleted prior by an account w/ elevated privileges to the record.
  5. utilize the dhcp lease-expiration process that automatically unregisters the dns record.

i haven’t tried the method in step 5.  i’m curious how well it works.  leave me a comment if you have it in place.

Aug 12, 2008

show vmware snapshots script

here’s a simple, little powershell script to show all of your snapshots.  you have to use the vmware vi toolkit and virtual center to do this.  i have mine going to a html file, in this example.

# =============================================================================
# NAME: VMSnapshots
# AUTHOR: Marcus C. Oh, Cox Communications, Inc.
# DATE  : 8/5/2008
# COMMENT: A real simple script to pull back snapshots of a VM.
# =============================================================================

# the virtual center server is the first (and only) argument
$myVC = $Args[0]

If ($myVC -eq $null) {
    Write-Warning "Please provide a server name as an argument."
} else {
    # prompt for credentials and connect to virtual center
    $VCServer = Connect-VIServer -Server $myVC -Credential (Get-Credential)
    # every snapshot of every VM as an html table; "Note" shows the snapshot
    # description, or "None" when there isn't one
    Get-VM -Server $VCServer | Get-Snapshot `
        | ConvertTo-Html -Property created,quiesced,powerstate,`
        @{label = "Note";expression = {If ($_.Description -ne ''){$_.Description}else{"None"}}},vm `
        -Title "VM Snapshots Report" > c:\temp\VMSnapshot.html
}

don’t roll vmware update 2 … yet (updated – fixed!)

if you’ve had the displeasure of applying update 2, here’s what you’re in for.

An issue has been uncovered with ESX/ESXi 3.5 Update 2 that causes the product license to expire on August 12. VMware engineering has isolated the root cause of this issue and will reissue the various upgrade media including the ESX 3.5 Update 2 ISO, ESXi 3.5 Update 2 ISO, ESX 3.5 Update 2 upgrade tar and zip files in the next 36 hours (by noon, August 13, PST). They will be available from the page: http://www.vmware.com/download/vi. Until then, we advise against upgrading to ESX/ESXi 3.5 Update 2.

The Update patch bundles will be released separately later in the week.

The issue is being tracked on KB 1006716 on http://kb.vmware.com/.


Reference this community article and have them reset your ESX clocks back.


The work-around: turn off NTP (if you're using it), and then manually set the date of all ESX 3.5u2 hosts back to 10th of August. This can be done either through the VI Client (Host -> Configuration -> Time Configuration) or by typing date -s "08/10/2008" at the Service Console command line on the ESX hosts.

if it weren’t for the fact that someone is going to be in hell fixing this, it would be pretty funny. imagine if your guests are syncing time with your esx servers. let’s say you set that clock back. guess what? so do your guests… and if you don’t know it, kerberos requires time differences of < 5 mins. that means your clients are no longer capable of authenticating with active directory (unless you set that back, too). of course, if you do that, then all of your users will complain that their clocks are wrong. your emails still stamp funny, etc, etc, etc.

now if you have your guests syncing to ntp or ad or something, you should be in the clear.



We have released the express patches for the product expiration issue. Please go to http://www.vmware.com/go/esxexpresspatches for more information.
An issue has been discovered by many VMware customers and partners with ESX/ESXi 3.5 Update 2 where Virtual Machines fail to power on or VMotion successfully. This problem began to occur on August 12, 2008 for customers that had upgraded to ESX 3.5 Update 2. The problem is caused by a build timeout that was mistakenly left enabled for the release build.

The following message is displayed in the vmware.log file for the virtual machine:
This product has expired. Be sure that your host machine's date and time are set correctly.

There is a more recent version available at the VMware web site: http://www.vmware.com/info?id=4.

background information on active directory

i was watching this interesting thread about the history of active directory and its roots going around on the activedir.org mailing list. looks like joe captured it here: http://blog.joeware.net/2008/08/11/1420/ if you’re interested in reading it.

while i’m at it, he also posted a link to active directory’s ldap compliance. this is something i, too, lose all the time. so here it is for reference: http://www.microsoft.com/windowsserver2003/techinfo/overview/ldapcomp.mspx

Aug 4, 2008

how to query for slash and backslash in active directory

oftentimes when integrating with other idm solutions or using directory sync of some sort, the other system may not be able to parse the slash or backslash properly. here’s one way to root out where those objects may be residing and what they are. if you want to find objects in AD that may contain a slash (/) or a backslash (\) in the object cn, you can use a simple query like this:

adfind -default -f "(|(cn=*\2f*)(cn=*\5c*))" dn cn

same thing with dsquery, if you prefer that:

dsquery * domainroot -filter "(|(cn=*\2f*)(cn=*\5c*))" -attr distinguishedname cn

you can find this and more in the list of escapable characters at: http://msdn.microsoft.com/en-us/library/aa746475.aspx. don’t miss joe richards’ comment in the community section. :)

and of course, you can find this information in rfc2254. (the msdn list is more complete, oddly.)
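the same search from .net, as an added example that is not part of the original post: a helper escapes any value the way rfc2254 and the msdn list describe (backslash plus two hex digits), and the filter is built from the escaped literals.  put every value that comes from a user or another system through the helper before it lands in a filter; that is also what stops stray parentheses or asterisks from rewriting the query.  $SearchRoot is an assumption.

```powershell
# Added example (not from the original post): RFC 2254 style escaping for
# LDAP filter values, plus the slash/backslash search with DirectorySearcher.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory = $true)][string]$Value)
    # one pass over the string, so the backslash itself is escaped exactly once;
    # covers \ * ( ) NUL from the rfc and / from the msdn list
    [regex]::Replace($Value, '[\\*()/\x00]',
        [System.Text.RegularExpressions.MatchEvaluator]{
            param($m) '\' + ('{0:x2}' -f [int][char]$m.Value)
        })
}

function Find-AdObjectsWithSlashInCn {
    param([string]$SearchRoot)   # a DN (assumed); empty means the current domain
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    if ($SearchRoot) { $searcher.SearchRoot = [adsi]"LDAP://$SearchRoot" }
    # same filter as the adfind/dsquery lines above: (|(cn=*\2f*)(cn=*\5c*))
    $slash  = ConvertTo-LdapFilterValue '/'
    $bslash = ConvertTo-LdapFilterValue '\'
    $searcher.Filter   = "(|(cn=*$slash*)(cn=*$bslash*))"
    $searcher.PageSize = 1000    # page through large directories
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'cn'))
    foreach ($r in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            dn = [string]$r.Properties['distinguishedname'][0]
            cn = [string]$r.Properties['cn'][0]
        }
    }
}

# usage: Find-AdObjectsWithSlashInCn | Format-Table cn, dn -AutoSize
```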