Thursday, December 16, 2010

Automatically Print Server 2008 Backup Confirmation/Results Logs

Please note: this does not work for Server 2008 R2.  MS opted to axe the plaintext files.  Back to the drawing board . . .  I'll be using the tips at http://www.techrepublic.com/blog/networking/four-ways-to-manage-windows-server-2008-backup-on-multiple-servers/4159 in the meantime.

For a year I've looked for a way to confirm Server 2008 backup results without regularly logging in and examining the Server Manager, perusing the System Logs, or buying a backup software package.  Windows Backup makes quite readable reports in the %windir%\logs\WindowsServerBackup\ folder that can be viewed in Notepad.  These files are created upon the completion of each backup, and seem to stick around for a couple of weeks.

Scheduling the following .bat files to run after your backup has completed will yield two printed backup reports: the first lists what was backed up, and the second lists any exceptions.  If there are no exceptions, the second report will be blank except for the number "1" in the bottom center of the page.

Create a text file called prtbaklog.bat containing the following:

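@echo off
setlocal
rem The first argument is the target printer; stop if it is missing.
if {%1}=={} @echo Syntax PrintDevice (\\Server\Printer)& goto :EOF
set device=%1
set prt=N
rem List the backup reports newest first; :print acts only on the first one.
for /f "Tokens=*" %%i in ('dir /o-d /b "C:\windows\logs\WindowsServerBackup\Backup-*.log"') do call :print %%i
endlocal
goto :EOF
:print
rem Once the newest report has been printed, skip the remaining files.
if not "%prt%" EQU "N" goto :EOF
set prt=Y
"C:\Program Files\Windows NT\Accessories\wordpad.exe" /pt "C:\windows\logs\WindowsServerBackup\%1" %device%

The prtbaklog.bat is invoked with the following command syntax: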

prtbaklog.bat \\servername\printername


Next create the following .bat file entitled prtbakfail.bat:

@echo off
setlocal
rem The first argument is the target printer; stop if it is missing.
if {%1}=={} @echo Syntax PrintDevice (\\Server\Printer)& goto :EOF
set device=%1
set prt=N
rem List the error logs newest first; :print acts only on the first one.
for /f "Tokens=*" %%j in ('dir /o-d /b "C:\windows\logs\WindowsServerBackup\Backup_Error*.log"') do call :print %%j
endlocal
goto :EOF
:print
rem Once the newest error log has been printed, skip the remaining files.
if not "%prt%" EQU "N" goto :EOF
set prt=Y
"C:\Program Files\Windows NT\Accessories\wordpad.exe" /pt "C:\windows\logs\WindowsServerBackup\%1" %device%

Again, schedule it to run after your backup has completed with the command syntax:

prtbakfail.bat \\servername\sharename
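
The two batch files print whatever log is newest, even if it is days old. As an added example (not part of the original post), this Python check classifies the same folder instead of printing it and also reports a missing or stale report. The 26-hour threshold, the log encoding handling and the sample file names and contents are assumptions made here.

```python
import glob
import os
import time

# Folder used by the batch files in the post.
LOG_DIR = r"C:\Windows\Logs\WindowsServerBackup"


def newest(log_dir, pattern):
    """Return the most recently modified file matching pattern, or None."""
    matches = glob.glob(os.path.join(log_dir, pattern))
    return max(matches, key=os.path.getmtime) if matches else None


def read_lines(path):
    """Return the non-blank lines of a log file."""
    with open(path, "rb") as fh:
        raw = fh.read()
    # Assumption: treat the file as UTF-16 only when a byte-order mark says so.
    codec = "utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8-sig"
    text = raw.decode(codec, errors="replace")
    return [line.strip() for line in text.splitlines() if line.strip()]


def backup_status(log_dir=LOG_DIR, max_age_hours=26, now=None):
    """Return (status, error_lines) for the newest backup report.

    status is 'missing' (no report at all), 'stale' (newest report is older
    than max_age_hours, so the last scheduled run left no log), 'exceptions'
    (the newest error log has content) or 'ok'.
    """
    now = time.time() if now is None else now
    report = newest(log_dir, "Backup-*.log")
    if report is None:
        return "missing", []
    if now - os.path.getmtime(report) > max_age_hours * 3600:
        return "stale", []
    error_log = newest(log_dir, "Backup_Error*.log")
    errors = read_lines(error_log) if error_log else []
    return ("exceptions" if errors else "ok"), errors


if __name__ == "__main__":
    import tempfile

    # Constructed sample files; names and contents are made up for the demo.
    samples = {
        "Backup-16-12-2010_21-00-05.log": "Backed up C:\\\n",
        "Backup_Error-16-12-2010_21-00-05.log": "Error in backup of C:\\data\\x.doc\n",
    }
    with tempfile.TemporaryDirectory() as demo_dir:
        for name, body in samples.items():
            with open(os.path.join(demo_dir, name), "w") as fh:
                fh.write(body)
        print(backup_status(demo_dir))
```
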

Tuesday, November 16, 2010

Site to Site IPCop to pfSense VPN

NOTE:  Spoofing the MAC Address of your WAN adapter breaks IPSec in pfSense 1.2.3

Since IPCop development seems to have slowed to a drip (the last stable update was 1.4.21, made available in 2008, though a new beta was recently released - you can get it here), I am beginning the migration from IPCop to pfSense.  The extra features and reports will be most welcome, but this will require replacing 20+ IPCops across four states - all are connected to one central IPCop via VPN.  I must focus on minimizing disruption to the end users - simultaneous replacement of all of the units is out of the question.

I considered an IPCop and a pfSense firewall running in a side-by-side configuration with the new pfSense on our second public IP, but this means added hardware and complication with regard to routing.

Once these settings have been completed it is a ready drop-in for the IPCop and the far IPCop should require no additional configuration.

Rummaging around in the IPCop docs I found that its bundled VPN server uses IPSec.  Rummaging around in the pfSense forums yielded a sparse description of the settings that allowed pfSense and IPCop to establish VPN communications - see http://www.perkiset.org/forum/all_things_general_tech/vpn_tunnel_helper_pfsense_to_ipcop-t2661.0.html - thanks to the author Perkiset for these nuggets of wisdom.  While his exact configuration did not work for me, a slight variation did.  I've reposted his settings but revised them with the ones that worked for me.

IPCop Box:
  • Use pre-shared key
  • Local and remote addresses thus: (a).(b).(c).0/255.255.255.0 where a b c is the LAN address of the remote network
  • Dead Peer detection set to restart
  • IKE Encryption: Blowfish 256, Blowfish 128
  • IKE Integrity: SHA and MD5
  • IKE Grouptype: MODP 1536
  • ESP Encryption: Blowfish 256, Blowfish 128
  • ESP Integrity: SHA1 & MD5
  • ESP Grouptype: Phase1 Group
  • ESP Keylife: 8 hours
  • IKE + ESP: Unchecked
  • IKE Aggressive: Not checked
  • PFS: Checked
  • Negotiate Payload: Unchecked


pfSense Box:
  • Local subnet: LAN subnet
  • Remote subnet: (a).(b).(c).0 / 24
  • Remote gateway is the public address or domain name of the remote network
  • Negotiation Mode: Main
  • Identifier: My IP Address
  • Encryption Algo: Blowfish
  • Hash Algo: SHA1
  • DH Key Group: 5
  • Lifetime - leave blank
  • Authentication method: preshared-key
  • Phase 2, Protocol: ESP
  • Encryption Algo: Blowfish
  • Hash Algos: SHA1 & MD5
  • PFS Keygroup: 2
  • Lifetime: 28800 Seconds
  • Ping Host: This is redundant to the Dead Peer detection in IPCop, which will execute a restart
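
As an added example (not from the original post or from either project), this Python sketch normalises the two settings lists above and returns, per negotiated field, the values both ends list in common. The "P1 "/"P2 " key prefixes are labels chosen here, and key lengths such as "Blowfish 256" are ignored.

```python
import re

# Values as listed in the post. The "P1 "/"P2 " prefixes on the pfSense keys
# are labels added here, because the post repeats "Encryption Algo" per phase.
IPCOP = {
    "IKE Encryption": "Blowfish 256, Blowfish 128",
    "IKE Integrity": "SHA and MD5",
    "IKE Grouptype": "MODP 1536",
    "ESP Encryption": "Blowfish 256, Blowfish 128",
    "ESP Integrity": "SHA1 & MD5",
    "ESP Grouptype": "Phase1 Group",
    "ESP Keylife": "8 hours",
}
PFSENSE = {
    "P1 Encryption Algo": "Blowfish",
    "P1 Hash Algo": "SHA1",
    "DH Key Group": "5",
    "P2 Encryption Algo": "Blowfish",
    "P2 Hash Algos": "SHA1 & MD5",
    "PFS Keygroup": "2",
    "P2 Lifetime": "28800 Seconds",
}

# IKE group numbers for MODP sizes (RFC 2409, RFC 3526).
MODP_GROUP = {768: 1, 1024: 2, 1536: 5}


def algos(text):
    """'Blowfish 256, Blowfish 128' -> {'blowfish'}; 'SHA and MD5' -> {'sha1', 'md5'}."""
    names = set()
    for part in re.split(r",|&|\band\b", text.lower()):
        words = part.split()
        if words:
            names.add("sha1" if words[0] == "sha" else words[0])
    return names


def dh_group(text, phase1=None):
    """'MODP 1536' -> 5, '2' -> 2, 'Phase1 Group' -> the phase 1 group."""
    t = text.lower()
    if "phase1" in t:
        return phase1
    number = int(re.search(r"\d+", t).group())
    return MODP_GROUP[number] if "modp" in t else number


def seconds(text):
    """'8 hours' -> 28800, '28800 Seconds' -> 28800."""
    count, unit = re.match(r"(\d+)\s*(\w+)", text).groups()
    return int(count) * (3600 if unit.lower().startswith("hour") else 1)


def compare(ipcop, pfsense):
    """Return {field: sorted common values}; an empty list means no overlap."""
    p1_ipcop = dh_group(ipcop["IKE Grouptype"])
    p1_pfsense = dh_group(pfsense["DH Key Group"])
    pairs = {
        "phase1 encryption": (algos(ipcop["IKE Encryption"]), algos(pfsense["P1 Encryption Algo"])),
        "phase1 hash": (algos(ipcop["IKE Integrity"]), algos(pfsense["P1 Hash Algo"])),
        "phase1 dh group": ({p1_ipcop}, {p1_pfsense}),
        "phase2 encryption": (algos(ipcop["ESP Encryption"]), algos(pfsense["P2 Encryption Algo"])),
        "phase2 hash": (algos(ipcop["ESP Integrity"]), algos(pfsense["P2 Hash Algos"])),
        "phase2 pfs group": ({dh_group(ipcop["ESP Grouptype"], p1_ipcop)},
                             {dh_group(pfsense["PFS Keygroup"], p1_pfsense)}),
        "phase2 lifetime (s)": ({seconds(ipcop["ESP Keylife"])}, {seconds(pfsense["P2 Lifetime"])}),
    }
    return {field: sorted(a & b, key=str) for field, (a, b) in pairs.items()}


if __name__ == "__main__":
    for field, common in compare(IPCOP, PFSENSE).items():
        print(f"{field:22} {common if common else 'listed values differ'}")
```

With the values as posted, every field has a common value except the phase 2 PFS group: IPCop's "Phase1 Group" resolves to MODP 1536 (group 5), while the pfSense list gives group 2.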

    Tuesday, October 19, 2010

    Migrating SBS 2003 to SBS 2008? Is your target server a ML150G6?

    You may have serious headaches during this migration.  Mine lasted four days, with most of the time spent watching Microsoft Support clean up the Active Directory on the source server.  A Blue Screen of Death was my ultimate reward towards the end of each install.

    BSOD Error:  STOP 0x0000003B  System_Service_Exception

    I checked that all firmware was up to date, I reseated everything I could possibly reseat (RAM, CPU, HDD cables, and even the fan connectors), and I spent a lot of time on the phone with HP and Microsoft.  Ultimately I gave up on the idea of a "swing migration" - using the MS migration tools to move the user and computer accounts, exchange mailboxes, etc. - and am going with the "side-by-side migration" that any sane admin would do in a small business environment.

    Ultimately my Microsoft support rep says that there have been reports of similar issues when doing the migration from SBS 2k3 to SBS 2k8 where the target server is an ML150, and that I should just proceed with the side-by-side migration.

    Here's a side-by-side migration in a nutshell:


    • Load a fresh copy of SBS 2k8 into your new server with a new domain name and server name.
    • Give your new server its own IP on the subnet.
    • Set up usernames that are identical to your old server's usernames; if you can set up identical passwords, do that also.  I reset everyone's passwords on the 2k3, kept a list of them, and set up the users in 2k8 with the same passwords as I assigned in 2k3 - this will make for easy migration of redirected My Documents folders.
    • Export all of your users' Exchange info in the SBS 2k3 to some kind of external drive using Exmerge.
    • While the export is happening, complete the SBS 2k8 Internet configurations, then set up your SBS 2k8 to redirect the users' documents.
    • Import the PSTs into each mailbox on the SBS 2k8's Exchange 2007 using these instructions on Technet.  Check the users' Outlook - their old stuff will now be there after you reconfigure Outlook to point at the new SBS 2k8.
    • Use Profwiz from Forensit.com to migrate each desktop from the old domain into the new domain, which will preserve the users' desktops, favorites, etc.   Before running Profwiz delete the migrating user's Outlook profile from the Mail in Preferences (you backed up the mailboxes, right?).  (WARNING:  This doesn't work on Windows Vista or 7 - it mudges up the profile and you risk losing their profile data - you will need to back up their docs, favorites, etc., and manually change the domain)
    • If the user's un/pw is the same, the user's My Documents will be automatically copied and redirected from the 2k3 to the 2k8 when you log in.  Expect the 1st login to take a few minutes.
    • Reconfigure each desktop's Outlook to point to the new server and check that it works.
    • Move the client's line of business applications and databases and share folders as required to support them.
    • Fix all the little things that broke during the process.
    • If an end-user needs remote desktop access via the RWW you must run the http://connect wizard - the problem is that it doesn't migrate domain accounts, only local accounts, so you will need to use Profwiz (XP and lower!) then once this is complete run the http://connect wizard to complete the process.  The connect wizard also allows for automatic configuration of Outlook.
    • Fix file synchronization on each desktop (because your desktops will still try to synchronize with the old server!) by signing in as a user with local administrative privileges, opening My Computer, selecting Tools, Offline Files, then holding CTRL+SHIFT and clicking on the Delete Files . . . button.  Be certain that you have the contents of My Documents moved to the new server before doing this!

    Friday, October 08, 2010

    Prevent Computers from Hibernating

    Add this to your logon batch file:

    powercfg.exe /change "always on" /monitor-timeout-ac 20

    powercfg.exe /SETACTIVE "always on"

    Tuesday, August 31, 2010

    Automatically Print NT Backup Logs - Revised

    A serious shortcoming of today's printers is an inability to print output from MS-DOS (or is it a Windows shortcoming?)  One way around this is the wordpad /pt [filename] [printer] command.  Here's a revised PRTBAKLOG.bat file that will print the last NT Backup Log file to the specified printer.

    @echo off
    setlocal
    rem The first argument is the target printer; stop if it is missing.
    if {%1}=={} @echo Syntax PrintDevice (\\Server\Printer)& goto :EOF
    set device=%1
    set prt=N
    rem List the NT Backup logs newest first; :print acts only on the first one.
    for /f "Tokens=*" %%i in ('dir /o-d /b "%userprofile%\Local Settings\Application Data\Microsoft\Windows NT\NTBackup\data\backup*.log"') do call :print %%i
    endlocal
    goto :EOF
    :print
    rem Once the newest log has been printed, skip the remaining files.
    if not "%prt%" EQU "N" goto :EOF
    set prt=Y
    "C:\Program Files\Windows NT\Accessories\wordpad.exe" /pt "%userprofile%\Local Settings\Application Data\Microsoft\Windows NT\NTBackup\data\%1" %device%

    There is also a notepad /p [filename] OR wordpad /p [filename] to send output to the default printer should you need it.

    Thursday, August 26, 2010

    IPCop 2.0 - Withered on the Vine?

    Our friends who have worked so hard on the IPCop system seem to have run out of steam - whether it is a lack of community support (the project is too much for one man, I'm certain), or an over-crowded roll-your-own firewall space (pfSense, UnTangle, Shorewall, and M0n0wall, to name the more popular distributions), I'm not certain.  What I am certain of is that the others have continued development where IPCop has stalled.

    I've had repeated issues with unstable 3rd party addons (Squid and Squidguard addons called AdvProxy and URLFilter), but have otherwise been happy with IPCop.  What is spurring my move is not performance (though I think I can see some performance improvements when using other distros - I wish I had a good metric!) but the ability of the firewall to handle client VPN traffic such as a user inside of the network connecting via PPTP to a remote network - iptables apparently can't handle such a situation and won't allow the connection.

    I will be reviewing pfSense, but more info on UnTangle and the others would be nice - what do you think of these?

    /Update 11-Apr-11


    A new IPCop 2.0 Beta has been released!  Visit http://sourceforge.net/projects/ipcop/files/IPCop%20Test%20Versions/ and try it out - don't put it on a production box as many features are incomplete but it is in a quite useable condition!


    One thing that I've realized:  when comparing IPCop and pfSense it's important to consider that the projects have different targets for their user base - IPCop is aimed at the small office/home office and pfSense is aimed at the big boys - the end products reflect this in their ease of configuration and available configuration options.

    Wednesday, July 07, 2010

    Installing Agris Software on Windows 7 64-bit

    I contacted John Deere about Agris and asked whether they supported installing the current version of their software on Windows 7 64-bit edition.  They had said that it would work under Windows 7 after the next update (I think he said R15) but it would not be supported in the 64-bit Windows 7.

    Don't forget that there is an XP Mode, and the system runs fine when it is in XP Mode!  Visit Microsoft's XP Mode Download Page and install it per the instructions on the Microsoft site.  Next find and run Windows XP Mode under the Windows Virtual PC Folder in your Start Menu.  The XP Mode initially uses an IP Address that cannot reach your Agris server so you will need to then go to the Menu Bar and Select Tools -> Settings ->  Networking then select Adapter 1 and change it to your wired or wireless network adapter depending on how you connect to your Agris server. 

    This is an XP Virtual Machine, an imaginary computer within your computer - use it just like you did XP, map the network drive and install Pervasive SQL, Agris, and the Agris updates.  Run Agris from the XP Mode desktop and verify that it functions properly.

    You will need to add any printers to the XP Mode using the traditional methods available to XP users.

    Working?  Good!  Select CTRL+ALT+Delete from the XP Mode menu bar and select Shutdown.  Go to Start -> All Programs -> Windows Virtual PC -> Windows XP Mode Applications and you will see an Agris shortcut - copy it to your desktop for a quick way to run Agris without the apparent hassle of running the XP Virtual Machine.

    Wednesday, June 09, 2010

    W3SVC Log Files are Filling Up Your SBS's System Drive

    I can't believe that I haven't encountered this sooner:  The system drive on an SBS 2003 was full.  I used my trusty SequoiaView and found that the W3SVC1 folder was 6.14GB - OUCH!  A quick Google search yielded an excellent discussion of how to deal with the matter.


    At a command prompt enter this all on one line:


    at 12:00 /EVERY:Su Forfiles.exe -p C:\WINDOWS\system32\LogFiles\W3SVC1 -m *.log -d -30 -c "Cmd.exe /C del @path\" 


    This will schedule a job that will run every Sunday and remove W3SVC1 log files that are >30 days old.


    Thanks to Tom Watson for posting this gem!

    Tuesday, June 08, 2010

    "Power Outage"-Proof Your Mac

    Ah, spring has sprung, the flowers are making me sneeze, and the birds are singing way too loud, way too early.  Spring showers have brought not only May flowers but frequent power failures that have rendered my lovely Mac unavailable when I'm out and about.  "This moron needs an UPS!" you say - I've been a little slow on the uptake, I'll admit, and after an entire life without one I've been aggravated enough to plunk down my $100 and get one.  I'm definitely not proud that I've gone for so long without one - it's been on the list, but it's always been put off then remembered the next time the power went out.

    I opted for a unit from CyberPower because it said that it supported Mac and was $30 cheaper than a comparable model from APC.  I've always gone with APC and Tripp-Lite for my customers because, frankly, I don't know and trust CyberPower like I do the other two.  But $30 is enough to convince me to try it, and it's my own computer, so no one but me will be aggravated when it breaks.  Hopefully I'm in for a pleasant surprise and the unit will be higher quality than I anticipated.

    I plugged in the new unit (CyberPower 850VA model CP850AVRLCD), plugged in all my cords and wall warts (Linux box and iMac on the battery side, router, switch, and WAP on the surge only side), plugged it in, hooked up the USB cord to my iMac, and was pretty much done.  Surprisingly enough, OS X comes with built-in UPS management software that is under Apple -> System Preferences -> Energy Saver -> UPS tab.

    But what about my open programs?  I want to run VirtualBox and save the state of the machine if my computer gets interrupted.  Safe Sleep seems like a good bet - it functions in MacBooks iMacs like Hibernate does in PCs - the contents of the RAM are saved to the HDD and the computer goes to sleep, powering the RAM and ready to wake at a moment's notice.  If power is interrupted there is no loss because the RAM was saved to the hard drive and it is simply recovered the next time the computer powers up.  It's helpful to set your "Start up automatically after a power failure" option under Energy Saver so that it can pick up where it left off automatically.  There is no Safe Sleep or hibernate function available on iMacs out of the box, but SmartSleep fixes that.  Download it, install it, then set your sleep state to Sleep & Hibernate.  I tested this by opening some apps, putting my iMac to sleep, pulling the plug, plugging it back in, and feeling the joy.

    Next you will go to the UPS settings under Energy Saver and set your Computer Sleep to a sane amount of time.  5 minutes to 1/2 hour depending on how big your UPS is.  I've opted for safety and went with 5 minutes.   DO NOT go the extra step and configure any shutdown options - this will quit your programs and shut down.

    Your computer will now go to sleep with the RAM contents saved after it has been on battery for the time you set.  If the battery runs out of juice the computer goes off.  When power is restored the computer comes back on.  Hopefully the power remains on for a while and allows the battery to recharge because too soon a repeat outage and your sleep timeout won't be reached before it's cut off.

    Friday, April 02, 2010

    How to find out which user is using which computer on a Windows domain.

    Provided you have access to the domain controller this can be easy.  If you don't it gets a bit more complicated.

    If you are on the domain controller then you may use your Security Event Logs.  I don't know about you, but the Security Logs are the last place I want to dig for information.  If the user in question is using shares on the server you will be presented with the username and IPs of computers accessing those shares.  On your server go to Computer Management (right-click My Computer, select Manage) and drill down System Tools -> Shared Folders -> Sessions.

    If you don't need to know immediately but you desire a log of login/logoff times, Free Windows Network User Accounting is the tool for the job.  Though it is a bit of a challenge to set up, it's worth the effort.  This web interfaced system is useful in finding out who is currently logged in and which computer they are using.  The log is never cleared unless you clear it, so the history of who used which computer when can provide a lot of insight.

    If you only have access to the local computer then checking the Security Event Log and checking the last modified times of the folders in c:\documents and settings\ can provide important clues.


    If you are using NetBIOS (which is becoming less and less common) and you know the user's computername or IP address then you can use your trusty command prompt.

    nbtstat -A [target ip address]
    nbtstat -a [netbios name]

    Wednesday, March 24, 2010

    32 Bit ADPrep for Migration to Server 2008

    There's a lot of misleading/frustrating information out there regarding where to find a 32 bit version of ADPrep.  Allow me to define the problem:  http://www.petri.co.il/windows-server-2008-adprep.htm (excellent info!) states that the Server 2008 DVD is strictly 64 bit and will not run on a 32 bit server.  One must download the 32 bit evaluation version of Server 2008 then extract the \support\adprep folder to some medium that is then mounted on your Win2k (or Win2k3) server and executed.

    I didn't want to download a massive ISO and extract files, etc. as I'm on a T1 and time is of the essence.  I checked the Server 2k8 DVD's \support\adprep folder and found an adprep32.exe - woohoo!  Copy the adprep folder to something that is mountable on your old server, execute adprep32 instead, and feel the joy!

    Tuesday, February 23, 2010

    AT&T Global Dialer and Verizon Access Manager Don't Get Along

    If you use Verizon as your cellular Internet provider and you are going to install and use the AT&T Global Dialer on your computer you may run into some issues.  Typically users who have Verizon Access Manager (VZAccess) installed cannot install AT&T Global and get it working - it will stop installing then roll back the install.  In some cases it also prevents VZAccess from functioning properly even though it was removed.

    This has to do with the way AT&T Global Dialer inserts itself in the network stack - their process is messy and dangerous to put it nicely.

    So you've installed AT&T and now VZAccess doesn't work?  Uninstall AT&T Global if it managed to install, uninstall VZAccess, then restore your system to a point prior to the installation of AT&T Global.  Once the system restore is finished you may reinstall VZAccess and it should work.

    So you can't live without AT&T Global?  You will need to download the installation app, but don't install it yet.  Uninstall VZAccess, reboot, THEN install AT&T.  Once AT&T is safely installed and your system has been rebooted you may then install VZAccess.

    Do not taunt AT&T Global Dialer.

    Wednesday, February 17, 2010

    Server 2003 Enterprise Edition R2 x64 Terminal Server Software Installation/Uninstallation Slow

    Link goes to post that helped the most (I don't make this stuff up myself)!

    I found that my Server 2003 x64 Enterprise Terminal Server was taking a stupid long time to install and remove applications.  It was making me crazy!  This server has 1TB of hdd space (500+GB free), hardware RAID (with a battery, so write-back wasn't an issue), dual Quad-Core Xeons, and 8GB of RAM.  Everything I installed took an eternity (7-Zip took 45 minutes!)

    After much reading I found a forum post saying that someone had used Process Explorer while removing software and was seeing huge amounts of data being copied out of the registry that contained Hewlett-Packard in its key.  Further searches have found that when users connect to a Terminal Server and fallback drivers are configured it will try to install the users print drivers in the server, fail, go for the fallback driver, then never remove the installed (nonworking) driver info from the registry.

    All the extra info in the registry was being read and written to a backup of the registry during software installs, taking a really long time.  Deleting these keys and their subkeys fixed the trouble.

    REMEMBER TO BACK YOUR REGISTRY UP BEFORE MAKING CHANGES TO IT!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\RefHive\Hewlett-Packard]

    [HKEY_USERS\.DEFAULT\Software\Hewlett-Packard]



    Reboot and feel the joy!

    Wednesday, February 10, 2010

    Installing IPCop + USB Keyboard = Headache

    Link goes to a bug report in the ipcop-devel board.

    IPCop 1.4.20 has trouble installing on computers with USB keyboards - on mine it was sticking at the blue screen just prior to the language selection dialog.  Unfortunately many new computers don't come with PS/2 ports, so USB is a must.

    If you unplug your USB keyboard after hitting ENTER to start installation it will start properly (minor errors regarding the keyboard will be seen in the boot messages).  When you see the language dialog you may plug in the keyboard, wait a few seconds (I press the NumLock to see if the light toggles) then proceed normally.