Migrating DHCP databases between Windows servers

This content is 19 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

One side effect of rebuilding the server that runs pretty much everything on my home network was that I had to migrate the DHCP database (twice – first to a virtual machine operating as a temporary server, and then back to the original hardware after it had been rebuilt).

I knew that it was possible (I did it from NT 4.0 to Windows 2000 for a client a few years back) but hadn’t done it recently.

It turned out to be pretty straightforward – all of the details are in Microsoft knowledge base article 325473 but basically on the source (Windows 2000 Server) server, stop the DHCP service and use jetpack.exe to tidy up the database, then use the DHCP database export/import resource kit tool (dhcpexim.exe) to dump the database and finally import it on the target (Windows Server 2003) server using the network shell (netsh.exe). The second migration was even quicker – for a Windows Server 2003 source and target it just involves a couple of netsh commands. Finally, don’t forget to disable redundant DHCP services (or deauthorise the servers in Active Directory) to prevent multiple DHCP servers from servicing clients simultaneously.
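The Windows Server 2003 to Windows Server 2003 path in PowerShell, as an added example that is not part of the original post: the database is compacted with jetpack while the service is stopped, exported and imported with netsh, and the old server is then deauthorised. The export path, the old server's name and address are placeholders, and the script assumes it is run elevated on each server in turn.

```powershell
# Added example (not from the original post): migrate a DHCP database between two
# Windows Server 2003 machines with netsh, compacting it with jetpack first (KB 325473
# and KB 145881). Assumptions: elevated session on each server in turn; the export
# file is copied between servers by hand; server name and address are placeholders.
$ExportFile = 'C:\dhcp-export.txt'                      # placeholder path
$DhcpDir    = Join-Path $env:SystemRoot 'system32\dhcp'

# --- On the SOURCE server ---
Stop-Service -Name DHCPServer       # the JET database must be offline for jetpack

# jetpack writes the compacted copy to tmp.mdb and then replaces dhcp.mdb with it.
Push-Location $DhcpDir
& jetpack.exe dhcp.mdb tmp.mdb
Pop-Location

Start-Service -Name DHCPServer      # netsh talks to the running service over RPC
& netsh dhcp server export $ExportFile all

# --- On the TARGET server (after copying $ExportFile across) ---
& netsh dhcp server import $ExportFile all
Restart-Service -Name DHCPServer

# Stop the old server handing out leases: deauthorise it in Active Directory
# (placeholder FQDN and address), then list what is still authorised.
& netsh dhcp delete server oldserver.example.local 192.168.1.10
& netsh dhcp show server
```

The deauthorisation step matters more than it looks: an authorised Windows server that is still running will keep answering broadcasts alongside the new one, and clients accept whichever offer arrives first.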

Using netsh to set multiple DNS server addresses in Windows

During my recent two days of torment caused by a flaky Java application, I had to change the preferred and alternate DNS server entries for one of my network cards. Ordinarily that would be simple, but with an unresponsive Explorer interface refusing to open any network connection dialogs I needed to do it from the command line.

Enter the network shell (netsh) – a fantastic command line utility that has sneaked into recent versions of Windows and seems to have more and more functionality added with each new release.

After entering the netsh shell, the commands I needed were:

  • interface ip – switches to the TCP/IP interface settings.
  • show dns – displays the current DNS servers.
  • set dns "Local Area Connection" ipaddress – sets the preferred DNS server.
  • add dns "Local Area Connection" ipaddress index=2 – sets the alternate DNS server (that was the difficult one to work out – I had tried to set dns with a list of IP addresses but that does not work!).

Finally, exit the network shell and type ipconfig -all to check the settings the normal way.
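The same change scripted and then verified, as an added example rather than the original post's own commands: set dns replaces the list with a single static entry, so the alternate server has to be added separately with index=2, and the result is read back from WMI instead of by eye. The connection name and both addresses are assumptions.

```powershell
# Added example (not from the original post): set preferred and alternate DNS servers
# on one adapter from the command line and verify the order the resolver will use.
# Assumptions: the connection is named "Local Area Connection"; addresses are placeholders.
$Adapter   = 'Local Area Connection'
$Preferred = '192.168.1.10'
$Alternate = '192.168.1.11'

# set dns installs ONE static entry (passing several addresses does not work);
# each further server is appended with add dns and an explicit index.
& netsh interface ip set dns $Adapter static $Preferred
& netsh interface ip add dns $Adapter $Alternate index=2

# Verify through WMI: Win32_NetworkAdapter carries the connection name, and its Index
# links to the matching Win32_NetworkAdapterConfiguration, whose DNSServerSearchOrder
# lists the servers in the order they will be tried.
$nic = Get-WmiObject Win32_NetworkAdapter |
       Where-Object { $_.NetConnectionID -eq $Adapter }
if (-not $nic) { throw "No connection named '$Adapter'" }
$cfg = Get-WmiObject Win32_NetworkAdapterConfiguration |
       Where-Object { $_.Index -eq $nic.Index }

$order = @($cfg.DNSServerSearchOrder)
"DNS search order for '$Adapter': $($order -join ', ')"
if ($order[0] -ne $Preferred -or $order[1] -ne $Alternate) {
    Write-Warning "DNS order is not $Preferred then $Alternate; check the adapter name."
}
```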

I love the command prompt!

This is why I’m not a fan of Java

I just wasted 2 days (one of which was on my weekend), and a lot of sleep, trying to work out why I couldn’t upgrade the Windows 2000 server which looks after my domain, DHCP, RIS, SUS and a whole load of other bits at home.

Every time I tried to run Windows Server 2003 setup it seemed to hang – and everything else was pretty slow too. I had to launch control panel applets using their .cpl filenames (e.g. appwiz.cpl for the Add or Remove Programs applet) and services would not stop cleanly.

I decided that my system was badly broken and quickly built a virtual machine on another piece of hardware, promoting that to a domain controller to provide a live backup of Active Directory. As in-place upgrades weren’t working, I resigned myself to the fact that I was going to have to migrate everything to the virtual server, then rebuild the original box, but I wanted to cleanly remove the original domain controller from the directory.

Every time I ran the Active Directory installation wizard (dcpromo.exe) it failed – usually with the following error.

Active Directory Installation Failed

The operation failed because:

Failed to prepare for or remove the sysvol replication “The file replication service cannot be stopped.”

(Even though logged events with IDs 13502 and 13503 suggested that the FRS had indeed stopped).

Microsoft knowledge base article 332199 led me to try the dcpromo /forceremoval command but that failed in exactly the same way. I ran dcdiag /s:localhost on each server to look for any issues, checked that each server could ping the other one, that net view \\servername returned a list of shares, and all required DNS entries were present. I checked the DNS settings (to make sure that each server was using itself as the primary DNS server and the other domain controller as a secondary) and restarted just to be sure but all to no avail.

To cut a long story short, I found the answer purely by fluke. I couldn’t get the DHCP server service to stop cleanly (to let me migrate the database to my virtual machine) so I did a Google search for “windows services hang on stop”. This turned up a TechRepublic thread titled APC Java issues cause services to hang. I realised that I do have an APC UPS attached to the server, and that I was using a version of PowerChute Business Edition (PBE) that had been sitting there happily for a couple of years (v6.2.2) – I hadn’t upgraded to 7.x as recommended by APC knowledge base article 7202 because APC had never e-mailed me to notify me of a problem and services that aren’t broken (and that don’t have an inbuilt patching mechanism) generally get left well alone on my systems!

Lo and behold, the APC services had hung on startup and there were various events logged with ID 7022 (the APC PBE Agent service hung on starting). I disabled both the APC PBE client and server services, using the registry (as the services console was inoperable) to locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\servicename\ and set Start to 0x00000004 for disabled (0x00000002 is automatic and 0x00000003 is manual), restarted the server and had the fastest boot sequence in days! My Windows installation was responsive again and I was able to remove the offending applications in a few short clicks.
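The registry route to disabling a hung service, as an added PowerShell example that is not from the original post: it lists the Service Control Manager's event 7022 entries (service hung on starting), then sets the Start value under the service's key to 4 (disabled) while recording the previous value so it can be put back. The service key names passed at the bottom are placeholders; take the real ones from the event text.

```powershell
# Added example (not from the original post): find services that hung on start
# (event ID 7022 from the Service Control Manager) and disable them by setting the
# Start DWORD in the registry, for when the services console itself is unusable.
# Assumptions: elevated session on the affected server; service key names are placeholders.
$StartValues = @{ Automatic = 2; Manual = 3; Disabled = 4 }   # meaning of the Start value

function Get-HungServiceEvents {
    # Event 7022 is logged when a service hangs on starting.
    Get-EventLog -LogName System -Source 'Service Control Manager' -Newest 500 |
        Where-Object { $_.EventID -eq 7022 } |
        Select-Object TimeGenerated, Message
}

function Set-ServiceStartType {
    param(
        [string]$Name,
        [ValidateSet('Automatic', 'Manual', 'Disabled')][string]$StartType
    )
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) { throw "Service '$Name' not found in the registry." }
    # Keep the old value in the output so the change can be reversed once the cause is fixed.
    $old = (Get-ItemProperty -Path $key -Name Start).Start
    Set-ItemProperty -Path $key -Name Start -Value $StartValues[$StartType] -Type DWord
    "{0}: Start {1} -> {2} ({3})" -f $Name, $old, $StartValues[$StartType], $StartType
}

Get-HungServiceEvents

# Disable the hung services and reboot; re-enable or uninstall them afterwards.
foreach ($svc in 'PLACEHOLDER_AgentService', 'PLACEHOLDER_ServerService') {
    Set-ServiceStartType -Name $svc -StartType Disabled
}
```

Because the value is written straight to the registry, it takes effect at the next boot rather than immediately, which is exactly what is wanted when the Service Control Manager is stuck behind a hung start.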

My problems were nothing to do with Active Directory, DNS or even Windows – they all boiled down to an expired Sun Java Runtime Environment (JRE) certificate and sloppy coding from APC which meant that if their services hung, then so did all subsequent ones. I’ve never been a fan of Java applications on Windows – generally they are slow and have a poor user interface – and this experience has done nothing to change my mind.

Once the APC PBE agent, client and server had been removed, I was able to successfully (and cleanly) demote the original domain controller (avoiding having to follow the steps in Microsoft knowledge base article 216498 to remove data left in the directory after an unsuccessful demotion) but having migrated all the services to my virtual machine, I decided to go ahead and perform a clean installation of Windows on the original hardware anyway. I’m currently mid-way through patching the rebuilt server but I’m so glad that P McGrath from Rocky Mount, VA posted his experience on TechRepublic and Google did its thing.

Remind me again – how did we ever manage to find things out before we had the web?

Microsoft management technologies – product roadmap

My recent post on Microsoft’s dynamic systems initiative (DSI) outlined the various waves of new products which Microsoft is releasing in the management space over the next few years. What follows is a summary of some of the other product roadmap information that I picked up from last Friday’s Best of the Microsoft Management Summit 2005 event:

System Center is Microsoft’s overarching brand for integration of its management products, in the same way that Computer Associates (CA) has Unicenter, Hewlett-Packard (HP) has OpenView and IBM has Tivoli.

Microsoft System Center Data Protection Manager 2006 is the first “System Center” branded product – launched last week in New York with an EMEA launch slated for 12 October 2005. The first release provides server backup and recovery for Windows – v2 (as part of the second wave of System Center products) will add support for Exchange Server, SQL Server and SharePoint.

Established products like Microsoft Systems Management Server 2003 (SMS) and Microsoft Operations Manager 2005 (MOM) are also part of the System Center suite and the launch of the SMS 2003 inventory tool for Microsoft updates integrates the Windows Software Update Services (WSUS) scanner into SMS – effectively a locally hosted version of Microsoft Update.

Windows Server 2003 Release 2 (R2) is due for release later this year and will bring a number of new features to Windows Server 2003:

  • New storage and management capabilities (Simple SAN, virtual disk service v1.1, common log file system, WS-Management, Microsoft Management Console v3.0).
  • Enhancements to Active Directory (AD) (federated services, ADAM in-the-box, AD as a NIS master).
  • .NET Framework enhancements (simplified data access and remoting, advanced transactions, ASP.NET v2.0).
  • Services for Unix (Unix application subsystem and utilities – no longer a separate download, database connectivity).

Microsoft are positioning R2 as a minor release – i.e. it has no kernel changes and will actually ship on two CDs: the first is effectively Windows Server 2003 with SP1 and the second has the extra functionality.

Microsoft Virtual Server 2005 R2 (formerly planned as Virtual Server 2005 service pack 1) is Microsoft’s answer for production virtual environments and will include:

  • Non-Windows guest support.
  • Network installation of guest operating systems.
  • Clustering support.
  • Greater scalability.
  • 64-bit host support.
  • Performance enhancements.
  • MOM management pack.
  • PXE booting.
  • A licensing program for the virtual hard disk (.VHD) file format.

Microsoft System Center Reporting Manager 2005 is due early in 2006 (so I guess the name will change) but is currently expected to include:

  • Integration of data from MOM, SMS and AD.
  • An extensible schema.
  • Facilitation of better business decision making.
  • Offline data warehouse.
  • Consolidated view of a multi-site hierarchy.
  • Streamlined querying.
  • Consolidated management.

Another new System Center product is Microsoft System Center Capacity Manager, a sizing solution (initially for Exchange Server 2003 and MOM 2005) which will provide:

  • Assessment of architecture choices for future deployment.
  • “What-if?” analysis.
  • Performance modelling for current deployments.
  • Identification of future bottlenecks.
  • Prediction of the user experience.
  • Understanding of the impact of changes.
  • Optimised upgrade path.

Further out on the development path are new versions of MOM and SMS. MOM v3 is expected to go into limited beta testing at the end of this year with a public beta early in 2006. SMS v4 is further out in the plan, expected in the first half of 2007 (as part of the Longhorn Server wave) with a limited beta in early 2006 which will be expanded later in the year.

Microsoft’s view is that every vendor’s management product has its agent(s), communications protocol, database and user interface, but MOM’s strength is in its knowledge, with management packs built by the product groups. Their goal is to capitalise on that strength and it is expected that MOM v3 will offer:

  • Model-based operations (more than just today’s management packs).
  • Service-oriented monitoring (using SDM models defined in Visual Studio 2005).
  • Improved task and command support.
  • Extensive software development kit (SDK) and authoring tools (making it easier to produce management packs and import knowledge, e.g. from the Internet).
  • Deep platform integration.
  • Role-based user interface.
  • Probable-cause analysis (a vehicle for managing uptime).

SMS v4 is about building on SMS 2003 (which some might consider to be the first solid SMS release), providing:

  • Model-based operations.
  • Desired configuration management.
  • IT policies and industry compliance.
  • Security interface for both intranet and Internet deployment (i.e. RPC over HTTPS).
  • Integration with Windows network access protection (NAP) to implement quarantine for patching etc.
  • Simple, role-based user interface.
  • Unified operating system deployment, pulling together RIS, ADS and the SMS operating system deployment feature pack.

Of course, much of this is still some way off, and product feature sets are always subject to change, but Microsoft is certainly making moves towards becoming a significant player in the enterprise management space – or at least for the management of their own platform.

Best practices for managing automatic IP addressing with DHCP

Dynamic host configuration protocol (DHCP) is often taken for granted – we expect it to work; however there are a few items which need to be considered and this post is intended as a general discussion of DHCP best practice.

Most administrators will be familiar with the overall DHCP concept – basically a database of IP addresses allocated to clients dynamically, allowing centralised IP address management; however, most of the organisations I see still need to use static addresses for some devices (e.g. servers). Whilst there is nothing wrong with this and I would still suggest using fixed IP addresses for networking equipment and the DHCP server itself, reservations can be useful to reserve particular addresses for certain clients, based on their media access control (MAC) address. The main drawback of this approach is that if the NIC in the computer changes, so does the MAC, although reprogramming the MAC address is possible (as is setting up a new reservation).

If there are static addresses in use which fall within an IP address range intended for DHCP, exclusions can be configured (much easier than configuring several scopes to cover the fragmented IP range). Exclusions can be configured for a single address, or for a range of IP addresses.

Lease duration is another area to consider (i.e. the amount of time before a client needs to renew its DHCP address) – if this is set too long, and there are a large number of mobile clients, there is a risk of running out of available IP addresses as these mobile clients join the network, lease an address and then leave again without releasing it; conversely, too short and there is a large amount of renewal traffic as the DHCP client attempts to renew its lease at the half life. For most environments, I find that an 80:20 rule can be applied – i.e. provide 20% more addresses than are expected to be in use at any one time (to cater for mobile clients) and set the lease time to 1 day; for a subnet with largely static PCs, longer leases may be appropriate.

DHCP includes a number of pre-defined options that can be set on a client:

  • Server options apply to all scopes on a server (e.g. 006 DNS servers, 015 DNS Domain Name).
  • Scope options apply to a single scope (e.g. 003 Router).
  • Class options can be applied to a specific type of device.
  • Reservation options apply to specific reservations.

Occasionally it may be necessary to configure custom options – e.g. 060 for a pre-boot execution environment (PXE) client or 252 for web proxy auto-discovery (WPAD).

If there are multiple DHCP servers on a subnet, all listening servers respond to a client’s request with an offer and the client accepts the first answer received – hence Windows 2000 and later DHCP servers support DHCP authorisation in Active Directory (preventing the use of rogue DHCP servers); however this will not affect non-AD DHCP servers (such as the one in Virtual Server, or on an ADSL router). Because DHCP requests are broadcast-based, they typically cannot traverse routers and so DHCP relaying must be configured where clients are remote from the DHCP server.

To configure DHCP for redundancy, it is generally advised to configure two DHCP servers and to split the scope using a 50:50 or 80:20 ratio (50:50 works well where both DHCP servers are on the same site; 80:20 is often appropriate where a remote site is providing redundancy for a local server) so, for example, if I want to allocate addresses on the network 192.168.1.0/24, I might reserve the top 10 or so addresses for static devices and create two scopes on two DHCP servers – one for 192.168.1.1-120 and the other for 192.168.1.121-240. This provides 240 potentially available addresses but if one server is unavailable then the other can answer. Of course, this scenario only provides for 120 clients (96 taking into account my earlier recommendations for dealing with mobile devices). It is also possible to cluster DHCP servers for redundancy.
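The split scope, exclusions, lease duration and option levels from the paragraphs above, built with netsh on a Windows Server 2003 DHCP server, as an added example that is not part of the original post. It is run once on each server with -Half First or -Half Second; the router, DNS server, domain name and the excluded printer address are placeholders, and the capacity figure at the end applies the author's 80:20 headroom.

```powershell
# Added example (not from the original post): build one half of the split scope with
# netsh, exclude a static address that sits inside the range, set a one-day lease and
# the common options at the right level, then display the result.
# Assumptions: Windows Server 2003 DHCP server, elevated session; router, DNS, domain
# suffix and the excluded address are placeholders.
param([ValidateSet('First', 'Second')][string]$Half = 'First')

$Subnet = '192.168.1.0'
$Mask   = '255.255.255.0'
$Router = '192.168.1.254'   # placeholder default gateway  (option 003, scope level)
$Dns    = '192.168.1.10'    # placeholder DNS server       (option 006, server level)
$Suffix = 'example.local'   # placeholder DNS domain name  (option 015, server level)
$Lease  = 86400             # option 051 in seconds: 1 day, so clients try to renew after 12 hours

# Each server hands out one half of 192.168.1.1-240; the top addresses stay static.
$Range = '192.168.1.1', '192.168.1.120'
if ($Half -eq 'Second') { $Range = '192.168.1.121', '192.168.1.240' }
$Static = '192.168.1.50'    # placeholder: a printer with a fixed address inside the range

& netsh dhcp server add scope $Subnet $Mask "LAN ($Half half)" 'Split scope'
& netsh dhcp server scope $Subnet add iprange $Range[0] $Range[1]
# An exclusion covers a single address or a range; start and end are the same here.
& netsh dhcp server scope $Subnet add excluderange $Static $Static

# Scope options apply to this scope only; server options apply to every scope.
& netsh dhcp server scope $Subnet set optionvalue 003 IPADDRESS $Router
& netsh dhcp server scope $Subnet set optionvalue 051 DWORD $Lease
& netsh dhcp server set optionvalue 006 IPADDRESS $Dns
& netsh dhcp server set optionvalue 015 STRING $Suffix
& netsh dhcp server scope $Subnet set state 1      # activate the scope

# Capacity check: addresses in this half, minus the exclusion, with 20% headroom
# kept back for mobile clients.
$Total  = [int]($Range[1].Split('.')[3]) - [int]($Range[0].Split('.')[3]) + 1
$Usable = $Total - 1
"{0} leasable addresses in the {1} half; plan for about {2} clients" -f `
    $Usable, $Half, [math]::Floor($Usable * 0.8)

& netsh dhcp server scope $Subnet show iprange
& netsh dhcp server scope $Subnet show excluderange
& netsh dhcp server scope $Subnet show optionvalue
```

If the same 192.168.1.0 scope must also exist on the second server, the two servers need the same subnet and mask but non-overlapping ipranges, which is exactly what the -Half switch produces.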

Superscopes can be used to group several scopes into one for management purposes, but when I tried to implement these in a live environment, we found that they did not work well and had to revert to individual scopes for each subnet.

Since Windows 2000, the Microsoft DHCP server implementation has included DNS integration. Set on the scope properties, this allows three options for updating A and PTR records in DNS as IP addresses are leased to DHCP clients:

  • Enable DNS dynamic updates, either always, or if requested (by Windows 2000 or later clients).
  • Discard DNS records when the lease is deleted (i.e. clean up afterwards).
  • Dynamically update DNS for legacy clients that do not request updates (e.g. Windows NT 4.0).

In terms of new features, Windows Server 2003 improves on Windows 2000 Server by allowing backup and restoration of the DHCP database from the DHCP console. It also provides for both user- and vendor-specified option classes. Potentially the greatest area of improvement is integration of DHCP commands within the netsh command shell.

Finally, DHCP servers use a JET database which benefits from periodic maintenance on a busy server. At a recent Microsoft TechNet UK event, John Howard recommended that every now and again the service is stopped and jetpack.exe is used to compact the database, improving performance (as described in Microsoft knowledge base article 145881).

Building a Windows cluster using Virtual Server 2005

Last year, I blogged about building a Windows cluster using VMware. Since then, new versions of VMware have made this more difficult/expensive (as it no longer works with VMware Workstation) and Rob Bastiaansen has removed the virtual SCSI disks from his website. I haven’t tried building a cluster on Microsoft Virtual Server, but it seems feasible, and a few days back, I found a Windows IT Pro magazine article on building a Windows Server 2003 cluster using Virtual Server 2005.

For anyone who says “why do this – the point about clustering is high availability and that needs the supporting hardware”, I would agree with you, but a virtual cluster is great for testing/proof of concept.

Troubleshooting DNS on a Windows server

This content is 20 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

Earlier today, I blogged about some of the tools that are available for monitoring Active Directory (AD) enterprise replication and troubleshooting Windows authentication. Given that AD is so heavily reliant on the domain name system (DNS), it seems logical that I also list some of the tools available for monitoring and troubleshooting DNS issues.

The first port of call is the Windows version of the original Unix DNS lookup tool (nslookup.exe). Typing nslookup at a command prompt enters the nslookup shell, from where issuing the help command will list all of the available options.

The DNS server troubleshooting tool (dnscmd.exe) is a support tool for Windows 2000 Server and Windows Server 2003 (available on the Windows installation media) which allows administration of DNS from a command prompt. It extends and replaces the earlier dnsstat.exe tool provided as part of the Windows NT resource kit. The DNS server troubleshooting tool displays and changes the properties of DNS servers, zones, and resource records, manually modifying properties, creating and deleting zones and resource records, and forcing replication events between DNS server physical memory and DNS databases and data files. Some operations of the tool work at the DNS server level while others work at the zone level. Simply type dnscmd for usage information.

DNS has its own set of performance counters available under the performance monitor DNS object.

The domain controller diagnostic tool (dcdiag.exe) checks DNS functionality as part of its diagnostic tests but the command to specifically test DNS registration (which does not need to be run from a domain controller) is dcdiag /test:registerindns /dnsdomain:domainname.

The network connectivity tester (netdiag.exe) helps to isolate networking and connectivity problems by performing a series of tests to determine the state of a network client to identify and isolate network problems. Parsing the output for “DNS test” will give DNS-specific results. Type netdiag /? for usage information.

DNS debug logging may be set in the DNS server properties and creates a log file at %systemroot%\system32\dns\dns.log for further diagnosis of DNS activity.

Finally, the dnslint.exe support tool allows verification of DNS records for a specified domain name to help diagnose potential causes of incorrect delegation and other common DNS problems, producing an HTML report. Usage information can be obtained by issuing the dnslint /? command.
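The tools listed above strung together into one check on a domain controller, as an added example that is not from the original post: dnscmd reports the local server, dcdiag tests record registration for the domain, the DNS section is cut out of netdiag's long output, and the debug log is checked for recent activity. It assumes a Windows Server 2003 DC with the support tools installed; the domain name is a placeholder.

```powershell
# Added example (not from the original post): a small DNS health check built from
# dnscmd, dcdiag, netdiag and the debug log location described above.
# Assumptions: Windows Server 2003 DC with the support tools on the path; the domain
# name is a placeholder.
$Domain = 'example.local'

# 1. Server-level view: dnscmd with no server name talks to the local DNS server.
'=== dnscmd /info ==='
& dnscmd /info

# 2. Can this machine register its own records? (does not need to be a DC)
'=== dcdiag RegisterInDNS ==='
$dcdiag = & dcdiag /test:registerindns /dnsdomain:$Domain
$dcdiag
$registered = [bool]($dcdiag | Select-String -Pattern 'passed test' -Quiet)
if (-not $registered) { Write-Warning "Registration test did not pass for $Domain" }

# 3. netdiag prints every test; keep only the DNS section (the line with "DNS test"
#    and the ten lines after it).
'=== netdiag DNS section ==='
& netdiag | Select-String -Pattern 'DNS test' -Context 0, 10 |
    ForEach-Object { $_.Line; $_.Context.PostContext }

# 4. Debug logging writes to %systemroot%\system32\dns\dns.log when enabled in the
#    server properties; a stale or missing file means logging is off.
$log = Join-Path $env:SystemRoot 'system32\dns\dns.log'
if (Test-Path $log) {
    Get-Item $log | Select-Object FullName, Length, LastWriteTime
} else {
    "No debug log at $log (debug logging not enabled)"
}
```

The dcdiag string match is deliberately loose because the test output wording varies slightly between versions; read the full output above it before trusting the warning.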

Troubleshooting Windows authentication with the Microsoft account lockout and management tools

A few weeks back I was at a Microsoft TechNet UK event where John Howard demonstrated the free tools provided by Microsoft to troubleshoot and diagnose account lockout and management issues for Windows NT, 2000 and 2003:

  • acctinfo.dll (also included with the Windows Server 2003 resource kit tools) is installed using the regsvr32 acctinfo.dll command and extends the functionality of the Active Directory users and computers MMC snap-in, with an Additional Account Info page on the user object properties to assist in isolating and troubleshooting account lockouts and to change a user’s password on a domain controller in that user’s site. This extra page contains a variety of information, including:
    • The last time the password was set.
    • Domain password policies.
    • Password expiration date.
    • Lockout status.
    • Last good and bad logons.
  • alockout.dll can be used to create a log file to assist in diagnosing the cause of account lockout problems. It should be copied to the %systemroot%\system32 folder on the computer experiencing the lockout problems (usually a user’s workstation) and the appinit.reg script run to add alockout.dll to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs key. Once the computer is restarted and an account locked out, a log file called alockout.log will be created in the %systemroot%\debug folder. This tool should not be used on servers that host network applications or services (in particular it should not be used on Exchange servers, because it may prevent the Exchange store from starting).
  • aloinfo.exe displays the password age for user accounts to allow determination of accounts which are about to expire in order to anticipate problems before they occur. It is a command prompt tool, with two options:
    • aloinfo /expires /server:servername returns a list of user names followed by the age of their password.
    • aloinfo /stored returns a list of services and the accounts used as well as mapped drives for the currently logged on user.
  • enablekerblog.vbs can be used as a startup script to enable Kerberos logging (as described in Microsoft knowledge base article 262177) on all clients running Windows 2000 or later (it actually sets HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\Kerberos\Parameters\LogLevel to 1, which once removed will disable Kerberos logging). When looking at Kerberos authentication issues, it is worth checking to see that the Kerberos key distribution center service is started on all domain controllers, that time synchronisation is working correctly from the PDC emulator at the root of the forest down to all client machines (Kerberos authentication will fail if the time is skewed by more than 5 minutes by default), and that both Kerberos and LDAP have service location records defined in DNS (check with nslookup _kerberos._udp.domainname and nslookup _ldap._tcp.domainname).
  • eventcombmt.exe (also included with the Windows Server 2003 resource kit tools) searches event logs on multiple computers and collects event records matching specified criteria (useful for gathering specific events from event logs on several different computers to one central location).
  • lockoutstatus.exe (also included with the Windows Server 2003 resource kit tools) determines all the domain controllers that are involved in a lockout of a user in order to assist in gathering the logs. It can be useful in identifying if lockout problems are arising from Active Directory replication issues, as typically this means there will be two or more entries for different domain controllers.
  • nlparse.exe can be used to extract and display desired entries from the netlogon log files generated by lockoutstatus.exe or alockout.dll, parsing the logs for specific return status codes and directing the output to a comma-separated value (.CSV) file. It is also possible to enable netlogon debug logging with the nltest.exe Windows support tool, or via the registry, as described in Microsoft knowledge base article 109626.

Links

Implementing and troubleshooting account lockout (WindowSecurity.com).
Microsoft account lockout and management tools.

Disabling the Shutdown Event Tracker in Windows Server 2003 (and XP)

I run Windows Server 2003 on my work laptop (largely because I’m getting up to speed with Windows SharePoint Services right now). I find that pretty much anything designed for Windows XP runs under Windows Server 2003, but there are some configuration differences out of the box. One of these is the shutdown event tracker – a useful feature on enterprise servers, but not so useful for me on my everyday laptop – so I was pleased to stumble across Microsoft’s advice on configuring the shutdown event tracker, including how to disable it. Interestingly, Microsoft knowledge base article 293814 reports that the functionality is also available in Windows XP but is disabled by default.

Windows Server 2003 SP1 is now available for download

Yesterday, Windows Server 2003 service pack 1 (SP1) was released to manufacturing and the 329MB service pack is available for download from the Microsoft website.

Like Windows XP service pack 2 (SP2), released last August, SP1 is primarily a security patch, providing new functionality to address known security vulnerabilities and to prepare for future security threats with new technologies including:

  • Security configuration wizard. Customers can more easily reduce attack surface area with the new Security Configuration Wizard. The tool reduces the attack surface by gathering information about specific server roles, then automatically blocking all services and ports not needed to perform those roles.
  • Windows firewall. Originally released with Windows XP SP2, Windows Firewall is now available for the Windows Server System platform and serves as a host (software) firewall around each client and server computer, which may be controlled locally or via group policy.
  • Post-setup security updates (PSSU). As systems are vulnerable during the time between their installation and application of the latest security updates, SP1 blocks all inbound connections to the server after installation until Windows Update has delivered the latest security updates to the new computer.

Other SP1 features that offer a more robust security defence include Internet Information Services (IIS) 6.0 metabase auditing, which allows administrators to identify potential malicious users should the store become corrupted, stronger defaults and privilege reduction on services to establish a minimum security threshold for applications, and the addition of network access quarantine control components.

According to Microsoft:

“Install Microsoft Windows Server 2003 Service Pack 1 (SP1) to help secure your server and to better defend against hackers. Windows Server 2003 SP1 enhances security infrastructure by providing new security tools such as Security Configuration Wizard, which helps secure your server for role-based operations, improves defense-in-depth with Data Execution Protection, and provides a safe and secure first-boot scenario with Post-setup Security Update Wizard. Windows Server 2003 SP1 assists IT professionals in securing their server infrastructure and provides enhanced manageability and control for Windows Server 2003 users.”

For more information about SP1, see the Microsoft Windows Server 2003 TechCenter and, for those who are unconvinced as to why this service pack is necessary, Microsoft has published a top 10 reasons to install Windows Server 2003 SP1.