drewhill.net, same blog but no redirect
drewhill.net, same web address but new hosting service. drewhill.net will no longer redirect to drewh70.wordpress.com. So, head on over to drewhill.net and follow me there.
New RSS Feed: http://drewhill.net/?feed=rss2
Cheers!
Drew
Windows Virtual PC Beta on Windows 7
Windows 7 RC was released today on TechNet and MSDN along with Windows Virtual PC Beta for Windows 7. As soon as I started messing around with Virtual PC, I ran into a problem with an error message that said hardware assisted virtualization was not enabled.
This is a known issue with Windows Virtual PC Beta as described in the release notes:
“On computers that have an Intel® processor with Trusted Execution Technology (TXT) enabled in the BIOS, you may encounter an error message when starting a virtual machine, stating that hardware assisted virtualization (HAV) is not enabled, even though the HAV setting is actually ON in the BIOS.
Possible Workaround: Try turning off the TXT setting in the BIOS of the computer.“
The system that I’m using is a Dell Optiplex 755 with an Intel Core 2 Duo E6850 3.00Ghz processor which does have the Intel VT technology.
To fix this issue, I booted the computer and pressed F2 to enter the BIOS.
In the BIOS I verified the following settings:
- Security – Execute Disable (set to On)
- Performance – Virtualization (set to On)
- Performance – VT for Direct I/O Access (set to On)
- Performance – Trusted Execution (set to Off)
In my case Trusted Execution option was turned ON. So, I turned it OFF, Saved the BIOS settings and restarted the PC.
Windows Virtual PC Beta works like a champ now!
NTFS Rights Issue with UAC, logged on with Domain Admin Account
Error: “You don’t currently have permission to access this folder. Click Continue to get access to this folder.”
If you click continue the currently logged in user id will be granted security permissions to the folder. This is not a good idea and the folder permissions will get messy quick if very many domain admin accounts are accessing the folders on the server. So, what is really going on?
Here’s how to recreate the issue:
- Create a new account in Active Directory and add it to the Domain Admins security group.
- Create a Windows Server 2008 server and join it to the domain.
- By default the Domain Admins security group is added to the local Administrators group when the server is added to the domain.
- User Account Control (UAC) must be left enabled.
- Login to the server with the account created in step 1 (Not the default built-in Administrator account for the domain).
- Create a new folder on the hard drive.
- Edit the security permissions by removing inheritable permissions from the parent
object and adding the local Administrators group and SYSTEM giving them Full Control permission. - When trying to access the folder an error will display that says you do not have permission to access this folder.
- Click Cancel. If the Continue button is clicked the currently logged in user id will be granted security permissions to the folder, which will gain access to the folder, but will cause folder permissions to get messy.
- There is NOT an option to elevate privilege to gain access to the folder with the rights that were granted in step 7 which should be sufficient (i.e. full control).
This issue is the result of User Account Control (UAC). UAC is the feature in Windows Vista and Windows Server 2008 that is designed to apply the principle of least privilege.
If UAC is turned OFF this issue goes away. Also, if you login with the built-in Administrator account for the domain the issue also goes away.
After digging into UAC a little further, I found that by default UAC applies to all interactive users with the exception of the built-in administrator account. This is because the group policy Admin Approval mode is on for the built-in administrator account is disabled by default which means the built-in administrator account will logon in XP compatible mode and run all application by default with full administrator privilege with out a filtered access token. This would seem to explain why the built-in administrator is not affected by the issue created by having UAC turned ON.
Note: If the group policy Admin Approval mode is on for the built-in administrator account is enabled this issue also effects the built-in administrator account in the same way.
All other admin accounts are subject to UAC and the filtered access token. The group policy Behavior of the elevation prompt for administrators in Admin Approval Mode is set to Prompt for Consent by default. There is not a policy to disable Admin Approval mode for non-built-in administrator accounts.
Check out the Security Policy Settings and User Account Control blog post for more details.
At this point it looks like there are two choices to get around this issue:
1) Leave UAC turn ON and use the built-in Administrator account for the domain and let everyone share the same account which is a bad security practice or
2) Turn UAC OFF and use any user account that is a member of the domain administrators group. This might not be a bad idea since UAC is really a client feature anyway.
I would consider this issue a bug. Hopefully, Microsoft will come out with a fix that will allow UAC to be left enabled.
Hyper-V RC1 Hypervisor Failed to Start
There is a known problem in Hyper-V RC1 in which after you upgrade a perfectly working RC0 server the Hypervisor will not start.
You will see the following error in the event log:
Source: Hyper-V Hypervisor
Event ID: 48
“Hyper-V launch failed; Processor 0×4 does not provide the features necessary to run Hyper-V (leaf 0×80000008, register 0×0: features needed 0×24, features supported 0×26).”
Hyper-V RC1 apparently has issues with my processors which are Intel Quad Core Xeon 2.33Ghz E5345. This server did have an additional processor added after it was purchased. Both processors are E5345, but Dell OpenManage Server Administrator is reporting one processor as Model 15 Stepping 7 and the other one as Model 15 Stepping 11.
John Howard, Microsoft Senior Program Manager on the Hyper-V Team reported on his blog the following:
“Yes, we are aware of a bug in RC1 which affects the Hypervisor from launching correctly on a small number machines. The class of machine is where there is more than one physical socket containing processors, and the processors are reporting mismatching capabilities. However, that fix will not be available until a future release.”
There is a temporary solution that will allow Hypervisor to start after a reboot.
- Open MSCONFIG
- Select the Boot tab and click Advanced Options.
- Select the Number of Processors check box and set the number of processors to 4.
- Click OK twice.
- Click Restart.
The bad news is that I’m losing the benefit of one of my processors, but at least Hyper-V is functional. I’ll have to remember to set the processors back after Hyper-V RTM has come out.
XPS 420 & Radeon ATI HD2600 XT – Choppy DVD Playback
I got my XPS 420, took an image of HDD (32 bit OEM OS) and installed Vista Ultimate x64, downloaded and installed all the drivers from support.dell.com and then also updated newer drivers for the video and network cards and updated the firmware on the ATI Digital Cable Tuner. Everything that I’ve tested so far seems to be working OK, except for DVD playback in Media Center and Media Player. Playback is choppy with video getting hung and buzzing audio. CyberLink’s PowerDVD plays just fine.
It seems that the DVD playback only gets choppy if I try to move around in Media Center while the DVD is playing. But, if I maximize and/or unmaximize the window it resets the DVD playback and re-syncs the audio/video. Playback is smooth then.
DVD playback on Media Player is a different story which really doesn’t work at all.
I had previously purchased the CinePlayer DVD Decoder for Windows Vista. So, I tried that and it didn’t help DVD playback in Media Player.
System Specs:
- Intel® Core™ 2 Quad Processor Q9300 (6MB Cache,2.50GHz,1333FSB)
- 4GB Dual Channel DDR2 SDRAM at 800MHz – 4 DIMMs
- Radeon ATI HD 2600 XT 256MB
- Blu-ray Disc Combo (DVD+/-RW + BD-ROM)
- Integrated Sound Blaster®Audigy™ HD Software Edition
- Single ATITV Wonder™Digital Cable Tuner with Remote
Has anyone seen any issues with DVD playback with the Radeon ATI HD 2600 XT 256MB video card?
I’ve not tested a Blu-ray disk playback or digital cable yet.
**Updated 5/29/08 1:15pm - I just tested Blu-ray disk playback and it worked like a charm in PowerDVD.
Windows Server 2008 DCPROMO
During DCPROMO in Windows Server 2008, If you select the option to install DNS, you might receive a message that indicates that a DNS delegation for the DNS server could not be created and that you should manually create a DNS delegation to the DNS server to ensure reliable name resolution.
If you are installing an additional domain controller in either the forest root domain or a tree root domain, you do not need to create the DNS delegation. This is a known issue by Microsoft. Just click Yes and disregard the message.
Error message when you run the "Adprep /rodcprep" command in Windows Server 2008
“Adprep could not contact a replica for partition DC=DomainDnsZones,DC=Domain,DC=suffix”
“Adprep could not contact a replica for partition DC=DomainDnsZones,DC=Subdomain,DC=Domain,DC=suffix”
“Adprep could not contact a replica for partition DC=ForestDnsZones,DC=Domain,DC=suffix”
Note: I could not get the VB script that Microsoft provided in the above KB article to work. I received the following error, “fixfsmo.vbs(1, 1) Microsoft VBscript compilation error: Expected statement”.
Here’s the way I ended up fixing the problem:
- Open ADSIEdit
- Connect to DC=DomainDnsZones,DC=domain,DC=suffix
- Expand it and select CN=Infrastructure
- Right click, click on Properties and look at the fsmoRoleOwner attribute. In my case it was referencing a deleted domain controller:
CN=NTDS SettingsADEL:0db95bd9-0a15-46d8-9665-951689a3c7f9,CN=PFCSRDC1ADEL:5bcf835e-adb2-4eba-9a3e-bccc9611fc78,CN=Servers,CN=PFCS,CN=Sites,CN=Configuration,DC=pfcs,DC=farm
- This means that AD has a bad value for the infrastructure master because the infrastructure master for the referenced partition or partitions has been forcefully demoted or is offline.
- You will need to copy the correct path to the infrastructure master into the fsmoRoleOwner value. To do this, first determine what server your infrastructure master is supposed to be using AD Users and Computers.
- Once you have the <servername>, go back into ADSIEdit.
- Connect to the Configuration partition.
- Expand CN=Sites, CN=<site where Infrastructure Master server is located>, CN=<server name> and go to properties of CN=NTDS Settings.
- Edit the distinguishedName attribute, select the value and copy it into the clipboard.
- Now go back to the Infrastructure object underneath DomainDNSZones, and copy
the value you got into the fsmoRoleOwner attribute. - This will have to be done for each partition with a bad value.
- After AD has been cleaned up rerun the “Adprep /rodcprep” command.
Dell XPS 420
I finally decided to buy a Dell XPS 420 desktop computer this weekend. Dell is running a great deal for Mother’s Day; $350 off XPS 420 systems. I’m not a mother, but who cares right? I can get the configuration that I want cheaper than I can get with my Employee Purchase Program discount mainly because I don’t have to take the 3 year warranty on the Mother’s Day deal.
This system is configured with the ATI TV Wonder Digital Cable Tuner. I really want to start recording digital/HD TV content including Premium stations with Windows Vista Media Center. With my current system I’m only able to record the analog stations and the quality leaves a lot to be desired on a 46″ LCD HD TV.
I went down to Charter Cable yesterday to talk to them about Cable Cards. They were not very helpful. Both the woman at the front counter and the technician that I eventually talked to really couldn’t answer my questions. The reason is that they haven’t hooked up that many cable cards in PCs before. They did say that I would be able to get the digital/HD and premium stations. But, I could have a problem with voltage feedback into the cable lines. After further questioning this could be an issue with any TV tuner card hooked up with a coax to the cable company.
Here’s my configuration:
- Intel® Core™ 2 Quad Processor Q9300 (6MB Cache,2.50GHz,1333FSB)
- Genuine Windows Vista® Home Premium with Digital Cable Support
- 4GB Dual Channel DDR2 SDRAM at 800MHz – 4 DIMMs
- Dell USB Enhanced Multimedia Keyboard
- 22 inch E228WFP Widescreen Digital Flat Panel
- Radeon ATI HD 2600 XT 256MB
- 750GB – 7200RPM, SATA 3.0Gb/s, 16MB Cache
- Dell Media Card Reader included in Dell Bluetooth Package
- Dell Optical USB Mouse
- Blu-ray Disc Combo (DVD+/-RW + BD-ROM)
- Integrated Sound Blaster®Audigy™ HD Software Edition
- Dell 19 in 1 Media Reader with Bluetooth
- 1Yr In-Home Service, Parts + Labor,24×7 Phone Support
- Single ATITV Wonder™Digital Cable Tuner with Remote
- McAfee SecurityCenter with anti-virus, anti-spyware, firewall, 24-months
- Adobe® Acrobat® Reader 8.1
- Included 3 GB DataSafe Online Backup for 1Yr
- No speakers (Speakers are required to hear audio from your system)
- No Productivity software pre-installed
- No Modem Requested
DFSRDIAG (Distributed File System Replication Diag)
I’ve recently been tweaking my data replication schemes. We’ve got multiple servers spread out all over and seems like we replicate date all over the place. My most recent brilliant idea was to replicate our offline virtual machine images and software installation ISO files to all of our Hyper-V servers. In working through some staging quota issues because the files that I wanted to replicate was greater than the default 4GB default staging quota, I found a cool tool that will show a list of the backlogged files waiting to replicate. The tool is called dfsrdiag and is run from a command prompt. In Windows Server 2008 with UAC the command prompt window will need to have its credentials elevated to Administrator.
Sample command:
dfsrdiag Backlog /ReceivingMember:vs1 /SendingMember:vs3 /RGName:”Software Library” /RFName:”Software Library”
Sample Output:
Member <vs1> Backlog File Count: 9
Backlog File Names (first 9 files)
1. File name: win2008×64Ent-disk1.rar.part01.exe
2. File name: win2008×64Ent-disk1.rar.part03.rar
3. File name: win2008×64Std.rar.part01.exe
4. File name: win2008×64Std.rar.part02.rar
5. File name: win2008×64Std.rar.part03.rar
6. File name: win2008×86std.rar.part01.exe
7. File name: win2008×86std.rar.part02.rar
8. File name: SW_DVD5_Windows_Svr_DC_Ent_Std_2008_English_32bit_MLF_X14-26710.ISO
9. File name: SW_DVD5_Windows_Svr_DC_Ent_Std_2008_English_x64_MLF_X14-26714.ISO
Operation Succeeded
Command “Backlog” Help:
Usage: DFSRDIAG Backlog [/ReceivingMember:name] </SendingMember:name>
</RGName:name> </RFName:name>
</RGName>
The display name for the replication group
Example: /RGName:Applications
</RFName>
The display name for the replicated folder
Example: /RFName:”Applications Distribution”
</SendingMember> or </SMem>
The DNS or NetBIOS name of the member that is sending the replication
data
Example: /SendingMember:Branch01.sales.contoso.com,
/SendingMember:sales\Branch01, /SendingMember:Branch01
[/ReceivingMember] or [/RMem]
The DNS or NetBIOS name of the member receiving the replication data.
Uses local computer if not specified
Example: /ReceivingMember:Branch01.sales.contoso.com,
/ReceivingMember:sales\Branch01, /ReceivingMember:Branch01
[/Help] or [/?]
Display help message for the command
Example: /?
[/Verbose] or [/V]
Enable verbose logging
Example: /v
