Ever since the installation of MOSS 2007 on our server, the application event log filled up with the errors 7076, 6482 and 6398. Each of these messages have as message: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
Secondly, you'll notice that the IIS administration is not showing any web sites or application pools. The only way to administer the IIS at that moment is to reboot the server.
All of these messages are linked with 1 problem: .NET framework 2.0
Microsoft has released a patch for this problem, to install only when you experience this problem: http://support.microsoft.com/kb/923028/en-us .
After applying this patch, the error messages should stop and the IIS is back online.
Friday, June 22, 2007
Tuesday, June 05, 2007
SQL 2005 takes extremely long to install
The other day I had to install a SQL 2005 server at a client to host his sharepoint services.
During the initial setup, no specific options were chosen (mixed authentication, default instance, default corralation, ...), but once the installation got to the "Creating local accounts" and "Settings File security" of the database creation portion, the installation got really slow. In the verbose logging, you saw that the installation did about 3 - 4 settings every 10 minutes!!
This is a known issue when installing on a server which is in a domain that has many external trusts. However, I experienced this in a single domain setup.
Luckily, there are 2 ways around this.
First, is the "quick and dirty" way.
Go to the server locally, so not via a remote desktop and disable the various NIC's. It's ok to do this while the installation is still running. Also if you've specified a domain service account for SQL to run on.
You'll notice the installation continues in a normal pace.
When the installation is done, just re-enable the NIC's and connect to your SQL management suite.
Second, is the more difficult but clean way, especially if you know you have to do this more than just once.
1. Contact Microsoft to obtain hotfix KB901530 (it is not available for download from their site)
2. extract the hotfix in a folder
3. run the .exe with /X to extract them to seperate new folders
AS2005-KB901530-x86-ENU.exe /X:C:\QFE\AS
SQL2005-KB901530-x86-ENU.exe /X:C:\QFE\SQL
DTS2005-KB901530-x86-ENU.exe /X:C:\QFE\IS
NS2005-KB901530-x86-ENU.ex /X:C:\QFE\NS
RS2005-KB901530-x86-ENU.exe /X:C:\QFE\RS
SQLTools2005-KB901530-x86-ENU.exe /X:C:\QFE\Tools
SQLSupport2005-KB901530-x86-ENU.exe /X:C:\QFE\SqlSupport
4. install SQL 2005 with the command:
\Servers\setup.exe SQLSUPPORTPATCH="C:\QFE\SqlSupport\msp\SqlSupport.msp" HOTFIXPATCH="C:\QFE\AS\hotfixas\files\sqlrun_as.msp;
C:\QFE\SQL\hotfixsql\files\sqlrun_sql.msp;
C:\QFE\IS\hotfixdts\files\sqlrun_dts.msp;
C:\QFE\NS\hotfixns\files\sqlrun_ns.msp;
C:\QFE\RS\hotfixrs\files\sqlrun_rs.msp;
C:\QFE\Tools\hotfixtools\files\sqlrun_tools.msp"
Enjoy!
During the initial setup, no specific options were chosen (mixed authentication, default instance, default corralation, ...), but once the installation got to the "Creating local accounts" and "Settings File security" of the database creation portion, the installation got really slow. In the verbose logging, you saw that the installation did about 3 - 4 settings every 10 minutes!!
This is a known issue when installing on a server which is in a domain that has many external trusts. However, I experienced this in a single domain setup.
Luckily, there are 2 ways around this.
First, is the "quick and dirty" way.
Go to the server locally, so not via a remote desktop and disable the various NIC's. It's ok to do this while the installation is still running. Also if you've specified a domain service account for SQL to run on.
You'll notice the installation continues in a normal pace.
When the installation is done, just re-enable the NIC's and connect to your SQL management suite.
Second, is the more difficult but clean way, especially if you know you have to do this more than just once.
1. Contact Microsoft to obtain hotfix KB901530 (it is not available for download from their site)
2. extract the hotfix in a folder
3. run the .exe with /X to extract them to seperate new folders
AS2005-KB901530-x86-ENU.exe /X:C:\QFE\AS
SQL2005-KB901530-x86-ENU.exe /X:C:\QFE\SQL
DTS2005-KB901530-x86-ENU.exe /X:C:\QFE\IS
NS2005-KB901530-x86-ENU.ex /X:C:\QFE\NS
RS2005-KB901530-x86-ENU.exe /X:C:\QFE\RS
SQLTools2005-KB901530-x86-ENU.exe /X:C:\QFE\Tools
SQLSupport2005-KB901530-x86-ENU.exe /X:C:\QFE\SqlSupport
4. install SQL 2005 with the command:
C:\QFE\SQL\hotfixsql\files\sqlrun_sql.msp;
C:\QFE\IS\hotfixdts\files\sqlrun_dts.msp;
C:\QFE\NS\hotfixns\files\sqlrun_ns.msp;
C:\QFE\RS\hotfixrs\files\sqlrun_rs.msp;
C:\QFE\Tools\hotfixtools\files\sqlrun_tools.msp"
Enjoy!
Friday, June 01, 2007
PAC files
PAC stands for "Proxy Auto Configuration"
With a PAC file we can define how web browsers can automatically choose the appropriate proxy server for looking up a given URL. This is done based on a JavaScript function "FindProxyFor URL(url, host)".
To use PAC, you publish a PAC file on a Web server and instruct your browser to read it.
This can be done manually by open a web browser on the client and navigating to: tools - internet options - Connections - LAN settings - Use automatic configuration script and entering the path where the PAC file is located. Of course, it can also be done on a larger scale by defining the PAC file in a client applied GPO.
There is a catch! Due to security restrictions of Windows 2003 servers, you must instruct your web server to declare the mime type of this file to be: application/x-ns-proxy-autoconfig. On Windows 2000 servers, this is not necessary.
The Mime type can be added on your IIS server under the tab "HTTP" and clicking on "MIME".
Examples of PAC-files which can be easily adjusted to your needs.
Simple PAC file
function FindProxyForURL(url, host)
{
if (isInNet(myIpAddress(), "192.168.1.0", "255.255.255.0"))
return "PROXY 192.168.1.1:8080";
else
return "DIRECT";
}
More complex PAC file
function FindProxyForURL(url, host)
{
if (shExpMatch(url, "http://principia.mo.techpaths.com*")) {
return "DIRECT";
}
if (isInNet(myIpAddress(), "192.168.1.0", "255.255.255.0"))
return "PROXY 192.168.1.1:8080";
else
return "DIRECT";
}
Complex PAC file
function FindProxyForURL(url, host)
{
// variable strings to return
var proxy_yes = "PROXY 192.168.1.1:8080";
var proxy_no = "DIRECT";
if (shExpMatch(url, "http://www.mycompanywebsite.com*")) { return proxy_no; }
if (shExpMatch(url, "http://www.myotherwebsite.com*")) { return proxy_no; }
if (shExpMatch(url, "http://www.my3rdlocalsite.com*")) { return proxy_no; }
// Proxy anything else
return proxy_yes;
}
Very complex PAC file
function FindProxyForURL(url, host)
{
// variable strings to return
var proxy_yes = "PROXY 192.168.1.1:8080";
var proxy_no = "DIRECT";
if (shExpMatch(url, "http://www.mycompanywebsite.com*")) { return proxy_no; }
if (shExpMatch(url, "http://www.myotherwebsite.com*")) { return proxy_no; }
if (shExpMatch(url, "http://www.my3rdlocalsite.com*")) { return proxy_no; }
if (shExpMatch(url, "http://192.168.1.100*")) { return proxy_no; }
// Proxy if PC is on local LAN
if (isInNet(myIpAddress(), "192.168.1.0", "255.255.255.0"))
return "PROXY 192.168.1.1:8080";
else
return "DIRECT";
}
With a PAC file we can define how web browsers can automatically choose the appropriate proxy server for looking up a given URL. This is done based on a JavaScript function "FindProxyFor URL(url, host)".
To use PAC, you publish a PAC file on a Web server and instruct your browser to read it.
This can be done manually by open a web browser on the client and navigating to: tools - internet options - Connections - LAN settings - Use automatic configuration script and entering the path where the PAC file is located. Of course, it can also be done on a larger scale by defining the PAC file in a client applied GPO.
There is a catch! Due to security restrictions of Windows 2003 servers, you must instruct your web server to declare the mime type of this file to be: application/x-ns-proxy-autoconfig. On Windows 2000 servers, this is not necessary.
The Mime type can be added on your IIS server under the tab "HTTP" and clicking on "MIME".
Examples of PAC-files which can be easily adjusted to your needs.
Simple PAC file
function FindProxyForURL(url, host)
{
if (isInNet(myIpAddress(), "192.168.1.0", "255.255.255.0"))
return "PROXY 192.168.1.1:8080";
else
return "DIRECT";
}
More complex PAC file
function FindProxyForURL(url, host)
{
if (shExpMatch(url, "http://principia.mo.techpaths.com*")) {
return "DIRECT";
}
if (isInNet(myIpAddress(), "192.168.1.0", "255.255.255.0"))
return "PROXY 192.168.1.1:8080";
else
return "DIRECT";
}
Complex PAC file
function FindProxyForURL(url, host)
{
// variable strings to return
var proxy_yes = "PROXY 192.168.1.1:8080";
var proxy_no = "DIRECT";
if (shExpMatch(url, "http://www.mycompanywebsite.com*")) { return proxy_no; }
if (shExpMatch(url, "http://www.myotherwebsite.com*")) { return proxy_no; }
if (shExpMatch(url, "http://www.my3rdlocalsite.com*")) { return proxy_no; }
// Proxy anything else
return proxy_yes;
}
Very complex PAC file
function FindProxyForURL(url, host)
{
// variable strings to return
var proxy_yes = "PROXY 192.168.1.1:8080";
var proxy_no = "DIRECT";
if (shExpMatch(url, "http://www.mycompanywebsite.com*")) { return proxy_no; }
if (shExpMatch(url, "http://www.myotherwebsite.com*")) { return proxy_no; }
if (shExpMatch(url, "http://www.my3rdlocalsite.com*")) { return proxy_no; }
if (shExpMatch(url, "http://192.168.1.100*")) { return proxy_no; }
// Proxy if PC is on local LAN
if (isInNet(myIpAddress(), "192.168.1.0", "255.255.255.0"))
return "PROXY 192.168.1.1:8080";
else
return "DIRECT";
}
Manually demoting a DC
Demoting a DC is not easy when this domain controller has replication and connectivity problems with the other DC's. This can happen if for example a DC in a remote site is unable to contact the main site when the link is down.
However, it is possible, and this is how:
First: We need to demote the DC with the dcpromo command. To do this we open the run command box and type "dcpromo /forceremoval". This switch will make sure the DC will remove all it's AD features without contacting the other domain controllers. Of course, the metadata on the remaining DC's will have to be cleaned up, otherwise they won't realise the DC has been demoted to a member server.
To do this, we use the ntdsutil tool.
These are the required steps to follow:
Click Start, point to Programs, point to Accessories, and then click Command Prompt.
At the command prompt, type
ntdsutil
Type
metadata cleanup
Based on the options given, the administrator can perform the removal, but additional configuration parameters need to be specified before the removal can occur.
Type
connections
This menu is used to connect to the specific server on which the changes occur. If the currently logged on user does not have administrative permissions, alternate credentials can be supplied by specifying the credentials to use before making the connection. To do so, type
set creds domain
Type
connect to server
You should receive confirmation that the connection is successfully established. If an error occurs, verify that the domain controller being used in the connection is available and the credentials you supplied have administrative permissions on the server.
Note: If you try to connect to the same server that you want to delete, when you try to delete the server that step 15 refers to, you may receive the following error message: Error 2094. The DSA Object cannot be deleted0x2094 Note: Windows Server 2003 Service Pack 1 eliminates the need for steps 3 and 4.
Type
quit
Type
select operation target
Type
list domains
A list of domains in the forest is displayed, each with an associated number.
Type
select domain
where number is the number associated with the domain to which the server you are removing is a member. The domain you select is used to determine if the server being removed is the last domain controller of that domain.
Type
list sites
Type
select site
Type
list servers in site
Type
select server
Type
quit
Type
remove selected server
You should receive confirmation that the removal completed successfully. If you receive the following error message:
Error 8419 (0x20E3) The DSA object could not be found
the NTDS Settings object may already be removed from the Active Directory as the result of another administrator removing the NTDS Settings object, or replication of the successful removal of the object after running the DCPROMO utility.
Note: You may also see this error when you attempt to bind to the domain controller that is going to be removed. Ntdsutil needs to bind to a domain controller other than the one that is going to be removed with metadata cleanup.
Type
quit
at each menu to quit the NTDSUTIL utility. You should receive confirmation that the connection disconnected successfully.
Remove the cname record in the _msdcs.root domain of forest zone in DNS. Assuming that DC is going to be reinstalled and re-promoted, a new NTDS settings object is created with a new globally unique identifier (GUID) and a matching cname record in DNS. You do not want the DC's that exist to use the old cname record.
As best practice you should delete the hostname and other DNS records. If the lease time that remains on Dynamic Host Configuration Protocol (DHCP) address assigned to offline server is exceeded then another client can obtain the IP address of the problem DC.
Now that the NTDS setting object has been deleted we can now delete the following objects:
1. Use ADSIEdit to delete the computer account in the OU=Domain controllers,DC=domain...
Note: The FRS subscriber object is deleted when the computer object is deleted, since it is a child of the computer account.
2. Use ADSIEdit to delete the FRS member object in CN=Domain System Volume (SYSVOL share),CN=file replication service,CN=system....
3. In the DNS console, use the DNS MMC to delete the cname (also known as the Alias) record in the _msdcs container.
4. In the DNS console, use the DNS MMC to delete the A (also known as the Host) record in DNS
However, it is possible, and this is how:
First: We need to demote the DC with the dcpromo command. To do this we open the run command box and type "dcpromo /forceremoval". This switch will make sure the DC will remove all it's AD features without contacting the other domain controllers. Of course, the metadata on the remaining DC's will have to be cleaned up, otherwise they won't realise the DC has been demoted to a member server.
To do this, we use the ntdsutil tool.
These are the required steps to follow:
Click Start, point to Programs, point to Accessories, and then click Command Prompt.
At the command prompt, type
ntdsutil
Type
metadata cleanup
Based on the options given, the administrator can perform the removal, but additional configuration parameters need to be specified before the removal can occur.
Type
connections
This menu is used to connect to the specific server on which the changes occur. If the currently logged on user does not have administrative permissions, alternate credentials can be supplied by specifying the credentials to use before making the connection. To do so, type
set creds domain
Type
connect to server
You should receive confirmation that the connection is successfully established. If an error occurs, verify that the domain controller being used in the connection is available and the credentials you supplied have administrative permissions on the server.
Note: If you try to connect to the same server that you want to delete, when you try to delete the server that step 15 refers to, you may receive the following error message: Error 2094. The DSA Object cannot be deleted0x2094 Note: Windows Server 2003 Service Pack 1 eliminates the need for steps 3 and 4.
Type
quit
Type
select operation target
Type
list domains
A list of domains in the forest is displayed, each with an associated number.
Type
select domain
where number is the number associated with the domain to which the server you are removing is a member. The domain you select is used to determine if the server being removed is the last domain controller of that domain.
Type
list sites
Type
select site
Type
list servers in site
Type
select server
Type
quit
Type
remove selected server
You should receive confirmation that the removal completed successfully. If you receive the following error message:
Error 8419 (0x20E3) The DSA object could not be found
the NTDS Settings object may already be removed from the Active Directory as the result of another administrator removing the NTDS Settings object, or replication of the successful removal of the object after running the DCPROMO utility.
Note: You may also see this error when you attempt to bind to the domain controller that is going to be removed. Ntdsutil needs to bind to a domain controller other than the one that is going to be removed with metadata cleanup.
Type
quit
at each menu to quit the NTDSUTIL utility. You should receive confirmation that the connection disconnected successfully.
Remove the cname record in the _msdcs.root domain of forest zone in DNS. Assuming that DC is going to be reinstalled and re-promoted, a new NTDS settings object is created with a new globally unique identifier (GUID) and a matching cname record in DNS. You do not want the DC's that exist to use the old cname record.
As best practice you should delete the hostname and other DNS records. If the lease time that remains on Dynamic Host Configuration Protocol (DHCP) address assigned to offline server is exceeded then another client can obtain the IP address of the problem DC.
Now that the NTDS setting object has been deleted we can now delete the following objects:
1. Use ADSIEdit to delete the computer account in the OU=Domain controllers,DC=domain...
Note: The FRS subscriber object is deleted when the computer object is deleted, since it is a child of the computer account.
2. Use ADSIEdit to delete the FRS member object in CN=Domain System Volume (SYSVOL share),CN=file replication service,CN=system....
3. In the DNS console, use the DNS MMC to delete the cname (also known as the Alias) record in the _msdcs container.
4. In the DNS console, use the DNS MMC to delete the A (also known as the Host) record in DNS
Adminpak on Vista
Those of you who have already tried to run the adminpak on your Vista computer will have noticed the installation goes fine but you are unable to open the snap-ins.
In order for the snap-ins to work, you have to add some dll's to the registry.
So first install the correct adminpak (currently: adminpak W2k3 SP1) on your PC.
Then create a new file on your desktop and name it for example "adminpak.reg".
Copy these dll's in the file.
regsvr32 /s adprop.dll
regsvr32 /s azroles.dll
regsvr32 /s azroleui.dll
regsvr32 /s ccfg95.dll
regsvr32 /s certadm.dll
regsvr32 /s certmmc.dll
regsvr32 /s certpdef.dll
regsvr32 /s certtmpl.dll
regsvr32 /s certxds.dll
regsvr32 /s cladmwiz.dll
regsvr32 /s clcfgsrv.dll
regsvr32 /s clnetrex.dll
regsvr32 /s cluadmex.dll
regsvr32 /s cluadmmc.dll
regsvr32 /s cmproxy.dll
regsvr32 /s cmroute.dll
regsvr32 /s cmutoa.dll
regsvr32 /s cnet16.dll
regsvr32 /s debugex.dll
regsvr32 /s dfscore.dll
regsvr32 /s dfsgui.dll
regsvr32 /s dhcpsnap.dll
regsvr32 /s dnsmgr.dll
regsvr32 /s domadmin.dll
regsvr32 /s dsadmin.dll
regsvr32 /s dsuiwiz.dll
regsvr32 /s imadmui.dll
regsvr32 /s lrwizdll.dll
regsvr32 /s mprsnap.dll
regsvr32 /s msclus.dll
regsvr32 /s mstsmhst.dll
regsvr32 /s mstsmmc.dll
regsvr32 /s nntpadm.dll
regsvr32 /s nntpapi.dll
regsvr32 /s nntpsnap.dll
regsvr32 /s ntdsbsrv.dll
regsvr32 /s ntfrsapi.dll
regsvr32 /s rasuser.dll
regsvr32 /s rigpsnap.dll
regsvr32 /s rsadmin.dll
regsvr32 /s rscommon.dll
regsvr32 /s rsconn.dll
regsvr32 /s rsengps.dll
regsvr32 /s rsjob.dll
regsvr32 /s rsservps.dll
regsvr32 /s rsshell.dll
regsvr32 /s rssubps.dll
regsvr32 /s rtrfiltr.dll
regsvr32 /s schmmgmt.dll
regsvr32 /s tapisnap.dll
regsvr32 /s tsuserex.dll
regsvr32 /s uddi.mmc.dll
regsvr32 /s vsstskex.dll
regsvr32 /s w95inf16.dll
regsvr32 /s w95inf32.dll
regsvr32 /s winsevnt.dll
regsvr32 /s winsmon.dll
regsvr32 /s winsrpc.dll
regsvr32 /s winssnap.dll
regsvr32 /s ws03res.dll
Execute the file. Normally you will receive a message box stating the entries are succesfull in the registry. Then you can delete the file you just created.
In order for the snap-ins to work, you have to add some dll's to the registry.
So first install the correct adminpak (currently: adminpak W2k3 SP1) on your PC.
Then create a new file on your desktop and name it for example "adminpak.reg".
Copy these dll's in the file.
regsvr32 /s adprop.dll
regsvr32 /s azroles.dll
regsvr32 /s azroleui.dll
regsvr32 /s ccfg95.dll
regsvr32 /s certadm.dll
regsvr32 /s certmmc.dll
regsvr32 /s certpdef.dll
regsvr32 /s certtmpl.dll
regsvr32 /s certxds.dll
regsvr32 /s cladmwiz.dll
regsvr32 /s clcfgsrv.dll
regsvr32 /s clnetrex.dll
regsvr32 /s cluadmex.dll
regsvr32 /s cluadmmc.dll
regsvr32 /s cmproxy.dll
regsvr32 /s cmroute.dll
regsvr32 /s cmutoa.dll
regsvr32 /s cnet16.dll
regsvr32 /s debugex.dll
regsvr32 /s dfscore.dll
regsvr32 /s dfsgui.dll
regsvr32 /s dhcpsnap.dll
regsvr32 /s dnsmgr.dll
regsvr32 /s domadmin.dll
regsvr32 /s dsadmin.dll
regsvr32 /s dsuiwiz.dll
regsvr32 /s imadmui.dll
regsvr32 /s lrwizdll.dll
regsvr32 /s mprsnap.dll
regsvr32 /s msclus.dll
regsvr32 /s mstsmhst.dll
regsvr32 /s mstsmmc.dll
regsvr32 /s nntpadm.dll
regsvr32 /s nntpapi.dll
regsvr32 /s nntpsnap.dll
regsvr32 /s ntdsbsrv.dll
regsvr32 /s ntfrsapi.dll
regsvr32 /s rasuser.dll
regsvr32 /s rigpsnap.dll
regsvr32 /s rsadmin.dll
regsvr32 /s rscommon.dll
regsvr32 /s rsconn.dll
regsvr32 /s rsengps.dll
regsvr32 /s rsjob.dll
regsvr32 /s rsservps.dll
regsvr32 /s rsshell.dll
regsvr32 /s rssubps.dll
regsvr32 /s rtrfiltr.dll
regsvr32 /s schmmgmt.dll
regsvr32 /s tapisnap.dll
regsvr32 /s tsuserex.dll
regsvr32 /s uddi.mmc.dll
regsvr32 /s vsstskex.dll
regsvr32 /s w95inf16.dll
regsvr32 /s w95inf32.dll
regsvr32 /s winsevnt.dll
regsvr32 /s winsmon.dll
regsvr32 /s winsrpc.dll
regsvr32 /s winssnap.dll
regsvr32 /s ws03res.dll
Execute the file. Normally you will receive a message box stating the entries are succesfull in the registry. Then you can delete the file you just created.
Subscribe to:
Posts (Atom)