Microsoft Windows
Disable Java Update using Group Policy
The Java Updater is horrible.
- It throws up a UAC prompt without warning / explanation / asking first
- It doesn’t work half the time
- It installs the Ask toolbar if you aren’t careful to opt out
Even though Java needs to be kept up to date, we simply cannot have users being harassed by a utility that doesn’t work, then installs crapware when it does.
Turning off the Updater is as simple as setting a registry value; the catch is that most instructions online do not account for 64-bit Windows.
On a 32-bit machine the value is a DWORD named EnableJavaUpdate in the key HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy. Set it to 0.
On a 64-bit machine the key can be in that same location (written by 64-bit Java), in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Update\Policy (written by 32-bit Java), or in both if both runtimes are installed.
The way I chose to do it was with Machine Group Policy Preferences – Registry items. I use Item-level targeting to make sure the values exist before updating them.
This is a screenshot of the Registry items – showing where to place the Item-level targeting, and what settings to use
(The main reason for the targeting is to prevent it from creating the Wow6432Node on 32-bit machines)
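The same logic as the targeted Registry preference, as an added PowerShell example that is not part of the original post: it sets EnableJavaUpdate to 0 in each Java Update\Policy key that already exists and skips the ones that do not, so a 32-bit machine never grows a Wow6432Node branch. The check for 32-bit PowerShell on 64-bit Windows is an addition; without it, registry redirection would silently point HKLM:\SOFTWARE at Wow6432Node and the native key would be missed.

```powershell
# Added example, not from the original post. Run elevated; on 64-bit Windows
# run it from 64-bit PowerShell (see the redirection check below).

$JavaPolicyKeys = @(
    'HKLM:\SOFTWARE\JavaSoft\Java Update\Policy',             # 64-bit Java, or 32-bit Java on 32-bit Windows
    'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Update\Policy'  # 32-bit Java on 64-bit Windows
)

function Disable-JavaUpdate {
    param([string[]]$Keys = $JavaPolicyKeys)

    # PROCESSOR_ARCHITEW6432 is only set for a 32-bit process on 64-bit Windows;
    # in that case HKLM:\SOFTWARE is redirected and we would miss the native key.
    if ($env:PROCESSOR_ARCHITEW6432) {
        throw 'Run this from 64-bit PowerShell on 64-bit Windows.'
    }

    foreach ($key in $Keys) {
        # Same idea as the item-level targeting: only touch keys Java itself created.
        if (-not (Test-Path -LiteralPath $key)) { continue }

        $current = (Get-ItemProperty -LiteralPath $key -Name EnableJavaUpdate -ErrorAction SilentlyContinue).EnableJavaUpdate
        if ($current -eq 0) {
            Write-Output "$key : already disabled"
            continue
        }

        # REG_DWORD 0 turns the updater off (and hides the Update tab in the Java Control Panel).
        Set-ItemProperty -LiteralPath $key -Name EnableJavaUpdate -Value 0 -Type DWord
        Write-Output "$key : EnableJavaUpdate set to 0 (was '$current')"
    }
}

function Test-JavaUpdateDisabled {
    # True when at least one policy key exists and every existing one holds 0.
    param([string[]]$Keys = $JavaPolicyKeys)
    $present = @($Keys | Where-Object { Test-Path -LiteralPath $_ })
    if ($present.Count -eq 0) { return $false }
    foreach ($key in $present) {
        $v = (Get-ItemProperty -LiteralPath $key -Name EnableJavaUpdate -ErrorAction SilentlyContinue).EnableJavaUpdate
        if ($v -ne 0) { return $false }
    }
    return $true
}

Disable-JavaUpdate
Test-JavaUpdateDisabled
```

Run it once by hand on a 32-bit and a 64-bit machine before pushing it out as a startup script; Test-JavaUpdateDisabled returning $false on a machine with no Java installed is expected, since there is nothing to disable there.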
Trying out System Center 2012 RC… or not
I have evaluated several versions of System Center Essentials over the years, and after getting past the initial “ooh, shiny MMCs” reaction (and the terrible installation experience), I have generally found them to be lackluster.
System Center 2012 comes around and even makes the news: Microsoft is of course “all-in” on the cloud, so SC2012 is hyped to help create and manage your “Private Cloud”. Additionally, Microsoft has streamlined licensing so that instead of several different products (Configuration Manager, Operations Manager, Data Protection Manager, Virtual Machine Manager, Service Manager) there is just one product (well… two, but they only differ in virtualization instance counts) including all the technologies, and the price is fairly reasonable. The product now contains the following components:
- App Controller – (new) “Cloud”-style application management (App-V, server configuration templates), application performance monitoring (J2EE & .NET – Visual Studio Integration)
- Configuration Manager – Software deployment, update management, configuration compliance / enforcement, administration
- Data Protection Manager – Backup (server, workstation, bare metal)
- Endpoint Protection – Anti-Malware, firewall configuration
- Operations Manager – Performance / availability monitoring
- Orchestrator – (formerly Opalis) Data Center workflow management (?)
- Service Manager – Helpdesk, trouble tickets, process compliance
- Virtual Machine Manager – Self explanatory
I realize I’m probably demonstrating my naïveté here, but there does seem to be some overlap: Configuration Manager, Orchestrator and Service Manager all list process / configuration automation in their feature lists. Considering these used to be separate SKUs I understand why this might be, but it makes for a very unpolished-looking product. If I want to deploy an application to users’ machines, do I use App Controller? Or Configuration Manager? Or do I “Orchestrate” it?
Sounds like the answer is “sure.”
Getting Started
The download for System Center 2012 is available here: http://technet.microsoft.com/en-us/evalcenter/hh505660.aspx?ocidotc-f-corp-jtc-DPR&wt.mc_id;TEC_103_1_33
Out the gate, things are not looking good. Despite touting the new “System Center 2012 Unified Installer,” the download includes 8 files of various names and extensions, none of which are instructions.
Also of note: the creepy total size: 6.66 GB…
There should be some documentation hidden here: Microsoft Private Cloud Evaluation Resources
So I have my VM ready to go, but no idea how to proceed. Checking the Unified Installer user guide, which is really poorly written, I discover that you need a separate server for each component, except for Service Manager, which requires two. So I hope you have a powerful virtualization server… or a bunch of extra workstations lying around, because that is a whopping 8 servers to perform a complete install.
That’s right: System Center 2012 requires its own private cloud just to run. (Our data center only has about 8 servers to be managed!) That is 8 Windows licenses. That might even be enough to cause a TechNet static activation key to stop working. One could virtualize, but the Standard license only allows you to manage two virtual machines… this thing isn’t even licensed to manage itself.
Conclusion
At this point, even after spending the time setting up VMs for it, I am tempted to scrap the whole thing. Too many servers, too many manual steps, poor documentation, and a high likelihood of fatal-non-resumable-installer-errors-after-hours-of-non-reversible-changes (see SCE 2010) all sums up to a poor allocation of resources.
I can do 90% of what System Center 2012 does with Group Policy (free with Windows Server), WSUS (free), Microsoft Security Essentials (Free) and Zabbix or Quest FogLight (free or free to a point).
Update – To Be Continued…
Three more virtual machines later, and I have all the necessary servers. I went through with the installation successfully and will post the steps soon.
Sysprep Windows Server 2008 R2 and use Windows Server Backup
Windows Server 2008 R2 comes with sysprep pre-installed at C:\Windows\System32\sysprep\sysprep.exe; it is best to run it from an elevated command line.
If you are looking to create a sysprepped image using the built in Windows Server Backup, you will be sorely disappointed – WSB does not run after running sysprep (if you choose the Exit option) – in fact very little will run.
The workaround is simple but non-intuitive (backup first; sysprep second):
1. Run the backup first.
2. Restore the backup on a different machine (or virtual machine).
3. On first boot, make sure the network is disconnected. The restored copy still has the original server’s name, SID and IP address, so it must not come up on the same network as the source until it has been generalized.
4. Run sysprep (be sure to select Generalize) and have it reboot.
5. Repeat as needed.
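The backup-first, sysprep-second sequence as an added PowerShell example (not from the original post). Invoke-SourceBackup is step 1 and runs on the machine being imaged; Invoke-Generalize covers steps 3 and 4 on the restored copy and refuses to run sysprep while any NIC is still connected. Step 2, the restore itself, is done from the Windows Server 2008 R2 setup media / WinRE and is not scripted. The backup target E: is an assumption for illustration.

```powershell
# Added example, not from the original post. Both functions need an elevated prompt.

function Invoke-SourceBackup {
    # Step 1: Windows Server Backup from the command line (requires the Windows
    # Server Backup feature). -allCritical includes every volume needed to boot.
    param([string]$BackupTarget = 'E:')   # assumed target, adjust as needed
    $p = Start-Process -FilePath wbadmin.exe -Wait -NoNewWindow -PassThru `
        -ArgumentList 'start', 'backup', "-backupTarget:$BackupTarget", '-allCritical', '-quiet'
    if ($p.ExitCode -ne 0) { throw "wbadmin failed with exit code $($p.ExitCode)" }
}

function Get-ConnectedAdapters {
    # Physical adapters whose link is up (NetConnectionStatus 2 = Connected).
    # WMI rather than Get-NetAdapter so this works on 2008 R2's PowerShell 2.0.
    Get-WmiObject Win32_NetworkAdapter -Filter 'PhysicalAdapter=TRUE AND NetConnectionStatus=2'
}

function Invoke-Generalize {
    # Steps 3 and 4: the restored copy still carries the source's name, SID and IP,
    # so it must not see the source's network before it has been generalized.
    param([switch]$DisableAdapters)

    $connected = @(Get-ConnectedAdapters)
    if ($connected.Count -gt 0) {
        $names = ($connected | ForEach-Object { $_.NetConnectionID }) -join ', '
        if (-not $DisableAdapters) {
            throw "Network still connected on: $names. Unplug or disable the adapter(s), or pass -DisableAdapters."
        }
        foreach ($nic in $connected) {
            $rc = $nic.Disable().ReturnValue
            if ($rc -ne 0) { throw "Could not disable $($nic.NetConnectionID) (return code $rc)" }
        }
    }

    $sysprep = Join-Path $env:windir 'System32\Sysprep\sysprep.exe'
    if (-not (Test-Path $sysprep)) { throw "sysprep.exe not found at $sysprep" }

    # /generalize strips machine-specific state such as the SID, /oobe boots the
    # copy into Windows Welcome, /reboot matches step 4 above.
    Start-Process -FilePath $sysprep -ArgumentList '/generalize', '/oobe', '/reboot' -Wait -NoNewWindow
}

# On the source server:   Invoke-SourceBackup -BackupTarget 'E:'
# On the restored copy:   Invoke-Generalize -DisableAdapters
```

Disabling the adapters in software is a convenience for virtual machines; on physical hardware, unplugging the cable is the safer version of step 3, since the check only sees adapters Windows already knows about.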
Uninstalling Windows 8 when using UEFI
So you went ahead and dual booted the Windows 8 Developer Preview with your Windows 7 machine, but decided you don’t want it anymore. There are lots of instructions online for how to remove it when you are using a standard boot, but if you are using UEFI your life is much simpler. (I’m not going into detail since if you figured out how to dual boot, you can probably handle a partition or two.)
Using Disk Management, delete the volume for your windows 8 installation. Optionally, expand the volume for your Windows 7 install to get the space back.
If you want to speed up the boot process a bit, open the Advanced System Settings (right-click Computer, Properties, Advanced System Settings), click Settings… under Startup and Recovery, and make sure the check box next to “Time to display list of operating systems” is unchecked (and that Windows 7 is the default operating system).
All done! No need to edit the BCD when using EFI boot; it appears that Windows automatically removes the Windows 8 entry when you delete the partition. (I ran bcdedit just to check.)
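The bcdedit check from the last paragraph, as an added PowerShell example that is not part of the original post. It parses the output of bcdedit /enum osloader and of the {bootmgr} entry into objects, so you can confirm that only the Windows 7 loader remains, that it is the default, and that the OS-list timeout is 0 (which is what the unchecked “Time to display list of operating systems” box sets). The expected description “Windows 7” is an assumption; pass your own if the entry was renamed.

```powershell
# Added example, not from the original post. Run elevated; works the same on
# UEFI and BIOS installs because bcdedit prints the same block format for both.

function ConvertFrom-BcdOutput {
    # bcdedit prints blocks: a title line ("Windows Boot Loader"), a dashed line,
    # then "name      value" rows separated by runs of spaces.
    param([string[]]$Lines)
    $entries = @(); $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^-{5,}$') { continue }
        if ($line -match '^\S' -and $line -notmatch '^\S+\s{2,}\S') {
            $current = @{ Type = $line.Trim() }       # new block
            $entries += $current
            continue
        }
        if ($current -and $line -match '^(\S+)\s{2,}(.+)$') {
            $current[$matches[1]] = $matches[2].Trim()   # first value only for multi-value rows
        }
    }
    $entries | ForEach-Object { New-Object PSObject -Property $_ }
}

function Get-BcdState {
    $raw = & bcdedit /enum osloader
    if ($LASTEXITCODE -ne 0) { throw 'bcdedit /enum osloader failed; run from an elevated prompt' }
    $loaders = @(ConvertFrom-BcdOutput $raw)

    $raw = & bcdedit /enum '{bootmgr}'
    if ($LASTEXITCODE -ne 0) { throw 'bcdedit /enum {bootmgr} failed' }
    $bootmgr = ConvertFrom-BcdOutput $raw | Select-Object -First 1

    New-Object PSObject -Property @{
        Loaders = $loaders
        Default = $bootmgr.default
        Timeout = $bootmgr.timeout
    }
}

function Test-DualBootRemoved {
    # True once a single loader is left, it is the boot manager default, and the
    # menu timeout is 0 (or absent). Returns only a boolean so it can be scripted.
    param([string]$ExpectedDescription = 'Windows 7')
    $state = Get-BcdState
    if ($state.Loaders.Count -ne 1) { return $false }
    $only = $state.Loaders[0]
    return ($only.description -eq $ExpectedDescription) -and
           ($state.Default -eq $only.identifier) -and
           ([int]$state.Timeout -eq 0)
}

(Get-BcdState).Loaders | Format-Table identifier, description, device -AutoSize
Test-DualBootRemoved
```

If Test-DualBootRemoved returns $false, the table above it shows which loader entry is still there and which partition it points at; an entry whose device names a partition that no longer exists is the one to remove with bcdedit /delete.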
Microsoft tool for creating bootable USB drive
Not sure when this happened, but MS has a tool on CodePlex that will copy a bootable ISO to a USB flash drive and make it bootable. I haven’t tried it, but it’s nice to finally have a purpose-built tool for the job.
Have a look here:
Windows 7 USB/DVD Download Tool
Note: the comments say it works with Windows 8 as well, and it probably works with Server 2008 R2 too.
Using dsamain to browse disconnected ntds.dit
If you want to peek into the past contents of your Active Directory, you used to have to perform a complete server restore. (By “used to”, I mean Server 2003.)
Server 2008 has a tool, dsamain.exe, that mounts the ntds.dit file from your backup as a standalone LDAP server, which can then be browsed using ADSI Edit. Once you get it working it is much quicker than a full restore, provided you can extract just the database files from the backup. The first step is to install the AD DS role on a member server (without promoting it to a domain controller); I would not recommend doing this on a domain controller proper. That gets you the tools you need to proceed.
As usual, I am posting this because the internet demonstrated epic fail when it came to debugging the process.
When I first attempted to use dsamain.exe on the ntds.dit file, I received the following errors:
dsamain /dbpath ntds.dit /ldapport 1492
EVENTLOG (Error): NTDS General / Internal Processing : 1168
Internal error: An Active Directory Domain Services error has occurred.
Error value (decimal): -550
Error value (hex): fffffdda
Internal ID: 40878
EVENTLOG (Error): NTDS General / Internal Processing : 1003
Active Directory Domain Services could not be initialized.
The directory service cannot recover from this error.
Because my AD database copy was taken in a “naughty” manner, the solution to this issue is to use the esentutl utility to recover the database (replay the log files) and then repair it.
I had a heck of a time with esentutl not working at first – it complained about missing references and such. The solution:
1. Make sure you have the database file AND the log files (the edb*.log files). Sometimes these are placed on separate volumes.
2. The esentutl recovery command takes the 3-character log file prefix as its parameter, NOT the database file name.
3. The utility determines the database file path from the log files, so place all the files from your original domain controller in the same folder path on your member server (e.g. C:\Windows\NTDS). If esentutl complains, check your paths.
4. Open an elevated command prompt, change to the folder containing your files, and run “esentutl /r edb”. It should just work.
Next, check the integrity of the database. It will probably find some errors:
“esentutl /g ntds.dit”
Finally, run a repair on the database, and be sure to click “Yes” (or OK) on the prompt:
“esentutl /p ntds.dit”
Now you can use dsamain to try mounting the database:
“dsamain /dbpath ntds.dit /ldapport 1492”
If you are like me, you will get an error along the lines of 1809 JET_errPermissionDenied, Permission denied
(meta note: the phrase “JET_errPermissionDenied” was painfully absent from any meaningful pages in the internet before now.)
The solution to this error: use the /allowupgrade option when running dsamain. (I’m guessing this is happening because the member server is not running the same exact version of AD DS as the Domain Controller).
Using this command:
“dsamain /dbpath ntds.dit /ldapport 1492 /allownonadminaccess /allowupgrade”
It updated the database, and mounted the sucker. (I do receive an error about exclusive access to a port – haven’t resolved it, but as long as your LDAP port is ok, you should be fine)
Now run ADSI Edit, connect to localhost:1492 (or your port of choice) select your desired naming context, and enjoy the time travelling experience!
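The recover / check / repair / mount sequence above as an added PowerShell example (not from the original post), with a check that the mounted instance actually answers LDAP before you open ADSI Edit. Assumptions that are not in the post: the domain controller’s ntds.dit and edb*.log files (plus edb.chk, if you have it) were copied into C:\ntds-work on a member server that has the AD DS role binaries, port 1492 is free, and you are running elevated. esentutl /p still pops its confirmation dialog, so that step stays interactive.

```powershell
# Added example, not from the original post. $WorkDir and $LdapPort are assumptions.

$WorkDir  = 'C:\ntds-work'
$LdapPort = 1492

function Invoke-Esentutl {
    # Run esentutl in the working folder and return its exit code; the caller
    # decides whether non-zero is fatal (for /g it usually isn't on a dirty copy).
    param([string[]]$ToolArgs)
    $p = Start-Process -FilePath esentutl.exe -ArgumentList $ToolArgs `
        -WorkingDirectory $WorkDir -Wait -NoNewWindow -PassThru
    return $p.ExitCode
}

function Repair-OfflineNtds {
    # Step 1 from the list above: database and logs must sit in the same folder.
    if (-not (Test-Path (Join-Path $WorkDir 'ntds.dit'))) { throw "ntds.dit not found in $WorkDir" }
    if (-not (Get-ChildItem -Path $WorkDir -Filter 'edb*.log')) {
        throw "No edb*.log files in $WorkDir; copy the log files from the DC as well"
    }

    # Steps 2-4: soft recovery takes the 3-character log prefix, not the .dit name.
    $rc = Invoke-Esentutl @('/r', 'edb')
    if ($rc -ne 0) { throw "esentutl /r edb failed with $rc; check that the folder path matches the original DC" }

    # Integrity check: on a copy taken while AD was running, errors here are expected.
    $rc = Invoke-Esentutl @('/g', 'ntds.dit')
    if ($rc -ne 0) { Write-Warning "integrity check returned $rc; proceeding to repair" }

    # Hard repair (click Yes/OK on the dialog). Repair can discard damaged records,
    # which is fine for browsing history but is why you only ever do this to a copy.
    $rc = Invoke-Esentutl @('/p', 'ntds.dit')
    if ($rc -ne 0) { throw "esentutl /p failed with $rc" }
}

function Mount-OfflineNtds {
    # dsamain stays in the foreground until Ctrl+C, so launch it in its own window
    # and poll RootDSE until the LDAP listener answers.
    param([switch]$AllowNonAdminAccess)
    $dsaArgs = @('/dbpath', (Join-Path $WorkDir 'ntds.dit'), '/ldapport', "$LdapPort", '/allowupgrade')
    if ($AllowNonAdminAccess) { $dsaArgs += '/allownonadminaccess' }   # lets non-Domain Admins read the data
    $proc = Start-Process -FilePath dsamain.exe -ArgumentList $dsaArgs -WorkingDirectory $WorkDir -PassThru

    $deadline = (Get-Date).AddSeconds(60)
    while ((Get-Date) -lt $deadline) {
        if ($proc.HasExited) { throw "dsamain exited early (code $($proc.ExitCode)); see its window for the JET error" }
        try {
            $root = [ADSI]"LDAP://localhost:$LdapPort/RootDSE"
            $null = $root.Get('namingContexts')      # forces the bind; throws until the port is up
            return $proc
        } catch { Start-Sleep -Seconds 2 }
    }
    Stop-Process -Id $proc.Id -ErrorAction SilentlyContinue
    throw "dsamain never started listening on port $LdapPort"
}

function Get-OfflineNamingContexts {
    # The naming contexts you pick from in ADSI Edit when connecting to localhost:1492.
    @(([ADSI]"LDAP://localhost:$LdapPort/RootDSE").Get('namingContexts'))
}

# Repair-OfflineNtds
# $dsa = Mount-OfflineNtds          # add -AllowNonAdminAccess only if you really need it
# Get-OfflineNamingContexts
# Stop-Process -Id $dsa.Id          # when you are done browsing
```

Two things worth keeping in mind while the instance is up: the working copy holds every domain account’s password hashes, and /allownonadminaccess means exactly what it says, so unless you firewall the port, anything that can reach the member server can read the database. Leave that switch off unless you need it, stop dsamain as soon as you have what you came for, and delete the working folder afterwards.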
