lewisroberts.com

Yes, I’m finally, FINALLY Microsoft certified. I’ve been doing this stuff successfully for ten years without the compulsion to get myself certified but I decided recently to add credence to my experience by taking the exams.

This is step one on the MCITP Enterprise Administrator track and hopefully this logo should grow and finally become an MCITP (Microsoft Certified IT Professional) in the next few months as I prepare and take the exams required.

Once I’ve got my MCITP I’ll follow up with the CCNA and then back to Microsoft for Exchange (Messaging) and probably SCCM to round things off. The next few months should be interesting and if I’m honest, I’m looking forward to it!

-Lewis

…is not made easy by our friends at VMWare.

Oh sure they’ll provide you with a tool called VMWare Converter Standalone which purports to convert your VMWare workstation guests in to fully fledged ESXi compatible versions but does it actually work? In short, no, it doesn’t.

I’m sure that statemt’ll wrangle some VCPs and possibly VMWare themselves but I simply can’t give it anything that could be misconstrued as a seal of approval. The damn piece of software just doesn’t work.

Let me quantify that statement with an example: Last weekend I began the process of building my new ESXi 4 server. Having an existing one that I wanted to tear down and use some parts from, I decided I’d use VMWare Converter Standalone to take the machines from ESXi 4 and put them on my Workstation installation for a short spell while I decommissioned and tore down the old server for parts. Now, to give it its dues, VMWare Converter worked wonderfully for this part of the process and I was left confident that I would be able to reverse the process once the new server was built. Oh how wrong I was.

Having built my new ESXi 4 server, the following 3 days turned in to a litany of disasters and failed attempts to persuade VMWare Converter that if it REALLY tried hard enough, it might actually successfully convert a machine and put it on the ESXi 4 server.

I had two machines I wanted to convert. One is a Fedora 13 install (the one that runs this site) and the other is a Windows Server 2003 R2 box which I run my non Exchange mail server from. Nothing special about these machines and only the Windows box has a second hard drive that is used to store the mail databases so it should be easy.

Fedora 13 box has 1 x 40GB thin provisioned VMDK. The Windows server has 1 x 12GB thin provisioned VMDK and 1 x 30GB thin provisioned VMDK for the databases.

Attempt 1: Simple conversion of Windows Server. Failed to clone disk 1. Time = 3 hours.
Attempt 2: Simple conversion of Windows Server. Failed to clone disk 1. Time = 3 hours.
Attempt 3: Copy of source files of Windows Server to ESX server. Failed to identify source disk V7. = 3 hours.
Attempt 4: Creation and deployment of OVA for Windows Server. Failed to deploy.
Attempt 5: Use Workstation 7 for creation and deployment of OVA for Fedora 13. Success! Huzzah. Quick tinker with settings and it was up and running.
Attempt 6: Use Workstation 7 for creation and deployment of OVF for Windows Server. Failed to deploy. Checksum error.
Attempt 7: Investigate alternatives. Spend two hours banging my head off the desk trying to come up with a solution.
Attempt 8: Copy the files like in attempt 3. Run vmkfstools to convert (clone) the disks directly on the ESX server. Manually rename the disk file name references in the VMX file. Cross fingers, arms, legs, toes, hair folicles. Success!

Yes ladies and gentlement, the only viable option for converting a VMWare Workstation  7 guest to an ESXi host is copy/paste and vmkfstools.

To give you the full info, the command I ran to convert the disks was:

vmkfstools -i "my-source-disk.vmdk" -d zeroedthick "my-destination-disk.vmdk"

I ran the command (obviously swapping the names appropriately) on each of the disks and then manually edited the VMX file to replace the old names with the new disks and it worked. I had some additional playing about to do with the CD-ROM and a couple of other bits and pieces but it took at least eight attempts and a number of clumps of my hair to get those guests on to ESXi.

Not a process I want to have to repeat again any time soon.

If you’re looking for the full breakdown of what I did:

1. Use Browse datastore to create a folder for the source guest’s files.
2. Upload the source machines guest files to the folder created above.
3. On the ESXi host machine, enable the Remote Tech Support Mode (SSH) from Troubleshooting Options. F2 > Login > Troubleshooting Options
4. Download Putty (an SSH client) and connect to your ESX server. Login as root with your password.
5. Change directory in to the folder where you uploaded your guest’s files. This is usually located in /vmfs/volumes/[datastore]/[Folder created in step1]
6. Use the vmkfstools command to import your VMDK. This process will create a new VMDK that is compatible with ESXi.
   

   vmkfstools -i [source.vmdk] -d zeroedthick [destination.vmdk]

7. Rename your original source vmdk file(s) by using the mv command:
   

   mv [source.vmdk] [source.vmdkOLD]

8. Open the VMX file with Vi (a text editor)
   

   vi [source.vmx]

9. Find the references to the [source.vmdk] files and edit them to reflect the new names of the [destination.vmdk] files. Use the Insert key to edit and then press Esc when you have finished editing.
10. Save the edited VMX file. :w
11. Exit Vi. :q
12. Back in vSphere Client, Browse datastore and import the virtual machine VMX file.
13. Your VM should start up.
14. It’s up to you if you want to delete your [source.vmdk] files to save space.

-Lewis

My usual process for deploying Windows Server boxes involves the installation of VNC for remote console management. I know Remote Desktop is the best practice way to do this but as they say, old habits die hard.

When I recently deployed a Windows Server 2008 R2 x64 box for the purposes of running IIS7.5 at another site, I followed my usual process and of course installed VNC Enterprise (4.5.1).

We have a fairly modest application server farm so investing time and effort in deployment techniques for .NET 4 web applications to just a few servers seems a little like overkill so we generally just use VNC’s rather useful copy/paste to dump the binaries on the box. Now we’ve been using this method on our Windows Server 2003 R2 IIS6 application servers for a couple of years without any issues whatsoever. Again, I realise this isn’t “best practice” but there’s little point jumping through hoops and over-complicating matters as it just means spending more time than is really required.

However, after deploying several copies of our application to our IIS6 app servers and then the same copy of the application to the first IIS7.5 app server, we were a little perplexed to see that the IIS7.5 box wasn’t playing ball and was giving strange errors when we tried to access the back-end services. The error seemed to take us in the direction of a 32-bit application incompatibility but even after forcing 32-bit (WOW64 mode) for the application pool, we still got the same error message.

All this occurred on a Sunday and obviously being in weekend mode, I didn’t investigate quite as thoroughly as I should have. The box is pre-production so it wasn’t a huge concern that the app didn’t work though it was cause for some concern and would require investigation to resolve.

After discovering a really useful alternative tool to BgInfo called DesktopInfo, I thought I’d copy it over to the Windows Server 2008 R2 x64 app server this morning to give it a try. The server isn’t in production yet so it seemed the perfect time to give it a go. I fired up VNC and simply copied and pasted the folder with the binary over to the target server. After the copy completed successfully, I executed the binary only to be told it wasn’t a valid Win32 application. Err, what? OK, I know this is a 64-bit OS but it’ll still run 32-bit binaries… oh… hang on a minute!

I immediately dropped the VNC connection, fired up Remote Desktop and re-copied the folder, executed the binary and had no problems at all so I re-copied the previously failing application to the Windows Server 2008 R2 x64 box using Remote Desktop. I fired up the application in Internet Explorer and it worked without a problem!

Obviously I’ll have to write this one down to experience. Maybe the latest version of VNC Enterprise 4.5.4 has rectified the binary file copy corruption that seems to occur when using the copy/paste functionality on a target that is Windows Server 2008 R2 x64 but until I’ve tested that, I think I’ll stick to Remote Desktop.

The old habit might just have to die after all…

-Lewis

I thought I’d post quickly about automating FTP using explicit TLS/SSL with cURL. No, this isn’t a particularly advanced subject in the grand scheme of things (the command line is very simple) but some of the connectivity issues you might see if you’re doing this in an enterprise environment could boggle your mind, so I’ll try to explain them.

There are a number of flavours of file transfer with FTP. A few of the favourites are, of course FTP (in the clear FTP), SFTP (SSH File Transfer Protocol), FTPES (FTP over explicit TLS/SSL) and FTPS (FTP over implicit TLS/SSL).

For the purposes of this post, I’ll be concentrating on FTPES.

FTPES will happily listen on TCP/21 and generally, that is how it is implemented. The main reason for this is so that providers can offer normal (unsecured) FTP on TCP/21 at the same time as FTPES. When the client wishes to use a secure channel, it simply issues the AUTH TLS command and in most clients I have seen, the normal standard is for clients wishing to use FTPES to immediately send the AUTH TLS command when connected. A client wouldn’t (shouldn’t) authenticate in the clear and then ask for a secure connection, that would defeat the object of having a secure connection.

The only serious problem with this implementation of a secure FTP data transfer method is that modern Unified Threat Management (UTM) devices as deployed in enterprises the world over try to enhance security of FTP by watching for outbound connections to TCP/21 using an often well hidden feature called the “FTP helper service”. This is all well and good up to the point where you need to connect to an FTPES server…

When a typical FTP session begins, the client will connect to TCP/21 and issue the USER command, followed by the PASS command with everything sent in the clear. The client connects, downloads the list of files in the directory and the FTP helper service on the enterprise firewall is happy to deal with that data because it looks like it should, FTP data.

When a typical FTPES session begins, the client will connect to TCP/21 and issue the AUTH TLS or AUTH SSL command. The FTP helper service allows the command because it is sent in the clear. It is at this point that the command channel, and thus data, sent back by the server is encrypted. Unfortunately, it is because of this encrypted data that the FTP helper service spits out its dummy because it was expecting simple clear text FTP commands. As a result of seeing what the FTP helper service deems to be garbage (actually just encrypted data), the UTM device will kill the session.

There is nothing that can be done to resolve this situation without disabling the FTP helper service on the UTM device or (if it is powerful enough) by enabling it to process encrypted sessions using a transparent man-in-the-middle style interception (intercept-decrypt-analyse-reencrypt-forward).

If the provider of the service is offering FTPES on TCP/21 then there is a fairly safe bet they offer FTPS (Implicit TLS/SSL) on TCP/990 also. The only issue here is that there is a good chance that TCP/990 isn’t a port that your firewall administrators would typically allow you to connect to, so it becomes a tough situation to resolve satisfactorily.

The main issue here is that the FTP helper service is getting in the way of the secure connection. The best way for enterprise firewall admins to think of this problem is that it’s like trying to scan HTTPS traffic as it traverses TCP/80 and expecting it to be normal HTTP traffic. The engine dealing with the scanning of data sees garbage (because the data is encrypted) so it just drops the packet.

Unfortunately the list of options at this junction is very short and very ugly from a security perspective:

1. Disable the FTP helper service on the UTM device – generally this is a non-starter because doing so effectively renders the firewall incapable of scanning normal FTP (unencrypted) data for everybody that might connect to an FTP site. The purpose behind this change is to prevent the UTM device from trying to scan the traffic as normal (in the clear) FTP traffic – for FTPES the traffic is encrypted, so it simply won’t work.
2. Connect to the service provider’s FTPS service on TCP/990 – If they’re offering FTPES, they’re probably also offering FTPS (FTP over implicit TLS/SSL) too but you will need to persuade your firewall administrator that opening TCP/990 is OK. They will be able to secure the IP and port combination and the FTP helper service won’t interfere on this port so this is the preferred fix.

OK, and with that out of the way, if you don’t have an enterprise UTM device trying to be overly helpful, this is a typical cURL command line to upload a file to an FTPES server.

curl.exe -T "d:\myfile.txt" ftp://username:password@server.domain.com -k --ftp-ssl

% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
 Dload  Upload   Total   Spent    Left  Speed
100  315k    0     0  100  315k      0  89899  0:00:03  0:00:03 --:--:-- 90708

This will upload a file called myfile.txt from D:\ to ftp://server.domain.com (on the default port TCP/21!) and will authenticate as username with the password password, ignoring any certificate errors (-k) and authenticating using FTPES (–ftp-ssl).

Of course if you’re automating on Windows (like me) you’ll need a windows binary for cURL that has the SSL library compiled in. You can get that from the cURL downloads page. Scroll down to Win32 – Generic and select the binary with SSL support. [At the time of posting, the latest release is 7.21.0 and the binary I used was built by Günter Knauf]

Don’t forget to read the man[ual] page that comes with the download for more details on automating at the command line with cURL.

Hope this helps you!

EDIT: You may be concerned that when you connect to an FTPES or FTPS server using cURL that you have to specify the -k option to ignore certificate validation errors  and it seems that the server’s certificate isn’t verified by a trusted root CA. This doesn’t necessarily mean that the server’s certificate is invalid. In the most recent binary builds, cURL no longer comes bundled with the public keys of valid root CAs like Verisign, Thawte etc. so, you have two options. 1. Use the VBScript that’s included with the binaries to generate your own (when I ran it, it didn’t work so YMMV) or, 2. Provide your own bundle of verified public root CA certificates by visiting the cURL website, click the “CA Extract” link in the menu, download the cacert.pem file in to the same directory as your cURL binary and rename it to curl-ca-bundle.crt. All of these instructions can be found at http://curl.haxx.se/docs/sslcerts.html which is also mentioned in the error message about the cert that cURL spat out when you connected to the server without the -k option.

-Lewis

In preparation for an upcoming DR test I was aware of a limitation of using Standby/Read-only SQL databases that may be required to be brought online and immediately accessed by user accounts that didn’t exist on the DR database server.

When you configure log-shipping, the process essentially exports a copy of the database and imports it in to the target server in Standby/Read-only mode (this isn’t the only option, it’s just the one I use).

When you wish to bring that database online, either for the purposes of a DR test or because of an actual disaster, you execute:

RESTORE DATABASE [database] WITH RECOVERY;

Where database is the name of the database you wish to bring online.

This is great, up until the point that your application attempts to access the database. You will likely receive an access denied message, most likely because you haven’t created a duplicate user account on the DR database server, so you merrily create the account on the DR server and…you still get an access denied message.

Why? Well, when you created the new user, you probably used the GUI interface or a command like the following:

CREATE LOGIN [mylogin] WITH PASSWORD=N'mypassword',
DEFAULT_DATABASE=[master],
CHECK_EXPIRATION=OFF,
CHECK_POLICY=OFF;

When this command executed or you click OK on the GUI pages, it creates the user account but in the background, the SQL server also generated a security id (SID) for the new user account.

The reason you cannot use the new user account to access the restored database is because the SID for the account you just created does not match the SID that is stored in the DR database ind despite having the same name and password, it is a completely different account as far as SQL Server is concerned. If you are in a DR scenario, you would probably just grant the new user account access to the database and everything would begin to work, but do you really want to be doing that in a DR scenario? I know I don’t.

If you are preparing your DR environment and your database is still in Standby/Read-only mode then you can’t grant the newly created user account access to the databases, so what do you do?

Thankfully, the answer is fairly straightforward because the CREATE LOGIN command in SQL Server 2005 allows you to specify the SID. Great..but what’s the SID of the original account?

Well, because we aren’t yet in a DR scenario (thankfully), we can identify the SID of the original account by executing a simple command on the active database server.

SELECT sid from dbo.syslogins WHERE name='mylogin';
Result: 0x417410CE04CDFB4296AF4AAAB4404348

Now that we have the SID of the original account, we can create the new/shadow account on the DR server and specify the SID at the time of creation. You can only do this in the New Query window, the GUI doesn’t allow you to specify the SID.

CREATE LOGIN [mylogin] WITH PASSWORD=N'mypassword',
SID=0x417410CE04CDFB4296AF4AAAB4404348,
DEFAULT_DATABASE=[master],
CHECK_EXPIRATION=OFF,
CHECK_POLICY=OFF

The account will be created and, because the SID of this new/shadow account matches to the SID in the Standby/Read-only database, when you do have a disaster, you don’t need to run any scripts or tinker with SQL user account permissions or your application configuration.

-Lewis

I’ve spent a few minutes thinking about this one this morning and came up with what I believe is a decent solution to a common problem. Despite trawling the net for ten minutes or so, I haven’t seen this solution elsewhere, though I have seen some overwhelmingly over-complicated solutions which probably work.

NB: Importantly, this solution won’t work in an automated fashion so it may not suit you.

Problem: In order for Sky to show non-PG movies and content throughout the day that would otherwise be unsuitable for children, Sky apply a requirement for PIN code entry on protected channels. The problem with this is that Windows Media Center can’t handle the entry of PIN codes for protected channels and is totally unaware of what messages are being displayed on-screen. Essentially, this renders automated recording of protected channels pretty much useless.

Solution: Firstly, you may need to change your PIN. Main reason is that we are going to create a channel in Media Center that contains the first three digits of your PIN. As such, you will need to change your PIN to something that doesn’t exist as an actual channel. Something like 3003 because channel 300 doesn’t exist.
We’re going to enter the PIN essentially by changing channel to 300 and then to another channel that starts with 3.
Basically, the only requirement is to simply add a channel to Media Center called Sky PIN with digits 3 0 0. I’m going to assume you know how to add custom channels – if not, RTFM.

1. Now, fire up Live TV and obviously the video will be displayed.
2. Change channel to the desired protected channel – let’s say Channel 303.
3. You’re presented with the PIN entry screen.
4. Now simply change channel on Media Center to “Sky PIN” by typing in 300 (the channel number you assigned as the first three digits). Those intelligent ones among you are probably asking why I haven’t created a 4 digit channel that enters the entire PIN code. Well, the problem there is that because the Media Center configuration for the set-top-box was configured to only supply 3 digit channels. Trying to add a 4 digit channel just didn’t work, I tried.
5. OK, your Digibox has the first three digits of your PIN entered now so all you need to do is change channel back to the desired channel (303) for viewing. The IR blaster now sends 3-0-3 to the Digibox. The first digit of the channel (3) completes your PIN code (300, then 3) and the channel unlocks for viewing.
6. The remaining two digits (0 and 3) are eventually ignored because you didn’t complete the channel change and your Media Center thinks you’re watching the channel you actually want to watch.

You might ask why would you bother doing this? Well, the answer is, TV streaming. I employ my Sky Digibox along with a Hauppauge USB TV Dongle and VLC Media Player to allow me to view Sky TV (and movies!) from any web enabled machine.

-Lewis

If you want to slow down or alter how quickly the Windows Media Center Remote Control and IR Blaster solution sends IR commands to your set top box, you only get three options during the Media Center (sic) setup procedure; Fast, Medium and Slow.

Sometimes your set-top-box is too slow to pick up even the slowest setting provided out of the box during the setup process but don’t despair, there’s a reg key for that (as opposed to there being an app for that.)

Open Registry Editor and find the following key: please bear in mind that the hardware ID I’ve highlighted below will be entirely different on your computer. Open up the IDs until you find the one that contains a UserSettings sub-key.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Media Center\Service\Video\Tuners\{A799A800-A46D-11D0-A18C-00A02401DCD4}\{E06733DE-0FFB-4615-B18B-C6F43A13161E}\UserSettings]

Edit the STBCode string value and edit the value in milliseconds shown between the <keyinterval> tag. By default, this will be 250 if you selected the “Slow” option during Media Center setup.

Once you have edited the value, you must reboot your PC for the setting to take effect. In order to get my Sky Digibox as shown in the image above to work every time, I had to adjust the keyinterval value to 500ms.

-Lewis