SCDPM: Backup SQL and Truncate SQL Logs

Published on Friday, December 23, 2011

First off, it’s been a while since I added a new post. I’ve been busy at work with non-technical stuff… So fewer war stories to blog about :( Also, I’ve got zero practical experience with SCDPM; everything I found out below comes from my Google skills.

Lately one of my customers had a FIM Service outage. We quickly found out the SQL transaction log was completely filled up and had no more room to expand… Not really a healthy situation. They have System Center Data Protection Manager in place, which is configured to take backups on a regular basis. What we were seeing is that the SQL log was never releasing any space, so the free space within the file became smaller and smaller.

Now for the sake of clarity: in a typical scenario, if you take a backup of a DB you are supposed to make sure the log is truncated. Do not confuse this with shrinking. Shrinking makes the log file itself smaller in size, and is something you don’t have to do on a scheduled basis. Truncating, on the other hand, makes sure there’s more free space within the file. If you fail to do this, the file will keep on growing and growing regardless of the size of your database.

As a side note, for this to work the database has to be in full recovery mode. If that’s not the case, transaction logs aren’t stored anyhow and you don’t need to do anything specific.

This is how the backup was configured before our changes:

This was obviously not good, as we had a full log file. At first sight I didn’t find anything in the DPM GUI, so I did some research and came up with the following statements:

Have you scheduled to take incremental backups for the SQL Server databases? Express full backups do not truncate logs. Incremental backups which are in fact log backups truncate logs. [http://msgroups.net/microsoft.public.dataprotectionmanager/DPM-transaction-logs-truncation-on-SQL-Server]

Ok, so we need Incremental backups, now where’s that checkbox…

SQL will truncate the log files after each DPM Synchronization (incremental backup). However truncation is not the same as shrinking. Once a log file grows, you will need to shrink it manually. If the time between synchronizations is set for something like 12 or 24 hours, then the log file has already grown and you will need to shrink it manually, then reduce the synchronization period to keep it to a reasonable size. If the synchronization selection is ‘Just before a recovery point’ then incremental backups won’t get scheduled. This option is a way of telling DPM, that the user is interested only in express full backups and not incremental backups. [http://social.technet.microsoft.com/Forums/en-US/dpmsqlbackup/thread/f81f0ea7-cfd6-4e8f-a3e3-9ae4d207eabd]

So the following setting was modified:


Here’s a screenshot of the log file size before:


And here after one of the synchronization runs, you can clearly see that the log file has been truncated and thus the free space is nearly 100%. As expected! As we set the interval to 15’ this happened really fast.
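To see whether a database is in the state described above before the log fills up, the check below classifies databases by recovery model and by what SQL Server reports as the reason log space cannot be reused. It is an added example, not part of the original post; the function name, the threshold and the sample rows are constructed for illustration.

```powershell
# Added example, not from the original post. The rows are constructed; on a real
# server they would come from these two statements:
#   SELECT name, recovery_model_desc, log_reuse_wait_desc FROM sys.databases;
#   DBCC SQLPERF(LOGSPACE);   -- "Log Space Used (%)" per database
$SampleRows = @(
    [pscustomobject]@{ Name = 'FIMService';                RecoveryModel = 'FULL';   LogReuseWait = 'LOG_BACKUP';         LogUsedPercent = 99.1 }
    [pscustomobject]@{ Name = 'FIMSynchronizationService'; RecoveryModel = 'SIMPLE'; LogReuseWait = 'NOTHING';            LogUsedPercent = 12.4 }
    [pscustomobject]@{ Name = 'SampleApp';                 RecoveryModel = 'FULL';   LogReuseWait = 'ACTIVE_TRANSACTION'; LogUsedPercent = 63.0 }
    [pscustomobject]@{ Name = 'SampleArchive';             RecoveryModel = 'FULL';   LogReuseWait = 'NOTHING';            LogUsedPercent = 3.2 }
)

function Get-LogTruncationFinding {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject] $Database,
        [double] $WarnPercent = 80   # hypothetical alert threshold
    )
    process {
        if ($Database.RecoveryModel -eq 'SIMPLE') {
            $severity = 'Info'
            $finding  = 'Simple recovery: log is reused after checkpoints, no log backup needed'
        }
        elseif ($Database.LogReuseWait -eq 'LOG_BACKUP') {
            # Log space cannot be reused until a log backup (a DPM incremental) runs.
            if ($Database.LogUsedPercent -ge $WarnPercent) { $severity = 'Critical' } else { $severity = 'Warning' }
            $finding = 'Waiting on a log backup: check that incremental backups are scheduled'
        }
        elseif ($Database.LogReuseWait -ne 'NOTHING') {
            $severity = 'Warning'
            $finding  = "Truncation blocked by $($Database.LogReuseWait), not by missing log backups"
        }
        else {
            $severity = 'OK'
            $finding  = 'Log space is being reused'
        }
        [pscustomobject]@{
            Name           = $Database.Name
            Severity       = $severity
            LogUsedPercent = $Database.LogUsedPercent
            Finding        = $finding
        }
    }
}

$SampleRows | Get-LogTruncationFinding | Format-Table -AutoSize
```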

Outlook: Cannot Send This Item

Published on Tuesday, October 25, 2011

A customer of mine was struggling with the following error in Outlook:


Microsoft Outlook: Cannot send this item

It started appearing after they introduced a new Exchange 2010 infrastructure and had migrated some pilot users from their Exchange 2003 environment. At first the repro we found was: start a new mail, type some random stuff in it and then wait. After some time (10 – 15’) hit send and see if you get the error. Now that was really lousy to reproduce…

On the internet we found a workaround: whenever the error pops up, you can choose the “Format Text” tab and switch between HTML and Rich Text. Then just hit send again.

We weren’t satisfied though. Because of this formatting workaround we were suspecting a problem with the HTML of the signature in the mails. We found a hotfix regarding GIF images and Outlook, but that didn’t seem to solve it. Besides that, our issue wasn’t always reproducible and time seemed to be a factor… So we shifted away from the formatting issues and looked further.

After some network tracing, lots of coffee and patience we seemed to have found the culprit. By right-clicking the Outlook tray icon (while holding Ctrl down) you can view some connection statistics.

The picture is a bad example as I’m actually disconnected, but you get the idea. What we were seeing was that we had quite some failed requests. However, this wasn’t really noticeable in Outlook from the user’s point of view. Now we could reproduce our problem by opening several mails and just waiting until a failure popped up in the statistics. After such a failure we couldn’t send any of those mails we had open.

Once we learned this, we involved some networking guys to check all involved devices: firewalls, load balancers, … and they found out some device was malfunctioning (dropping packets).

Summary: if you are hitting the “Outlook cannot send this item” error, don’t go for the easy workaround by teaching your users to change the format back and forth. Instead do some troubleshooting and check the health of your network, at least if you are seeing connection failures in the statistics…

Exchange 2010 SP1: Split Permissions

Published on Monday, October 24, 2011

This evening I was installing Exchange 2010 SP1 in a lab environment which didn’t have Exchange before, and when going through the installation wizard I came across a checkbox I hadn’t seen before.

If I read the documentation correctly, this could be an answer for those environments where Exchange management tasks are performed by another team than the typical AD user management tasks. Here’s some TechNet info on the subject:

This might come in handy whenever you are designing your delegation model for an Active Directory environment.

Win 8 Client (Dev Preview): Manage Wireless Networks, Where Art Thou?

When I started using Windows 8 I wanted to manually define a Wireless Network to connect to. Win 8 really does its best to make this as dummy proof as possible. One of the options I was missing was an overview of all networks I had been connected to in the past. In fact this is what I was looking for: the Manage Wireless Networks window.

I might be missing the obvious, or it might be hidden somewhere in the new shiny Metro UI, but I didn’t find it. Here’s how you can start it:

Just copy and paste “explorer.exe shell:::{1fa9085f-25a2-489b-85d4-86326eedcd87}” in your start – run or a command prompt.

If I’m correct, I believe in Windows 7 you can find a shortcut to this in the Network and Sharing Center.

Windows 8 (Dev Preview): Install A Domain Controller

Published on Saturday, October 22, 2011

As I’m curious what might have changed in the Windows 8 Developer Preview I decided to promote a server to a Domain Controller. As I’ve done plenty of times before I just did “start – run – dcpromo”.

However this time a message pops up that we can no longer do this and have to use the Server Manager experience. Fine by me.

So off we go: the Server Manager has been revamped and extended. Just click add roles.

There seems to be a scenario-based installation, but that’s just for Remote Desktop Services.

Some fancy server selection options.

Just check AD DS.

Required features to be added.

Now this is convenient: you get the choice to add some additional features on your way out.

Next

Install

Tumdidum

Ready

Back in the Server Manager we will see a message saying we now need to execute the domain controller configuration part.

Click it, you’ll see an overview of pending tasks.

Scroll to the right and click “Promote this server to a domain controller”.

Choose a name for your root domain.

I just picked the new Windows Server 8 DFL/FFL.

Defaults for my lab are just fine.

Now we are presented with an overview of the settings. Read carefully, it says: “The NetBIOS name of the domain: automatically calculated”. Often this might be just fine, but whereas in the past you could specify it in the GUI when following the advanced route, now we will have to go command line.

And very nice: the view script button shows us the outcome of our clickings in the equivalent PowerShell script.

When clicking next some prerequisites are checked. The outcome was red, I didn’t see that one coming. It seems to be complaining about the DFL I picked…

Back at the DFL selection I lowered it to Windows 2008 R2 and went forward again.

All is fine now.

However, I backed out of the GUI as I wanted to try the PowerShell script:

#
# Windows PowerShell Script for AD DS Deployment
#

Import-Module ADDSDeployment
Install-ADDSForest `
-DatabasePath "C:\Windows\NTDS" `
-DomainMode "Win2008R2" `
-DomainName "addict.local" `
-DomainNetBiosName "ADDICT" `
-ForestMode "Win2008R2" `
-InstallDNS:$true `
-LogPath "C:\Windows\NTDS" `
-RebootOnCompletion:$false `
-SafeModeAdministratorPassword (Read-Host -AsSecureString -Prompt "Enter Password") `
-SYSVOLPath "C:\Windows\SYSVOL"

I could have set “RebootOnCompletion”, but I wanted to see the result of the command.

After rebooting I decided to check the DFL/FFL raising again.

So I guess we will have to wait for that. In the near future I might be adding additional postings regarding Windows 8 Server. However this is all pretty early and stuff might be left out in the final version of course.

ISA 2006/TMG 2010 Link Translation: Replace Something With Nothing

Published on Monday, September 19, 2011

Recently I assisted a colleague in a case where they had to publish some web service using ISA 2006. Now the problem was in fact that there was a lot of legacy code/folder structure and for the publishing to work we had the following mapping configured:

Yep, that does include dots in the 2nd level folder… Basically if you retrieved a URL like http://www.publicurl.com/homepage.html it would contact the internal webserver at http://srvweb01.custdom.local/www.customer.com/homepage.html. The problem we were seeing is that some of the returned HTML pages still contained paths like <script=”/www.customer.com/scriptresource.axd?aze232LKJ22LJ”. That problem is the reason for this post. We wanted to replace /www.customer.com with nothing. ISA was configured to add that path to internal requests anyway…

The translation table on which ISA/TMG base their logic is built from the mappings specified by the publishing rule. But one can add as many custom translations as desired.

Now if you take the link translation tab, you can click the Mappings button. You’ll see all the mappings ISA is currently maintaining. They were all preceded by http://srvweb01.customer.local. We wanted to add a mapping which replaced /www.customer.com with “” [nothing]. We really just wanted to get rid of it… However, in the “to” field you are obliged to enter something… So TechNet to the rescue! I posted my question on the forums and got some good tips really fast: ISA 2006:Link Translation: Replace Part of path with nothing

Tip #1: replace ="/folder with ="/

Tip #2: replace /folder with /.

I’m not sure which options my colleague tested, but he reported back that a small variation worked, namely replacing “"/www.customer.com” with “"”. Only use what’s between the quotes, including the leading ".

Thanks Kai and f3rrix!

Provisioning Mail Enabled Users with FIM 2010

Published on Saturday, September 10, 2011

Using FIM it’s easy to provision mailboxes for users. In my current project we also needed to provision mail-enabled users. The difference between a mailbox-enabled and a mail-enabled user is that the latter only has an email address associated with its account. The mailbox is typically located at an external organization.

Here’s a table from Exchange Provisioning using ILM 2007 and FIM 2010

It shows which attributes to flow for each recipient type. As we are going to provision mail enabled users we only need to flow

  • mailNickname
  • targetAddress

I like to use the sAMAccountName for the mailNickname. The reason why we wanted to mail enable some users is that we’d want external users (like consultants) to appear in the GAL. The customer itself was using a (fictive) domain like @internalAD.local.

At first I had my rules configured as:

  • sAMAccountName –> mailNickname
  • TargetAddress –> targetAddress

Where TargetAddress has values like “thomas@setspn.com”.

The result:

While it looks OK at first sight, when you look for the user in the GAL, it will appear with an e-mail address in the customer’s address space... Not exactly what we were looking for.

I did some testing using the Exchange Management Console, and what I wanted to achieve seemed to be possible using the GUI, so I must have done something wrong! It seems the targetAddress attribute in AD is supposed to contain “SMTP:emailaddress” and not merely “emailaddress”. So I changed the rules:

  • sAMAccountName –> mailNickname
  • TargetAddress –> “SMTP:”+targetAddress

And now my user looks like:


You can clearly see that the “primary” address is now the external address. And below you can see the difference in the GAL lookup. The first entry is bad, the second entry is OK.
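A quick audit for accounts provisioned with the first set of rules, as an added example that is not part of the original post: it flags mail-enabled users whose targetAddress lacks the “SMTP:” prefix or whose mailNickname is empty, and proposes the corrected value. The function name, the sample users and the example domains are constructed.

```powershell
# Added example, not from the original post. Constructed sample objects; against a
# real directory the input would come from the ActiveDirectory module:
#   Get-ADUser -LDAPFilter '(targetAddress=*)' -Properties mailNickname, targetAddress
$SampleUsers = @(
    [pscustomobject]@{ SamAccountName = 'consultant01'; mailNickname = 'consultant01'; targetAddress = 'thomas@setspn.com' }
    [pscustomobject]@{ SamAccountName = 'consultant02'; mailNickname = 'consultant02'; targetAddress = 'SMTP:c02@partner.example' }
    [pscustomobject]@{ SamAccountName = 'consultant03'; mailNickname = $null;          targetAddress = 'SMTP:c03@partner.example' }
    [pscustomobject]@{ SamAccountName = 'consultant04'; mailNickname = 'consultant04'; targetAddress = 'SMTP:not-an-address' }
)

function Test-MailEnabledUser {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject] $User
    )
    process {
        $issues    = @()
        $suggested = $null

        if ([string]::IsNullOrEmpty($User.mailNickname)) {
            $issues += 'mailNickname is empty'
        }

        $raw = [string]$User.targetAddress
        # Assumption: the prefix is accepted in either case here; the rule in the
        # post writes upper-case "SMTP:". -replace and -match ignore case by default.
        $address = $raw -replace '^smtp:', ''

        if ($address -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
            $issues += "targetAddress '$raw' does not hold an e-mail address"
        }
        elseif ($raw -notmatch '^smtp:') {
            $issues += 'targetAddress lacks the SMTP: prefix'
            $suggested = "SMTP:$address"
        }

        [pscustomobject]@{
            SamAccountName         = $User.SamAccountName
            Issues                 = $issues -join '; '
            SuggestedTargetAddress = $suggested
        }
    }
}

# Show only the accounts that need attention.
$SampleUsers | Test-MailEnabledUser | Where-Object { $_.Issues } | Format-Table -AutoSize
```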

FIM 2010: Config Migration: Import Attribute Flow Rules Update Failed

Published on Tuesday, August 30, 2011

One of the steps when performing a FIM Configuration Migration is to import the FIM Synchronization configuration. During my last migration I received the following error message nearly at the end of the process.

In words:

An error was encountered while trying to update the metaverse configurations The synchronization rule’s boolean constant flow must only use ‘true’ or ‘false’. Import attribute flow rules update FAILED.

So I opened up the Synchronization Service management console and started to look for an SR with a boolean in its flow.

Found!

It seems we have “membershipLocked” being set to false for an ISR. This information (the attribute flow updates) is stored in the MV.XML file, which is located in the directory you exported to / are importing from.

When you search for that attribute you will see that the export replaced the “false” by “0”. Simply change it back to “false” and rerun the import.

FIM 2010 R2 [BETA]: FIM MA Dedicated Event Log

Published on Tuesday, August 2, 2011

I’m currently setting up a lab with FIM 2010 R2 (BETA) and I was struggling to get my FIM MA created…

I encountered some issues with time sync before, so I started looking for issues with my connection to the SQL Server/Database. Eventually I noticed a new Event Log on the FIM Server: Forefront Identity Manager Management Agent!

It was already populated with quite some errors.

In words:

System: System.UriFormatException: Invalid URI: The format of the URI could not be determined.
   at System.Uri.CreateThis(String uri, Boolean dontEscape, UriKind uriKind)
   at MIIS.ManagementAgent.RavenMA.InitializeConnection(XmlNode connectionInformationNode, XmlNode encryptedAttributeNode, Boolean runInitialization)
   at MIIS.ManagementAgent.RavenMA.UIInitialize(String pszInitString, Int32& pfValid, String& ppszResult)

When I saw this it immediately became clear that I didn’t use the http://***:5725 notation. Now when you install an all-in-one box, during the FIM Service and Portal installation wizard you are asked like 10 times for your FIM Service base address. During this wizard you just have to specify the URL. However, in the FIM MA configuration you have to include the http and the port… Getting rusty ; )

Summary: FIM 2010 R2 seems to come with a new dedicated event log for FIM MA event log entries. This will be a great help for troubleshooting FIM MA related issues for sure!