I was recently performing a restore of some old data that had been archived to tape using Symantec Backup Exec 2010. The restore job appeared to complete fine, without any errors or warnings – however when we came to try and use the data, certain files were corrupt/empty – despite the size being correct.
I inspected the contents of the file by opening it in an editor – it turned out that all the affected files just contained null/space characters and no real content, as if they had not restored correctly.
I inspected the Backup Exec log and saw some entries that gave me a clue to where the problem may lie…
BEREMOTE: [01/06/12 10:41:48] [0000] [56084] 01/06/12 10:41:48 Tag=IO_REPARSE_TAG_SIS, file=example1.pdf
BEREMOTE: [01/06/12 10:41:48] [0000] [56084] 01/06/12 10:41:48 Reparse data not restored during redirection of example1.pdf.
BEREMOTE: [01/06/12 10:41:48] [0000] [56084] 01/06/12 10:41:48 Tag=IO_REPARSE_TAG_SIS, file=example2.pdf
BEREMOTE: [01/06/12 10:41:48] [0000] [56084] 01/06/12 10:41:48 Reparse data not restored during redirection of example2.pdf.
The server in question was running Windows Storage Server 2008, which provides the Single Instance Store (SIS) service. SIS removes duplicate files from your filesystem by taking a copy of the file, then replacing the duplicates with symbolic links to the master file.
There are a couple of simple workarounds to the problem…
1) Do not redirect the restore job – just restore to the original location
2) Restore to another drive that does not have the SIS service enabled on it
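Because the job itself reports no errors, the restored data has to be checked directly. The following PowerShell script is an added example, not part of the original post or of Backup Exec: it pulls the affected file names out of log lines in the format shown above and sweeps a restore target for files that have a size but contain only null/space bytes. The function names, the sample log lines and the D:\Restore path are assumptions made for illustration.

```powershell
# Constructed sample input, in the format of the BEREMOTE log lines above.
$LogLines = @(
    'BEREMOTE: [01/06/12 10:41:48] [0000] [56084] 01/06/12 10:41:48 Tag=IO_REPARSE_TAG_SIS, file=example1.pdf'
    'BEREMOTE: [01/06/12 10:41:48] [0000] [56084] 01/06/12 10:41:48 Reparse data not restored during redirection of example1.pdf.'
)
$RestoreRoot = 'D:\Restore'   # hypothetical redirected-restore target

function Get-UnrestoredReparseFile {
    # Return the file names the log says lost their reparse data.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match 'Reparse data not restored during redirection of (.+)\.\s*$') {
            $Matches[1]
        }
    }
}

function Test-BlankContent {
    # True when the file has a non-zero size but holds only 0x00/0x20 bytes.
    param([string]$Path)
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        if ($stream.Length -eq 0) { return $false }
        $buffer = New-Object byte[] 65536
        while (($read = $stream.Read($buffer, 0, $buffer.Length)) -gt 0) {
            for ($i = 0; $i -lt $read; $i++) {
                if ($buffer[$i] -ne 0 -and $buffer[$i] -ne 32) { return $false }
            }
        }
        return $true
    }
    finally { $stream.Dispose() }
}

$flagged = @(Get-UnrestoredReparseFile -Lines $LogLines | Sort-Object -Unique)

# The log gives names without paths, so FlaggedInLog is a match by file name only.
if (Test-Path -LiteralPath $RestoreRoot) {
    Get-ChildItem -LiteralPath $RestoreRoot -Recurse -File |
        Where-Object { Test-BlankContent -Path $_.FullName } |
        Select-Object FullName, Length,
            @{ Name = 'FlaggedInLog'; Expression = { $flagged -contains $_.Name } }
}
```

Any file it lists should be restored again using one of the two workarounds above before the tape is treated as a good copy.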
Posted in Apps, OS
In my Exchange 2010 environment, we’re using the thumbnailPhoto attribute in Active Directory, so that users’ photos appear in Outlook 2010. We also have a custom intranet page that features a company directory which pulls details such as phone numbers from AD. I wanted to also add in the image stored in thumbnailPhoto for each user, so started to create a way of extracting the image that could be used in a web page.
I ended up with a C# ASP page, called userPhoto.aspx with the following contents:
<%@ Page Language="C#" %>
<%@ OutputCache Duration="6000" VaryByParam="u" %>
<%@ Import Namespace="System.DirectoryServices" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script runat="server">
    // Escape the characters that are special in an LDAP search filter (RFC 4515),
    // so the value of "u" cannot change the structure of the filter.
    // The backslash must be replaced first.
    private static String EscapeLdapFilter(String value)
    {
        return value.Replace("\\", "\\5c").Replace("*", "\\2a")
                    .Replace("(", "\\28").Replace(")", "\\29")
                    .Replace("\0", "\\00");
    }

    private void Page_Load(object sender, EventArgs e)
    {
        String myUser = Request.QueryString["u"];
        // No user requested: serve the placeholder image.
        if (String.IsNullOrEmpty(myUser))
            Response.Redirect("app_graphics/user.jpg");
        Response.ContentType = "image/jpeg";
        Response.Clear();
        Response.BufferOutput = true;
        // Set this path to the OU that holds your user objects.
        DirectoryEntry de = new DirectoryEntry();
        de.Path = "LDAP://OU=Users,DC=domain,DC=local";
        DirectorySearcher search = new DirectorySearcher();
        search.SearchRoot = de;
        search.Filter = "(&(objectClass=user)(objectCategory=person)(sAMAccountName=" + EscapeLdapFilter(myUser) + "))";
        search.PropertiesToLoad.Add("samaccountname");
        search.PropertiesToLoad.Add("thumbnailPhoto");
        SearchResult user = search.FindOne();
        // Unknown user: serve the placeholder image.
        if (user == null)
            Response.Redirect("app_graphics/user.jpg");
        try
        {
            byte[] bb = (byte[])user.Properties["thumbnailPhoto"][0];
            Response.BinaryWrite(bb);
            Response.Flush();
        }
        catch
        {
            // Nothing stored in thumbnailPhoto: serve the placeholder image.
            Response.Redirect("app_graphics/user.jpg");
        }
    }
</script>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <title>userImage</title>
</head>
<body>
    <form id="form1" runat="server">
    </form>
</body>
</html>
You can then use the file by passing a parameter of u on an HTTP GET request, containing the user’s sAMAccountName.
For example, <img src='userPhoto.aspx?u=gkendal'/>. Also, don’t forget to set the OU where your user objects are in AD (the de.Path line), and to add a placeholder image for those users that don’t have anything stored in their thumbnailPhoto attribute!
Posted in Programming, Scripting
After an upgrade to Exchange 2010 SP1, to add the update rollup 3 (v3), OWA stopped logging users in, instead just leaving them on a blank page (this was really an HTTP 500 error page for auth.owa).
Turns out that the “Microsoft Exchange Forms-Based Authentication service” was not restarted after the patching. Starting the service fixes this issue.
Posted in Tips
I’ve always liked the idea of using unsolicited remote assistance to support users, as it’s already built in to Windows, so no need for 3rd party software and additional costs. The downside was its inability to handle UAC prompts very well (which are pretty inevitable if you’re having to use remote assistance to help someone to do anything moderately taxing!).
When you offer remote assistance to a user’s system, they have a checkbox option of letting you respond to UAC prompts, but that would then require them to provide admin credentials, which is a no-goer. The other situation that is often encountered is the UAC prompt causing a black screen with a pause icon/symbol for the remote user – another show stopper!
There is, however, a simple fix that will allow the UAC prompts to be shown to the remote user! You’ll need to use a GPO to force the following security setting: User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop. With it enabled, UIAccess programs such as Remote Assistance can turn off the secure desktop for elevation prompts, so the prompt appears on the user’s interactive desktop where the helper can see it.
Once this is done, unsolicited remote assistance becomes a very useful tool!
Posted in OS, Tips, Uncategorized
I bound one of our new iMacs to our MS AD a while back, however a week later it stopped working out of the blue. After unbinding and trying to bind again I received the following error:
Unable to add server. The daemon encountered an error processing the request (10002)
After a bit of investigation, it turned out that the issue was due to the clock drifting on the Mac, and causing Kerberos authentication to fail. Fixed by setting the clock to sync with a domain controller (will prevent the issue from recurring); after this it rebound straight away.
Posted in Networking, OS
We have a couple of requirements in our environment: firstly, Admin users need access to all mailboxes, then all users need reviewer (read-only) access to everyone else’s calendars.
To achieve this, I have the following PowerShell script scheduled to run overnight…
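# Grant Domain Admins full access to every mailbox, and give the mail-enabled
# group "entire-company" Reviewer (read-only) access to each user's calendar.
$userAccounts = Get-Mailbox -ResultSize Unlimited
ForEach ($user in $userAccounts)
{
    Add-MailboxPermission -Identity $user -User "DOMAIN\Domain Admins" -AccessRights FullAccess
    Add-MailboxFolderPermission -Identity ($user.UserPrincipalName + ":\Calendar") -User entire-company -AccessRights Reviewer
}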
I initially tried using the ‘Default’ user for the calendar permissions, but this caused some odd results and errors in Outlook, so I put that back to ‘AvailabilityOnly’ and used a mail-enabled Active Directory group that contained the whole company instead!
There might be a nicer way to set default mailbox permissions at the time of account creation, but I’ve yet to find this!
Posted in Scripting
When trying to move the Schema Master FSMO role from a 2003 to 2008 R2 server, I came across an issue. In order to transfer the Schema master role, you need to run the following command:
regsvr32 schmmgmt.dll
Once you’ve done this, you should be able to load the AD schema MMC snap-in, however I kept getting the following error when I ran it.
The module “schmmgmt.dll” was loaded but the call to DllRegisterServer failed with error code 0x80040201
Simple solution to the problem: Run the command from an elevated command prompt, or use the ntdsutil command to do it (But RTFM!)
Posted in Networking, OS
During the testing of Hyper-V live migration on a freshly built failover cluster (2008 R2), all seemed to work well apart from one Linux (CentOS) VM. It had been running fine on a single Hyper-V server with the integration components installed, however when I tried to do a live migration it failed, not giving much clue why.
Moving the VM to the other node and starting it using the Hyper-V manager, generated the following error…
‘SV04’ failed to start.
Microsoft Emulated IDE controller (Instance GUID): Failed to power on with error ‘a device attached to the system is not functioning’
Failed to open attachment: C:\ClusterStorage\Volume1\Hyper-V\Virtual Hard Disks\SV04.vhd. Error – A device attached to the system is not functioning. (0x8007001F)
After some investigation, I found that the VM would only start on whichever cluster node was the owner of the CSV (Cluster Shared Volume). I later discovered that disabling the AV (Sophos in this case) on the node that wasn’t the CSV owner resolved the issue – odd, as I had added an exclusion for scanning on c:\ClusterStorage\*; it seems that the exclusion didn’t quite work with it being CSV due to the way it links into the filesystem… Adding an exclusion for *.vhd, then re-enabling the AV fixed the issue.
Posted in Apps, OS, Tips
A large percentage of my users access their corporate email and calendars via their iPhones, ActiveSync and Exchange 2007/2010. I started looking into the possibility of a solution where I could remotely wipe the devices when they get lost/stolen/eaten – turns out I already had the functionality but never knew it!! If your users have access to Outlook Web Access they can even do it themselves!
EMC: Fire up the Exchange management console, navigate to recipient config, then mailbox, and find the user that left their phone on the train. Select manage mobile phone from the actions pane. You can then select to remote wipe the device.
OWA: As I mentioned, users can do this themselves… Log into OWA, navigate to options, then phones – you’ll see all your mobile devices, and also a wipe device option. Fantastic!
Posted in Tips
After migrating to Exchange 2010, a small number of users couldn’t get their iPhones to sync with Exchange, despite managing to verify the account in the iPhone setup. The thing the users had in common was that they were created as Administrators by an old SBS2003 system.
When trying to view the inbox from the iPhone, the following appeared in the application log on the Exchange mailbox server…
Exchange ActiveSync doesn’t have sufficient permissions to create the “CN=Freg Smith,OU=Users,OU=XXXXGroup,DC=XXXX,DC=local” container under Active Directory user “Active Directory operation failed on XXXXXXXXXX. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-03151E04, problem 4003 (INSUFF_ACCESS_RIGHTS)
This problem is caused by Exchange not having access rights to the user object in Active Directory, as the SBS account creation tool disabled this for Admin users. To fix the issue, go to the properties of the user in question in Active Directory Users & Computers, navigate to the Security tab, then the Advanced button, and tick the inherit permissions box. This will allow the required permissions to apply to the user, and mail should start syncing!
Posted in Networking