Mark's Windows Server Blog

Snippets of Windows Server information from Mark Wilson
Today's Community Day

I just wanted to say "thank you" to everyone who came along to one of our sessions at today's Community Day at the Microsoft Campus in Reading. I hope you enjoyed it - and please leave feedback on the UK User Groups website (the feedback form should be live next week).

For anyone who missed my sessions - either because you were in another one, or couldn't make it along - or even if you did make it along and you need some more information (I skipped over some content in both the sessions that I had meant to cover), then you can find the slidedecks and videos on my SkyDrive.

In the chalk and talk, we discussed a number of potential subjects for future user group meetings - I'm still not sure how that's going to work out as since Scotty's accident we are leaderless and also have no administrative access to this website to get a list of all the members. Still, I'm sure we'll find a way through! The list we came up with was as follows (in no particular order), but please leave a comment on this post if you'd like to see something else, or if you'd like to deliver a session at a future event (volunteers are welcome - indeed they are positively sought out!):

  • Windows 2003 and 2008 co-existence
  • PKI
  • Real-world Hyper-V deployment
  • iSCSI - Windows Storage Server? Build your own SAN that's affordable?
  • WS08 - clustering - especially stretched
  • IIS 7 - from an infrastructure perspective (owning and operating - not dev.)
  • What's changed 2003-2008 (DHCP, IAS, etc.)
  • Real-world experience of migrations.
  • Microsoft Application Virtualization (was SoftGrid)

I look forward to seeing you at an event sometime soon.

Removing phantom network adapters from virtual machines

Last night, I rebuilt my Windows Server 2008 machine at home to use the RTM build (it was running on an escrow build from a few days before it was finally released) and Hyper-V RC0. It was non-trivial because the virtual machines I had running on the server had to be recreated in order to move from the Hyper-V beta to the release candidate (which meant merging snapshots) and so it's taken me a few weeks to get around to it.

The recreation of the virtual machine configuration (but using the existing virtual hard disk) meant that Windows detected new network adapters when I started up the VM. Where I previously had a NIC called Local Area Connection using Microsoft VMBus Network Adapter, I now had a NIC called Local Area Connection 2 using Microsoft VMBus Network Adapter #2. The original adapter was still configured but not visible. Ordinarily, that's not a problem - the friendly name for the NIC can be edited - but when I went to apply the correct TCP/IP settings, a warning was displayed that:

The IP address ipaddress you have entered for this network adapter is already assigned to another adapter Microsoft VMBus Network Adapter. Microsoft VMBus Network Adapter is hidden from the network and Dial-up Connections folder because it is not physically in the computer or is a legacy adapter that is not working. If the same address is assigned to both adapters and they become active, only one of them will use this address. This may result in incorrect system configuration. Do you want to enter a different IP address for this adapter in the list of IP addresses in the advanced dialog box?

That wasn't a problem for my domain controller VM, but the ISA Server VM didn't want to play ball - hardly surprising as I was messing around with the virtual network hardware in a firewall!

In a physical environment, I could have reinserted the original NIC, uninstalled the drivers, removed the NIC and then installed the new one, but that was less straightforward with my virtual hardware as the process had also involved upgrading the Hyper-V guest integration components. I tried getting Device Manager to show the original adapter using set devmgr_show_nonpresent_devices=1 followed by start devmgmt.msc but it was still not visible (even after enabling the option to show hidden devices). Time to break out the command line utilities.

As described in Microsoft knowledge base article 269155, I ran devcon to identify the phantom device and then remove it. Interestingly, running devcon findall =net produced more results than devcon listclass net and the additional entries were the original VMBus Network Adapters.

After identifying their identifier for the NIC (e.g. VMBUS\{20AC6313-BD23-41C6-AE17-D1CA99DA4923}\5&37A0B134&0&{20AC6313-BD23-41C6-AE17-D1CA99DA4923}: Microsoft VMBus Network Adapter), I could use devcon to remove the device:

devcon -r remove "@VMBUS\{20AC6313-BD23-41C6-AE17-D1CA99DA4923}\5&37A0B134&0&{20AC6313-BD23-41C6-AE17-D1CA99DA4923}"

Result! devcon reported:

VMBUS\{20AC6313-BD23-41C6-AE17-D1CA99DA4923}\5&37A0B134&0&{20AC6313-BD23-41C6-AE17-D1CA99DA4923}: Removed
1 device(s) removed.

I repeated this for all phantom devices (and uninstalled the extra NICs that had been created but were visible, using Device Manager). I then refreshed Device Manager (scan for hardware changes), plug and play kicked in and I just had the NIC(s) that I wanted, with the original name(s). Finally, I configured TCP/IP as it had been before the Hyper-V upgrade and ISA Server jumped into life.
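The comparison between devcon findall =net and devcon listclass net described above can be automated; the following is an added example (not code from the original post) that parses both outputs, reports the instance ids that only appear in findall as phantoms, and builds the devcon removal command for each. The sample devcon output is constructed (the phantom instance id is the one quoted above, the "#2" adapter's id is made up).

```python
"""Find phantom (non-present) network adapters by diffing devcon output.

Added example, not from the original post. "devcon findall =net" lists every
net-class device Plug and Play knows about, "devcon listclass net" only the
present ones, so the difference is the hidden adapter(s) to remove.
"""
import subprocess
from typing import Dict, List

# Constructed sample output. The phantom instance id is the one quoted in the
# post; the "#2" adapter's instance id is made up.
SAMPLE_FINDALL = r"""VMBUS\{20AC6313-BD23-41C6-AE17-D1CA99DA4923}\5&37A0B134&0&{20AC6313-BD23-41C6-AE17-D1CA99DA4923}: Microsoft VMBus Network Adapter
VMBUS\{20AC6313-BD23-41C6-AE17-D1CA99DA4923}\5&37A0B134&0&{00000000-0000-0000-0000-000000000002}: Microsoft VMBus Network Adapter #2
2 matching device(s) found.
"""

SAMPLE_LISTCLASS = r"""Listing 1 devices in setup class "Net" (Network adapters).
VMBUS\{20AC6313-BD23-41C6-AE17-D1CA99DA4923}\5&37A0B134&0&{00000000-0000-0000-0000-000000000002}: Microsoft VMBus Network Adapter #2
"""


def parse_devcon(output: str) -> Dict[str, str]:
    """Map device instance id -> description from devcon find/listclass output.

    Device lines have the form "<instance id>: <description>"; the summary
    lines ("Listing N devices ...", "N matching device(s) found.",
    "No matching devices found.") are skipped.
    """
    devices: Dict[str, str] = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Listing ", "No ")) or line.endswith("found."):
            continue
        parts = line.split(": ", 1)
        if len(parts) == 2:
            devices[parts[0]] = parts[1]
    return devices


def phantom_adapters(findall_output: str, listclass_output: str) -> Dict[str, str]:
    """Adapters known to Plug and Play but not currently present."""
    known = parse_devcon(findall_output)
    present = parse_devcon(listclass_output)
    return {dev_id: desc for dev_id, desc in known.items() if dev_id not in present}


def removal_commands(phantoms: Dict[str, str]) -> List[str]:
    """One "devcon -r remove" per phantom, as in the post ("@" = exact instance id)."""
    return [f'devcon -r remove "@{dev_id}"' for dev_id in sorted(phantoms)]


def run_devcon(*args: str) -> str:
    """Run the real devcon.exe (Windows, devcon on PATH) and return its output."""
    proc = subprocess.run(["devcon", *args], capture_output=True, text=True, check=False)
    return proc.stdout


if __name__ == "__main__":
    # Print the commands for review; nothing is removed here. On a Windows
    # box, swap the samples for run_devcon("findall", "=net") and
    # run_devcon("listclass", "net").
    for cmd in removal_commands(phantom_adapters(SAMPLE_FINDALL, SAMPLE_LISTCLASS)):
        print(cmd)
```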

Just one extra point of note: the devcon package that Microsoft supplies in Microsoft knowledge base article 311272 includes versions for i386 and IA64 architectures but not x64. It worked for me on my ISA Server virtual machine, which is running 32-bit Windows Server 2003 R2, but was unable to remove the phantom device on my domain controller, which uses 64-bit Windows Server 2003 R2. I later found that devcon is one of the Support Tools on the Windows installation media (suptools.msi). After installing these, I was able to use devcon on x64 platforms too.

The Windows runas command and the /netonly switch

Earlier today I needed to administer a Windows Server remotely, using a Microsoft Management Console (MMC) snap-in. Unfortunately, the computer I was using was in one domain and the remote server was in a workgroup, meaning that many of the MMC operations failed due to security issues. I tried running MMC as the administrator for the remote machine (using runas /user:remotecomputername\username mmc) but kept on getting a message that indicated an authentication failure:

RUNAS ERROR: Unable to run - mmc 1311: There are currently no logon servers available to service the logon request.

Then I found out about an obscure switch for the runas command - /netonly, used to indicate that the supplied credentials are for remote access only. By changing my command to:

runas /netonly /user:remotecomputername\username mmc

I was able to authenticate against the remote computer without needing the credentials to also be valid on the local computer, as described by Craig Andera.

Customising Windows Server 2008 server core

A few months back, I wrote a post with a few commands to get started with server core on Windows Server 2008. Since then, I've had some fun tweaking server core installations (including some cheekiness installing third party web servers and browsers).

Sander Berkouwer wrote a series of blog posts last summer that look at changing the look and feel of a server core installation:

  1. Changing regional and language options (international settings) as well as time and date options.
  2. Changing display settings such as screen resolution and color depth, screen saver, window and background colors, cleartype and windows dragging settings.
  3. Changing keyboard and mouse settings/cursors.
  4. Changing the splash screen, logon screen and tweaking the command prompt window.

Server core may be intended for core infrastructure servers in lights-out data centres but even so, some customisation can be useful. Sander's notes should help most people get things started.

Surfing with server core

The whole point of the server core installation mode for Windows Server 2008 is a reduced attack surface - no Windows Explorer, no Internet Explorer, no .NET Framework. That's all well and good but sometimes it's useful to download a file over HTTP to a server core machine.

No problem - just download a version of GNU wget that has been compiled for Windows and use that to download the file. It needed a couple of configuration items to get past my corporate proxy server but worked flawlessly:

set http_proxy=http://proxyserver:portnumber
wget --proxy-user=domainname\username --proxy-passwd=password http://uri/

That's probably as far as most people need to go - adding a simple command line utility to a command-line Windows installation - but I wanted to take things a step further (purely out of curiosity) and I installed Mozilla Firefox (v2.0.0.13). It worked, so I decided to try Apple Safari (v3.1) and Opera (v9.26). Safari installed (except the Bonjour component) but has a dependency on the Internet Options control panel applet (which is not present in server core) so I couldn't define any proxy server settings. Meanwhile, Opera had no noticeable issues installing and loading a few test web pages. Next, I tried Internet Explorer 8 beta 1 and, as I expected, the installation failed. Bizarrely, it didn't detect that I was trying to install it on server core but did attempt the installation, before failing and advising a restart followed by a visit to a web page (presumably using a competitor's browser!) which redirects to Microsoft knowledge base article 949220.

Finally, I decided to go to the other extreme and try a text-mode browser. I found a version of Lynx that has been compiled for Windows but in order to get past my proxy server it needed the same environment variable as wget:

set http_proxy=http://proxyserver:portnumber

Even with this, it is incapable of performing authenticated proxy operations so I kept getting an HTTP 407 response. The workaround is to use the NTLM Authorization Proxy Server (NTLMAPS), which depends on Python (for which I found a 64-bit MSI package for Windows). Basically, NTLMAPS acts as a local proxy, configured to add the authentication headers and pass the request to the upstream server.

By editing the server.cfg file to include the following entries (all other configuration items were left at their defaults) and running the start runserver.bat command to launch the NTLMAPS server I was able to get NTLMAPS to prompt me for my password at startup and listen for HTTP requests (but not HTTPS) on port 5865:

PARENT_PROXY: proxyserver
NT_DOMAIN: domainname
USER: username

Then, I ran the following:

set http_proxy=http://localhost:5865/
lynx

and was able to successfully browse the Internet through my corporate proxy server.

In all seriousness, I can't really think of a good reason to install a full browser on server core but the wget command is probably useful. Even so, it's still good to know that there are a few options for emergency surfing from a server core installation.

Upgrading from the Hyper-V beta to RC0

One of the problems when you ship a beta product with a released product is that people will use it. Damn those users!

Yeah, well, I’m one of those users and it’s all very well including a comment in the Hyper-V beta release notes warning us that it will not be possible to upgrade VMs from the Hyper-V beta to subsequent releases (I think there was such a comment, but I can only find the RC0 release notes now) but someone is just going to do it. I figured that as long as I have the virtual hard disk (.VHD) then recreating a child partition (virtual machine) shouldn’t be too big an issue. Right?

The exact words in Microsoft’s instructions for installing the Windows Server 2008 Hyper-V RC are:

“Migration of virtual machine configurations from Hyper-V Beta is not supported. All virtual machine configurations must be recreated using Hyper-V RC. However, customers will be able to migrate VHD files for released operating systems (Pre-release version of Windows Server 2008 will need to be recreated with the RTM version). There are several important factors to consider and steps to be followed for migrating VHDs to Hyper-V RC. […] Please refer to for instructions on how to move VHDs created on Hyper-V Beta to RC.”

What Microsoft knowledge base article 949222 fails to point out is that the process of deleting snapshots does not always complete successfully. As John Howard points out in his recent post about the availability of the Hyper-V release candidate (RC) release:

“If you have any virtual machines running on Hyper-V Beta which have snapshots, these are not compatible with Hyper-V RC0. Deleting the snapshots will cause the changes to be merged back to the parent VHD, but this does take some time to complete (and due to a bug in Hyper-V beta, the merge does not always kick in).”

If you suffer from the bug that John mentions, there is a workaround (unsupported), which is under NDA (so I can’t write the method here), but Ben Armstrong gives a pretty big clue when he describes virtual machine snapshotting under Hyper-V and says:

“You can also delete a snapshot. If you delete a snapshot that has no descendants (snapshot with differencing disks that reference the snapshot being deleted) then the files associated with the snapshot will just be deleted. If you delete a snapshot with only one descendant the configuration and saved state files for the snapshot will be deleted and the snapshot differencing disks will be merged with those of its descendant. If you delete a snapshot with more than one descendant the snapshot configuration and saved state files will be deleted - but the differencing disks will not be merged until the number of descendant snapshots is reduced to one.”

I added the emphasis in that quote and it may be useful to note that the Edit Virtual Hard Disk Wizard can be used to merge a differencing disk (which is what a snapshot is) into its parent (from the Windows Server 2008 Technical Library).

Thankfully, I didn’t have to go down that route (at least not on my notebook - I’ve not been brave enough to upgrade my server at home yet as I’ll also need to upgrade the parent partition from escrow build 6001.17128.amd64fre.longhorn.080101-1935 to RTM build 6001.18000.amd64fre.longhorn_rtm.080118-1840 - you can check what version a server is running by examining the BuildLabEx string at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ in the registry). When I tried to take a backup of all the VM files (including snapshots), I found that some of them were locked - even after a reboot. That was because Hyper-V was (very slowly) merging the contents of the .AVHD files into the .VHDs. I wasn’t convinced until I saw .AVHD files disappearing before my eyes and disk space miraculously appearing on my hard drive, although I have a feeling that the process may have stalled a couple of times and a reboot kicked things off again.

There are two clues that the merge is not yet complete:

  1. The presence of some .AVHD files in the snapshots folder for the virtual machine.
  2. The <disk_merge_pending type="bool">True</disk_merge_pending> line in the corresponding XML file.

Once the merge is complete, the .AVHD files should be deleted and <disk_merge_pending type="bool">True</disk_merge_pending> should read <disk_merge_pending type="bool">False</disk_merge_pending>.
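Both clues can be checked together before taking the backup. The following is an added example (not code from the original post) that inspects the disk_merge_pending element in a VM's XML configuration and looks for leftover .AVHD files; the sample XML fragment and the folder layout (a snapshots folder passed alongside the XML file) are assumptions, and the real configuration file contains far more than the one element reproduced here.

```python
"""Report whether a Hyper-V beta VM's snapshot merge has finished.

Added example, not from the original post. It checks the two clues the post
gives for an unfinished merge: .AVHD files still in the VM's snapshots folder
and <disk_merge_pending type="bool">True</disk_merge_pending> in the VM's XML
configuration. The sample XML and the folder layout are constructed.
"""
import os
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List

# Constructed fragments: only the element the post discusses is reproduced.
SAMPLE_XML_PENDING = """<?xml version="1.0"?>
<configuration>
  <disk_merge_pending type="bool">True</disk_merge_pending>
</configuration>
"""
SAMPLE_XML_DONE = SAMPLE_XML_PENDING.replace(">True<", ">False<")


@dataclass
class MergeStatus:
    merge_pending_flag: bool                                 # clue 2: XML element
    leftover_avhds: List[str] = field(default_factory=list)  # clue 1: files

    @property
    def complete(self) -> bool:
        """Both clues must be clear before it is safe to back up or upgrade."""
        return not self.merge_pending_flag and not self.leftover_avhds


def merge_pending_from_xml(xml_text: str) -> bool:
    """True if the configuration still carries disk_merge_pending = True."""
    node = ET.fromstring(xml_text).find(".//disk_merge_pending")
    if node is None or node.text is None:
        return False  # element absent: treat as nothing pending
    return node.text.strip().lower() == "true"


def leftover_avhds(filenames: List[str]) -> List[str]:
    """Differencing-disk files (.AVHD) still present in the snapshots folder."""
    return sorted(f for f in filenames if f.lower().endswith(".avhd"))


def assess(xml_text: str, snapshot_files: List[str]) -> MergeStatus:
    """Pure check on the XML text and a file listing (used by check_vm)."""
    return MergeStatus(merge_pending_from_xml(xml_text), leftover_avhds(snapshot_files))


def check_vm(xml_path: str, snapshots_dir: str) -> MergeStatus:
    """On-disk check: the VM's XML file plus its snapshots folder (layout assumed)."""
    with open(xml_path, encoding="utf-8") as fh:
        xml_text = fh.read()
    files = os.listdir(snapshots_dir) if os.path.isdir(snapshots_dir) else []
    return assess(xml_text, files)


if __name__ == "__main__":
    status = assess(SAMPLE_XML_PENDING, ["Snapshot1.avhd", "Snapshot1.xml"])
    print("merge complete" if status.complete else f"merge still pending: {status}")
```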

After my snapshots were merged and I had removed the beta integration components from my VMs, the upgrade process was quite straightforward - document everything, apply the Hyper-V RC0 upgrade package (no need to remove the beta first), install the RC (including restarting the computer), remove and recreate any virtual machines (even though they may still be visible in Hyper-V Manager, attempting to start one of the virtual machines will result in an access denied error - it’s a simple enough process to delete the virtual machine and recreate it using the original virtual hard disk), set up the virtual networking and install the latest integration components (depending on the operating system in use for each child partition).

Thankfully, I shouldn’t have to endure this pain with subsequent releases (like RC0 to RTM) - Microsoft’s Hyper-V FAQ states that:

“Microsoft is encouraging all customers and partners to test and evaluate the RC of Hyper-V. With RC, Hyper-V is now feature complete and provides a seamless upgrade path to RTM of Hyper-V.”


Introducing the Microsoft Deployment Toolkit 2008

One of the sessions that I managed to catch at the UK customer launch for Microsoft’s 2008 products last week was Julius Davies’ and Jason Stiff’s presentation on Windows Server 2008 (and Windows Vista) deployment. I recently spent some time brushing up my deployment skills but there have been a few developments since then - not least the rebranding of the Microsoft Solution Accelerator for Business Desktop Deployment (BDD) as Microsoft Deployment.

With Windows Vista and Windows Server 2008 now sharing a common codebase, the same techniques can be applied to both client and server deployment. Consequently, whilst still consisting of a combination of documentation and tools to provide guidance for deployment best practice, the Microsoft Deployment Toolkit (MDT) 2008 is equally applicable to Windows Vista (including SP1) and Windows Server 2008 (as well as certain downlevel operating system releases) - hence the removal of the emphasis on the business desktop.

As for its previous incarnations (I recently wrote an overview of BDD 2007), Microsoft Deployment 2008 provides for “lite touch” or “zero touch” deployment. Lite touch deployment is primarily about the creation of images for deployment from DVD, using Windows Deployment Services (WDS) or another method. Zero touch deployment relies on Microsoft System Center Configuration Manager (SCCM) to provide a management framework but both use the same core tools (Windows PE, ImageX, etc.).

As with BDD 2007, MDT 2008 includes a deployment workbench with an information center (documentation, news, and components), distribution share (operating system, applications, packages - e.g. language packs, and drivers), task sequences (with major OEMs to provide their own extensions to the XML), and deployment (deployment points and database) - now including multicast support (which even Microsoft note is overdue) using Windows Deployment Services. With the zero touch installation, MDT is used to extend the SCCM site server and provide similar concepts to the deployment workbench, including the ability to import task sequences from MDT and take them further (for example to provide role or feature-based installations).

In terms of roadmap for MDT, an update is expected in June 2008 to support System Center Configuration Manager 2007 service pack 1 as well as enhanced OEM support and further configuration elements. Further out, “deployment 5” is expected to include expanded product knowledge and cater for role based deployments using a “hydration” process for common applications.

Whilst on the subject of deployment, Garry Martin sent me a link to Dan Cunningham’s Workstation Migration Assistant - effectively a wrapper for the Microsoft User State Migration Toolkit (USMT). It looks like it could be a useful tool in the migration engineer’s arsenal - The Deployment Guys have more information on their blog.

Hyper-V release candidate

For a couple of days now, I’ve been itching to write something about the Microsoft Hyper-V release candidate (RC), which was made available to beta testers earlier this week. Well, the wait is over as the (feature-complete) product was officially announced earlier today.

According to Microsoft:

The RC forms an important milestone in the development of Hyper-V and being feature complete, customers can now start to evaluate the final implementation scenarios with the knowledge that the upgrade path to the RTM of Hyper-V will be largely non-disruptive in terms of VM settings, VHDs, etc. In this release candidate of Hyper-V, there are 3 new areas of improvement including:

  • An expanded list of tested and qualified guest operating systems including: Windows Server 2003 SP2, Novell SUSE Linux Enterprise Server 10 SP1, Windows Vista SP1, and Windows XP SP3.
  • Host server and language support has been expanded to include the 64-bit (x64) versions of Windows Server 2008 Standard, Enterprise, and Datacenter - with English, partial German, and partial Japanese language options now available and the ability to enable the English version of Hyper-V on other locales.
  • Improved performance & stability for scalability and throughput workloads.

I’ll be upgrading my Hyper-V installations over the coming weeks but even running the beta has been a remarkably good experience, although so far I’ve failed to get the Linux integration components working (on SUSE or RHEL, 32 or 64-bit). I’m also pleased that Microsoft has released Hyper-V management tools for Windows Vista SP1, removing the requirement for another Hyper-V server in order to manage Hyper-V on a Windows Server 2008 server core installation.

There’s more information on the Hyper-V RC at the Windows Virtualization team blog and in the official press release.

UK customer launch for Microsoft’s 2008 product wave

Exhibition hall at the Microsoft Heroes Happen Here 2008 customer launch

I’ve just got home from the UK “Heroes Happen Here” customer launch event for Windows Server 2008, Visual Studio 2008 and SQL Server 2008 in Birmingham. It’s been a long time since I was this closely involved with a launch event and I’m pretty exhausted! I did manage to get some time off from the stand to attend some of the sessions so, after I manage to catch up with the inevitable mountain of e-mail that will greet me after a couple of days out of the office, I’ll try and blog something from the sessions I attended. In the meantime, most of the key messages were covered in the post I wrote after the press launch last month.

Hyper-V and networking

For those who have worked with hosted virtualisation (Microsoft Virtual PC and Virtual Server, VMware Workstation and Server, Parallels Desktop, etc.) and haven't experienced hypervisor-based virtualisation (paravirtualisation), Microsoft Hyper-V is fundamentally different in a number of ways. Architecturally, it's not dissimilar to the Xen hypervisor (in fact, there are a lot of similarities between the two) and Xen's domain 0 is analogous to the parent partition in Hyper-V (effectively, when the Hyper-V role is added to a Windows Server 2008 computer, the hypervisor is "slid" underneath the existing Windows installation and that becomes the parent partition). Subsequent virtual machines running on Hyper-V are known as child partitions.

In this paravirtualised approach, a new virtual switch (vswitch) is created and the physical network adapter (pNIC) is unbound from all clients, services and protocols, except the Microsoft Virtual Network Switch Protocol. The virtual network adapters (vNICs) in the parent and child partitions connect to the vswitch. Further vswitches may be created for internal communications, or bound to additional pNICs; however only one vswitch can be bound to a particular pNIC at any one time. Virtual machines can have multiple vNICs connected to multiple vswitches. Ben Armstrong has a good explanation of Hyper-V networking (with pictures) on his blog.

One exception relates to the connection of virtual machines to wireless network adapters (not a common server scenario, but nevertheless useful when Windows Server 2008 is running on a notebook PC). The workaround is to use Internet connection sharing (ICS) on the wireless pNIC and to connect that to a vswitch configured for internal networking in Hyper-V. Effectively, the ICS connection becomes a DHCP server for the network, presented via the internal vswitch, and I'm pleased to find that the same principle can be applied to mobile data cards. Interestingly, Hyper-V seems quite happy to bind directly to a Bluetooth connection.

Using this approach, on my system, the various network adapters are as follows:

  • Dial-up adapters, including an HSDPA/HSUPA modem which I have shared to allow VMs to connect to mobile networks in place of wired Ethernet.
  • Local Area Connection - the pNIC in my notebook PC, bound only to the Microsoft Virtual Network Switch Protocol.
  • Wireless Network Connection - the WiFi adapter in my notebook PC (if there was WiFi connectivity where I am today then this could have been shared instead of the data card).
  • Local Area Connection 3 - the Bluetooth adapter in my notebook PC.
  • Local Area Connection 4 - the external vswitch in my Hyper-V installation, connected to the external network via the pNIC.
  • Local Area Connection 5 - another vswitch in my Hyper-V installation, operating as an internal network, but connected using the method above to the shared HSDPA/HSUPA modem.

This gives me plenty of flexibility for connectivity and has the useful side-effect of allowing me to circumvent the port security that I suspect is the cause of my frequent disconnections at work, where the physical switches are configured to block any device presenting multiple MAC addresses on the same port.

Burning CDs/DVDs in Windows Server 2008

One of the downsides of running Windows Server 2008 as a workstation operating system is the lack of native CD/DVD-burning capabilities. Quite why Microsoft decided that administrators don't need to write optical discs from servers is anybody's guess but it's kept me busy for the last hour or so.

First, I installed the copy of Nero 7 Essentials (v7.8.5.0) that was supplied with my notebook PC. That looked good (apart from the number of "essentials" that it provides) until I came to create a CD and found that it would only let me record to an "Image Recorder" and not to the drive in my notebook (despite having been provided by Fujitsu-Siemens with the computer, it seems that this OEM copy doesn't work with my hardware).

Next up, I tried cdburn.exe from the Windows Server 2003 Resource Kit. That didn't want to co-operate with my 64-bit Windows Server 2008 installation (it may work on a 32-bit installation as I used it on my previous machine with Vista).

A few years back, I wrote about Alex Fienman's CreateCD and the latest version is called ISO Recorder. Even though v3 works on 64-bit Windows (Vista and so presumably Server 2008) it didn't recognise my drive.

Then I stumbled across a post from Aali, who had exactly the same issue burning discs in Windows Server 2008 - ImgBurn (v2.4.0.0) successfully burned the .ISO that I'd created with Nero to a blank disc and could even have done the whole job for me.

Update: I later found that ImgBurn and Nero were both quite happy to burn CDs/DVDs for me if I ran them as Administrator.

Some more on using Active Directory for Linux/Mac OS X user authentication

Last year I wrote a post about using Microsoft Active Directory (AD) to authenticate users on a Red Hat Enterprise Linux (RHEL) computer (and a few weeks back I followed it up for Mac OS X). This week, I've been re-visiting that subject, as I built a new FTP server at home and wanted to use AD for authentication.

In the process, I came across a couple of extra resources that might be useful:

As I was using an almost-new AD (not the old one that I have been tweaking for years), I found that RHEL5 (and Mac OS X 10.5) did not need me to disable digital signing of communications as recent versions of Samba include client side signing. The Samba documentation suggests that it is necessary to set client use spnego = yes in smb.conf when authenticating against a Windows Server 2003 domain controller but I did not find that to be the case with Samba v3.0.23c and Windows Server 2003 R2 with SP2 (perhaps that is the default?).

The following notes may also be useful:

  • SSH does not require any further configuration but if Samba is configured to use the default separator for domainname and username (\) then you will need to escape it - so the connection command would be ssh domainname\username@hostname.
  • This also works for FTP (ftp domainname\username@hostname) but I've not found a way to make a simple ftp hostname use AD for authentication.
  • Even though Linux/Unix usernames are case-sensitive, Windows ones are not, so any combination of lower and upper case is valid for domainname\username. Passwords do need to be entered in the correct case (as in Windows).

Problems with Hyper-V, ISA Server 2006 and TCP offloading

For the last few days, I've been trying to get an ISA Server 2006 installation working and it's been driving me nuts. I was pretty sure that I had my networking sorted, following Jim Harrison's article on configuring ISA Server interface settings (although a colleague did need to point out to me that I didn't have a static route defined on my ADSL router back to the ISA Server's internal network - doh!) but even once this was checked there was still something up with the configuration.

My server has three NICs - a Broadcom NetXtreme Gigabit Ethernet card, connected to my Netgear ProSafe GS108 switch, and two Intel PRO/100+ Management Adapters - one connected to a NetGear DS108 hub and the other disconnected at the moment but reserved for remote management of the server (the first two are both bound to Hyper-V virtual switches).

The theory is that the Gigabit connection will be used for all my internal IT resources and the Fast Ethernet hub is just connected to the ADSL router. The server will run a few virtual machines (VMs) - the ISA Server (running with Windows Server 2003 R2 and connected to both virtual switches), another VM with Active Directory and DNS (also running Windows Server 2003 R2), my mail server and various test/development machines.

According to Microsoft:

"There are two rules to remember when setting up DNS on ISA Server. These rules apply to any Windows-based DNS configuration:
  • No matter how many network adapters you have, only assign DNS servers to a single adapter (it doesn’t matter which one). There is no need to set up DNS on all network adapters.
  • Always point DNS to either internal servers or external servers, never to both."

[Configuring DNS Servers for ISA Server 2004]

Following this advice, my internal DNS Server is set to forward any requests that it can't resolve to my ISP's servers. The problem was that this DNS server couldn't access the Internet through the ISA Server. ISA Server could ping hosts on all networks (so the network configuration was sound) and monitoring the traffic across the ISA Server showed the outbound DNS traffic on port 53 but nothing seemed to be coming back from the ISP's DNS servers.

I checked another colleague's working ISA Server 2006 configuration and found nothing major that was different (only an alternative DNS configuration - with the external NIC pointing to the internal DNS server where my external NIC has no DNS server specified - and the addition of the Local Host network in the source list for the Unrestricted Internet Access firewall access rule that is included in the Edge Firewall network template).

Then, after seeking advice from more colleagues and spending the entire day (and evening) on the problem, I finally cracked it...

Because the ISA Server was configured to use the internal DNS server for lookups (which, in turn, couldn't get back through the ISA Server), nslookup domainname.tld didn't work; however nslookup domainname.tld alternativednsserveripaddress did (e.g. nslookup ). HTTP(S) traffic seemed fine though - if I used IP addresses instead of domain names, I could access websites via the web proxy client.

Meanwhile, on the ISA Server, I could use nslookup for local name resolution but not for anything on the Internet. And pinging servers on the external side of the ISA server gave some very strange results - The first packet would receive a reply but not the subsequent ones.

After hours of Googling, I came across some good advice in a TechNet forum thread - download and run the ISA Server Best Practices Analyzer (BPA) tool. The ISA BPA presented me with a number of minor warnings (for example, that running ISA Server in a virtual environment can't protect the underlying operating system) but two seemed particularly significant:

"Receive-side scaling (RSS) is enabled by the Windows Server operating system. If a network adapter installed on the local ISA Server computer supports RSS, ISA Server may function incorrectly. [...]"

"TCP-Acceleration (TCPA) is enabled by the Windows Server operating system. If a network adapter installed on the local ISA Server computer supports TCPA, ISA Server may function incorrectly. [...]"

I made the registry edits to disable RSS and TCPA (further details are available in Microsoft knowledge base articles 927695 and 936594), restarted the computer and crossed my fingers.

Even after this change, I still couldn't successfully ping resources on the external side of the ISA Server from the private network, but I was sure I was onto something. I stopped looking for problems with ISA Server and DNS, and instead I focused my efforts on TCP offload issues with Hyper-V. That's when I found Stefaan Pouseele's post about ISA Server and Windows Server 2003 service pack 2. Stefaan recommends not only disabling RSS and TCPA but also turning off TCP offload and the TCP chimney.

A bit more Googling and I found a TechNet Forum thread about ISA Server 2006 in a virtual environment where (Virtual PC Guy) Ben Armstrong and VistaGuyRay (Raymond Comvalius) had discussed disabling TCP offloading in the VM. As it happens, only yesterday, Ray blogged about how disabling TCP offloading in the virtual machine (not on the host) had resolved his problems with a Broadcom gigabit Ethernet adapter and Hyper-V (further details are available in Microsoft knowledge base article 888750). So, after making this change (but not doing anything with the TCP chimney) and a final reboot of my ISA server, I noticed that Windows wanted to apply some updates. That meant that name resolution was working, which in turn meant that the internal DNS server was successfully forwarding requests to the ISP servers via the ISA Server and my ADSL router. Result.

The final set of registry changes that I made were as follows:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"EnableTCPA"=dword:00000000
"EnableRSS"=dword:00000000
"DisableTaskOffload"=dword:00000001

I've only made the registry changes on the ISA Server at the moment and the VM running AD/DNS seems to be fine, so this might not be an issue for all virtual machines connected to the Hyper-V virtual switch bound to the Broadcom NetXtreme NIC. What does seem reasonably certain though is that Hyper-V, ISA Server 2006 and TCP offloading don't play nicely together in this scenario.
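As an added example (not part of the original post), here is a PowerShell script that audits those three Tcpip\Parameters values on a server, reports which ones differ from the recommended state, writes them when asked to, and repeats the single-packet ping test that produced the "first reply only" symptom described above. The -Apply, -PingTarget and -PingCount parameters are this script's own; the registry values and their meanings are the ones in the .reg file above, and a reboot is still needed before the change takes effect.

```powershell
# Added example, not from the original post. Audits (and optionally sets) the
# RSS / TCPA / task-offload registry values on an ISA Server VM and repeats the
# per-packet ping test. Run from an elevated PowerShell prompt; the registry
# change only takes effect after a reboot. Parameter names are this script's own.
param(
    [switch]$Apply,                 # write the desired values instead of only reporting
    [string]$PingTarget,            # assumption: a host on the external side of ISA
    [int]$PingCount = 4
)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Desired state from the BPA warnings and KB 927695 / 936594 / 888750:
# RSS and TCPA off, and task offload disabled (note the inverted sense of the last one).
$desired = @{
    'EnableTCPA'         = 0
    'EnableRSS'          = 0
    'DisableTaskOffload' = 1
}

function Get-OffloadState {
    # Returns a hashtable of value name -> current DWORD, or $null when the
    # value is absent (Windows then uses its default, which leaves offload on).
    $state = @{}
    foreach ($name in $desired.Keys) {
        $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $item) { $state[$name] = $null } else { $state[$name] = [int]$item.$name }
    }
    return $state
}

function Set-OffloadState {
    # Writes every desired value as a DWORD; existing values are overwritten.
    foreach ($name in $desired.Keys) {
        Set-ItemProperty -Path $key -Name $name -Value $desired[$name] -Type DWord
    }
}

function Test-RepeatedPing {
    # Sends $Count single echo requests with a short gap and returns one
    # $true/$false per packet, so a "first reply only" pattern is visible.
    param([string]$Target, [int]$Count)
    $results = @()
    for ($i = 1; $i -le $Count; $i++) {
        $results += Test-Connection -ComputerName $Target -Count 1 -Quiet
        Start-Sleep -Milliseconds 500
    }
    return $results
}

$state = Get-OffloadState
$needsChange = $false
foreach ($name in $desired.Keys) {
    $current = if ($null -eq $state[$name]) { 'not set (default)' } else { $state[$name] }
    $ok = ($state[$name] -eq $desired[$name])
    if (-not $ok) { $needsChange = $true }
    '{0,-20} current: {1,-18} desired: {2}  {3}' -f $name, $current, $desired[$name], $(if ($ok) { 'OK' } else { 'CHANGE' })
}

if ($needsChange -and $Apply) {
    Set-OffloadState
    'Registry updated; restart the ISA Server for the change to take effect.'
} elseif ($needsChange) {
    'Re-run with -Apply (elevated) to write the values above.'
}

if ($PingTarget) {
    $replies = Test-RepeatedPing -Target $PingTarget -Count $PingCount
    'Ping {0}: {1}' -f $PingTarget, (($replies | ForEach-Object { if ($_) { 'reply' } else { 'timeout' } }) -join ', ')
}
```

Run it once with no switches to see what the server currently has, and note that a missing value is not the same as a zero: the BPA warns precisely because the defaults leave RSS and TCPA enabled. The ping loop is only a symptom check; once the values are applied and the box rebooted, the forwarder test from the internal DNS server is the real confirmation.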

Windows Server 2008 product activation for volume license customers

When Windows Vista was launched, I wrote a post about the volume activation (VA) 2.0 activation process. With Vista SP1, reduced functionality mode has been removed although there is still the same legal obligation to run properly-licensed copies of Windows. (Microsoft has published a Q and A sheet on the changes made to their anti-piracy programme).

A number of people have asked where they can get a 180-day evaluation copy of Windows Server 2008 and, as far as I'm aware, there isn't one. Instead, it is possible to install the product and it will attempt online activation (there is no longer an option in setup to deselect this). If activation fails, then a 60-day grace period will commence, during which the product will have full functionality and can be activated at any time, using a key management server (KMS) if one is available, or alternatively by entering the multiple activation key (MAK) in the system properties. Re-arming is also available, allowing 3 re-arms (so up to 240 days total use before activation). That should be more than enough time for evaluation and further details are available in Microsoft knowledge base article 948472.
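As an added example (not part of the original post), the grace period, remaining re-arm count and activation can also be read and driven from PowerShell through the Software Licensing WMI classes that ship with Windows Server 2008, which is the scripted equivalent of the System Properties dialog and of slmgr.vbs. The -ProductKey, -ReArm and -Activate parameters are this script's own; the MAK is whatever your volume licence agreement provides.

```powershell
# Added example, not from the original post. Reads the activation state of
# Windows Server 2008 through the SoftwareLicensingService / SoftwareLicensingProduct
# WMI classes and, on request, re-arms, installs a MAK and attempts activation.
# Run from an elevated PowerShell prompt. Parameter names are this script's own.
param(
    [string]$ProductKey,   # MAK to install (assumption: supplied by the caller)
    [switch]$ReArm,        # reset the grace period; consumes one of the three re-arms
    [switch]$Activate      # attempt activation (KMS if one is discoverable, else online MAK)
)

# Application ID of Windows itself, as opposed to Office or other SL-aware products
$windowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'

function Get-ActivationState {
    # Returns an object summarising the licence state of the installed Windows edition.
    $service = Get-WmiObject -Class SoftwareLicensingService
    $product = Get-WmiObject -Class SoftwareLicensingProduct |
        Where-Object { $_.ApplicationID -eq $windowsAppId -and $_.PartialProductKey }
    $statusText = @{
        0 = 'Unlicensed'
        1 = 'Licensed'
        2 = 'Initial grace period'
        3 = 'Additional grace period'
        4 = 'Non-genuine grace period'
        5 = 'Notification'
        6 = 'Extended grace period'
    }
    New-Object PSObject -Property @{
        Edition       = $product.Name
        Status        = $statusText[[int]$product.LicenseStatus]
        GraceDaysLeft = [math]::Round($product.GracePeriodRemaining / 1440, 1)  # WMI reports minutes
        ReArmsLeft    = $service.RemainingWindowsReArmCount
        Service       = $service
        Product       = $product
    }
}

$state = Get-ActivationState
'Edition:           {0}' -f $state.Edition
'Licence status:    {0}' -f $state.Status
'Grace remaining:   {0} days' -f $state.GraceDaysLeft
'Re-arms remaining: {0}' -f $state.ReArmsLeft

if ($ReArm) {
    if ($state.ReArmsLeft -lt 1) { throw 'No re-arms left; the product must be activated.' }
    $state.Service.ReArmWindows() | Out-Null
    'Re-armed; reboot to start the new 60-day grace period.'
}

if ($ProductKey) {
    # Same effect as changing the key in System Properties, without the dialog
    $state.Service.InstallProductKey($ProductKey) | Out-Null
    $state.Service.RefreshLicenseStatus()
    'Product key installed.'
}

if ($Activate) {
    # A KMS client finds its server via the _vlmcs._tcp DNS SRV record; a MAK client
    # contacts Microsoft's activation service directly, so outbound HTTPS must work.
    $state.Product.Activate()
    $state.Service.RefreshLicenseStatus()
    $after = Get-ActivationState
    'Status after activation attempt: {0}' -f $after.Status
}
```

The re-arm count is the thing to watch on an evaluation box: each -ReArm resets the grace period but cannot be undone, and when it reaches zero the only way forward is a real activation.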

Windows Server 2008 and wireless networking

Last week I wrote about how Windows Server 2008 can be used as a great workstation OS too... then I realised that I didn't have any wireless networking capabilities. Although Device Manager reported that my device was working properly, there were no networks available for connection. I wondered if that was because my Intel 4965AGN card was one of the devices that won't play nicely with Windows Vista SP1 (and hence possibly not Windows Server 2008 either) but it turns out to be a little simpler than that - as Ambrish Verma highlights on a TechNet Forum post, the Wireless LAN service is not enabled by default on Windows Server 2008. After adding this feature in Server Manager, I could browse the available wireless networks and connect successfully.
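As an added example (not part of the original post), here is a PowerShell script that does the same Server Manager step from the command line and adds the check a practitioner would want before blaming the adapter: that the WLAN AutoConfig service is installed, set to start automatically and actually running. ServerManagerCmd.exe and the Wireless-Networking feature ID are the standard Windows Server 2008 ones; the rest is this script's own.

```powershell
# Added example, not from the original post. Ensures the Wireless LAN Service
# feature is installed and its service (WLAN AutoConfig, wlansvc) is running on
# Windows Server 2008, then lists the visible networks. Run from an elevated prompt.
# ServerManagerCmd.exe is the 2008 command-line front end to Server Manager and
# 'Wireless-Networking' is the feature ID of the Wireless LAN Service.

$serviceName = 'wlansvc'

$svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    'Wireless LAN Service is not installed; adding the feature...'
    & "$env:windir\system32\ServerManagerCmd.exe" -install Wireless-Networking
    $svc = Get-Service -Name $serviceName
}

# Device Manager reports the adapter as healthy even while this service is
# stopped, which is why no networks appear. Pin the startup type and start it.
$wmiSvc = Get-WmiObject -Class Win32_Service -Filter "Name='$serviceName'"
if ($wmiSvc.StartMode -ne 'Auto') { Set-Service -Name $serviceName -StartupType Automatic }
if ($svc.Status -ne 'Running') { Start-Service -Name $serviceName }

(Get-Service -Name $serviceName) | Format-Table Name, Status -AutoSize

# netsh wlan only answers once wlansvc is running; before that the interface
# looks fine but shows no networks, exactly the symptom above.
netsh wlan show interfaces
netsh wlan show networks mode=bssid
```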
