Windows Server 2003 End-of-Life

by Shijaz Abdulla on 24.05.2014 at 06:30

Who remembers Windows Server 2003?

Just in case you’re still running Windows Server 2003 – here’s a reminder – Windows Server 2003 will be “end-of-life” on July 14, 2015. Here’s a countdown timer!

Using Windows File Servers with Macintosh clients

by Shijaz Abdulla on 03.05.2009 at 18:11

This article used to exist on www.shijaz.com before it was taken down in May 2009.

This article gives helpful hints on how to successfully interoperate Windows Server with Mac clients. Areas covered are:

  • Accessing Windows File Server from Macintosh
  • Using Windows DHCP Server with Macintosh clients
  • Using Windows DNS with Macintosh clients
  • Additional tips for Macintosh (How to Ping, NSLOOKUP, etc)

Background

Many organizations, mainly media and advertising agencies, have a mixed environment containing Windows and Macintosh machines. This article explains some of the common tasks required when operating Macintosh clients in a Windows Server environment.

Making Windows file shares accessible to Macintosh users

Step 1. Configure the Windows file server

  1. Create the folder on the file server
  1. Right-click My Computer, choose Manage.
  1. On the left pane, expand System Tools > Shared Folders
  1. Right-click Shared Folders and choose Configure File Server for Macintosh.
  1. On the Configuration tab, under Security, select “Apple ClearText or Microsoft” under Authentication.
  1. If you would like to allow Macs to save the password, put a check mark next to Allow workstations to save password.
  1. You can also specify a logon message for connected Mac users if required.
  1. On the left pane, expand System Tools > Shared Folders > Shares
  1. Right Click on Shares and choose New > Share.
  1. Click Next on the welcome screen.

  1. Put a check mark next to Apple Macintosh users. Click Next.
  1. On the next screen, choose Use custom share and folder permissions and click Customize.

  1. Click on the security tab and add users whom you want to give access.
  1. For read-only access, allow only the Read & Execute, List folder contents and Read privileges. For full access, also select Modify and Write.

  1. Click Next and then click Close.

  1. In Computer Management, see that a new MACINTOSH share for your folder has been created. Right-click the MACINTOSH share for your folder and select Properties.
  1. Under SFM Volume Security, remove the check mark next to This Volume is read-only.
  1. Click OK.

Step 2. Configure the Macintosh client

  1. Go to Apple > Chooser
  1. Click AppleShare. Click Server IP Address.
  1. Enter IP address of file server.
  1. Click Connect.
  1. Choose Registered user and enter domain username and password. Click Connect.
  1. Select the folder that you shared on the file server and click Connect. You can also save the password to keychain before clicking connect.
  1. The icon for the shared location will appear on the desktop.

Enabling Macintosh clients to use Windows DHCP (Mac OS X)

  1. Go to Apple > Control Panel > TCP/IP
  1. Select obtain IP addresses through DHCP
  1. Close the window. Click Save when prompted.

Enabling Macintosh clients to use Windows DHCP (Mac OS 10.x/TIGER)

  1. Go to Apple > Control Panel > Networks
  1. Select the Network interface connected to the LAN
  1. Select TCP/IP.
  1. Choose DHCP.

Enabling Macintosh clients to use Windows DNS

  1. Go to Apple > Control Panel > TCP/IP (for Mac OS 10.x, choose Networks > TCP/IP)
  1. Under Name Servers, specify your DNS Server IP address.
  1. You can also specify your domain name suffix under Search Domains.
  1. On your Windows DNS Server, allow both secure & non-secure updates.

Additional Tips

  • For Mac OS 10.x, you can use the “ping” command (without quotes) from the Terminal. (Go > Applications > Terminal)

  • For Mac OS 10.x, you can use the “dig” command (without quotes) to see the name servers that are being used. In the last four lines of the output, you will see the IP address of the primary DNS server on a line starting with the word SERVER:

SERVER:192.168.2.10#53

How to enable Remote Desktop remotely

by Shijaz Abdulla on 03.05.2009 at 17:54

This article used to exist on www.shijaz.com before it was taken down in May 2009. Originally published in January 2008.

This article explains how you can enable Remote Desktop on a server that you do not have physical access to.

You’ve built new servers, updated them with the latest service pack, and even run Windows Update. Proud of the good job you’ve done, you move upstairs to the comfort of your office to do the rest of the installation, away from the freezing server room. And then you suddenly realize that you did not enable Remote Desktop connections on your new server. Aw, now you need to go back all the way to your data center to enable RDP. The situation is even worse if you pre-configured the server without enabling RDP and shipped it to your branch location in Timbuktu!

Well, here’s the good news. You can actually enable remote desktop remotely. All you need to do is open up the registry of that server remotely, and make some changes and then initiate a remote restart of the server. Well, that’s the only downside – you normally don’t need a restart if you enable it physically.
1. On your Windows workstation, open Registry Editor (Start –> Run –> Regedit.exe –> OK)

2. On the File menu, choose Connect Network Registry.

3. Select the name of the computer that you want to enable RDP on. Make sure the logged-in user has administrator rights on the remote server.

4. On the remote computer, navigate to the key HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server. Find a value named fDenyTSConnections and change it to 0 (zero).

5. Restart the remote computer by typing the following command in the Command Prompt of your workstation.

shutdown -m \\myserver -r

where ‘myserver’ is the name of your server.

6. Wait for the server to restart and connect to it using Remote Desktop Connection (MSTSC) from your Windows PC.
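
The registry part of this procedure can also be scripted. The following PowerShell function is an added example, not code from the original article: it reads the Terminal Server deny-connections value from step 4 on a list of servers, which is also a quick way to audit where RDP is switched on, and writes 0 only when called with -Enable. The function name and the server names are placeholders, and it assumes the Remote Registry service is running on each target.

```powershell
# Added example, not part of the original article. Server names are placeholders.
# Needs admin rights on each target and the Remote Registry service running there.
function Invoke-RdpRegistryCheck {
    param(
        [Parameter(Mandatory = $true)][string[]]$ComputerName,
        [switch]$Enable   # without -Enable the function only reads the value
    )
    $subKey = 'SYSTEM\CurrentControlSet\Control\Terminal Server'
    $value  = 'fDenyTSConnections'
    foreach ($name in $ComputerName) {
        $hklm = $null; $key = $null
        $row = [ordered]@{ Computer = $name; Before = $null; After = $null; Error = $null }
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                        [Microsoft.Win32.RegistryHive]::LocalMachine, $name)
            # Open the key writable only when a change was requested
            $key = $hklm.OpenSubKey($subKey, $Enable.IsPresent)
            if ($null -eq $key) { throw "Key not found: HKLM\$subKey" }
            $row.Before = $key.GetValue($value)
            if ($Enable -and $row.Before -ne 0) {
                $key.SetValue($value, 0, [Microsoft.Win32.RegistryValueKind]::DWord)
            }
            $row.After = $key.GetValue($value)   # read back to confirm the write
        }
        catch {
            $row.Error = $_.Exception.Message    # unreachable host, access denied, ...
        }
        finally {
            if ($key)  { $key.Close() }
            if ($hklm) { $hklm.Close() }
        }
        [pscustomobject]$row
    }
}

# Report only (0 = RDP connections allowed, 1 = denied):
Invoke-RdpRegistryCheck -ComputerName 'myserver', 'branchsrv01'
# Apply the change from step 4, then restart as in step 5:
# Invoke-RdpRegistryCheck -ComputerName 'myserver' -Enable
```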

Server service not starting: “Access Denied”

by Shijaz Abdulla on 25.11.2008 at 09:15

Recently, I noticed that many of the computers running Windows Server 2003 SP2 had the Server service in the stopped state. When I tried to manually start the service I got an Access Denied error. A restart of the server didn’t help.

The Server service is critical because file sharing depends on it. If the service is stopped, shared folders and administrative shares on the server cannot be accessed. This is especially critical on file servers, and on domain controllers for replication/access to SYSVOL folder for group policies.

The problem got resolved when I installed all the latest updates from Microsoft Update and restarted the machine. This is a security vulnerability listed in the security bulletin MS08-067 released by Microsoft this Sunday.

Unlocking files that are in use

by Shijaz Abdulla on 22.10.2008 at 21:20

Sometimes you cannot delete or rename a file that is currently in use. You might receive an access violation error, or simply a message telling you that your action could not be completed because the file is open in another program.

You may have already come across the Unlocker freeware tool that lets you "unlock" files that are in use by some application.

Here is another way (let’s call it the ‘techie’ way) to unlock files that are in use. It makes use of the Process Explorer tool from Windows SysInternals.

  • Download the Process Explorer tool. Execute procexp.exe
  • Choose Find > Find Handle or DLL option

  • Type the name of the file you want to unlock and hit Search.

  • The process EXE locking the file and the path to the file are listed. Double click on the result.

  • The file handle will be highlighted. Right-click on it and choose Close Handle.

Your file is now unlocked and can now be deleted, moved or renamed.

A little disclaimer here: closing handles might cause data inconsistency, loss and/or other undesirable effects. Make sure you understand what you’re doing before you do it.

Slow Remote Desktop on Dell PowerEdge 2950 running Windows Server 2003 R2 x64

by Shijaz Abdulla on 15.05.2008 at 13:30

I’ve seen this problem when I prepare Dell PowerEdge 2950 servers using the Dell OpenManage Server Assistant 5.3 to install Windows Server 2003 R2 x64 with Service Pack 2.

Once the OS installation is complete, if you enable Remote Desktop and connect from a Windows Vista machine using RDP, the RDP session/screen refresh is kind of slow. This only happens with x64 edition of Windows Server 2003.

The problem seems to disappear when I install all the latest updates from Microsoft Update/Windows Update so I guess the issue is addressed in one of the fixes.

Crash-proofing the Enterprise Root CA

by Shijaz Abdulla on 08.04.2008 at 07:24

Your enterprise root CA is an important piece of your enterprise network, especially if you issue a lot of certificates for a wide variety of purposes to your users.

A root CA also needs to be highly secured, both physically and over the network, because it contains the private key. A downtime on the root CA is seldom noticed because there is minimal need for using the server – except while issuing or renewing certificates. In fact, the Microsoft best practice is to power down your root CA when not in use.

Now, what do you do if your enterprise root CA crashes? Information about the enterprise root CA is written to Active Directory and to the registry of the Windows Server hosting the CA, and most important of all, the private key is also stored on this machine.

Quite obviously, in the event of a total failure, a backup is required. Taking a backup of the root CA is often neglected. Believe me, it takes virtually no time to take a backup and it’s the only way to restore your CA with all private keys intact.

Microsoft KB Article 298138 explains how you can back up your CA and move it to separate hardware. The procedure is also applicable if the hardware running your root CA crashes totally and you want to set up the same CA on new server hardware.

In this post, I will explain how you can automate a backup of the CA. Restoration can be done as per the article mentioned above. Write a script “backupCA.bat” with the following code:

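rem Back up the CA certificate and private key together with the certificate database
certutil -backup D:\backup
rem Back up the CA certificate and private key only
certutil -backupkey D:\backup
rem Back up the certificate database only
certutil -backupdb D:\backup
rem Export the CA configuration from the registry
reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration D:\backup\regbackup.reg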

Make sure the D:\backup folder is picked up by your centralized tape backup solution. Be extra careful with the tape because this contains the private key of your CA. Your organization should have the handling of tapes included in the security policy.
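
Before the tape job collects the folder, it is worth checking that the backup actually ran and that the folder holding the private key is not readable by everyone on the server. The following PowerShell function is an added example, not part of the original post. It assumes the usual certutil backup layout (a .p12 file and a DataBase subfolder) plus the regbackup.reg file from the script above; the function name, the 26-hour freshness window and the list of broad groups are assumptions.

```powershell
# Added example, not from the original post. Assumes the layout certutil leaves in
# D:\backup (<CA name>.p12 and a DataBase folder) plus regbackup.reg from backupCA.bat.
function Test-CABackup {
    param(
        [string]$Path = 'D:\backup',
        [int]$MaxAgeHours = 26   # assumption: the backup script runs nightly
    )
    $problems = @()
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        return [pscustomobject]@{ Path = $Path; Ok = $false; Problems = @('missing folder') }
    }
    $cutoff = (Get-Date).AddHours(-$MaxAgeHours)

    # Every artifact must exist and be newer than the cutoff
    $expected = [ordered]@{
        'CA certificate and private key (.p12)' = '*.p12'
        'certificate database (.edb)'           = 'DataBase\*.edb'
        'registry export'                       = 'regbackup.reg'
    }
    foreach ($entry in $expected.GetEnumerator()) {
        $newest = Get-ChildItem -Path (Join-Path $Path $entry.Value) -ErrorAction SilentlyContinue |
                  Sort-Object LastWriteTime -Descending | Select-Object -First 1
        if (-not $newest) {
            $problems += "missing: $($entry.Key)"
        } elseif ($newest.LastWriteTime -lt $cutoff) {
            $problems += "stale: $($entry.Key), last written $($newest.LastWriteTime)"
        }
    }

    # The folder holds the CA private key, so flag access granted to broad groups
    # (English group names; adjust for localized systems)
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and $broad -contains $ace.IdentityReference.Value) {
            $problems += "broad access: $($ace.IdentityReference.Value) has $($ace.FileSystemRights)"
        }
    }
    [pscustomobject]@{ Path = $Path; Ok = ($problems.Count -eq 0); Problems = $problems }
}

Test-CABackup -Path 'D:\backup'
```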

Articles on enabling Remote Desktop

by Shijaz Abdulla on 17.02.2008 at 12:38

It’s been some time since I’ve written new articles on shijaz.com 🙂

I have added two new articles on Remote Desktop:

“Setup failed to install ADAM in replica mode”

by Shijaz Abdulla on 05.02.2008 at 08:14

If you already have ISA Server 2006 Enterprise Edition installed and you are trying to install ISA Server on another server and configure it as a replica of the Configuration store, you may get the following error on Windows Server 2003 R2:

“Setup failed to install ADAM in replica mode.”

Setup then exits and you are unable to complete the installation. This usually happens if there was a previous failed installation from the machine that you’re trying to join to the array. You will need to cleanup the values related to the server you’re installing from the ADAM installed on your first configuration store, which stores config information for the array.

A simple solution to this is to ensure that both nodes are running Windows Server 2003 R2 and then edit the ADAM to remove the orphaned server on which installation is failing:

  1. Open Windows\ADAM\ADAM-ADSIEDIT.msc on the existing ISA Config Storage server.
  2. Navigate to CN=Configuration, CN=Sites, CN=Default-First-Site-Name,CN=Servers.
  3. Delete the server on which you have the installation problem.

Re-run the installation; it should succeed now.

The day the Exchange cluster died

by Shijaz Abdulla on 24.09.2007 at 08:48

I installed Windows Server 2003 Service Pack 2 on a client’s Exchange Server 2003 cluster on Thursday night (Yeah, I hear you – what a way to spend a weekend!). Everything went well, installation completed, rebooted and everything was happy and kicking.

…until on Friday morning when the Exchange HTTP Virtual Server Instance failed. Since this resource was configured to ‘affect the group’, the failure forced a failover of the whole Exchange cluster group to the passive node.

Within no time, Exchange HTTP Virtual Server Instance failed again, this time on the passive node! Someone press the Panic button!! The initial understanding of the situation was clear – Installation of Windows Server 2003 Service Pack 2 brought the mighty Exchange cluster to its knees.

I rebooted both nodes and normal operation ensued. But after a couple of hours it happened again. In the event logs, I could see things like:

Event Type: Warning
Event Source: MSExchangeIS Mailbox Store
Event Category: General
Event ID: 1115
Description:
Error 0xfffffbbe returned from closing database table, called from function JTAB_BASE::EcCloseTable on table DeletedFolders. For more information, click http://www.microsoft.com/contentredirect.asp.

Event Type: Error
Event Source: MSExchangeCluster
Event Category: Services
Event ID: 1005
Description: Exchange HTTP Virtual Server Instance 100 (servername): The IsAlive check for this resource failed. For more information, click http://www.microsoft.com/contentredirect.asp.

Event Type: Error
Event Source: Srv
Event Category: None
Event ID: 2019
Description: The server was unable to allocate from the system nonpaged pool because the pool was empty. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I couldn’t find much on these errors on the Internet, and this is the reason for this post. Here’s what the problem is.

My client is running Windows Server 2003 on a 32 bit server. 32-bit versions of Windows, as we all know, support a maximum of 4 GB RAM. By default, Windows slices the total memory right down the middle: 2 GB is reserved for the OS and 2 GB for the applications. Out of the 2 GB reserved for the OS, 256 MB is reserved for non-paged pool memory.

My client is using the /3GB switch, which forces Windows to limit itself to 1 GB RAM and let the applications use 3 GB. But this causes the non-paged pool memory reservation to be reduced to 128MB instead of 256MB.

Now, 128 MB is a tight little space. IIS uses non paged pool memory for processing requests. On Windows Server 2003 and Windows Vista, IIS stops processing requests once the available non-paged pool memory goes below 20 MB. Event 2019 is evidence for that.

Of course you know, Exchange relies heavily on IIS. So that explains why the Exchange HTTP Virtual Server resource went down! But wait – what’s hogging up the non-paged pool memory? And how do we fix this?

That’s when Microsoft sent in their Poolmon utility, which grabs information on what’s in there. The culprit? – Broadcom’s NetXtreme II network card driver! It was incompatible with scalable networking features bundled with Windows Server 2003 SP2 (and the Windows Scalable Networking Pack) and caused a memory leak! I disabled the TCP Chimney with the following command:

Netsh int ip set chimney DISABLED

I also disabled the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableTCPA registry value by setting it to zero on both nodes, and followed the other steps mentioned in KB936594. That was all it took to solve the problem!

See my earlier related post: Delayed Logins: Change Password feature in ISA 2006
