What is the ADRAP Scoping Tool?

07/20/2009

Microsoft earlier this month released the AD Risk Assessment Program (ADRAP) Scoping Tool to the public. My look at it tells me that this tool essentially does, in a fancier way, what the ADRAP Suitability Scripts did; those came with the ADRAP Snapshot Tool, which of course you only got when you had the official ADRAP engagement and cut a check for it. As beneficial as ADRAP can be for a mid-to-large AD environment, in my experience it never had enough word of mouth. Very few people seem to have heard of it and there isn't a lot of information publicly available about the program, so until you have had it done you have very little idea of what the program offers. This tool does just that: it makes the program more public, it gives you a quick glimpse of what the program is about, and it readies your environment for the actual ADRAP sweep, hence the name Scoping Tool. Below you will see the simple 8-step process that runs several checks on your AD environment and creates a nice HTML report at the end, which you would supposedly send to your TAM prior to the engagement. Regardless of whether you will have the engagement or not, I think this tool serves as a quick snapshot of your environment. Note, however, that the tool is intended for Premier customers.

Download the tool here

Get white papers regarding Active Directory Risk Assessment Program


Is there a GUI to manage the AD Recycle Bin?

07/14/2009

Much has been said about the manageability of the AD Recycle Bin in Windows Server 2008 R2 via Microsoft's intended way, i.e. PowerShell cmdlets. Though the feature can still only be enabled via PowerShell, the ability to restore objects (the "reanimation" of objects in earlier versions of AD) has been extended to a GUI by Overall Solutions Inc. The GUI tool is very simple to use and is available for free. Below I show you how to restore a deleted OU, with objects inside it, via this tool. See the previous post on how to enable the AD Recycle Bin feature in your Windows Server 2008 R2 forest.

We delete an OU called Chicago which contains a Global Group.

Launch the ADRecycleBin tool (be sure to launch it under an administrator's context).

Right-click on the child object of the deleted tree and select all.

Click on Restore Deleted Object in the top right corner.

And it's as simple as that. The lesson of the story: there is always a window for someone to step in and fill the void. I posted earlier how Server Core, which was intended to be managed via CLI only, made a U-turn in the R2 release of Windows Server 2008. Personally, I wouldn't mind having to manage this feature solely from PowerShell, but it's nice to have the GUI option available.

Download the tool here.


How do I enable the Active Directory Recycle Bin in Windows Server 2008 R2?

07/1/2009

Launch PowerShell under an administrator's account context and type this cmdlet (the optional feature is forest-wide, so the cmdlet needs the scope and the forest as target).

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=yourdomain,DC=com' -Scope ForestOrConfigurationSet -Target 'yourdomain.com'

Read and understand the warning about this action's irreversibility, and hit "Y" for yes to continue.

In the following screenshot I show you an error that is not necessarily applicable to you: the cmdlet complained about not being able to verify the FSMO role ownership. The reason was that in my VM lab environment I had shut down another DC for maintenance, and it had not replicated or been contacted since.

Once I brought that downed DC back online and forced replication, I was able to proceed. You can then confirm with this cmdlet.

Get-ADOptionalFeature 'Recycle Bin Feature'

Here is a great post on this hot feature of Windows Server 2008 R2.

http://msmvps.com/blogs/ad/archive/2009/03/31/taking-out-the-trash.aspx
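
Once the feature is enabled, the restore that the GUI tool in the previous post performs by hand can also be done with the Active Directory module that ships with Windows Server 2008 R2. The script below is an added example, not code from either post or from the tool's vendor; it assumes the AD module is loaded, the Recycle Bin is enabled, and that the deleted OU is the "Chicago" OU from the earlier walk-through (the name is a placeholder you would change). Parents are always restored before their former children, which is what the Recycle Bin requires.

```powershell
Import-Module ActiveDirectory

# Recycled objects of the current domain live under this container
$deletedObjectsDn = 'CN=Deleted Objects,' + (Get-ADDomain).DistinguishedName

# Returns every recycled object whose lastKnownParent is one of the given DNs.
# A deleted container may be referenced by its children either under its original DN
# or under its renamed "\0ADEL:<guid>" DN, so the caller passes both forms.
function Get-DeletedChildren {
    param([Parameter(Mandatory = $true)][string[]]$ParentDn)
    Get-ADObject -SearchBase $deletedObjectsDn -Filter 'isDeleted -eq $true' `
        -IncludeDeletedObjects -Properties lastKnownParent |
        Where-Object { $ParentDn -contains $_.lastKnownParent }
}

# Restores one recycled object under $TargetPath, then recursively restores the objects
# that used to sit beneath it, so nested OUs and their groups/users come back intact.
function Restore-DeletedTree {
    param(
        [Parameter(Mandatory = $true)]$DeletedObject,          # output of Get-ADObject -IncludeDeletedObjects
        [Parameter(Mandatory = $true)][string]$TargetPath      # DN of the live container to restore into
    )
    $deletedDn = $DeletedObject.DistinguishedName

    # ObjectGUID survives deletion, so it is the stable handle for both restore and re-read
    Restore-ADObject -Identity $DeletedObject.ObjectGUID -TargetPath $TargetPath
    $restored = Get-ADObject -Identity $DeletedObject.ObjectGUID
    Write-Host ("Restored {0}: {1}" -f $restored.ObjectClass, $restored.DistinguishedName)

    # Children are restored explicitly into the restored parent, whichever DN form they recorded
    foreach ($child in Get-DeletedChildren -ParentDn @($deletedDn, $restored.DistinguishedName)) {
        Restore-DeletedTree -DeletedObject $child -TargetPath $restored.DistinguishedName
    }
}

# Locate the deleted OU by the RDN it had before deletion (placeholder name: Chicago)...
$ou = Get-ADObject -SearchBase $deletedObjectsDn -IncludeDeletedObjects `
        -LDAPFilter '(&(objectClass=organizationalUnit)(msDS-LastKnownRDN=Chicago))' `
        -Properties lastKnownParent

# ...and put it back where it came from, together with everything that was inside it
if ($ou) {
    Restore-DeletedTree -DeletedObject $ou -TargetPath $ou.lastKnownParent
} else {
    Write-Warning 'No deleted OU named Chicago was found in the Deleted Objects container.'
}
```

If several deleted OUs share the same former name, the LDAP filter returns more than one object and you should pick the right one by its ObjectGUID or whenChanged before calling Restore-DeletedTree.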


Getting started with Server Core is easier now in R2

06/9/2009

Perhaps inspired by Guy's 'Server Core Configurator' utility, there is now a menu-driven utility called SCONFIG.exe in the R2 version of Server Core. It lets you perform all the initial configuration tasks, such as renaming the computer, joining a domain, setting a new IP or DNS address, or enabling RDP.

Previously you had to rely on netdom, netsh and WMIC to perform these initial tasks, unless you had the Server Core Configurator (mentioned above) installed. Note that this SCONFIG menu is very similar to the Hyper-V menu.

Here are a few posts that you may find helpful for pre-R2 Server Core.

http://www.shariqsheikh.com/blog/index.php/200804/how-to-setup-ip-configuration-of-windows-server-2008-server-core/
http://www.shariqsheikh.com/blog/index.php/200804/how-to-disable-windows-firewall-in-windows-server-2008-server-core/
http://www.shariqsheikh.com/blog/index.php/200804/how-to-enable-rdp-for-windows-server-2008-server-core/
http://www.shariqsheikh.com/blog/index.php/200804/how-can-i-rename-windows-server-2008-server-core/
http://www.shariqsheikh.com/blog/index.php/200804/how-to-activate-windows-server-2008-server-core/
http://www.shariqsheikh.com/blog/index.php/200804/how-to-promote-server-core-to-be-a-rodc/
http://www.shariqsheikh.com/blog/index.php/200805/install-server-roles-and-features-on-server-core/


How do I perform an offline domain join in Windows Server 2008 R2?

06/1/2009

As briefly discussed before, a feature for joining machines to a domain offline is available in Windows Server 2008 R2. The utility used to perform this task is called "djoin.exe". Here is the official blurb on what offline domain join is and what it would be used for, and then I will show you how to perform this simple task.

“Offline domain join is a new process that computers that run Windows® 7 or Windows Server® 2008 R2 can use to join a domain without contacting a domain controller. This makes it possible to join computers to a domain in locations where there is no connectivity to a corporate network. For example, an organization might need to deploy many virtual machines in a datacenter. Offline domain join makes it possible for the virtual machines to be joined to the domain when they initially start after the installation of the operating system. No additional restart is required to complete the domain join. This can significantly reduce the overall time required for wide-scale virtual machine deployments.

A domain join establishes a trust relationship between a computer running a Windows operating system and an Active Directory® domain. This operation requires state changes to Active Directory Domain Services (AD DS) and state changes on the computer that is joining the domain. To complete a domain join in the past using previous Windows® operating systems, the computer that joined the domain had to be running and it had to have network connectivity to contact a domain controller”

I created the metadata, also known as the "blob", on one of my DCs for a server named 2008R2RC2 that I wanted to join to the domain offline (i.e. with the target machine not connected to the network), and saved it to a text file called computer_prov. As usual, I first ran the help on the utility to learn what syntax it offers. Here is the command I ran to provision the computer account and create the metadata.

djoin /provision /domain techevan.lab /machine 2008R2RC2 /savefile c:\computer_prov.txt

I then jumped on the target machine, copied the text file over and tried to run the needed syntax with the djoin utility.

djoin /requestODJ /loadfile c:\computer_prov.txt /windowspath %SystemRoot% /localos

I got an error that I was not running the shell with elevated privileges; I got out and back in with the "Run as administrator" option, and got the same error.

Perhaps it's a bug in the RC release; I then tried the same syntax from a conventional CMD window and was successful.

I then restarted the target computer, and the machine had been joined to the domain.

For more information please see http://technet.microsoft.com/en-us/library/dd392267(WS.10).aspx


Active Directory Best Practices Analyzer (ADBPA)

05/19/2009

A couple of years back, someone on the Microsoft Exchange forums recommended that, as an equivalent to the Exchange BPA, it would be nice for AD admins to have an AD Best Practices Analyzer; this was passed on to the AD team. I am not sure whether that particular thread was the driver behind it, but starting in Windows Server 2008 R2, AD admins will have a BPA.

“Active Directory Domain Services (AD DS) Best Practices Analyzer (BPA) is a server management tool that can help you implement best practices in the configuration of your Active Directory environment. AD DS BPA scans the AD DS server role as it is installed on your Windows Server 2008 R2 domain controllers, and it reports best practice violations. You can filter or exclude results from AD DS BPA reports that you do not need to see. You can also perform AD DS BPA tasks by using either the Server Manager graphical user interface (GUI) or cmdlets in the Windows PowerShell command-line interface.”

ADBPA is a great idea; it gives you a quick glance into the new DC you have just stood up. It points you toward setting the NTP settings correctly if the DC is also the PDC. It lets you know if your OUs are not protected from accidental deletion. It also reminds you that certain directory partitions (naming contexts) have not been backed up for a certain period of time. You can access the ADBPA from Server Manager -> AD DS.

You may notice that if you are running the Windows Server 2008 Beta version, there seems to be a bug in an ADBPA rule. One of the non-compliance complaints is about the DC's inability to reach a DNS server to retrieve DC-specific records, even when the DC itself is also the DNS server and the relevant records exist. This behavior has been corrected in the RC version.

The compliant section also shows where your DC meets the expected configuration, such as when it advertises itself as a DC in its local site. One downside I see with ADBPA is that it cannot be launched on its own in a separate MMC; unlike the Exchange BPA, it is only accessible in a small window from within Server Manager. So if there is a large number of non-compliant/compliant messages, the browsing experience is not that great.

How does ADBPA gather this data?

“When you run the AD DS BPA scan on a domain controller, the BPA engine invokes the AD DS BPA Windows PowerShell script that collects configuration data from the AD DS environment that this domain controller belongs to. The AD DS BPA Windows PowerShell script then saves the collected AD DS configuration data to an XML document. The BPA run-time engine validates this XML document against the XML schema.”

For more information on ADBPA, see this.


What's the Schema version of Windows Server 2008 R2?

05/14/2009

It is version 47 in the RC, and it may very well change when R2 reaches RTM. You can check the objectVersion attribute on the Schema naming context (NC) of your current forest via ADSIedit.msc.

Here are some older Schema versions.

13 = Windows 2000
30 = Windows Server 2003
31 = Windows Server 2003 R2
44 = Windows Server 2008

Here is more detail of schema changes in Windows Server 2008 R2 RC.

http://technet.microsoft.com/en-us/library/dd378828(WS.10).aspx


The only valid review of Active Directory Design

05/9/2009

Who needs ADRAP or ADHC when you have this in front of you? This is a modification of "Good code, Bad code" by the author credited on the picture.

Active Directory Scalability limits

05/1/2009

Have no more than 1,200 DCs in your domain, say the new scalability limits.

I wonder if anyone has realistically reached that limit without needing to break the domain into multiple domains/forests; this limitation lies in FRS's ability to keep SYSVOL replication sane. The recently published Active Directory Maximum Limits – Scalability article has some very interesting pieces of information. I am highlighting some key bullet points below.

  • Each domain controller in an Active Directory forest can create a little bit less than 2.15 billion objects during its lifetime.
  • There is a limit of approximately 1 billion security identifiers (SIDs) over the life of a domain.
  • Security principals (that is, user, group, and computer accounts) can be members of a maximum of approximately 1,015 groups.
  • Fully qualified domain names (FQDNs) in Active Directory cannot exceed 64 characters in total length, including hyphens and periods (.).
  • The maximum length for the name of an organizational unit (OU) is 64 characters.
  • There is a limit of 999 GPOs that you can apply to a user account or computer account.
  • The recommended maximum number of members in a group is 5,000. Production environments have been reported to exceed 4 million members, and Microsoft scalability testing reached 500 million members.(Thanks to LVR).
  • For Windows Server 2003, the recommended maximum number of domains when the forest functional level is set to Windows Server 2003 (also known as forest functional level 2) is 1,200.

Even though this TechNet-published content puts Windows Server 2008 in context, as identified in the "applies to" section, unfortunately the details do not dive into direct scalability improvements for native Windows Server 2008 and R2 forests. All in all, even with a Windows Server 2003 forest, the limitations mentioned here are rarely hit in a production environment.


Creating and applying a PSO with QADPasswordSettingsObject cmdlets is a snap

04/30/2009

Creating an additional password policy (known as a Password Settings Object, or PSO) in Windows Server 2008 is very easy with the QAD cmdlets. Create a PSO with New-QADPasswordSettingsObject, for example as shown below.

[PS] C:\Windows\System32>New-QADPasswordSettingsObject -name "Traders-Password-Policy" `
>> -passwordhistorylength 9 `
>> -passwordcomplexityenabled $true `
>> -minimumpasswordlength 7 `
>> -minimumpasswordage 1 `
>> -maximumpasswordage 15
>>
...

Name Type DN
---- ---- --
Traders-Password-Policy msDS-Passwor... CN=Traders-Password-Policy,CN=Password Settings Container,CN=System,D...

To check what other password attributes can be defined, see the help for New-QADPasswordSettingsObject. The -AppliesTo parameter lets you target the PSO at a group or an individual user right from within the cmdlet shown above, but you can also do this:

[PS] C:\Windows\System32>Add-QADPasswordSettingsObjectAppliesTo 'traders-password-policy' -AppliesTo joe.blow

Name Type DN
---- ---- --
Joe Blow user CN=Joe Blow,OU=Users,OU=Chicago,DC=techevan,DC=lab

Unfortunately, there is no Set-QADPasswordSettingsObject cmdlet yet that lets you modify an existing PSO. You can use ADSIEDIT.msc to do that: launch ADSIEDIT, go to \domain node\System\Password Settings Container, find the relevant PSO, open its properties and make your modifications.

If you log on as the user we applied this PSO to in the example above, you will be notified that your password expires in 14 days. It's a great feature in Windows 7.

For more information see these links:

http://technet.microsoft.com/en-us/library/cc753481.aspx#BKMK_2

http://windowsitpro.com/article/articleid/99929/use-powershell-to-manage-fine-grained-password-policies-in-windows-server-2008.html
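
The same PSO can be built with the Active Directory module that ships with Windows Server 2008 R2 and the Windows 7 RSAT tools, which, unlike the QAD cmdlets at the time of this post, can also modify an existing PSO and show which policy a user actually ends up with. This is an added example, not code from the post or from Quest; it assumes an R2 DC is reachable and that a group named 'Traders' already exists.

```powershell
Import-Module ActiveDirectory

# Same settings as the QAD example. Precedence is mandatory here: when several PSOs
# apply to one user, the one with the lowest Precedence value wins.
New-ADFineGrainedPasswordPolicy -Name 'Traders-Password-Policy' -Precedence 10 `
    -ComplexityEnabled $true -MinPasswordLength 7 -PasswordHistoryCount 9 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '15.00:00:00' `
    -LockoutThreshold 5 -LockoutObservationWindow '0.00:30:00' -LockoutDuration '0.00:30:00'

# Target a group rather than individual users; group membership then drives the policy
Add-ADFineGrainedPasswordPolicySubject -Identity 'Traders-Password-Policy' -Subjects 'Traders'

# Modify the existing PSO in place (the step that needed ADSIEDIT with the QAD cmdlets)
Set-ADFineGrainedPasswordPolicy -Identity 'Traders-Password-Policy' -MinPasswordLength 10

# Which policy does a given user actually get? No resultant PSO means the Default Domain Policy.
function Get-EffectivePasswordPolicyName {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($pso) { $pso.Name } else { 'Default Domain Policy' }
}
Get-EffectivePasswordPolicyName -SamAccountName 'joe.blow'

# Review every PSO in the domain with its precedence and subjects, to catch overlapping policies
Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge,
                  @{ Name = 'AppliesTo'; Expression = { $_.AppliesTo -join '; ' } } |
    Sort-Object Precedence
```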


PowerShell: Add-Computer cmdlet bug in PowerShell V2 in Windows 7

04/29/2009

Apparently there is a bug with the Add-Computer cmdlet in the PowerShell V2 version shipped with Windows 7. According to the help (examples), this cmdlet allows you to join a machine to the domain. I was successful in renaming the machine with the Rename-Computer cmdlet but had issues adding the machine to the domain. Keep in mind that in Windows 7 and Windows Server 2008 you have to launch PoSH with elevated privileges, even if you are logged on as an admin: you have to right-click on the shortcut and choose "Run as administrator"; see screenshot 1 for the error you receive if you don't.

Then I took a look at the help, confirmed that the syntax being passed was the right one, and tried with the computer name.

This gave a different error, as if the credentials being passed were not sufficient, which is not the case, as they are a Domain Admin's.

While that bug gets fixed, Kirk from over at the PowerGUI forums has this QAD cmdlet alternative for you as the solution.

C:\PS>new-qadObject -ParentContainer 'OU=ComputersOU,DC=company,DC=com' -type 'computer' -name 'comp1' -ObjectAttributes @{sAMAccountName='comp1'}

Let's wait for Add-QADComputerToDomain too, perhaps!


What Changes in Functionality From Windows Server 2008 to Windows Server 2008 R2

04/27/2009

Here is a useful 55-page white paper that describes the changes in functionality from Windows Server 2008 to Windows Server 2008 R2.

Hyper-V as a guest VM will not run guest VMs within

04/21/2009

As expected, and just like its counterpart, you can't run guest OSes (child partitions) within Hyper-V when Hyper-V itself is installed as a guest VM. Of course there are several tweaks out there that let you modify the VMkernel and supposedly let you run guest VMs in a nested ESX environment. I have yet to come across one that does the trick for Hyper-V. Perhaps it's not possible due to some substantial differences between the Hyper-V hypervisor and VMware's ESX(i) hypervisor. Greg Shields recently wrote at length correctly explaining the difference between the two products.

Rich Brambley, on the other hand, installed Hyper-V R2 under VMware Workstation but didn't proceed to install a VM as a guest on it, which in my opinion defeats the whole purpose. You can't really begin to play around with its feature set until you have a handful of workloads running on it.

I gave it a spin, and I came across the "No, no, you can't do this" issue. I have Hyper-V R2 installed as a guest on VMware Workstation 6.5.2. As posted in my last post, Hyper-V is being managed via Windows Server 2008's Hyper-V Management feature.

Hyper-V is just like a server core, with Hypervisor added

04/19/2009

Ever since Microsoft joined VMware in handing out their introductory type-1 hypervisor solutions (without management software) for FREE, there has been a fair share of confusion in the IT community regarding the standalone Hyper-V. Hyper-V is a standalone product that runs on a bare-metal box and needs to be managed via the Windows Server 2008 Hyper-V Management feature. Hyper-V is built on Windows Server 2008 Server Core, and Windows admins will find it easy to adjust to managing it, especially those who have had experience with Server Core.

I wrote a few posts earlier on managing Server Core: the initial configuration, opening the needed ports through the firewall, network configuration, etc. You will find that there is another layer of management window on top of the CLI window you are used to seeing in Server Core. That window is there for you to manage Hyper-V.

As you log in to Hyper-V, both windows, the CLI and the Hyper-V Configuration, pop up, with the first one in the background. The Hyper-V Configuration window has 16 options (sub-menus) that are pretty self-explanatory and allow you to set up the initial configuration, such as adding the server to a domain, configuring NICs, enabling RDP and remote management (WinRM), and so forth.

Remember that, following substantial feedback from IT pros, this new version of Server Core (that Hyper-V is built upon) now has a limited .NET layer added, which makes server management easier but, as expected, adds to its size compared to previous versions. This is of course only part of the recently released Hyper-V R2.

Here are some screenshots of Hyper-V R2.


Improved password reset option in Windows Server 2008

04/18/2009

It lets you know if the account's status on the current DC (the one you are connected to through ADUC) is locked or unlocked. I did a post earlier regarding account lockouts in Windows Server 2003. This small feature is good to have.


PowerShell gets a facelift in Windows Server 2008 R2

04/12/2009

The long-awaited PowerShell version 2 will be released with Windows Server 2008 R2 and Windows 7 (currently both in beta). As Microsoft intends to push PoSH as the management/interactive/command-driven shell, you will find the PoSH shortcut in your Quick Launch toolbar. In addition to what PoSH v2 has to offer, such as remote management capabilities, a notable difference is the number of cmdlets over version 1. PoSH v2 will have a total of 235 native cmdlets, where version 1 only had 129.

Watch a quick (first) screencast I did on this.


Active Directory Administrative Center won't work if...?

03/31/2009

I will tell you that 'if', but first off, for those not aware, meet ADAC, the successor to your ADUC.

Active Directory Administrative Center, an idea long awaited by AD admins. Starting in Windows Server 2008 R2 and the RSAT tools in Windows 7, you will have a richer administrative console for your Active Directory that will replace the good old ADUC (Active Directory Users & Computers). This is perhaps the first revamped console for managing AD since the very inception of Active Directory in the year 2000.

Built on Windows PowerShell™ command-line interface technology, Active Directory Administrative Center provides network administrators with an enhanced Active Directory data management experience and a rich graphical user interface (GUI). Administrators can use Active Directory Administrative Center to perform common Active Directory object management tasks through both data-driven navigation and task-oriented navigation

Yet there is a catch before you can take advantage of this powerful tool in your current production environment: you need to have at least one DC running Windows Server 2008 R2 in your domain. This is a little downside for early adopters of the technology who would like to take advantage of the extended tool in their current production environment. Without the required scenario mentioned here, you are likely to see the error shown below.

Among other things you can do with ADAC, here are a couple of features:

  • Connect to one or several domains or domain controllers in the same instance of Active Directory Administrative Center, and view or manage the directory information for those domains or domain controllers
  • Filter Active Directory data by using query-building search

Some great blogs have been written on this subject; take a look:

http://policelli.com/blog/?p=305
http://wss-id.org/blogs/bobby/archive/2009/03/24/windows-server-2008-r2-active-directory-administrative-center-first-look.aspx
http://blogs.technet.com/activedirectoryua/archive/2009/01/30/introducing-active-directory-administrative-center.aspx


Demoting Windows Server 2008 Domain Controller

01/24/2009

Windows Server 2008 installs role-specific snap-ins for each role, so if you demote a Windows Server 2008 DC through the normal "dcpromo" command, you will notice that the DC-specific roles within Server Manager are not uninstalled. Even though the DC has been fully demoted, Active Directory has been uninstalled and the server has been rebooted, the snap-ins for roles such as AD and DNS are still there (in case your DC was also a DNS server). This is a bit of a nuisance, as these snap-ins will not serve you the way "adminpak" did: you cannot manage AD on other DCs from this member server now, since for that you will need the RSAT tools. See the screenshots below for the problem and the error if you try to use the snap-in, and finally the wizards to remove the lingering roles.


PowerShell: How do I find the latest patches installed on a remote system?

01/17/2009

Using PowerShell, you can get a report of the patches installed on a remote workstation or server. Launch PowerShell and run the following command, where testworkstation is the name of your computer.

Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName testworkstation

If you need to provide another set of credentials for the domain-joined machine you are after, or if you get an access-denied error, use the Get-Credential cmdlet to provide the credentials.

You can see above the default output of the cmdlet, but you can narrow down the results with the following option.

Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName testworkstation | select description,hotfixid,installedon

I would further export it to a CSV for easier review and analysis with the following export option.

Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName testworkstation | select description,hotfixid,installedon | export-csv c:\Testworkstation_Hotfixes.csv

As you can see, this cmdlet relies on the WMI object class. It is necessary to have the pertinent ports open between the workstation you are running this from and the target: WMI rides on DCOM/RPC, which negotiates dynamic ports rather than a single fixed one. If there are firewall issues you can't overcome, then perhaps run the PowerShell cmdlets from within the same subnet as your target machine.
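
The same Win32_QuickFixEngineering query, run across a list of machines with the failure modes just mentioned handled: a host that refuses the connection (firewall, access denied, offline) is recorded as a FAILED row instead of aborting the whole run, and the inventory can then be checked for a missing update. This is an added example, not code from the post; the computer names and the KB number are placeholders, and the alternate credentials are only passed to remote hosts, since Get-WmiObject rejects explicit credentials for the local machine.

```powershell
function Get-HotfixInventory {
    param(
        [Parameter(Mandatory = $true)][string[]]$ComputerName,
        [System.Management.Automation.PSCredential]$Credential   # optional alternate account
    )
    foreach ($computer in $ComputerName) {
        $query = @{ Class = 'Win32_QuickFixEngineering'; ComputerName = $computer; ErrorAction = 'Stop' }
        # Explicit credentials are not allowed for a local query, so only add them for remote hosts
        if ($Credential -and $computer -ne $env:COMPUTERNAME) { $query.Credential = $Credential }
        try {
            foreach ($qfe in (Get-WmiObject @query)) {
                New-Object PSObject -Property @{
                    ComputerName = $computer
                    HotFixID     = $qfe.HotFixID
                    Description  = $qfe.Description
                    InstalledOn  = $qfe.InstalledOn
                    Status       = 'OK'
                }
            }
        } catch {
            # Keep the host in the report so an unreachable machine is not silently skipped
            New-Object PSObject -Property @{
                ComputerName = $computer; HotFixID = $null; Description = $null
                InstalledOn  = $null;     Status   = "FAILED: $($_.Exception.Message)"
            }
        }
    }
}

# Names of successfully inventoried machines on which the given hotfix is NOT installed
function Find-MissingHotfix {
    param(
        [Parameter(Mandatory = $true)][object[]]$Inventory,
        [Parameter(Mandatory = $true)][string]$HotFixID
    )
    $Inventory | Where-Object { $_.Status -eq 'OK' } |
        Group-Object ComputerName |
        Where-Object { -not ($_.Group | Where-Object { $_.HotFixID -eq $HotFixID }) } |
        ForEach-Object { $_.Name }
}

$cred = Get-Credential                                   # prompted once, reused for every remote host
$inventory = Get-HotfixInventory -ComputerName 'testworkstation', 'testserver' -Credential $cred

$inventory | Select-Object ComputerName, HotFixID, Description, InstalledOn, Status |
    Export-Csv -Path 'C:\Hotfix_Inventory.csv' -NoTypeInformation

$inventory | Where-Object { $_.Status -ne 'OK' }         # hosts that need a closer look
Find-MissingHotfix -Inventory $inventory -HotFixID 'KB000000'   # placeholder KB number
```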


Put PowerShell and QAD cmdlets together to become a lazier (yet smarter) system admin

12/21/2008

One of the exciting features of Windows Server 2008 is PowerShell (a command-line interactive shell and scripting language). PowerShell allows admins to achieve control over their Active Directory/server environment and accomplish the remote management tasks which used to be done with VB, WMI and ADSI scripts. While WMI and ADSI calls are still part of PowerShell cmdlets, pronounced "command-lets" (commands that trigger the call in the interactive PS shell), the number of lines and the need to know 'scripting' have been substantially lowered.

PowerShell v1.0 can be installed as a feature in Windows Server 2008, or can be individually installed on Windows XP SP2 or Windows Server 2003 SP1 from here as an RTW release. It provides 130 cmdlets that enable easier system administration and accelerated automation. On top of that, Quest Software has released the ActiveRoles Management Shell for Active Directory (for free), which provides another set of QAD (Quest Active Directory) cmdlets that extend the AD-specific management tasks. You can get the Quest Management Shell and its cmdlets from here (http://www.quest.com/powershell/activeroles-server.aspx).

While the Quest cmdlets run in their own shell, the Quest snap-in can also be registered in PowerShell by running the following command after installing the Quest Management Shell.

Add-PSSnapin Quest.ActiveRoles.ADManagement

You may run Get-PSSnapin to validate.

Alternatively you can work directly within the Quest Management Shell, where you will have all the native PS cmdlets available to you. To find all the QAD-related cmdlets, run Get-Command *-QAD*.

And lastly, give one of the QAD cmdlets a test drive, for instance to create a new user in AD. To find out how New-QADUser can be used, run Get-Help New-QADUser -Detailed to learn the full syntax and available options.

Here are a couple of great resources to hit the ground running with PowerShell and the Quest Management Shell (a.k.a. QAD cmdlets).

PowershellPro Tutorials
PowerGUI and QAD Wiki
PowerGUI Forums
Windows Powershell Forums


Repadmin indicates Read-Only Domain Controller in Windows Server 2008

08/18/2008

We are all aware how helpful the repadmin tool has become (available through the Windows Support Tools in Windows Server 2003 and earlier) for troubleshooting replication issues. In Windows Server 2008, this tool, along with others, comes pre-packaged within the OS. You no longer have to install the Support Tools to reap the benefits of handy command-line tools such as dcdiag, netdiag, rendom and many others.

Here is one repadmin syntax I have become used to, as it gives me a snapshot of source DCs and destination DCs and their replication status. The command is repadmin /replsum.

In the above scenario there are two DCs (both Windows Server 2008) showing their latest largest delta times. The source DC is the one changes have gone out from, whereas the destination DC is the one that adopted changes from the other DC, i.e. the one replicated to.

What needs to be noticed here is that under normal circumstances both DCs would show up under both Source and Destination, but since VM08-02 is a read-only domain controller it can only pull changes from the other DC and cannot replicate changes out. It therefore only shows up under Destination DC, showing that it was on the receiving end of Active Directory replication, while the read-write domain controller (RWDC), i.e. VM08-01, shows changes replicated out from it.

The fail/total %% and error columns come in very handy when somewhere out there one of your DCs has stopped talking to the others, or hasn't been talked to, due to an issue such as incorrect firewall settings.

Repadmin is one handy tool that all AD admins should invest a little time learning. For more information on the repadmin /showrepl command, click here.
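
Reading the fail/total and error columns off the screen does not scale past a handful of DCs, so here is an added example (not from the post) that turns repadmin's CSV output into PowerShell objects, lists the links with failures, and shows for each RODC the partners it pulls from, which is the one-way relationship described above. It assumes the Active Directory module (Windows Server 2008 R2 or RSAT) for Get-ADDomainController, and that the column names are those printed by "repadmin /showrepl /csv".

```powershell
Import-Module ActiveDirectory   # only needed for Get-ADDomainController below

# "*" asks every DC in the forest for its inbound links; each CSV row is one partner/partition pair
function Get-ReplicationLinks {
    repadmin /showrepl * /csv | ConvertFrom-Csv
}

# Links that have failed at least once since the last success, with the failure detail
function Get-ReplicationFailures {
    Get-ReplicationLinks |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Time', 'Last Failure Status'
}

# RODCs replicate inbound only, so they appear under Destination DSA but never under Source DSA.
# List each RODC with the DCs it pulls changes from; an RODC with no partners is not replicating at all.
function Get-RodcInboundPartners {
    $links = Get-ReplicationLinks
    Get-ADDomainController -Filter { IsReadOnly -eq $true } | ForEach-Object {
        $name = $_.Name
        $partners = $links | Where-Object { $_.'Destination DSA' -eq $name } |
                    ForEach-Object { $_.'Source DSA' } | Sort-Object -Unique
        New-Object PSObject -Property @{
            RODC     = $name
            Partners = ($partners -join ', ')
        }
    }
}

Get-ReplicationFailures | Format-Table -AutoSize
Get-RodcInboundPartners | Format-Table RODC, Partners -AutoSize
```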


Moving from Virtual Server 2005 R2 to VMware ESXi which is now FREE

08/1/2008

So it's no news that this past Monday VMware released VMware ESXi for FREE, previously sold for $495. As witnessed by many, this is a step in the right direction in terms of competing with Microsoft and its free offering of Hyper-V, their flavor of native virtualization product.

However, there are things to keep in mind. While ESXi and ESX (the most renowned in the market) match in core functionality, VMware does not make the VirtualCenter Server piece free. You would still need a licensed VMware Infrastructure 3 Suite in order to use VirtualCenter to manage multiple hosts, provision VMs easily and, most importantly, take advantage of powerful tools such as HA, DRS and Consolidated Backup for VMs.

Nonetheless, I am excited at this prospect, as many SMBs will now really be able to get a true taste of VMware ESX for their virtualization needs. I myself have run my home lab environment previously on VMware Server 1.0 and now on Virtual Server 2005 R2 (both non-native virtualization, running on top of another OS). As the news broke of FREE ESXi, I immediately wanted to know if it would run on my Dell PowerEdge 1800, a dual-core Xeon machine. As I searched I didn't find a definitive answer, and found the provided ESXi HCL of no help.

I decided to give it a try and moved my Virtual Server 2005 VMs over to other storage. I got the ISO for VMware ESXi and ran the installation. It installed painlessly (following the Install Guide that comes in an email when you register for your free copy, which also includes the license key), and I now had a VMware ESXi machine with much better hypervisor performance ready to go. I plan on migrating my Virtual Server 2005 VMs using VMware Converter, which is available in the install when you download the eval copy of VirtualCenter Server 2.5; it gives you all the previously mentioned features for 60 days. After the trial is over you can continue to use the Virtual Infrastructure Client to manage VMware ESXi and the VMs. I am looking forward to revamping my lab VMs and using the VirtualCenter features. Note: I installed VIC and VirtualCenter Server 2.5 on an XP machine and it works great. In future, I plan on installing the VirtualCenter Server piece on a Vista machine.

Lastly, most companies that have paid thousands of dollars for ESX and the VI3 Suite should perhaps look into creating their Dev and QA environments using ESXi while utilizing their already paid license for VirtualCenter to manage multiple ESXi hosts. There are potential cost savings there.

Grab your free copy of VMware ESXi from here.

P.S – After you have installed it, don't forget to license it with the key received in the email, from the Configuration tab and License option in VIC.


The Infamous /3gb Startup Switch

06/27/2008

What is it ?

Windows Server 2003 includes support for a startup switch that lets you tune the allocation of memory and memory address space. Regardless of the amount of physical memory in your system, Windows uses a virtual address space of 4 GB, with 2 GB allocated to user-mode processes (for example, applications) and 2 GB allocated to kernel-mode processes (for example, the operating system and kernel-mode drivers). On systems that have 1 GB or more of physical memory, the startup switch can be used to allocate more address space to applications (3 GB) and less to the operating system (1 GB). This additional virtual address space helps reduce the amount of memory fragmentation.

How beneficial is it ?

You may have read many articles on this subject before. This discussion has been going on for many years now and at times has almost reached epic proportions due to the conflicting information available from Microsoft. Long story short, by and large you should NOT use the /3GB switch unless you meet specific criteria. Please read the following article, as it demystifies the whole theory, or read the excerpt below.

http://blogs.technet.com/askperf/archive/2007/03/23/memory-management-demystifying-3gb.aspx

The /3GB option was intended as a short term solution to allow applications such as database servers to maintain more data in memory than a 2GB address space allowed. However, using the /3GB method to increase the user-mode memory space comes at a cost. If we have to allocate an additional 1GB of this address space to the user-mode space, then the System space is cut in half. Drivers, Heap, Paged & NonPaged Memory all have only half the resources to work with now. However, because of the way memory mapping works, cutting the kernel space in half does a lot more than just reducing the address space. Many of the structures within the kernel virtual memory space are cut back by far more than 50%.

For a process to access the full 3GB address space, the image file (application process) must have the IMAGE_FILE_LARGE_ADDRESS_AWARE flag set in the image header.

If the flag is not set in the image header, then the OS reserves the third gigabyte so that the application won't see virtual addresses greater than 0x7FFFFFFF. You set this flag by specifying the linker flag /LARGEADDRESSAWARE when building the executable. This flag has no effect when running the application on a system with a 2-GB user address space. Therefore if you enable the /3GB switch, then applications that do not have this flag set can only use the standard 2GB of User mode memory, and the Kernel is still limited to the 1GB space – which means that 1GB of virtual memory is basically wasted!
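Since only large-address-aware images benefit from /3GB, the practical check is whether an executable actually has that bit set. The following Python script is an added example (not from the original post or the Microsoft article): it reads the IMAGE_FILE_LARGE_ADDRESS_AWARE bit straight from a PE file's COFF header, and the sample header it tests against is constructed inline, not a real executable.

```python
import struct

# Characteristics bit in the COFF file header (winnt.h), set by /LARGEADDRESSAWARE
IMAGE_FILE_LARGE_ADDRESS_AWARE = 0x0020


def is_large_address_aware(image: bytes) -> bool:
    """Return True if the PE image's COFF header has IMAGE_FILE_LARGE_ADDRESS_AWARE set.

    Walks the DOS header ('MZ', e_lfanew at offset 0x3C) to the 'PE\\0\\0' signature,
    then reads Characteristics, the last field of the 20-byte COFF file header.
    """
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    characteristics = struct.unpack_from("<H", image, e_lfanew + 4 + 18)[0]
    return bool(characteristics & IMAGE_FILE_LARGE_ADDRESS_AWARE)


def user_mode_limit(large_address_aware: bool, three_gb_switch: bool) -> int:
    """Highest user-mode virtual address a 32-bit process sees under the rule above:
    only a large-address-aware image on a /3GB system gets the third gigabyte."""
    if large_address_aware and three_gb_switch:
        return 0xBFFFFFFF
    return 0x7FFFFFFF


def check_file(path: str) -> bool:
    """Convenience wrapper for a real executable on disk."""
    with open(path, "rb") as f:
        return is_large_address_aware(f.read())


def _constructed_image(characteristics: int) -> bytes:
    """Constructed minimal DOS header + PE signature + COFF header (demo data only)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, characteristics)
    return dos + b"PE\0\0" + coff


if __name__ == "__main__":
    for flags in (0x0102, 0x0122):  # EXECUTABLE_IMAGE|32BIT_MACHINE, with/without LAA
        print(hex(flags), is_large_address_aware(_constructed_image(flags)))
```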

All that is required to make it happen is a switch in the boot.ini file. The switch, /3GB, is placed at the end of the line that executes the WinNT loading process.

Example:

[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINNT="Windows NT Server Version 4.00" /3GB

Or you may add an additional line in your boot.ini, as above, to have the option to boot into either environment, with or without the switch.

What to keep in mind ?

This topic deals with the virtual memory address space and has no relevance to physical memory. It is, however, a limitation of a 32-bit OS; if you are running a 64-bit OS this is not applicable. At the end of the day you must decide if your application is capable of handling this switch as an added benefit. Often, if you have to raise the thresholds of how your OS handles things, or resort to things such as over-clocking your processor to keep up, one might worry about the logic behind it. Perhaps go for a 64-bit OS to begin with.


Can a RODC also be a DHCP ?

06/8/2008

Sounds like a no-brainer, but there is a catch. I installed the DHCP role on my Server Core that I had previously set up as a Read-only Domain Controller, using this command.

start /w ocsetup DHCPServerCore

And then I went ahead and set the service configuration to “auto” with this command,

sc config dhcpserver start= auto (note the space between the equal sign and auto)

And then finally when I tried to start the DHCP service with the following command, it failed with these errors.

net start dhcpserver

A system error has occurred

System error 50 has occurred

The request is not supported

So the catch was that since an RODC can't write back to AD to create the needed DHCP security groups, i.e. DHCP Administrators and DHCP Users, the service would fail.

After creating those domain local security groups on another Windows Server 2008 RWDC, the service does run successfully and you can manage the DHCP Server (that is running on Server Core) from another server using RSAT.


Is there a GUI to manage Server Core ?

06/6/2008

Yes there is. Inevitable as it was, we the System Admins like to accomplish easy tasks from the tips of our fingers, and do things in a graphical clicking environment. You might have heard of this utility, which came out a few months back, called 'Server Core Configurator' by Guy Teverovsky. I had been reading about the bugs and fixes at Guy's site and hadn't given it a try. I have now downloaded a copy that has been fixed up and fine tuned per the requests of other readers and users who tried out this utility. I installed it on my Server Core copy and I haven't been disappointed; it lets you do a lot of common tasks such as adding the machine to the domain, running DCPROMO on it, changing NIC settings, changing display and time zone etc., which would otherwise require you to know the command line or registry edits.

While this utility will come in very handy (until Microsoft perhaps comes out with their own), remember it's Microsoft's attempt to offer a small footprint OS of Core features, like the Linux based DHCP and DNS systems such as Infoblox, and they have tried to persuade System Admins to learn the powerful capabilities of Cscript, WMI and Netsh. This does take us the other way a little bit. But I sure am happy to see an option that allows me to do all those initial configuration tasks GUI-ily.

You be the judge and give it a try, download it from here,

http://blogs.microsoft.co.il/files/folders/guyt/entry68860.aspx

P.S. You can only launch the application from the folder where it was installed, i.e. change the directory to C:\Program Files\Server Core Configurator, where it installs by default.
