HowTo: Reset the Domain Admin password on Windows Server 2008 / R2

How to reset the Domain Admin password for Windows Server 2008 / R2 with only the Windows Server 2008 installation media, if you're the type to lose passwords.

1. Boot into the install disc (Windows Server 2008)
2. Select language options and click Next
3. Click Repair (bottom left) > Next
4. Click Command Prompt
5. (cd to C:\Windows\System32)
6. >move Utilman.exe Utilman.exe.bak
7. >copy cmd.exe Utilman.exe
8. Restart and boot into Server 2k8
9. Keyboard shortcut: Windows + U
10. Command prompt opens
11. >net user administrator (password)
12. Or just type ‘net user’ to see syntax help and figure out what you want to do

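Rename the files back once you are finished (delete the cmd.exe copy named Utilman.exe and rename Utilman.exe.bak to Utilman.exe) to avoid any issues down the track. Until that is done, Windows + U at the logon screen opens a command prompt for anyone at the console.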
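
A quick check that the swap has been undone, as an added example that is not part of the original post: it compares the SHA-256 of Utilman.exe with that of cmd.exe and flags a leftover Utilman.exe.bak. It assumes an elevated 64-bit PowerShell prompt on the server; the function and variable names are this example's own.

```powershell
# Added example (not from the original post): confirm Utilman.exe was restored.
# Assumes a 64-bit PowerShell session; a 32-bit session is redirected to SysWOW64.
$sys32 = Join-Path $env:SystemRoot 'System32'

function Get-Sha256Hex([string]$Path) {
    # Plain .NET hashing so this also runs on PowerShell 2.0 (no Get-FileHash there)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($stream) }
    finally { $stream.Close() }
    ([System.BitConverter]::ToString($bytes)) -replace '-', ''
}

function Test-UtilmanRestored {
    $utilman = Join-Path $sys32 'Utilman.exe'
    $backup  = Join-Path $sys32 'Utilman.exe.bak'
    $cmd     = Join-Path $sys32 'cmd.exe'
    $issues  = @()

    if (-not (Test-Path $utilman)) {
        $issues += 'Utilman.exe is missing'
    } elseif ((Get-Sha256Hex $utilman) -eq (Get-Sha256Hex $cmd)) {
        # Identical hashes mean the accessibility binary is still cmd.exe
        $issues += 'Utilman.exe is still a copy of cmd.exe'
    }
    if (Test-Path $backup) {
        $issues += 'Utilman.exe.bak is still present (original not renamed back)'
    }
    return ,$issues   # leading comma keeps an empty result as an array
}

$result = Test-UtilmanRestored
if ($result.Count -eq 0) {
    'OK: Utilman.exe restored'
} else {
    $result | ForEach-Object { "WARNING: $_" }
}
```

The same comparison is useful as a periodic check on any server, since a Utilman.exe that hashes the same as cmd.exe is never a normal state.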

DSM SA Data Manager Service starting

After a reboot the DSM SA Data Manager Service takes about 10 minutes to start; during this time you cannot log in either remotely or at the console.

Answer from Dell:

Regarding the Datamanager taking too long to boot, we have found this issue when we install OMSA on a Server that has “SQL Server Integration Services” or Oracle services. Reason for the delay is the race condition which prevents command reaching the storlib. There is a race condition between the SQL integration service and DSM data manager service.

To avoid this a dependency can be created as per the below Microsoft knowledgebase. This will prevent this condition.

http://support.microsoft.com/kb/193888

Create a dependency:

  1. Browse to the service in the registry which needs to be started later. The key can be found under: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<Service name>
  2. Create a new dependency:
    Select the subkey representing the service you want to delay, click Edit, and then click Add Value. Create a new value named “DependOnService” (without the quotation marks) with a data type of REG_MULTI_SZ, and then click OK. When the Data dialog box appears, type the name or names of the services that you prefer to start before this service, with one entry per line, and then click OK.

    The name of the service you would enter in the Data dialog box is the exact name of the service as it appears in the registry under the Services key.
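
The same registry change scripted, as an added example that is not from the original post or from Dell: it checks that the names are real service keys and merges the new entry into any existing DependOnService list instead of overwriting it. `<ServiceToDelay>` and `<ServiceToStartFirst>` are placeholders for the exact key names under Services; the page does not give them.

```powershell
# Added example (not from the original post or from Dell).
# Placeholders: use the exact key names found under ...\Services.
$delayed    = '<ServiceToDelay>'            # service that must start later
$startFirst = @('<ServiceToStartFirst>')    # service(s) that must start before it

$root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$key  = Join-Path $root $delayed

# Refuse to write anything if a name is not an existing service key
$allNames = @($delayed) + $startFirst
foreach ($name in $allNames) {
    if (-not (Test-Path (Join-Path $root $name))) {
        throw "No service key named '$name' under $root"
    }
}

# Keep the dependencies the service already has;
# writing only the new names would silently drop them.
$current = @((Get-ItemProperty -Path $key).DependOnService | Where-Object { $_ })
$merged  = @($current)
foreach ($name in $startFirst) {
    # -notcontains compares case-insensitively, like service names
    if ($merged -notcontains $name) { $merged += $name }
}

# REG_MULTI_SZ with one service name per entry; -Force replaces an existing value
New-ItemProperty -Path $key -Name 'DependOnService' -PropertyType MultiString `
    -Value ([string[]]$merged) -Force | Out-Null

# Show the value as stored
(Get-ItemProperty -Path $key).DependOnService
```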

You may see “Media is Write Protected” Error or VDS error 80070013 after bringing SAN disk online via Diskpart in Windows Server 2008

When a LUN is presented from a SAN to Windows Server 2008, the following error may pop up and Event ID: 10 may be logged in the Event log when trying to use the disk for the first time.

Error Message:

“The Media is Write Protected”

System Event Log:

Log Name: System
Source: Virtual Disk Service
Date:
Event ID: 10
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Description:
VDS fails to write boot code on a disk during clean operation. Error code: 80070013@02070008

In Windows Server 2008 there is a policy new to Windows related to SAN disks. This “SAN policy” determines whether a newly discovered disk is brought online or remains offline, and whether it is made read/write or remains read-only.

On Windows Server 2008 Enterprise and Windows Server 2008 Datacenter, the default SAN policy is VDS_SP_OFFLINE_SHARED. On all other Windows Server 2008 editions, the default SAN policy is VDS_SP_ONLINE.

SAN Policies:

VDS_SP_ONLINE: All newly discovered disks are brought online and made read-write.

VDS_SP_OFFLINE_SHARED: All newly discovered disks that do not reside on a shared bus are brought online and made read-write.

VDS_SP_OFFLINE: All newly discovered disks remain offline and read-only.

If the policy is such that newly discovered disks are set to offline and read-only, the administrator can use DiskPart at the command line or Disk Management from Server Manager\Storage to prepare the disks for use.

When you use the Disk Management snap-in to bring a disk online, the new disk is set to online and read-write. When you use DiskPart, only those flags you specify are changed. Thus if you issue the command to bring a disk online, it is only put into the online state. You must issue a separate command to make the disk read/write. In this way, DiskPart gives you finer control than Disk Management.

Bringing a disk online with DiskPart does not change the read-only attribute. Clear it manually using the following steps:

1. Run DiskPart

2. List and select the disk that needs to be made available.

LIST DISK
SELECT DISK <disk number>

3. If the disk is offline, bring it online by running ONLINE DISK

4. View the attributes by running DETAIL DISK

The command DETAIL DISK may give output similar to the following:

DISKPART> detail disk
Disk ID: ########
Type :
Bus : #
Target : #
LUN ID : #
Read-only : Yes
Boot Disk : No
Pagefile Disk : No
Hibernation File Disk : No
Crashdump Disk : No

5. To clear the read only flag, run ATTRIBUTE DISK CLEAR READONLY

6. Exit DiskPart

You should now be able to write to the disk.

Link: http://support.microsoft.com/default.aspx?scid=kb;EN-US;971436
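
The steps above scripted, as an added example that is not from the original post or the Microsoft article: it shows the current SAN policy, reads the Read-only line from DETAIL DISK and clears the flag only when it is set. It assumes an elevated prompt and English DiskPart output; `$diskNumber` is a placeholder taken from LIST DISK, and the function names are this example's own.

```powershell
# Added example (not from the original post or the Microsoft KB article).
# $diskNumber is a placeholder: take the real number from LIST DISK.
$diskNumber = 1

function Invoke-DiskPart([string[]]$Commands) {
    # diskpart /s runs the commands from a script file and returns the console output
    $script = [System.IO.Path]::GetTempFileName()
    try {
        Set-Content -Path $script -Value $Commands -Encoding ASCII
        $out = & diskpart.exe /s $script
        if ($LASTEXITCODE -ne 0) {
            $text = $out -join [Environment]::NewLine
            throw "diskpart failed: $text"
        }
        return $out
    } finally {
        Remove-Item $script -ErrorAction SilentlyContinue
    }
}

function Get-DiskReadOnly([int]$Number) {
    # Parse the "Read-only : Yes/No" attribute line (English output assumed)
    $detail = Invoke-DiskPart "select disk $Number", 'detail disk'
    $line = $detail |
        Where-Object { $_ -match '^\s*Read-only\s*:\s*(Yes|No)' } |
        Select-Object -First 1
    if (-not $line) { throw "No Read-only line in DETAIL DISK output for disk $Number" }
    return ($line -match ':\s*Yes')
}

# Show the SAN policy that decided how the new disk was brought up
Invoke-DiskPart 'san'

if (Get-DiskReadOnly $diskNumber) {
    # ONLINE and the read-only attribute are separate flags in DiskPart;
    # NOERR lets the script continue if the disk is already online.
    Invoke-DiskPart "select disk $diskNumber", 'online disk noerr',
        'attributes disk clear readonly' | Out-Null
}

"Disk $diskNumber read-only after change: $(Get-DiskReadOnly $diskNumber)"
```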

Windows 2008 Multipath I/O Overview

Adding and removing MPIO support
To install Multipath I/O on a computer running Windows Server 2008, complete the following steps.

To install Multipath I/O
1. Open Server Manager.

To open Server Manager, click Start, point to Administrative Tools, and then click Server Manager.

2. In the Features area, click Add Features.

3. On the Select Features page of the Add Features Wizard, select Multipath I/O, and then click Next.

4. On the Confirm Installation Selections page, click Install.

5. When installation has completed, click Close.

Source: http://technet.microsoft.com/en-us/library/cc725907.aspx

How to move Terminal Services CALs from one license server to another in Windows Server 2003 or in Windows 2000 Server

To move Terminal Services CALs from one Terminal Services license server to another, follow the procedures in the following sections.

The documents that you must have available

Before you start to perform the procedures that are described in the following sections, you must have the paper agreement that you received when you purchased the CALs. The agreement number or the enrollment number from the agreement will be required to receive the new CAL Pack ID that is described in the “How to move the CALs” section.

How to move the CALs

To move the CALs, follow these steps.

Note: After you move the CALs, you must deactivate the old license server. (See step 10.)

1.     Install Terminal Services Licensing on the target server.

2.     Activate the license server.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

325869 (http://support.microsoft.com/kb/325869/ ) How to activate a License Server by using Terminal Server Licensing in Windows Server 2003

3.     On the new Terminal Services license server, click Start, click Administrative Tools, and then click Terminal Server Licensing.

4.     In the Terminal Server Licensing snap-in, right-click the Terminal Services license server, and then click Properties. In the Installation method list, click Telephone, and then click OK.

5.     Right-click the Terminal Services license server, and then click Install Licenses. The Welcome to the Terminal Server CAL Installation Wizard dialog box appears.

6.     Click Next. In the Obtain Client License Key Pack dialog box, you will find the license server ID.

7.     Use this license server ID to obtain a CAL Key Pack ID. To install CALs on the new license server, you must have a CAL Key Pack ID. You can receive a CAL Key Pack ID from the Microsoft Clearinghouse or by visiting the following Microsoft Web site:

https://activate.microsoft.com

To contact the Microsoft Clearinghouse, use the following telephone number:

1-888-571-2048

The representative at the Microsoft Clearinghouse will give you a new CAL Key Pack ID. You can also contact Microsoft Customer Support Services at the following telephone number:

1-800-936-3100

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

319726 (http://support.microsoft.com/kb/319726/ ) Phone numbers for Microsoft Technical Support

8.     In the Obtain Client License Key Pack dialog box, type the CAL Key Pack ID (from step 7) in the Type the client license key pack ID in the boxes below field.

9.     Click Next. You will receive a message that states that the CALs have been installed successfully.

10.  After you verify that the new license server is functioning correctly, deactivate the old license server. To do this, uninstall the Terminal Services Licensing component on the old server.

source: http://support.microsoft.com/?kbid=953918

Dell OMSA LiveCD 6.0.1

Dell OMSA LiveCD 6.0.1 provides the following features:

• Safe environment to perform diagnostics or data recovery
• Access to disk diagnostics (Dell Online Diagnostics)
• Access to tape diagnostics (xTalk and IBM ITDT)
• DSET tool built into operating system
• Built in FTP and SMB shares to easily transfer files
• Built in telnet, SSH and VNC servers for remote troubleshooting
• Webex support for Dell technical support access
• OMSA 6.0.1 built in for local and remote access

Read the PDF: http://linux.ins.dell.com/files/openmanage-contributions/omsa-601-live/Guide.pdf

Download the iso: http://linux.dell.com/files/openmanage-contributions/?C=M;O=A

Which Communication Ports does Symantec Endpoint Protection 11.0 use?

To open firewall ports for SEP you need to know the following ports:

Port Number | Port Type | Initiated by | Listening Process | Description
80, 8014 | TCP | SEP Clients | svchost.exe (IIS) | Communication between the SEPM manager and SEP clients and Enforcers. (8014 in MR3 and later builds, 80 in older).
443 | TCP | SEP Clients | svchost.exe (IIS) | Optional secured HTTPS communication between a SEPM manager and SEP clients and Enforcers.
1433 | TCP | SEPM manager | sqlservr.exe | Communication between a SEPM manager and a Microsoft SQL Database Server if they reside on separate computers.
1812 | UDP | Enforcer | w3wp.exe | RADIUS communication between a SEPM manager and Enforcers for authenticating unique ID information with the Enforcer.
2638 | TCP | SEPM manager | dbsrv9.exe | Communication between the Embedded Database and the SEPM manager.
8443 | TCP | Remote Java or web console | SemSvc.exe | HTTPS communication between a remote management console and the SEPM manager. All login information and administrative communication takes place using this secure port.
9090 | TCP | Remote web console | SemSvc.exe | Initial HTTP communication between a remote management console and the SEPM manager (to display the login screen only).
8005 | TCP | SEPM manager | SemSvc.exe | The SEPM manager listens on the Tomcat default port.
39999 | UDP | Enforcer | | Communication between the SEP Clients and the Enforcer. This is used to authenticate Clients by the Enforcer.
2967 | TCP | SEP Clients | Smc.exe | The Group Update Provider (GUP) proxy functionality of SEP client listens on this port.

The Symantec Endpoint Protection Manager (SEPM) uses two web servers: Internet Information Services (IIS) and Tomcat. IIS uses ports 80 (or 8014) and 443; Tomcat uses ports 9090 and 8443. The communication between IIS and Tomcat uses the HTTP protocol. IIS uses port 9090 to talk to Tomcat, and Tomcat uses port 80 to talk to IIS.

Client-Server Communication:
For IIS, SEP uses HTTP or HTTPS between the clients or Enforcers and the server. For client-server communication it uses ports 80 (or 8014) and 443 by default. In addition, the Enforcers use RADIUS to communicate in real time with the manager console for client authentication. This is done on UDP port 1812.

Remote Console:
9090 is used by the remote console to download .jar files and display the help pages.
8443 is used by the remote console to communicate with SEPM and the Replication Partners to replicate data.

Client-Enforcer Authentication:
The clients communicate with the Enforcer using a proprietary communication protocol. This communication uses a challenge-response to authenticate the clients. The default port for this is UDP 39999.

http://service1.symantec.com/SUPPORT/ent-security.nsf/2326c6a13572aeb788257363002b62aa/edda0cd89141a6788025734e004b6a02?OpenDocument

iDRAC 6 – Ports

iDRAC6 Server Listening Ports

Port Number | Function
22* | SSH
23* | Telnet
80* | HTTP
443* | HTTPS
623 | RMCP/RMCP+
5900* | Console Redirection keyboard/mouse, Virtual Media Service, Virtual Media Secure Service, Console Redirection video
* Configurable port


iDRAC6 Client Ports

Port Number | Function
25 | SMTP
53 | DNS
68 | DHCP-assigned IP address
69 | TFTP
162 | SNMP trap
636 | LDAPS
3269 | LDAPS for global catalog (GC)

Disabling the Windows Logon Screen Saver

Screen savers are not necessary for virtual machines. To disable the Windows Logon Screen Saver:
  1. Click Start > Run, type regedit, click OK.
  2. Locate the following registry key:

    HKEY_USERS\.DEFAULT\Control Panel\Desktop

  3. Double-click the ScreenSaveActive string value item in the Details pane.
  4. In the Value data box, replace the number 1 with the number 0, and then click OK.

Alternatively, you can save the attached registry file and double click it. The key above is set for you (Windows 2000 and 2003 only).