Although the default partitions created during installation are good enough for ESX Server 3.x to run properly, there is a lot of room for customization to improve performance, stability and extensibility. Following are some recommendations with their supporting reasons:
The /boot Partition
The default size of 100MB is ample space for the necessary files. This 100MB, however, is already twice the size of the default boot partition created during the installation of ESX 2. The recommendation is therefore to use 200MB for the /boot partition in anticipation of future increases.
The / Partition
The minimum size for this partition is 2.5GB, and since VMware has already chosen double that as the default partition size, it should be OK. But we need to consider that this is the partition where third-party applications/tools will also install by default, and they will certainly require their own space. The recommendation is therefore to use 20GB – 25GB for the / (root) partition. Still, the most important factor is to choose a size that leaves comfortable room for growth.
The SWAP Partition
As we all know, the general rule for creating a SWAP partition is to give it a size equal to two times the memory allocated to the operating system. The same holds true for ESX Server: by default the Service Console in ESX 3.x is allocated 272MB of RAM, and thus SWAP is by default 544MB, which is OK. The point to consider is that if third-party applications are going to be installed they will also require additional RAM, and as a result the Service Console will require additional RAM. The limit for RAM allocation to the Service Console is 800MB, so if the Service Console is to be adjusted up to the 800MB maximum, the SWAP partition should be 1600MB.
The /var/log Partition
The default value for this partition is typically safe; however, there is a recommendation. ESX Server uses the /var partition during patch management tasks. Since the default partition is /var/log, the /var directory itself is still under the / (root) partition, so space consumed in /var is space consumed in / (root). It is therefore recommended to change the mount point* to /var instead of /var/log and increase the size to a larger value like 12GB-15GB.
The VMKCORE Partition
It is the dump partition where ESX Server writes information about a system halt/hang. The size of this partition does not require any alteration.
The VMFS3 Partition
ESX Server creates all the other partitions first and then uses the remaining free space for this partition as local VMFS storage, so it does not require any alteration or special consideration.
Therefore the recommended ESX partitioning scheme is as follows:
Mount Point* Name    Type       Size
/boot                Ext3       200MB
/                    Ext3       25000MB (25GB)
(none)               Swap       1600MB
/var/log             Ext3       12000MB (12GB)
(none)               vmkcore    100MB
(none)               VMFS3      Varies
*Mount Point: In Unix-like systems, the mount point is the location in the operating system's directory structure where a mounted file system appears. A mount point associates a directory with a partition on the physical disk.
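As an added example (my own code, not from the post and not a VMware tool), here is a small Python checker that applies the rules above to a proposed Service Console scheme: swap must be twice the Service Console RAM, /var should be its own mount point rather than only /var/log, and the other sizes should meet the recommended minimums. Sizes are in MB; the dictionary key names ("swap", "vmkcore", "vmfs3") are my own convention.

```python
"""Check a proposed ESX 3.x Service Console partition scheme against the
recommendations above. Added example; key names and thresholds are taken
from the post's text, the code itself is not VMware's."""

SC_RAM_DEFAULT_MB = 272   # default Service Console RAM in ESX 3.x
SC_RAM_MAX_MB = 800       # maximum RAM that can be given to the Service Console


def recommended_swap_mb(console_ram_mb):
    """Two times the RAM assigned to the Service Console."""
    if not SC_RAM_DEFAULT_MB <= console_ram_mb <= SC_RAM_MAX_MB:
        raise ValueError("Service Console RAM must be between 272MB and 800MB")
    return 2 * console_ram_mb


def check_scheme(partitions, console_ram_mb):
    """Return a list of findings for a scheme given as {mount_or_label: size_mb}.
    Expected keys: '/boot', '/', 'swap', '/var' or '/var/log', 'vmkcore', 'vmfs3'."""
    findings = []
    boot = partitions.get("/boot", 0)
    if boot < 200:
        findings.append("/boot: %dMB; 200MB recommended for future growth" % boot)
    root = partitions.get("/", 0)
    if root < 2500:
        findings.append("/: %dMB is below the 2.5GB minimum" % root)
    elif root < 20000:
        findings.append("/: %dMB; 20-25GB recommended for third-party tools" % root)
    need = recommended_swap_mb(console_ram_mb)
    swap = partitions.get("swap", 0)
    if swap < need:
        findings.append("swap: %dMB; %dMB needed for a %dMB Service Console"
                        % (swap, need, console_ram_mb))
    # /var/log on its own partition still leaves /var (patch staging) under /.
    if "/var" not in partitions:
        if "/var/log" in partitions:
            findings.append("/var/log is separate but /var still lives under /; mount /var instead")
        else:
            findings.append("no separate /var: patch and log data will consume / (root)")
    var = partitions.get("/var", partitions.get("/var/log", 0))
    if var and var < 12000:
        findings.append("/var: %dMB; 12-15GB recommended" % var)
    if "vmkcore" not in partitions:
        findings.append("vmkcore partition missing: no crash dump target")
    if "vmfs3" not in partitions:
        findings.append("vmfs3 partition missing: no local datastore")
    return findings


# Constructed sample: the recommended table above, with the Service Console
# raised to its 800MB maximum. vmfs3 takes whatever is left, hence None.
RECOMMENDED = {"/boot": 200, "/": 25000, "swap": 1600, "/var/log": 12000,
               "vmkcore": 100, "vmfs3": None}

# Constructed sample resembling an installer default layout, for contrast.
DEFAULT_LIKE = {"/boot": 100, "/": 5000, "swap": 544, "/var/log": 2000,
                "vmkcore": 100, "vmfs3": None}

if __name__ == "__main__":
    for label, scheme in (("recommended", RECOMMENDED), ("default-like", DEFAULT_LIKE)):
        print(label)
        for finding in check_scheme(scheme, SC_RAM_MAX_MB) or ["no findings"]:
            print("  -", finding)
```

The only finding against the recommended table is the /var versus /var/log point, which is exactly the change the text argues for; the default-like layout trips every rule once the Service Console is raised to 800MB.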
Thanks to VMware forums, Chris McCain, Google and various other authors who shared this information on the internet and by the means of various guides and books available on VMware Infrastructure 3.
I believe almost all of us have encountered the problem where a system in our Windows environment runs out of disk space on the system volume. If it is a physical server, the option we have is to use a third-party tool such as Symantec Ghost to create an image of the machine and then deploy the image back to a machine with a larger hard drive. The same can be done if it is a virtual machine, but all of this requires third-party software, which comes at a cost. There is an alternative that relies entirely on tools already available within ESX and Windows, so you don't need to bear any additional cost to achieve the same result.
Following is the procedure:
Note: First things first, back up the VMDK file you want to resize.
For example, to increase the size of a VMDK file named server1.vmdk from 20GB to 60GB:
1. Use the Virtual Machine Properties to resize the virtual disk file, or use the vmkfstools command from the ESX host.
2. Mount the server1.vmdk file as a secondary drive in a different virtual machine.
3. Open a command prompt window in the second virtual machine.
4. At the command prompt, type diskpart.exe
5. To display the existing volumes, type list volume.
6. Type select volume <volume number>, where <volume number> is the number of the volume to extend.
7. To add the additional 40 GB of space to the drive, type extend size=40000.
8. To quit diskpart.exe, type exit.
9. Shut down the second virtual machine and remove server1.vmdk from it.
10. Power on the original virtual machine to reveal the new, larger C drive.
This is valid for older Windows systems such as Windows 2000 and 2003. For Windows Server 2008, Microsoft has added the native ability to grow and shrink the system volume, making these adjustments even easier without the use of any third-party tools.
The resolver is the DNS client that initiates the process of name resolution. Just as the main job of a DNS server is to store DNS name data and serve it when it receives requests, the main job of a DNS resolver is, well, to resolve.
To accomplish the task of name resolution, resolvers perform some or all of the following functions:
Providing the user interface: The DNS resolver is the interface between the user (both the human user and software such as a browser) and the DNS system. That is why you can type www.google.com and the web page opens without asking you for the IP address of the server where the site is located.
Forming and sending queries: The DNS resolver creates an appropriate query using the DNS message format, determines what type of resolution to perform, and sends the query to the appropriate name server.
Processing responses: The DNS resolver must accept responses from the DNS server to which it sent its query and decide what to do with the information in the reply.
Caching the responses: Like DNS servers, DNS resolvers can cache the results of the name resolutions they perform to save time if the same resolution is required again. (Not all DNS resolvers perform caching.)
Stub resolver: When a network is set up so that the resolvers on the client machines do nothing more than hand resolution requests to a local DNS server and let the server take care of them, the client DNS resolver is known as a stub resolver.
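As an added example (my own code, not from the post), here is a minimal stub resolver in Python that does the three mechanical jobs listed above: it forms a query in DNS wire format, processes the response (including name compression pointers), and caches the answer for its TTL. It hands every query to one configured server, which is what makes it a stub. The server side is a constructed in-memory function that returns a fixed answer, so the example runs offline; the address 192.0.2.10 and the 300-second TTL are made up, and the `send` callable would be a UDP exchange with port 53 in real use.

```python
"""Minimal stub resolver: build query, parse response, cache by TTL.
Added example; the fake server and its answer are constructed for the demo."""
import struct
import time

QTYPE_A = 1
QCLASS_IN = 1


def build_query(name, txid, qtype=QTYPE_A):
    """Encode a standard recursive query (RD=1) for `name` as wire bytes."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)


def _read_name(data, offset):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:              # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_response(data, expected_txid):
    """Return (question name, [(ip, ttl), ...]) for the A records in a reply.
    Raises ValueError on a transaction-id mismatch or a non-zero RCODE."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    offset, qname = 12, None
    for _ in range(qd):
        qname, offset = _read_name(data, offset)
        offset += 4                            # skip QTYPE + QCLASS
    answers = []
    for _ in range(an):
        _owner, offset = _read_name(data, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            answers.append((".".join(str(b) for b in rdata), ttl))
    return qname, answers


class StubResolver:
    """Hands every query to one server and caches positive answers by TTL."""

    def __init__(self, send, now=time.time):
        self.send = send          # callable(query bytes) -> response bytes
        self.now = now
        self.cache = {}           # name -> (expires_at, [ip, ...])
        self._txid = 0

    def resolve(self, name):
        entry = self.cache.get(name)
        if entry and entry[0] > self.now():
            return entry[1]                    # served from cache
        self._txid = (self._txid + 1) & 0xFFFF
        raw = self.send(build_query(name, self._txid))
        _qname, answers = parse_response(raw, self._txid)
        ips = [ip for ip, _ in answers]
        if answers:
            self.cache[name] = (self.now() + min(ttl for _, ttl in answers), ips)
        return ips


def fake_server(query):
    """Constructed stand-in for a DNS server: echoes the question and answers
    with one A record (192.0.2.10, TTL 300) using a pointer to offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
              + bytes([192, 0, 2, 10]))
    return header + query[12:] + answer


if __name__ == "__main__":
    resolver = StubResolver(fake_server)
    print(resolver.resolve("www.example.com"))   # first call goes to the server
    print(resolver.resolve("www.example.com"))   # second call is answered from cache
```

Checking the transaction id and RCODE before trusting a reply is the minimum a resolver should do; a production stub would also randomise the id and source port rather than counting upward.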
How do you view replication properties for AD partitions and DCs?
By using Replication Monitor: go to Start > Run > type replmon.
What is the Global Catalog?
The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers.
Why not make all DCs in a large forest as GCs?
There can be replication traffic issues. Also, in a single-domain forest there is no reason for multiple GCs; in a multiple-domain forest, a single GC and an Infrastructure Master (on separate servers) for each domain will do.
What are the Support Tools? Why do I need them?
You need them because you cannot properly manage an Active Directory network without them.
Here they are; it would do you well to familiarize yourself with all of them.
LDP is a tool in the Windows Server 2003 Support Tools, useful for migrating a database from OpenLDAP to the Microsoft platform.
What is REPLMON?
Replmon is the first tool you should use when troubleshooting Active Directory replication issues. As it is a graphical tool, replication issues are easy to see and somewhat easier to diagnose than using its command line counterparts. The purpose of this document is to guide you in how to use it, list some common replication errors and show some examples of when replication issues can stop other network installation actions.
References: Google, http://technet.microsoft.com, WikiAnswers.com and various other online and offline resources.
The Windows Server 2003 System Volume (SYSVOL) is a collection of folders and reparse points in the file systems that exist on each domain controller in a domain. SYSVOL provides a standard location to store important elements of Group Policy objects (GPOs) and scripts so that the File Replication service (FRS) can distribute them to other domain controllers within that domain.
You can go to the SYSVOL folder by typing: %systemroot%/sysvol
Name the AD NCs and replication issues for each NC
Schema NC, Configuration NC, Domain NC
Schema NC: This NC is replicated to every other domain controller in the forest. It contains information about the Active Directory schema, which in turn defines the different object classes and attributes within Active Directory.
Configuration NC: Also replicated to every other DC in the forest, this NC contains forest-wide configuration information pertaining to the physical layout of Active Directory, as well as information about display specifiers and forest-wide Active Directory quotas.
Domain NC: This NC is replicated to every other DC within a single Active Directory domain. This is the NC that contains the most commonly accessed Active Directory data: the actual users, groups, computers, and other objects that reside within a particular Active Directory domain.
What are application partitions? When do I use them?
An application directory partition is a directory partition that is replicated only to specific domain controllers. A domain controller that participates in the replication of a particular application directory partition hosts a replica of that partition. Only domain controllers running Windows Server 2003 can host a replica of an application directory partition.
Application directory partitions are usually created by the applications that will use them to store and replicate data. For testing and troubleshooting purposes, members of the Enterprise Admins group can manually create or manage application directory partitions using the Ntdsutil command-line tool.
One of the benefits of an application directory partition is that, for redundancy, availability, or fault tolerance, the data in it can be replicated to different domain controllers in a forest.
How do you create a new application partition?
When you create an application directory partition, you are creating the first instance of this partition. You can create an application directory partition by using the create nc option in the domain management menu of Ntdsutil. When creating an application directory partition using LDP or ADSI, provide a description in the description attribute of the domain DNS object that indicates the specific application that will use the partition. For example, if the application directory partition will be used to store data for a Microsoft accounting program, the description could be Microsoft accounting application. Ntdsutil does not facilitate the creation of a description.
To create or delete an application directory partition:
1. Open Command Prompt.
2. Type: ntdsutil
3. At the ntdsutil command prompt, type: domain management
4. At the domain management command prompt, do one of the following:
· To create an application directory partition, type: create ncApplicationDirectoryPartitionDomainCo...
References: Google, http://technet.microsoft.com, WikiAnswers.com and various other online and offline resources.
Active Directory is a network-based object store and service that locates and manages resources, and makes these resources available to authorized users and groups. An underlying principle of the Active Directory is that everything is considered an object—people, servers, workstations, printers, documents, and devices. Each object has certain attributes and its own security access control list (ACL).
What is LDAP?
LDAP is an Internet standard protocol used by applications to access information in a directory. It runs directly over TCP, and can be used to access a standalone LDAP directory service or to access a directory service that is back-ended by X.500.
Can you connect Active Directory to other 3rd-party Directory Services? Name a few options.
Yes. Microsoft Identity Integration Server (MIIS) is used to connect Active Directory to other 3rd-party Directory Services (including directories used by SAP, Domino, etc).
Where is the AD database held? What other folders are related to AD?
The AD database is saved in %systemroot%/ntds. You can see other files in this folder as well. These are the main files controlling the AD structure:
ntds.dit
edb.log
res1.log
res2.log
edb.chk
When a change is made to the Win2K database, triggering a write operation, Win2K records the transaction in the log file (edb.log). Once written to the log file, the change is then written to the AD database. System performance determines how fast the system writes the data to the AD database from the log file. Any time the system is shut down, all transactions are saved to the database.
During the installation of AD, Windows creates two files: res1.log and res2.log. The initial size of each is 10MB. These files are used to ensure that changes can be written to disk should the system run out of free disk space. The checkpoint file (edb.chk) records transactions committed to the AD database (ntds.dit). During shutdown, a "shutdown" statement is written to the edb.chk file. Then, during a reboot, AD determines that all transactions in the edb.log file have been committed to the AD database. If, for some reason, the edb.chk file doesn't exist on reboot or the shutdown statement isn't present, AD will use the edb.log file to update the AD database.
The last file in our list of files to know is the AD database itself, ntds.dit. By default, the file is located in the \NTDS folder, along with the other files.
References: Google, http://technet.microsoft.com, WikiAnswers.com and various other online and offline resources.
Alright, I know what might have caused this. But how do I fix it?
In IIS 6.0, it is possible to use sub-authentication to manage passwords for anonymous accounts; to do so, your configuration must meet the following requirements:
For applications for which you grant anonymous access, the worker process must run as LocalSystem.
The sub-authentication component, Iissuba.dll, must be registered.
The AnonymousPasswordSync metabase property must be enabled (set to true).
This is something I hope most of us will never want to do. Why? We all know, and I don't think I need to answer that, but still: because of the potential security risk. So what is the alternative? The alternative, or rather the preferred solution, is to manually synchronize the username/password of the anonymous user principal in IIS with that of the real user principal. So let's see how to get it fixed:
1. The first place to start troubleshooting this issue is the Security log in Event Viewer, and what we are looking for are logon failure events.
2. The failure event will tell us why authentication for the anonymous user principal (IUSR) is failing; it may list reasons such as:
Logon Failure: Reason: User not allowed to logon at this computer
Logon Failure: Reason: Account locked
Logon Failure: Reason: The user has not been granted the requested logon type at this machine
Logon Failure: Reason: Account logon time restriction violation
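As an added example (my own code, not from the post), here is a small Python triage script that reads a Security log export, keeps only the logon failures for the anonymous account (any user name beginning with IUSR_), and maps the reason text to the fix section that addresses it. The reason strings are the ones listed above; the mapping of "bad password" wording to the password-sync fix is my assumption, and the sample log text is constructed, not a real export.

```python
"""Triage IIS anonymous-account logon failures from a Security log export.
Added example; the sample events below are constructed."""
import re

# Substring of the failure reason -> fix section in the post that addresses it.
REASON_TO_FIX = [
    ("not allowed to logon at this computer", "User not allowed to logon at this computer"),
    ("account locked", "Account locked"),
    ("not been granted the requested logon type",
     "The user has not been granted the requested logon type at this machine"),
    ("logon time restriction", "Account logon time restriction violation"),
    ("password", "Bad username or Unknown password"),   # assumed reason wording
]


def parse_logon_failures(text):
    """Yield (user, reason) for each 'Logon Failure:' event in the export."""
    for event in re.split(r"(?=Logon Failure:)", text):
        if not event.startswith("Logon Failure:"):
            continue
        reason = re.search(r"Reason:\s*(.+)", event)
        user = re.search(r"User Name:\s*(\S+)", event)
        if reason and user:
            yield user.group(1), reason.group(1).strip()


def triage_anonymous_failures(text, anon_prefix="IUSR_"):
    """Return {user: (reason, fix_section)} for the anonymous account only.
    fix_section is None when the reason matches none of the known cases."""
    result = {}
    for user, reason in parse_logon_failures(text):
        if not user.upper().startswith(anon_prefix):
            continue
        fix = next((f for needle, f in REASON_TO_FIX if needle in reason.lower()), None)
        result[user] = (reason, fix)
    return result


# Constructed sample in the shape of Windows Server 2003 Security log text.
SAMPLE_LOG = """\
Logon Failure:
 Reason: Account locked out
 User Name: IUSR_WEB01
 Domain: WEB01
 Logon Type: 8
Logon Failure:
 Reason: Unknown user name or bad password
 User Name: jsmith
 Domain: CORP
 Logon Type: 3
Logon Failure:
 Reason: Account logon time restriction violation
 User Name: IUSR_WEB02
 Domain: WEB02
 Logon Type: 8
"""

if __name__ == "__main__":
    for user, (reason, fix) in triage_anonymous_failures(SAMPLE_LOG).items():
        print("%s: %s -> see 'Fixing: %s'" % (user, reason, fix or "(unknown reason)"))
```

Filtering on the IUSR_ prefix matters because a busy Security log mixes interactive failures from real users with the anonymous account's; only the latter explain a 401.1 on a site using anonymous authentication.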
3. Now that we know exactly what caused it, it is easy to fix:
Fixing: Bad username or unknown password
1. Find the locations/nodes where the anonymoususerpass value is listed:
a. Open a command prompt (click Start > Run > type: cmd).
b. Navigate to the C:\inetpub\adminscripts directory.
c. Enter the following command: cscript adsutil.vbs find anonymoususerpass
d. Press Enter. This returns a listing of all the nodes where anonymoususerpass appears in the metabase. Ideally it should display only the W3SVC node (it may also appear in the MSFTPSVC node if you are running FTP).
If it displays locations under W3SVC (i.e. W3SVC/1/root or similar), then these entries should be deleted.
Output example (non-ideal):
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
*Property anonymoususerpass found at:
W3SVC
W3SVC/1/ROOT
W3SVC/5/ROOT
2. Remove the additional anonymoususerpass values if listed. To delete additional entries use the following syntax:
cscript adsutil.vbs delete "node/location"/anonymoususerpass
For example, if the response is as shown above (*), the following commands are to be executed:
cscript adsutil.vbs delete W3SVC/1/root/anonymoususerpass
cscript adsutil.vbs delete W3SVC/5/root/anonymoususerpass
Output example:
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
deleted property "anonymoususerpass"
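As an added example (my own code, not from the post and not part of adsutil.vbs), the following Python snippet turns the "find" output into the list of stray nodes and the matching delete commands, so the per-site overrides are not missed when there are many sites. The sample output is constructed from the listing above and assumes one node per line; the rule that only W3SVC and MSFTPSVC should carry the value is the one stated in step 1.

```python
"""Find stray anonymoususerpass nodes in 'cscript adsutil.vbs find' output
and build the matching delete commands. Added example; sample output is
constructed from the listing above."""

# Service-level nodes where the value is expected; anything deeper is a
# per-site override that can drift out of sync with the real account password.
EXPECTED_NODES = {"W3SVC", "MSFTPSVC"}


def nodes_from_find_output(output):
    """Return the node paths listed after the 'found at:' marker."""
    nodes, after_marker = [], False
    for raw in output.splitlines():
        line = raw.strip().lstrip("*")
        if line.lower().endswith("found at:"):
            after_marker = True
            continue
        if after_marker and line:
            nodes.append(line)
    return nodes


def stray_nodes(output):
    """Nodes below the service level that still carry anonymoususerpass."""
    return [n for n in nodes_from_find_output(output) if n.upper() not in EXPECTED_NODES]


def delete_commands(output):
    """adsutil.vbs delete commands for each stray node, in listing order."""
    return ["cscript adsutil.vbs delete %s/anonymoususerpass" % n
            for n in stray_nodes(output)]


# Constructed sample, shaped like the non-ideal output shown above.
SAMPLE_FIND_OUTPUT = """\
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

*Property anonymoususerpass found at:
W3SVC
W3SVC/1/ROOT
W3SVC/5/ROOT
"""

if __name__ == "__main__":
    for command in delete_commands(SAMPLE_FIND_OUTPUT):
        print(command)
```

Run the printed commands from C:\inetpub\adminscripts, then repeat the find to confirm only the service-level node remains before moving on to the password sync in step 3.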
Once it is ensured that the password is set at only a single location, the next step is to sync the password with the one in the SAM database or the AD database.
3. Retrieve the password for the anonymous user principal (IUSR) stored in the IIS metabase:
a. In Notepad, open Adsutil.vbs located in c:\Inetpub\adminscripts.
b. On the Edit menu, click Find, type IsSecureProperty = True, and then click Find Next.
c. Change "IsSecureProperty = True" to "IsSecureProperty = False".
d. Save the changes to Adsutil.vbs, and then close Notepad.
e. Open a command prompt (click Start > Run > type: cmd).
f. Navigate to the C:\inetpub\adminscripts directory (type cd c:\Inetpub\adminscripts and press Enter).
g. Enter the following command: cscript adsutil.vbs get W3SVC/anonymoususerpass
Output example:
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
deleted property "anonymoususerpass"
4. Change the IUSR password to the one retrieved in the above steps using Active Directory Users and Computers or Computer Management.
Fixing: Account locked
This video demonstrates how to unlock a locked Windows user account and how to configure the lockout policies. Credit: Robert Walden. Copyright: Robert Walden.
Fixing: User not allowed to logon at this computer
Using the Active Directory Users and Computers Snap-in
Start the Active Directory Users and Computers snap-in. To do this, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
In the console tree, click the container that contains the user account that you want.
In the right pane, right-click the user account, and then click Properties.
Click the Account tab, and then click Log On to.
Provide the appropriate computer names.
Fixing: The user has not been granted the requested logon type at this machine
Verify permissions as per the following KB article from Microsoft.
The only caveat is that the article doesn't ask you to look at the following policies, and doesn't say that the user principal referred to should not be part of them:
Deny Logon as a Batch Job
Deny Logon Locally
Deny Access to this computer from Network
So please be careful and check these as well.
Fixing: Account logon time restriction violation
Method 1: Using the Active Directory Users and Computers Snap-in
Start the Active Directory Users and Computers snap-in. To do this, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
In the console tree, click the container that contains the user account that you want.
In the right pane, right-click the user account, and then click Properties.
Click the Account tab, and then click Logon Hours.
Click All to select all available times, and then click Logon Permitted.
Method 2: Using the Net User Command-line Statement
Click Start, and then click Run.
In the Open box, type cmd, and then click OK.
Type net user username /time:logon_times (where username is the name of the user account, and where logon_times are the days and times that you want to allow access to the domain), and then press ENTER.
Use the following information to help you use the /time switch:
Days can be spelled out (for example, Monday) or abbreviated (for example, M,T,W,Th,F,Sa,Su).
Hours can be in 12-hour notation (1PM or 1P.M.) or 24-hour notation (13:00).
A value of blank means that the user can never log on.
A value of all means that a user can always log on.
Use a hyphen (-) to mark a range of days or times. For example, to create a range from Monday through Friday, type either M-F or monday-friday. To create a range of time from 8:00 A.M. to 5:00 P.M., type 8:00am-5:00pm, 8am-5pm, or 8:00-17:00.
Separate the day and time items with commas (for example, monday,8am-5pm).
Separate day and time units with semicolons (for example, monday,8am-5pm;tuesday,8am-4pm;wednesday,8am-3pm).
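As an added example (my own code, not from the post and not Microsoft's net.exe), here is a Python parser for the /time value syntax described above. It expands a specification such as M-F,8am-5pm;Sa,9:00-13:00 into the permitted hours per weekday and can then check whether the timestamp from a "logon time restriction violation" event actually fell outside the allowed window, which is a quick way to confirm that the failure log and the account settings agree before changing anything. It follows the rules listed above; the treatment of an empty string as "never" and of a day range that wraps past Sunday (not supported) are my assumptions.

```python
"""Parse 'net user /time:' specifications and test a timestamp against them.
Added example; the syntax rules are those listed in the post."""
import re
from datetime import datetime

DAY_NAMES = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
DAY_ABBR = {"m": 0, "t": 1, "w": 2, "th": 3, "f": 4, "sa": 5, "su": 6}


def _day_index(token):
    """Monday = 0 ... Sunday = 6, from a full name or the abbreviations above."""
    t = token.strip().lower()
    if t in DAY_ABBR:
        return DAY_ABBR[t]
    if t in DAY_NAMES:
        return DAY_NAMES.index(t)
    raise ValueError("unknown day: %r" % token)


def _parse_hour(token):
    """Accept 1PM, 1P.M., 8am, 8:00am, 13:00 or 13 and return the hour 0-24."""
    t = token.strip().lower().replace(".", "")
    m = re.fullmatch(r"(\d{1,2})(?::(\d{2}))?\s*(am|pm)?", t)
    if not m:
        raise ValueError("bad time: %r" % token)
    hour, minute, ampm = int(m.group(1)), int(m.group(2) or 0), m.group(3)
    if minute != 0:
        raise ValueError("net user only accepts whole hours: %r" % token)
    if ampm:
        if not 1 <= hour <= 12:
            raise ValueError("bad 12-hour time: %r" % token)
        hour = hour % 12 + (12 if ampm == "pm" else 0)
    elif not 0 <= hour <= 24:
        raise ValueError("bad 24-hour time: %r" % token)
    return hour


def parse_time_spec(spec):
    """Return a 7-element list (Monday first) of sets of permitted hours 0-23."""
    allowed = [set() for _ in range(7)]
    s = spec.strip()
    if s.lower() == "all":
        for hours in allowed:
            hours.update(range(24))
        return allowed
    if s == "":                                 # blank means the user can never log on
        return allowed
    for unit in s.split(";"):                   # each unit: days,time-range
        unit = unit.strip()
        if not unit:
            continue
        days, hours = [], None
        for part in (p.strip() for p in unit.split(",")):
            if re.match(r"^\d", part):          # a time range starts with a digit
                start, end = part.split("-")
                hours = range(_parse_hour(start), _parse_hour(end))
            elif "-" in part:                   # a day range such as M-F
                first, last = (_day_index(d) for d in part.split("-"))
                days.extend(range(first, last + 1))   # assumes no wrap past Sunday
            else:
                days.append(_day_index(part))
        if hours is None:                       # days given without a time: whole day
            hours = range(24)
        for d in days:
            allowed[d].update(hours)
    return allowed


def logon_permitted(spec, when):
    """True if `when` (a datetime) falls inside the hours allowed by `spec`."""
    return when.hour in parse_time_spec(spec)[when.weekday()]


if __name__ == "__main__":
    spec = "M-F,8am-5pm;Sa,9:00-13:00"
    for stamp in (datetime(2024, 1, 1, 9), datetime(2024, 1, 6, 15)):
        print(stamp, "permitted" if logon_permitted(spec, stamp) else "outside logon hours")
```

A failure event whose timestamp is permitted by the parsed specification points at a different cause (for instance the account's hours being set on the wrong object, or the server's clock), so the check is worth a few seconds before editing the account.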
I feel that at some point every administrator who has managed IIS has encountered this error. It's not the first time someone is writing about this error, nor is the resolution unavailable; it's out there, but I feel the information is scattered across different places, so this post is an attempt to present it all in one place. Enough talking, let's begin working.
First and Foremost: What is Anonymous Authentication in IIS 6.0?
As per Microsoft “Anonymous authentication gives users access to the public areas of your Web or FTP site without prompting them for a user name or password. By default, the IUSR_computername account is used to allow anonymous access.”
A common misconception by users “If I enabled anonymous access in IIS, everything should work and I should never see Access Denied”
As David Wong has written “As for enabling anonymous authentication in IIS - this merely tells IIS to automatically log in with a pre-configured user identity to execute the request, regardless of authentication attempted. There is no special Windows account that magically passes access checks and has access to everything. In fact, the user identity used for anonymous access can be the target of allow/deny ACLs, just like any other Windows user, so it is still possible to see "Access Denied" when you have anonymous authentication enabled.”
So the most common cause of HTTP 401.1 with anonymous authentication is that the anonymous user credentials stored in the IIS metabase configuration file have a different password than the user principal's real credentials (i.e. a mismatched password). This happens because, by default, the sub-authentication component, Iissuba.dll, is not enabled in IIS 6.0. In earlier versions, Iissuba.dll allowed IIS to manage passwords on anonymous accounts, which created a potential security risk.
Besides the above, there are some other reasons that I am aware of:
The anonymous user principal in IIS doesn't have logon rights to the system.
The anonymous user principal in IIS is configured to be denied access to the system during specific hours.
The anonymous user principal in IIS is locked out.
Security Event Logs are full.
If you are looking for a solution to the above, please see my post Troubleshooting: "HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials" when website is configured to use Anonymous Authentication in IIS 6.0 with default IUSR account.