Thanks to the k9mail wiki on debugging connection issues and the fact that I already had the Android SDK installed, I was able to solve the 2 related errors I was getting. I would either get an “HTTP 404 not found” or an “HTTP 501 Not Implemented” depending on the settings I chose. With no additional settings other than suggested in the Wiki, I’d get a “501 not implemented”. If I tried to set a mailbox path, or a WebDAV path, I’d get the HTTP 404 Not Found.

In the debugging log, I saw that the system was calling “http://mail.$domain.exchange.ms/”$webDAVpath/Inbox – if I set it to a full URL, the full URL was getting appended. When I attempted to hit those same paths in a full browser, I’d always get an HTTP 404. So, digging in my history in Firefox, I found the following (cleaned) path:
http://mail.$domain.exchange.ms/exchange/$emailaddress/
In this case $emailaddress was my Exchange mail address with the “@” stripped out. Appending “Inbox” to the end of this path resulted in a valid load of my OWA inbox.

Plugging then: /exchange/$emailaddress/ into the WebDAV box in K9Mail, and my email immediately loaded up.

Now I have Android syncing my calendars and contacts, and k9mail is handling my massive inbox!

After four hours on the phone I was able to determine the two tapes that would be needed to recover the 79Gb database file and started reading in the specific saveset that was needed.  Two hours later I was able to start a restore, which failed.  2Gb of the restore file was missing.  After another two hours on the phone with support I was told “Let’s reposition the tape.  It could take a while, on newer technology I’ve seen it take an hour, on LTO1 and LTO2 drives I’ve seen it take 8 hours.”  You guessed it, I have LTO2 drives.  Fortunately I have a multitude of drives to reposition the tapes with so it won’t impact backups, unfortunately I have a time limit on the restore that’s fast approaching.

So what do you do when you backup your file systems?  Do you simply believe that the software you backup with validates your tapes or do you test them regularly?  Are you satisfied with seeing an email at the end of a backup routine stating “SUCCESS”?  Then answer is simply NO.  Your backups are only as good as your ability to restore from them. Keeping that in mind and all the different technologies and services available what do you choose?

For us the answer is simple.  We require low cost, reliable, offsite secure data storage as do most companies nowadays.  TAPE.  We’ve looked into collocated services and replicated SANs with virtual tape backup but the cost far exceeds it’s benefits.  Tape technology has been proven over and over for decades.  There is no cost effective replacement for a good old fashioned tape, even taking into consideration the troubles it can give you.  Our entire datacenter can be put onto 6 tapes costing $25 each.  4.8TB for $150.

Any good backup initiative should be followed up with an equally adequate restore plan.  So next time you recommend a backup solution plan a regular restore plan to test because there’s nothing worse than spending an entire week restoring one file.

On a Samba server joined to AD with winbind, this is easy to deal with because Samba’s winbind can treat the computer accounts just like user accounts, and assign them access to the unix filesystem with whatever backend has been configured. When a Samba server is joined with Likewise, however, the machine accounts are not visible, and the “username is invalid” message comes up.

Fortunately, Samba gives us a method to handle this, in form of the “username map” directive in /etc/samba/smb.conf.  There are two ways to use this, the first is with the username map file.
In smb.conf, to simply add:
[global ]
username map = /etc/samba/smbusers
then create a file named /etc/samba/smbusers and populate it with localuser=aduser pairs, like:
COMPUTER1$ = compacct
COMPUTER2$ = compacct
CITRIXFARM1$ = citrxact
and so on. Lastly, you’ll have to add the local accounts from the pairs above:
useradd -c "Account for AD Computers to use Samba" compacct -G users -u 998
useradd -c "Account for AD Citrix Servers to use Samba" citrxact -G users -u 999
Then, whenever one of the AD computers in the list attempts to access the Samba share, it’ll be mapped to the local account.

The problem with this is when you have a lot of servers, like a Citrix MetaFrame farm, or a Windows Server 2008 R2 Remote Desktop Services farm, that may be changing frequently, because managing that file could get hard. In this case there is the username map script directive, which is added to smb.conf as:
[global ]
username map script = /usr/lib/samba/auth/machine-acct-map.pl
Then download this script and save it in /usr/lib/samba/auth/ and make it executable (chmod +x /usr/lib/samba/auth/machine-acct-map.pl). Then run:
useradd -c "Account for AD Computers to use Samba" compacct -G users -u 998
Now, all computers which access the share will be remapped to the “compacct” user, and you won’t have to manage a file for every time the server farm changes.

Get the file here.

But there are are still a lot of tools only written for 32-bit systems.  That is to say, MMC consoles and VBScripts that just act… funny on 64-bit servers.  So, here’s some errors, and how to quickly fix them.

For VBScripts, you’ll often just get an error similar to:
scriptname.vbs(48, 1) Microsoft VBScript runtime error:
ActiveX component can't create object:
It doesn’t matter what the object is, and if you register the supporting DLL or reinstall the application that provides the function, it still won’t work. The fix? c:\windows\syswow64\cscript scriptname.vbs or c:\windows\syswow64\wscript scriptname.vbs, depending on if you want it run in a console (cscript) or popup windows (wscript). I personally write everything for cscript, cause I can redirect the output to a log file. This trick I found here, and reminded me to write this up with my next fix.

For MMC consoles, what often happens is you just don’t see the tab you’re looking for, or you can’t even find the console to add the snap-in to the MMC. No error messages, and nothing shows up that you’re looking for. Luckily, this is also an easy fix. Click the Start button, then “Run…” then type in “mmc /32″ or “mmc -32″ in the box and click “OK”. You’ll now be presented with an empty MMC, but you can now add the snap-ins you want, and the 32-bit programs (such as the “Additional Account Information” from acctinfo.dll from the Windows Resource Kit Tools) will have their tabs show up properly.

• AIX: iptrace: /usr/sbin/iptrace [ -a ] [ -b ][ -e ] [ -u ] [ -PProtocol_list ] [ -iInterface ] [ -pPort_list ] [ -sHost [ -b ] ] [ -dHost ] [ -L Log_size ] [ -B ] [ -T ] [ -S snap_length] LogFile
• FreeBSD: tcpdump (I think): tcpdump [ -adeflnNOpqRStuvxX ] [ -c count ] [ -C file_size ] [ -F file ] [ -i interface ] [ -m module ] [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ] [ -E algo:secret ] [ expression ]
• HP-UX: nettl: nettl requires a daemon start, and other setup: /usr/sbin/nettl -traceon kind… -entity subsystem… [-card dev_name...] [-file tracename] [-m bytes] [-size portsize] [-tracemax maxsize] [-n num_files] [-mem init_mem [max_mem]] [-bind cpu_id] [-timer timer_value]
• Linux 2.4 and higher:
  • tcpdump (some distros): tcpdump [ -AdDefKlLnNOpqRStuUvxX ] [ -c count ] [ -C file_size ] [ -G rotate_seconds ] [ -F file ] [ -i interface ] [ -m module ] [ -M secret ] [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ] [ -W filecount ] [ -E spi@ipaddr algo:secret,... ] [ -y datalinktype ] [ -z postrotate-command ] [ -Z user ] [ expression ]
  • wireshark (some distros, used to be called “ethereal”): GUI-config, no command-line, use tethereal (now tshark) for that
  • tshark: tshark [ -a <capture autostop condition> ] … [ -b <capture ring buffer option>] … [ -B <capture buffer size (Win32 only)> ]  [ -c <capture packet count> ] [ -C <configuration profile> ] [ -d <layer type>==<selector>,<decode-as protocol> ] [ -D ] [ -e <field> ] [ -E <field print option> ] [ -f <capture filter> ] [ -F <file format> ] [ -h ] [ -i <capture interface>|- ] [ -l ] [ -L ] [ -n ] [ -N <name resolving flags> ] [ -o <preference setting> ] … [ -p ] [ -q ] [ -r <infile> ] [ -R <read (display) filter> ] [ -s <capture snaplen> ] [ -S ] [ -t ad|a|r|d|e ] [ -T pdml|psml|ps|text|fields ] [ -v ] [ -V ] [ -w <outfile>|- ] [ -x ] [ -X <eXtension option>] [ -y <capture link type> ] [ -z <statistics> ] [ <capture filter> ]
• Mac OSX: tcpdump (among others): tcpdump [ -adeflnNOpqRStuvxX ] [ -c count ] [ -C file_size ] [ -F file ] [ -i interface ] [ -m module ] [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ] [ -E algo:secret ] [ expression ]
• Solaris: snoop: snoop [ -aPDSvVNC ] [ -d device ] [ -s snaplen ] [ -c maxcount ] [ -i filename ] [ -o filename ] [ -n filename ] [ -t [ r | a | d ] ] [ -p first [ , last ] ] [ -x offset [ , length ] ] [ expression ]
• Windows 2000, XP, 2003, Vista, 2008 and beyond:
  • netmon (not installed by default): GUI config, filter creation info here
  • wireshark (available by download): GUI-config, no command-line

Any others anyone wants added (or corrected), just comment or email and I’ll update this.
(Edit 7/29/08 – change tcpdump link)
(Edit 10/13/08 – add tshark info, thanks Jefferson!, and wireshark on Windows)
(Edit 12/27/09 – update IBM iptrace man page link)

1. Guy Teverovsky (Microsoft MVP) has created the CoreConfigurator which gives a small GUI to many of the initial setup pieces of Server Core, so you don’t have to follow my detailed (cryptic) instructions.
2. Create Shadow Copies on your Server Core file server with
   vssadmin add shadowstorage /for=C: /on=D: /maxsize=900MB
vssadmin create shadow
at 7:00am /every:M,T,W,Th,F,S,Su "vssadmin create shadow /for=c:"

   MaxSize can be bytes (/maxsize=10240), KB, MB, GB, TB, PB, or EB (/MaxSize=1EB), assuming your disk is that big.

I haven’t used CoreConfigurator myself, but I did create my shadow copies again finally on our main server today. There’s a backup that’s amazingly great to have.

Edit on July 8, 2008:  I forgot the”/for=c:” in my paste back to here -I was configuring another Windows Server 2008 Server Core file server and couldn’t figure out why the scheduled task wasn’t creating shadow copies properly.  Sorry to anyone who used this note and had issues.

1. The guide mentions “Join the new server to the domain” as part of the DCPromo process. I like to separate this out as a way of verifying the join goes well, and that the server can get fully patched more easily. There is a 7 day limit to having 2 SBS 2003 servers live on the network at the same time, and it’s enforced by the old server shutting down after 1 hour uptime. However, this limit isn’t enforced untill after you run the second part of the SBS setup (the first part is the OS setup, the 2nd is the Windows mode “double-click to run” setup). This gives you time to patch and prepare the OS prior to that time limit starting.
2. Once the 2nd part of setup has been run, migrate your users immediately.
3. Migrating users includes moving their mapped drives to the new server. The Client Side Caching Tool from Microsoft will make this much easier. I normally do this change as follows:
   1. Create the share on the new server, if you’re not using the default SBS \Users share.
   2. Edit all user’s profiles to point to the new location. I’ll post a script for this later, but all of the ones I have at this time are protected by IP contracts, and therefore non-sharable. I believe there’s at least a stub for this at either Don Jones’ Scripting Answers or Microsoft’s Script Center.
   3. I have yet to see an SBS environment with no laptops. Therefore, you’ll want to move the Client Side Cache for the My Documents of your users.
      1. Copy csccmd.exe to your NetLogon share on your DC (c:\WINDOWS\SYSVOL\sysvol\domain.local\scripts by default)
      2. Find the current path, and new path (\\dc01\Users for current, and \\dc02\Users for new, below)
      3. Make the logon script be: “\\domain.local\netlogon\csccmd.exe /moveshare:\\dc01\Users \\dc02\Users”
      4. When all the laptop users have logged in and run this script, unlink the GPO but keep it around for documentation (knowing how documentation is in most Small Businesses I’ve visited). This will speed up logons for everyone.
4. Now you can finish the Exchange / SharePoint / ISA setup. This will require downtime, but is easy to do, if you’re following the document referenced above.
5. Finish up cleanup of Exchange prior to the 7 day timeout value. you’ll need to replicate all the Public Folders, OAB, and Free/Busy data as documented in the “Migrating to new Hardware” document.
6. Uninstall Exchange on the original server.
   1. Requires “Modify”ing the Small Business Server roll in “Add/Remove” programs. choose to uninstall Exchange.
   2. This cleans up a huge number of items in AD, and makes future migrations simple. Also cleans up potential problems down the road.
7. DCPromo the original DC, so it’s not a DC on the original network. Just run “dcpromo” and remove the server from being a DC.
8. Now you can shut down the old DC and have no issues.

However, if you follow my guide directly, you’ll run into a single issue: https://servername/oma (or Exchange ActiveSync) will fail with an error: Server Error in '/OMA' Application.
Collection was modified; enumeration operation may not execute. You will only see this error if you try to access the site directly from the new SBS2003 server. Remotely, you’ll just get a generic error.

This is caused by .NET Framework 2.0 being installed *prior* to Exchange 2003. If you join the domain with the DCPromo and do patching *after* the fact, this probably won’t come up, because .NET Framework 2.0 won’t install untill after Exchange 2003 is installed. If, however, Exchange 2003 is installed first, you’ll probably get this error.

Good news, it’s a simple fix:
c:
cd\windows\Microsoft.Net\Framework\v1.1.4322\
aspnet_regiis -sn W3SVC/1/ROOT/OMA/
iisreset /restart

It might take 2 minutes to initialize, but OMA and ActiveSync should now work flawlessly.  As is always implied, contact us somehow if you have issues!

FIrst, you have to install the server and set an IP address – my previous posts on IP changes on DCs all used netsh commands as well, so if you followed thouse, you should be somewhat prepared for Server Core. I already had a WIndows Server 2003 DC in the environment, so that will be my primary DNS server for the install, untill DCPromo edits the settings.
netsh interface ipv4 set address local static 10.1.1.6 255.255.255.0 10.1.1.1 10
netsh interface ipv4 set dns local static 10.1.1.5
netsh interface ipv4 set wins local static 10.1.1.5

Now networking is set up, we can rename the computer: netdom renamecomputer %computername% /NewName:dc02 and join the domain with netdom join dc02 /domain:foo.local /UserD:FOO\Administrator /reboot:5 /PasswordD:*. The “5″ after the reboot flag says to reboot 5 seconds after completion, and the “*” at the end says to prompt you for your password. I join the system to the domain manually first, because then I can WSUS patch it (if WSUS is in the network), or open up the firewall for any other patching software I have.

Once the server is back from reboot, activate, update the firewall to allow remote MMC connections (if you’re not doing that through GPO already), and install new roles.
slmgr.vbs -ato
netsh advfirewall firewall set rule group="Remote Administration" new enable=yes

The following roles are optional, depending on the service of the server. Mine has DNS and the File Server roles, but not DHCP. None of these are required to install AD Domain Services!
start /w ocsetup DNS-Server-Core-Role
start /w ocsetup DHCPServerCore
start /w ocsetup FRS-Infrastructure
start /w ocsetup DFSN-Server
start /w ocsetup DFSR-Infrastructure-ServerEdition

If this is the first Windows Server 2008 DC in your environment, you’ll need to take the Windows Server 2008 DVD to the DC with the Infrastructure Master role (required for /gpprep only) and run the following (E: assumed as DVD-ROM drive):
e:\sources\adprep\adprep.exe /forestprep
e:\sources\adprep\adprep.exe /domainprep
e:\sources\adprep\adprep.exe /domainprep /gpprep (Also run adprep /rodcPrep if you plan on building RODCs.)

Now you’re ready to do the DCPromo itself. Create an unattend.txt file. To add a DC to an existing domain, you can use:
[DCInstall]
AutoConfigDNS=Yes
ConfirmGc=Yes
DatabasePath=E:\Windows\NTDS
LogPath=c:\windows\NTDS
RebootOnSuccess=Yes
ReplicaDomainDNSName=foo.local
ReplicaOrNewDomain=Replica
ReplicationSourceDC=dc01.foo.local
SafeModeAdminPassword=passwordhere
SysVolPath=e:\windows\SysVol
UserDomain=foo.local
/Password:passwordhere

DCPromo will wipe out the passwords when it starts, or you can fill in “*” instead of the password, to be prompted. When it’s done, the server will reboot and be a new Global Catalog / DC in your domain. DCPromo will install neccessary binaries and configure the firewall for DC Services for you. It’s quite slick.

And as promised, here are the DCPromo Unattend Options for reference for creating your own unattend.txt.

I was having the problem on a Virtual system in VMWare ESX 3.5, so it was easy to disconnect a disk to get past the error, but downloading and installing the updated RC seemed like the better fix for the first DC in a new test lab.

What apparently is going on is if you have 2 hard drives that have never been partitioned or initialized, then the Setup.exe program gets confused. You can remove one of the disks temporarily, format them with another boot medium (BartPE, anyone?), or just not use Win2k8 RC0. According to the support note, the only fix for Vista is to format the drives.  I bet you can remove one of them and Vista will work, too, but haven’t tested.

Of note is a response for T. Colin Dodd regaring his short and sweet post regarding Red Hat Flaws according to Secunia. In short, Mr. Dodd (please correct me if the address is wrong), yes, Red Hat should be proud of what they’ve accomplished, but…

Well, that’s 2 pages of text that’s not yet finished.