Thursday, July 09, 2015

Replicating and then migrating Server 2003 ADAM instance to Server 2012R2 AD LDS

OK, so yes, we're one of those organisations that still have Windows Server 2003 floating around, at least it's all patched up...

One of the things we're using it for is an ADAM instance that supplies users/credentials for an Extranet service, though the servers involved are also domain controllers...

With 2003 on its way out (5 days away!), we've been working our way around our servers upgrading or migrating as appropriate.

So as for our srv2003 domain controllers, we simply added a srv2012R2 server and dcpromo'ed it, largely job done...

But then there's the ADAM instance. 
Tried a backup and restore into AD LDS, no dice.
Tried simply copying the DB files, no dice.
Tried programmatically recreating the structure/accounts in a fresh AD LDS instance, no dice (our application didn't like something about the schema...)

So I tried adding AD LDS as a replication partner to the existing ADAM instance, no dice!
What?  This is supposed to work!

Looking through the error logs I found that there was an encryption error, which led me to this article:

So I scheduled a time to install the hotfix and tried it out...

First up, the article says you don't need to reboot... But the hotfix asks you to reboot (now or later).
I elected not to reboot, which is what the article suggested.  No dice...

So I rebooted...

No dice...

Still the same error.

So I uninstalled the AD LDS instance and created a new one, just the same way (using the Wizard to set up a replicated instance).  And after waiting 10-15 minutes for the replication to complete (not because it's big, it just seems to do things on a sparse schedule), boom! It worked.

So, key takeaway: if you're getting the encryption error when syncing ADAM to AD LDS, don't just install the hotfix (and apply the reg key), but recreate the AD LDS instance as well.

Next steps for us:
  1. Switch the master over to be the AD LDS instance
  2. Add a second AD LDS instance for DR
  3. Remove the old ADAM instance.
I'll update this article if that proves interesting.

Tuesday, July 23, 2013

USB 2.0 Memory Stick Performance – An informal benchmarking

OK, so I’ve been getting more and more disappointed in the performance of the various USB sticks I have lying around.  I tend to use them for transferring photos, videos and ISOs to and from machines that aren’t able to communicate via a common network (and are too big to just push up to the likes of SkyDrive or Google Drive) or for OS installations (e.g. Win7, Win8 and recently Windows Server 2012 R2 Essentials Edition).

While read speeds are bearable, the write performance is just abysmal and I’m seriously contemplating investing in a fast USB 3.0 based stick of decent size (64Gig+).

But in the meantime I dropped Crystal Disk Mark 3.0.2 on my HP Pavilion dv6 (INTEL i7 2630QM 2GHz with 8Gig RAM, running Win7SP1 x64) and popped each stick into one of the USB 3.0 ports, to see just how bad the performance really is…

Here are the various sticks I tested:


From left to right:

  • A free Windows 7 branded 1gig
  • An EMTEC 8Gig I bought (cheap pack of three)
  • A free IBM branded 2Gig
  • A free Norton Security branded 8Gig (see it does pay to fill out those surveys!)
  • A free Microsoft Branded 16Gig
  • A cheap/generic “DT101 G2” 32Gig (cheapest 32Gig I could find at the time)
  • A SanDisk Cruzer 4Gig
  • A SanDisk Cruzer 8Gig (used to be on my key ring, so it’s a little worse-for-wear)
  • A Toshiba 4Gig
  • A Toshiba 8Gig

And the results are:

All figures are MB/s; the four Read columns come first, then the four Write columns ("4K QD32" is the 4K Random test at Queue Depth 32):

Device                     | Read Seq | Read 512K | Read 4K | Read 4K QD32 | Write Seq | Write 512K | Write 4K | Write 4K QD32
Toshiba MK7575GSX SATA     | 70.63    | 20.45     | 0.266   | 0.4          | 57.16     | 21.9       | 0.576    | 0.583
Blue Windows 7 1Gig        | 10.58    | 10.54     | 5.612   | 7.113        | 2.202     | 1.334      | 0.029    | 0.029
EMTEC 8Gig                 | 19.24    | 19.65     | 6.397   | 7.011        | 4.739     | 0.485      | 0.005    | 0.004
IBM 2Gig                   | 16.99    | 16.86     | 4.441   | 5.789        | 2.962     | 0.547      | 0.007    | 0.007
Norton Security 8Gig       | 29.56    | 29.28     | 7.838   | 10.46        | 11.34     | 3          | 0.06     | 0.061
Orange Microsoft 16Gig     | 19.68    | 18.54     | 5.121   | 7.02         | 4.079     | 1.182      | 0.013    | 0.014
Orange Microsoft 16Gig x64 | 19.68    | 19.52     | 5.158   | 7.012        | 4.074     | 1.184      | 0.013    | 0.014
Purple DT101 G2 32Gig      | 17.45    | 17.43     | 5.499   | 6.022        | 3.183     | 0.319      | 0.003    | 0.004
SanDisk Cruzer 4Gig        | 20       | 20.18     | 4.063   | 4.03         | 4.059     | 0.717      | 0.324    | 0.059
SanDisk Cruzer 8Gig        | 21.29    | 21.37     | 4.551   | 4.355        | 3.322     | 0.43       | 0.472    | 0.087
Toshiba 4Gig               | 25.02    | 24.91     | 7.722   | 8.706        | 11.97     | 1.839      | 0.017    | 0.018
Toshiba 8Gig               | 24.95    | 24.88     | 7.497   | 8.56         | 5.789     | 0.906      | 0.008    | 0.008

While the Toshiba sticks put in a good showing, the Norton Security branded stick comes out top or 2nd in nearly every test. Quite remarkable for a free memory stick.

Still, I think I’ll be on the hunt for something a bit more performant and bigger…

Friday, July 19, 2013

Windows 8 RT

[Here's another one I wrote, same time as the ASUS review]

OK, so thanks to our account manager at Microsoft, I've got an ASUS Vivo Tab RT for a week.  In reality, this means my girls get to play lots of Windows 8 games for a week.

So I thought I'd write about our experiences with this Windows 8 RT device.  I've pushed the hardware side into another article, and this one is just about Windows 8 RT.

I've got my laptop (HP Pavilion dv6, i7 quad, 8gig, Radeon HD6770, Bluray, 15.3" screen) dual booting Win7 x64 and Win8Pro x64. So I've played with Win8 a bit, though mainly I've been using it for its solid Hyper-V support to run SharePoint VMs. I've also got an iPad (gen 2, which I barely use), an iPod Touch gen 3 (which I use to watch movies in the spa) and an iPhone 4s (which I play games on, on the train, and read FaceBook and Twitter...)

This time round, though, it's a coffee-table device (like say an iPad or 'droid tablet) from Microsoft/ASUS and it's the first multi-user device I've come across in this form-factor.

This is great, my girls (nearly 10 and 11) already have Windows Live accounts (hooked into Family Safety) so they were able to log straight in and have their email and contacts ready from the get-go.

Unfortunately, this is where the quirks set in. As each one logged in, they were presented with their pre-loaded apps in the Metro UI and 23 app updates.  That's right, every user that logs in has to update the same apps, separately.  It continues: because the App Store is tied to their Windows Live account, even as an administrator you can't install apps for anyone except yourself (not that I've found, yet, anyway), and it doesn't even use a local cache of already downloaded apps to speed up the download/install when a second user installs the same app as another user.

This might not be a big deal on your average desktop PC with terabytes of disk, but this little tablet with a 32gig MMC "disk", which only has about 12gig free, is soon eaten up by apps and Windows updates (after a single weekend, we're down to 6gig free.)

Windows 8 supports Family Safety right out of the box, though I've yet to find a way to lock down my girls installing every free game they can find.  Though I haven't looked very hard, I'm assuming it's there somewhere.  And yes, this is something I use on the iPad, though of course it's managed entirely on the device, which also means my daughter's iPod Touch is separately managed, as is our Apple TV device... would be handy to centralise this, Apple!

My girls are loving it, primarily because they can play all the games they want.  They've both figured out the iPad very quickly, but only the older one (age 11) has gotten further than swiping and clicking on the Metro UI.  She's discovered the Gems and figured out where and when she needs to use them and easily flicks between the desktop (creating documents in Word) and Metro Apps.
And they've both managed to get Win8 to lock up, or get into some kind of loop (lock screen is active, you swipe or type to login and are presented with the background theme graphic, do a ctrl-alt-delete [thank you keyboard] and the only action that does anything is to lock the screen, so I had to do a hard power-off, with no way of knowing if the device was shutting down [no power lights] or starting up again...)

I've got a Windows Home Server v1 on the network, with our entire photo (150gig), music (200gig) and video (1.7TB) collections. Without adding any 3rd party apps, I found I had to map the shares (for each individual user), then add them (for each individual user) to the Photos, Music and Videos Libraries. Then wait and wait and wait and give up waiting for the Music and Video Metro apps to crawl the content. The Photo App didn't pick it up at all, which was strange. This of course is all happening on a per-user basis, so I hate to think how much local storage 2x indexes (Music/Videos) times three users is taking up. The Music app does a reasonable job of organising by artist/album/etc (aren't ID3 tags great?!) but the video (a mix of movies, recorded TV episodes and home movies) is just one big lump of alphabetically sorted files; I guess thumbnails will turn up at some point...

Admittedly, most of the DLNA based apps I've used (on iPod/iPhone/iPad and our Sony TV) suffer the same issue (lame sorting, no support for folders) though I have got a couple of UPNP apps that work well with folders.  Must be time video metadata was standardised, across container formats please! (we have MKV, WMV, MOV, Divx, AVI, MP4, M4V, and MPG off the top of my head)

Printing (or not as the case may be)
I have three printers at home, a new (late last year) Brother MFC-J4510DW, an old Lexmark E232 and a very old Brother MFC-210C.  All of these work with Win7 (32bit only for the 210C and all my Win7 machines are x64 now...) and there are Win8 drivers for both the newer Brother and the Lexmark.  None of these have drivers from MS or Brother/Lexmark for Win8RT...

Not sure if it's the ASUS Tab or WinRT, but the sound keeps dropping out and I need to reboot to get it back.

Also noticed that since you don't seem to be able to close Win8 Apps, they still take up resources in the background and with only 2gig and the potential for multiple users logged in at once, it disappears fast... And impacts on performance

Managed to play an MP4 (it crashed after a few seconds the first time, but then worked fine the 2nd time) and an AVI (DivX) OK, though the playback quality seemed worse than on my Win7 laptop (using Windows Media Player).  It also reported that I had "new apps that could play this file"... Turns out it was the pre-installed Music app... I guess "Video" and "Music" are the same apps with some different skin...

Screen brightness
Is all over the place.  While I've been typing this, the screen brightness has been fading between a low-power dullness, which is nearly too dark, and full brightness, which looks sharp and great.
And while full bright is great for the desktop and apps in general, it's still pretty dark for playing back video, though that might mean I really need to mess with the contrast...

Had some fun with a game today, first time I'd played it and the gyroscope seemed fairly quirky.

I've heard reports of people having trouble with 802.11n networks. At home my primary WiFi is only 802.11g and while the tablet didn't have any trouble with the WiFi connection (four or five bars, everywhere I went in the house), it did seem to lose connectivity with MS's online services fairly frequently.
In the office is a different matter, I thought we were running 802.11n, but looks like it's actually still 802.11g and the tablet keeps dropping off or reporting poor connectivity.

I know Flash is built in to IE10, but thanks to it being limited to a white-list of sites, my girls couldn't do their Mathletics homework.  I guess that will improve over time as MS add more sites to the white-list.

Review: ASUS Vivo Tab RT

[I wrote this a few months ago and have only just noticed that I hadn't published it]

OK, so our great account manager at Microsoft managed to arrange a loan of the ASUS Vivo Tab RT, my boss wasn't interested (he's still smarting from upgrading his personal laptop to Windows 8 Pro) but I was still quite keen to spend some quality time with A) Windows 8 RT and B) a tablet device.

This post is about the hardware that makes up the Tab RT, I've split my review of Win8RT off into a separate article.

First up, my work PC is a Dell OptiPlex 780 [Core 2 Duo, 4gig RAM, Radeon HD3400 and dual 20" LCD screens] and my personal laptop is an HP Pavilion dv6 [i7 quad, 8gig RAM, Radeon HD6770 and 15.4" LCD] and I also have an iPad v2 16Gig.  So this is what I'm comparing with.

First impressions
It's nice, the 10.1" wide screen is clear, crisp and quite usable inside, though suffers somewhat from reflections. I have large hands and being a wide 10.1" it fits quite nicely in my hand in portrait mode. It's thin and light, even with the keyboard attached (which is how I've predominantly used it.)

The keyboard is pretty good, has a nice feel without being too clicky, but it's really too small for me. My girls (aged nearly 10 and 11) love it and are quite happy typing away.

Battery life is good, though I found the multinational charging plug a little finicky and I had to pull it apart and put it back together a couple of times to get it to charge.  Plugging into a USB2 port on my wife's laptop was able to power the tablet, but wouldn't charge it at the same time.  It possibly would charge it when off/suspended.
Charge times seemed quite long, though I didn't specifically measure it, but having the extended battery in the keyboard is a must.  Discharge and charge are both smart, with discharge favouring the keyboard battery and charging favouring the tablet battery.

Sound is good, loud enough that when my daughters play games in the same room, we get them to turn the sound off :)

The cameras seem to do a reasonable job, but I've not tested them in a variety of situations.

The scratch pad is OK and I'm getting used to using it for gestures (it has support for a subset of what the touch screen can do), but its buttons are naff.  Because they are part of the touch surface, you have to make sure you're not touching any other part of the scratch pad to make them work, and when you click, the whole scratch pad depresses and clicks.

The orientation sensor is a little over-zealous, and tends to flip the screen at about 45 degrees, which can be a little early.

The volume buttons are well placed and don't depress very far, but I suspect they'll be the first thing to break, as they're quite tinny.

There are no lights on the tablet itself, so if the screen is blank, you can't tell if the device is on or not, which usually isn't a big deal (touch the screen, press the power button, type on the keypad to wake it up) but if you're having to force a power-off or restart, there are times it would be useful to know if the device is powered up or not.

For the most part it seems pretty good, the UI keeps up with everything I've tried to do and I've only seen it struggle with some games and anything to do with disk IO (the MMC "disk" maxes out at 10MB/s).  Windows updates are a pain and very slow.  I ran the Peacekeeper browser benchmark and it scored about 410 I think, which put it well down the pack, but ahead of the Surface RT.

The disk is also quite small, 32Gig originally, 4gig reserved for a recovery partition and about 16gig for Windows and a handful of ASUS's own apps, leaving you about 12gig tops, which may seem a lot, but after some Windows updates and a weekend of the girls installing games, we're down to 6gig already.  No wonder it's the 128gig Surface Pros that everyone wants.

SharePoint 2013 - Proxies, CRL Checks and the App Store...

OK, so I've been messing with SP2013 for a little while now.  Built a VM when it first came out, ignored all the errors and warnings and built a little RSS based workflow.

More recently I've been taking it more seriously and have been working with AutoSPInstaller to get a clean, consistent, working Dev install (single server + separate SQL2012SP1).

It's been a bit of a mission, not because of AutoSPInstaller, but primarily because our environment sits behind an authenticating proxy.  Which means I get a lot of CRL check failures.  "No worries" you say, "AutoSPInstaller has a disable CRL check setting!" which is true; unfortunately it doesn't cover all the CRL checks (which might not even be possible).

I found that if I disabled the CRL checks (using AutoSPInstaller) then my Distributed Cache service would be highly unstable and basically repeatedly crash as it started up.

So in comes plan B: set up a non-authenticating proxy, courtesy of Fiddler. We have a handful of VMs that are able to connect to a non-authenticating proxy so that they can connect to the internet (yes, they all happen to be SP2010 machines...) so I just run Fiddler on one of those and set it to be my proxy on the SP2013 machine.

OK, so next is to figure out which accounts need proxy access... what fun, it seems that the SPFarm, SPServices and SPContent accounts all do CRL checks...  So I figure I'll write a little PowerShell to set the proxy for each service account... Long story short (account has to be running, IE has to have created its reg settings...) it didn't work.  Not entirely sure why, so I just abandoned the script and now I manually launch IE as each user, set the proxy and close IE.

Bingo, all my CRL check errors are gone!

Until I try to install Apps from

Turns out, the Apps part of SP2013 uses the local IUSR account to do the CRL check (go figure). So how am I going to set the default proxy for that account?

Turns out:
netsh winhttp set proxy ";*"
is enough.

Note: is the domain I'm using to host my SP apps, you should set yours to match whatever you've configured up in Central Admin for your App URL.
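Since the WinHTTP proxy is what the machine-level (IUSR) CRL check goes through, it helps to confirm that the CRL distribution points in a certificate are actually fetchable via that proxy before blaming the app. The PowerShell below is an added example, not code from the original post; the endpoint name and the proxy address are assumptions, so substitute your own.

```powershell
# Added example: pull the CRL Distribution Points out of a remote endpoint's
# certificate and try to download each one through the given proxy, the way a
# WinHTTP client would. Target and Proxy are assumptions, not values from the post.
param(
    [string]$Target = 'login.microsoftonline.com',  # assumption: any HTTPS endpoint whose CRL you care about
    [string]$Proxy  = 'http://fiddler-host:8888'    # assumption: the Fiddler (non-authenticating) proxy
)

# Fetch the server certificate; validation is skipped because we only need the CDP extension.
function Get-RemoteCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}

# The CRL Distribution Points extension is OID 2.5.29.31; Format() gives readable text with URL= entries.
function Get-CrlUrls {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    $text = $ext.Format($true)
    return [regex]::Matches($text, 'http://[^\s,]+') | ForEach-Object { $_.Value } | Select-Object -Unique
}

# Download each CRL through the proxy; a 407 here is the authenticating-proxy symptom from the post.
function Test-CrlReachability {
    param([string[]]$Urls, [string]$ProxyUrl)
    $client = New-Object System.Net.WebClient
    $client.Proxy = New-Object System.Net.WebProxy($ProxyUrl)
    foreach ($u in $Urls) {
        try {
            $bytes = $client.DownloadData($u)
            [pscustomobject]@{ Url = $u; Ok = $true;  Bytes = $bytes.Length; Error = $null }
        } catch {
            [pscustomobject]@{ Url = $u; Ok = $false; Bytes = 0;             Error = $_.Exception.Message }
        }
    }
}

$cert = Get-RemoteCertificate -HostName $Target
$urls = Get-CrlUrls -Cert $cert
if ($urls.Count -eq 0) { Write-Warning "No CRL distribution points found on the $Target certificate"; return }
Test-CrlReachability -Urls $urls -ProxyUrl $Proxy | Format-Table -AutoSize
```

Run it once with the Fiddler proxy and once with the corporate authenticating proxy to see the difference the service accounts are hitting.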

Production will be similar, though I should be able to set the proxy to be the proper non-authenticating proxy, rather than my Fiddler proxy.

Isn't it time MS realised that many organisations run authenticating proxies and that products need to provide better support for this scenario? (Ever tried running the Twitter PowerView demo?)

Oh well, I'm a happy camper now, I have a working SP2013 environment, with Apps! (Still working on some other errors though....)

Tuesday, April 09, 2013

SharePoint and SSRS (integrated mode) gotcha

Hey People,

hit a doozie recently.  Set up SharePoint 2007 with SSRS 2008R2 (using the SSRS 2008 add-in) in Integrated mode, on the same server (accessing SQL 2008R2 DB and SSAS 2008R2 on another server).

Got all the Kerberos sorted (a mission as usual) and then found that somewhere between SharePoint and SSRS the users' credentials were being cached, so that every user appears in SSRS as the first user to login (until the session times out).

Turns out, there's a little flag in the rsreportserver.config file:


By default it's set to true and the documentation says to set it to false when you've got a proxy sitting between your user and the SSRS server. Actually, it gets worse than that. The rsreportserver.config file has EnableAuthPersistence with an E, however the documentation refers to EnableAuthPersistance with an A. (I've logged a community addition to the page to get this rectified)

So, while SharePoint technically isn't a proxy and the Kerberos should be taking care of the user context, turns out, you need to set EnableAuthPersistence to false and have every connection to the SSRS server authenticated, as SharePoint re-uses its connections to SSRS and doesn't seem to force new credentials.  The down side: every request is now done twice, once anonymously and then again with the correct user credentials.
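As an added example (not from the original post), here is a PowerShell script that reports the current EnableAuthPersistence value in rsreportserver.config and, with -Disable, backs the file up and flips it to false; the config path is an assumption for a SQL 2008 R2 default instance, so point it at your own report server.

```powershell
# Added example: inspect and optionally change EnableAuthPersistence in
# rsreportserver.config. The default path is an assumption; adjust it for your instance.
param(
    [string]$ConfigPath = 'C:\Program Files\Microsoft SQL Server\MSRS10_50.MSSQLSERVER\Reporting Services\ReportServer\rsreportserver.config',
    [switch]$Disable     # set the flag to false for the SharePoint-integrated scenario described above
)

function Get-AuthPersistence {
    param([string]$Path)
    [xml]$cfg = Get-Content -Path $Path -Raw
    # Spelling matters: the file uses EnableAuthPersistence (with an E), not ...Persistance.
    $node = $cfg.SelectSingleNode('//EnableAuthPersistence')
    if (-not $node) { throw "EnableAuthPersistence element not found in $Path (check the spelling)" }
    [pscustomobject]@{
        Path    = $Path
        Enabled = ($node.InnerText.Trim() -eq 'true')
        Node    = $node
        Xml     = $cfg
    }
}

function Set-AuthPersistence {
    param([string]$Path, [bool]$Enabled)
    $state   = Get-AuthPersistence -Path $Path
    $desired = if ($Enabled) { 'true' } else { 'false' }
    if ($state.Enabled -eq $Enabled) { return "EnableAuthPersistence already $desired" }
    # Keep a timestamped backup before editing a production config file.
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Copy-Item -Path $Path -Destination "$Path.$stamp.bak" -Force
    $state.Node.InnerText = $desired
    $state.Xml.Save($Path)
    return "EnableAuthPersistence changed to $desired (backup: $Path.$stamp.bak)"
}

$before = Get-AuthPersistence -Path $ConfigPath
Write-Host ("EnableAuthPersistence is currently {0}" -f $(if ($before.Enabled) { 'true' } else { 'false' }))

if ($Disable) {
    # Trade-off from the post: with persistence off, every request is made twice
    # (an anonymous 401 challenge, then the real user's credentials), but SharePoint's
    # re-used connections can no longer carry the first user's identity to later users.
    Write-Host (Set-AuthPersistence -Path $ConfigPath -Enabled:$false)
    Write-Host "Restart the SQL Server Reporting Services service so the file is re-read."
}
```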

Thanks to Ning at Microsoft Premier Support for figuring this out for me and I look forward to hearing if this is a bug in SP, SSRS or Kerberos or "by design" :)

Oh, better check my SP2010 instances to see if they suffer the same issue.


Update: Ning wasn't really able to expand on the "why", other than to say:
"If we set “EnableAuthPersistence” to False, it means the reporting service will not cache the previous authentication result. So we can see 401 challenge happens in new http log, it is required by each new authentication, which is an expected behavior. Our user account should be delegated by service accounts rather than server, so even though we have SSRS and SP installed in the same server, the authentication will go through all identities of the services in server."

Monday, January 07, 2013

The Trains, The Trains!

Oh dear, not even two weeks into 2013 and I'm having a second rant already... doesn't bode well...

OK, so today was my first day back at work, admittedly somewhat electively (wanted to get some things done during the day that would normally need out-of-hours outages. And I want to get along to the girls school camps later in the year.) and I knew the trains were going to be fun...

In case you hadn't heard, many of the Auckland stations are currently being upgraded (putting up awnings/roofs that actually might be waterproof... somewhat essential in Auckland) and they're also in the middle of finally electrifying the Auckland rail network (is it just me, or is it about time they linked all the electrified bits of the main trunk line?), so there's construction all over the place and busses replacing trains between Newmarket and Britomart.

So I get to my station early (Greenlane), just in time to watch a train pull out, doh! But another one arrives in about 5 minutes, ahead of what I was expecting (I thought it was supposed to be a Sunday timetable still), so I was stoked at the prospect of getting into work early.

The train pulls up at Newmarket and everyone's off, most looking to find the busses into Britomart. Of course, getting out of Britomart requires swiping your AT (travel) card at the barriers, so you've only been charged for the trip to Newmarket, but then, they're inconveniencing us with busses, so that's fair. We sardine onto the bus, with most people left behind for the next bus. There's no ticket inspection, though I did proffer my AT card.

OK, so far so good, I'm easily on time and we're moving.
Then we hit Khyber Pass Road, and stop, and move forward a bus length, then stop. 35 minutes later!, we get to the Grafton Station (on the road past the hospital), where a) the bus driver asks if anyone wants to get off (no-one does) and b) we see two empty busses waiting to take people from the Grafton Station to Britomart. Turns out there's roadworks all over Khyber Pass and basically no-one is using Grafton Station (I guess most of its customers would be from the Hospital and perhaps Uni), so that was a good choice of route, given that Uni is off for summer and I'd like to think it's relatively quiet at the moment.

Finally we get to Britomart, the bus dropping us off next to where we should catch it back home again, all-in-all a 45 minute trip and I'm late for work. BTW the train would take about 5 minutes...

OK, so then, later in the day, it's home time. I head off to catch the bus/train home, from the same place I'd been dropped off at, in the morning.
There's a huge queue of people and three busses, turns out they're using a normal bus stop and most of the people there are waiting for the normal bus, because a quick query to one of the half-dozen Auckland Transport staff reveals that the front bus is heading to Britomart, so I jump on, flashing my AT card (it was more than enough in the morning, so I figured it was the protocol for going home too) and take a seat (yup, not quite sardines this time).

As we head off to Newmarket (again via Grafton, where again no-one gets on or off) a ticket conductor springs out of nowhere and starts working his way up from the back of the bus. Now you can't buy tickets on trains anymore (you have to have an AT card [which most people seem to have], or buy a paper printed ticket on the platform - or the manned booths at some of the bigger stations) and yet, this guy is wandering through the bus trying to get people to buy paper tickets, with cash. Every second person protests and tries to explain that all they have is an AT card (with either stored cash, or a monthly pre-pay), they're getting grumpy and so is he. Turns out, if you're using a cashed AT card, they expect you to go to Britomart, go down two escalators and swipe, but not go through, a gate, then come all the way back out of Britomart and off to the bus, where you say "yes sir, I have swiped my AT card at Britomart", otherwise you get a scowl and two attempts to extract cash before he moves along (monthly users only get asked for cash once).
The trip's not too long, about 15 minutes, which is probably about what it should be for this time of year.

Then it's into Britomart, past the dozen or so AT Transport staff, sitting around the square, mostly smoking, swipe through the gates and down to the platform, where two trains await (both covering my stop) with the first to leave in a couple of minutes, the second about 5 minutes later. I get on the former and take a seat. About five minutes later, we haven't left and there's an announcement that the crew hasn't arrived for the train.
So I jump off and climb onto the other train, the doors close a moment later, to an announcement that the other train has been cancelled due to "operational difficulties". I guess the crews in the square didn't make it back from smoke-o in time...

I get off at my stop and swipe off the platform and get home about 25 minutes later than if I'd only had to catch the train, not too bad all things considered.

So where's this going? After all that's a lot of drivel I've put you through so far!
Today was the first day back at work for a lot of people, but next Monday will be way worse as most offices in the CBD will be properly open, if not fully staffed, but the busses will still be replacing trains. So unless Auckland Transport get their act together, there's going to be a lot of annoyed commuters.

And it's not like Auckland Transport have a good rep, with frequent delays and multiple outages of the entire rail network (caused by system failures in Wellington apparently) and we won't even talk about what happened during the Rugby World Cup....

But what can they do?
Set expectations?
Set up swipe posts at the bus stops (or better yet, get them on the busses, you're going to have to do it anyway when the systems finally merge) or give your conductors mobile units, don't expect people to have to revert to a system you've just spent months telling people is gone.
Use your stats to tell you where people are likely to be going, so you don't run your busses via overly long tedious routes.
Don't expect people to pay more for a worse experience.
If you're still expecting a single swipe-on and off for a multiple hop/vehicle journey, then you've got to provide a way to get from one mode of transport to the next. And that's just not happening currently.

Oh well, back to work again tomorrow...