Lync 2010 Publish Topology Crash
Last week I installed Lync 2010 and made it all the way to the end where you are supposed to publish the topology. Unfortunately, I didn't think to install the databases to a new instance and overwrote my existing Live Communication Server databases. Needless to say, LCS didn't like that very much.
After spending a few minutes restoring the old databases and bringing LCS back up, I tried to add the new instance to my topology and publish. The moment I clicked publish, I received a "target invocation exception" error and the MMC crashed. Oops.
After reinstalling Lync several times - even creating a new one (thank you virtual machines!), I figured out that the Lync configuration couldn't possibly be stored on the server itself. Turns out it's stored in Active Directory:
Default naming context > DC=YourDomain > CN=System, CN=Microsoft, CN=RTC Service, CN=Topology Settings
Delete the string in there: CN=random GUID.
Voila, you can now publish your topology.
But wait! There's more. You will need to install the database again (even after publishing). Right click on your Site and go to topology > Install Database.
Hope that helps. There isn't a whole lot of documentation out there yet.
New VMWare Certifications! VCAP and VCDX4!
Earlier today I attended a brown bag session organized by Cody Bunch with Jon Hall, technical certification developer at VMWare to discuss the new VMWare certifications.
There are two new certifications (and a VCDX4 is on the horizon!) that have been inserted above VCP:
- VCAP4-DCA (Datacenter Administrator) - Planning and administration side of vSphere, more for the systems administrator. The exam opens July 12th and will be offered at VMWorld. The blueprint isn't available yet, and is marked as "coming soon." Unlike the VCP, this exam will be 100% lab. Because the exam is more lab based, initially there will not be an immediate pass/fail. Expect to shell out $400 for this exam.
- VCAP4-DCD (Datacenter Design) - Design methods/principles, more of an architect type of certification. Not a whole lot of discussion around this exam; it's still pretty far out (August). This exam will be multiple choice, but Jon Hall assured us that it would be more involved than the VCP. No word on the cost for this exam.
- VCDX4 (Design Expert) - VMWare has updated the certification website with a certification path (you can find it here) for the VCDX4. The Enterprise Exam is gone and you will be required to get both the DCA and DCD certifications. This means that for any VCDX4 hopeful, you will need to wait until at least August. Thankfully, Jon mentioned that there will be more opportunities for the design defense this year over last.
Exams will still be done by Pearson VUE.
Partners, there is no requirement at this time, but you may start being more involved in the VCDX design defense panels.
For more information, see VMWare's myLearn web portal.
I hope that answers a lot of your questions and piques your curiosity. I'll post a link to the brownbag recording when it becomes available.
Thank you Jon and Cody for putting on an informative brown bag and I look forward to more!
LDAPS Integrated SVN with Ubuntu 10.04 LTS
And now for something completely different!
I'm a firm believer in the right tool for the job, and when I was recently placed in charge of a couple of development efforts I wanted to make sure the right tools were in place to do my job effectively. The first tool that I needed was a revision control system so that we could keep track of changes. It used to be that CVS was the common choice, but from my quick and dirty research it looked like SVN had taken the top spot (later, as it turns out, there are some pretty heated debates about this... some people will tell you git or mercurial).
Since SVN was going to be the system of choice, I decided to put it together on a Linux based virtual machine - mainly because I'm a Windows systems administrator by trade and I like to keep all of my skills sharpened. Some may say it is foolish - especially with such an important system - to run it on a platform that is unfamiliar. The beauty of subversion is that it runs on more than one platform (Windows, even) and you can migrate easily if needed.
The biggest requirement I had was integrating SVN with LDAP(S). I wanted to be able to control access, but through Active Directory and not some sort of file on my SVN server. As it turns out, it wasn't too difficult to do - once I figured out how to do it. Here are the commands in a nutshell (all of these commands are to be run as a root user - sudo or just logged in as root doesn't matter):
Install subversion and apache2 with the SVN module:
apt-get install subversion
apt-get install apache2 libapache2-svn
Enable the LDAP authentication module for Apache:
a2enmod authnz_ldap
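Since I use self-signed certs and I'm too lazy to install my SSL chain, I have to turn off Apache's certificate checks (you may not want to do this: with verification off, Apache accepts any certificate presented on the LDAPS connection, so the server it sends passwords to is not authenticated). Add to the end of /etc/apache2/apache2.conf: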
LDAPVerifyServerCert Off
After troubleshooting, you need to set this in your /etc/ldap/ldap.conf file to avoid errors similar to "[warn] [client x.x.x.x] [636] auth_ldap authenticate: user foo authentication failed; URI /secret [ldap_search_ext_s() for user failed][Operations error]":
REFERRALS off
Now, you need to add it to your apache2 configuration so that you can access it via http. You will need to edit this to suit your own needs. I hope it's relatively self-explanatory, but I've added some comments (the lines starting with #). Add this after your last </Directory> statement:
    <Location /svn>
        DAV svn
        # Your SVN repository data
        SVNParentPath /data/svn
        SVNListParentPath on
        SVNAutoversioning On
        AuthType Basic
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative on
        AuthName "svn"
        AuthUserFile /dev/null
        # You want this pointed at your base DN. Also, some (even most) of you may not be
        # running LDAPS (SSL LDAP) - you may need to change this to ldap://, which sends
        # passwords to the directory unencrypted.
        AuthLDAPURL "ldaps://DOMAINCONTROLLER/DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)"
        # Any user will do, since by default Windows allows any user to query Active
        # Directory for auth. I suggest making a separate user for just this.
        AuthLDAPBindDN "DOMAIN\User"
        AuthLDAPBindPassword Password
        AuthLDAPGroupAttributeIsDN on
        AuthLDAPGroupAttribute member
        # This is optional, but allows you to limit SVN access to a specific group.
        Require ldap-group cn=svn,ou=securitygroups,ou=IT,dc=domain,dc=com
    </Location>
Once you're done, it's time to create your first repository:
mkdir -p /data/svn
svnadmin create /data/svn/firstrepository
Now you need to change the owner to www-data so apache2 can read/write it:
chown -R www-data /data/svn
chgrp -R www-data /data/svn
chmod -R g+rws /data/svn
And voila! You should be able to go to http://yourIPorHostname/svn and view your first repository!
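A hardened variant of the configuration above, as an added example that is not from the original post: it trusts the domain's CA instead of setting LDAPVerifyServerCert Off, and refuses plain-HTTP requests so Basic auth credentials are not sent in clear text. The CA file path, the host name dc01.domain.com, the svn-bind account and the use of an SSL-enabled virtual host are assumptions.

```apache
# --- /etc/apache2/apache2.conf (server-wide, outside any <Location>) ---
# Instead of "LDAPVerifyServerCert Off": trust the CA that issued the domain
# controller's certificate and keep verification on.
# /etc/ssl/certs/domain-ca.pem is an assumed path to that CA, exported as PEM.
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/domain-ca.pem
LDAPVerifyServerCert On

# --- inside the SSL-enabled virtual host (assumes mod_ssl is enabled) ---
<Location /svn>
    DAV svn
    SVNParentPath /data/svn
    SVNListParentPath on

    # Basic auth sends the Active Directory password with every request,
    # so reject any request that did not arrive over SSL/TLS.
    SSLRequireSSL

    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    AuthName "svn"

    # With verification on, the host name here must match the name in the
    # domain controller's certificate (dc01.domain.com is an assumed name).
    AuthLDAPURL "ldaps://dc01.domain.com/DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)"

    # Dedicated low-privilege bind account (svn-bind is an assumed name).
    # The password is stored in clear text, so keep the file that holds it
    # readable by root only.
    AuthLDAPBindDN "DOMAIN\svn-bind"
    AuthLDAPBindPassword Password

    AuthLDAPGroupAttributeIsDN on
    AuthLDAPGroupAttribute member
    Require ldap-group cn=svn,ou=securitygroups,ou=IT,dc=domain,dc=com
</Location>
```

With this in place the repository is reached at https://yourIPorHostname/svn rather than over http.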
PowerCLI – Windows VM Partition Alignment
In an effort to keep my blog from becoming a wasteland, I bring you a modified version of a script I found here that enumerates virtual machines and then does a WMI call against each one to determine if the partition is aligned.
The original version only does it for one value (65536) - this one does it for both 65536 and 32768.
    # One result row per partition found
    $myCol = @()
    # Only powered-on Windows guests can answer the WMI query
    $vms = get-vm | where {$_.PowerState -eq "PoweredOn" -and `
        $_.Guest.OSFullName -match "Microsoft Windows*" } | Sort Name
    foreach($vm in $vms){
        # The VM name is used as the computer name for the WMI call
        $wmi = get-wmiobject -class "Win32_DiskPartition" `
            -namespace "root\CIMV2" -ComputerName $vm.Name
        foreach ($objItem in $wmi){
            $Details = "" | Select-Object VMName, Partition, Status
            if ($objItem.StartingOffset -eq "65536"){
                $Details.VMName = $objItem.SystemName
                $Details.Partition = $objItem.Name
                $Details.Status = "Partition aligned"
            }
            elseif ($objItem.StartingOffset -eq "32768"){
                $Details.VMName = $objItem.SystemName
                $Details.Partition = $objItem.Name
                $Details.Status = "Partition aligned"
            }
            else{
                $Details.VMName = $objItem.SystemName
                $Details.Partition = $objItem.Name
                $Details.Status = "Partition NOT aligned"
            }
            $myCol += $Details
        }
    }
    # Write the results for all VMs to a CSV report
    $myCol | Export-Csv -NoTypeInformation "C:\Temp\PartitionAlignment.csv"
There are several things you will need to know about this script prior to running it:
- This requires PowerCLI (from vmware.com).
- Because this script uses WMI, it will use the credentials of the user you are logged in as. You can use something like this if you need to specify credentials.
- If you want to add additional offsets, simply copy the elseif statement and paste it below the } for 32768.
Hope it helps!
iPhone users can’t hide from netflow!
I couldn't resist blogging about this one.
Last Friday I wrote a blog post about how netflow was making my users happy. This week I'm going to talk about how netflow is still making my users happy - except for one.
After a few days of watching CPU usage on my routers, I added a second site to my netflow collector and started investigating.
The first thing I noticed was more users backing up to the wrong location (we're now performing an audit). The second thing I noticed was someone transferring a lot of data from Akamai - and I started looking into what it was.
The IP in question didn't have a DNS entry, so I got curious. I used nmap to find out more information and lo and behold:
Running: Apple iPhone OS 3.X
OS details: Apple iPhone mobile phone (iPhone OS 3.0 - 3.0.1)
An iPhone?!
After realizing it was an iPhone, and not even a user's computer - I decided to take action against the offending device. After all, we're having bandwidth issues! Because we're using DHCP, I took a look at our DHCP leases to find out the MAC address of the iPhone:
Now that I had the MAC address, I could send it to the /dev/null blackhole. I logged into my wireless access point and went to work. I would outline the CLI commands, but I must confess to using the web interface. As you can tell from these instructions, it's much easier (on the surface) to do it that way. Also, as it turns out, Cisco WAPs don't play nice if you configure through both the GUI and CLI.
Essentially what I did was create a filter for the particular offending MAC address. If you are doing this yourself, be careful! By default it will set the Default Action to "Block All," meaning you will knock everyone off.
This is how I set it up:
Yeah, I know - I'm a terrible person - the poor user can't get on our ultra fast (not really) wireless network! Well, the way I see it is there isn't a single business use case where a user would need to transfer 120+ MB worth of data to their phone. That's what the cell phone carrier network is for! Let AT&T handle it says I!

