Thursday, November 26, 2009

Runas for Windows Explorer

We do a lot of our support for clients remotely. The offer remote assistance functionality in SBS is a real timesaver for us. Although, offering assistance based on username rather than computer would be a nice touch.

Today I was providing remote assistance to a desktop computer that was out of disk space. The user didn't have sufficient permissions to clean up the disk and I didn't want to work outside of the user's profile. So, I wanted to run Windows explorer a Administrator.

Here's the command line:
runas /user:domain\username "explorer /separate"

Saturday, November 7, 2009

Ballad of the Duplicate SPN

So, here's the scenario. We need to replace defective hardware with a new computer. We don't need to restore anything in particular, we're just going to put a new server in with the same name as an old one to save some reconfiguration issues.

Step 1: Dcpromo down the server
Step 2: rename Server1 to Oldserver so there is no conflict
Step 3: rename new server as Server1
Step 4: Join Server1 to domain

So far, so good. However, after joining the domain we get this error:
The security database on the server does not have a security account for this workstation trust relationship

Verify that the computer account is there and try several combinations of different rejoining and deleting the computer account. No resolve.

After a bunch of searching, it turns out that there is a property of a computer account that cannot be repeated in other computer accounts. The servicePrincipalName propery cannot have conflicting values with other computer accounts. Each computer account should have values that correspond only to its own computer name. However, sometime when you rename computers, not all entries in the attribute get updated.

You can view the entries for a single computer account by using ADSI Edit. However, that doesn't really help you find conflicts. Instead you can you this command to list the SPNs for all computer accounts and then look for duplicates associated with another computer.

Ldifde -f C:\spn.txt -t 3268 -d dc=domainname,dc=local -l serviceprincipalname
-r (serviceprincipalname=*) -p subtree

Looking in this text file we found that the computer account for Oldserver still had references to Server1. We didn't need Oldserver. So, we deleted the computer account for Oldserver and all was good. We could also have used ADSI Edit to change the entries.

Tuesday, November 3, 2009

Virtualization on Windows 7

Windows 7 has a nifty new feature called XP mode that uses Windows Virtual PC in the background. My first surprise is that I had to download the software for this from MS which was about 500GB. However, that was the least of my worries.



It turns out that Windows Virtual PC will only run with hardware assisted virtualization. On AMD processor systems this isn't an issue because almost all AMD processors have hardware assisted virtualization. Intel, on the other hand, has been using hardware assisted virtualization as a differentiator between upper and lower end chips for the last several years. Basically trying to get a premium out of it. Many computers with Intel processors do not have hardware assisted virtualization. Unfortunately, my laptop is one of these.



Fortunately, even though it is unsupported (like I'd be calling for support) Virtual PC does run on Windows 7. A blog documenting it is here: http://blogs.msdn.com/virtual_pc_guy/archive/2009/08/19/running-virtual-pc-2007-on-windows-7.aspx.



You can also get Virtual Server 2005 to install on Windows 7 if you really want to, but it is a pretty nasty process. Details are here: http://tfl09.blogspot.com/2009/08/windows-7-and-virtual-server.html.

UPDATE: Microsoft has released an update for XP Mode and Windows Virtual PC so that hardware visualization is not required. See http://support.microsoft.com/kb/977206