Monday, January 31, 2011

Microsoft Lync Server 2010 Enterprise Pool SQL Database Permissions

As with one of my previous posts that documents the file share permissions of a Microsoft Lync Server 2010 Enterprise Pool (http://terenceluk.blogspot.com/2011/01/microsoft-lync-server-2010-enterprise.html), I had some time over the weekend to document the SQL database permissions of a Lync Server 2010 Enterprise Pool.  Most administrators will probably never have to check the database permissions during entire life cycle of their Lync Server 2010 but I’m sure there will be a few out there that will find themselves having to verify the security permissions of these databases while troubleshooting services which are dependent on them.  This post serves to list out the security objects created and the permissions they have for each database.

Once you’ve successfully deployed a Lync Server 2010 Enterprise Pool with a SQL backend server, you’ll see the following databases and security logins created:

Databases (excludes Monitoring and Archiving databases)

  • cpsdyn

image

  • lis

image

  • rgsconfig

image

  • rgsdyn

image

  • rtc

image

  • rtcab

image

  • rtcab1

image

  • rtcdyn

image

  • xds

image

Logins

  • RTCComponentUniversalServices
  • RTCHSUniversalServices
  • RTCUniversalConfigReplicator
  • RTCUniveresalReadOnlyAdmins
  • RTCUniversalServerAdmins

image

The method I usually use to do a quick audit of databases is actually to execute the stored procedure: sp_helplogins which will allow me to quickly have a look at which account has what permissions.  With that being said, since there may be administrators reading this post who are not familiar with SQL, I will paste the screenshots for the properties of each login before I paste the table:

RTCComponentUniversalServices

image image

image image

--Skipping Securables and Status tabs--

RTCHUniversalServices

imageimage

image image

--Skipping Securables and Status tabs--

RTCUniversalConfigReplicator

image image

image image

--Skipping Securables and Status tabs--

RTCUniversalReadOnlyAdmins

image image

image image

--Skipping Securables and Status tabs--

RTCUniversalServerAdmins

image image

image image

As I mentioned earlier, the method I usually use to perform a quick audit of databases is actually to execute the stored procedure: sp_helplogins which will allow me to quickly have a look at which account has what permissions.  The following is what the tables look like when you execute the stored procedure:

image

The table of interest in the 2 above is the second one at the bottom where it will list out all the services and their respective role membership.  The following is the table copy and pasted into a table:

LoginName DBName UserName UserOrAlias
##MS_AgentSigningCertificate## master ##MS_AgentSigningCertificate## User
##MS_PolicyEventProcessingLogin## master ##MS_PolicyEventProcessingLogin## User
##MS_PolicyEventProcessingLogin## msdb ##MS_PolicyEventProcessingLogin## User
##MS_PolicyEventProcessingLogin## msdb PolicyAdministratorRole MemberOf
##MS_PolicyTsqlExecutionLogin## msdb ##MS_PolicyTsqlExecutionLogin## User
##MS_PolicyTsqlExecutionLogin## msdb PolicyAdministratorRole MemberOf
SOMEDOMAIN\RTCComponentUniversalServices cpsdyn SOMEDOMAIN\RTCComponentUniversalServices User
SOMEDOMAIN\RTCComponentUniversalServices cpsdyn ReadWriteRole MemberOf
SOMEDOMAIN\RTCComponentUniversalServices rgsconfig SOMEDOMAIN\RTCComponentUniversalServices User
SOMEDOMAIN\RTCComponentUniversalServices rgsconfig ReadWriteRole MemberOf
SOMEDOMAIN\RTCComponentUniversalServices rgsdyn SOMEDOMAIN\RTCComponentUniversalServices User
SOMEDOMAIN\RTCComponentUniversalServices rgsdyn ReadWriteRole MemberOf
SOMEDOMAIN\RTCComponentUniversalServices rtcab SOMEDOMAIN\RTCComponentUniversalServices User
SOMEDOMAIN\RTCComponentUniversalServices rtcab ServerRole MemberOf
SOMEDOMAIN\RTCComponentUniversalServices rtcab1 SOMEDOMAIN\RTCComponentUniversalServices User
SOMEDOMAIN\RTCComponentUniversalServices rtcab1 ServerRole MemberOf
SOMEDOMAIN\RTCHSUniversalServices rtc SOMEDOMAIN\RTCHSUniversalServices User
SOMEDOMAIN\RTCHSUniversalServices rtc ServerRole MemberOf
SOMEDOMAIN\RTCHSUniversalServices rtcdyn SOMEDOMAIN\RTCHSUniversalServices User
SOMEDOMAIN\RTCHSUniversalServices rtcdyn ServerRole MemberOf
SOMEDOMAIN\RTCUniversalConfigReplicator xds SOMEDOMAIN\RTCUniversalConfigReplicator User
SOMEDOMAIN\RTCUniversalConfigReplicator xds ReplicatorRole MemberOf
SOMEDOMAIN\RTCUniversalReadOnlyAdmins cpsdyn SOMEDOMAIN\RTCUniversalReadOnlyAdmins User
SOMEDOMAIN\RTCUniversalReadOnlyAdmins cpsdyn ReadOnlyRole MemberOf
SOMEDOMAIN\RTCUniversalReadOnlyAdmins rgsconfig SOMEDOMAIN\RTCUniversalReadOnlyAdmins User
SOMEDOMAIN\RTCUniversalReadOnlyAdmins rgsconfig ReadOnlyRole MemberOf
SOMEDOMAIN\RTCUniversalReadOnlyAdmins rgsdyn SOMEDOMAIN\RTCUniversalReadOnlyAdmins User
SOMEDOMAIN\RTCUniversalReadOnlyAdmins rgsdyn ReadOnlyRole MemberOf
SOMEDOMAIN\RTCUniversalReadOnlyAdmins rtc SOMEDOMAIN\RTCUniversalReadOnlyAdmins User
SOMEDOMAIN\RTCUniversalReadOnlyAdmins rtc ReadOnlyRole MemberOf
SOMEDOMAIN\RTCUniversalReadOnlyAdmins xds ConsumerRole MemberOf
SOMEDOMAIN\RTCUniversalReadOnlyAdmins xds SOMEDOMAIN\RTCUniversalReadOnlyAdmins User
SOMEDOMAIN\RTCUniversalServerAdmins cpsdyn SOMEDOMAIN\RTCUniversalServerAdmins User
SOMEDOMAIN\RTCUniversalServerAdmins cpsdyn ReadWriteRole MemberOf
SOMEDOMAIN\RTCUniversalServerAdmins lis AdminRole MemberOf
SOMEDOMAIN\RTCUniversalServerAdmins lis SOMEDOMAIN\RTCUniversalServerAdmins User
SOMEDOMAIN\RTCUniversalServerAdmins rgsconfig SOMEDOMAIN\RTCUniversalServerAdmins User
SOMEDOMAIN\RTCUniversalServerAdmins rgsconfig ReadWriteRole MemberOf
SOMEDOMAIN\RTCUniversalServerAdmins rgsdyn SOMEDOMAIN\RTCUniversalServerAdmins User
SOMEDOMAIN\RTCUniversalServerAdmins rgsdyn ReadWriteRole MemberOf
SOMEDOMAIN\RTCUniversalServerAdmins rtc AdminRole MemberOf
SOMEDOMAIN\RTCUniversalServerAdmins rtc SOMEDOMAIN\RTCUniversalServerAdmins User
SOMEDOMAIN\RTCUniversalServerAdmins rtcdyn AdminRole MemberOf
SOMEDOMAIN\RTCUniversalServerAdmins rtcdyn SOMEDOMAIN\RTCUniversalServerAdmins User
SOMEDOMAIN\RTCUniversalServerAdmins xds SOMEDOMAIN\RTCUniversalServerAdmins User
SOMEDOMAIN\RTCUniversalServerAdmins xds PublisherRole MemberOf
sa cpsdyn db_owner MemberOf
sa cpsdyn dbo User
sa lis db_owner MemberOf
sa lis dbo User
sa master db_owner MemberOf
sa master dbo User
sa model db_owner MemberOf
sa model dbo User
sa msdb db_owner MemberOf
sa msdb dbo User
sa rgsconfig db_owner MemberOf
sa rgsconfig dbo User
sa rgsdyn db_owner MemberOf
sa rgsdyn dbo User
sa rtc db_owner MemberOf
sa rtc dbo User
sa rtcab db_owner MemberOf
sa rtcab dbo User
sa rtcab1 db_owner MemberOf
sa rtcab1 dbo User
sa rtcdyn db_owner MemberOf
sa rtcdyn dbo User
sa tempdb db_owner MemberOf
sa tempdb dbo User
sa xds db_owner MemberOf
sa xds dbo User

If you’re not familiar with the table and the cells, try reconciling it with the following examples:

 image image

Notice how I right-clicked on the user RTCUniversalReadOnlyAdmins under the database cpsdyn (sorry the screen got cut off but take my word for it) and you see how only ReadOnlyRole was checked?

image image

Sorry about the cut off for the screenshot but the RTCUniversalServerAdmins account was selected under the database cpsdyn and notice how the role ReadWriteRole was listed in the permissions spreadsheet.  Note that ReadOnlyRole isn’t listed because ReadWriteRole includes that permissions.

Hope this helps anyone that may come across a problem where their Lync Server 2010 front-end pool’s database permissions has been tampered with or modified unintendedly and needs to reference default settings.

DistributedCOM Event ID: 10016 error logged on Windows Server 2008 R2 64-bit

I was recently made aware that Event ID: 10016 errors were logged on a server every time it was rebooted and was asked to have a look at it to see if I could quickly fix it.  Taking a look at the System logs on the server shows the following:

image

The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID

{24FF4FDC-1D9F-4195-8C79-0DA39248FF48}

and APPID

{B292921D-AF50-400C-9B75-0C57A7F29BA1}

to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

image

Since I’ve come across similar errors such as these in the past with SharePoint deployments, I began the troubleshooting by trying to figure out exactly which DCOM object this CLSID and APPID belonged to.  To do this, copy either of the identifiers (CLSID or APPID) because they reference the same object, open up the registry editor with (regedit), then do a search for the string:

image

image

Once the find completes, you’ll be at the location: Computer\HKEY_CLASSES_ROOT\Wow6432Node\CLSID\<identifier>

Notice how the left window pane has the CLSID and the right window pane has the APPID listed?  As the window shows, this is actually the DCOM object: Quarantine Private SHA Binding class

image

What’s special about this DCOM object is that you won’t find it listed when you open up Component Services from the Administrative Tools under the DCOM Config folder:

image

To find the DCOM object that maps to Quarantine Private SHA Binding class, you need to take the APPID unique identifier from the registry and map it to the APPID in Component ServicesDCOM Config folder.  As shown in the screenshot above, the DCOM object is actually named NAP Agent Service under Component Services:

image

Unfortunately, there isn’t much you can do if you open up the properties of the DCOM object as all the settings are grayed out:

image

After some research on this, the fix is to change the service’s startup property to Automatic instead of Manual.

image

image

So why does this happen?  While there are various reasons that can cause this, it’s usually because you have some other application that relies on this service and hence causes this error to be thrown when that application makes an attempt to launch this object (in our case, an application was trying to launch this object during startup).  For more information about this service, see the following link: http://technet.microsoft.com/en-us/network/bb545879.

Saturday, January 29, 2011

VMware Converter P2V / Cold Clone Process

The cold clone process when using the VMware Convert Cold Boot CD is pretty straight forward but in case anyone out there who haven’t tried using it before and would like to know what it looks like, this post serves to show the step-by-step instructions for using it to clone a physical server.

Before I start, I find that many people ask me why I prefer this cold clone process over a hot clone (live), the reasons are as follows:

  1. Changes to the server if it’s left turned on.
  2. Active Directory computer password changes.
  3. Database applications (Exchange, SQL, etc).
  4. Crash consistency.

I won’t go into the details but those are usually the key points I talk about when asked for justification.  Unless the server has static content that doesn’t get updated dynamically and/or a server that is not joined to AD, I usually recommend shutting it down and cloning it this way.

Preparation

Prior to actually cloning, you should prepare as much information about your physical servers as possible.  While the following list doesn’t cover all the items, it should give you an idea of what you need:

Inventory spreadsheet/documentation for the physical servers you’ll be virtualizing.  This should include the current configuration, performance data (if possible), and virtualized configuration.  The reason why you would need this information is because you may way to adjust settings such as number of CPUs or memory for the virtual machine as well as having to re-enter the IP once the p2v process has completed.

Prepare the VLANs required on your ESX/ESXi host.  The last thing you want to do during the middle of the night of a p2v window is to scramble and figure out which VLAN you need to put those virtual machines on after you’re cloned them from the physical server.  ESX/ESXi hosts are typically configured to use trunk ports for their NICs so plugging in a cable from your host to the port where your physical server used to be plugged in isn’t going to be an option.

Document and validate datastore for the virtual machine.  Along with the inventory spreadsheet containing information about your physical servers, you should spend some time to right-size the virtual machines’ disks and ensure that all of them are going to fit onto the datastores(s) you’ll be using.

Prepare your cold clone CDs and make sure they have the proper drivers if you’re cloning old servers (whether on a CD, USB or injected into the cold clone CD).  The cold clone CD doesn’t have drivers for all of the servers ever manufactured so there will be times where it won’t be able to read the physical server’s OS.

As I indicated earlier, this above is not a complete list so remember to add items to it during your planning and preparation phase.

Cold Clone Process

Once you’re ready to clone your physical server, insert the cold boot CD into the CD/DVD drive and boot from it.  The following screen doesn’t show the option for hitting F6 to install drivers but you’ll see it upon booting into the cold boot CD’s WInPE OS:

image

image

image

As the WinPE’s VMware vCenter Converter boots, you’ll see a small status window indicating what’s being processed in the background:

Installing hardware devices

Setting display resolution

Starting networking

Finishing WinPE

image

image

Accept the EULA as we always do:

image

Just before you actually get into the VMware vCenter Converter, you’ll be prompted for network settings.  This screen is important because unless you use DHCP for your servers, you’ll need to assign the WinPE OS you’re booting in with an IP address, subnet mask, default gateway (if your vCenter is not on the same subnet) and DNS settings (if you choose to use the DNS name to get to your vCenter):

image

You’ll find that it’s confusing at times when you have more than 1 NIC port (most servers do) so what I typically do is just configure the first network adapter available and swap out the cable at the back of the server if necessary:

image

You’ll also find that you get options in the Advanced tab as you normally would if you navigate to the NIC’s properties in Windows:

image

I’ve actually never used the Network Drives tab before but it looks interesting:

image

Once you’ve completed configuring the network settings, you’ll see the following window of the VMware vCenter Converter:

image

You’ll notice that there are quite a few tabs available so before I start showing the process, I’ll paste the screenshots of the options available under each tab:

image

image

image

image

image

image

Now that I’ve shown all the options available under each tab, we proceed with clicking File –> New –> Import.  This will start the vCenter Converter Import Wizard:

image

image

Proceed with clicking Next to allow vCenter Converter to detect the operating system of your physical host:

image

image

If you run into an error: Unable to determine Guest Operating System please see the following post: http://terenceluk.blogspot.com/2011/01/how-to-inject-storage-raid-controller.html

Once the operating system has been detected, you’ll see the following screen:

image

I typically don’t like to use the Import all disks and maintain size. option and prefer to use the Select volumes and resize to save or add space. option because you get more control over how the disks are virtualized.  The options available will allow you to right-size the drives as you’ve planned during the planning phase:

image

I also find it important and consider it as best practice to check the Create a separate disk for each volume. option so that separate VMDKs are created for each disk.  You’ll also sometimes find small partitions that are created by your server’s installation disks (usually recovery partitions) so uncheck those as you won’t need them once the virtual machine has been virtualized:

image

Once you’ve completed the configuration of the disks, continue on through the wizard:

image

Once you get to the following screen, choose the appropriate destination.  Since we’re going to clone this physical server to the a vCenter server, choose the vSphere Virtual Machine option as the destination type:

image

image

The following screen will now allow you to enter the vCenter server address and credentials.  I used to have problems back in the VI3 days where IPs didn’t appear to work but I have since tried both in vSphere and haven’t come across any problems so which one you use is up to you:

image

Once you’ve entered the credentials and click Next, the converter will reach out to your vCenter and validate the credentials:

image

If you’ve entered the incorrect credentials, you’ll see the following error message:

The system could not log you in. Please verify that the user name and password are correct, then try again. Passwords are case-sensitive.

image

Once the credentials have been validated, you’ll see the following screen where you can choose the virtual machine inventory location:

image

Proceeding to the next screen will give you the option of choosing which host, cluster or resource pool within a host or cluster you would like to place the virtual machine on:

image

The next screen will allow you to choose the specific host within the cluster you’ve chosen.  This is important if you have servers that rely on other high availability options such as Windows NLB or MSCS where you would not want the active or passive node running on the same host:

image

Once you’ve selected the host you’d like the virtual machine to be hosted on, you’ll get to choose the datastore for the virtual machine:

image

Once you click the Next button, the wizard will verify datastore’s capacity before proceeding:

image

The next screen will allow you to modify the NICs for the virtual machine.  The wizard will always default to the amount of NICs that your physical server has so if you have more than you need, now is the time to change it.  I also prefer to uncheck the Connect at powered on checkbox because I prefer to boot up the virtual machine after the p2v process has completed but it’s really just preference:

image

The next screen will give you the options:

  1. Install VMware Tools
  2. Customize the identity of the virtual machine
  3. Remove all System Restore checkpoints

I usually prefer to select option #1 and # but not #2 because if I needed to change the virtual machine’s properties, I prefer to do it after it’s been virtualized.

image

The last screen will provide you with a summary of the virtual machine and what you’ve selected during the configuration as well as provide you with the option: Power on the new virtual machine after creation.  While it’s not the default, I also select that option and this is why I prefer not to check the Connect at powered on checkbox:

image

Once you’ve completed the configuration through the import wizard, the task will start immediately as shown here:

image

How long the process will take always varies depending on how much data you need to virtualize and the network speed settings.  Always remember to check what your physical server as well as your vCenter server network is connected at as there’s a significant difference between 100Mbps and 1Gbps.

As the process continues, you can monitor the progress in the Task Progress tab at the bottom of the window:

image

Once you’ve completed the cloning process, remember to perform cleanup tasks to remove any old vendor hardware specific devices hidden away in device manager.  Also, newer versions of the converter typically fix the HAL for the process (Uniprocessor vs multiprocessor) but I always check the device manager to make sure it has been changed.  For an idea as to what these pre and post p2v tasks are, see one of my previous posts: http://terenceluk.blogspot.com/2011/01/post-cleanup-tasks-after-p2v-ing.html.