# Friday, January 10, 2014

At one of my customers, the deployment of some new test servers uncovered a nice chain of issues. Some Windows Server 2012 R2 machines were deployed, but the application they were intended for could not connect to some of the SQL Servers (on a cluster). However, when trying to reproduce the problem for the specific case opened for it, the application did work as expected. Then, after Windows updates were applied to the cluster, the case was reopened and now reproduction succeeded (as in, the application indeed failed to connect).

Troubleshooting at that stage narrowed it down to the fact that Windows 2012 R2 servers could not connect due to authentication issues, whereas Windows Server 2008 R2 machines with the same application had no issues. Must be Windows 2012 R2, or a policy setting that is different. It turned out to be the latter of the two, and it was concluded that setting the policy “Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers” to Deny all caused the behavior. Bottom line, Kerberos authentication didn’t work, NTLM did.

Now with Kerberos authentication to SQL Server being an issue, the case followed its way to me. Well, Kerberos authentication should work. All clustered SQL Servers were configured and tested for Kerberos. But a little more about this particular cluster;

  • 4 Nodes (Windows Server 2008 R2). Originally a 2-node cluster, extended about a year ago.
  • 8 Virtual SQL Servers (2008 R2). Install dates of those virtual servers varying between 3 years to 1 month ago.
  • Each virtual server is installed using a domain account for that particular server.
  • Install is pretty much default, so the installer determines the dynamic tcp-port.
  • After installation, the required SPNs are created.
  • The state for this cluster is TEST/ACCEPTANCE.

This particular case included two clustered SQL Servers having the problem;

  • CL2_SQL_INS2\INS2
  • CL2_SQL_INS5\INS5

To verify the situation, I connected to the node for INS2 and confirmed there were SPNs registered for the service accounts for INS2 and INS5 (SetSPN -L "domain_name\svc_acnt_name"), which returns results like:

C:\Users\admin_075>SetSPN -L "organization\srv_sql_ins2"
Registered ServicePrincipalNames for CN=SRV_SQL_INS2,OU=CL2_SQL,OU=SQL_Clusters,OU=Servers,DC=organization,DC=local:
        MSSQLSvc/srv_sql_ins2:12345
        MSSQLSvc/srv_sql_ins2.organization.local:12345

In other words, it looked just like it should, the SPN for INS2 was 12345 and for INS5 was 54321. Next I opened the SQL Server Configuration Manager and retrieved the TCP Port for IPAll for both INS2 and INS5. INS5 was at TCP Dynamic Ports = 54321 (as expected), but INS2 was at TCP Port = 1433! Now this explains why INS2 isn’t working on Kerberos, it’s not registered for 1433. Of course there now is the question why INS2 is forced to listen on 1433 instead of 54321, but at that stage I was more concerned with why INS5 wasn’t authenticating on Kerberos despite the port configuration. Since the Windows Server I was currently looking at was the active host for INS2 but not for INS5, I connected to the host for INS5 and checked the TCP Port settings. There I was in for yet another surprise: INS2 = tcp-port 12345 and INS5 = tcp-port 1433!

This is the situation that is not supposed to be!!! The active hosts for the respective virtual servers listen at 1433, but the passive hosts are correct (well, turned out INS2 had 2 hosts configured for 1433). I learned these were probably remnants from earlier troubleshooting activities. However, I’m still surprised, as in a cluster, when one edits the tcp-port number on the active host, it should propagate with a failover. So I edited the port on the active host for INS2 to be 12345 instead of 1433 and brought the resource offline and online again, port remained at 12345 (= OK). Next I did a failover to the other host that still had 1433 listed, expecting that the port would become 12345. It didn’t, it remained at 1433. What is broken here (or has never worked correctly at all)?

The broken, or better said, missing part turned out to be checkpoints. Not that this is the first case of missing checkpoints with SQL Server, as it seems; the way to fix them is hidden inside the kb-article How to change SQL Server parameters in a clustered environment when SQL Server is not online. The title seems to suggest that this only applies when SQL is not online, but the described method 2 has no restriction on SQL Server being online or not. After checking with cluster . resource /checkpoints it turned out that none of the SQL Server Services had a checkpoint. And since the path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL10_50.INS2\MSSQLServer\SuperSocketNetLib\Tcp\IPAll wasn’t covered by another checkpoint, it is obvious why tcp-port numbers were inconsistent throughout the nodes. I added a checkpoint for INS2 (from the host where INS2 was running on 1433) and edited the tcp-port number to become a static (not dynamic as on the other host) 12345. Next I conducted a failover to the previous host and verified that it too now had a static IPAll for port 12345. Issue of the missing checkpoints solved. The other 7 instances went the same way.

CAUTION: At step 4 for Method 2, for SQL Server 2008 the syntax is listed as cluster . resource "SQL Server (<InstanceName>)" /addcheckpoints:"HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server\MSSQL.x\MSSQLSERVER". Be sure to leave out the HKEY_LOCAL_MACHINE\ part as this results in invalid syntax and take a good look how to replace the MSSQL.x as this would apply to SQL Server 2005, whereas MSSQL10.<InstanceName> would apply to SQL 2008 and MSSQL10_50.<InstanceName> to SQL Server 2008 R2. Hopefully this will be updated based on the feedback I submitted.
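
The manual check above (SetSPN -L output against the IPAll port on every node) and the checkpoint syntax from the CAUTION can be scripted. The PowerShell below is an added example, not part of the original troubleshooting; the function names, the node names NODE-A and NODE-B and the sample settings are constructed, and TcpPort / TcpDynamicPorts are the value names under the IPAll key cited above.

```powershell
# Added example. Sample data is constructed from the values quoted in the post;
# NODE-A / NODE-B are hypothetical node names.
# On a real cluster the inputs would come from:
#   setspn -L "organization\srv_sql_ins2"
#   Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL10_50.INS2\MSSQLServer\SuperSocketNetLib\Tcp\IPAll'
# (the second one run on every node, reading TcpPort and TcpDynamicPorts).

function Get-SpnPort {
    # Return the port numbers of all MSSQLSvc/<host>:<port> lines.
    # SPNs that end in an instance name instead of a port are skipped.
    param([string[]]$SetSpnOutput)
    $ports = @()
    foreach ($line in $SetSpnOutput) {
        if ($line -match '^\s*MSSQLSvc/[^:\s]+:(?<port>\d+)\s*$') {
            $ports += [int]$Matches['port']
        }
    }
    $ports | Sort-Object -Unique
}

function Test-SqlSpnPort {
    # One result row per node: does every configured IPAll port have an SPN?
    # Assumes a single port number per registry value.
    param(
        [string[]]$SetSpnOutput,
        [hashtable]$NodeSettings   # node -> @{ TcpPort = '..'; TcpDynamicPorts = '..' }
    )
    $spnPorts = @(Get-SpnPort $SetSpnOutput)
    foreach ($node in ($NodeSettings.Keys | Sort-Object)) {
        $cfg = $NodeSettings[$node]
        # Keep only the values that are filled in (empty string = not set)
        $ports = @($cfg.TcpPort, $cfg.TcpDynamicPorts |
                   Where-Object { $_ } | ForEach-Object { [int]$_ })
        $missing = @($ports | Where-Object { $spnPorts -notcontains $_ })
        New-Object PSObject -Property @{
            Node     = $node
            Listener = "static=$($cfg.TcpPort) dynamic=$($cfg.TcpDynamicPorts)"
            SpnPorts = $spnPorts -join ','
            SpnMatch = ($ports.Count -gt 0) -and ($missing.Count -eq 0)
        }
    }
}

function Test-NodeConsistency {
    # True when every node reports the same IPAll settings. A difference is
    # the symptom the post traces back to a missing registry checkpoint.
    param([object[]]$Report)
    @($Report | Select-Object -ExpandProperty Listener -Unique).Count -le 1
}

function Get-CheckpointCommand {
    # Build (not run) the cluster.exe command from the CAUTION: key relative
    # to HKEY_LOCAL_MACHINE, version prefix MSSQL10_50 for SQL Server 2008 R2
    # (MSSQL10 for SQL Server 2008).
    param([string]$Instance, [string]$VersionPrefix = 'MSSQL10_50')
    $key = "Software\Microsoft\Microsoft SQL Server\$VersionPrefix.$Instance\MSSQLSERVER"
    "cluster . resource `"SQL Server ($Instance)`" /addcheckpoints:`"$key`""
}

# --- constructed sample input -------------------------------------------
$setSpnOutput = @(
    'Registered ServicePrincipalNames for CN=SRV_SQL_INS2,OU=CL2_SQL,OU=SQL_Clusters,OU=Servers,DC=organization,DC=local:',
    '        MSSQLSvc/srv_sql_ins2:12345',
    '        MSSQLSvc/srv_sql_ins2.organization.local:12345'
)
$nodeSettings = @{
    'NODE-A' = @{ TcpPort = '1433'; TcpDynamicPorts = ''      }  # active host in the post
    'NODE-B' = @{ TcpPort = '';     TcpDynamicPorts = '12345' }  # passive host
}

$report = @(Test-SqlSpnPort -SetSpnOutput $setSpnOutput -NodeSettings $nodeSettings)
$report | Format-Table Node, Listener, SpnPorts, SpnMatch -AutoSize

if (-not (Test-NodeConsistency $report)) {
    Write-Output 'IPAll differs between nodes; review "cluster . resource /checkpoints". Command to add the checkpoint:'
    Get-CheckpointCommand -Instance 'INS2'
}
```

A node whose SpnMatch is False is listening on a port for which no MSSQLSvc SPN is registered, which is the condition that left only NTLM working for INS2.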

For more background on the checkpoints, I found the Windows 2008 (R2) documentation on clustering is rather limited to the “What’s new” stuff and to be honest, even the Windows 2003 documentation is not as clear on the subject as Exchange 2003 on Windows Cluster Architecture (sections Checkpoint Manager and Database Manager under Cluster Service Components).

Friday, January 10, 2014 10:51:14 PM (W. Europe Standard Time, UTC+01:00)
# Wednesday, June 17, 2009

I've been holding this one off for quite some time, but finally bit the bullet... migrate the server. Coming from Windows Small Business Server 2003 (32-bit) going to Windows Server 2008 with Exchange 2007 (both x64), including transferring the web site. There were a few nasty pieces in the process and I didn't have/take the time/resources to test it all through before jumping in... so I got a disruption of about one hour for the blog and inbound smtp.

First issue I encountered was the installation of the server, which I ordered from Dell without operating system. I am a Microsoft Action Pack subscriber, so I slammed the 64-bit Windows Server from the Action Pack on the system, entered the Product Key and then went on to phone based activation. After putting in the last confirmation code and pushing the next button... my activation wasn't accepted!!! ... to cut a long story short, after dozens of voice menu selections and 4 persons, I found the guy who could help me out: Philip. Though it still took Philip and me about 20 minutes to find the actual problem... I wasn't an Action Pack subscriber anymore!!! Technical story here, but it happened when Action Pack was integrated more tightly with the Partner Program. Somehow I didn't complete the Action Pack renewal transaction completely in February, but the partner site didn't show that (it only showed I'm still good for the Partner Program).

Couple of days later, I could go ahead with the migration process. It turned out to be easier than I expected after I found a very useful document about Upgrading Small Business Server 2003 to Exchange 2007. Some pointers on using the document though;

  • Transferring the other FSMO's (Schema Master is described); Determining FSMO Role Holders
  • With Windows Server 2008 you NEED the Exchange 2007 SP1 DVD, Exchange 2007 without SP1 will not pass installation checks.
  • Section Migrate mail send does not cover migrate mail receive. This caused me a bit of downtime... The issue was
    SMTP error from remote mail server after MAIL FROM:<abcd@efg.hi> SIZE=2703:
    host abcdef.ghi [10.10.10.10]: 530 5.7.1 Client was not authenticated

    And can be solved in the following manner in Exchange Management Console:
    • Go to the Server Configuration, Hub Transport. Select your server and add Anonymous to the Default SERVERNAME Receive Connector. While you're there, you can increase receiving message size here too.

And there were parts I did differently;

  • I continue to rely on Vamsoft's ORF for the anti-spam. Version 4.3 is fully compatible with Windows Server 2008 and Exchange 2007 and an ease to configure.
  • Since I will continue the same DNS name for OWA and Windows mobile Active Sync, I transferred the Self-signed certificate from the SBS2003 (find it in your IIS, web site, directory security tab) to the new server.

My other bit of downtime was the blog... simply copying from the old server to the new one didn't cut it. So I downloaded the latest release of dasBlog from Codeplex, copied it into the virtual directory of the new server. Next I had to;

  • Copy my own theme
  • Compare (and adjust) the \SiteConfig files
  • Transfer \Content files and \Logs files
  • Make sure the account running the Application Pool has read on all dasBlog folders and change on \SiteConfig, \Content and \Logs.
  • The Application Pool is running in Classic Managed Pipeline Mode

Guess I can say I didn't plan for the blog to be upgraded... that just had to happen.

Wednesday, June 17, 2009 9:31:05 PM (W. Europe Daylight Time, UTC+02:00)
# Thursday, February 26, 2009

As I blogged before, relog is quite useful. The syntax examples on the TechNet page however are pretty much useless if you want to go to SQL Server. So let's look at a few scenarios and the syntax to make them work, but before that, let's get the DSN and the counter data file.

Configure the Data Source Name to the SQL Server as System DSN based on the SQL Server driver (SQLSRV32.DLL)... Native Client does NOT work. The name of the DSN in the syntax samples will be PerfDB.

Next is the file with performance data. Relog will detect the format from its internal structure (if it is a valid counter log file), so you do not have to specify if your file is comma separated (.csv), tab separated (.tsv) or binary (.blg). Since binary is the most practical format for large amounts of data, the file for the syntax examples will be c:\my perflogs\p_log01.blg (and consecutive numbers for any next file).

One final comment before going to the scenarios; relog creates three tables in the SQL Server database targeted by the DSN (if they do not already exist). These tables are;

  • dbo.CounterData (holds the actual values of the counter)
  • dbo.CounterDetails (holds the machine, object, counter and, if applicable, the instance)
  • dbo.DisplayToID (holds information on the perfmon data that was loaded)

Scenario 1: Load all counters into the database

relog "c:\my perflogs\p_log01.blg" -f SQL -o SQL:PerfDB!1stRun

All clear, except for the 1stRun (and the exclamation mark preceding it). The reason is that it is possible to write multiple logs to the same database. Each time log information is written to the database, a new DisplayToID record is created. The name given after the exclamation mark is the DisplayString. If the DisplayString has been used before, the data will be added under the same GUID.

Scenario 2: Load all counters between begin and end datetime into the database

relog "c:\my perflogs\p_log02.blg" -f SQL -o SQL:PerfDB!2ndRun -b 26-02-2009 10:00:00 -e 26-02-2009 10:30:00

TechNet says the format for relog date times should be M/d/yyyy hh:mm:ss, which is the internal format of the log files (M/d/yyyy hh:mm:ss.sss) minus the milliseconds. In reality, relog looks at the regional settings, including the customizations you did to the regional settings! The string in the sample is valid for the regional settings Dutch (Netherlands), so dd-mm-yyyy HH:mm:ss. Best way to find out what format relog expects is to run relog /?.

Together with the previous issue of the char(24) storage of a binary converted datetime string, this regional settings dependency is horrible handling of datetime. For globalization support it would be great if relog was given an extra switch to indicate that datetime strings are in ISO 8601 or ODBC format, independent of the regional setting.

Scenario 3: Load a limited set of counters into the database

relog "c:\my perflogs\p_log03.blg" -q -o c:\counters.txt

Edit the c:\counters.txt file to only include the counters to be written to the database.

relog "c:\my perflogs\p_log03.blg" -cf c:\counters.txt -f SQL -o SQL:PerfDB!"select set of counters from the 3rd run"

It is possible to combine scenarios 2 and 3 to load a limited set of counters between two datetimes. Also, if you want spaces in the DisplayString, it can be done with the double quotes as shown in this example.

Thursday, February 26, 2009 3:42:13 PM (W. Europe Standard Time, UTC+01:00)
# Wednesday, March 26, 2008

Finally the results for the 71-646 and 71-647 are being published. I just checked the prometric site after reading Aaron's update on his scores, he passed his, I passed mine. Now all I need to do to haul in the MCITP: Enterprise Administrator is pass either the 70-620 or 70-624... I guess the 70-620 is by far the easier route.

Wednesday, March 26, 2008 10:28:24 PM (W. Europe Standard Time, UTC+01:00)
# Tuesday, January 22, 2008

Just did my 71-647 (70-649 when it comes out of beta), without preparation... I just checked some links;

Permanent Link to 70-647 Windows Server 2008, Enterprise Administrator

Erfahrungsbericht 71-647 (German)

In general, my impression is in line with what Lucas and Noxx experienced. In terms of subjects, my exam was quite a lot of GPO, File Server, Clustering in combination with SQL Server 2005 ;-), AD DS, AD CS, AD FS.

Should I have to take this exam again, there still is a little I would look at based on today's experience. The only subjects I would be looking for are:

  • Feature overview of System Center (and a bit more specific System Center Virtual Machine Manager and SoftGrid)
  • Windows System Resource Manager
  • AD; what's changed from Windows Server 2003 to 2008
  • AD FS

In general, being MCSE 2003, proper preparation for 70-649 and a bit of reading on the four topics above should be enough...

Oh, I added my remarks on 5 out of 71 questions that had some serious flaws or were just plain wrong.

Tuesday, January 22, 2008 4:12:30 PM (W. Europe Standard Time, UTC+01:00)
# Monday, January 14, 2008

... or at least didn't feel things were important enough to post, at least that's the excuse for not writing here for well over a month.

In the meantime, beta-season is opened again and I registered for the 71-647. However, I won't go through the same depth of preparation as I did for the 70-649... I'll just go in and try to make it on my Windows 2003 and 70-649 prep-knowledge ;-).

The other exam I registered for is the 70-445 and I'm planning to take the 70-446 later this year. Just to get myself started for the preparation of this exam, I collected some links to hold on to:

and I'll be using the Microsoft courseware for the courses 2791, 2792, 2793, 2794 and the MCTS Self-Paced Training Kit (Exam 70-445): Microsoft® SQL Server™ 2005 Business Intelligence—Implementation and Maintenance.

That should keep me busy for a while again...

Monday, January 14, 2008 8:49:23 PM (W. Europe Standard Time, UTC+01:00)
# Friday, November 9, 2007

As I wrote before, I passed my beta-exam and am well underway. Because of my experience preparing for the exam, the folks from NewLevel asked if I could do a presentation for them on Windows Server 2008... for marketing sake.

I said yes, so if you're interested, available on November 27th (13:30 - 16:00) and can be in Amersfoort:

  • Overview of product features and why you might want to use them.
  • How these features map to the new generation certifications and what this new generation certification could mean to you.
  • Training options to prepare for the Windows Server 2008 certifications and job-roles.
  • Besides all the talking, a demonstration deploying Network Access Protection in Windows Server 2008.

If you're interested, contact NewLevel by phone +31 73 599 0 150 or mail to Rein Floris at NewLevel. The presentation will be in Dutch and a small fee is charged.

Friday, November 9, 2007 8:05:57 PM (W. Europe Standard Time, UTC+01:00)
# Monday, November 5, 2007

Just visited the prometric-website, I've passed my 71-649. Also did a quick check on my MCP-transcript, but it's not showing there, yet! The preparation paid off.

Monday, November 5, 2007 11:06:34 PM (W. Europe Standard Time, UTC+01:00)
# Thursday, August 30, 2007

I don't make a habit of copying other people’s blogs, but after my prep-series for 70-649 / 71-649, it’s okay for me on this one. The original can be found at Trika’s blog.

Hi. You probably already heard the update on WS2008 release to manufacturing (RTM), now scheduled for 1st quarter of 2008 instead of end of year 2007. As a result... 
  1. The transition exams 70-648 and 70-649 will be available on October 29, 2007, now. They were scheduled for September 20, but the changes/slip in technology mean some items on our exams are affected, too. 
  2. If you took the beta for either of these exams (71-648 or 71-649), your result should be available no later than October 29 (or a few weeks before).
  3. The MCTS exams are still scheduled for RTM +30 days; the MCITP exams are still scheduled for RTM +60. Don't know what I'm talking about? Read about the WS2008 certification family.

Guess I have to wait for my beta-score a little longer...

Thursday, August 30, 2007 9:25:41 AM (W. Europe Daylight Time, UTC+02:00)
# Friday, August 3, 2007

Well, I should say 71-649, because I sat the beta-exam. But how would I rate my preparations (1, 2, 3, 4, 5, 6, 7, 8) and the exam?

Let me start with the exam, 88 questions on:

  • Windows Deployment Services, about 10 questions.
  • Terminal Services, about 10 questions.
  • Internet Information Services, about 20 questions.
  • Active Directory, about 20 questions.
  • Networking, about 10 questions.
  • Virtual Server, about 5 questions.
  • Not listed in the prep-guide, about 10 questions. These topics include Disk management, WSUS, Clustering, Recovering from boot errors; none of them really hard. I would say (apart from the different boot process and recovery options for Windows 6) basic knowledge is sufficient.

Mapping my preparation to the beta-exam, I can say IIS and Networking were well covered. Though there is one flaw on my IIS prep: .NET Trust Levels… I totally forgot about them.

My feeling on WDS and AD in general is okay, though I should have spent more time on Federation Services and Rights Management Services and gotten some hands-on experience with WDS. Towards Virtual Server, I can say I underestimated it a bit, thinking that my daily usage of Virtual Server 2005 for test and development would cover it. Not, you’ll need to invest in your skills to manage a production environment of legacy OS-es hosted on Virtual Server, including securing (the level of) access to specific machines and scripts.

And then there were Terminal Services, well actually my exam started with them and I was shocked (or maybe stunned) with the level of depth and detail in the questions. Maybe, like with Virtual Server, I underestimated TS. But with VS, I had at least the feeling the questions were fair; some of the TS questions, however, were IMHO based on look-up facts, not skill. If the spread of the exam will be the same as on my beta, prep deep and hard at ALL topics on Terminal Services.

That said about my preparation, but will I pass? Hard to say, first of all it’s a beta exam, so it’s also a test for the question pool (and some won’t make the cut). There were errors in at least two questions (which I commented) and I have my doubts about a couple of others (I’ll review what I can remember and answer that on Microsoft’s follow-up mail on the beta exam). Until then, I’ll anxiously await the result.

Friday, August 3, 2007 8:44:12 PM (W. Europe Daylight Time, UTC+02:00)

In a few hours I’m going to find out if my preparations (and expectations) match up with the exam (or should that be the other way around?).

Anyway, here is the final post on the preparations, covering IIS. On top of that, I’ve updated Preparing for 70-649, part 7 of many with the IIS stuff and some extras on activation and WDS.

IIS is huge and not only in terms of its share in the question pool (as reported in many experience reports on the Internet). Surely I’m pointing at IIS.NET (www.iis.net), even then a sub selection is required. So let me sum up the resources I used, though I must admit I had next to no clues on what to prepare for other than a lot of command-line stuff, in other words: appcmd.exe.

First I had to get in the mood ;)… so I picked two webcasts (I had their links stored sometime when I was browsing resources).

Live From Redmond: Putting the Lego set together: Inside IIS 7.0's Componentization

There is an audio problem in the original webcast starting just after 18 minutes and lasting for about 2 minutes, nothing wrong with your PC (yes, I did restart the presentation).

Exploring the Future of Web Development and Management with Internet Information Services (IIS) 7.0 (Level 200)

I was tempted to only view the admin part of the webcast (~50 minutes), but sitting through the full webcast gives you a good view of what the modularized approach for IIS 7 means in terms of extensibility.

After the webcasts I went through the IIS 7 Resources and read all articles (1, 2, 3, 4, 5, 6, 7, 8) in “Explore IIS 7”. Just to get the complete picture.  A lot of these pages have a “Learn more … ” as their next/last page. This “Learn more” page has undoubtedly useful links, but after having clicked a few I decided to keep away from them to properly manage my time. Note that having viewed the webcasts makes the reading easier.

Basically I wanted to continue reading the rest as well, but that would present an information overflow, which would probably not be relevant to the exam. I already had my doubts if I wasn’t drilling too deep anyway. Looking at the skills in the prep guide, 14 out of 16 skills towards IIS are configuring. What I learned so far from the resources; configuration is stored in XML files machine.config, applicationHost.config and web.config. What I learned from the comments, emphasizing the importance of the command-line, appcmd.exe will be the tool to edit these XML files.

I started taking up the configuration tasks with FTP, based on the 9-page guide from iis.net. In this paper the configuration is done against the bare XML for several different scenarios. In preparation terms, I’ll label this link Resource M_1.

Next was configuring certificates, where I was surprised to learn that appcmd.exe could not be used for a lot of certificate related configuration tasks (Resource M_2).

This link might address two skills, as I’m not sure to what extent the words components, modules and handlers are used interchangeably (Resource M_3).

A link that (in a very simple way) satisfies three skills is this one, labeled Resource M_4.

This link will hopefully satisfy another 3 skills (well, one already covered by M_4), labeled Resource M_5.

In the configuration corner for rights, permissions and authorization, you should have gotten a pretty good impression from the second webcast, but here are the four links I think add some information. 1, 2, 3, 4 (Resource M_6).

There wasn’t information on backup. But hey, how hard can that be… check out appcmd backup /?, by now you should know the IIS team got their act pretty well together.

SMTP is another story, I haven’t looked deeper in there, other than just install it. To me it seemed nothing changed from Windows Server 2003, it even requires all the IIS 6.0 bits to be installed. Then again, the prep-guide could be hinting at configuring SMTP so your apps can send mail.

And finally UDDI, well next to nothing to be found on UDDI on the iis.net, at microsoft.com UDDI points you in various developer directions. Also Microsoft, SAP and IBM seemed to have the plugs pulled on the public UDDI business registry. This makes UDDI an enterprise niche, which will require cooperation between developer teams and corporate administrators. In other words, UDDI should have no place in a MCTS exam and I’m going to take my chances here.

All information in the resources (with exception of M_2) focuses at the underlying XML-configuration, so armed with this knowledge I started to test my skills with appcmd.exe in a VirtualLab. Unfortunately I ran into some troubles with the lab (which all by itself should take just a minute or 10 (out of 90) to complete), so I booted my own VM to play with appcmd.exe a bit more. The thing I liked in the VirtualLab was the inclusion of appcmdUI.exe. Speaking of appcmdUI, life with appcmd.exe can become a lot easier; check out Kanwaljeet Singla’s appcmdUI.exe, after the exam... don't get used to it yet ;). Or use one of the other options to manage IIS7;

  • GUI administration
  • Edit the files directly with your favorite XML-editor
  • PowerShell
  • WMI
Friday, August 3, 2007 9:57:26 AM (W. Europe Daylight Time, UTC+02:00)
# Monday, July 30, 2007

Updated 2007-08-03 with added stuff on IIS, WDS and Windows Activation. 

I haven't done much in terms of blogging about my preparations the past couple of days. Mainly because I've taken a more structured approach after I caught myself reading an RFC to prepare for an MCTS exam (see part 5). To keep track of what I did, I use the table below so I can match the skills to be tested to the resources I used. So far I’ve gone about the following route;

Don’t forget you’re an MCSE. Windows Server 2008 is yet another evolution in the Windows Operating System. Your skills will evolve along with it (in other words, there’s only a little real new stuff). Or as Lukas Beeler stated: “An MCSE on 2003 could probably answer 50% of the questions without having touched WS2008”

  • Search resources (find this documented in some of the previous posts).
  • Watch the IPv6 white-paper webcast, followed by selectively reading through the white paper itself. Link (Resource A).
  • Skim / glance through the reviewers guide (Resource B).
  • Watch the screencasts by Keith Combs (Resource C).
  • Get some hands-on experience with IPv6 (but don’t overdo it). (Resource D).
  • The E-Book, well only the chapters from Windows Server 2008 (Resource E). I haven’t looked at the PowerShell Step-By-Step chapters, as PowerShell is not on the exam.
  • Some background information on Rights Management Services from Windows Server 2003 (Resource F).
  • E-Learning 5934 collection. For a little more detail on the E-Learning and why I didn't add the last clinic, see my previous post.
    • Course 5936 Hindsight, take this after reading the EBook, the clinic is lacking in overview and seems to miss some essential bits (I took this module before reading the EBook) (Resource G).
    • Course 5937, good clinic but not much new info after having worked with resources B, C and E (Resource H).
    • Course 5938 (Resource I).
  • Windows Deployment Service Role Step-By-Step guide (Resource J).
  • Volume Activation 2.0 Frequently Asked Questions for Windows Vista and Windows Server codenamed "Longhorn"- Beta 3 (Resource K).
  • I’m not sure if "Custom application directory partitions" means the same as in the Windows Server 2003 exams. If yes, check page 5-26 from the MCSA/MCSE Self-Paced Training Kit for Exam 70-291 (isbn: 0-7356-2288-4). Online Chapter 5 included as Resource L.
  • IIS was a story for itself, which I described in my last preparation post. For the table below, I labeled this post as Resource M (which means the whole post in general) and some further qualified resources (like M_1, M_2, etc.) with specific links in that post (Resource M).
  • Get some hands-on experience with Server Core (Hindsight, not a priority. Keith’s screencast probably shows enough) (Resource Z).

Resources reviewers guide (B) and E-Book (E) have their respective chapter denoted as well, like (B_2) for chapter 2 from the reviewers guide.

What’s up with the table? First of all, these are the skills being measured from the 2007-05-25 prep-guide with a priority column and a resource column. Each time I encounter a comment on the internet about the skill being heavily tested, it receives a plus. Plusses are direct or inherited from the group, that is; if I felt a comment could be pointed to a group, that’s where the plus landed. Resources point to things I used, did or read to cover that topic; finally comments are things I want to mention on the particular topic.

One general comment though, the exam is said to heavily focus on command-line tools. So I specifically paid attention to the command-line tools used in the various topics.

| 70-649 | Priority | Resources | Comments |
|---|---|---|---|
| **Configuring Network Access** | | | |
| Configure Remote Access. | | B_5, G | |
| Configure Network Access Protection (NAP) components. | + | B_5, G | |
| Configure Network Authentication. | | B_5 | |
| Configure data transmission protocols. | | B_5, H | |
| Configure wireless access. | | B_5, G | |
| Configure certificate services. | + | B_5, E_7, G | |
| Configure DHCP. | + | D, B_5, G | |
| Configure IPv4 and IPv6 Addressing. | ++ | A, D | |
| Configure Routing. | | B_5 | |
| **Configuring Terminal Services** | + | | |
| Configure Terminal Services Remote Programs. | + | B_3, I | |
| Configure Terminal Services Gateway. | + | B_3, I | |
| Configure Terminal Services load balancing. | + | B_3 | |
| Configure resource allocation for Terminal Services. | + | B_3, I | |
| Configure Terminal Services licensing. | + | B_3 | |
| Configure Terminal Services client connections. | + | B_3, I | |
| Configure Terminal Services server options. | + | B_3, I | |
| **Configuring a Web Services Infrastructure** | +++ | | B_6 is heavily underpowered to cover the subjects |
| Configure File Transfer Protocol (FTP) Server. | +++ | M, M_1 | |
| Configure backup. | +++ | M | |
| Configure Web applications. | +++ | M, M_4, M_5 | |
| Configure Application Pools. | +++ | M, M_5 | |
| Configure IIS components. | +++ | M, M_3 | |
| Publish IIS Web sites. | +++ | M, M_4 | |
| Migrate sites and Web applications. | +++ | M, M_5 | |
| Configure SMTP service. | +++ | M | |
| Configure Universal Description, Discovery, and Integration (UDDI) service. | +++ | M | |
| **Configuring Security for Web Services** | +++ | | B_6 is heavily underpowered to cover the subjects |
| Configure handlers to reduce attack surface. | +++ | M, M_3 | |
| Configure .NET Trust levels. | +++ | M | |
| Configure authentication. | ++++ | M, M_4 | |
| Configure rights. | +++ | M, M_6 | |
| Configure permissions. | +++ | M, M_6 | |
| Configure authorization. | +++ | M, M_6 | |
| Configure certificates. | ++++ | M, M_2 | |
| **Deploying and Monitoring Servers** | | | |
| Configure Windows Deployment Services (WDS). | +++ | B_7, J | |
| Capture WDS images. | +++ | B_7, J | |
| Deploy WDS images. | +++ | B_7, J | |
| Configure Windows Activation. | | C, K | |
| Create virtual machines. | +++ | B_2, E_3 | |
| Configure Virtual Server settings. | +++ | B_2, E_3 | |
| Install Windows Server Enterprise. | | C | |
| Install server core. | + | C, Z, B_7, E_6 | |
| **Configuring Server Roles** | | | |
| Implement server roles by using Server Manager. | | B_7, E_4, E_5 | |
| Configure ADLDS. | + | B_5, E_7 | Formerly known as ADAM (Active Directory Application Mode) |
| Configure ADRMS. | + | B_5, E_7, F | |
| Configure the Active Directory server core. | + | B_5, E_7 | |
| Configure the read-only domain controller (RODC). | +++ | C, B_4, H | |
| Configure Active Directory Certificate Services. | ++ | B_5, E_7 | |
| Configure Active Directory Federation Services (ADFS). | + | B_5, E_7 | |
| **Maintaining the Active Directory Environment** | + | | |
| Configure backup and recovery. | + | B_5, B_7 | |
| Perform offline maintenance. | + | B_5, E_7, H | |
| Configure custom application directory partitions. | + | L | |
| **Configuring the Active Directory Infrastructure** | + | | |
| Configure communication security for Active Directory. | + | B_5 | |
| Configure the global catalog. | + | | |

If time is less of an issue, visit the TechCenter which has lots of resources (Step-By-Step guides) to get the knowledge and Hands-On experience.

Monday, July 30, 2007 12:26:27 PM (W. Europe Daylight Time, UTC+02:00)

Review of the free E-Learning collection 5934 towards preparation of 70-649. Certainly not a catch-all resource, but the first three out of four clinics did add value in my preparation.

Clinic 5936, covers Network Access Protection (NAP). Though the E-Learning doesn’t mention it this way, NAP basically is an extension built around NPS (Network Policy Server, Microsoft’s RADIUS implementation and replacement for Win2k3 IAS). To use NAP, you need clients that are NAP-capable and can validate their Health (think Firewall, AV, Malware protection, patching) with the servers for compliance with the company’s System health policy. For better results, combine the E-Learning with the Reviewers Guide sections 5.02 and 5.03. I found this clinic quite lacking in terms of providing a decent overview, but it enhances the Reviewers Guide by adding visualization.

Clinic 5937, focuses on the branch offices. With Windows Server 2008 this means lots of RODC, but also TCP/IP improvements (for WAN), BitLocker, some administration delegation and stopping the AD Service for maintenance (rather than rebooting the server into Active Directory Restore Mode). Good and useful clinic, but also includes some topics that bear no relevance to the exam.

Clinic 5938, with Terminal Services at the core of this clinic. Listen to the intro and stop wondering why it looks like Citrix (in other words, leverage your experience with MetaFrame or Presentation Server). This clinic throws a lot of different scenarios at you, so you may want to combine it with chapter 3 from the Reviewers Guide to keep an overview. This clinic (like the 5936) adds visualization to the Reviewers Guide.

Clinic 5939, focuses on the “initialization” (initial configuration tasks and adding roles and features) and management of a server. Many topics, however, aren’t relevant to the exam (PowerShell, Remote Management, Troubleshooting and Diagnostics). It is a useful clinic in getting to know some new features of Windows Server 2008, but with next to no relevance to the exam. The parts that are relevant to the exam are already covered by Keith’s screencasts, the EBook and the Reviewers Guide.

Monday, July 30, 2007 12:16:37 PM (W. Europe Daylight Time, UTC+02:00)
# Tuesday, July 24, 2007

Today I decided my efforts to get hands-on experience with Windows Server 2008 Beta 3 were noble as well as inefficient. To be honest, I don’t really think it’s inefficient in terms of getting to know the product better, but it is in terms of time management towards the exam on August 3rd.

How did I get to that conclusion? I was playing with DHCPv6 and DNS and all of a sudden I found myself reading an RFC (3596 for those interested). What was I doing? Getting DHCPv6 to lease addresses and see those addresses being registered in DNS, both the AAAA records and the PTR records. But I had a little trouble getting the ip6.arpa zone created (and in the end it turned out just to be a matter of knowing what exactly to type in the wizard). That was the detail, but I am also preparing for (just) a MCTS-exam on a broad range of topics and skills.
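The ip6.arpa naming that RFC 3596 defines for the reverse zone and PTR records mentioned above, as an added example that is not part of the original post: it derives the zone name from a prefix, rejects prefixes that do not end on a 4-bit boundary, and shows which part of a PTR owner name falls inside the zone. The function names are hypothetical, and the prefix and address are constructed values from the 2001:db8::/32 documentation range.

```python
import ipaddress

IP6_ARPA = ("ip6", "arpa")


def reverse_zone(prefix: str) -> str:
    """Return the ip6.arpa zone name (RFC 3596 nibble format) for an IPv6 prefix."""
    # IPv6Network is strict by default: a prefix with host bits set is rejected.
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen % 4:
        # Each ip6.arpa label is one hex digit (4 bits), so a zone cut can
        # only sit on a nibble boundary.
        raise ValueError(
            f"/{net.prefixlen} is not on a nibble boundary; "
            "an ip6.arpa label covers exactly 4 bits"
        )
    hex_digits = net.network_address.exploded.replace(":", "")
    nibbles = hex_digits[: net.prefixlen // 4]
    # Labels are written least-significant nibble first.
    return ".".join(tuple(reversed(nibbles)) + IP6_ARPA)


def ptr_owner(address: str) -> str:
    """Return the full PTR owner name for an IPv6 address (32 nibble labels)."""
    return ipaddress.IPv6Address(address).reverse_pointer


def ptr_relative_to_zone(address: str, prefix: str) -> str:
    """Return the record name relative to the reverse zone for `prefix`."""
    if ipaddress.IPv6Address(address) not in ipaddress.IPv6Network(prefix):
        raise ValueError(f"{address} is not inside {prefix}")
    zone = reverse_zone(prefix)
    owner = ptr_owner(address)
    # Strip ".<zone>" from the end; what is left is the host part.
    return owner[: -(len(zone) + 1)]


if __name__ == "__main__":
    # Constructed sample values (documentation range), not from the post.
    prefix = "2001:db8:0:1::/64"
    host = "2001:db8:0:1::10"
    print("zone:     ", reverse_zone(prefix))
    print("PTR owner:", ptr_owner(host))
    print("relative: ", ptr_relative_to_zone(host, prefix))
```
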

Anyway, this scenario will be the last “getting my hands in the dirt” for a while. After that, I will look in to the free E-Learning and the free E-Book, probably followed by working my way through IIS7. Based on all info I found, IIS7 is topic #1 on the 70-649.

There is just one possible topic I’m uncertain of: PowerShell. The PowerShell book is listed among the recommended Microsoft Press self-paced training products on the Prep-guide. However PowerShell isn’t mentioned in the skills tested and I haven’t read any comments about PowerShell questions in the various experiences. Do any of the 71-649 veterans care to drop a word on PowerShell?

Tuesday, July 24, 2007 10:21:59 PM (W. Europe Daylight Time, UTC+02:00)
# Monday, July 23, 2007

The new VM (to be named Win2k8-Full-01) installed overnight, first things first: VM additions and a larger screen size (going graphical now). Second, not being able to do a thing with DHCP on the core-install (Win2k8-Core-01) still bugged me and while in Initial Configuration Tasks on Win2K8-Full-01 I started looking around the roles and features. There it was under features: Remote Server Administration Tools, but no remote tool for DHCP *now what*… well I just installed the DNS Server tool. Next the system wanted to REBOOT ?!? WinNT 3.51 déjà vu, I hope these kinds of reboots won’t make the final product.

The DNS Server tool on Win2K8-Full-01 threw an error “A security package specific error occurred”. I only could stop, restart or pause the DNS Service over at Win2k8-Core-01 and view the DNS Event log. I tried to see what happened if I made changes to DNS on Win2k8-Core-01 using dnscmd. Again the changes didn’t show in the DNS Server tool (although they were visible in the DNS Event log). Time for an upgrade to an Active Directory environment, I installed the role Active Directory Domain Services (reboot again), dcpromo followed by an expected reboot. After the reboot, it was apparent that the roles DNS Server and File Services were installed at Win2k8-Full-01 too.

The thing I realized after kicking off dcpromo was I didn’t look at the domain functional level. I went with the Windows Server “Longhorn” forest functional level, which made the wizard’s questions about domain functional levels obsolete. Hence I looked it up: Appendix of Functional Level Features, a link I think will be useful when going into the Configuring Server Roles (see prep-guide), which is pretty heavy on AD-stuff.

Next step, enlist the Win2k8-Core-01 in the newly created longhorn.local domain (use NETDOM JOIN). Sounds easy, but it wasn’t. The ADSL-router (being DHCP and DNS server) complicated things, so I had to switch to manually configure DNS registration over at Win2k8-Full-01 through netsh. Once I had that setup over IPv6, the join worked.

Unfortunately after the Win2k8-Core-01 joined the domain, I was still unable to connect to its DNS Server as it kept insisting on the error “A security package specific error occurred”. In the meantime, I also found the Core Server Step-by-Step Guide. Hindsight knowledge says I should have read this paper before getting my fingers in the dirt. Anyway I think I’ve played enough with this Core server thing towards the exam.

Next stop: DHCP, DNS and AD. Win2k8-Full-01 already acting as DC, DHCPv4, DHCPv6 and DNS. Threw the Win2k8-Core-01 from the disk and now installing Win2k8-Full-02. In the meantime watching TechNet Webcast: Technical Overview of Active Directory Domain Services in Windows Server 2008.

I also want to share this link: Exam impression by Lukas Beeler.

Monday, July 23, 2007 8:27:36 PM (W. Europe Daylight Time, UTC+02:00)
# Sunday, July 22, 2007

Commenting on my blog works again; Captcha issue resolved (a.k.a. disabled).

Didn't really do much in terms of preparation yesterday, just read over the IPv6 white paper. Today I fired up my Win2k8 Core VM and started to play around with IPv6. However, before getting to play, there was Product Activation. I had seen on one of the screencasts by Keith Combs that there is this vbs-tool (which you should probably know about on the exam): slmgr. Strange part was that when I checked the expiration date, it told me I had 26 days left, even though I had auto-activation on Internet connection checked when I installed. Well, must be one of those beta-thingies, but slmgr -ato took care of the situation. Second thing I tried was installing the Virtual Machine additions. It didn’t auto-run, but manually going for setup.exe, installing and rebooting did give me the VM-additions.

Next I went through the commands and tools mentioned on the IPv6 config page. All well, I have ipconfig, route and netsh where the interface ipv6 will be important. Since IPv6 is said to be really easy auto configuring, I tried ping and it started with timed out requests. So much for easy, but knowing my environment (dual-homed Win2k8 VM with one interface connected on the physical interface of my Vista system and also a non-IPv6 ADSL-router plus a WinXP SP2 with IPv6 installed), I started troubleshooting with IPv4. Router okay, Vista okay, WinXP not okay (turned out to be the firewall, disabled it). Next I tried pinging the WinXP system again on IPv6, twice! The first Win2k8 VM always tried first on the non-connected interface (which has ZoneID 3), and then the connected interface with ZoneID 2. Same story when pinging the Vista host. Also Win2k8 quickly forgets the interface it used to successfully connect to the two clients. Forgetting about the interface to use is quickly solved by including the (local) zone ID though, which basically represents the interface through which the other systems can be reached. So ping fe80::5581:4002:53a2:fef1%2 or something the likes based on your environment should prevent failure (or have a properly setup infrastructure ;) ) You can view what IPv6 knows about the surrounding network via netsh interface ipv6> show neighbors.

Pinging the Win2k8 VM from the two Windows clients didn’t work; again it’s the firewall which is enabled by default on Windows Server 2008. I disabled it through netsh firewall>set opmode DISABLE and pinging the connected interface worked, naturally pinging the disconnected interface doesn’t work as the server isn’t configured as router.

All of a sudden another question popped my mind (those poor 70-431 candidates completely taken by surprise): simulations!!! I didn’t read anything about them yet, so I Googled a bit and landed at Trika’s blog (where else ;) ): Are there simulations on the upgrade exams? No.

Afterwards I installed DHCP and DNS servers on the Win2k8 Core using ocsetup (warning: case-sensitive). DNS Server Service started, DHCP Server wouldn’t. The latter indicating through net start “DHCP Server” it is disabled or has no associated devices. Through netsh dhcp> I got the impression it needed Active Directory.

Not having a graphical UI in these circumstances is no help, so I wanted to see how far I could get from Vista… not far until I gave the administrator a password (not new to Windows Server 2008, but one to remember: a user account without password is inaccessible from the network (under the default policy settings)). Not much use either; I could initially connect with computer manager now, to have the errors thrown at my head one level deeper. I guess I will need a full install, partially to be able to manage the server and to be able to setup Active Directory. Now installing the new VM…

Sunday, July 22, 2007 11:48:50 PM (W. Europe Daylight Time, UTC+02:00)
# Saturday, July 21, 2007

Another day with some hours of preparation for the 70-649. Although I have enough resources to keep me company until August 3rd, I do still spend some time looking for real gems (and keeping tabs on the buzz for this wave of beta tests). It was through Technorati and Elan Shudnow’s Blog that I learned about Keith Combs’ Blahg. This particular nerd on the grid has a series of Screencasts (currently 5, with a duration between 5 and 18 minutes) on Windows Server 2008. From the looks of his blog, he’ll frequently pour out useful info, so his feed is added to my reader (and blogroll).

What did I do besides watching Keith’s screencasts? I compared the skills being measured between 70-648 and 70-649 (and thus added some topics to the list), have been reading through the reviewers guide and watching the IPv6 white paper as downloaded webcast (sit back and relax). I can recommend the downloaded version, it's easy to pause and if needed go back a slide, very welcome as it is nearly two hours of information. Second tip is about IPv4, if you feel your IPv4 knowledge is sub-optimal, first review your IPv4 stuff. It's on the skills list too and the webcast refers quite a bit to your IPv4 knowledge. From the webcast I learned there are parts of the white paper itself I will read for further understanding.

Saturday, July 21, 2007 12:18:03 AM (W. Europe Daylight Time, UTC+02:00)
# Friday, July 20, 2007

Okay, so 70-648 is a subset of 70-649? Well almost;

  • 70-648 has more skills on "Maintaining the Active Directory Environment"
  • There is a small difference in skill when it comes to "Configuring the Active Directory Infrastructure"
  • 70-648 has the extra skills domain of "Configuring the Domain Name System (DNS)"

See the full compare in the table below (based on the prep-guides as they were on 2007-07-20). Changes are not likely during the beta round, which by the way ends August 3rd, but I'd be surprised if there were still seats to be taken. However, should you hit this page when the exams are live, be sure to check the (then) current skills at their respective links: 70-648 & 70-649

| 70-649 | 6416A | 70-648 | 6415A | 6416A |
|---|---|---|---|---|
| **Configuring Network Access** | | **Configuring Network Access** | | |
| Configure Remote Access. | X | Configure Remote Access. | X | |
| Configure Network Access Protection (NAP) components. | X | Configure Network Access Protection (NAP) components. | X | |
| Configure Network Authentication. | X | Configure Network Authentication. | X | |
| Configure data transmission protocols. | X | Configure data transmission protocols. | X | |
| Configure wireless access. | X | Configure wireless access. | X | |
| Configure certificate services. | X | Configure certificate services. | X | |
| Configure DHCP. | X | Configure DHCP. | X | |
| Configure IPv4 and IPv6 Addressing. | X | Configure IPv4 and IPv6 addressing. | X | |
| Configure Routing. | X | Configure routing. | X | |
| **Configuring Terminal Services** | | | | |
| Configure Terminal Services Remote Programs. | X | | | |
| Configure Terminal Services Gateway. | X | | | |
| Configure Terminal Services load balancing. | X | | | |
| Configure resource allocation for Terminal Services. | X | | | |
| Configure Terminal Services licensing. | X | | | |
| Configure Terminal Services client connections. | X | | | |
| Configure Terminal Services server options. | X | | | |
| **Configuring a Web Services Infrastructure** | | | | |
| Configure File Transfer Protocol (FTP) Server. | X | | | |
| Configure backup. | X | | | |
| Configure Web applications. | X | | | |
| Configure Application Pools. | O | | | |
| Configure IIS components. | X | | | |
| Publish IIS Web sites. | X | | | |
| Migrate sites and Web applications. | X | | | |
| Configure SMTP service. | X | | | |
| Configure Universal Description, Discovery, and Integration (UDDI) service. | X | | | |
| **Configuring Security for Web Services** | | | | |
| Configure handlers to reduce attack surface. | X | | | |
| Configure .NET Trust levels. | X | | | |
| Configure authentication. | X | | | |
| Configure rights. | X | | | |
| Configure permissions. | X | | | |
| Configure authorization. | X | | | |
| Configure certificates. | X | | | |
| **Deploying and Monitoring Servers** | | **Deploying Servers** | | |
| Configure Windows Deployment Services (WDS). | X | Configure Windows Deployment Services (WDS). | X | |
| Capture WDS images. | O | Capture WDS images. | X | |
| Deploy WDS images. | O | Deploy WDS images. | X | |
| Configure Windows Activation. | X | Configure Windows activation. | X | |
| Create virtual machines. | X | Create virtual machines. | X | |
| Configure Virtual Server settings. | X | Configure Virtual Server settings. | X | |
| Install Windows Server Enterprise. | X | Install Windows Server Enterprise. | X | |
| Install server core. | X | Install server core. | X | |
| **Configuring Server Roles** | | **Configuring Server Roles** | | |
| Implement server roles by using Server Manager. | X | Implement server roles by using Server Manager. | X | |
| Configure ADLDS. | X | Configure ADLDS. | X | |
| Configure ADRMS. | X | Configure ADRMS. | X | |
| Configure the Active Directory server core. | X | Configure the AD server core. | X | |
| Configure the read-only domain controller (RODC). | X | Configure the read-only domain controller (RODC). | X | |
| Configure Active Directory Certificate Services. | X | Configure AD Certificate Services and PKI. | X | |
| Configure Active Directory Federation Services (ADFS). | X | Configure Active Directory Federation Services (ADFS). | X | |
| **Maintaining the Active Directory Environment** | | **Maintaining the Active Directory Environment** | | |
| Configure backup and recovery. | X | Configure backup and recovery. | O | X |
| Perform offline maintenance. | X | Perform offline maintenance. | O | X |
| Configure custom application directory partitions. | X | Configure custom application directory partitions. | O | X |
| | | Configure AD DS auditing. | O | X |
| | | Configure audit policy by using GPOs. | O | X |
| | | Monitor Active Directory. | O | X |
| **Configuring the Active Directory Infrastructure** | | **Configuring the Active Directory Infrastructure** | | |
| Configure communication security for Active Directory. | X | Configure communication security for Active Directory. | | X |
| Configure the global catalog. | X | | | |
| | | Configure authentication. | X | |
| | | **Configuring the Domain Name System (DNS)** | | |
| | | Configure zones. | X | |
| | | Configure zone resolution. | X | |
| | | Configure DNS client settings. | X | |
| | | Configure DHCP and WINS for DNS. | X | |

Friday, July 20, 2007 10:24:52 PM (W. Europe Daylight Time, UTC+02:00)
# Thursday, July 19, 2007

What's up with "Configure Windows Activation"?

The reviewers guide talks about Windows Activation Service and Windows Process Activation Service as if it is one thing. Search through the guide on WAS and WPAS (search case-sensitive, was is a pretty common word ;)). Now it could be that this is important, because from what I remember from the things I read on one of the links below, IIS7 is a very major topic. However, I still feel it's that nasty Windows Product Activation that is featured under "Configure Windows Activation". This feeling is based on the location in the prep-guide and this line in the reviewers guide.

In addition, because product activation can be done within a grace period (typically 30 days), and is not critical for the initial configuration of the server, the Activate Your Server command, present on the Manage Your Server window in Windows Server 2003, has been removed from Initial Configuration Tasks.

That's however all I found on product activation in the reviewers guide (maybe that, and how to invoke activation after deployment is all you need to know on the exam).

Experiences from others on 70-649 in general:

http://www.mcseboard.de/mcse-forum-pruefungen-33/mcse-mcsa-upgrade-2008-beta-pruefungen-117512.html (German; forum which had already 3 pages in the thread when I checked)

http://www.techlog.org/archive/2007/06/08/windows_server_2008_upgrade_ex

http://blogs.infosupport.com/ericd/archive/2007/07/17/Exam-70_2D00_649.aspx

http://blog.tiensivu.com/aaron/archives/1171-Took-71-649-will-be-70-649-today-Upgrading-MCSE-2003-to-2008.html

Thursday, July 19, 2007 11:47:37 PM (W. Europe Daylight Time, UTC+02:00)

Yesterday I registered for the transitioning beta-exam for MCSE 2003 to three MCTSes for Windows Server 2008, I also started my preparations towards this exam.

First thing, create a new virtual machine with Virtual Server 2005 and install Windows Server 2008 Beta 3 on it. This takes a while, so I started hunting for resources. By looking at the prep-guide you’ll learn that 70-649 is comprised of the exams 70-640, 70-642 and 70-643 (oh yeah, for the people transitioning their MCSA 2003, leave out 70-643).

I looked at the topics and most of them already are familiar from Windows Server 2003, but there were a few where I know I have to dig in to:

  • IPv6.
  • UDDI.
  • WDS (though my first guess is I’ll find a lot of similarities with RIS).
  • Windows Activation (currently I just hate it, if it is what I think it is).
  • The whole story on Server Roles.

Some resources are directly pointed at from the prep-guide, others I already know and I think it’s useful to share them here. I’ll just restrict myself to the free resources:

IPv6-stuff starts here, has a White Paper from MS and somehow I have a gut feeling this page will be important.

Windows Activation, I’m tapping a bit in the dark currently on what this is. My first (dreadful) guess is nagging product activation. But searching the Microsoft sites I also found some references to phrases like “Windows Activation Service” and “Windows Process Activation”. If anyone could shine a bit of light on the subject, you can comment on this blog for free.

Not free, but worth mentioning: 6416A, both as Instructor Led Training ($/€ = ?, Three day course) maybe at a CPLS near you or as E-Learning ($ 319.99, Three year subscription).

That’s it for now, though I have little time left for my preparations, I will blog about them as much as I can. Including other resources I encounter and the impression and result on the exam. So stay tuned on RSS or Atom.

Thursday, July 19, 2007 9:58:11 PM (W. Europe Daylight Time, UTC+02:00)
# Wednesday, July 18, 2007

MCSA/MCSE 2003 invited to beta WS2008 transition exams...

Just scheduled mine, going to have a shot at 71-649 August 3rd (if I don't have to reschedule). The exam is called Transitioning your MCSE on Windows Server 2003 to Windows Server 2008 Technology Specialist. Smart move, not calling it upgrading, even though you get three MCTS certifications from this one exam. Important to note, this exam is fully tied to your MCSE 2003 status. Don't have one? Don't go for this exam, you won't receive any credits from it.


Similarly, there is a transitioning exam for MCSA 2003 as well: 71-648. It credits you for two MCTS certifications (yes a subset from the MCSE transition). Again, be MCSA, or you'll be wasting your time.


Want more details or the promo-code, go check out Trika's blog.
Meanwhile I've no time to delay building my Windows Server 2008 image Virtual Server and start looking for resources to aid me with my studies (as always, the prep guide will not be spelling out all you need to know, but I'll be checking it out anyway).

 

Wednesday, July 18, 2007 4:43:44 PM (W. Europe Daylight Time, UTC+02:00)
# Wednesday, July 11, 2007

From Mary-Jo's blog: SQL Server 2008 ("Katmai") will be ~~released~~ launched February 27th 2008, together with Windows Server 2008 ("Longhorn") and Visual Studio 2008 ("Orcas").

Read also Microsoft's Press release.

<Update date="2007-07-12">

Old title: SQL Server 2008 release date: 2007-02-27

Something very stupid happened to me in the title before the update! I put in the current year, shame on me!

But wait, that's not all. There is also something about the distinction between launch and release (aka RTM), thanks to Euan Garden for pointing that out on his blog. The release of SQL Server 2008 is set for somewhere in the second quarter of 2008 (source Michael J. Murphy). So mixing up the words launch and release was my second stupid thing.

<Update/>

Wednesday, July 11, 2007 9:05:38 AM (W. Europe Daylight Time, UTC+02:00)