Friday 24 August 2012

Resize VHD With Bitlocker Partition

I recently created a new virtual machine under Hyper-V, not noticing that the default was a dynamic disk and the disk size was set to 127 gig (oops). So I thought, okay, I will convert it to a fixed disk using the Hyper-V tools, and then I shrank the partition to 50 gig in Windows using Disk Manager without any problems.
After a quick search with my favourite search engine it seemed I needed a tool called VhdResizer. This was because the VHD was still seen as a 127 gig disk, so I needed to chop off all that unallocated space.

So my first attempt went like this:
Opened VhdResizer
Selected the source and destination
Set the size for the new disk

So I was ready to go at this point, but the resize button was still greyed out. This turned out to be because the free space was in the middle of the drive: there was a 300 meg BitLocker partition on the disk, and the minimum size I could select was the whole 127 gig!
After much head scratching I decided to boot the VM from a GParted CD image and move the BitLocker partition. To my surprise this worked fine and the VM booted without issue (phew). I then ran VhdResizer again and selected the minimum size, which was the size of the C: drive partition, but the resize button was still greyed out (grrrrr). I then increased the size by 1 gig and the button was available to start the process. The process ran to completion and I updated the VM to use the new disk. Job done!

So if you want to resize a VHD you must do the following things:

Resize your partition in Disk Manager.
Make sure the free space is at the end of the disk (use a tool like GParted if necessary).
When VhdResizer states a minimum size, select 1 gig above it.

Hope this helps someone with the same issue.

Monday 26 March 2012

Domain Controller NTP Time Synchronisation

If you work with Windows domains, Active Directory and Kerberos you will know there will be issues if your clients' clocks are not within 5 minutes of your servers'. As standard, your domain-joined clients should synchronise their time with the PDC emulator on the domain. This is not usually an issue and works well by default (usually!).
When you do start to get issues is when the clock on your PDC emulator starts to skew and all the clients skew to match it. This does not cause issues for your network, because everything skews together, but the time on all the computers is wrong and inevitably people will start complaining.

So let's just synchronise with one of those nice NTP clocks on the internet. That's easy, right? You just look at the clock options and set it there like on a standard Windows 7 machine. Well, unfortunately it's not that easy: on a domain controller you do not get that option, and instead you need to go through a fairly complicated setup and take a few things into consideration.

Let's start with the service that controls the time:

w32time

and the command you use to configure its various options:

w32tm


You can use the following command to check two things:

1. Whether you can reach the NTP server.
2. How far your clock is out according to that NTP server.

w32tm /stripchart /computer:time.server.com /samples:3


If you can't contact the NTP server, try another server or check that your firewall isn't blocking it.
NTP uses UDP port 123.
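As an added example (not from the original post), the following PowerShell wraps the w32tm /stripchart check above: it parses the o: (offset) values that w32tm prints for each sample, averages them, and reports whether the machine is inside the 5-minute Kerberos tolerance. The server name is a placeholder, and the -match pattern assumes the standard stripchart line format, where each sample shows d: (round-trip delay) and o: (offset) in seconds.

```powershell
# Added example, not part of the original post. Wraps "w32tm /stripchart" and
# turns its output into a pass/fail check against the Kerberos skew limit.
function Test-NtpOffset {
    param(
        [string]$Server = 'time.server.com',   # placeholder, as in the post
        [int]$Samples = 3,
        [double]$ToleranceSeconds = 300        # Kerberos default: 5 minutes
    )

    # 2>&1 so a firewall or DNS failure (no samples, just an error line) is captured too.
    $raw = & w32tm /stripchart /computer:$Server /samples:$Samples 2>&1

    # Each sample line looks like: "10:00:00, d:+00.0123456s o:+00.0012345s ..."
    # d: is round-trip delay, o: is the local clock's offset from the server.
    $offsets = foreach ($line in $raw) {
        if ("$line" -match 'o:([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }

    if (-not $offsets) {
        # No offsets parsed: name not resolved, server down, or UDP/123 blocked.
        return [pscustomobject]@{
            Server          = $Server
            Reachable       = $false
            OffsetSeconds   = $null
            WithinTolerance = $false
            Detail          = ($raw | ForEach-Object { "$_" }) -join ' '
        }
    }

    $avg = ($offsets | Measure-Object -Average).Average
    [pscustomobject]@{
        Server          = $Server
        Reachable       = $true
        OffsetSeconds   = [math]::Round($avg, 3)
        WithinTolerance = ([math]::Abs($avg) -lt $ToleranceSeconds)
        Detail          = "$(@($offsets).Count) samples"
    }
}

# Usage: replace the placeholder with your real time source.
Test-NtpOffset -Server 'pool.ntp.org' | Format-List
```

A Reachable = False result with an error in Detail is the "check your firewall" case from the text; a Reachable = True result with WithinTolerance = False means Kerberos will start failing for this machine until the time source is fixed.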


If all is well you can check the current config by diving into the registry under:


HKLM\SOFTWARE\Policies\Microsoft\W32time\Parameters


or you can use the command:

w32tm /dumpreg /subkey:Parameters

[Screenshot: output of w32tm /dumpreg /subkey:Parameters]
The screenshot above is from my home PC, but the settings will be the same on domain-joined PCs except for the NTP client mode, which is the 0x9 next to time.windows.com. On your domain the time source setting will use the 0x8 client mode, which sets the local computer to operate in client mode in association with the preceding time server.

To set the time server you can use the following command:

w32tm /config /manualpeerlist:time.server.com,0x8 /syncfromflags:MANUAL /reliable:yes

Make sure you substitute the time server address you want to use in that command; pool.ntp.org comes highly recommended as a reliable time source.

All you need to do then is stop and restart the service and give it a chance to refresh:

net stop w32time && net start w32time

If you want to force a refresh you can use the command:

w32tm /resync /nowait


The last step in troubleshooting is to check the Type value under the Parameters subkey.
In the screenshot above the Type is NTP, which is right for the server (the PDC emulator) that you want to be contacting the external time source. The setting on your clients must be NT5DC, though, as this means they seek the time from the domain hierarchy, i.e. the PDC emulator (I may have mentioned that before ;-) )

To fix your client settings from the command line you can execute the command:

w32tm /config /syncfromflags:domhier /update

This should not need doing, as it is the default setting.
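The configuration steps above, gathered into one script as an added example (not the post's own commands verbatim): it works out whether the local machine holds the PDC emulator role using the .NET System.DirectoryServices.ActiveDirectory API, points the PDC emulator at external peers with the 0x8 client-mode flag, points every other domain member back at the domain hierarchy, then restarts w32time and forces a resync. The peer names are pool.ntp.org placeholders; run it elevated on the machine you are configuring.

```powershell
# Added example, not from the original post. Run elevated on the machine
# being configured. The peer list is a placeholder; substitute your own.
param(
    [string[]]$Peers = @('0.pool.ntp.org', '1.pool.ntp.org')
)

# Work out whether this box holds the PDC emulator role (no RSAT needed).
$domain  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$pdcFqdn = $domain.PdcRoleOwner.Name
$isPdc   = $pdcFqdn -like "$($env:COMPUTERNAME).*"

if ($isPdc) {
    # 0x8 = client mode against each listed peer; /reliable:yes advertises this
    # DC as a reliable time source so the rest of the domain prefers it.
    $peerList = ($Peers | ForEach-Object { "$_,0x8" }) -join ' '
    w32tm /config /manualpeerlist:"$peerList" /syncfromflags:MANUAL /reliable:yes /update
} else {
    # Everything else follows the domain hierarchy (Type = NT5DC).
    w32tm /config /syncfromflags:DOMHIER /update
}

# The post's "net stop w32time && net start w32time", as the equivalent cmdlet.
Restart-Service -Name w32time

# Ask for an immediate resync instead of waiting for the next poll.
w32tm /resync /nowait

# Confirm which source the service now believes it is using.
w32tm /query /source
```

On the PDC emulator the final query should name one of the external peers; on any other domain member it should name a domain controller, which is the NT5DC behaviour described above.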


Working in a domain environment you can also use Group Policy to control these settings. They are located under:

Computer Configuration > Administrative Templates > System > Windows Time Service

I have used a GPO to target all the domain controllers with the NTP settings. You may want to filter that more in your environment.

So there you have it, the idea sounds simple but once you start looking into it, it's a lot more complicated!

Sunday 25 March 2012

Smoothwall Guardian Unblock iPlayer Content

At work we use the excellent Smoothwall Guardian for our web filtering needs.
After recent issues I decided the box needed a fresh install, as we were having a few issues which were undoubtedly because the install was over 4 years old and had had lots of chopping and changing done to the config.

The new install went very smoothly as I was following our documentation and I am very familiar with the product (well, you would hope so after four years of use). The only thing I couldn't get working was BBC iPlayer for our normal users, despite entering all the domains I had entered previously. After contacting support the following solution was provided:

Add the following URLs to the authentication bypass:

static.bbc.co.uk
bbcimg.co.uk
bbci.co.uk
edgefcs.net

Now this is the solution I had in our documentation, but it didn't seem to work.
The next suggestion was to open port 1935 for streams on the firewall. Now I know for a fact that this hadn't been done before, so god only knows how it was working fine on the old install.
Anyway I entered the new rule into ISA, not thinking it would do anything, but sure enough iPlayer content started working. To make sure, I disabled the rule and iPlayer content stopped working.
So there you go, working iPlayer. Now I believe this rule may need some refinement to limit it to certain sites, as it may open a lot of other sites that may be undesirable. I will work on that soon.

Getting Rid Of The Hibernation File

On one of my machines I have an older small SSD drive on which I have tried to install the minimum amount of programs, installing the rest to my other hard drive.
Recently I have been struggling for space even though I have done a lot of different things to take things off the drive, by changing paths or by using symbolic links.
The hibernation file will be 75% of the size of your total RAM by default, so in my case it was 3 gig as I have 4 gig in that particular computer.
To turn it off you need to open an elevated command prompt and use the command:

powercfg -h off

Now I have a nice bit of space on that drive :-)