Friday Mail Sack: The Year 3000 Edition

Friday Mail Sack: The Year 3000 Edition

  • Comments 1
  • Likes

Hello all, Ned here again. Today we talk DCDIAG, DFSN, DFSR, group policy, user profiles, migrations, USMT, and the fuuuuuuturrrrrrrrre.

Question

I have a mixed environment of Win2003 and Win2008 DCs. When I run DCDIAG.EXE it tells me the Windows Server 2003 DCs are failing a service test around RPCSS:

Starting test: Services

      Invalid service type: RpcSs on DC01, current value

      WIN32_OWN_PROCESS, expected value WIN32_SHARE_PROCESS

   ......................... DC01 failed test Services

I see some Internet posts that say I should change the value using the SC.EXE command. Do you know why this is different and what’s going on? It looks like the difference is being a service in a shared versus isolated process.

Answer

It’s expected and normal for this service’s behavior type to be 0x10 on Win2003 and 0x20 on Win2008 and later. Do not change it based on what DCDIAG says unless you are running the version of DCDIAG that goes with that OS (this is where much of the Internet got confused on causality versus correlation). Win2008 DCDIAG doesn’t know that Win2003 was designed this way so he can’t give you a reasonable answer – he just wants it to be default in 2008 terms.

Your assumption around shared versus isolated is totally correct:

Win2008 R2
clip_image002

Win2003
clip_image002[4]

Between Win2003 and Win2008, the behavior changed for the RPC service, but there was nothing yet to “share” in that svchost.exe process. In Win2008 R2, the new RPCEptMapper service was added to that shared svchost. You can see who would launch in that same process by looking for this value in the service registry keys:

%systemroot%\system32\svchost.exe –k RPCSS

Later versions of Task Manager make this easier too, if you’re allergic to command-line:

image

Svchost.exe exists mainly to lower computer resource usage: the more DLLs that can run in fewer shared processes, the less memory/CPU the OS has to allocate for services. You might think it was OK to change this on Win2003 to stop the error and maybe even get back some resources. The problem with that theory is that on Win2003, you get no resources back (as no one else is going to share that process) and you open yourself up to weird issues – when I tell Windows developers about issues caused services being modified by customers, their first response is “Why on earth would anyone change the service? We don’t test for that at all!”

Playing around with service configurations is not something you do without valid reason and some tool complaining doesn’t meet that bar.

Best long term solution: get rid of those remaining Win2003 servers. Then you get all sorts of advantages, like features unlocked by higher functional levels or magically load-balancing bridgeheads

Plus I get paid.

Question

Is there a way to disable and enable DFS namespace targets from the command-line? We’re building some automation.

Answer

You can use the Win2008/Vista RSAT (or later) versions of dfsutil.exe with this syntax:

dfsutil property state offline <DfsPath> [<\\server\share>]
dfsutil property state online <DfsPath> [\\server\share]

Nicely buried…

Question

When I use RSOP.MSC on a Windows 7 computer, I see a lot of missing entries and errors and whatnot.

Answer

Blink and you may miss the reason why:

image

Since Vista, the OS has been trying to tell you not to use this tool (which is no longer updated and has no idea about a great number of policies). To get a nice, readable resultant set of policy you need to use GPRESULT.EXE /H foo.htm. Mike has yammered about this before.

Question

I was curious - has the team heard what the future is for Active Directory, beyond Win2008 R2?

Answer

Lots (that’s my full time job now) but we cannot discuss anything. Don’t worry, the marketing people won’t keep it a secret one moment longer than necessary. And our fearless leader lets things out every so often.

Question

Can the new MIGAPP.XML included in KB2023591 be used with USMT 3.01?

Answer

[A reprint of a comment reply made to the Deployment Guy site]

The 4.0 migapp.xml does "work" when used with USMT 3.01 - and by that I mean it is schema compatible, will not cause a fatal error during 3.0 scanstate/loadstate, and will not corrupt the store in any way that I have identified. However, under the covers it may be causing issues within the migration. That XML and Office 2010 have not been tested in any fashion with USMT 3 (and never will be), so while it might appear to work fine on the surface, we have zero idea of any more insidious problems.

Now, if you are using USMT 3.01 because you have to - such as migrating from Win2000 or to Win XP - I can offer you a supported workaround: migrate to a computer that has Office 2007 installed, then upgrade the Office install to 2010 after the migration is done but before the users log on. Office 2010 will upgrade the Office 2007 settings (mostly – see that KB for details on the limits). 

Naturally, if you don’t have to use 3… use 4.

Question

We have Windows Server 2003 DFSR and have started to explore adding Win2008 R2 servers. Is mixing supported and are there any known issues?

Answer

Supported all day. You will need to install this hotfix on all Win2003 R2 DFSR servers:

KB2462352 DFSR fails from a computer that is running Windows Server 2008 R2 to a computer that is running Windows Server 2003 R2
http://support.microsoft.com/default.aspx?scid=kb;en-US;2462352

You will also need the Win2008 (version 44) or later AD schema added if you want to use DFSR for RODCs and if you wanted to customize staging compression behavior:

What are the Schema Extension Requirements for running Windows Server 2008 DFSR?
http://blogs.technet.com/b/askds/archive/2008/07/02/what-are-the-schema-extension-requirements-for-running-windows-server-2008-dfsr.aspx

If you want to use Win2008/R2 DFSR throughout and start replacing old servers (and you really should – we’re working pretty hard on the 3rd OS since 2003 came out):

Series Wrap-up and Downloads - Replacing DFSR Member Hardware or OS
http://blogs.technet.com/b/askds/archive/2010/09/10/series-wrap-up-and-downloads-replacing-dfsr-member-hardware-or-os.aspx

Question

I have a large number of users with computers that were in a workgroup. They are now moving to a domain, and we need their user profiles converted. USMT seems to be overly complex for me – is there another way?

[Asked by multiple customers this week, oddly enough. The last gasps of Netware?]

Answer

Yes, we have two ways to do this:

MOVEUSER.EXE - XP and older, comes from the resource kit

Win32_UserProfile WMI - Vista and newer:

These tools correctly change permissions and ProfileList registry settings in order to “move” (i.e. convert) a user profile between local and domain accounts.

Other Dorky Goo

  • This year is gonna be a sci-fi movie bonanza:
I didn’t want to like it… but I did.
The name is Bond. Wyatt Bond.
No shots of Bucky yet.
Close encounters of the eleventyth kind
  • Speaking of which, I was able to fight my way through the e-crowds and get tickets to Comic-Con 2011 for self and the wife. She is not exactly geeky but is an epic people watcher – she especially wants to see the day care center. Her theory being that kids will be wearing little gray suits and power ties to rebel against their parent’s uber-nerdiness. Anyone else going?
  • The latest Cracked photo contest was a zingfest - If Everything Was Made By Apple. My favorite was this subtle dig (pretty timely, having read about their latest iPhone security woes yesterday):

Have a nice weekend folks.

Ned “the future, Conan?” Pyle

  • Only thing missing from the poster is Serenity...