Showing posts with label SysAdmin. Show all posts

Monday, March 3, 2014

SharePoint Online

You can rent SharePoint 2013 direct from Microsoft, hosted in their data centres, for as little as ~£3 per user per month from SharePoint Online. Watch the quoted price though, as they like to play the old “excluding VAT” game.

I rented one of these for a month, just to try it out, and was pretty impressed. It sets itself up with a public site collection, intended to be your company website, and a private site collection, intended to be your intranet. The account admin page lets you distribute your user licenses via email.

For ~£10 per user per month you can get Office included as well, although SharePoint includes the Office Web Apps so you can do basic editing in the browser anyway.

Cancellation turned out to be a little more tricky. There’s no online cancellation – you have to deal with their 1980s-style phone system. For the UK the number was 0800 032 6417, 9:00 – 17:00 Monday to Friday. It only took a few minutes to get served, but when I did I learned that the subscription was for a year and that there is usually a cancellation fee of 25% of the remaining term, which would have worked out at around £25 in my case. I don’t recall that being highlighted during the “hurry! - buy now” process. They weren’t enforcing this though, so I didn’t get stung.

Impressed overall though and would definitely recommend the service to small businesses looking for online collaboration tools.

Wednesday, February 26, 2014

Updates? What updates?

I’m experimenting with running our standard desktop Windows 7 image as a Hyper-V guest on my laptop. The laptop has Windows 8.1 installed. This means I can do the day-to-day stuff on Windows 8.1 and just switch to the VM when I need to check the experience for the users. There’s no good reason for me to be stuck on old technology just because our environment is always way behind, especially when there’s so much goodness in Windows 8!

It went pretty smoothly. Even though the laptop host OS isn’t a member of the corporate domain it lets the traffic through OK so the guest can join the domain. I had to ask the infrastructure team to update the network switch to allow the additional MAC address. Seems like an outdated security solution, especially given that MAC address spoofing is so easy, but whatever.

The image itself then network installed into the VM (I think we use SCCM for the network installs). The image includes Office 2013 and some other bits and bobs, so after a while I’m good to go.

However, the network icon in the notification tray indicates I have no internet connection, even though I do, and can Google quite happily.

I didn’t expect this to be a problem, but it actually is as some Office stuff, such as OneNote, will not open your SkyDrive notes. Instead we get some twee message about helping me get online. Outlook won’t open SharePoint tasks from their notification emails either.

Initially I thought this might be because IPv6 is on by default, and I know our infrastructure isn’t happy with that, so I disable that on the Hyper-V virtual switch. Still no joy.

Then I wondered if it was because I left my WiFi on the host as well as plugging in the network cable, but disabling that didn’t fix it either.

Some Googling gets me to a suggestion that this might happen because of outdated network drivers, but this is a guest VM so uses the Hyper-V drivers from Microsoft. Automatic Updates are switched on so we should be up to date.

But I forgot about the “context”. I’m using someone else’s infrastructure, and in this case it’s configured to get updates locally, but never actually gets any updates. I forget what the backstory here is. I’ve a funny feeling they had WSUS installed at some point, but then abandoned it. I manually kick off the update process and tell it to ask Microsoft. 70 important updates are ready for me to download. It does most of these, then stops for a reboot.

When it comes back, sure enough, the VM now detects its internet connection correctly.

UPDATED: Boo. Following an overnight shutdown and restart the VM is back to “no internet connection” again.
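The two things worth checking in a situation like this are where the client is actually configured to fetch updates from (a WSUS policy that points at a server which no longer serves anything looks exactly like “updates are on” from the GUI) and whether the Network Connectivity Status Indicator probe that drives the tray icon is succeeding. The following script is an added example, not part of the original post: it reads the documented WSUS client policy values from the registry, fetches the NCSI probe file that Windows 7 and 8 use, and reports the most recently installed hotfix.

```powershell
# Added example (not from the original post): report where this Windows client
# is configured to fetch updates from, whether the NCSI internet probe succeeds,
# and when an update was last actually installed.

function Get-UpdateSourceReport {
    # These are the documented WSUS client policy values.
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au     = Join-Path $policy 'AU'

    $wuServer = (Get-ItemProperty -Path $policy -Name WUServer     -ErrorAction SilentlyContinue).WUServer
    $useWU    = (Get-ItemProperty -Path $au     -Name UseWUServer  -ErrorAction SilentlyContinue).UseWUServer
    $noAU     = (Get-ItemProperty -Path $au     -Name NoAutoUpdate -ErrorAction SilentlyContinue).NoAutoUpdate

    [pscustomobject]@{
        UsesWsus      = ($useWU -eq 1 -and -not [string]::IsNullOrEmpty($wuServer))
        WsusServer    = $wuServer          # null means "ask Microsoft directly"
        AutoUpdateOff = ($noAU -eq 1)
    }
}

function Test-NcsiProbe {
    # Windows 7/8 decide "internet" vs "no internet" by fetching this file and
    # comparing the body to the expected text; if the probe fails the tray icon
    # reports no connectivity even when browsing works.
    $url = 'http://www.msftncsi.com/ncsi.txt'
    try {
        $body = (New-Object System.Net.WebClient).DownloadString($url)
        return ($body.Trim() -eq 'Microsoft NCSI')
    } catch {
        return $false
    }
}

function Get-LastUpdateInstallDate {
    # A WSUS client that never receives approvals shows a very old date here.
    Get-HotFix | Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1 -ExpandProperty InstalledOn
}

Get-UpdateSourceReport
"NCSI probe succeeds: $(Test-NcsiProbe)"
"Most recent hotfix installed: $(Get-LastUpdateInstallDate)"
```

If UsesWsus is true and the last hotfix date is months old, the VM is trusting an update source that is not delivering, which is the situation described above; a Group Policy result (gpresult /h) will show which policy is setting WUServer.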

Mouseless Admin

Here are some simple tips for driving Windows 8 from the command line, instead of the mouse.

Just search for it

Windows 7 has a built-in search engine running by default. This can index your documents and emails and also Windows applications and utilities. You can usually find what you need by simply typing a keyword.

Pressing the Windows key or Start button will pop up a menu with a box to type into. Windows 8 is similar: the Windows key (and the Start button, which was reintroduced for Windows 8.1) will open the Start screen. If you start typing it will automatically open the Search charm.

Command line

The traditional command line is still available. You can press Windows Key + R to open the Run dialog. Enter a command and hit Enter to execute it. This is great for simple single commands: see list below. If you want more interaction then you can use the Run dialog to open a command window by entering cmd, or a PowerShell window with powershell.

cmd              Open a command window
powershell       Open a PowerShell window
shutdown /s      Shuts the computer down
shutdown /r      Reboot
shutdown /l      Logoff or sign out
c:\              Opens a Windows Explorer window to the root of the C drive, for example. Works with any path.
%UserProfile%    Opens a Windows Explorer window to your personal files

Switches

Most commands will take switches. In the list above I showed 3 switches that can be given to the shutdown command.

Most commands will take the /? switch which makes the command display some help. You’ll need to be in a command window to see the output.

Environment variables

The %UserProfile% command actually resolves an environment variable. In this case the variable, called UserProfile, contains the path to your personal file store area. When the Run dialog is given a path it opens it with Windows Explorer.

You can see the full list of environment variables by using the set command, but you’ll need to be in an interactive window to see the output.

Interactive commands

Here are some more commands, but these all require some interactivity to be useful.

set       Displays current environment variables. Can also change them.
exit      Quits the command line session and closes the window.
whoami    Displays your username. Useful for verification when having permissions problems.

PowerShell

PowerShell is the command line’s big brother. You almost certainly want to use this in preference to the command line.

Elevating

Many administrative tasks require administrator rights, which are not available by default due to the User Account Control (UAC) security feature which was introduced in Windows Vista. You almost always want to leave UAC on. To do anything that requires administrator privileges simply elevate your PowerShell window, for example.

First launch a PowerShell window as described above. This won’t be elevated by default.

Now use that PowerShell to launch an elevated PowerShell:

Start-Process PowerShell -Verb RunAs

This will open another PowerShell window, this time with admin rights. Note the title of the window starts with Administrator: to indicate this.

Start-Process

You can save yourself a few keystrokes by using start instead of Start-Process. start is a PowerShell alias that simply maps back to the Start-Process cmdlet.

You can use Start-Process to launch other applications, for example, and even URLs, which will open in your default browser:

Start-Process "http://google.co.uk"

File paths will open Windows Explorer and we can use built-in environment variables to refer to our home folder, for example:

Start-Process c:\users
Start-Process $home

You can use get-variable to list all the current environment variables.

You can also use Start-Process to switch to another account, which is useful if you typically run as a normal user, but have a special high-rights account for doing some tasks.

Start-Process PowerShell -Credential domain\hi-rights-user
Start-Process dsac

The first command launches PowerShell as another user. It will pop up a window to ask for your password and then open another PowerShell window. Use that for the second command, which launches the Active Directory Administrative Centre, for example, assuming you have it installed: search for Remote Server Admin Tools (RSAT) to get it.
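The elevation and run-as steps above are easy to get wrong in a script, because a PowerShell window opened with -Credential is a different user but not an elevated one, and a window opened with -Verb RunAs is the same user with the admin token. The following is an added example, not code from the original post: it checks whether the current session is elevated, relaunches elevated only when needed, wraps the run-as step, and shows the difference between $home (a PowerShell automatic variable, which is what get-variable lists) and the UserProfile environment variable (listed from the Env: drive).

```powershell
# Added example, not part of the original post. Elevation check, conditional
# elevated relaunch, run-as-another-user, and PowerShell vs environment variables.

function Test-IsElevated {
    # True when the current process token holds the Administrators role,
    # which is what the "Administrator:" window title reflects.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Start-ElevatedPowerShell {
    param([string]$Command)   # optional command to run in the new window
    if (Test-IsElevated) {
        Write-Warning 'Already elevated; not spawning another window.'
        return
    }
    $psArgs = @('-NoExit')
    if ($Command) { $psArgs += @('-Command', $Command) }
    # -Verb RunAs triggers the UAC prompt; the new window gets the admin token.
    Start-Process PowerShell -Verb RunAs -ArgumentList $psArgs
}

function Start-AsOtherUser {
    param([Parameter(Mandatory)][string]$UserName)   # e.g. domain\hi-rights-user
    # Prompts for the password; the second PowerShell runs under that account.
    # It is a different user, not an elevated one: that account still needs
    # its own UAC elevation for admin tasks.
    $cred = Get-Credential -UserName $UserName -Message "Password for $UserName"
    Start-Process PowerShell -Credential $cred -ArgumentList '-NoExit'
}

function Show-HomeFolders {
    # $home is a PowerShell automatic variable (Get-Variable lists these);
    # UserProfile is an environment variable (Get-ChildItem Env: lists these).
    # They normally hold the same path.
    [pscustomobject]@{
        PowerShellHome = $home
        EnvUserProfile = $env:UserProfile
        PSVarCount     = (Get-Variable).Count
        EnvVarCount    = (Get-ChildItem Env:).Count
    }
}

Show-HomeFolders
"Running elevated: $(Test-IsElevated)"
# Start-ElevatedPowerShell -Command 'Get-WindowsFeature'
# Start-AsOtherUser -UserName 'domain\hi-rights-user'
```

Keeping the day-to-day window unelevated and spawning an elevated one only for the task at hand is the least-privilege habit UAC is designed to encourage; the Test-IsElevated check at the top of an admin script gives a clear error instead of a confusing access-denied halfway through.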

Tuesday, February 25, 2014

Mouseless Hyper-V VM stuff

Here is a brief collection of stuff I found useful when switching from using mouse to keyboard for launching virtual machines.

This is all on Windows 8.1, but some or all may work on earlier versions.

You can list the virtual machines using get-vm. This will produce a list which includes the VM names.

You can then use the names to start and stop the VMs using start-vm and stop-vm. They both take the VM name as the first parameter and support wildcards. stop-vm shuts down the guest by default, but you can use the -Save or -TurnOff switches: use get-help stop-vm for more details.

I usually use Remote Desktop to interact with VMs. You can launch this by calling the client application. The following command line will connect in full screen. Use mstsc /? to get more help.

mstsc /v:machinename /f

You can break out of the VM session by pressing Ctrl+Alt+Home. The screen may seem the same, but the focus is now back with the local host machine, not the virtual machine, so your key presses are passed to the host. You can now Alt+Tab through the other applications running on the host, including other Remote Desktop sessions, so you can use this to switch between sessions.
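Putting the start, wait and connect steps together saves the usual dance of starting the VM, guessing when it is up, and typing the address into mstsc. The script below is an added example and not code from the original post: it starts a VM by name, polls the guest’s reported IPv4 address through the Hyper-V integration services (Get-VMNetworkAdapter), then opens a full-screen Remote Desktop session. It assumes the Windows 8.1 Hyper-V module and that the guest has RDP enabled; the VM name in the usage line is a placeholder.

```powershell
# Added example, not from the original post: start a Hyper-V VM, wait for the
# guest to report an IPv4 address, then connect with mstsc in full screen.

function Start-VMAndConnect {
    param(
        [Parameter(Mandatory)][string]$Name,
        [int]$TimeoutSeconds = 120
    )
    $vm = Get-VM -Name $Name        # throws if no VM has this name
    if ($vm.State -ne 'Running') {
        Start-VM -Name $Name
    }

    # Poll the synthetic NIC for the IPv4 address the guest reports via
    # integration services (empty until the guest has booted and got a lease).
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    $ip = $null
    while (-not $ip -and (Get-Date) -lt $deadline) {
        $ip = Get-VMNetworkAdapter -VMName $Name |
              ForEach-Object { $_.IPAddresses } |
              Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' } |
              Select-Object -First 1
        if (-not $ip) { Start-Sleep -Seconds 5 }
    }
    if (-not $ip) { throw "No IPv4 address reported by '$Name' within $TimeoutSeconds s" }

    # /f = full screen. Ctrl+Alt+Home hands keyboard focus back to the host.
    Start-Process mstsc.exe -ArgumentList "/v:$ip /f"
    return $ip
}

function Stop-VMsByPattern {
    # Graceful shutdown (the stop-vm default) of every running VM matching a
    # wildcard, returning the names that were told to shut down.
    param([Parameter(Mandatory)][string]$Pattern)
    Get-VM -Name $Pattern | Where-Object { $_.State -eq 'Running' } |
        ForEach-Object { Stop-VM -Name $_.Name; $_.Name }
}

# Start-VMAndConnect -Name 'Win7-Dev'     # placeholder VM name
# Stop-VMsByPattern -Pattern 'Win7-*'
```

If the guest is on a switch without DHCP, or integration services are not installed, IPAddresses stays empty and the function times out rather than connecting to the wrong address; in that case vmconnect (the console client) is the fallback.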

Tuesday, January 28, 2014

Web Traffic Analysis

While Google Analytics is great for traffic analysis, it shows you a particular version of reality. Google tracks using javascript & attempts to track unique visits, which isn’t 100% reliable, but still gives a good idea about real world traffic through your site.

At the other extreme are your web server log files which, if switched on, will contain an entry for every URL request made to your site. This gives a more complete picture of what the server has actually been doing.

Looking at the raw logs isn’t much use, however, being just massive lists of dates, times & URLs. Something is needed to process these and provide an overview. My boss just sent me a link to an old favourite of his that I’ve not used before: Analog is a simple, free log analysis tool that understands IIS log files, for example, out of the box.

It’s simple to get going. Full instructions are in the how-tos, which are also included in the download, but you basically download, unzip & fiddle a couple of settings in a configuration file. The exe then processes the raw logs and burps out an html report file with images.

There might be more sophisticated tools available, but this one’s so easy it’s a good one to begin with.
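To see what a tool like Analog is doing under the hood, here is an added example (not from the original post, and not Analog’s code): a minimal parser for IIS W3C log lines that takes its column names from the #Fields: header, followed by the kind of summary a log analyser produces: hits by status/sub-status, top URLs and top client IPs, plus a list of 403 responses, which are the ones worth a second look on a server that is supposed to be public. The log lines are constructed sample data in the standard IIS field layout; replace $sampleLog with Get-Content of a real log to run it over real traffic.

```powershell
# Added example, not from the original post: parse IIS W3C log lines and
# summarise them the way a log analyser would. Sample lines are constructed.

$sampleLog = @'
#Software: Microsoft Internet Information Services 8.0
#Version: 1.0
#Date: 2014-01-28 09:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2014-01-28 09:00:01 10.0.0.5 GET /default.aspx - 80 - 192.0.2.10 Mozilla/5.0 200 0 0 15
2014-01-28 09:00:02 10.0.0.5 GET /images/logo.png - 80 - 192.0.2.10 Mozilla/5.0 200 0 0 3
2014-01-28 09:00:05 10.0.0.5 GET /admin/ - 80 - 198.51.100.7 curl/7.30 403 2 0 1
2014-01-28 09:00:06 10.0.0.5 GET /wp-login.php - 80 - 198.51.100.7 curl/7.30 404 0 2 1
2014-01-28 09:00:09 10.0.0.5 POST /default.aspx - 80 - 192.0.2.11 Mozilla/5.0 500 0 0 120
'@ -split "`r?`n"

function ConvertFrom-IisLog {
    param([Parameter(ValueFromPipeline = $true)][string]$Line)
    begin { $fields = $null }
    process {
        if ($Line -like '#Fields:*') {
            # The header names the columns; it repeats whenever IIS restarts.
            $fields = ($Line -replace '^#Fields:\s*', '') -split ' '
            return
        }
        if ($Line -like '#*' -or -not $Line.Trim() -or -not $fields) { return }
        $values = $Line -split ' '
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $obj[$fields[$i]] = $values[$i] }
        [pscustomobject]$obj
    }
}

function Get-IisLogSummary {
    param([Parameter(Mandatory)][object[]]$Entries, [int]$Top = 5)
    [pscustomobject]@{
        Requests   = $Entries.Count
        ByStatus   = $Entries | Group-Object 'sc-status', 'sc-substatus' |
                     Sort-Object Count -Descending |
                     ForEach-Object { "$($_.Name)=$($_.Count)" }
        TopUrls    = $Entries | Group-Object 'cs-uri-stem' |
                     Sort-Object Count -Descending | Select-Object -First $Top Name, Count
        TopClients = $Entries | Group-Object 'c-ip' |
                     Sort-Object Count -Descending | Select-Object -First $Top Name, Count
        # 403 with sub-status 2 is IIS's "read access forbidden"; a public site
        # returning these is misconfigured or being probed, either way worth a look.
        Forbidden  = $Entries | Where-Object { $_.'sc-status' -eq '403' } |
                     Select-Object 'c-ip', 'cs-uri-stem', 'sc-substatus'
    }
}

$entries = $sampleLog | ConvertFrom-IisLog
Get-IisLogSummary -Entries $entries
```

Driving the parser from the #Fields: header rather than hard-coded column positions matters because IIS lets you add or remove logged fields per site, and a real log directory often contains files written with different field sets.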

Tuesday, January 14, 2014

Making Notes

I used to use notepad or notepad++ to take simple notes, but a few months back I converted to Microsoft OneNote. This is part of the Office suite, was included on my Surface RT and has a free store app version for Windows 8 and Windows 8 Phones. It has a simple tabs & pages interface and automatically syncs across my devices via Skydrive.

To Do

You can also mark a paragraph as being a to-do item which gives it a simple tickbox. So Onenote has also become my default to-do list tool, although I use Trello for projects. Ctrl+1 will cycle the current paragraph through the 3 states: tick box unticked; tick box ticked; no tick box.

Screenshots

I often grab screen shots when making notes. I don’t usually want the whole screen, just the relevant part. These will paste into Onenote OK and the desktop version will let me grab a clip via Insert > Screen Clipping, but I often need to grab a clip from a dev box which I haven’t installed Onenote onto.

The old-school route is to use the Print Screen (PrtScn) key found on a standard keyboard. This places a copy of the screen into the clipboard where it can then be pasted into something like Paint, cropped and then saved as a file. Alt+PrtScn will just grab the active window instead.

Windows 7 included a tool called Snip which fits in the middle here. It lets you grab a screen area and then copy it to the clipboard, save it to file or email it. This is ideal to take a clip from a machine without installing anything else.

It’s missing from Windows Server 2012 by default though. You can get it back by activating the feature through PowerShell, for example. Run PowerShell with Administrator rights.

Install-WindowsFeature Desktop-Experience

This required a reboot of the server afterwards in this case. You can use the following to list the features and sub-features and see which are installed:

Get-WindowsFeature

Windows 8 seems to contain the snip tool still, at least it has on the builds I’ve seen. You can also press Windows Key + PrtScr in Windows 8 to take a screenshot and drop it directly into your Pictures > Screenshots folder as *.png files.
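For the Windows Server 2012 case above, here is an added example (not from the original post) that checks whether Desktop Experience is already present before installing it and reports whether the reboot the post mentions is actually required, using the ServerManager module’s own result object. It assumes an elevated PowerShell session on Windows Server 2012.

```powershell
# Added example, not from the original post: install Desktop Experience (which
# brings back the Snipping Tool) only if it is missing, and say whether a
# reboot is needed. Requires an elevated session on Windows Server 2012.

function Install-SnippingTool {
    Import-Module ServerManager
    $feature = Get-WindowsFeature -Name Desktop-Experience
    if ($feature.Installed) {
        return [pscustomobject]@{ Installed = $true; RestartNeeded = 'No'; Action = 'already present' }
    }
    # Install-WindowsFeature returns a result object rather than throwing on
    # a partial failure, so inspect Success and RestartNeeded explicitly.
    $result = Install-WindowsFeature -Name Desktop-Experience
    [pscustomobject]@{
        Installed     = $result.Success
        RestartNeeded = $result.RestartNeeded   # 'Yes' means the tool appears only after a reboot
        Action        = 'installed'
    }
}

Install-SnippingTool
```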

Maths

Something I only recently noticed is that OneNote will spot simple maths as you type it and put in the answer for you. I just happened to type the monthly cost of SharePoint Online and multiply by 12. I typed the equals sign and pressed space and OneNote filled in the answer, including the pound sign (it omitted the trailing zero though, so not quite perfect):

£7.80 * 12 = £93.6

Wednesday, December 11, 2013

How to create an open DNS resolver

In previous posts I mentioned how I set up Windows DNS to handle DNS for my internal dev environment. This was internal only, using 2 Windows servers which both host Active Directory and DNS. The next requirement was to handle external DNS queries because I wanted to expose some services, such as email & ADFS, to external clients.

I used a subdomain of our main domain as my internal name for Active Directory. Assume our live external name is example.co.uk and I chose devtest.example.co.uk for my dev environment’s Active Directory name. Internally my account names are fredsmith@devtest.example.co.uk.

I don’t actually want to use that externally so I got another domain from an ISP. Let’s call that anotherexample.com. I want mail.anotherexample.com to be available externally and to land on my internal mail server.

My first move is simple, but wrong. I added anotherexample.com as a forward lookup zone to my existing DNS, populated it with the external aliases, configured our ISP to forward DNS to our servers and then exposed my DNS servers to the internet!

While this works I’m guessing that someone with nslookup, for example, can start sending DNS queries to my server and ask it questions about my internal host names. Not ideal, but it’s a dev environment and making mistakes is allowed.

It turns out to be more serious though, as it allows the server to be used as part of a type of distributed attack against other hosts because I’ve created an Open DNS Resolver. In effect, any external DNS client can now ask my DNS servers to do lookups and the clients can spoof (fake) their IP address. My servers will then attempt to resolve those queries. If they are not answerable locally, then my servers will pass the query up the chain to the wider internet DNS. Eventually the answer(s) will return to the spoofed IP address. If lots of open resolvers are attacked at once using the same spoofed address then they will all start generating traffic back to the target spoofed IP. Or something like that.

Windows DNS, even in Windows Server 2012, can’t be configured to behave differently depending on whether the request originated from inside or outside my environment, so the next move here would be to spin up another pair of DNS servers and use those just for handling any requests for my external DNS zone (anotherexample.com). These can be configured such that they do not recursively resolve, so they will not be Open Resolvers – they will only answer for their configured domain and will do nothing else. You need a pair because most ISPs need you to provide a primary and secondary DNS server. My existing DNS servers can have the external DNS removed and external access removed and return to their original purpose of handling DNS for my internal clients.

In this case though, my external DNS needs are minimal so it’s not worth the effort. Instead I closed the DNS off again, deleted the anotherexample.com zone from my DNS servers, and added the handful of host entries from anotherexample.com directly into the ISP DNS, having also removed the forward to my DNS servers.

As for why Windows DNS can’t do this, I guess you’d have to ask who else, apart from someone messing about as I am, would want to do this? A proper DNS sysadmin wouldn’t even dream of mixing internal and external server roles on the same box and would have started out with two sets of servers anyway.
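The fix the post describes for the dedicated external pair (answer only for your own zones, never recurse) can be checked and applied from PowerShell with the DnsServer module that ships with Windows Server 2012. The script below is an added example, not part of the original post: it reports the recursion setting and hosted zones, turns recursion off, and includes a test you run against the public address of a server you own to confirm it no longer resolves names outside its zones. The server address and zone names are placeholders.

```powershell
# Added example, not from the original post. Requires the DnsServer module
# (Windows Server 2012 RSAT / DNS role). Addresses are placeholders.

function Get-RecursionReport {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $rec   = Get-DnsServerRecursion -ComputerName $ComputerName
    $zones = Get-DnsServerZone -ComputerName $ComputerName |
             Where-Object { -not $_.IsAutoCreated } |
             Select-Object -ExpandProperty ZoneName
    [pscustomobject]@{
        Server              = $ComputerName
        RecursionEnabled    = $rec.Enable      # true + internet-reachable = open resolver
        AnswersOnlyOwnZones = -not $rec.Enable
        Zones               = $zones           # e.g. anotherexample.com on the external pair
    }
}

function Disable-DnsRecursion {
    # Authoritative-only: answers for hosted zones and refuses everything else.
    # Note this also stops the server using its forwarders, so only do it on
    # servers that internal clients do not rely on for external names.
    param([string]$ComputerName = $env:COMPUTERNAME)
    Set-DnsServerRecursion -ComputerName $ComputerName -Enable $false
    return (Get-DnsServerRecursion -ComputerName $ComputerName).Enable
}

function Test-Recurses {
    # Ask a server you own for a name it is not authoritative for. An A/AAAA
    # answer means it recursed on the client's behalf; an error or an empty
    # answer means it refused, which is what you want on the external pair.
    param(
        [Parameter(Mandatory)][string]$ServerIp,
        [string]$ExternalName = 'www.example.com'
    )
    try {
        $r = Resolve-DnsName -Name $ExternalName -Server $ServerIp -DnsOnly -ErrorAction Stop
        return [bool]($r | Where-Object { $_.Type -eq 'A' -or $_.Type -eq 'AAAA' })
    } catch {
        return $false
    }
}

Get-RecursionReport
# Disable-DnsRecursion
# Test-Recurses -ServerIp '203.0.113.10'   # placeholder: your own server's public IP
```

The forwarder caveat in Disable-DnsRecursion is the reason the post’s plan needs a separate pair: the internal AD/DNS servers must keep recursing (via forwarders) for the clients behind them, while the external pair must not, and a single Windows Server 2012 DNS instance cannot do both.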

Wednesday, October 30, 2013

Windows Server 2012–language & keyboard settings broken

Just installed Windows Server 2012 and selected United Kingdom for language and keyboard layout during the install, just like I have done for every other Windows install in the last 15 years.

Broken. The server comes up in a US timezone and with US keyboard layout.

How does this stuff even get out the door? It’s not released, so much as inflicted upon us.

Wednesday, September 18, 2013

WDS & Windows Embedded Standard 7

I just spent most of a day failing to get Windows Embedded Standard 7 deploying via Windows Deployment Services (WDS). We have some IBASE SI-08 PCs nailed on to some flat screen monitors which we want to use for digital signage. They came pre-packaged with some truly awful management software running on Windows Embedded Standard 7. We’ve decided to dump the free software and use PADS 4 instead and now we’re thinking about deploying our own Windows Embedded image with PADS instead of the pre-installed image.

I already have WDS installed and running on Windows Server 2012 and have used that to deploy vanilla Windows 7, 8 and Server 2012 images over the network.

After downloading the Windows Embedded 7 Standard ISO from MSDN and adding the WIM file from the Sources folder we tried PXE booting the device and got in as usual (had to fiddle with the BIOS to enable network boot, but wasn’t hard to find). I approved the request on the server via the WDS UI as usual and the boot image then fails to load. 0x00000001. A device connected to the system isn't responding.

This turned out to be a network time out issue, probably caused by incompatible packet sizes. WDS 2012 has an auto-negotiate feature which can be switched off in the WDS server properties. In the TFTP tab clear Enable variable window extension.

This moves us along. The boot image now boots, and we get a Windows Setup GUI, but it errors out with: WdsClient: An error occurred while starting networking: a matching network card driver was not found in this image. Please have your administrator add the network driver for this machine to the Windows PE image on the Windows Deployment Services server.

According to the specs for SI-08 we need a RealTek network driver so we download and unzip that and add it to WDS and apply it to the boot image. Boot again and we get along a little more. We give the setup our locale (English: UK) and admin logon credentials and then get to choose an install image. Or we would except it won’t show us any. The event log on the server shows errors when enumerating the images. We reboot the server. Now the WDS service will not start. We have event ID 257 An error occurred while trying to start the Windows Deployment Server (0xC1020201) in the event log and An error occurred while refreshing the image cache.

I removed and re-added the WDS role, but got the same problem. I did it again and this time I deleted the c:\remoteinstall folder, trashing my handful of install images (the ISOs are still around so adding them back should be simple enough). The WDS service now starts OK. I add the Windows Embedded 7 Standard install image and the x86 boot images again and try to install on a test laptop. It gets through to the Windows Setup OK but can’t offer me an install image. The errors are back again on the WDS server and the service won’t restart again after a reboot.

There’s clearly something fishy about this WIM image file and a bit of googling around WDS and Windows Embedded Standard 7 reveals that the WIMs are not directly deployable via WDS.

It looks like WDS will let me add the WIM, but then breaks when asked to enumerate them for a client or when restarting the WDS service. This time I deleted just the Windows Embedded Standard 7 image via the WDS UI, which works even without the service running, and then the WDS service starts.

Tuesday, May 21, 2013

Windows Multi-boot cliff

My laptop has a legacy Windows 7 boot image on it that I want to preserve, but I want to also install Windows 8 and set that up as a development box so I can work on the move if necessary.

I used the built in Disk Management to shrink my Windows 7 partition and create ~200 GB free space, which I left unallocated.

I boot the Windows 8 install disk, create a 128 GB partition and install Windows and some dev tools. Ok so far – I can boot back to Windows 7 whenever I want to.

Next I decide to create another partition for data, so in future I can reinstall Windows without worrying about rebuilding source code repositories’ working folders, etc. I use Disk Management in Windows 8 (WinKey+X to access a handy cheat popup of tools). It warns me that to do this it will need to convert the drive to Dynamic Disks or something. Hmm.

Cancel and reboot to Windows 7. Same thing. Oh well. I can’t be the first person in the world to want more than 3 partitions. I accept the warning and watch as the partitions change from Basic to Dynamic.

I reboot. Windows 8 goes into repair mode and starts fixing things. After a few minutes it lets me login, but I’m worried I didn’t get asked whether I wanted Windows 7 or Windows 8. I reboot. Straight back to Windows 8 – no way to boot to Windows 7.

Disk Management in Windows 8 shows my Windows 8 partition and my new Data partition as both being Basic again. The other partitions are gone – just showing as Unallocated space. Oopsy. Not the end of the world and I intended to rebuild my Windows 7 at some point, just not right now.

Wikipedia has some good info on basic disk partitioning. It seems that there really is a cliff after 3/4 partitions. My laptop already had a small FAT32 partition and a recovery partition that were factory installed, so adding my 5th partition triggered some pretty drastic changes (and a warning I, um, ignored, *ahem*).

TestDisk is a free utility that I ran from within Windows 8 which showed me my old partitions and let me undelete them.

Then I booted from a Windows 7 Repair disk I made ages ago and lobbed into a desk drawer. This auto-detected boot problems and fixed them. Now the pretty Windows 8 boot loader shows me two options: “Windows 8 Enterprise” & “Windows 7 Professional (recovered)” both of which boot.

Wednesday, February 13, 2013

SharePoint 2010 Workflows broken OOTB

I just set up a Disposition Approval workflow in SharePoint 2010 on a wiki site. More SharePoint functionality that is broken out-of-the-box (OOTB).

What I’d like to do is get reminders to review wiki content periodically so we can tidy up stale information – seems simple enough.

SharePoint 2010 appears to offer this through its Disposition Approval (who names these things?) workflow. This turns out to be fairly complicated to configure. There’s an Information Management Policy Settings link to find on the library settings page which kicks off the workflow, and a timer job that only runs once a week by default.

The workflow is defined on the wiki site’s page library, but relocating the workflow once it is created is a pain as not all “workflow settings” buttons go to the same place. The tasks, however, get created in another list under the wiki site, so are a sibling to the wiki pages.

The whole feature looks like it’s bolted together out of pre-existing parts that don’t really fit.

However, after running that gauntlet I find the following 3 total fails that make the whole feature more trouble than it’s worth:

  1. The tasks created by the workflow don’t get assigned to anyone. It expects you to come and look for them. Setting up an alert on the task list gets around this.
  2. The bulk workflow tool from 2007 is missing or hidden or something in 2010 so you have to open each task individually, which makes the whole thing too much effort to bother with.
  3. There’s a stupid bug which means all my existing wiki pages throw an error when I try to open them for editing. Chasing down the correlation id in the logs (blech) and googling the stack trace leads me to some mumbo-jumbo about some missing Data Association XML or some-such.

In the end I just switched off the retention approval again and deleted the workflow. Too much pain for a crap little feature.

UPDATE: Now when we try to create a page in the wiki we get an Article Page instead of an Enterprise Wiki Page. I deactivated the SharePoint Server Publishing feature from Site Settings, but this didn’t fix it and also caused this error when I tried to save an existing wiki page after editing it:

System.ArgumentException: Invalid SPListItem. The SPListItem provided is not compatible with a Publishing Page

I activated the feature again and can now edit existing wiki pages without error. Eventually I found Site Settings > Page Layouts and Site Templates > New Page Default Settings. This was “Inherit Default Page Layout From Parent Site”. Changed to “Select The Default Page Layout > (Enterprise Wiki Page) Basic Page” and now new pages are wiki pages again.

Thursday, January 31, 2013

Added secondary AD & DNS

I just installed a second Active Directory server into my test domain. Dead easy – just install the role on Windows Server 2008 R2 SP1 and follow the prompts. I chose to install DNS at the same time (the AD setup wizard defaults to ticking this so you don’t need to change anything).

At the end it synched my AD domain from the original server. It brought over all my DNS zones automatically, including: both the AD forward lookup zone and a manual forward lookup zone; my reverse lookup zone and DNS settings such as my forwarder IP addresses (which the server uses to resolve external DNS names on behalf of clients).

More details here.

Now I have two DNS servers I can point my clients (including the DNS servers themselves) at both of them and should have basic networking (AD logons & DNS) even if one server goes down.

I also added the new DNS server to the DHCP Server Options so the new DNS server should get offered to DHCP clients automatically. My Windows 7 client picked this up without needing a DHCP release/renew which makes me suspect it got the new DNS server IP from somewhere else. I removed the new DNS server IP from the DHCP Server Options again and will check to see if clients are finding it on their own somehow.
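The question at the end of the post (did the client learn the second DNS server from DHCP or from somewhere else?) can be answered on the client itself: Windows keeps the statically configured list (NameServer) and the DHCP-supplied list (DhcpNameServer) in separate registry values under the interface’s Tcpip key. The following is an added example, not part of the original post: it uses WMI, so it runs on Windows 7 / Server 2008 R2, reads both lists for every IP-enabled adapter, and checks that both DNS servers are present. The two addresses are placeholders for your two DC/DNS servers.

```powershell
# Added example, not from the original post: show each adapter's DNS servers,
# where they came from (static vs DHCP), and whether both DCs are listed.

$ExpectedDns = @('10.0.0.1', '10.0.0.2')   # placeholder: your two DC/DNS servers

function Get-DnsClientConfig {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            # SettingID is the interface GUID used as the registry key name.
            $key = Get-ItemProperty -Path (Join-Path $base $_.SettingID) -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Adapter     = $_.Description
                DhcpEnabled = $_.DHCPEnabled
                DnsServers  = @($_.DNSServerSearchOrder)          # the effective list
                StaticDns   = if ($key.NameServer)     { $key.NameServer -split '[ ,]+' } else { @() }
                DhcpDns     = if ($key.DhcpNameServer) { $key.DhcpNameServer -split ' ' } else { @() }
            }
        }
}

function Test-DnsRedundancy {
    param([string[]]$Expected = $ExpectedDns)
    foreach ($cfg in Get-DnsClientConfig) {
        $missing = @($Expected | Where-Object { $cfg.DnsServers -notcontains $_ })
        [pscustomobject]@{
            Adapter = $cfg.Adapter
            Ok      = ($missing.Count -eq 0)
            Missing = $missing
            # A non-empty StaticDns on a DHCP adapter overrides option 6: that
            # is the "got it from somewhere else" case.
            Source  = if ($cfg.StaticDns.Count -gt 0) { 'static' } elseif ($cfg.DhcpEnabled) { 'DHCP' } else { 'none' }
            DhcpDns = $cfg.DhcpDns
        }
    }
}

Test-DnsRedundancy | Format-List
```

Run this on the DCs as well as a client: each DC should list the other DC first and itself second (or the loopback address last), so that a DC whose own DNS service is slow to start can still find a partner.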

Tuesday, July 24, 2012

SharePoint / SQL Gotcha: Massive Log Files

My backup scripts on my test SharePoint 2010 box have been running but not producing backups for the last few days. I tried a manual backup via Central Admin and found that the backup estimate was more than 10GB, which is odd for a test server.

A bit of hunting with Sequoia View showed that SharePoint_Config.ldf was more than 10GB (the database data file itself was only 100MB).

It seems that the database was set to the Full Recovery model, which I’ve been bitten with before. In this mode SQL will not throw away the transaction log after a database backup, you have to backup the transaction log as well. If you do a lot of updates to the same data you can end up with large log files (compared to the actual data file).

Thinking about why you might want this makes my head spin a bit. Presumably if you have the previous backup plus the log file you can recover anyway – you just need to get the log off the server in case it goes bang. I guess if you have all the transactions you don’t even need the data file backup – you could rebuild to any point from the accumulated transaction logs. I’m sure there are lots of useful things you can do in this mode, but I don’t know of any so I don’t “need” it at the moment.

In SQL Server 2010 R2’s Management Studio you can view the properties of a database and see how large the files are. You can also use Tasks > Shrink > Database and Tasks > Shrink > Files to see how much space is available in a file (SQL keeps some free space and can auto-grow when it gets low so you can strike a balance between “wasted” free space and disk fragmentation).

The Shrink dialog told me that the log had 0% free space available. I tried a transaction log backup (Tasks > Backup > Backup Type > Transaction) but there wasn’t enough free disk space for it (failed with error 112, but couldn’t give me a descriptive message). Oh well, I don’t need it as it’s a test box and I can stand to lose some data if I need to do a restore. My very simple PowerShell scripts will get SharePoint to do a full weekly backup and daily differential backups so I should be good if something goes wrong – I think I’m only exposed for up to a day’s loss (assuming I notice if the backup itself fails – there’s no error reporting in the script at the moment).

I’m mainly just playing with the SharePoint installation – I know there are third-party tools that will automate this for me and I know that Data Protection Manager (or whatever it’s called now) can do automated SQL Backups, for example. I’m just interested in what you can easily do out-of-the-box.

Anyway, I set the SharePoint_Config database to the Simple Recovery model, and then using Tasks > Shrink > Files, I could see that now 99% of the log file was available. Shrinking it recovered that space, freeing up 10GB.

While I was there I set the model database to Simple Recovery too so any future databases created on the box will “inherit” that. I also set all the databases that were Full recovery to Simple. It turns out there was a 50-50 split. I’m not sure why some were already in Simple mode. Possibly SharePoint will set some non-critical things to Simple by default and leave the rest to “inherit” from the model database?

So a sort-of lesson learned is to watch out for Full Recovery model databases in future. If you need this, you also need to figure out what to do with all those transaction logs.

In future SQL Server and SharePoint installations I will need to watch out for default options that I might have chosen badly. It seems to me that new databases should use Simple Recovery by default – Full Recovery is more an advanced option. Maybe this is down to the edition of SQL Server that was installed?
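The “watch out for Full Recovery databases” lesson is easy to turn into a recurring check. The script below is an added example, not code from the original post: it queries the catalog views for every database’s recovery model and data/log sizes so the SharePoint_Config situation (100MB data, 10GB log) stands out, and provides the Simple-recovery switch plus log shrink that the post did by hand in Management Studio. It talks to SQL Server through System.Data.SqlClient so it needs no SQL PowerShell module; the instance name is a placeholder and Windows authentication is assumed.

```powershell
# Added example, not from the original post: recovery model / log size report
# and a Simple-recovery switch with log shrink. Instance name is a placeholder.

$Instance = 'localhost\SHAREPOINT'   # placeholder: your SQL Server instance

function Invoke-Sql {
    param([Parameter(Mandatory)][string]$Query, [string]$Database = 'master')
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$Instance;Database=$Database;Integrated Security=True")
    $conn.Open()
    try {
        $adapter = New-Object System.Data.SqlClient.SqlDataAdapter($Query, $conn)
        $table   = New-Object System.Data.DataTable
        [void]$adapter.Fill($table)
        return $table
    } finally { $conn.Close() }
}

function Get-LogFileReport {
    # sys.master_files.size is in 8 KB pages. FULL databases whose log dwarfs
    # the data file need either a log backup schedule or a switch to SIMPLE.
    Invoke-Sql @'
SELECT d.name, d.recovery_model_desc,
       SUM(CASE WHEN f.type_desc = 'ROWS' THEN f.size ELSE 0 END) * 8 / 1024 AS data_mb,
       SUM(CASE WHEN f.type_desc = 'LOG'  THEN f.size ELSE 0 END) * 8 / 1024 AS log_mb
FROM sys.databases d
JOIN sys.master_files f ON f.database_id = d.database_id
GROUP BY d.name, d.recovery_model_desc
ORDER BY log_mb DESC;
'@
}

function Set-SimpleRecovery {
    # Database name is interpolated into T-SQL, so restrict it to a safe
    # pattern: this is an admin tool, not something to feed untrusted input.
    param([Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9_]+$')][string]$Database)
    # SIMPLE gives up point-in-time restore; the post accepted that on a test box.
    Invoke-Sql "ALTER DATABASE [$Database] SET RECOVERY SIMPLE;" | Out-Null
    $logs = Invoke-Sql "SELECT name FROM sys.master_files WHERE database_id = DB_ID('$Database') AND type_desc = 'LOG';"
    foreach ($row in $logs) {
        # Shrink the log to 100 MB; it will auto-grow again if genuinely needed.
        Invoke-Sql "DBCC SHRINKFILE ([$($row.name)], 100);" -Database $Database | Out-Null
    }
    Invoke-Sql "SELECT name, recovery_model_desc FROM sys.databases WHERE name = '$Database';"
}

Get-LogFileReport | Format-Table -AutoSize
# Set-SimpleRecovery -Database 'SharePoint_Config'
```

If a database genuinely needs Full recovery (anything you would want to restore to a point in time), the alternative to the switch is a scheduled transaction-log backup, which is what keeps the log from growing without bound; the report makes it obvious which databases are in Full without such a schedule.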

Tuesday, May 24, 2011

VMware, Windows 2008 Server R2 & Windows Updates

I have started playing with VMware because I needed to set up a test environment to play with zEntity. I tried a Windows Server 2008 install in VirtualBox on a Windows 7 host, but was getting some strange crashes. A passing consultant recently recommended VMware to me, and it seems we already have a VMware ESXi server running so I might as well get used to it.

The potential benefit here is that I can create and run a virtual machine locally and then move it off to the server if I want to keep it semi-permanently.

The consultant recommended VMware Server (which is actually a desktop product), but it seems this is reaching its end of life very soon. The internet recommends VMware Workstation as a replacement, but it’s a pay-for product and I’m just playing with it at this point. VMware Player seems to be the way to go – the current version allows a virtual machine to be created (I’m guessing earlier versions didn’t, hence ‘Player’). Very confusing nomenclature.

As I have access to an Action Pack I can get hold of install disks for lots of Microsoft stuff – they come with a variety of trial periods so there’s no immediate issue with licenses, and if we decide to keep something we have budget to get licenses after the trial. My laptop has some Roxio disk burning software bundled with it so I have used that to copy the install disks to the hard drive as ISO images which can then be mounted into the virtual machine and installed from. Handy if I need to reinstall as I won’t need to get the physical disk again.

It seems that Windows 2008 Server R2 is 64-bit only. I’m running 32-bit Windows 7 Ultimate on a Dell Precision M6400, which has 4GB RAM and a Core 2 Duo CPU @ 2.26 GHz. VMware doesn’t seem fazed by this and happily lets me create a blank Virtual Machine (VM) and install Windows 2008 Server R2 from the ISO. It defaults to the Data Centre Edition for some reason, so I delete it and start again, this time choosing the Standard Edition.

I got the server installed and found 54 updates waiting. No problem – I let those install. It stops at update 31. Just sits there. Downloading, it says, but nothing happens. I cancel the download and ask it to reboot. It quits my desktop and starts installing the 31 updates. This never completes. The screen is updating the status dots, but the install is stuck. I cycle the power to the VM and it comes back up. I carry on installing updates and also install SQL Server 2008. Another update sticks. Cycling the power won’t unstick it – it refuses to download it. The Server Manager also won’t show me what roles or features are installed or let me add more. This is going to be a problem as I need to get IIS running and I didn’t install it yet.

Eventually I decide to start again and delete the VM. This time I give the VM 2GB of RAM – the first attempt only had the default 1GB. I also decide to install updates in batches of ~10 – earliest first and with a reboot between each batch. I’m only installing the ‘important’ updates – I ignored the optional ones previously and will do so again for now. The following table summarises the sets of updates that were applied.

Date range      Updates
2009                  3
Jan-Jun 2010          9
Jul-Nov 2010         11
Dec 2010             10
Jan-Mar 2011          6
Apr 2011             10
May 2011              2

I opt to leave IE 9 uninstalled for now and I also install the Security Update for .Net Framework 3.5.1 and the Windows Malicious Software Removal Tool update individually at the end.

This appears to have worked. All the updates went on without me needing to manually power-cycle the VM and the Roles and Features stuff in Server Manager is still operational.

Friday, March 11, 2011

DPM causes IIS read access forbidden (403 2)

I have just spent several hours trying to figure out why Microsoft (MS) Security Center Essentials 2007 (SCE) isn’t able to serve MS Updates to its clients anymore. This looks like it was working 6 months ago, but not any more.

I tracked it to IIS problems – pretty much every request from another machine was getting sent back with error 403 sub-error 2 read access forbidden despite the fact that everything looked fine in IIS Manager.

It looks like MS Data Protection Manager (DPM) locks down IIS pretty tightly and, sure enough, the box has DPM 2007 installed on it too.

More info: http://blog.mattrudge.net/2009/07/05/error-403-2-read-access-forbidden-on-iis/