Friday 27 February 2009

WSUS under Server 2008

I configured a WSUS server under Server 2008 and created a GPO to instruct all the other Windows VMs in my test environment to point to it. Although the GPO was being pushed out, the WSUS console did not detect any computers.

After speaking to some colleagues about this (thanks Rob!), I tried manually running a Windows Update from one of the clients. This produced the following error: 80072EE6

Googling this suggested the problem was an "unknown protocol" and one post suggested checking that the GPO settings for the intranet server included the "http://" prefix before the hostname. I checked and found I didn't have that setting. Adding it in and then forcing a gpupdate worked and the clients have started to appear.

Sunday 8 February 2009

Joining an OpenSolaris CIFS server to an AD domain

These notes are rough, but might prove useful in the future (or to someone else who had the same problem). I wanted to join my newly created OpenSolaris 2008.11 installation to my experimental Windows Server 2008 Active Directory. I followed the tutorial in the Solaris CIFS Administration Guide, but when I attempted the actual join command, it failed with LOGIN_FAILURE.

Here's the answer:

Firstly, make sure the IP address is set up correctly, the hostname is added in /etc/hosts, and DNS is set up correctly in /etc/resolv.conf and /etc/nsswitch.conf. Also make sure you are on the same domain as the Active Directory ("windows.zone" in my case).

Secondly, make sure your system clock is synchronized with the domain controller:

# ntpdate dc01.windows.zone

Then set up Kerberos by editing /etc/krb5/krb5.conf. This is documented in the manual.

Install the SMB Server using the package manager and start it up using:

# svcadm enable -r smb/server

Then try to join the domain:

# smbadm join -u administrator windows.zone

For me, this is where it failed. The mailing lists suggest that the problem might be related to SMB signing. On the DC, I opened up the Group Policy Management tool and changed the following:

Computer Configuration\Policies\Administrative Templates\System\Net Logon\Allow Cryptography Algorithms Compatible with Windows NT 4.0 -> Enabled

I then ran a gpupdate /force.

Finally, I read that the sharectl command on the OpenSolaris server should be run to use NTLMv2 authentication:

# sharectl set -p lmauth_level=2 smb

I re-ran the join command, and it worked properly. The OpenSolaris CIFS server is now part of the Active Directory domain.
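
The prerequisites in the first steps above (domain in resolv.conf, hostname in /etc/hosts, clock in sync with the DC) can be checked before running the join. This is an added example, not part of the original post: the function names are hypothetical, and the 300-second limit is the Kerberos default clock-skew tolerance.

```shell
#!/bin/sh
# Added example (not from the original post): pre-join checks for the steps above.
# Function names are hypothetical; the domain and DC name are the post's own.
AD_DOMAIN="windows.zone"
MAX_SKEW=300   # Kerberos default clock-skew tolerance, in seconds

# Succeed if a "domain" or "search" line in resolv.conf FILE ($1) names DOMAIN ($2).
resolv_has_domain() {
    awk -v d="$2" '
        $1 == "domain" || $1 == "search" {
            for (i = 2; i <= NF; i++) if (tolower($i) == tolower(d)) found = 1
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# Succeed if NAME ($2) is a hostname or alias on a non-comment line of hosts FILE ($1).
hosts_has_name() {
    awk -v n="$2" '
        { sub(/[#].*/, "") }
        { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(n)) found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# Succeed if every "offset N" in `ntpdate -q` output ($1) is within MAX ($2) seconds.
skew_ok() {
    printf '%s\n' "$1" | awk -v max="$2" '
        match($0, /offset [-+]?[0-9.]+/) {
            off = substr($0, RSTART + 7, RLENGTH - 7) + 0
            if (off < 0) off = -off
            seen = 1
            if (off > max) bad = 1
        }
        END { exit ((seen && !bad) ? 0 : 1) }'
}

# Print one line per failed check; the return status is the number of failures.
preflight() {   # args: resolv.conf path, hosts path, this host's name, ntpdate -q output
    fails=0
    resolv_has_domain "$1" "$AD_DOMAIN" || { echo "FAIL: $AD_DOMAIN not in $1"; fails=$((fails + 1)); }
    hosts_has_name "$2" "$3" || { echo "FAIL: $3 not in $2"; fails=$((fails + 1)); }
    skew_ok "$4" "$MAX_SKEW" || { echo "FAIL: clock skew over ${MAX_SKEW}s or no offset"; fails=$((fails + 1)); }
    return "$fails"
}

# On the OpenSolaris host:
#   preflight /etc/resolv.conf /etc/hosts "$(hostname)" "$(ntpdate -q dc01.windows.zone)"
```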

Installing OpenSolaris into VMware ESXi

I've just created a very small VM for installing OpenSolaris onto my ESXi box. The ISO CD booted in live mode to the desktop and I selected the option to install to disk.

The installer loaded, but at the point of "Finding Disks", the installer seemed to hang and no disk was found, even though format was displaying the disk okay.

Upon further investigation, I realised that the amount of RAM I had assigned to the VM (512MB) was causing a problem. By increasing this to 1GB, the disk was found and the installer worked as expected.

My guess is that this is due to Solaris deciding that, with only 512MB of RAM, some swap would be necessary, but it's not able to create it. Only a guess, but at least I now have a workaround.