CC.'s questions

I don't think there's any way to do this after looking through Microsoft's password policy documentation, but on the off-chance that someone was particularly clever:

Is it possible to create a policy so that only business days count towards password expiration? The idea being that a password that expired on Saturday would not necessitate a helpdesk call until Monday, and VPN users would be able to continue to get in.

We're Server 2008 R2 here. The best workaround I can come up with is to enable this in Outlook Web Access:

https://technet.microsoft.com/en-us/library/bb684904

But not sure how this will play with our Duo two-factor.

I'm open to third-party stuff if that will work. I don't see this as a PowerShell opportunity, but tell me if I'm wrong.

I have a GPO that installs an application using the Software installation policy under Computer Configuration. I assign this GPO to the OU with our desktop/laptop computers, and my clients all install the software fine.

I have another separate OU that covers our new Server 2012 RD session hosts. Previously, we've manually installed applications on our one Terminal Server. Now we have one Broker and two Session Hosts. I'd like to take my existing GPO, assign it to the session hosts, and have it install on the next reboot after a gpupdate so I'm sure that each is identically configured.

Given this info:

1. Should I be able to install applications via GPO to Session Hosts?
2. Will Group Policy automatically install the applications as if I put the session host into /install mode, or do I need to do that?

I'm at my wits' end on this one.

Scenario

End-user is trying to print at home to her wireless printer, a LaserJet Pro M1217nfw. Every time she tries to connect, it asks for admin privileges to install the driver.

After some research, I find this article:

http://theintegrity.co.uk/2010/08/allow-users-to-install-local-printers-on-windows-7-using-group-policy/

I make the changes to the two printer classes in Group Policy. I've ensured that the GPO has been applied to the laptop. Using a laptop with the same GPO, I was able to get my home USB printer to connect (using my normal user privs, no elevation). Great!

When my user tries it at home, though, she isn't able to get any farther than a UAC prompt. This happens when she tries to do this wirelessly or via a USB port to tes.

My theory is that I need to add another device type. If there is a way for me to determine what Device Class that printer is asking for, I suspect I could just add the GUIDs to the GPO, but I don't know how to determine that. Nothing is leaping out at me in Event Viewer.

So:

1.) What am I doing wrong for laptops accessing home printers?

OR

1A.) Is this not a best practice at all to let users install printers on work laptops? If that's the case, how do you manage users' home printing?

2.) If my solution is just to add a Device Class, how do I find out what Device Class a peripheral is identifying itself?

What is an acceptable level of hard write errors on tape? Specifically, what is acceptable on HP LTO-2 media? Is it a hard number of errors, a ratio of hours in use to errors, or something else entirely?

Further background

We are using a MSL6000 library with one LTO-2 drive using Backup Exec 11d (for now). Backup Exec always shows some soft errors for most of the drives, but some are starting to show hard errors. Backups are done with immediate verification, and the verify has yet to fail, so I don't have reason to be alarmed right now.

While I can find the duty cycle for the drive (250,000 hrs), I can't seem to find any hard numbers as to when a particular tape should be should just be retired.

If there's a best practice for rotating media out, I'd love to hear that, too. We're also soon migrating to LTO-4 media, so thoughts on errors there would also be helpful.

Edited to add:

I don't have hard error on every tape. To give an idea of what I'm looking at:

Tape    Hours in Use    Hard Errors
A       142             11
B       255             0
C       159             2

The vast majority of my tapes are like B and C. A is the outlier.

I'm looking for some sort of best practice here. The tapes are verifying OK. I don't want to have a tape fail just when I want to restore, but I also don't want to toss a tape with a handful of errors if it's unnecessary.

The short question: can I share file and block level traffic on the same SAN? Perhaps more importantly, should I? The gory details are below...

I'm hopefully putting the finishing touches on a new SAN design, and our new planned storage (EMC VNXe3100) will support being an iSCSI target, our original goal. It also supports file-level storage as well via CIFS and NFS. Some of the features we hope to use (particularly deduplication) are only available via file-level shares.

The VNXe3100 has 2 controllers with 2 NICs per controller. Each NIC is going to a different switch, so either the controller or the switch can fail, and we should still be in business. This means that both file and block traffic would need to be enabled on each NIC. I'm assured by our rep that this is possible.

My plan is to put the VNXe and the 5 host servers on the same VLAN and subnet (call it 192.168.1.x). This should keep my block-level iSCSI stuff only in that VLAN with no route out. But I would have a route out to the rest of the network for the file-level traffic on a different subnet (192.168.55.x). So each NIC would have an IP address for block traffic in the 1.x range and another for file traffic in the 55.x range.

Since we are new to the world of iSCSI and the world of SAN/NAS devices, I want to make sure this isn't some horrible intermingling. But it would be really nice to expose our VMWare as NFS and get the VMs deduplicated on our hardware, and not having to maintain another file server would also be a bonus.

If there's something else I'm overlooking, I'm all ears.

My previous question covered disk-to-disk backup to reduce our backup window, and now I also need to take the disk backup and move it to tape. Is this something I can do with Networker and deduplicated backup?

I know that an ideal solution would be to replicate the Data Domain elsewhere, but we are one site only. Another Data Domain and datacenter space somewhere else is a bit too rich for us. So the new plan is to backup our storage over an iSCSI SAN to a Data Domain 600 using EMC Networker, then have Networker make full backups from Data Domain (not the live data) to tape on a weekly basis. This should give us a fast backup, but allow for offsite disaster recovery.

So can this be done with Networker? If not, is there an alternative?

We're looking to get a new SAN, and so we're re-examining our storage, network and backup issues. Our plan is to get an EMC VNXe 3100 with SAS drives for production data, then buy an expansion shelf and populate half of that with SATA (6 TB raw) drives. Our backup software will then use the SATA as the target.

Our initial sales rep said that would work fine, followed by another EMC sales rep (not coincidentally trying to sell a backup storage appliance, Data Domain) saying that you should never ever put the backup set on the same storage. I'm sure that would be better, but budget is a concern for us, and using the SATA seems a reasonable compromise, but I'd like to be sure.

In my mind, the disk backup target on SATA is to give us 1.) smaller backup window, and 2.) convenient tapeless recovery. We'll still be using tape for disaster recovery and using the backup software to move the disk backup to tape. We only have one site, so replication isn't a great option. Since budget is a concern for us, this seems reasonable as opposed to buying a special device.

The only failure mode I can think is if both controllers on the VNXe fail simultaneously, we're not going to be able to get to either production disk or disk backup. But the odds seem really low for that. Seems that if that happened, we'd be looking for the tapes anyway, because the server room would be gone.

So, am I crazy? Is there anyone else doing something similar?

So I have a batch script for robocopy. Running this from the command line does exactly what I want.

robocopy "D:\SQL Backup" \\server1\Backup$\daily /mir /s /copyall /log:\\lmcrfs4g\NavBackup$\robocopyLog.txt /np

Then I create a Scheduled Task in Windows Server 2008. If I set up the task to use my Domain Admin account, great. But I'm trying to get it to run as a separate domain account for Scheduled Tasks. If I use that account, folders get created, but files aren't copied. I get the following error:

2011/02/17 15:41:48 ERROR 1307 (0x0000051B) Copying NTFS Security to Destination Directory D:\SQL Backup\folder\ This security ID may not be assigned as the owner of this object.

I've verified my domain\Scheduled Tasks account has Full Control NTFS permissions on both the source and destination, and the Full Control Sharing on my hidden \server1\backup$ share. Just for giggles, I've tried adding the domain account to the local Administrators group on both servers. This works fine, but that seems like a lot of privileges just to copy files. Any ideas on what I'm missing?

EDIT TO ADD:

I've tried using the robocopy \copy:DATSO flag rather than \copyall (I can skip the auditing info), but I still get the same error.

I've also tried using runas \noprofile \user:my Scheduled Tasks user for the robocopy command. I get the same error again.

I'm not averse to simply adding the user to a Built-In group, though Administrators seems like it would be overkill. I'd be interested to know how others handle their Scheduled Tasks.

We have a VMWare ESXi 3.5 server that we are trying to get performance information on via esxtop logging, but I can't get an SMB share to mount so I can store the logs there. What am I missing?

The command I'm trying to use (per the vendor's instructions) is:

mount -t smbfs -o username=esxshare //WindowsShare/esxshare /mnt/esxshare

I have verified that I am logged in as root, and that the /mnt/esxshare directory has been created.

My biggest concern is that my web research so far indicates that ESXi can't actually mount SMB shares, only ESX can. I also would need to enable the firewall on VMWare to allow SMB, but ESXi doesn't seem to have an interface to that either. Am I correct?

I'm open to other suggestions on how to get a share mounted, but I'm a Linux newb. My only other theory would be to do an NFS share somewhere, mount that in the Service Console, and then get on with the esxtop logging I need to do. I've also got a message in to our vendor asking for help, but I'm hoping to understand what exactly is failing to get a better understanding of the VMWare guts.

Any help would be greatly appreciated. Thanks!

CC

UPDATE

So it doesn't appear like my prospective vendor has any options for this, either. We're still new to virtualization, so we'll consider using ESX Server when we upgrade from our current 3.5 installation in the next year or so.

In the meantime, the best we can do is measure peak IOPS of our current system, and get stats from other non-VM systems that connect to our SAN. Hopefully that will be enough.

I'm planning some expansion on an HP MSA1000 SAN. My boss says that we need to have two separate arrays on the new enclosure, one for Bays 1-7, the other for Bays 8-14. Is there any reason that we need to do this?

My plan was to have the entire expansion shelf be 1 array, then create RAID 6 logical drives from that. I don't understand what splitting drives into separate arrays gain us. We don't have dual controllers, so there's no benefit there.

Thanks, CC

We need to make a backup of a MS SQL Server 2005 database. The computer on which the database resides is in it's own workgroup and is not on our domain. It also doesn't appear the vendor will support us adding the PC to the domain. So we need to find a way to get the SQL backup to save on to our domain.

I'm not a SQL guru, but I can see that the SQL maintenance plans we run for other databases let us specify where we wish to place the backup. But the databases, users and shares that we use are all on our domain. It seems our hang-up is that the SQL maintenance plan has to run as the local admin on the non-domain PC, but then I don't have a good way of giving that user rights to our network share.

The only other option I can come up with is a hidden share on our domain with Everyone R/W access, and that makes my skin crawl.

I'm sure we could script a file copy after the SQL maintenance plan runs locally. We would just embed credentials in the script. But we think it would be better if the Maintenance Plan could take care of this itself--less moving parts, in my mind.

I feel like I'm being thick on a Monday, and this should be simpler than I'm making it. What am I missing?

Thanks for your help! CC

We seem to have a problem with rogue devices on our network. From DHCP (on Win2003), I can see names of devices that are clearly not ours. From the name, I suspect it's a wireless AP (WGR614 looks like a Netgear to me). I can't ping it now, but I want to A.) be certain it's gone, and B.) stop it from coming back.

My initial theory is to block the MAC address at the switch. I'd also like to find which port the MAC address was connected to so I can find the location it was connected.

We have different flavors of HP ProCurve switches, with our primary switch a 4200. How would I go about doing this as a one-off task? I'm not a network admin really, so please be gentle.