WaldenL's questions

As part of a security evaluation we've been asked if we can set affinity so that two EC2 instances in the same AZ are not hosted on the same physical machine. Obviously it's very unlikely that two of our instances would end up on the same hardware (in fact I believe AWS tries very hard to make sure it doesn't), but is there any way to guarantee that?

Please note:

1. I'm not asking if we should do this, I understand EC2 hypervisor security and feel this should not be necessary, just wondering if we can.
2. I'm not including dedicated host options, obviously if we pinned the EC2 instances to two different dedicated hosts they'd have to be on different physical machines. I'm talking "normal" VMs here.
3. This is within the same AZ. Two different AZs would have to be different hardware.

Is there a way to change the activation key in Windows before you start the out of box experience (setup) on machines w/windows pre-installed? For example, say you purchase a laptop with Home preinstalled, but you have a Pro key, anyone know how to get that Pro key into that laptop before you do the setup?

Current process is:

1. Perform setup using dummy user
2. Change key after OBE
3. "Reset" Windows back to virgin OBE
4. Perform setup again, this time under real user

Why does it matter you ask? Because Home SKUs cannot join domains, and you want the user to be a domain user, not a personal Microsoft account, so you need to do the initial setup as a dummy user, then flip to pro so you can join AzureAD (or a local domain), and then wipe and redo the OBE as the actual end-user. Ugly!

I've got a CentOS VM (release 6.2) running under HyperV. I have integration services installed (part of base now), and CentOS shows the current clocksource is hyperv_clocksource, however my time in the VM is about 10 minutes fast after a week of uptime. My understanding of the new IC and plugable clocksource is that this shouldn't happen any more. Is there any additional configuration necessary to get the plugable clocksource to "work?"

I know there are plenty of links about setting kernel options to PIT and various stuff like that, but those all seem to pre-date the integrated clocksource support, and as I understand it shouldn't be needed anylonger. Nor should ntpd nor adjtimex.

Edit: Was running 3.2 of IC (what ships w/Centos 6.2), upgraded to 3.3 today, machine has been up for 1 hour 22 minutes and clock is already 5 seconds fast. So I'm now running the latest IC and still have the same problem.

This just doesn't seem correct to me, so I'm looking for someone to tell me how I've misconfigured IIS... Configuration is IIS7.5 (2008R2), without SP1.

I have IIS 7.5 configured w/several sites. ALL sites have hostnames defined in the bindings, there is NO site w/out a hostname. However, if I request an unknown hostname from the server IIS (technically Microsoft-HTTPAPI/2.0) return a 404 error, not a 400 error. I would expect a 400 (or some other major error) rather than a lowly 404.

This causes a problem when I have nginx in front of multiple IISs and want to stop a site so nginx takes it out of rotation. Since IIS still returns a 404 for the request even when there is no active site for that name, nginx doesn't know the server is dead.

NB: IIS returns the 404 regardless of whether there is a server, but it's stopped, or there is no server.

Thoughts? Solutions?

-- Additional info: OK, I added a site on a port other than 80 (5000) and then on a connection to that port asked for a site that doesn't exist, and I get the expected error 400 (Invalid hostname). So, while IIS isn't listening for generic (no host name) connections on port 80 it would seem that something is. Any ideas how to get HTTPSys to dump the list of what it's listening for?

We have SEP 12.1 RU1 Small Business Edition and we're deploying to Windows 2008 R2 machines. It seems that SEP is disabling the native firewall. Has anyone seen this?

Specifically, The SEP Firewall policy on the management server does not have the "Enable this Firewall Policy" checkbox checked -- that is, the policy is disabled. I've pushed the client out to some of our servers and the client is modifying the native Windows firewall, Windows now shows that the native firewall is "Active", but it's also "managed by Symantec" and if you look at the list of active rules there are none. I've confirmed that the firewall is indeed not active by accessing the server on ports that should be blocked. I've also confirmed that I'm setting up the native firewall correctly by doing the same config on another server that doesn't yet have SEP and traffic gets blocked.

Has anyone configured SEP 12.1 SBE and left the native Windows firewall enabled? If so, how? And before you suggest I just enable the SEP firewall, I'd need a different policy for each server as there are different needs/services on each server so that just seems like a silly thing to do.

I have a W2K8R2 Server Core install with the DNS role. I want to disable recursion on this server as it exists only to respond to DNS requests for which it is authoritative.

I have run the "dnscmd /config /norecursion 1" command and dnscmd /info shows fNoRecursion with a value of 1, that is, do not do recursion. My forwarders list is also empty, although I don't think that even matters if I'm not doing recursion. I have cleared the cache and stopped and restarted the DNS service.

However, if I connect to this server from a remote machine the server is doing recursive lookups for me. I can connect to it and ask it to resolve www.cnn.com and it will do so. Any ideas?

I want to tell a server 2008 R2 machine to NOT register it's IP addresses in DNS. I go into the Advanced tab on IPv4 and turn off "Register this connection's addresses in DNS" simple! But... the addresses are updated in DNS anyway! And actually the A record is eventually removed from the DNS server.

I've confirmed that the checkbox is off by looking at it myself, and by checking the RegistrationEnabled registry value for that adapter. Both confirm that the registration is off.

I've turned of DNS debug logging on the DNS server and I can see DNS Update requests coming from the server in question! This should not happen.

What's even odder is that eventually (several hours) the A record for the server (which I added by hand!) is removed from the DNS server. I've also confirmed that scavaging is off on both DNS servers in the domain.

Ideas?

Edits: Per the comment: The server has static IP addresses. However, it's got two of them on one adapter.

Since I'm in a VM (HyperV) environment I just spun up a second adapter and moved the second IP to the second adapter. I set the first adapter to auto-register (since that's the IP I want anyway) and the second adapter to NOT auto-register. We'll see if this is any better.

Not any better. On a reboot of the server the registration was removed from DNS. Seems both cards are still contacting the server. Based on the DNS log the card that shouldn't register in DNS is registering a 'delete' request. And then the card that should register is registering an add request but that's ignored. I'm totally confused at this point.

I've got a scheduled task setup in Windows 2008 R2 to send me an email if a specific event is logged to the event log. This works great. However, I'd like to include the event description from the event in the email. I don't see a way to do this. Anyone have any ideas (within scheduled tasks / event manager -- I'm sure I could buy / get a 3rd party app to do it)

In a corporate environment most machines will be domain joined and therefore get their time from the DCs. However, sometimes you get a machine that isn't in the domain. By default these machines will use time.windows.com as their time source.

Does anyone see a down side to adding a DNS entry for time.windows.com that points to the internal time source? This would result in all non-domain-joined machines still syncing their time to the domain time source.

What are the opinions on allowing virtual memory inside a virtual machine?

For example, a host machine w/8 Gig of memory, I could run 4 VMs each w/2 Gig (roughly) and there would be no host swapping. However, in each VM I could have a 2Gig page file so the virtual server had 4Gig of usable memory, 2 physical 2 virtual.

OR... I could give each VM 4 Gig of "memory" and have the host use 8Gig of real memory and 8G of virtual memory and have no page file in each VM. Each VM would still have "4Gig" but the paging would occur on the host.

The warm-fuzzy part of me says setup paging in each guest like you would a real server and you're good. But the analytical side of me sees two major advantages to overcommitting the host memory and having no paging in the VM. First, the IO for the virtual memory is then handled by the host OS, which is closer to the bare metal, so it should be quicker. And second, paging would only be required if the host didn't have the memory available. If the guest wanted 4Gig, but other guests weren't using their memory then no paging would be required.

Thoughts?

Win 2003 R2 setup. I can push the printer via group policy, and pushprinterconnections.exe, but the printer isn't set as the default printer. Any ideas on how to set the default printer for an XP box via group policy?