Our domain is trusting an external domain (not in the same forest) and we need to add a group from the external domain into the Domain Admins group of our domain.

I understand that the Domain Admins group is a global group, so we cannot add groups from other domains into it. But I have seen several workarounds on the internet, but none of these seem to work in our situation.

I tried creating a universal group and a domain local group, but I cannot add either of these to the Domain Admins group and only the domain Local groups lets me add accounts from the external trusted domain.

• Global security group (e.g. Domain Admins)

  • Can add Domain Local group: No
  • Can add Global group: Yes
  • Can add Universal group: No
  • Can add from trusted domain: No

• Universal security group (e.g. Enterprise Admins)

  • Can add Domain Local group: No
  • Can add Global group: Yes
  • Can add Universal group: Yes
  • Can add from trusted domain: No

• Domain Local security group (e.g. Administrators)

  • Can add Domain Local group: Yes
  • Can add Global group: Yes
  • Can add Universal group: Yes
  • Can add from trusted domain: Yes

               |      Group can contain members of type                 |
| Group type   | Global | Universal | Domain local | Trusted Foreigners |
|--------------|--------|-----------|--------------|--------------------|
| Global       | Yes    |           |              |                    |
| Universal    | Yes    | Yes       |              |                    |
| Domain local | Yes    | Yes       |              | Yes                |

The Global Domain Admins group can only contain other Global groups.

And Global groups cannot seems to directly (or indirectly) contain principles from foreign domains.

Workaround

How can I add a group to the Administrators group on every machine in the domain?

Cannot work; a Domain local group cannot contain other Domain local groups.

The only workaround i can see is manually create duplicate accounts for every user in the local domain

Cons: decreased network security, lower user productivity, complicates administration, worse administrative control, inconsistent policies, increased TCO.

Bonus Chatter

From Application Specification for Microsoft Windows Server, Chapter 5. Security Services:

Single Sign-On (SSO) allows enterprise network users to seamlessly access all authorized network resources, on the basis of a single authentication that is performed when they initially access the network. SSO can improve the productivity of network users, reduce the cost of network operations, and improve network security.

• Better network security. All SSO methods available under Windows provide secure authentication and provide a basis for encrypting the user's session with the network resource. Eliminating multiple passwords also reduces a common source of security breaches - users writing down their passwords.

• Improved user productivity. Users are no longer required to remember multiple logons, nor are they required to remember multiple passwords in order to access network resources. This is also a benefit to help desk personnel, who need to field fewer requests for forgotten passwords.

• Simpler administration. SSO-related tasks are performed transparently as part of normal maintenance, using the same tools that are used for other administrative tasks.

• Better administrative control. All SSO-specific information is stored in a single repository, the Active Directory. Because there is a single, authoritative listing of each user's rights and privileges, the administrator can change a user's privileges and know that the results will propagate network wide.

• Consolidation of heterogeneous networks. By joining disparate networks, administrative efforts can be consolidated, ensuring that administrative best practices and corporate security policies are being consistently enforced.

Bonus Reading

• Group scope (archive)

Short version

Long Version

Window Server 2012 DHCP server is currently configured as:

• Subnet: 10.0.x.x (e.g. 10.0.0.0/16)
• Dynamic IP Range: 10.0.0.12 - 10.0.0.120

This is done to limit dynamically assigned addresses to a small range on the subnet (and not overlap into other ranges).

I would like to add another address range to pool of available ranges that DHCP can pull from on our 10.0.x.x subnet:

DHCP Address Pool

• 10.0.0.12 - 10.0.0.200
• 10.0.27.12 - 10.0.27.150

Of course you can't do that because:

Of course it doesn't conflict; it's just being stubbon.

I want the DHCP server to offer addresses from a pool of two ranges on the 10.0.x.x subnet:

DHCP Address Pool

• 10.0.0.x
• 10.0.27.x

How do i do that?

Workaround

i suppose i could do it with exclusions:

• Range: 10.0.0.0 - 10.0.255.255
• Exclude: 10.0.0.0 - 10.0.0.11
• Exclude: 10.0.0.151 - 10.0.0.255
• Exclude: 10.0.1.0 - 10.0.26.255
• Exclude: 10.0.27.0 - 10.0.27.11
• Exclude: 10.0.27.151 - 10.0.26.255
• Exclude: 10.0.28.0 - 10.0.255.255

But that idea is so dumb that I won't even bring it up.

Bonus Reading

• How to add extra range of IP in DHCP of Windows Server 2008 R2 (archive)
• Adding another IP Range to DHCP (archive)
• KB255999 - Increasing the number of IP addresses on a subnet in DHCP Server

Bonus Chatter

How does DHCP work?

Dynamic host configuration protocol can be used to automatically configure network devices with information they need:

• Network subnet mask (e.g. 255.255.0.0)
• DNS server (e.g. 10.0.42.7, 10.0.13.29)
• Domain name (e.g. stackoverexchange.com)
• Default gateway (e.g. 10.0.241.1)

In addition to being able to configure host options, it can automatically give clients an IP address. The DHCP server is given a block of IP addresses it can assign to clients, e.g.:

• 10.0.0.12 -10.0.0.100
• 10.0.0.200 - 10.0.0.245
• 10.0.3.100 - 10.0.3.200

And when a client shows up needed an IP address, it looks in it's available pool of addresses, picks one, and gives it to the machine:

• 10.0.0.12 - Unassigned
• 10.0.0.13 - Unassigned
• 10.0.0.14 - Unassigned
• ...
• 10.0.0.98 - Unassigned
• 10.0.0.99 - Unassigned
• 10.0.0.100 - Unassigned
• 10.0.0.200 - Unassigned
• 10.0.0.201 - Unassigned
• 10.0.0.202 - Unassigned
• ...
• 10.0.0.243 - Unassigned
• 10.0.0.244 - Unassigned
• 10.0.0.245 - Unassigned
• 10.0.3.100 - Unassigned
• 10.0.3.101 - Assigned to de-ad-be-ef-ba-ad (IANBOYD)
• 10.0.3.102 - Unassigned
• ...
• 10.0.3.198 - Unassigned
• 10.0.3.199 - Unassigned
• 10.0.3.200 - Unassigned

I want to add more ranges of IPs to the available pool of IPs to be assigned.

Other DHCP servers do it

Of course other DHCP servers can do this:

But i already know how to do it in other DHCP servers. I'm asking how to do it in the DHCP server that ships with Windows Server 2012.

If Windows Server 2012 DHCP server cannot do it: it's ok to say it:

It cannot be done; Windows Server 2012 does not support this feature that other DHCP servers support.

But i'm hoping it does support it. DHCP has been around a long time; and Microsoft has had a long time to get it right.

Normally in Windows, you can create a Virtual Hard Disk (VHD), see it in the Disk Management, right-click, and remove it:

No problem.

Storage Spaces Hides Disks

I want to test the resiliency of Storage Spaces, and the ability to migrate them between servers. Once a disk has been added to a Storage Pool, it no longer appears in Disk Management. I need to surprise remove a VHD from the server, but there's no UI option to do it.

If i were using a physical disk, it would be trivial to disconnect the drive from the computer (thus ensuring that Storage Spaces doesn't expect it, and has no chance to rebalance beforehand):

How to unplug a vhd?

But once a disk is added to a storage pool, there is no longer any UI options for that disk. I don't want to use the Storage Spaces UI to Remove a physical disk from the pool:

Because:

• storage spaces will migrate data from that disk onto other disks in the pool (defeating the point of a surprise removal)
• storage spaces will migrate data from that disk onto other disks in the pool (defeating the point of the test of migrating disks to another server)

I need the surprise removal

In the same way i can unplug a physical hard disk, how do i unplug a virtual hard disk?

Microsoft has the exact PowerShell commandlet to disconnect a vhd:

Dismount-VHD

Dismounts a virtual hard disk.

PS C:> Dismount-VHD –Path c:\test\testvhdx.vhdx

Unfortunately it doesn't work - for the same reason. The VHD is "gone", "invisible", absorbed into the Storage Pool, gone from any ability to interact with it:

PS C:\Windows\system32> Dismount-VHD –Path D:\VirtualMachines\StorageSpaceTest\StorageSpaceTest1.vhdx
Dismount-VHD : Windows cannot dismount the disk because it is not mounted.
At line:1 char:1
+ Dismount-VHD –Path D:\VirtualMachines\StorageSpaceTest\StorageSpaceTest1.vhdx
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (Microsoft.Vhd.P...mountVhdCommand:DismountVhdCommand) [Dismount-VHD], VirtualizationOperationFailedException
    + FullyQualifiedErrorId : InvalidParameter,Microsoft.Vhd.PowerShell.DismountVhdCommand

It seems once a VHD has been added to a storage pool, it cannot be dismounted.

How do i dismount a VHD that has been added to a storage pool?

DiskPart

The command line tool diskpart has a command to detach a virtual disk:

DISKPART> select vdisk file="F:\Foo\Contoso37.vhd"

DiskPart successfully selected the virtual disk file.

DISKPART> detach vdisk

Virtual Disk Service error:
The virtual disk is already detached.

But it fails for the same reason, the .vhdx has already been "detached" when it went into the StoragePool.

Bonus Chatter

The current VHDX files are sitting in D:\..., which itself is a Parity Space. I cannot simply turn off the PC and simply rename the files. Not only is turning off the server not a viable option right now, it defeats the point of the test: having Storage Spaces react while it is running

Edit: Same thing happens in Windows Server 2016

i meant to assign an SQL Server login to the

• db_datareader
• db_datawriter

database roles. But if a moment of sore tummy and tiredness, i accidentally give that user schema ownership of them instead:

Ignoring for the moment what it can conceptually mean for a user to "own" those two built-in schemas. And ignoring for the moment if it is even a problem if a user owns those two schemas (e.g. if i want to delete the users will the built-in schemas go with it).

My question is: How do i undo it?

i randomly hit keys on my keyboard, and it came out:

ALTER AUTHORIZATION ON SCHEMA::[db_datareader] TO [db_datareader]F5

But that didn't do anything; so now it's time to consult the experts.

Microsoft SQL Server 2005 - 9.00.5057.00 (Intel X86) Mar 25 2011 13:50:04 Copyright (c) 1988-2005 Microsoft Corporation Standard Edition

i am trying to perform an INSERT operation against a linked server:

DBCC TRACEON (3604, 7300)

BEGIN TRANSACTION

INSERT INTO LIVE.Contoso.dbo.Events (EventGUID, EventDate, LoginGUID, UserGUID, EventType, Notes, TargetGUID) 
VALUES ('{494D023F-CD5A-11E2-9F18-C86000D0B92A}', getdate(), '{3B4F90C0-CD5A-11E2-9F18-C86000D0B92A}', '{494D023D-CD5A-11E2-9F18-C86000D0B92A}', 1, N'Test notes', '{494D023E-CD5A-11E2-9F18-C86000D0B92A}')

ROLLBACK TRANSACTION

and it returns the error:

OLE DB provider "SQLNCLI" for linked server "LIVE" returned message "Cannot start more transactions on this session.".
Msg 7395, Level 16, State 2, Line 3
Unable to start a nested transaction for OLE DB provider "SQLNCLI" for linked server "LIVE". A nested transaction was required because the XACT_ABORT option was set to OFF.

This local database was moved from 2000 (where queries worked) to 2005 (where queries no work). The remote server is 2008 R2.

What have you tried?

The exhaustive list of things from this question that i asked two years ago.

How did you create the linked server?

--EXEC master.dbo.sp_dropserver @server = N'LIVE'
EXEC master.dbo.sp_addlinkedserver @server = N'LIVE', @srvproduct=N'', @provider=N'SQLOLEDB', @datasrc=N'vader'
EXEC master.dbo.sp_addlinkedsrvlogin @rmtsrvname = N'LIVE', @locallogin = NULL, @useself = N'False', @rmtuser = N'Contoso', @rmtpassword = N'Battery Horse Staple Correct'

But what have you tried?

• i disabled all MSDTC security options on both servers

  

• checked that the clocks are in sync (which for some unknown reason will break various authentication schemes if they're out of sync)

  

• i disabled firewalls on both servers (no screenshot; you'll have to just trust me)

• leaving the rejoining the domain

What are the versions of the servers?

• Local: Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86) Oct 14 2005 00:33:37 Copyright (c) 1988-2005 Microsoft Corporation Enterprise Edition on Windows NT 5.2 (Build 3790: Service Pack 2)
• Linked remote: Microsoft SQL Server 2008 R2 (SP2) - 10.50.4000.0 (X64) Jun 28 2012 08:36:30 Copyright (c) Microsoft Corporation Enterprise Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601: Service Pack 1) (Hypervisor)

i'm trying to install Windows Server 2012, and i'm being prompted that the Administrator account password does not meet the password security requirements:

The password you typed does not meet the password complexity requirements set by the administrator for your network or group. Get the requirements from your administrator, and then type a new password.

Now since Windows Server hasn't even been installed yet, there is no administrator who has set anything.

So what i need is a way to alter the Windows Server 2012 password complexity requirements before a server has been installed (i.e. before i can configured the password complexity requirements).

How do i alter the Windows Server 2012 password complexity requirements, to meet my password complexity requirements - before installing Windows Server 2012?

SQL Server Management Studio sits stuck, after scripting all objects in a database. Except it didn't script all objects in a database.

i scripted all the objects in an SQL Server 2008 database from SQL Server Management Studio (three times):

And it says it scripted all the objects, except it never actually completes - sitting there stuck:

It does manage to script three objects:

But not all the objects.

You'll notice:

• the UI says it sucessfully scripted all 189 objects
• the UI is stuck; the Close button is disabled
• the folder that contains the "successfully" scripted database objects doesn't contain all the successfully scripted database objects.

Which begs the question:

How do i script the objects of an SQL Server 2008 databasein SSMS?

Update: It can script any VIEW, STORED PROCEDURE, or FUNCTION, without issue. But if i choose to script just the first table, it fails:

It also fails if i script tables:

• A - M
• O - Z
• A - G

This never-ending bug was the reason we bought SQL Compare four years ago; you couldn't trust Microsoft's tool to script a database correctly (silently omitting tables).

Update: Scripting options

Here's the set of scripting options in use

• ANSI Padding: True
• Append to File: False
• Continue scripting on Error: False
• Convert UDDTs to Base Types: False
• Generate Script for Dependent Objects: False
• Include Descriptive Headers: True
• Include If NOT EXISTS: False
• Include system constraint names: False
• Schema qualify object names.: True
• Script Bindings: False
• Script Collation: True
• Script Create: True
• Script Defaults: True
• Script Drop: False
• Script Extended Properties: True
• Script for Server Version: SQL Server 2008
• Script Logins: False
• Script Object-Level Permissions: False
• Script Statistics: Script statistics
• Script USE DATABASE: True
• Script Change Tracking: False
• Script Check Contraints: True
• Script Data: False
• Script Data Compression Options: False
• Script Foreign Keys: True
• Script Full-Text Indexes: True
• Script Indexes: True
• Script Primary Keys: True
• Script Triggers: True
• Script Unique Keys: True

• My related question from 4 years ago: SQL Server Management Studio not scripting all objects

i have a user in Active Directory that i cannot delete:

If i try to delete:

i get the error:

If i try to rename the user, i get the error:

If i try to view Properties of the user, i get the error:

What's up with that?

From the SQL Server 2008 R2 Books Online:

Server Memory Options

When SQL Server is using memory dynamically, it queries the system periodically to determine the amount of free physical memory. SQL Server uses the memory notification API QueryMemoryResourceNotification to determine when the buffer pool may allocate memory and release memory.

From the SQL Server 2005/2008 Books Online:

Server Memory Options

When SQL Server is using memory dynamically, it queries the system periodically to determine the amount of free physical memory. Under Microsoft Windows 2000, SQL Server grows or shrinks the buffer cache to keep free physical memory between 4 MB and 10 MB depending on server activity. Maintaining this free memory prevents Windows 2000 from paging. If there is less memory free, SQL Server releases memory to Windows 2000.

Under Windows Server 2003, SQL Server uses the memory notification API QueryMemoryResourceNotification to determine when the buffer pool may allocate memory and release memory.

i understand that SQL Server manages its own memory usage. If the server gets low of free memory, SQL Server releases some memory (starving itself). This is the default, ideal, preferred behavior. But i've seen a lot of situations where SQL Server is not releasing memory when there are other starving applications (i.e. suffering from large amounts of paging faults).

Then i found mention that it can take days for SQL Server to actually release memory:

Professional Microsoft SQL Server 2008 Administration, Memory Usage

SQL Server is one of the best behaved server applications available. When the operating system triggers the low memory notification event, SQL will release memory for other application to use, actually starving itself of memory if another memory-greedy application is running on the machine. The good news is that SQL will only release a small amount of memory at a time, so it may take hours, and even days, before SQL will start to suffer. Unfortunately, if the other application desperately needs more memory, it can take hours before SQL frees up enough memory for the other application to run without excessive paging.

Does this sound right? SQL Server is a well-behaved server application that will cripple a server for days?

Is there an option (aside from setting an upper-limit on SQL Server memory usage) to speed up the rate at which SQL releases memory?

How can i add a group to the sysadmin fixed server role in SQL Server 2008 R2?

See my related question for details step-by-step screenshots detailing showing that you're not allowed to add groups to the sysadmin role.

Background information

Before SQL Server 2008 R2, members of the local Administrators group were automatically added to the sysadmin fixed server role. Starting with SQL Server 2008 R2 that group is no longer added. The new recommended mechanism is to:

...create a separate Windows group containing the appropriate DBAs and grant that group the sysadmin role in the database.

How do i "grant a Windows group the sysadmin role"?

See also

• Adding a Member to a Predefined Role (SQL2000)

  ...users who are members of the BUILTIN\Administrators group are members of the sysadmin fixed server role automatically.

• Server-Level Roles (SQL2008R2)

• BUILTIN\Administrators member of SYSADMIN fixed server role

Related questions

• Cannot add a user to sysadmin role in SQL Server (you can't)
• How to add sysadmin to user in SQL Server 2008 when no sysadmin accounts exist (reinstall)
• MS SQL Server 2005 server role problem
• SQL Server 2005 Accidentally removed a user from public role, can't add user back into role

When i try to connect to SQL Server (2008 R2) using Windows authentication:

i cannot:

Checking the Windows Application event log, i find the error:

Login failed for user 'AVATOPIA\ian'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors. [CLIENT: ]

• Log Name: Application
• Source: MSSQLSERVER
• Event ID: 18456
• Level: Information
• User: AVATOPIA\ian
• OpCode:
• Task Category: Logon

i can login to the computer itself using Windows authentication. i can log into SQL Server using the local Windows Administrator account.

We can connect to 8 other SQL Servers on the domain using Windows Authentication. Just this one, whitch is the only one that is 2008 R2 is failing. So i assume it's a bug with **2008 R2*.

Note: i cannot logon locally, or remotely, using Windows authentication. i can login locally and remotely using SQL Server Authentication.

Update

Note: It's not limited to SQL Server Management Studio, standalone applications that connect using Windows authentication:

fail:

Note: It's not a client problem, as we can connect fine to other (non-SQL Server 2008 R2 machines):

i'm sure there's a technote or knowledge base article describing why SQL Server 2008 R2 is broken by default, but i can't find it.

Update 2

Matt figure out the change that Microsoft made so that SQL Server 2008 R2 is broken by default:

Administrators are no longer administrators

All that remains is to figure out how to make Administrators administrators.

One of these days i'm going to start a list of changes around Microsoft's "broken by default" initiative.

Steps to reproduce the problem

How do i add a group to the sysadmin fixed server role? Here's the steps i try, that don't work:

1. Click Add:

   

2. Click Object Types:

   

3. Ensure that you have no ability to add groups:

   

   and click OK.

4. Under Enter the object names to select, enter Administrators:

   

5. Click Check Names, and ensure that you are not allowed to add groups:

   

   and click Cancel.

6. Click Browse..., and ensure that you have no ability to add groups:

   

You should now still not have added any group to the sysadmin role.

Additional information

• SQL Server Management Studio is being run as an administrator:

  

• SQL Server is set to use Windows Authentication:

  

• tried while logged into SQL with both sa and the only other sysadmin domain account (screenshot can be supplied for those who don't believe)

How can i update a CLR function (or procedure) assembly dll without having to drop and re-create the assembly in SQL Server (2008 R2)?

As it stands now if i update an assembly (e.g. to add a new function), SQL Server will not honor the updated dll until i drop the assembly:

DROP ASSEMBLY CLRFunctions

Msg 6590, Level 16, State 1, Line 1
DROP ASSEMBLY failed because 'CLRFunctions' is referenced by object 'NormalizeString'.

But before i can drop the assembly, i must first drop all functions that reference it:

DROP FUNCTION NormalizeString
DROP FUNCTION RemoveDiacritics
DROP FUNCTION RemoveCombiningDiacritics
DROP FUNCTION CombineLigatures
....
DROP FUNCTION PseudolocalizeArabic

And then i can drop the assembly:

DROP ASSEMBLY CLRFunctions

Now i have to "create" the assembly:

CREATE ASSEMBLY CLRFunctions FROM 'c:\foos\CLRFunctions.dll';

And now i have to hunt the declaration of all the UDF's that were registered before i deleted them.

i would rather update an assembly, and have SQL Server begin using it.

Update: i randomly tried DBCC FREEPROCCACHE to force a "recompile", but SQL Server still uses the old code.

Update: i deleted the assembly dll CLRFunctions.dll, and SQL Server is still able to run the code (without code that should be impossible).

We have a machine for connecting via Cisco SSL VPN (\\speeder).

i can ping our our speeder on 10.0.0.3:

The routing table on \\speeder shows the multiple IP addresses we have assigned to it:

After connecting with the Cisco AnyConnect VPN client:

we can no longer ping \\speeder:

And while there are new routing entries for the Cisco VPN adapter, no existing routing entries were modified after connection:

It is to be expected that we cannot ping Speeder’s IP address on the Cisco VPN adapter (192.168.199.20) because it is on a different subnet than our network (we are 10.0.x.x 255.255.0.0), i.e.:

C:\Users\ian.AVATOPIA>ping 192.168.199.20
Pinging 192.168.199.20 with 32 bytes of data:
Request timed out.

The problem we are experiencing is that we then cannot ping existing IP addresses on \\speeder:

C:\Users\ian.AVATOPIA>ping 10.0.1.17
Pinging 10.0.1.17 with 32 bytes of data:
Request timed out.

C:\Users\ian.AVATOPIA>ping 10.0.1.22
Pinging 10.0.1.22 with 32 bytes of data:
Request timed out.

C:\Users\ian.AVATOPIA>ping 10.0.1.108
Pinging 10.0.1.108 with 32 bytes of data:
Request timed out.

etc

What’s interesting, and might provide a clue, is that there is one address we can communicate with:

This address we can ping and communicate with:

C:\Users\ian.AVATOPIA>ping 10.0.1.4
Pinging 10.0.1.4 with 32 bytes of data:
Reply from 10.0.1.4: bytes=32 time<1ms TTL=128

What makes this one IP address special? This one IP address has the virtue of being a “main” address:

As opposed the addresses we use, which are “additional” addresses:

To sum up, when the Cisco AnyConnect VPN client connects, it blocks us from all-but-one address associated with the computer.

We need the Cisco Client to stop doing that.

Does anyone know how to make Cisco AnyConnect SSL VPN client stop doing that?

Note: Firepass SSL VPN from F5 Networks does not suffer the same issue.

We've contacted Cisco, and they say that this configuration is not supported.

i am trying to export a virtual machine in Hyper-V.

i click Export, i select a location:

and click Export, and nothing happens:

How do you export a virtual machine in Windows Server 2008 R2 Hyper-V?

Background

When a hard-drive controller detects an error, and needs to remap a sector, the drive normally becomes unresponsive for the seconds (or possibly minutes) it takes to try to complete the re-mapping.

With the drive no longer responding, a host RAID controller can assume that the drive has failed, and mark it as unreliable.

Some hard-drive models, from some manufacturers, have a feature to limit (in seconds) how long the drive will spend trying to remap a sector. Different drive manufacturers give different names to this feature:

• Time-Limited Error Recovery (TLER): Western Digital
• Error Recovery Control (ERC): Seagate
• Command Completion Time Limit (CCTL): Samsung, Hitachi

Note: The correct term from the ATA/ATAPI command set is Command Completion Time Limit (CCTL)

By limiting the time the drive spends trying to recover a sector, it ensures that the host RAID controller will not think that the drive has failed.

Different RAID controllers (hardware and software) have different timeout intervals. If the drive is unresponsive for longer than their timeout it will be marked as offline, e.g.:

• 3ware 9650SE: 20 s
• FreeBSD 6.3 (kern.geom.mirror.timeout): 4 s

On to my question

Is there an option in Windows that controls how long Windows will wait before it decides a drive is not responding?

i do know of a registry setting called TimeoutValue:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Disk\TimeOutValue

• TimeoutValue
  • Location: HKLM\System\CurrentControlSet\Services\Disk\TimeoutValue
  • Values: 1 - 255 seconds
  • Meaning: Time in units of seconds before an SRB request initiated by the disk class driver will time out. If this registry value is not set, a default value of 10 seconds is used. Time-out values for requests that are initiated by class drivers vary according to the class driver.
  • Operating system version: This feature is available in all versions of the Windows operating systems.

But this is only documented as applying to the SCSI Miniport Driver. And even if it also applies to my SATA drives, it doesn't guarantee that it also applies to Window's RAID-5 subsystem.

The reason i ask about adjusting the timeout in my (software) controller is because hard-drive manufacturers have started to get mean-spirited:

• no longer including the ability to limit the error-recovery time
• they intentionally lock one feature of the ATA/ATAPI command set behind a pay-wall.

For that firmware feature they want you to buy the more expensive ("RAID Edition") drives (e.g. 71% more expensive). Thus changing:

• Rᴇᴅᴜɴᴅᴀɴᴛ Aʀʀᴀʏ ᴏꜰ Iɴᴇxᴘᴇɴsɪᴠᴇ Dɪsᴋs¹ (RAID), to
• Rᴇᴅᴜɴᴅᴀɴᴛ Aʀʀᴀʏ ᴏꜰ Exᴘᴇɴsɪᴠᴇ Dɪsᴋs

Bonus Reading

• Disks with TLER / ERC / CCTL & LCC [Table of drives]

See also

• Green drives dropping from RAID, TLER/ERC problems?
• MSDN: Registry Entries for SCSI Miniport Drivers
• StorageReview.com:How to use "desktop" drives in RAID without TLER/ERC/CCTL
• StorageReview.com:TLER / CCTL Disks which can have their TLER / CCTL values changed
• LSI 15639, User Guide for 9650SE 9690SA from 9.5.2 Complete Codeset
• T13 AT Attachment 8 - ATA/ATAPI Command Set (ATA8-ACS) (pdf)
• Western Digital - Difference between Desktop edition and RAID (Enterprise) edition drives

¹ Yes, inexpensive. Source: "A Case for Redundant Arrays of Inexpensive Disks (RAID)", D.A. Patterson, G. Gibson, and R.H. Katz, ACM SIGMOD Conference, June 1988, Chicago IL.

i'm trying to access the shares on a server. The credential box appears, and i enter in a correct username and password, and i get access denied.

The silly thing is that i can Remote Desktop to the server (using the same credentials), and i can check the Security event log for the access denied errors:

Event Type: Failure Audit
Event Source:   Security
Event Category: Account Logon 
Event ID:   681
Date:       3/19/2011
Time:       11:54:39 PM
User:       NT AUTHORITY\SYSTEM
Computer:   STALWART
Description:
The logon to account: Administrator
 by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 from workstation: HARPAX
 failed. The error code was: 3221225578

and

Event Type: Failure Audit
Event Source:   Security
Event Category: Logon/Logoff 
Event ID:   529
Date:       3/19/2011
Time:       11:54:39 PM
User:       NT AUTHORITY\SYSTEM
Computer:   STALWART
Description:
Logon Failure:
    Reason:     Unknown user name or bad password
    User Name:  Administrator
    Domain:     stalwart
    Logon Type: 3
    Logon Process:  NtLmSsp 
    Authentication Package: NTLM
    Workstation Name:   HARPAX 

Looking up the error code (3221225578), i get an article on Technet:

Audit Account Logon Events By Randy Franklin Smith

...

Table 1 - Error Codes for Event ID 681

Error Code  Reason for Logon Failure
3221225578  The username is correct, but the password is wrong.

Which would seem to indicate that the username is correct, but the password is wrong.

i've tried the password many times, uppercase, lowercase, on different user accounts, with and without prefixing the username with servername\username.

What gives that i cannot access the server over file sharing, but i can access it over RDP?

Edit: i tried entering random credentials (i.e. username: ramdom), just to make sure i'm trying to connect to the correct server. The event log on the server shows the failed attempt:

Event Type:   Failure Audit
Event Source: Security
Event Category:   Logon/Logoff 
Event ID: 529
Date:     3/20/2011
Time:     8:40:28 AM
User:     NT AUTHORITY\SYSTEM
Computer: STALWART
Description:
Logon Failure:
  Reason:     Unknown user name or bad password
  User Name:  random
  Domain:     HARPAX
  Logon Type: 3
  Logon Process:  NtLmSsp 
  Authentication Package: NTLM
  Workstation Name:   HARPAX

Edit: Trying all possible LAN Manager Authentication Levels (secpol.msc -> Security Settings -> Local Policies -> Security Options -> LAN Manager Authentication Levels):

• Send LM & NTLM responses: Fails
• Send LM & NTLM - use NTLMv2 session security if negotiated: Fails
• Send NTLM response only (default): Fails
• Send NTLMv2 response only: Fails
• Send NTLMv2 response only\refuse LM: Fails
• Send NTMLv2 response only\refuse LM & NTLM: Fails

(Client: Windows 7. Server: Windows 2000 Server)

How do you grant access to network resources to the LocalSystem (NT AUTHORITY\SYSTEM) account?

Background

When accessing the network, the LocalSystem account acts as the computer on the network:

LocalSystem Account

The LocalSystem account is a predefined local account used by the service control manager.

...and acts as the computer on the network.

Or to say the same thing again: The LocalSystem account acts as the computer on the network:

When a service runs under the LocalSystem account on a computer that is a domain member, the service has whatever network access is granted to the computer account, or to any groups of which the computer account is a member.

How does one grant a "computer" access to a shared folder and files?

Note:

Computer accounts typically have few privileges and do not belong to groups.

So how would i grant a computer access to one of my shares; considering that "Everyone" already has access?

Note: workgroup

| Account        | Presents credentials |
|----------------|----------------------|
| LocalSystem    | Machine$             |
| LocalService   | Anonymous            |
| NetworkService | Machine$             |

i've been attempting to script a database using SQL Server 2005 Management Studio. i cannot get it to script some objects. It scripts others, but skips some.

i can provide detailed screen shots

• the options being selected
• including all tables
• the folder where the script files will go
• the folder being empty before scripting
• the scripting process saying Sucess when scripting a table
• the destination folder no longer empty, with a hundred or so script files
• the script of some tables not being in the folder.

And earlier SSMS would not script some views.

Is this a known thing that the the Generate Scripts task does not generate scripts?

Update

Known issue on Microsoft Connect, but Microsoft couldn't repro the steps, so they closed closed the ticket.

Fails on SQL Server 2005, also fails on SQL Server 2008.

Update Two

Some basic questions:

1.What version of SQL Server?

 Microsoft SQL Server 2000 - 8.00.194 (Intel X86)
 Microsoft SQL Server 2005 - 9.00.3042.00 (Intel X86)
 Microsoft SQL Server 2008 - 10.0.2531.0 (Intel X86)
 Microsoft SQL Server 2008 - 10.0.5768.0 (X64)
 Microsoft SQL Server 2005 Management Studio: 9.00.4035.00
 Microsoft SQL Server 2008 Management Studio: 10.0.1600.22

2.What O/S are you running on?

 Windows Server 2000
 Windows Server 2003
 Windows Server 2008
 Windows Server 2008 R2 Standard

3.How are you logging in to SQL server?

 sa/password
 Trusted authentication

4.Have you verified your account has full access to all objects?

 Yes, i have access to all objects.

5.Can you use the objects that fail to script? (eg: select top(10) * from nonScriptingTable)

 Yes, all objects work fine.
 SQL Server Enterprise Manager can script the objects fine.
 

Update Three

They fail no matter what version of SQL Server you script against. It wasn't a problem in Enterprise Manager:

Client Tools  SQL Server 2000  SQL Server 2005  SQL Server 2008
============  ===============  ===============  ===============
2000          Yes              n/a              n/a
2005          No               No               No
2008          No               No               No

Update Four

No errors found in the database using:

DBCC CHECKDB
go
DBCC CHECKCONSTRAINTS
go
DBCC CHECKFILEGROUP
go
DBCC CHECKIDENT
go
DBCC CHECKCATALOG
go
EXECUTE sp_msforeachtable 'DBCC CHECKTABLE (''?'')'

Honk if you hate SSMS.

Update (four years later): Honk!

How do you disable the password complexity requirements on a Microsoft Hyper-V Server 2008 R2?

Keep in mind that when you log into the server, the only UI you have is:

And you cannot run gpedit.msc:

C:\Users\Administrator>gpedit.msc
'gpedit.msc' is not recognized as an internal or external command, 
operable program or batch file.

because there are no .msc snap-ins installed with Microsoft Hyper-V Server 2008 R2.

The problem comes when you're trying to add an account to the server, so you can manage it, but it doesn't like most passwords:

And, predictably, typing

NET HELPMSG 2245

gives you

The password does not meet the password policy requirements. Check the minimum p
assword length, password complexity and password history requirements.

i hoped it would have been a friendly user experience, and either:

• offered to disable the password policy
• tell me how to disable the password policy
• tell me how to check the minimum password length, password complexity and password history requirements.

Password Complexity Requirements

The Microsoft's default password complexity for Server Core is:

• Passwords cannot contain the user’s account name or parts of the user’s full name that exceed two consecutive characters.
• Passwords must be at least six characters in length.

• Passwords must contain characters from three of the following four categories:

  1.English uppercase characters (A through Z).

  2.English lowercase characters (a through z).

  3.Base 10 digits (0 through 9).

  4.Non-alphabetic characters (for example, !, $, #, %).

External links

• Technet Forums: Hyper-V Server disable complex passwords
• Technet: Passwords must meet complexity requirements of the installed password filter

Update: 2k views? So many people keep coming coming to it: up-vote it!

Windows provides a number of shims to workaround bugs and limitations in programs.

Shims can lie to a program about all kinds of things

• lie about the version of Windows
• lie about a file operation failing
• lie about a registry key that it couldn't open

Is there a shim to lie about the software being run from a Terminal Session (e.g. Remote Desktop)?

i have a piece of software that detects if it is running in a Terminal Session and changes its behaviour accordingly. Another piece of software refuses to run because it is says it's simiply not supported.

And like a program that refuses to run on anything higher than Windows 2000, it can run fine - if it just gives itself a chance.

Is there a "terminal session lie" shim?

Imagine the psuedocode that contains:

static class Program
{
   if (System.Windows.Forms.SystemInformation.TerminalServerSession)
   {
       System.Environment.FastFail("We're too lazy to make our software work under TS.");
   }
   ...
}

Other applications change their behaviour under a terminal session:

//Don't enable animations if we're in a TS window, or on battery
Boolean animationsEnabled = 
        (!System.Windows.Forms.SystemInformation.TerminalServerSession)
        &&
        (System.Windows.Forms.SystemInformation.PowerStatus.PowerLineStatus != 
               PowerLineStatus.Offline);

i want Windows to lie to the application, so that it doesn't think it is running in a Terminal Session/Remote Desktop Session.

This is similar to how other program's don't know how to write version check code, and so fail on anything newer than Windows XP:

static class Program
{
   //Make sure we're on Windows 5.0 or later:
   if (!(WinMajorVersion >= 5) && !(WinMinorVersion >= 0))
       FastFail("Requires Windows XP or later");
}

The above code prompty fails on Windows versions 6.0 - which is exactly the reason why version lie shims exist.