Kev's questions

Does djbdns/tinydns support large TXT records, for example when serving long DKIM keys?

I'm aware of RFC 4408 section 3.1.3 and RFC 1035 section 3.3.14:

https://www.rfc-editor.org/rfc/rfc4408#section-3.1.3

https://www.rfc-editor.org/rfc/rfc1035#section-3.3.14

Which both suggest that a TXT record can be split into multiple character strings to permit long (>255 characters) records to be served.

I also bumped into this question during my research:

https://serverfault.com/questions/255580/how-do-i-enter-a-strong-long-dkim-key-into-dns

I've attempted both approaches mentioned in the accepted answer, with and without surrounding parenthesis.

But djbdns refuses to to serve these records correctly. For example, when querying my domainkey record using nslookup I get:

mail03._domainkey.zygonia.net   text =

    ""v=DKIM1; k=rsa; p=" "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7UNgSlnndT9JY0soSjxLhFFnvAeVN8b6Y3oKctAunNltMjvXfTD37doER8a9xwEOIXkGPgxJ5UPb/KndvHiIo+j8AScoIZCW"
    "glFWp4AUoKlQkKP7o7vwFnWypU+DmcJAtyuhZ9X5yzag37cVR"
    "YD4icd02yAETLbIpv1mnMUFkTnkdmtSa5gL2cLUueUOValoENwkWTcZR" "+kraTEU/VDPI"
    "RgNBu6OJmQdk0sv4qdkwVVvxvquT4C/SimQDoDaQwlFCp2sBryXyaNSRCaAhRxPaKUpKsPmubW0SJF2nQZ3DprJQcaRQLd9Qgxz+V+XaseaXXWPy+6"
    "tB6BlPFk5FwIDAQAB""

*** Error: record size incorrect (515 != 419)

*** ns0.example.net can't find mail03._domainkey.zygonia.net: Unspecified error

This is with a DKIM TXT record that looks like:

"v=DKIM1; k=rsa; p=" "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7UNgSlnndT9JY0soSjxLhFFnvAeVN8b6Y3oKctAunNltMjvXfTD37doER8a9xwEOIXkGPgxJ5UPb/KndvHiIo+j8AScoIZCW1glFWp4AUoKlQkKP7o7vwFnWypU+DmcJAtyuhZ9X5yzag37cVRGYD4icd02yAETLbIpv1mnMUFkTnkdmtSa5gL2cLUueUOValoENwkWTcZR" "+kraTEU/VDPIrRgNBu6OJmQdk0sv4qdkwVVvxvquT4C/SimQDoDaQwlFCp2sBryXyaNSRCaAhRxPaKUpKsPmubW0SJF2nQZ3DprJQcaRQLd9Qgxz+V+XaseaXXWPy+6rtB6BlPFk5FwIDAQAB"

The raw djbdns data record looks like:

:mail03._domainkey.zygonia.net:16:\642"v=DKIM1;\040k=rsa;\040p="\040"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7UNgSlnndT9JY0soSjxLhFFnvAeVN8b6Y3oKctAunNltMjvXfTD37doER8a9xwEOIXkGPgxJ5UPb\057KndvHiIo+j8AScoIZCW1glFWp4AUoKlQkKP7o7vwFnWypU+DmcJAtyuhZ9X5yzag37cVRGYD4icd02yAETLbIpv1mnMUFkTnkdmtSa5gL2cLUueUOValoENwkWTcZR"\040"+kraTEU\057VDPIrRgNBu6OJmQdk0sv4qdkwVVvxvquT4C\057SimQDoDaQwlFCp2sBryXyaNSRCaAhRxPaKUpKsPmubW0SJF2nQZ3DprJQcaRQLd9Qgxz+V+XaseaXXWPy+6rtB6BlPFk5FwIDAQAB":600

Is djbdns a lost cause when it comes to long TXT records?

Whilst auditing disk space on our Windows 2008R2 farm we noticed that some servers had quite large C:\Windows\Logs\CBS\CBS.log files (~1.5GB).

I was under the impression that this particular log file would be periodically compressed into CbsPersist_yyyymmddtttttt.cab (where y,m,d,t are year, month day and time respectively) files to reduce space used.

Can I safely delete these large CBS.log files?

If my understanding about CBS.log being periodically compressed is correct, why isn't this happening on my servers?

Whilst preparing a new Windows 2012R2 server for production I needed to install a (GlobalSign Domain) SSL certificate for the website powering our application. I did this by generating a certificate request, submitting to GlobalSign, then completing the request using the PEM formatted issued certificate.

Normally I would also have to go and grab the relevant GlobalSign DomainSSL intermediate certificate and install that as well. However the relevant intermediate certificate seemed to get automatically installed as soon I configured my IIS site bindings.

I know for a fact that the intermediate certificate wasn't present in the local computer certificate store under:

Intermediate Certification Authorities -> Certificates

...in the Certificates MMC snap-in.

I checked first and then when it magically appeared I ran through my SSL certificate .pfx import and IIS binding config on a virgin 2012R2 server and confirmed that the intermediate certificate had indeed automatically been installed.

I don't remember this happening with Windows 2008/R2. Is this a new feature, or something that is turned on by default that wasn't previously?

Update:

HBruijn's answer explains away the appearance of the intermediate certificate on my second "virgin" server mentioned above. I did indeed export the certificate as a .pfx file and imported it on the other server. Checking with the openssl tool reveals the presence of the root and intermediate certs.

However... on the original server I completed a pending certificate request and only loaded the "PEM" formatted certificate. This does not include the root/intermediate certificates (I checked with openssl).

I am trying to use the GroupPolicy PowerShell module to manipulate and read local group policy settings on a standalone Windows 2012R2 server.

When I try to execute the Get-GPOReport cmdlet:

Get-GPOReport -All -ReportType Xml

I get the following error:

Get-GPOReport : Current security context is not associated with an Active Directory domain or forest. At line:1 char:1
+ Get-GPOReport -ReportType Xml -all
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-GPOReport], ActiveDirectoryOperationException
+ FullyQualifiedErrorId : System.DirectoryServices.ActiveDirectory.ActiveDirectoryOperationException,Microsoft.GroupPolicy.Commands.GetGpoReportCommand

I've also tried specifying my server name as well:

Get-GPOReport -ReportType Xml -all -server devserver01

But I get the same error.

I am logged in as Administrator on this server whilst running these commands. I also have the Group Policy Management Console installed which is a pre-requisite.

The error message:

Current security context is not associated with an Active Directory domain or forest.

Suggests I should be logged in as a Domain user, but as I mentioned this is a standalone server that is not part of an AD domain.

Is it not possible to use the GroupPolicy module cmdlets on a standalone server?

I have a Windows 2008R2 server that's reporting the following error:

The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume \Device\HarddiskVolume2.

Using Powershell and WMI how do I identify which volume this is when querying Win32_Volume.

For example if I do:

Get-WmiObject Win32_Volume

I get a list of all the volumes on the server, however none of the Win32_Volume class properties use (what appears be) this "friendly" name - \Device\HarddiskVolume2. I can see there's a DeviceID property which returns a value like this:

DeviceID    : \\?\Volume{4bc3df2a-65c7-11e0-9c33-806e6f6e6963}\

There's also a Name property but that's just the drive letter assigned to the volume. None of the other properties have a value remotely resembling what is reported in the event log.

I know I could parse the output from fltmc volumes or DISKPART to get this information, but there must be a way to obtain this using WMI in a PowerShell script.

I have also looked at the Win32_DiskDrive, Win32_DiskPartition and Win32_LogicalDisk classes but there is no mention of property values resembling \Device\HarddiskVolume2.

The following logstash configuration is used to accept Windows Event Logs as json over a TCP connection and then after some filtering forward the result to Elastic search (source: https://gist.github.com/robinsmidsrod/4215337):

input {
    tcp {
        type => "syslog"
        host => "127.0.0.1"
        port => 3514
    }
    tcp {
        type   => "eventlog"
        host   => "10.1.1.2"
        port   => 3515
        format => 'json'
    }
}

# Details at http://cookbook.logstash.net/recipes/syslog-pri/
filter {

# Incoming data from rsyslog
    grok {
        type      => "syslog"
        pattern   => [ "<%{POSINT:syslog_pri}>(?:%{SYSLOGTIMESTAMP:syslog_timestamp}|%{TIMESTAMP_ISO8601:syslog_timestamp8601}) %{SYSLOGHOST:syslog_hostname} %{PROG:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" ]
        add_field => [ "received_at", "%{@timestamp}" ]
        add_field => [ "received_from", "%{@source_host}" ]
    }
    syslog_pri {
        type => "syslog"
    }
    date {
        type                 => "syslog"
        syslog_timestamp8601 => "ISO8601" # RSYSLOG_ForwardFormat
        syslog_timestamp     => [ "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
    mutate {
        type         => "syslog"
        exclude_tags => "_grokparsefailure"
        replace      => [ "@source_host", "%{syslog_hostname}" ]
        replace      => [ "@message", "%{syslog_message}" ]
    }
    mutate {
        type   => "syslog"
        remove => [ "syslog_hostname", "syslog_message", "syslog_timestamp", "syslog_timestamp8601" ]
    }

# Incoming Windows Event logs from nxlog
    # The EventReceivedTime field must contain only digits, or it is an invalid message
    grep {
        type              => "eventlog"
        EventReceivedTime => "\d+"
    }
    mutate {
        # Lowercase some values that are always in uppercase
        type      => "eventlog"
        lowercase => [ "EventType", "FileName", "Hostname", "Severity" ]
    }
    mutate {
        # Set source to what the message says
        type   => "eventlog"
        rename => [ "Hostname", "@source_host" ]
    }
    date {
        # Convert timestamp from integer in UTC
        type              => "eventlog"
        EventReceivedTime => "UNIX"
    }
    mutate {
        # Rename some fields into something more useful
        type   => "eventlog"
        rename => [ "Message", "@message" ]
        rename => [ "Severity", "eventlog_severity" ]
        rename => [ "SeverityValue", "eventlog_severity_code" ]
        rename => [ "Channel", "eventlog_channel" ]
        rename => [ "SourceName", "eventlog_program" ]
        rename => [ "SourceModuleName", "nxlog_input" ]
        rename => [ "Category", "eventlog_category" ]
        rename => [ "EventID", "eventlog_id" ]
        rename => [ "RecordNumber", "eventlog_record_number" ]
        rename => [ "ProcessID", "eventlog_pid" ]
    }
    mutate {
        # Remove redundant fields
        type   => "eventlog"
        remove => [ "SourceModuleType", "EventTimeWritten", "EventTime", "EventReceivedTime", "EventType" ]
    }
}

output {
    elasticsearch {
        embedded => true
    }
    graphite {
        # Ping the graphite server every time a syslog message is received
        type => "syslog"
        port => 2023     # carbon-aggregator
        metrics => [ "syslog.received.%{@source_host}.count", "1" ]
    }
    graphite {
        # Ping the graphite server every time an eventlog message is received
        type => "eventlog"
        port => 2023     # carbon-aggregator
        metrics => [ "eventlog.received.%{@source_host}.count", "1" ]
    }
}

What is the significance of the @ prefix on some field names at lines 58 and 68? i.e. @source_host and @message on these mutate filters:

mutate {
    # Set source to what the message says
    type   => "eventlog"
    rename => [ "Hostname", "@source_host" ]
}

and

mutate {
    # Rename some fields into something more useful
    type   => "eventlog"
    rename => [ "Message", "@message" ]
    rename => [ "Severity", "eventlog_severity" ]
    rename => [ "SeverityValue", "eventlog_severity_code" ]
    rename => [ "Channel", "eventlog_channel" ]
    rename => [ "SourceName", "eventlog_program" ]
    rename => [ "SourceModuleName", "nxlog_input" ]
    rename => [ "Category", "eventlog_category" ]
    rename => [ "EventID", "eventlog_id" ]
    rename => [ "RecordNumber", "eventlog_record_number" ]
    rename => [ "ProcessID", "eventlog_pid" ]
}

On one of our older Windows 2003 Servers we need to run the Indexing Service and Windows Search. The problem is that the windows.edb file has grown quite large.

I want to move these and related files to D:\IndexService. To do this you can change the index location using the Advanced Options of the Indexing Options control panel applet:

(via: Old New Thing http://blogs.msdn.com/b/oldnewthing/archive/2009/11/18/9923996.aspx)

I did the following:

1. Stopped Index Service then stopped Windows Search.

2. Copied the contents of C:\Documents and Settings\All Users\Application Data\Microsoft\Search to D:\IndexService\Search.

3. Updated the Index Service Advanced Options -> New Location and pointed at the D:\IndexService path and OK'd my way out back to the control panel (see image above).

4. I restarted the Index Service and Windows Search

This seems not have worked and from the time stamps on the windows.edb file I can see that it is still being updated in it's original location on the C: drive.

I also notice that if I open the Indexing Options control panel applet and click on Advanced Options, it still says that the current location is on C: and that the new location (d:\IndexService) will be used after the service is restarted. However restarting the service hasn't made any difference.

Can anyone point out where I've taken a wrong turn?

I have a Windows 2008R2 server running NSClient++. For some reason the service has got its knickers in a twist and stopped responding to Nagios polling.

When I tried to restart the service the service manager takes a long time to try and kill the service then eventually gives up with a message along the lines of "the service took too long to respond". But...it also starts a new instance of the service.

If I look in Task Manager or tasklist I can now see two instances of nsclient++.exe running.

I tried to kill both of these using:

• right click and "End Process" in task manager - pretends to kill the process and reports no errors (for example Access Denied) but the process is still there.

• taskkill /PID <proc id> /F - reports SUCCESS: The process with PID 6672 has been terminated. but the process is still running.

• downloaded SysInternals PsTools and ran pskill <PID> - reports Process <PID> killed - yet the process is still there.

• execute at hh:mm pskill <PID> to get pskill to do this as the SYSTEM account ... and you guessed it the process is still running.

All of the above were run in an Administrator command prompt.

Other than a reboot which is not really ideal (the box is a fairly mission critical production server), what else can I try?

The server isn't under any resource pressure (memory, CPU, disk etc) and everything running on it is chugging along just fine.

As quick look at the threads tab in SysInternals Process Explorer shows that all of these nsclient++.exe instances are stuck unloading:

As an aside, I also tried killing all of the TCP connections for these zombie(?) processes (with TCPView) in the hope that I could start a new instance and it would be able to grab port 5666. Then we could reboot the server when things are quieter, but alas that didn't work.

We have a customer with a site running on Apache. Recently the site has been seeing increased load and as a stop gap we want to shift all the static content on the site to a cookieless domains, e.g. http://static.thedomain.com.

The application is not well understood. So to give the developers time to amend the code to point their links to the static content server (http://static.thedomain.com) I thought about proxying the site through nginx and rewriting the outgoing responses such that links to /images/... are rewritten as http://static.thedomain.com/images/....

So for example, in the response from Apache to nginx there is a blob of Headers + HTML. In the HTML returned from Apache we have <img> tags that look like:

<img src="/images/someimage.png" />

I want to transform this to:

<img src="http://static.thedomain.com/images/someimage.png" />

So that the browser upon receiving the HTML page then requests the images directly from the static content server.

Is this possible with nginx (or HAProxy)?

I have had a cursory glance through the docs but nothing jumped out at me except rewriting inbound urls.

Nagios check notification intervals must be >= to a check interval because this prevents Nagios from sending out false alarm notifications should a service return to an UP status between checks. I understand the reasoning behind that.

We have a number of checks that run every 30 minutes. This means that if a check fails only one notification is sent out each time the service is checked after the retries are used up.

What I need is to be able to keep pestering the duty admin pager every two minutes after a check has gone HARD DOWN/CRITICAL. I can't do this because the next notification will only go out on the next check i.e. in another 30 minutes.

A feature we had on our old monitoring system was to set a new lower check interval as soon as the check had gone HARD DOWN/CRITICAL. This meant we could keep rechecking every two minutes (and sending alerts) until the alert was acknowledged by a human or changed its status to UP, after which the check interval would revert to 30 minutes.

Is there a way to facilitate this on Nagios?

I've had some thoughts about writing an event handler which will reschedule a check for two minutes in the future after a check has gone HARD DOWN/CRITICAL (by directly sending a command to Nagios).

I'm wondering if anyone else has had to do a similar thing?

I'm running Nagios Core 3.2.3.

This is related to this question:

Domain Admins group denied access to d: drive

I have a member server in a brand new AD lab environment.

• I have an Active Directory user ADMIN01 who is a member of the Domain Admins group

• The Domain Admins global group is a member of the member server's local Administrators group

• The following permissions are configured on the root of my new D: drive added after the server became a member of the domain:

    Everyone - Special Permissions - This folder only
      Traverse folder / execute file
      List folder / read data
      Read attributes
      Read extended attributes

    CREATOR OWNER - Special Permissions - Subfolders and files only
      Full Control

    SYSTEM - This folder, subfolders and files
      Full Control

    Administrators - This folder, subfolders and files
      Full Control

Under the above ACL's the domain user ADMIN01 can logon and access the D: drive, create folders and files and all is good.

If I remove the Everyone permission from the root of this drive then non-built-in users who are members of the Domain Admins (e.g. ADMIN01) group can no longer access the drive. The domain Administrator account is fine.

Local machine Administrator and the Domain Admin "Administrator" account still have full access to the drive, but any "regular" user who has been added to Domain Admins is denied access.

This happens regardless of whether I created the volume and removed the Everyone permission logged in as the local machine Administrator or whether I perform this logged on as the Domain Admin "Administrator" account.

As mentioned in my previous question, the work around is to disable the "User Account Control: Run all administrators in Admin Approval Mode" policy either locally on the member server or via a domain wide GPO.

Why does removing the Everyone account from D:'s ACL cause this problem for non-built-in users who are granted membership of Domain Admins?

Also why aren't these types of non-built-in Domain Admin users prompted to elevate their permissions rather than just being flat out denied access to the drive?

I have a brand new Active Directory (CORP-AD) installation running on Windows 2008R2. I have a domain controller (PDC01) and a member server (ME01).

The member server has a C: and a D: drive.

Part of our standard build is to remove all permissions from the root of the D: drive except for:

SYSTEM         (Full Control)
Administrators (Full Control)

I created a new domain user ADMIN01 and granted it membership of the Domain Admins group.

Domain Admins is a member of the member server's local Administrators group.

When I logon (via RDP) to the member server ME01 as the domain user ADMIN01 this user cannot access the D: drive. I then tried adding the Domain Admins group with full control to the root of the D: drive but my ADMIN01 user still cannot access the D: drive:

If I logon to ME01 as a local machine administrator I have no trouble accessing the D: drive at all.

I discovered this question which describes more or less the same problem:

Why can't I browse my D: drive, even if I'm in the Administrators group?

The answer suggests correctly that this is a UAC privilege elevation issue but I'm puzzled by this statement, in particular the bold part:

You can modify this behaviour by Group Policy however bear in mind that the default is set that way intentionally - the specific policy you want to change is "User Account Control: Run all administrators in Admin Approval Mode" - you can find details on how to do this in this MSDN article.

Is this suggesting that "User Account Control: Run all administrators in Admin Approval Mode" should not be disabled?

If it's enabled I don't get a UAC challenge with the "Continue" button + shield icon, I'm just plain refused access to the drive. Is this normal?

Certain IIS7/7.5 500.19 configuration errors only render on a browser running on the local server.

This appears to happen regardless of whether I set <httpErrors errorMode="Detailed" existingResponse="PassThrough" /> in the system.webServer section of a site's web.config file (or even globally for that matter).

For example, I had a developer who reported that he was just getting the generic IIS7 500 error page:

This was happening even though he had the following configured in his web.config:

<configuration>
  <system.webServer>
    <httpErrors errorMode="Detailed" existingResponse="PassThrough" />
  </system.webServer>
</configuration>

If I browse to the site on the server itself I see (some sensitive info redacted):

Would the reason for this be that if the web.config has errors it therefore can't be parsed. Because it can't be parsed the local <httpErrors> setting doesn't get read and thus causes IIS to revert to default settings (i.e. DetailedLocalOnly)?

Update:

@LazyOne - suggested setting the above config at the server level which I already tried. This resulted in just raw 500 errors:

I have a simple .NET custom configuration component that allows me to specify a custom configuration group and section in my ASP.NET 2.0 (the web project targets .NET Framework 3.5) web application's web.config file:

In my web.config I have the following declarations:

<configuration>

  <configSections>
    <sectionGroup 
      name="SimpleConfigGroup"
      type="CustomSettingsLib.SimpleConfigGroup, CustomSettingsLib, Version=1.0.0.0, Culture=neutral, PublicKeyToken=7a58d3af5d6768c9">
      <section 
        name="SimpleConfigSection"
        type="CustomSettingsLib.SimpleConfigSection, CustomSettingsLib, Version=1.0.0.0, Culture=neutral, PublicKeyToken=7a58d3af5d6768c9"/>
    </sectionGroup>
  </configSections>

  <SimpleConfigGroup>
    <SimpleConfigSection MySetting="Hello World" />
  </SimpleConfigGroup>

</configuration>

There are a couple of classes that provide access to this custom configuration section that reside in a class library project called CustomSettingsLib:

SimpleConfigGroup.cs:

using System.Configuration;
namespace CustomSettingsLib
{
  public class SimpleConfigGroup : ConfigurationSectionGroup
  {
    [ConfigurationProperty("SimpleConfigSection")]
    public SimpleConfigSection SimpleConfigSection
    {
      get { return (SimpleConfigSection)this.Sections["SimpleConfigSection"]; }
    }
  }
}

SimpleConfigSection.cs:

using System.Configuration;
namespace CustomSettingsLib
{
  public class SimpleConfigSection : ConfigurationSection
  {
    [ConfigurationProperty("MySetting", IsRequired = false)]
    public string MySetting
    {
      get { return (string)this["MySetting"]; }
    }
  }
}

The code to read the MySetting value looks like (Default.aspx.cs):

using System;
using System.Configuration;
using System.Web.Configuration;
using CustomSettingsLib;

namespace WebApplication4
{
  public partial class Default : System.Web.UI.Page
  {
    protected void Page_Load(object sender, EventArgs e)
    {
      Configuration config = WebConfigurationManager.OpenWebConfiguration("/");
      SimpleConfigGroup group = 
              config.GetSectionGroup("SimpleConfigGroup") as SimpleConfigGroup;
      SimpleConfigSection section = group.SimpleConfigSection;
      Response.Write(section.MySetting);
    }
  }
}

This works great and my web application can read the MySetting value from my web.config file.

Because these settings will be used in many web applications on Windows 2008 R2+IIS7.5 I then created an IIS Configuration Schema extension to allow this setting to be edited in IIS Manager's Configuration Editor feature rather than having to hand edit the web.config file.

I added an IIS configuration schema extension file to:

%systemroot%\system32\inetsrv\config\schema

<configSchema>
  <sectionSchema name="SimpleConfigGroup">
    <element name="SimpleConfigSection">
      <attribute name="MySetting" 
                 type="string" 
                 validationType="nonEmptyString" />
    </element>
  </sectionSchema>
</configSchema>

I then added the following section definition to IIS's applicationHost.config file in the <configSections> element:

<section name="SimpleConfigGroup" 
         overrideModeDefault="Allow" 
         allowDefinition="Everywhere" />

The problem I am having is that when I open IIS Manager's Configuration Editor for the site:

Then select SimpleConfigGroup from the section drop down list it reports the following vague error:

"There was an error while performing this operation."
Details:
Filename: \?\e:\sites\site1\web.config
Error:

Here is a screen shot of this error:

If I remove the .NET <sectionGroup> declaration from the site's web.config file I can edit the custom setting just fine using IIS Manager's Configuration Editor. However my web application can't run because the <sectionGroup> config info is required for the custom config section and for .NET to be able to parse the web.config file.

I've tried adding the <sectionGroup> to the root machine.config (and even dropping the configuration assembly into the .NET 2.0 framework assemblies folder) but I get the same error. I also tried signing the configuration assembly thinking there may be a trust issue but that hasn't helped either.

What I find strange is that the usual .NET Framework <configSections> in machine.config don't upset the IIS Manager Configuration Manager, nor do the .NET 3.5 System.Web.Extensions <sectionGroup> definitions in an ASP.NET 2.0 site, e.g. for system.web yet my custom config sections do.

Why is this? Is it a bug in the IIS Manager Configuration Editor?

Update:

Based on Scott's suggestion I added the following to my applicationHost.config file (leaving the sectionGroup/section declaration in the web.config file:

<sectionGroup name="SimpleConfigGroup">
  <section name="SimpleConfigSection" 
           allowDefinition="Everywhere" 
           overrideModeDefault="Allow" />
</sectionGroup>

This generates the following error which is understandable because it's already defined in the web.config file:

I tried removing the sectionGroup/section declaration from the web.config but keeping the above sectionGroup declaration in applicationHost. IIS Manager's Configuration editor no longer lists the SimpleConfigGroup section.

I then tried this in applicationHost.config:

<section 
    name="SimpleConfigGroup" 
    allowDefinition="Everywhere" 
    overrideModeDefault="Allow" 
    type="CustomSettingsLib.SimpleConfigGroup, CustomSettingsLib, Version=1.0.0.0, Culture=neutral, PublicKeyToken=7a58d3af5d6768c9"/>

IIS Manager's Configuration Settings editor can now see the section again without error, but because there is no section declaration in web.config the ASP.NET app throws an " Unrecognized configuration section" exception.

I also tried this in applicationHost.config:

<sectionGroup 
   name="SimpleConfigGroup" 
   type="CustomSettingsLib.SimpleConfigGroup, CustomSettingsLib, Version=1.0.0.0, Culture=neutral, PublicKeyToken=7a58d3af5d6768c9">
  <section 
    name="SimpleConfigSection" 
    overrideModeDefault="Allow" 
    allowDefinition="Everywhere"
    type="CustomSettingsLib.SimpleConfigSection, CustomSettingsLib, Version=1.0.0.0, Culture=neutral, PublicKeyToken=7a58d3af5d6768c9"/>
</sectionGroup>

Again, no dice, ASP.NET throws an " Unrecognized configuration section" exception and IIS Manager's Configuration Editor no longer lists the SimpleConfigGroup section.

Progress:

I reverted to first base and re-instated the web.config config section declaration so that the ASP.NET application could read the custom config values. I deleted the customer schema file from the IIS schema folder and reverted applicationHost.config's configSections section back to factory settings.

One of the things I found interesting is that IIS Manager's configuration editor exposes the system.web settings and whilst there is a schema file for this (ASPNET_schema.xml) the schema sections aren't actually referenced in the applicationHost.config file. This leads me to belief that these files or the sectionSchema names are being handled in a special way.

To this end I unlocked the ASPNET_schema.xml file and added my schema definition:

<sectionSchema name="SimpleConfigGroup">
  <element name="SimpleConfigSection">
    <attribute name="MySetting" 
                     type="string" 
                     validationType="nonEmptyString" />
  </element>
</sectionSchema>

This didn't work and SimpleConfigGroup wasn't visible in IIS Manager's Configuration Editor. But no errors were thrown and the ASP.NET app could still read it's custom config values.

I then tried following the conventions used in the ASPNET_schema.xml schema file and added this instead:

<sectionSchema name="SimpleConfigGroup/SimpleConfigSection">
  <attribute name="MySetting" 
             type="string" 
             validationType="nonEmptyString" />
</sectionSchema>

This actually worked!:

The ASP.NET application continues to function and can read the custom config section AND I can edit the custom config section MySetting value in IIS Manager's Configuration Editor.

I then rolled ASPNET_schema.xml back to factory settings and tried recreating the custom SimpleConfigSchema.xml file in IIS's schema folder using the same definition and this works as well.

This is also without adding a reference to the config section in applicationHost.config.

I'm coming to the conclusion that the guidance on extending the schema where both IIS Manager's config editor AND ASP.NET need to consume the same section is slightly bogus.

I am about to request a hotfix for Windows 2003 Server. As far as I am aware there is no publicly available Service Pack 3. However on the hostfix request page I see this:

I am guessing this is a mistake?

In Windows 2008 (and R2) should I rename the Administrator account or disable it and create a new one?

Will disabling the built-in Administrator account cause any problems, is this still considered best practice?

For example, if I configure the following limits for an Application Pool in the "Recycling" settings:

Virtual Memory: 512Mb
Private Memory: 128Mb - or "used memory" in IIS 6 parlance

Can the process use, say, 90Mb of physical memory but have requested the use of 256Mb of Virtual memory and thus not trigger a recycle?

On my CentOS 5.2 box running Samba (3.0.33-3.29) I created a folder called /upload.

In samba I configured a share like this:

[upload]
        comment = upload folder
        path = /upload
        valid users = kevin root
        public = yes
        writable = yes
        browsable = yes
        create mask = 0777
        directory mask = 0777
        guest ok = yes

I chown'd the /upload folder to my account 'kevin' and checked that I could create files and folders via the shell.

I can browse to the machine from Windows 7, authenticate as 'kevin' and see my home directory share and the upload share but I can't access them.

Windows reports:

Network Error

Windows cannot access \\cos-01\upload

Check the spelling of the name. Otherwise, there might be a problem with your network. To try to identify and resolve network problems, click Diagnose.

Error code: 0x80070035
The network path was not found.

This is a check list of what I've done:

• the account kevin was added to samba using smbpasswd -a kevin and setting my password at the same time. The samba and centos passwords are both the same.
• the server name cos-01 is in the /etc/hosts file i.e.

172.0.0.1  localhost localhost.localdomain
172.17.3.90  cos-01

• I've also set the netbios name in /etc/samba/smb.conf
• I configured Windows 7's LAN Manager authentication level to "Send LM & NTLM - use NTLMv2 session security if negotiated"

Update:

I tried accessing the share by both IP address and server name i.e. \cos-01\upload or \172.16.3.90\upload. In both cases I get the same error as detailed above.

I checked the /var/log/samba/smbd.log logfile and see lots of:

[2010/07/02 16:56:10, 0] smbd/service.c:make_connection_snum(1013)
  '/upload' does not exist or permission denied when connecting to [upload] Error was Permission denied

I have a few package installation related questions concerning RPM, YUM and CentOS and getting GCC installed:

1. I've mounted my distribution media on my CentOS 5.2 machine but I can't seem to work out how to point RPM at the media and use that instead of looking to the internet. All the examples I've googled for appear to assume downloading the RPM's from the internet.

2. What does the -ivh switch combo do (I'm guessing -i is for install)? I did man rpm but the switch count and combinations blew my mind.

3. Should I be using YUM instead of RPM?

I'm trying to remotely execute a PowerShell script using PSEXEC. The PowerShell script is called via a .cmd batch file. The reason we do this is to change the execution policy, run the powershell script then reset the execution policy again:

On the remote server do-tasks.cmd looks like:

powershell -command "&{ set-executionpolicy unrestricted}"  
powershell DoTasks.ps1  
powershell -command "&{ set-executionpolicy restricted}"  

The PowerShell script DoTasks.ps1 just does this for now:

Write-Output "Hello World!"

Both of these scripts live in c:\windows\system32 (for now) just so they're on the PATH.

On the originating server I do this:

psexec \\web1928 -u administrator -p "adminpassword" do-tasks.cmd

When this runs I get the following response at the command line:

c:\Windows\system32>powershell -command "&{ set-executionpolicy unrestricted}"

and the script runs no further.

I can't ctrl-c to break the script and I just see ^C characters, I can type input from the keyboard and the characters are echoed to console.

On the remote server I see that PowerShell.exe and CMD.exe are running in Task Manager's Process tab. If I end these processes then control returns to the command line on the originating server.

I have tried this with just a simple .cmd batch file with a @echo hello world and it works just fine.

Running do-tasks.cmd on the remote server via an RDP session works ok as well.

The originating server is running Windows 2003 SP2, the remote server is running Windows 2008 SP2.

Why is my remote batch file getting stuck when executing via PSEXEC?