Saturday, January 29, 2011

How can I mount a hard drive as read-only on Windows XP?

I recently had reason to move a hard drive from a computer that blew up to another computer for the purpose of recovering data. Under the (unfortunate) circumstances, both the donor and the recipient were Windows XP SP3 machines. I wanted to be sure that the transplanted drive would not be altered by the recipient computer, so I searched like hell but was unable to find a way to mount the transplanted drive as read-only.

How can I mount a hard drive as read-only on Windows XP?

  • There is no built-in mechanism to mount a filesystem read-only in Windows. You either need to mount it in an operating system that does support read-only mounts, or use a hardware write-blocker.

    As an alternative method, I would consider imaging the source drive with a non-Windows operating system onto a new drive, and working with the new drive in Windows.

    For forensic work, though, you really need to be using a hardware write-blocker in every step of the process (and you should always be working with images of the original drive after you image and create a signature for the original drive).

    pplrppl : Evan's answer assumes the drive is non removable. As mentioned in other answers there is a way to just change the registry (and many companies are already doing so with group policy) to force USB drives to be read only. Such a policy/registry would mount the drive as read only if it were mounted after the change is in effect and if the drive was connected by way of USB not eSATA, SATA, or IDE. The first google result for this registry change is http://www.petri.co.il/configure_usb_disks_to_be_read_only_in_xp_sp2.htm and seems accurate enough to recommend.
    Evan Anderson : I'm not finding much information about what in the driver stack this registry setting actually tweaks. Assuming that it's sufficiently low in the stack as to truly prevent any writes then it would satisfy the poster's requirement re: "not be altered by the recipient computer". Certainly, USB attachment is going to be slower than (e)SATA or PATA, but it might be worth the trade-off. For any serious forensic work, though, a hardware write-blocker is absolutely a "must".
    pplrppl : USB 3 superspeed will make the speed penalty of USB a non issue. It's worth noting that USB enclosures generally don't support SMART data and don't give access to the bare drive in any advanced sense. Not only is it not sufficient for legal forensic work it isn't sufficient for detailed trouble analysis (brand specific diagnostic software won't work over USB). It does however give you a way to access a drive read only on XP without additional hardware or software if your need does not include low level access to the drive.
    pplrppl : The ability to power on the drive separately from the PC can help in "light" recovery situations. Sometimes a drive will only stay working for a few seconds at a time (less than the time it takes to boot windows and copy the files). I've personally recovered data from drives by booting into the OS, letting the startup items settle down, and then turning the external enclosure on. Copy data to the good drive a directory at a time, power down the drive and let it cool off, power it back up and grab another directory, repeat as needed.
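
An added example (not part of the original answer or its comments) of the image-then-sign workflow described above, as it could be run from a Linux live environment: the source is read exactly once, hashed while it is copied, and the finished image is re-hashed so a bad write is caught before anyone relies on it. The function names, the choice of SHA-256, the `.sha256` sidecar file and the sample data are assumptions; the answer itself only says to image the drive and create a signature.

```shell
#!/bin/sh
# Added example: acquire an image and record a signature for it.
# Assumptions (not from the original page): SHA-256 as the signature,
# an "<image>.sha256" sidecar file, and the function names used here.

# hash_of PATH -> prints the SHA-256 hex digest of PATH
hash_of() {
    sha256sum "$1" | awk '{print $1}'
}

# image_and_sign SRC IMG
#   Reads SRC once, writing IMG and hashing the same byte stream.
#   Returns 0 only if the image on disk hashes to what was read from SRC.
image_and_sign() {
    src=$1
    img=$2

    [ -r "$src" ] || { echo "cannot read source: $src" >&2; return 2; }
    # Never overwrite an existing image: it may be the only good copy.
    [ -e "$img" ] && { echo "refusing to overwrite: $img" >&2; return 3; }

    rc_file=$(mktemp) || return 4

    # Single pass over the source: dd opens it for reading only, tee writes
    # the image, sha256sum hashes the identical stream. dd's exit status is
    # saved to a file because a plain sh pipeline hides it.
    acquired=$(
        { dd if="$src" bs=1048576 2>/dev/null; echo $? > "$rc_file"; } |
            tee "$img" | sha256sum | awk '{print $1}'
    )
    rc=$(cat "$rc_file")
    rm -f "$rc_file"
    [ "$rc" = "0" ] || { echo "read error on $src" >&2; return 5; }

    # Lock the image, then confirm what landed on disk is what was read.
    chmod a-w "$img"
    written=$(hash_of "$img")
    [ "$acquired" = "$written" ] || { echo "image does not match source" >&2; return 6; }

    # Sidecar signature in the same "digest  name" layout sha256sum prints.
    printf '%s  %s\n' "$acquired" "$(basename "$img")" > "$img.sha256"
    chmod a-w "$img.sha256"
}

# verify_image IMG -> returns 0 if IMG still matches its recorded signature
verify_image() {
    img=$1
    [ -r "$img.sha256" ] || { echo "no signature for $img" >&2; return 2; }
    expected=$(awk '{print $1; exit}' "$img.sha256")
    [ "$(hash_of "$img")" = "$expected" ]
}

# --- Demo on constructed data: a 3 MiB file stands in for the source drive ---
demo_dir=$(mktemp -d)
dd if=/dev/urandom of="$demo_dir/source.bin" bs=1048576 count=3 2>/dev/null
if image_and_sign "$demo_dir/source.bin" "$demo_dir/evidence.img"; then
    echo "signed: $(cat "$demo_dir/evidence.img.sha256")"
fi
verify_image "$demo_dir/evidence.img" && echo "image matches its signature"
rm -rf "$demo_dir"
```
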
  • I have never done this, but once it's installed find it under My Computer. Then right-click and select properties then security tab. You may be able to configure the permissions for what you are looking for.

    EDIT - after reading your entire post and EA's answer, the hardware write-blocker sounds best.

    note to self - read ENTIRE post before responding and try not to feel like this is a race to beat EA

    squillman : Yeah, good luck on the whole "Beating Evan" thing :)
    Evan Anderson : Heh heh... The trick is to get me into a "religious argument" about the intent of some OS feature, etc. That'll slow me down dramatically.
    From cop1152
  • I've got this bookmarked from a while back, but I've never tried it: http://www.microsoft.com/communities/newsgroups/list/en-us/default.aspx?dg=microsoft.public.windows.file_system&tid=4b1a14f7-6bd2-4c9f-ae64-df57c35712bf&cat=&lang=&cr=&sloc=&p=1

    The 4th post (by Edwin) has the solution I am talking about.

    From MattB
  • As Evan says there's no easy way of doing this other than to clone the drive. There's a linux live distro called PING that you can use to boot a machine, and it gives you the facility to copy partitions between hard drives (and it's free & pretty easy to use)

  • You can use WriteProt, a little command line tool that enables you to write protect a filesystem on Windows.

    Evan Anderson : Interesting looking little tool! For casual non-forensic work I'd definitely look into it. For the poster's question, though, I think I'd still recommend imaging and working on an image, since we're talking about potential data loss. Handling the only drive with the data on it should be kept to a minimum.
    From Doliveras
  • There is a way to access the drive in a mode that is effectively read only.

    1. Mount the drive as per normal.
    2. Right click on the drive, and turn on file sharing.
    3. Alter the permissions for the share to remove "write" permission. Leave "read" permission enabled.

    Now, do all of your access through the UNC file share, e.g. \\computer\mydrive - RO\

    I use this trick to provide an absolute guarantee that my file backup program won't inadvertently stomp on the data that it's meant to be backing up.

    From Gravitas
  • Solution:

    From: http://www.autorunremover.com/

    "You can set the USB port status to Read only or Readable/Writable with Autorun Virus Remover ..."

    Conclusion: if you place your hard drive in an external hard drive case with a USB cable, you can ensure that it's mounted as read only.

    According to Software Informer there are over 4,078 people with this utility installed on their computer as of 2009-07-07.

    Note of caution: when this utility is installed for the very first time it scans external hard drives. Suggest a thorough test flight on another external USB drive before committing your life to it.

    pplrppl : Close but no need to get specific software to do it. Just edit the registry and plug in a USB drive adapter and you are good to go. See http://www.petri.co.il/configure_usb_disks_to_be_read_only_in_xp_sp2.htm for the registry key.
    From Gravitas

How do I best archive VMWare VMs for reuse?

I'm using VMWare ESX 3.5.

I've just created a couple of different-flavour VMs (a Windows 2008 one and a Windows 2003 one), installed windows updates, and am generally happy with their pristine nature.

I will want to run them now, but reuse them from their current state later. So, I want to archive off a snapshot now, to come back to when I want to spin up more.

What are my options?

  • Manually zip up the directory that contains the VM and physically store that someplace else?
  • Something specific to VMWare ESX?

I have allocated xGb for the virtual disk; is unused-but-allocated space still taken up on the "real" disk?

Note: Backups are not my question - I'll handle that separately.

Edit:

  • I'm not using vSphere or vCenter; that's AFAIK not available to me as an option here (separate license? Am unfamiliar).
  • I personally don't like leaving suspended VMs or seldom-used templates lying around, whether I have the space or not. I'd be tempted to just back them, either by using VCB or just copying the VM directory from the datastore - then removing the VM altogether if you need the space.

    With v4 you could have SVM'ed the VM to thin disks first of course.

    Peter Mounce : I don't know what "SVM'd the VM to thin disks first" means, sorry. I'm a developer, really, not a sysadmin ;-)
    Chopper3 : If you were using vsphere/version4 there's an option to convert your disks to 'thin' (smaller, slower) disks - thus saving you disk space - it uses a function called 'Storage vMotion' or SVM - sorry for the confusion.
    Peter Mounce : Thanks; but sadly I'm not using vSphere.
    From Chopper3
  • I have had this work before, but I'm sure there are others who wouldn't recommend it.

    We're running ESXi and don't have servers that are necessarily 24/7 critical. I shut down the VM, then using the disk storage browser, copy the directory to a storage NAS and then 7zip the directory into one large 7z file (and verify there aren't any errors). This takes a LOT of time to copy over, but for us it works. If something goes wrong I can copy the VM back over to the ESXi server and point a new VM configuration there to fire it back up. Be aware that you may have to be careful about things like MAC addresses and such being "duplicated" if you're restoring; we do this primarily in case there's a failure of the VM server. Use MD5 sums to verify your large backup file when transferring it to make sure it's not corrupted in storage or transfer.

    Another option is to treat your VM as a regular server and make full backups to your backup server. If there's a failure, spin up a new VM and do a "bare metal" restore on the virtual computer. This saves you having to have special storage set aside just for the virtual machines, which can easily grow to several gig each and the larger the file, the greater the chance that it'll get corrupted. This is probably a better solution in many cases because it eliminates variables with version of VMWare (your backup is one version, you upgrade VMWare or change something and forget, suddenly your backups are screwy...)

    Your last option would probably be to get VMWare-specific backup solutions that are ESX-aware. Expensive as all get-out, but they're aware of the issues involved in file locking and access for the virtual disks, and you won't need to shut down the VM's to do the backup. Attempting any copying or modifications while it's running results in Bad Things(tm).

    I've read that there are issues with using a VM that has snapshots and just copying files over as a "Backup" (my first suggestion), so I don't use snapshots in VMWare. I can't confirm the issues though.

    joeqwerty : Another thing you can do is to shut down the VM and export it as an appliance (in OVF format). You can then import the VM as an appliance to the same host if needed or to another host.
    Antitribu : I've done this and it works but if you're xfring a lot or want to do it in a more automated fashion I'd recommend enabling SFTP on the ESX host and using either WinSCP or SFTP to pull the images down. I've found it faster and more reliable.
  • If you are using ESX in concert with vSphere Virtual Center, you should be able to create a "template" from your VM. The template, which is essentially a special type of "clone," is stored on a VMFS volume just as a VM would. If the source VM uses "thin" disks, I believe the template would as well.

    Farseeker : +1 for Templates in vSphere. vSphere can also customise the installation for each deployment to change the server name/license key as well.
    From ktower
  • Use VMWare Converter to connect to the ESX server - you can then "convert" your VM into a Virtual Appliance file (ovf), and store this on a network share, external hard drive etc. The appliance format will also compact your virtual hard drives, so you aren't archiving empty space.

    You can also leave it as a VM, but the single ovf file is easier to manage IMHO.

    Back in November 2009 VMware converter seemed to be the only VMware supported method for getting a VM's files out of the Datastore. Quick and easy too. Backup is another option, but VMWare converter is a lot easier to use for occasional archiving, or moving VMs around between different networks.

    VMware Converter 4 will create ovf and VMs for ESX 3.5 and vSphere - make sure you use the appropriate one for your environment.

    monomyth : +1. in my experience moving VMs without a converter led to unexpected results :)
    From dunxd
  • You just need to back up the vmdk and vmx files. The compression ratios are good. If I had vCenter Server, I would use templates. Otherwise backups, as I described, are a better option.

    From
  • As ktower mentions templates are the simplest method but only if you have Virtual Center\vCenter as the templating feature isn't available on standalone ESX\ESXi hosts. If you select to clone the VM to a compressed template you get a reasonably compact copy, it just removes unused space in the VMDK's it's not a true compression but it will create a much smaller set of files. It's important to mention that templates are also a set of files, just like a VM not a single file like an OVF.

    I tend to put templates of systems that I want to save in this manner onto a NAS that is presented to the ESX host and make backups\copies directly from there when I want to move them around, in my experience this is faster (if more cumbersome) than exporting OVF's but a lot depends on the setup you are working with.

    From Helvick

Server room kit?

I feel like this is a question I've seen on here before, but some searching didn't do me any good. This looks similar, but I'm looking for stuff I leave there, not what's in my go-bag.

What would you say is indispensable equipment in your server room? I've inherited one that's a bit light on stuff (except for servers, those are in there). We're in the single digits of racks, if that matters.

I'm thinking of things like:

  • Cable labeler
  • Ethernet tester (copper at least, fibre if you need)
  • ... ?

Community wiki, because, really.

[Edit] I suppose it's important to say that it's a colo facility, kind of far from the office. No food, water, etc. :(

  • A big, big roll of sheet plastic and duct tape.

    For when the ceiling leaks (water), or someone decides they have to drill holes in the walls (dust tent), or when you have to rig up some emergency cooling.

    Bill Weiss : Ok... why? I'm intrigued.
    quack quixote : for sealing yourself in, of course. in case of zombie attack or world-ending virus. someone's got to keep the servers running, right?
    Massimo : It **will** get useful when some (l)user comes screaming in because he wants his data *immediately*.
    Massimo : Carpets can also be quite useful, you know.
    Bill Weiss : Fair enough. (15 character max)
    quack quixote : but carpets leak. sure, they're opaque, but you need that first layer to be waterproof or you'll end up with physical evidence all over the place.
    pboin : For when the ceiling leaks (water), or someone decides they *have* to drill holes in the walls (dust tent), or when you have to rig up some emergency cooling.
    quack quixote : @pboin: that's actually a really good reason. gonna add it into your answer so it's more obvious and detached from our collective sarcasm.
    From pboin
  • I'm looking for stuff I leave there, not what's in my go-bag.

    The only thing that should be stored in the server room is servers. Everything else should be stored nearby, but removed from the server room when not needed.


    To add a bit to my above statement. Colo's and Server rooms are two different animals. With colos you generally have your cage space and that is it - would be nice if they provided lockers for client use but they generally don't.

    Before we shutdown our colo we had a crash cart with the following:

    • Multiple screw driver sets - torx, phillips, flat head in a wide range of sizes
    • Battery Powered Drill with screw bits (and the charger)
    • CD Case with all needed software for all systems at that site
    • BERT tester
    • Cable making supplies - coil of cat5e, crimper/cutter tool, tester, tips
    • Small trashcan
    • Small key safe with keys for all the equipment front panel locks
    • Collection of spare screws
    • Spare lock box for tape transport
    • Leatherman Multitool (most useful!)
    ceejayoz : Some have server rooms that aren't conveniently located near additional secured storage space. I'd rather have equipment safely stored in a cabinet in the server room itself than trekking across a building because I forgot something I'd never use outside the room...
    Bill Weiss : Unfortunately, my servers are in a colo facility an hour from the office. Some things I just don't want to haul back and forth. Plus, I leave for there from different places: the office, my house, bars (when I'm really unlucky), etc. Otherwise, I'd be with you.
    Michael Stum : If you have space in your rack, I wouldn't be surprised if some company offers 19" lockable drawers...
    From Zypher
  • Larger, easier to handle screwdrivers, torx wrenches, wire cutters.

    The small packs are nice in an emergency, and they go with you, but trying to use those little guys for hours on end can begin to hurt your hands.

    Bill Weiss : Absolutely agreed.
    Posipiet : You may want to check out this system: It combines into a real proper screwdriver, locked tight. Available large and small. http://www.wiha.com/england/Onlineshop/Reversible-blade-systems/Wiha-SYSTEM-6-Sets/281T11-SYSTEM-6-reversible-blades-set-11-pcs
    From EricJLN
  • After years of replacing cordless screwdrivers because the NiCad battery wore out, the Flashcell cordless screwdriver is very welcomed.

    Bill Weiss : That's a neat looking tool.
    Marc-Andre R. : OMG I want one so badly :D But it appears that it's not on sale anymore :( Can't find it...
    EricJLN : In Stock: http://www.amazon.com/Coleman-5-4V-Flashcell-Cordless-Screwdriver/dp/B001U8FF5Q
    Michael Stum : +1, awesome tool!
    From EricJLN
  • Rolling carts. For the single-digit server room you describe, one may be enough, although I'd guess you'd want 2 or more.

    Use them as a portable tool bin, an easy-to-move worktable, etc. Some setups might have a couple as wandering worktables, and another couple as dedicated terminal carts.

  • Zip ties, preferably in various colors, and some kind of snip (I use wire cutters) to cut them free.

    Velcro ties for short-term binding.

    Keep the server room all pretty and neat.

    Posipiet : let's add some velcro ties, too
    Bill Weiss : I've read that zip ties aren't a good idea for Ethernet cables. A reference, though not a great one: http://www.lanshack.com/cat5e-tutorial.aspx . I don't know how accurate that is, but I've heard similar. However, velcro ties, I whole-heartedly agree.
    James : Urban myth. As long as you don't tighten the ties so tight that they cut into the cable you'll be fine...
    ceejayoz : Agreed with @James. There's no physical reason an inert plastic tie would be inherently bad.
    Bill Weiss : I think the concern is that it's easy to over-tighten those plastic ties. I didn't think that the plastic would set up an EM field or something :)
    Oskar Duveborn : I always use velcro ties for long-term binding as well, so much easier when the time comes to un-bind a run for whatever reason ^^
    EricJLN : @Oskar - one reason to use the zip ties is so that others don't unbind the run just because they came up with a reason. It creates a barrier to change - both for good and for ill. All in all, 6/half dozen, IMHO.
    From EricJLN
    • A workspace with enough room to work comfortably on a broken 19" server, with screen, keyboard, mouse. Separate from the racks.
    • An old PC. Optimally with controllers and slots to fit every piece of hardware you may have to analyze. Mine speaks SCSI wide & narrow, IDE, SATA, PCI, USB, Firewire 400. Keep a small stash of old computers, if you can. They will come and ask if you can rescue the data from this 5.25" disk one day.
    • A notebook on the side. The rescue PC has no internet connection, to make sure it can't be infected.
    • A big enough disk to put data on that you may have to rescue.
    • Room for spare parts and cables. Room for a museum of old stuff you might need for old systems.
    • Cart. In case you have heavy servers, a lift of some sort.
    • A selection of tools you know you will need. You can keep this small, if you have a complete set elsewhere.
    • Telephone with outside access, if your mobile doesn't allow that.
    • Pen and Paper.
    • Spare parts for your most important servers. If you have several identical machines, keep one spare. It is the organ donor. It may be used for testing new setups, but be prepared to rip it apart.
    • A few switches, network converters, cables of all kinds.

    Generally make the server room your fortress of solitude, where you can retreat when the brown stuff hits the rotating thing. Nothing like coming out smiling after one hour of hacking, and the broken server is back up, with all data.

    Helvick : Amen to point #1. As someone who has to regularly work for a couple of days at a stretch in customer server rooms the one thing that I find that is most frequently overlooked is a decent work surface. Doesn't have to be a full desk but as you say, big enough to open up a broken 19" server and take a screen, keyboard and mouse.
    Michael Stum : Just to add: A Chair. Really, sitting on the floor or standing for 2 hours just because some update/backup/rescue operation takes time sucks and may not be healthy.
    From Posipiet
  • Multiple spools of cat 5 cable, along with several boxes of RJ45 ends, because you know you want to use that cable-crimper you've been lugging in your go-bag.

    Bill Weiss : But, I don't want to make cables :( You're right though.
    Massimo : But you **will** need to.
    Joe : Most datacenters (think: private cages) will not allow you to run your own cable to their meet-me punch-down block; Instead, I recommend having a few spares of appropriate length and color pre-made.
    From EricJLN
  • I'd say these are something I've needed and I've started keeping in the Server Room kit:

    • Flashlight
    • Zip ties
    • Labeler
    • Dell DVDs so if I need to install something or get drivers I can get it from there instead of downloading them
    • A pen (many times I wanted to write something down and found myself with no pen or pencil)
    • Sharpie to label stuff if the labeler won't work
    quack quixote : better than just keeping your Dell DVDs, keep a latest-drivers archive on a handy network share. don't delete old driver versions, since you never know what new drivers might break (or not work with the ancient OS you're installing). having a DVD is handy, but not as handy as having any drivers you need ready to drop onto a thumbdrive, optical disc, or whatever.
    Chris S : A network boot image (or WinPE CD) for booting a borked computer and retrieving data without having to change any physical hardware.
    From Hondalex
  • A PC with a floppy disk drive and a DVD burner, and a stock of floppy disks and writable CDs/DVDs.

    A time will come when you will need to flash that firmware...

    Farseeker : Floppy Disk! The number of times I've been saved by that long-obsolete technology...
    Massimo : Not to speak about installing pre-Windows 2008 systems when a controller driver is needed...
    From Massimo
  • TOOLS!

    Keep them locked away in the server room so they don't go walk about...

    From James
  • I've seen some people mention zip ties, and while they are nice looking, I don't like them so much anymore. I've come to prefer twist ties. They're easy to remove (don't require a tool to do so) and they are also easy to modify (if you need to add additional cables to the bundle). I picked up a spool of it from the gardening section of Menards that comes with a cutter... that's similar to this...

    Joel : Have you tried the "releasable" cable ties? They have a little tab you can pinch and it releases the tie. They work really well, and for short term bundling, try velcro ties.
    Chris S : Velcro, it's cheap, comes in different colors, removable and less likely to dig into wires.
    From Brett G
  • A desk, so you can go in there and work when the "outside" world gets to be too much. Also a fold-up bed/cot, for those times when things get so bad you're too tired to drive home afterwards. Oh yeah, and a beer fridge won't go astray either.

    Personally, I've found one of the most valuable items to be a rechargeable torch (flashlight), mounted just inside the door. Non-rechargeable types have a habit of always being flat just when you need them most.

  • Aside from tools I would highly recommend a small first aid kit, and some nonmessy snack foods that keep in storage well. Being able to put a bandage on a paper cut or other small nick on the spot is nice instead of having to hunt down someone from security just for a small bandage. The snacks are good for when it has been two hours too long and you are still more or less stuck in the computer room.

    C. Ross : Forget papercut! Some of the worst cuts I've ever had have been from moving and cataloging old hardware, those steel cases can cut like a knife under the right(wrong?) circumstances. I used a paper towel and duck tape at the time, but a first aid kit would have been much appreciated.
    From joe
  • A small tool box to keep small tools mentioned above.

    From Chris
  • We have and use "community" fold-up tables and chairs in our colo areas. Provides the work surface, a place to sit and takes up little room when stowed.

    Also a light jacket for when it's 90 degrees outside, you're wearing shorts and a t-shirt and you end up spending most of the night in a 65 degree server room.

    Bill Weiss : The colo offering tables and chairs would be so nice... doubt it's going to happen, unless I want to cart the machines out to the break room.
    Keith Stokes : That's why the tenants do it themselves. A couple of cheap chairs and a table fit in-between racks pretty easily.
    Bill Weiss : Oh, I get it. Great idea!
  • Telephones as mentioned above, but with a long enough cord to take the handset to any cabinet. And yes, corded phones -- there's likely to be enough signal on whatever freq you choose for there to be a problem with cordless.

    While I'm on the subject, even if the site uses VOIP phones, you need a non-VOIP, non-PBX, direct line to handle the instances where the VOIP or PBX equipment is down.

    Other stuff that hasn't been mentioned: Printed reference material - phone numbers, networks, remote host dependencies, etc. Stuff that you might need to bring up the server where the online copies reside.

    Massimo : +1. Nothing worse than having critical info for fixing a server... on the same failed server.
    From mpez0
  • I'd add

    A magnifying glass** so you can read the ridiculously teeny-tiny writing you get on some equipment, and a mini-maglite so you can use it.

    ** yes, I am seriously old

    Bill Weiss : I'm completely with you on that one.
    Joe H. : For when it's in awkward places, I've been known to use a digital camera. (and then zoom in on the display, if necessary) It also keeps me from needing to copy down serial numbers while wedging my head into racks.
    From
  • Digital camera, so that when you have to unplug or move things, you can put them back the way they were.

    Joe H. : Cell phone cameras work okay for cabling ... but most can't handle the macro issues of shoving it between servers to snap a picture of a serial number.
  • Quality tools. Cheap tools like screwdrivers that the tips shear off when you're trying to remove that overtightened screw can ruin your day, especially if you're at the colo in a downtown urban centre at 3am, and there is nowhere within an hour drive (or commute) to get a replacement. They don't have to be top of the line machinist tools, but decent quality, not a bigbox / department store set bought on sale for $4.99. Wiha, Wera, Snap-On, and Klein Tools are recommended brands.

    And the right tools, that actually fit. Needing to open a case where the screws have been "stripped" due to screwdriver slippage, or using the wrong screwdriver is an act of unnecessary frustration.

    • Notebook and pen/pencils.
    • serial cable, USB to serial adapter (for laptop), null-modem connector, and serial to RJ-45 adapter for routers and switches (a cheap multi-cable for the DIY types)
    • cross-over ethernet cable (if not covered by previous)
    • install / recovery media, and portable hard drive for storage / backup
    • nut drivers, particularly for rack screw / nuts that can need more torque to loosen
    • bottled water (for colo); not a diuretic like soda or coffee, which forces bio-breaks
    • spare power cord - I always seem to end up short
    • compact keyboard
    • Cat-5/6 cable, plus RJ-45 connectors, and crimper, wire cutters, utility knife
    • Multi-tool, again quality one, e.g. Leatherman or Gerber
    • phone list / directory of contacts
    From mctylr
  • a small pry bar (I use a Stanley Wonder Bar II) has come in handy a number of times -- trying to get a tight server out of the rack; replacing swollen batteries out of a UPS. But it gets its most use when I have to shift everything in the rack up a couple of mm because the server I'm inserting is just a hair taller than whatever it was I just took out. (loosen a higher machine, lift it 'til it's tight against the one above it, tighten screws, repeat down the line).

    ... if you weren't in a colo, I'd also suggest a crash cart w/ serial terminal, and a lift cart (for those times when your management won't give you a maintenance window, and you really, really need to move that server; it also comes in handy when you don't have enough people to safely unrack that ancient 8U UPS, but can extend it far enough to get a lift under it)

    From Joe H.

How do I move user folders for many users to a new server?

Hello,

I need to move two users folders on two separate drives on a main DC to another shared folder on a NAS. These user folders are the users main home drives.

What is the best way to do this without doing it one at a time?

  • Try using xcopy or robocopy from the Microsoft Windows Resource Kit (and optional GUI) to do the copying of data.

  • Robocopy is your friend.

    Rob : Robocopy does not work. I need to move all the user home folders to a NAS. I cant run Robocopy from there. Unless I can run robocopy from a remote server, moving the user files from the DC to the new NAS. Is this possible? Can I move these home folders and save their rights with robocopy to the NAS?
    squillman : You can specify UNC paths in the Robocopy arguments, thus you can use it anywhere to copy from A to B, so long as they are both accessible to you.
    GregD : You can preserve ntfs permissions using the /COPYALL switch. Have you tried using Robocopy? Why are you saying it does not work? You don't have to run robocopy from the NAS, you can run it from the DC.
    Rob : You are correct. robocopy is getting done what I need it to do. The issue I have now is that the permissions do not carry over to the NAS. I am trying to figure out how to get the user folders that were moved with robocopy from the DC to the NAS to be accessible to the users once I change their home drive mapping. Once I changed the home drive mapping in AD it worked (as in it mapped the users folder on the NAS) but not the user folder for that user, just the users folder that contains all the user folders and the account has access to read all the folders in there. Which can't happen.
    Rob : It's a Linksys/Cisco NAS and has only limited interface for security settings, it only allows 21 people to be assigned to one share for some reason. So I am trying to work out how to not have to set up separate shares for each user account. I want to do it in a mass change. It looks like I am still going to have to do each one individually, unless I can find a way to make a mass change in rights for each new user share on the NAS.
    From GregD
  • Hello All,

    It seems that I found the solution to my issue. The NAS cannot do what I thought it could. It is a NSS6000 Linksys and it seems that the limitations in the security rights interface are hindering the rights I need to be able to set.

    So I am going to order a new file server that will be the primary user home drive server and set this server up as a member server in our domain.

    Thanks for all your help. I did not know that robocopy has a new version called RichCopy, and it has a really cool interface GUI.

    Thanks all.

    From Rob
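
The copy with `/COPYALL` over UNC paths discussed above, followed by a check for the exposure Rob describes (accounts able to read other users' home folders), as an added example that is not part of the thread. The server, share and domain names are placeholders, and it assumes the destination is an NTFS share on a Windows member server and that each home folder is named after the user's logon name.

```powershell
# Added example (not from the thread). Server, share and domain names are placeholders.
$Source  = '\\DC01\Users$'      # placeholder: current home-folder root on the DC
$Dest    = '\\FS01\Home$'       # placeholder: home-folder root on the new member server
$Domain  = 'EXAMPLE'            # placeholder: NetBIOS domain name
$LogFile = Join-Path $env:TEMP 'home-move.log'

# /E copies subfolders (including empty ones); /COPYALL copies data, attributes,
# timestamps, NTFS ACLs, owner and auditing info; /R and /W bound the retries.
robocopy $Source $Dest /E /COPYALL /R:2 /W:5 "/LOG:$LogFile" /NP

# Robocopy exit codes of 8 or higher mean at least one file or folder failed to copy.
if ($LASTEXITCODE -ge 8) {
    throw "Robocopy reported failures (exit code $LASTEXITCODE); see $LogFile"
}

# Principals expected on every home folder besides the folder's own user (assumption).
$Expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
              "$Domain\Domain Admins", 'CREATOR OWNER')

# Assumption: each folder directly under $Dest is named after the user's logon name.
$Findings = foreach ($folder in Get-ChildItem -Path $Dest | Where-Object { $_.PSIsContainer }) {
    $allowed = $Expected + "$Domain\$($folder.Name)"
    foreach ($ace in (Get-Acl -Path $folder.FullName).Access) {
        $who = $ace.IdentityReference.Value
        # Report every Allow entry for a principal that should not reach this folder,
        # for example a group such as Domain Users inherited from the parent folder.
        if ($ace.AccessControlType -eq 'Allow' -and $allowed -notcontains $who) {
            New-Object PSObject -Property @{
                Folder    = $folder.Name
                Identity  = $who
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if ($Findings) {
    $Findings | Format-Table Folder, Identity, Rights, Inherited -AutoSize
} else {
    'No unexpected Allow entries found on the copied home folders.'
}
```

The check covers NTFS permissions only; share-level permissions on the destination share are configured separately.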

Scheduled Tasks w/ GUI issue

Are there issues running Scheduled Tasks in Windows 2003 when the task has a GUI? I have one that worked fine in Windows 2000 but won't run on Windows 2003.

Details:

I have a .bat job that ran every hour throughout the day on an old Windows 2000 server for many years. I finally retired that server last week and moved the job (and associated programs and files) to a Windows 2003 server.

The .bat file calls a couple cmd line apps first, but the final step is a GUI based .NET app (it does some OCR on image files and then shuts itself down).

From the new server, logged on as the Scheduled Task owner I can run the .bat file from the command line successfully.

From the new server, again logged on as the Scheduled Task owner, I can right-click on the task in the Scheduler and run it successfully. This task simply runs that same .bat file.

If the Scheduled Task owner is logged on to the 2003 server and the task is started from a remote server (where the user started Scheduled Tasks and connected to this server) it'll also run successfully.

If the scheduled task owner is not logged on to this server then the scheduled task fails at the step where the GUI app is launched. We can't get any error messages. Running ProcMon from a different session/user account monitoring that user account didn't turn up anything either.

For the moment, my horrible work-around is to leave the scheduled task owner logged on at the console with the screen locked. Of course, this becomes a pain each time that server is rebooted...

The scheduled task owner is our "domain service account" and is working with all other tasks on all other servers. It isn't locked out or anything like that.

I even tried modifying the Task Scheduler to check the "Allow service to interact with desktop box" but that didn't change anything. (Yes, I restarted the service after the change.)

Thoughts?

Updated (1/19/2010)

I need to clarify a bit: The .NET app I mentioned does a bunch of stuff that works. It isn't until it gets to the point where it needs to open a window that the app then hangs. We can see the progress of the app via the logging entries it leaves behind so we can see it working fine with the last log entry being "about to start OCR"... and that's where she hangs.

  • Is the task set up to start in a specific directory? Permissions are set up correctly in those directories that it is reading/writing to?

    I'm assuming the "Run As" in the task is set up correctly (gotta check basics! :) )

    Have you checked to ensure that the account running the task is granted the right to "Log on as a batch job" (Local Security Policy\Local Policies\User Rights Assignments\Log on as a batch job)?

    Chris_K : Thanks for the response. Yes, the task is set up to start in a specific directory. Permissions there are good. If I'm logged on as the task's "Run As" user I can manually run the job (cmd line or manually starting scheduled task). If I'm logged on as the task's Run As user and let the scheduler kick it off the job runs fine. And finally, yes -- the "Run As" account is added to the Log on as a batch job. The program runs ... to a point. According to our logging, it hangs at the point where it would be displaying a window for the first time.
    From Rex
  • Do you have access to the source code for the program for debugging? It sounds like the windows creation is failing because there's no windows desktop available to the program unless the task owner is logged into the machine. This article http://msdn.microsoft.com/en-us/library/ms687105%28VS.85%29.aspx describes the process for window station and desktop creation.

    Chris_K : This seems really likely. I've shared your link with the developer and am waiting to hear back from him. Thanks for that.
    Farseeker : We had this problem a few years ago and we sent a very similar article to our developer and he had it fixed in a matter of hours for us.
    From Fred

How to move Mailboxes over from old Exchange 2007 to new EBS 2008 network?

Hi all,

This q is similar to: http://serverfault.com/questions/39070/how-to-move-exchange-2003-mailbox-or-store-from-2003-to-2007-on-separate-networks

Basically I am trying to move our exchange mailboxes over to a test domain that is hosting EBS2008 with Exchange 2007. We plan to move as soon as we can when we have our exchange data over.

I have tried moving a db with mailboxes over but cannot get it to mount in the new Exchange in any way possible, including mounting it onto a recovery store. From my understanding the ONLY prerequisite for moving Exchange DBs across is that it must have the same Organizational name (unlike previous versions of Exchange). If anyone has any insight as to why I cannot mount and simply reattach the mailboxes, please give me an idea as to what could be wrong. It should be as simple as this. Note that the DBs I have are in a clean state.

I cannot use ExMerge because I am not running any mailboxes on 2003.

I have also tried using a 32bit Vista machine with the Export-Mailbox cmdlet to extract mailboxes but anything I do to it results in Permission errors. I have tried to troubleshoot these with no success. I am running in full admin with proper exchange roles and yet it still gives me access denied errors:

Export-Mailbox : MapiExceptionNetworkError: Unable to make admin interface connection to server. (hr=0x80040115, ec=-2147221227)

Also some errors show in the management console:

get-MailboxDatabase
Completed
Warning:
ERROR: Could not connect to the Microsoft Exchange Information Store service on server TATOOINE.baytech.local. One of the following problems may be occurring: 1- The Microsoft Exchange Information Store service is not running. 2- There is no network connectivity to server TATOOINE.baytech.local. 3- You do not have sufficient permissions to perform this command. The following permissions are required to perform this command: Exchange View-Only Administrator and local administrators group for the target server. 4- Credentials have been cached for an unpriviledged user. Try removing the entry for this server from Stored User Names and Passwords.

Why I have to use a 32bit machine to export a simple .pst file is beyond me...

So yeah I am now out of ideas and any help would be great! Thanks in advance.

  • I would suggest using the commandlet Export-Mailbox, as you described. There is an article on the MS Exchange Team Blog that goes over its usage and discusses the permissions needed. (There is a newer post as well that is more clear)

    Since I have found their post to be somewhat vague on setting the correct permissions, I prefer the instructions in an alternate post, which show how to give yourself permissions on all accounts or only on an individual account (my preferred method when I only have to export a few accounts). Basically, before running the export command, you run:

    Add-MailboxPermission -Identity "MailAlias" -User Username -AccessRights FullAccess

    where "MailAlias" is the account you are trying to export, and Username is your account (or the account you will be running mailbox-export as). After that, export away:

    Export-Mailbox -Identity <mailboxUser> -PSTFolderPath <pathToSavePST>

    Lastly, to be clean, I like to remove the permissions and return things to their original state, so:

    Remove-MailboxPermission -Identity "MailAlias" -User Username -AccessRights FullAccess

    After that, you are all set; you can take those PSTs over to your new server and import them. (You will probably need to grant yourself FullAccess to the new mailbox in order to run the import.)

    As an aside, the reason you need to run the pst export on a 32-bit machine is that the export has a dependency on Outlook, which is currently only 32-bit (this is described in the second posting from the MS Exchange Blog). I recall somewhere that MS was planning on correcting this limitation with the release of Office 2010.

    Qwerty : The same MapiExceptionNetworkError error is outputted as described. It just won't make the connection. There is something else that has not been configured or opened that is holding it back.
    Evan : Just some thoughts off the top of my head. 1) Make sure the computer you are using for the export is a member of the domain 2) that machine has outlook 2003/2007 installed 3) the account running the export can launch outlook and access its mailbox using NT authentication
    From Evan
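
The grant, export and clean-up steps from the answer above combined into one script, so that the temporary FullAccess entry is removed even when the export fails and an entry that existed beforehand is left alone. This is an added example, not code from the answer; the mailbox aliases, operator account and PST folder are placeholders, and it assumes the Exchange Management Shell running on PowerShell 2.0 or later (needed for `try`/`finally`).

```powershell
# Added example (not from the answer). Run in the Exchange Management Shell on the
# 32-bit export workstation. All three values below are placeholders.
$Mailboxes = @('MailAlias1', 'MailAlias2')   # mailboxes to export
$Operator  = 'EXAMPLE\ExportOperator'        # account that runs Export-Mailbox
$PstFolder = 'C:\PSTExport'                  # folder that receives the PST files

foreach ($alias in $Mailboxes) {
    # Was an explicit (non-inherited) FullAccess allow entry already present?
    # If so, it is not ours to remove afterwards.
    $preexisting = @(Get-MailboxPermission -Identity $alias -User $Operator |
        Where-Object {
            -not $_.IsInherited -and -not $_.Deny -and
            ($_.AccessRights -contains 'FullAccess')
        })

    $granted = $false
    try {
        if ($preexisting.Count -eq 0) {
            Add-MailboxPermission -Identity $alias -User $Operator `
                -AccessRights FullAccess -ErrorAction Stop | Out-Null
            $granted = $true
        }

        Export-Mailbox -Identity $alias -PSTFolderPath $PstFolder -Confirm:$false
    }
    finally {
        # Runs whether the export succeeded or not, so the grant never outlives the job.
        if ($granted) {
            Remove-MailboxPermission -Identity $alias -User $Operator `
                -AccessRights FullAccess -Confirm:$false
        }

        # Show what the operator can still reach on this mailbox after clean-up.
        Get-MailboxPermission -Identity $alias -User $Operator |
            Format-Table User, AccessRights, IsInherited, Deny -AutoSize
    }
}
```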

Where to find information on the IPv4 crunch, why to worry, what to do?

Where do I get information on the IPv4 crunch (what will happen, transition to IPv6, etc.)? What should one do to prepare (if anything)?

Ars Technica ran "A decade's worth of IPv4 addresses" and reminded me about this.

  • I am a bit of a contrarian ... I am very leery of IPv6. There are privacy implications, because part of the IPv6 address is a unique device identifier, although I believe there are settings to make that random.

    I fail to see the urgency, when so many class A networks are allocated to organizations with relatively minuscule need. To name a few: MIT, Daimler Benz, Xerox PARC, DuPont, Merck, the US Postal Service, Nortel, Eli Lilly and Halliburton. Heck, the InterOp show has a Class A for itself!

    Back to the question. If you haven't already, read the Server Fault IPv6 tagged questions.

    I don't think IPv6 is a huge issue right now for internal/private networks, but some preparatory steps are advisable for businesses. Eyes and ears should stay open, and the subject revisited every budget season.

    • I would make sure my internet facing hardware can support IPv6, or make sure I have sufficient budget to buy replacements in the event an internet provider switches.
    • I would also make sure any new networking equipment purchased can support IPv6 and IPv4.
    • I would find the networking equipment that doesn't support IPv6, and determine what needs to be done (firmware, upgrade, replace) for each item in the event IPv6 is thrust upon you.

    I don't see that a homeowner/hobbyist needs to do anything. If your ISP switches, you will need a new modem/router, but you will have plenty of notice.

    womble : Even if IANA can retrieve the /8s from organisations who have them unnecessarily (and really, would you want to renumber MIT so that it isn't spread out across its /8?), that wouldn't add much to the global pool as some god-awfully huge quantity of addresses is being assigned each week from the RIRs. So it's a small and temporary stop-gap measure at best.
    tomjedrz : Perhaps .. I just hear "the sky is falling" in so many of these arguments. How many companies out there are using even 50% of their allocation?
    womble : In terms of "allocated subnets" within the organisation, they're probably pretty well utilised, but the allocations will probably be sparsely utilised. But even if they're not, *it doesn't matter*; even if all the unused addresses were reclaimed, it still wouldn't put a meaningful dent in the available pool, and the cost of reclaiming that address space is large, and would be borne entirely by the organisations which need to give up the resources. If I asked you to spend $200,000 so that you could give me half your backyard to be used for a public park, would that seem like a good deal?
    : I see your point about the underutilized class A networks, but in reality if all the companies you listed gave back their entire network it would only put off the inevitable for a few months (IP4 address allocation was well over 200M/year last time I checked). Seriously, people have known about this problem for twenty years and the solution - IP6 - has been around for 12 years so it's not like an extra few months will really help anything.
    chris : There are some issues at play that drive economists crazy. 1: you can get IP addresses by demonstrating need, so Comcast uses an address for each set top box and phone and ... so they "need" 10 billion addresses. 2: you can't "sell" your addresses, so there is no incentive for MIT to want to sell their resource. If they could sell some /12s, I'm sure they'd find the resources to re-IP their /8. Same especially goes for Nortel and many of the rest. It's a real mess.
    Gerald Combs : @tomjerdz The IPv4 sky isn't falling, but it will likely get more expensive. If I were an HP, Ford, or Halliburton investor I'd be ticked off if they didn't start leasing chunks of their /8s within the next 24 months.
    From tomjedrz
  • There are in fact a few questions on Server Fault already about IPv6 adoption and allocation of IPv4. Take a quick look at questions tagged IPv4 for example. There are a lot of 'technical' questions about IPv6 but there are also a lot of rollout questions, and people asking similar things to what you've asked.

    From Farseeker
  • There's a good discussion of IPv4 Address Exhaustion on Wikipedia.

    I believe RFC 4941 addresses the privacy concerns that tomjedrz mentioned regarding IPv6.

  • The best source, by far, for the future of IPv4, is Geoff Huston's IPv4 Address Report.

    If you want to follow the news day by day, see the IPv4 depletion site.

    From bortzmeyer
  • There is also a lot of useful information on the IPv6 Act Now site.

    From calmh

Where to add DNS for my domain i.e. ns1.mydomain.com (Any disadvantages?)

My VPS hosting provider has agreed that I can use their DNS servers to present a more professional look by giving out vanity nameservers to my clients.

For example, they have said I need a DNS record directing ns1.MyDomain.com to the IP of ns1.VPSProvider.com.

Therefore any DNS queries sent to ns1.MyDomain.com will then be sent to the IP for ns1.VPSProvider.com instead and they will respond.

The domain is registered with 123-reg. Therefore, how/where do I add a DNS record for ns1.MyDomain.com? Would it be with 123-reg's help? Is it just a CNAME record of ns1?

Secondly, are there any disadvantages to having a vanity nameserver like this, e.g. spam, Google, rDNS etc.?

  • You cannot use CNAME records since the right-hand side of a NS record cannot be an alias (RFC 1035, section 3.6.2). You have to use A and AAAA records and keep them in synch with VPSProvider.com. Not easy because they can change suddenly.

    Frankly, if you do not know the DNS at all, it is better to not use "vanity name servers", especially for paying customers...

    From bortzmeyer
  • You need to create two A records pointing ns1.mydomain.com to the IP address of ns1.vpsprovider.com, and ns2.mydomain.com to the IP address of ns2.vpsprovider.com. CNAME entries add extra DNS lookups, and should be avoided when creating nameservers (and in fact break RFCs).

    If you're using these vanity nameservers for your own domain and not just for other people's domains, then you'll also need to set the ns records for your domain to your own nameservers and the ip addresses of the nameservers provided. You'll want to do all this on your vps provider's nameservers rather than 123-reg's because you'll no longer be using 123-reg for anything other than domain registration.

    There are no disadvantages in having a nameserver setup like this other than the fact that you then have to use the control panel of the vps provider to change your dns rather than the 123-reg control panel (though that may actually be an advantage).

    I don't recall if 123-reg provide .uk nameservers or not. If they do, and your domain is a .uk domain, then there will be a small theoretical loss of speed by switching to a .com nameserver. However this won't be noticeable.

    asn187 : @Kaerast - so I was on the correct path with my first comment? So whatever the nameserver entries are on 123-reg's side for MyDomain.com would be ignored once I have added the NS entries to the control panel of my VPSProvider.com?
    kaerast : You'll need to set the nameservers and ip addresses of those nameservers in the 123-reg control panel. Once you have done that, the rest of the dns configuration is done at your vps provider.
    asn187 : Thanks, one final thing: I suppose the reason my change at 123-reg is rejected ("This is not a valid nameserver") is that the changes made to MyDomain.com have not propagated through.
    kaerast : You need to add both the ip address and the name of the nameserver when using a nameserver on the same domain. You also need to make sure that the nameserver at the vps provider is ready to respond (try dig yourdomain.com @ns1.vpsprovider.com). Finally 123-reg sometimes just doesn't like you changing nameservers, so contact support if it's all otherwise working.
    From kaerast
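
Both answers rely on A/AAAA records for ns1 and ns2 that must keep matching the provider's addresses, which "can change suddenly". The following added example (not part of the thread) compares the two sets and reports drift; the host names follow the question's placeholders, the sample addresses are constructed from documentation ranges, and the live lookup assumes `Resolve-DnsName` (Windows 8 / Server 2012 or later).

```powershell
# Added example (not from the thread). Host names follow the question's placeholders.
function Compare-VanityNameServer {
    param(
        [hashtable]$Pairs,              # vanity host name -> provider host name
        [scriptblock]$Resolver = {      # default: live lookup of A and AAAA records
            param($Name)
            foreach ($type in 'A', 'AAAA') {
                Resolve-DnsName -Name $Name -Type $type -ErrorAction SilentlyContinue |
                    Where-Object { $_.Type -eq $type } |
                    ForEach-Object { "$($_.IPAddress)" }
            }
        }
    )

    foreach ($vanity in $Pairs.Keys | Sort-Object) {
        $provider = $Pairs[$vanity]
        $mine   = @(& $Resolver $vanity   | Sort-Object -Unique)
        $theirs = @(& $Resolver $provider | Sort-Object -Unique)

        # Stale: still published under the vanity name, no longer used by the provider.
        $stale   = @($mine   | Where-Object { $theirs -notcontains $_ })
        # Missing: used by the provider, not yet published under the vanity name.
        $missing = @($theirs | Where-Object { $mine -notcontains $_ })

        [pscustomobject]@{
            Vanity   = $vanity
            Provider = $provider
            InSync   = ($mine.Count -gt 0 -and $stale.Count -eq 0 -and $missing.Count -eq 0)
            Stale    = $stale -join ', '
            Missing  = $missing -join ', '
        }
    }
}

# Constructed sample data: ns2 at the provider has been renumbered, the vanity record has not.
$SampleRecords = @{
    'ns1.MyDomain.com'    = @('192.0.2.10')
    'ns1.VPSProvider.com' = @('192.0.2.10')
    'ns2.MyDomain.com'    = @('192.0.2.11')
    'ns2.VPSProvider.com' = @('198.51.100.11')
}
$Pairs = @{
    'ns1.MyDomain.com' = 'ns1.VPSProvider.com'
    'ns2.MyDomain.com' = 'ns2.VPSProvider.com'
}

# Offline run against the sample table; omit -Resolver to query live DNS instead.
Compare-VanityNameServer -Pairs $Pairs -Resolver { param($Name) $SampleRecords[$Name] } |
    Format-Table Vanity, Provider, InSync, Stale, Missing -AutoSize
```

The glue addresses registered at the registrar are a separate copy of the same data and need the same update when a row reports drift.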

Desktop Hardware Management

We are in the beginning stages of converting our desktops to VMs. During this process, we contacted our Desktop Management vendor to verify license requirements for virtual vs. physical, and were told we would be required to have a license for each PC - physical or virtual.

We had hoped to save a little money by going virtual, but we are finding a lot of "hidden" costs. With our current requirements to maintain hardware and software inventory, this will double the management cost of each PC we virtualize because each PC requires an agent/license.

Our current accounting requirements are such that we "charge" our "customers" based on number and type of PC. Until now, that has worked fairly well, but required that some sort of inventory agent be installed. We use Symantec (Altiris) Service and Asset Management to assign PCs to users for reporting/accounting purposes. We also use their Client Management Suite to manage the desktop applications.

We can trim back the "suite" of agents to just the inventory piece on the physical desktop, but still need the full suite of agents on the VMs for software management and inventory.

My question is this: How do other companies track their physical desktop hardware once they are converted to VMs? Do they even care about the physical desktop once converted?

I suppose we could use another vendor, but from what I've been able to find, all have the same answer - a license for each PC, physical or virtual.

  • "physical desktop hardware once they are converted to VMs"...mmm

    If you replace a physical PC with a VM'ed PC then usually* you can transfer the license over to that VM - so long as you get rid of the PC and ensure that license isn't somehow reused elsewhere down the line.

    *check your license agreements.

    ToreTrygg : Thanks, but transferring the license over to the VM isn't the problem. Needing to know the status of the physical hardware is. Our license agreements say one license for every agent installed. If one is on physical and one on virtual, that doubles the number of licenses required. Do other companies just forget the physical PC once they convert to Virtual? Or, do they purchase extra licenses so both physical and virtual are covered?
    Chopper3 : This was the point of my response; you'd need to buy additional licenses for either the VM or the physical machine if you intend to retain the physical machine. Also I couldn't fully understand your question.
    ToreTrygg : Sorry the question wasn't clear. So, what do other companies do? Do they go ahead and double their licenses for desktop management? Or do they just forget about the hardware?
    Chopper3 : Well more often than not companies move from thick PC client to thin VDI clients - they actually get rid of their original machines and destroy them, they are then usually legally allowed to use that original license. If you're keeping your original PCs then you'd HAVE to buy new licenses - is that clear?
    From Chopper3
  • This should double your licensing cost for the agents. Going to a virtual desktop under Windows also incurs costs as you must acquire a VECD. Hopefully you own SA on your desktops. If not, from the site:

    VECD is a device-based subscription license and is available two ways:

    1. VECD for Software Assurance (SA), which is priced at $23/year

    2. VECD, which is priced at $110/device/year

    Note: It is important to know that VECD is mandatory for any virtual desktop infrastructure (VDI) deployment that uses virtual copies of Windows, regardless of the underlying infrastructure provider.

    You also haven't mentioned what you've moved the desktops to. If they are still running Windows then you still need to license them. I am unaware of any circumstance in which you can "move" the license from a physical device to a VM.

    From Jim B
  • So, what you are doing is converting the installed OS over to a VM on the same (or new) machine, so each desktop can run multiple OSs? If so, you should be able to transfer the current license over along with the first VM, and then just need a license (or use open source OSs) for the other VMs.

    If you are putting them all on some larger server somewhere and then using remote desktop to access them, well, it shouldn't have hidden costs beyond each desktop that needs to be replaced. I mean, VMs are wonderful, but they don't really have monitors, mice, and keyboards.

    As for tracking physical hardware after moving to VMs, well, that's what property stickers are for. If you can stick it, it's real, and tracked as something that depreciates. :)