Thursday, May 5, 2011

Symantec Enterprise Vault Compliance Accelerator v9 SP2: synchronization with AD group is broken

We noticed that an employee group in EV CA v9 SP2 that synchronizes with an AD group is empty after the upgrade from v8 SP4 to v9 SP2. Symantec Tech Support confirmed that the issue is reproducible in their lab.

Let me note that the bug is VERY critical: it makes the Compliance Accelerator scheduled searches return zero hits, because the target employee group has no employees.

The workaround is to synchronize the EV CA employee group with an “Active Directory Container” and not a “Windows group or distribution list”.

Wednesday, February 23, 2011

Netbackup 7.0.1 and Encryption

Upgrading a client to NetBackup 7.0.1 breaks encryption, which makes the backups of that client hang.
Here is the solution:
1. Locate and rename the file keyfile.dat (\Veritas\Netbackup\var\keyfile.dat)
2. Run bpkeyutil -client (from \Veritas\Netbackup\bin)
(keyfile.dat gets re-created)

Friday, February 4, 2011

Scheduled Task as a Clustered Resource

1.- Modify the following registry key so that the tasks folder location
points to the tasks subdirectory on the shared disk:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SchedulingAgent

2.- Go into Cluster Administrator, create a new resource in one group and
choose Generic Service
3.- Select the possible owners and choose Next; for dependencies, add the Disk and
the Network Name
4.- Service Name: “Schedule”, Parameters: “%SystemRoot%\System32\svchost.exe -k netsvcs”; Root Registry Key: Software\Microsoft\SchedulingAgent

Friday, January 14, 2011

Permissions to SQL Database

I have been working on the problem of synchronizing two vendor databases (to be particular – the Symantec Endpoint Encryption (SEE) database should be synchronized with the Symantec Altiris Management Platform, formerly Notification Server, database). The synchronization did not work. The cause of the problem turned out to be a permission issue. I figured that the Altiris server (not any user account) must have permissions to the SEE database. I added DomainName\AltirisServerName$ to the Users in the Security section of the SEE database with the db_datareader and db_datawriter roles, and synchronization started working.

Monday, October 4, 2010

Restart the domain controller in Directory Services Restore Mode Remotely

An extremely useful article for when you need to boot a domain controller into Directory Services Restore Mode remotely:

http://technet.microsoft.com/en-us/library/cc779687(WS.10).aspx

Assign permissions to the tree of OUs when inheritance is turned off (through PowerShell)

Recently I needed to add permission to move computer objects to OUs for a group of users. I added the permissions to the “root” OU and tested it: everything worked great.
After I reported that the task was done, I heard from the users in that group that they still got ‘Access is denied’ when trying to move computer objects. I discovered that AD permissions inheritance was disabled for most of the sub-OUs. So, there were more than 1,000 OUs to add permissions to.
The following script took care of the task for me:
# Requires Quest "Active Roles Management Shell for Active Directory".

# Save the following in a text file with the .ps1 extension:

Add-PSSnapin Quest.ActiveRoles.ADManagement
$OU = "root OU DN"
# Enumerate every OU under the root (no result limit) and grant the group
# the right to create computer objects in each of them.
Get-QADObject -SearchRoot $OU -SearchScope 'SubTree' -Type organizationalUnit -SizeLimit 0 |
    Add-QADPermission -Account "domainname\user group to add permissions" -Rights CreateChild -ApplyTo All -ChildType Computer
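
To check the result, the OU tree can be audited for OUs where the group still lacks the right, together with whether inheritance is blocked on each. This is an added example, not part of the original script: it uses the Microsoft ActiveDirectory module instead of the Quest cmdlets, and the OU DN and group name are placeholders.

```powershell
# Added example (not from the original post): read-only audit of the OU tree.
# Assumes the Microsoft ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

$RootOU = 'OU=Example,DC=example,DC=com'   # placeholder: root OU DN
$Group  = 'EXAMPLE\Computer Movers'        # placeholder: group that was delegated
# schemaIDGUID of the computer class; an empty GUID in an ACE means "any child class"
$ComputerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$CreateChild   = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$InheritOnly   = [System.Security.AccessControl.PropagationFlags]::InheritOnly

# True if the DACL holds an Allow ACE for $Account that applies to this OU itself
# and lets it create computer objects. Matches the named account only; rights
# granted through other (nested) groups are not resolved here.
function Test-CreateComputerAce {
    param($SecurityDescriptor, [string]$Account)
    $rules = $SecurityDescriptor.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($r in $rules) {
        if ($r.AccessControlType -eq 'Allow' -and
            $r.IdentityReference.Value -eq $Account -and
            -not ($r.PropagationFlags -band $InheritOnly) -and
            ($r.ActiveDirectoryRights -band $CreateChild) -and
            ($r.ObjectType -eq $ComputerClass -or $r.ObjectType -eq [Guid]::Empty)) {
            return $true
        }
    }
    return $false
}

# List every OU under the root where the group cannot create computer objects,
# and show whether inheritance is disabled there (the cause described above).
Get-ADOrganizationalUnit -Filter * -SearchBase $RootOU -SearchScope Subtree -Properties nTSecurityDescriptor |
    ForEach-Object {
        $sd = $_.nTSecurityDescriptor
        New-Object PSObject -Property @{
            OU                 = $_.DistinguishedName
            InheritanceBlocked = $sd.AreAccessRulesProtected
            GroupHasRight      = Test-CreateComputerAce $sd $Group
        }
    } |
    Where-Object { -not $_.GroupHasRight } |
    Sort-Object OU |
    Format-Table OU, InheritanceBlocked -AutoSize
```

Run before the grant, it shows how many OUs are affected; run afterwards, an empty result means every OU now carries the right.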

Wednesday, August 11, 2010

Email Router for CRM4 and multi-server environment

We discovered an interesting issue with the email router when there are several (more than one) CRM4 servers connected to the same database.

All CRM components in a multi-server environment work independently: each request is fulfilled by the particular server to which the user connects.

Except e-mails (and mail merge).

The Email Router happens to work only on the first CRM server in the environment.

Let me explain a little further:

Let's say you have 3 CRM servers: server1, server2, server3, all connecting to the same database. They are combined into a server farm by a load balancer. The "virtual" name of the farm is crm.yourcompany.com. Users access CRM using the "virtual" name: http://crm.yourcompany.com.

User requests are answered by one of the 3 servers (server1 or server2 or server3) – as directed by the load balancer.

Let's say a user connects to server3, opens a Contact and selects 'Send E-mail'. The user fills in the email fields and clicks 'Send'. You would expect the email router on server3 to process that email. You would be wrong – the email gets processed by the email router on server1.

(I wonder what will happen if server1 goes down – would it mean that there will be no email processing by the email router? – to me it looks like a single point of failure – hello, Microsoft…)