A little Active Directory DNS Server Magic

By default, Windows DNS servers register a static A record for every IP address that the DNS server service is bound to.

If you have a multi-homed AD Server which is also a DNS server (as they often are), you’re fine as long as there’s no routing involved in your local network. The netmask ordering feature magically gives the correct IP address out to clients depending on the LAN segment they’re attached to. But if you also have routing, that breaks the netmask ordering, and clients just get round-robin randomised IPs. If they have routes to both IP’s fine. In the more common case, they don’t (after all, why else did you segregate your network and multi-home your DC/DNS server).

REGEDIT to the rescue:

See http://support.microsoft.com/kb/246804:


Data type: REG_SZ
Range: IP address [IP address]
Default value: blank

This value specifies the IP addresses that you want to publish for the computer. The DNS server creates A resource records only for the addresses in this list. If this entry does not appear in the registry, or if its value is blank, the DNS server creates an A resource record for each of the computer’s IP addresses.

This entry is designed for computers that have multiple IP addresses. With this entry, you can publish only a subset of the available addresses. Typically, this entry is used to prevent the DNS server from returning a private network address in response to a query when the computer has a corporate network address.

DNS reads its registry entries only when it starts. You can change entries while the DNS server is running by using the DNS console. If you change entries by editing the registry, the changes are not effective until you restart the DNS server.

The DNS server does not add this entry to the registry. You can add it by editing the registry or by using a program that edits the registry.

Thank you Microsoft. No really, a GUI would be nice, but thanks anyway.

Posted in Uncategorized | Leave a comment

SSL Wildcard Certificate enables Host Headers on SSL in IIS7

But not with the GUI… Sad smile

Here’s an example:

C:\Windows\System32\inetsrv>appcmd.exe list site
SITE "Default Web Site" (id:1,bindings:http/*:80:,state:Started)
SITE "borrowers" (id:2,bindings:http/,https/,state:Started)
SITE "lenders" (id:3,bindings:http/,https/,state:Started)

In order to get the host header bindings you need this arcane syntax for each website:

C:\Windows\System32\inetsrv>appcmd.exe set site /site.name:"borrowers" /+bindings.[protocol='https',bindingInformation='']
SITE object "borrowers" changed

And in order to remove the existing https bindings:

C:\Windows\System32\inetsrv>appcmd.exe set site /site.name:"borrowers" /-bindings.[protocol='https',bindingInformation='']
SITE object "borrowers" changed

If you had previously bound to any IP (not a static one), the substitute ‘*:443:’ instead of ‘<ip address>:443:’

Check it all again with appcmd list site.

Impossible to remember, but easy to do…

Posted in Systems | Tagged | 5 Comments

Hyper-V – Mount ISO image from remote file share

I’m always forgetting how to do this and getting an error like the following:


The explanation at http://virtuallyaware.wordpress.com/2008/06/23/hyper-v-constrained-delegation-of-authority-remote-mounting-of-iso-with-management-console/ is perfect, but in case it ever goes away, here’s my summary:

In ADUC, find the Hyper-V server, properties, Delegation Tab:


Add the computer which will host the shared ISO images and OK.

Wait a minute of two – trust me!

Now you’re good to go.

Posted in Systems | Tagged , , | Leave a comment

DOS Bootable USB Drive

Oh, what a horrible afternoon. I just needed to update the firmware on a couple of Adaptec 5805 SAS/SATA controllers as part of re-purposing a server with Windows Storage Server 2008 R2. I splashed about for ages, but the solution was easy once I got all the bits together.

  1. Unless you have a floppy drive, you’ll need a virtual one. If you have a virtual machine, you can use that to create a virtual floppy drive, otherwise:
    1. Download Ken Kato’s VFD driver from http://sourceforge.net/projects/vfd/
    2. If you’re on x64
      1. get the x64 patch from http://levicki.net/downloads/ (and read his story if you have the time)
      2. Copy the two files in Levicki’s download and save them over the ones from SF
      3. Remember to repeatedly hit F8 while windows is booting so you can Disable Driver Signature Enforcement
    3. Run vfdwin.exe as administrator to install and start the Virtual Floppy driver
    4. Create a driver using RAM and remember to assign it a Drive letter (in the vfdwin tool)
  2. Format the virtual floppy drive with Windows, and make it into a DOS bootable disk. This gets the DOS boot files.
  3. Download and install the HP USB Disk Storage Format Tool from SP27213.exe from http://code.google.com/p/opensourcemid/downloads/detail?name=SP27213.exe&can=2&q=
  4. Use the HP tool to copy the boot files to the USB drive:


  5. Put Windows Explorer in “show everything” mode
  6. Copy all of the files from the Virtual Floppy to the USB stick, except IO.SYS, MSDOS.SYS and COMMAND.COM, as they’re already there
  7. Reboot and select the USB stick as the boot device. Try F12 for a boot menu…


Posted in Uncategorized | Leave a comment

Hyper-V Tools

It seems I can never remember the command lines any more. Must be getting old. Notes here apply to 2008 R2.

Basic Setup – Server Config





More advanced setup – Core Configurator 2.0




I usually stick it in C:\Program Files\CoreConfig

Hyper-V Remote Access Configuration



Can get you out of trouble in workgroup scenarios by fixing permissions and firewall bumf.

Broadcom NIC Teaming and VLANs


Check what features you have installed with


As long as you have added both the 64-bit AND 32-bit .NET 2.0 features…

start /w ocsetup Netfx2-ServerCore
start /w ocsetup Netfx2-ServerCore-WOW64

and optionally also SNMP:

start /w ocsetup SNMP-SC

… you should be able to install and run the graphical BACS.exe, which is way easier to use than the command-line BACSCli.exe

Posted in Uncategorized | Leave a comment

Very slow web browsing to site name in your hosts file? Blame ISA Server

We’ve started using the Windows Azure Accelerator for Web Roles, but that’s not the point. It is one use-case where you might create an entry in your hosts file (at %SystemRoot%\System32\Drivers\etc). But there are a whole host (haha) of gotchas on the way:

  • In order to edit that file with UAC enabled, you need to use a copy of notepad (or whatever) in elevated (Run As Administrator) mode
  • If you have a proxy configured (or even “Automatically detect settings” with a corporate proxy using wpad or whatever) in your browser’s LAN Settings, it’ll never look in the hosts file, so you’ll need to disable that or make an exception
  • If, once you’ve got to here, it works but it’s excruciatingly slow, it may be your firewall. Well, it took me a while to figure it out, but we have ISA Server 2006 as our firewall, and in order to check certain rules which list domain names, ISA Server needs a domain name. To ensure that you haven’t tried to be “clever” by entering an ip address on your url, it attempts a reverse DNS on the IP address it’s connecting to. And Microsoft, like many other hosting companies, haven’t bothered to add RDNS entries for all their Azure server IP addresses. The resulting RDNS timeout adds hugely to the delay while each element of your site is loaded.

ISA Server 2006 specific fix: Enable the option to prevent this DNS access:  “SkipNameResolutionForAccessAndRoutingRules”:

' Create the root object
Dim root  ' The FPCLib.FPC root object
Set root = CreateObject("FPC.Root")

' Declare the other objects needed.
Dim isaArray     ' An FPCArray object
Dim webProxy     ' An FPCWebProxy object
Dim restartMask  ' A 32-bit bitmask of type FpcServices

' Get references to the array object
' and the Web proxy object. 
Set isaArray = root.GetContainingArray()
set webProxy = isaArray.ArrayPolicy.WebProxy

' Configure the Web proxy to skip name resolution
' while checking access and routing rules and save
' the new configuration. 
webProxy.SkipNameResolutionForAccessAndRoutingRules = True
restartMask = webProxy.GetServiceRestartMask

' Restart the firewall service so that
' the change will take effect.
isaArray.RestartServices restartMask

.csharpcode, .csharpcode pre
font-size: small;
color: black;
font-family: consolas, “Courier New”, courier, monospace;
background-color: #ffffff;
/*white-space: pre;*/
.csharpcode pre { margin: 0em; }
.csharpcode .rem { color: #008000; }
.csharpcode .kwrd { color: #0000ff; }
.csharpcode .str { color: #006080; }
.csharpcode .op { color: #0000c0; }
.csharpcode .preproc { color: #cc6633; }
.csharpcode .asp { background-color: #ffff00; }
.csharpcode .html { color: #800000; }
.csharpcode .attr { color: #ff0000; }
.csharpcode .alt
background-color: #f4f4f4;
width: 100%;
margin: 0em;
.csharpcode .lnum { color: #606060; }

Just paste the code into a text file, save as .VBS and run using cscript.

See http://support.microsoft.com/default.aspx?scid=kb;EN-US;891244 for details.

Posted in Uncategorized | Leave a comment

Windows Time, net time, w32tm.exe, whatever

This one keeps biting me. I always forget what the dance is, but as I’ve just done one, this is what you do to set your Windows Server DC to get reliable time in the UK:

Get an elevated command prompt and do the following:

w32tm /config /manualpeerlist:”0.uk.pool.ntp.org,0x8 1.uk.pool.ntp.org,0x8 2.uk.pool.ntp.org,0x8 3.uk.pool.ntp.org,0x8″ /syncfromflags:MANUAL

and for DCs only:

w32tm /config /reliable:yes

or alternatively (but deprecated)

net time /setsntp:”0.uk.pool.ntp.org 1.uk.pool.ntp.org 2.uk.pool.ntp.org 3.uk.pool.ntp.org”


net stop “windows time”

net start “windows time”

w32tm /resync

Job done.

Posted in Uncategorized | Leave a comment