The Raven Report

On a crazy whim, last Friday I jokingly stop by my friendly neighborhood Ford dealer. I ended up test driving a Ford Edge, actually 2, even brought them both by the house for the wife to see, but since Ford didn't have any good deals on the Edges we passed. Fast forward about a week, and we now have a new Mercury Mountaineer.

My Lessons learned:

•      Don't drive from out of state to pick up a car unless you have a firm deposit

•      Don't go looking if you don't intend to buy, at least for me Mr. compulsive obsessive

•      You can get anything from a dealer, even a big display bow if you promise to rate them excellent on a survey.

•      Names of Dealers change, but they stay the same.

Words of Wisdom for ones who wish to sell me a car:

•      I'm buying an expensive item. I want to drive it on the real road and get the warm fuzzes. The parking lot just does not work.

•      If you say your going to hold a car for someone. Do it, and set a time limit up front.

•      Tell me you strive for excellence and make sure I'm completely satisfied. Don't tell me how to fill out a satisfaction survey, and have me  practice on one for you.

How the lessons were learned:

If you couldn't tell by all the commercials, automobile manufactures & dealers really what to clear out last year's inventory before the new year, so incentives are plentifully. After looking into the Edge, where even the 2007 don't have a good deal I spent the weekend (did I mention I'm compulsive obsessive? ) browsing the net for 07 Explorers, and coming up pretty much empty handed. We decided to skip the new car for now . Then yesterday I happened across a Mountaineer with all the options the wife wanted, and sent the link over her way.  

This car was exactly what the wife wanted, so I gave them a call around closing and Bob the salesman side he'd look into it and give me a call in the morning. So early this afternoon I get a call, and Bob states that the car already in process, and he'll let me know if it falls through. The wife calls and i let her know the news. I also send her a couple links to some used 2006s, and we decide go check them out. Since the original dealer is on the way to the other dealer,  wife wants to stop by Bob's place, and look at the other two 2007s they had sitting around that were not quite the "the one".

So we get to Bob's place, and ask to drive one of the other Mountaineer. Bob pulls the car up and says we can drive it around the lot since it is almost out of gas, and he would have to send a porter to go get gas. What are you kidding me? I can't take the car off the lot? Figuring Bob had slipped on ice and bumped his head while retrieving the car in question, I played along. After the parking lot cruse, we come back in and meet up with Bob. He states "Those drive nice huh?". Poor Bob he must of really hit his head good.... I chuckle, and ask about how the deal was going on "the one". Bob says it's still pending, so here I figured we would part ways. I told Bob that we were heading to the other dealer to look at the used ones then all the sudden he wants to check on the status of the one.

Bob comes back with the paperwork for the one, and this time we actually get to drive it, what a concept. We get back, I tell Bob that we'll take it, and introduce concept of trading in the 2004 Trailblazer. Bob comes back with an off the wall low ball offer. I guess Bob did hit his head. I pass on the trade in offer, and move to writing up everything. Bob now mentions that we don't need the guy from Illinois paperwork in passing, and I think nothing of it.
At this point, while the paperwork is being written up the wife and I step out for a smoke. This is when first notice the guy who pulls up with an Illinois plate. Oh yeah I'm in Michigan,and the dealer is here also. More on this in a minute.

So we do the signing thing and are wrapping up.  I have been hinting to Bob that I want a bow for the wife all night, but the option has been shutdown. In walks the satisfaction survey. Now don't get me wrong, for us the experience was very good, but these guys want everything to be exceptional, and prep me on how to fill out the survey when it arrives and even have me fill, and sign a mock survey. Here where I realize the deal is not over and bring up the bow. Bob becomes flustered at this point. I casually state that I have a short memory, and a bow would remind me of the exceptional service I received otherwise I might forget and circle a very good. Needless to say I now have a big red bow that I can use as marketing material for this Trailblazer I still have.

We wrap everything up and, as we're moving the car seats into the new car, I notice the couple staring at us through the window. We set to depart and the couple gets in there Illinois plated car, just giving us a passing glare as they go. This is where it hits home. Now don't get me wrong the wife loves the new car, and we wouldn't have bought the other one, but that couple drove over 3 hours to get this car and had it bought for underneath them. Now in their situation I would have been on fire. It actually left a very bad taste in my mouth, and even though we had an fairly good buying experience. I don't think  we would ever purchase another vehicle from them.

For a User Run

strComputer = "."
strUser = "User"
strDomain = "domain"
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

Set objAccount = objWMIService.Get _
    ("Win32_UserAccount.Name='" & strUser &"',Domain='''& strDomain &"'")
Wscript.Echo objAccount.SID

For a Group Use

strComputer = "."
strGroup = "GROUPNAME"
strDomain = "DOMAIN"
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set objAccount = objWMIService.Get("Win32_Group.Name='" & strGroup &"',Domain='"& strDomain &"'")
Wscript.Echo objAccount.SID

Question: How do I grant access for a user to remotely Start/Stop a service?

Answer: First the User/Group in question must have remote read permission to the scmanager (Computer Manager or sc commamd line)

Get the scmanager SDDL:

sc sdshow scmanager

Original SDDL:

D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;B
A)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

Copy the Interactive User ACE (A;;CCLCRPRC;;;IU) and change the IU to the SID of the User/Group you wish to grant access and paste the new ACE before the S:

New SDDL:
D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;B
A)(A;;CCLCRPRC;;;S-1-5-3-3127463467463)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

Now set the new SDDL on the scmanager service:

sc sdset scmanager D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;B
A)(A;;CCLCRPRC;;;S-1-5-3-3127463467463)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

Your user now has remote access to the scmanager.  Now we must grant access to start and stop a service (Alerter in this example)

Get the Alerter SDDL:
sc sdshow Alerter

Alerter Original SDDL:

D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

Now copy the Authenticated Users ACE (A;;CCLCSWLOCRRC;;;AU)  add "WP" following the RC in the ACE and change the AU to the SID of your user and paste your new ACE prior to S: in the SDDL:

New Alerter SDDL:

D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;
;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWLOCRRCWPRP;;;S-1-5-3-3127463467463)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)


Last of all, set your new SDDL on the Alerter Service:

sc sdset Alerter D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;
;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWLOCRRCWPRP;;;domain\usergroup)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)


For more information on SDDL Syntax


All example SDDLs are default on Windows 2003 SP1

Background

A few months back we had an issue with our clustered DHCP server. It appears that the virus scanner lost its exceptions on the DHCP logs & database files.  During the built in DHCP backup, which normally happens once and hour, corrupted not only the backup, but the DHCP database itself.  Since the issue didn’t actually kill the DHCP service, our SCOM didn’t catch the failure.  Actually SCOM doesn’t monitor DHCP in a cluster very well, since the management pack doesn’t detect cluster installs.  Because the problem occurred in the middle of the night no one was aware of the joy that waited on arrival to the office.  Long story short, we had about 2 hours of real live, no one working downtime. All the servers and applications were running clients they just couldn’t get addresses to connect.

The Question

How do we restore to a new none clustered server in the event that the entire cluster is unavailable, and do it quickly with minimal impact?

The Answer

To restore the DHCP database in a clustered environment or where the DHCP database is not installed in the default location, your new system must the same path available that was on the original DHCP server.  

So say you have DHCP in a cluster and the data base and log files are in the S:\DHCPDATA you will not be able to restore, unless you have a S:\DHCPDATA available on the new box, since the database in the backup folder isn’t a real database and has the path hard coded into the dhcp.mdb, dhcp.pat & log file.  You can actually mount the dhcp.pat in regedit and modify it, but  since the path is also hardcoded in the database, in the end it doesn’t help us in this situation.

This is all well in good except if you are restoring to a server that has an S:\, but what if that isn’t the case?

Workaround

Use the following command on the DHCP server as part of your backup process

netsh dhcp server export C:\dhcp.txt all

Then use the following command to restore on the new server

netsh dhcp server import C:\dhcp.txt all

This option looks great at first, but when you run this command the DHCP server service stops and then restarts. In a cluster this causes the resource to go offline and back online, which in turn triggers alerts. So either we put the system in maintenance mode or look for other options. Also what if I didn’t implement this, and all I have are the backups from tape?

Now to the heart of the problem:

All we have is the built in backup files, and we need to restore to a server with a S:\

1.    Create a folder called DHCP and share on the C:\ giving system full control

2.    Make sure the file structure matches what you had on your original server.  In our case: dhcpdata\back\new.

3.    Restore your backup files in this directory

4.    Create a persistent drive mapping from the server to itself as the system account

a.    How/Why the hell do I do this?
Well DHCP runs as system so we have to have the drive S:\ available for it
This can be accomplished by doing the following

                                       i.   Open a Command prompt

                                       ii.    Type:
AT <future Time> /interactive cmd /k
this will open a cmd window running  as system

                                       iii. Type the following in the system command window:
Net use s:  \\servername\DHCP  /PERSISTENT:YES

5.    Now that we have a S:\ available to system all we need to do is initiate a restore from the DHCP management tool and browse to the backup files.

Additions Info:

Technet Managing DHCP Databases

How to move a DHCP database