09 December 2013

Backup Exec Backup-to-Disk Best Practices

Requirements for creating a backup-to-disk folder:

A backup-to-disk folder can be created in any of the following locations: 
  • NTFS partitions (local or remote) and External USB Hard Drives.
    • The backup-to-disk folder must exist on an NTFS partition for backup jobs in which the Granular Recovery Technology (GRT) option is selected. This option is available for Microsoft Exchange databases and storage groups, Microsoft Active Directory, Microsoft Hyper-V machines, VMware Virtual Machines, and Microsoft SharePoint content database and Team database.
  • Distributed File System (DFS) shares. 
  • FAT/FAT32 partitions (local or remote). 
  • Veritas Volume Manager partitions. 
  • RAID drives with any configuration. 
  • NFS volumes.
  • Network Attached Storage (NAS) devices.
    • If a NAS device is emulating a Windows operating system, contact the NAS manufacturer for assistance before creating backup-to-disk folders on the NAS device. Symantec does not certify NAS devices. If the operating system is a proprietary operating system and not a true Windows operating system, Symantec cannot properly troubleshoot the device.

Recommendations for the "Backup to Disk" feature:

Minimizing Fragmentation:
  • Avoid hosting multiple backup-to-disk folders on the same volume.
  • Minimize the number of concurrent backup operations. Allow only one operation for maximum control.
  • Maintain at least 30 percent free space, and avoid allowing the disk to become completely full.
  • Avoid hosting other applications on the same volume.
  • To prevent fragmentation, perform a regular defragment operation on all backup-to-disk volumes.
  • Maintain 10% or less total volume fragmentation.
  • Perform a CHKDSK on the volume.
  • Do not allocate the maximum size of the backup-to-disk files when performing a GRT enabled backup.
  • All backup-to-disk locations should be excluded from antivirus/antispyware scans.
  • Destination drives that are set up with RAID 5 can show degraded performance. RAID 10 has been shown to significantly improve overall performance. In some cases, RAID 10 offers faster data reads and writes than RAID 5 because it does not need to manage parity.
  • Use high RPM drives in all backup-to-disk volumes for best performance.
  • Maximize the available memory. The amount of available memory will impact backup speed. Insufficient memory, improper page file settings, and a lack of available free hard disk space will cause excessive paging and slow performance.
  • Do not use Microsoft Windows compression or encryption on the volumes hosting the backup-to-disk folder.
  • Experiment with the options for buffered reads and buffered writes. Enabling these options may increase backup performance depending on the underlying disk structure implemented.

  • All Backup to Disk jobs should be overwrite operations.
  • Calculate disk space requirements before assigning a disk space threshold.
  • Create a separate backup-to-disk folder specifically for all GRT enabled backup jobs. Note: Backup Exec 2012 enforces one disk storage device per Windows volume, so this will need multiple volumes.
  • Erase media from the Backup Exec console. Do not use Windows Explorer to delete Backup Exec data unless it has already been properly removed from the application. For more information on deleting media properly, please review the related articles section.
  • The size of backup-to-disk files should not be set larger than 4GB. This is the default size for backup-to-disk files in all current Backup Exec releases. The larger the file size, the more data is exposed when that file is corrupted.
  • USB/eSATA drives are not removable media, and should not be used as such.
Note: For more information, please refer to the Administrator’s guide and/or Hardware Compatibility List (HCL) pertaining to the Backup Exec version being used.


19 November 2013

Folder Redirection Failing

After setting up Folder Redirection in a Windows 2003 domain and logging onto a Windows 2008 R2 server we get the following error:
The following error occurred: "Failed to build the list of known sub folders".
Error details: "The system cannot find the file specified."

Apparently, the Folder Descriptions are messed up. To fix this, we ran the following registry file:
Windows Registry Editor Version 5.00


13 November 2013

09 October 2013

Pop-out Replies and Forwards by Default in Outlook 2013

To set email replies and forwards to pop-out, or open in a new window, instead of using the in-line editor, select the following option:
File-> Options-> Mail-> Replies and Forwards-> Open replies and forwards in a new window

01 October 2013

Enable Remote Management in Windows 7

As I've completely ripped off this most excellent post...just in case it is ever taken down, I'll put the reference at the top:

I hope to customise this to my personal style at a later date:
I’ve been searching for a comprehensive article/blog-post/kb, etc on this for a while but have only been able to find pieces of the overall solution I was looking for.  The challenge?
Enable remote management capabilities on Windows 7 clients within an Active Directory domain environment using Group Policy.
Which capabilities?
  1. Be able to PING clients
  2. Be able to connect to clients via Remote Desktop
  3. Be able to connect to clients via Computer Management
  4. Be able to connect to clients through Event Viewer, RegEdit, etc.
You may notice that my “solution” doesn’t involve a great deal of security options.  That’s because I’m pretty comfortable with the boundary security on my network environment, which will not be described herein.  Suffice it to say that I am only interested in being able to enable and use these capabilities.  If you need increased security, you can configure additional options via Group Policy settings to suit your needs.
Computer Configuration \ Policies \ Administrative Templates
Network \ Network Connections \ Windows Firewall \ Domain Profile
  • Allow ICMP Exceptions:
    • ENABLED - Allow inbound echo request
  • Allow Inbound remote administration:
    • ENABLED: Enter asterisk (*) in IPv4 address box
  • Allow inbound Remote Desktop:
    • ENABLED: Enter asterisk (*) in IPv4 address box
Windows Components \ Remote Desktop Services \ Remote Desktop Session Host \ Connections:
  • Allow users to connect remotely using Remote Desktop services
Windows Components \ Windows Remote Management (WinRM) \ WinRM Service:
  • Allow automatic configuration of listeners
    • ENABLED: Enter asterisk (*) in IPv4 address box
If you need a nudge in the right direction for how to add these settings:
  1. Open Group Policy Management (aka “GPMC”)
  2. Expand Forest: <name> / Domains / <your-domain> / Group Policy Objects
  3. Right-click and select “New”
  4. Enter a name for the GPO (e.g. “Remote Management”) and click OK
  5. Right-click on the new GPO and select “Edit”
  6. Follow the guideline above to locate and enable the settings
  7. Right-click on the very top of the tree-view panel on the name of the GPO and select “Properties”
  8. Check the box “Disable User Configuration settings”
  9. Click “Yes” to accept the warning.
  10. Close the Group Policy Management Editor
  11. Right-click on the desired computer OU in the GPMC and select “Link an existing GPO” and select your new GPO.
  12. That’s it.
You can then either wait for the regular GPO refresh cycle to run (about 90 minutes on average, sometimes less) or go to a client and open a CMD console (remember to right-click and choose “Run as Administrator”) and at the command prompt, enter “GPUPDATE /FORCE” and press Enter.  You should be able to connect to that client from another client on your domain immediately after that.  If you still cannot, double-check your GPO settings and double-check where you linked the GPO (which OU) related to the computer account within AD.  You can (and should) use GPRESULT on the remote client to diagnose GPO issues.
Thank you Skatterbrainz.
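
An added example, not part of the quoted post: a PowerShell check to run on a client after the GPO has applied. It reads the policy values that these Administrative Template settings write to the registry and reports whether each one is open to any source address (the asterisk) or limited to a list. The function names and the sample scope strings are made up for illustration; the ICMP setting is left out because it has no address scope.

```powershell
# Added example: reports how widely the remote-management policy settings are scoped.
# The registry locations are the ones the Windows Firewall and WinRM
# Administrative Templates write to. Function names are hypothetical.

$PolicyChecks = @(
    @{ Setting = 'Allow inbound remote administration'
       Key     = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings'
       Flag    = 'Enabled'; Scope = 'RemoteAddresses' },
    @{ Setting = 'Allow inbound Remote Desktop'
       Key     = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop'
       Flag    = 'Enabled'; Scope = 'RemoteAddresses' },
    @{ Setting = 'WinRM: allow automatic configuration of listeners'
       Key     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
       Flag    = 'AllowAutoConfig'; Scope = 'IPv4Filter' }
)

function Get-ScopeFinding {
    # Classifies one setting from its enable flag and its address-scope string.
    param([string]$Setting, $Flag, [string]$Scope)

    $parts = @($Scope -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' })

    if ($Flag -ne 1)               { $status = 'NotEnabled' }
    elseif ($parts -contains '*')  { $status = 'AnySource' }     # what the asterisk produces
    elseif ($parts.Length -eq 0)   { $status = 'NoScopeValue' }
    else                           { $status = 'Scoped' }

    New-Object PSObject -Property @{ Setting = $Setting; Status = $status; Scope = $Scope } |
        Select-Object Setting, Status, Scope
}

function Get-RemoteMgmtPolicyAudit {
    # Reads each policy key on the local machine; a missing key means the
    # GPO setting has not been applied here.
    foreach ($check in $PolicyChecks) {
        $flag = $null
        $scope = $null
        $values = Get-ItemProperty -Path $check.Key -ErrorAction SilentlyContinue
        if ($values) {
            $flag  = $values.($check.Flag)
            $scope = $values.($check.Scope)
        }
        Get-ScopeFinding -Setting $check.Setting -Flag $flag -Scope $scope
    }
}

$results = @()
# Constructed values: the asterisk from the settings above, and a scoped alternative.
$results += Get-ScopeFinding -Setting 'sample: asterisk' -Flag 1 -Scope '*'
$results += Get-ScopeFinding -Setting 'sample: admin subnet only' -Flag 1 -Scope '10.0.5.0/24,localsubnet'
# Live values from this machine.
$results += Get-RemoteMgmtPolicyAudit
$results | Format-Table -AutoSize
```

Any row reported as AnySource accepts connections from every address the domain firewall profile can see; replacing the asterisk with the management subnet turns it into Scoped.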


27 September 2013

Symantec Endpoint Protection Manager Logs Are Huge

Recently a server's OS drive filled up very quickly before I realised that I had not turned on log truncation in Symantec Endpoint Protection Manager (SEPM). As soon as I performed a truncation and set SEPM to do it every four hours, all was well with the server.

To do this complete the following:

  1. Log in to the SEP Manager.
  2. Click Admin and select Servers.
  3. Select the localhost under Servers.
  4. Under Tasks, Select Edit Database Properties.
  5. In the General tab under Database Maintenance Tasks.
  6. Select the checkboxes next to Truncate the database transaction logs and Rebuild Indexes.
  7. Click OK to apply the changes.


18 September 2013

Google App Sync for Outlook and Click-to-Run

If you have a non click-to-run version of Outlook 2013, but Google Apps Sync for Outlook won't work properly because it thinks you do have a click-to-run version, try the following:

a. Click 'Start' > 'Run'.
b. Type 'regedit' and click 'OK'.
c. Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Office\15.0\ClickToRunStore AND HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\ClickToRunStore
d. Right click it and choose 'Rename'.
e. Change the name from 'ClickToRunStore' to 'ClickToRunStore1'.
f. Install Google Apps Sync for Microsoft Outlook.
g. Back in the Registry Editor, right click 'ClickToRunStore1'.
h. Choose 'Rename' and change the name back to 'ClickToRunStore'.

If you DO have a click-to-run version of Outlook, I would not recommend trying to use it with GASFO, as Outlook is only a streaming version of the software and will effectively be uninstalled when you log out of the click-to-run system.

Google Support :-) Thanks guys!

30 August 2013

Re-appearing File Won't Delete

If you're trying to delete a file and upon pressing F5 (i.e. refresh view), it keeps re-appearing, restart your PC (and yes sometimes an entire file server needs to be restarted if that is where the file is stored), and see if the file is then gone, or can successfully be deleted.

This is a bit extreme in some cases, but in others, it is the only thing that works.

Other options you can try range from using Process Explorer to find which process is locking the file, and stopping that process, to throwing your entire computer away in frustration.

The last option is effective, but has a number of side-effects.

27 August 2013

Fix RDP clipboard if copy/paste is failing

Sometimes copy/paste to/from an RDP session fails even if all server and client settings have been configured correctly. Often the fix is as easy as this:

  • Open Task Manager
  • End the rdpclip.exe process
  • Run a new process
  • Type rdpclip and press Enter

or for a more stressed out post (if the comments have not been removed)

07 August 2013

Remotely Enable RDP

This method assumes remote registry is enabled on the remote PC that you wish to access. If that is also disabled, a physical trip to the PC may be in order.

  1. Open Regedit and "Connect Network Registry..."
  2. Connect to the remote computer by name or IP address
  3. Find HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ Terminal Server
  4. Locate the fDenyTSConnections entry
  5. Change the value from 1 to 0
  6. You should now be able to connect via RDP
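
The same steps scripted in PowerShell, as an added example that is not from the original post. It reads fDenyTSConnections over the remote registry, changes it only when -Enable is given, reads it back, and also reports whether Network Level Authentication is required on the RDP listener. The function name and the host name in the usage comment are made up.

```powershell
# Added example: steps 1-5 above through the .NET remote registry API.
# Function name is hypothetical. Needs the Remote Registry service running
# on the target and an account with administrative rights there.

function Set-RemoteRdpState {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [switch]$Enable   # without this switch the function only reports
    )

    $tsPath  = 'SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpPath = $tsPath + '\WinStations\RDP-Tcp'

    # Equivalent of Regedit's "Connect Network Registry..."
    $hive = [Microsoft.Win32.RegistryHive]::LocalMachine
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $ComputerName)
    try {
        # Open writable only when a change was requested.
        $ts = $hklm.OpenSubKey($tsPath, $Enable.IsPresent)
        if ($null -eq $ts) {
            throw ('{0}: key not found: {1}' -f $ComputerName, $tsPath)
        }

        $before = $ts.GetValue('fDenyTSConnections')
        if ($Enable -and ($before -ne 0)) {
            $kind = [Microsoft.Win32.RegistryValueKind]::DWord
            $ts.SetValue('fDenyTSConnections', 0, $kind)
        }
        $after = $ts.GetValue('fDenyTSConnections')   # read back to confirm
        $ts.Close()

        # UserAuthentication = 1 means the listener requires NLA.
        $nla = $null
        $rdp = $hklm.OpenSubKey($rdpPath)
        if ($rdp) {
            $nla = $rdp.GetValue('UserAuthentication')
            $rdp.Close()
        }

        New-Object PSObject -Property @{
            ComputerName = $ComputerName
            DenyBefore   = $before
            DenyAfter    = $after
            RdpAllowed   = ($after -eq 0)
            NlaRequired  = ($nla -eq 1)
        } | Select-Object ComputerName, DenyBefore, DenyAfter, RdpAllowed, NlaRequired
    }
    finally {
        $hklm.Close()
    }
}

# Report only (host name is a constructed placeholder):
#   Set-RemoteRdpState -ComputerName 'PC-EXAMPLE-01'
# Apply step 5 and confirm:
#   Set-RemoteRdpState -ComputerName 'PC-EXAMPLE-01' -Enable
```

The registry value only lifts the Terminal Server deny flag; the target's firewall still has to allow inbound Remote Desktop, and a row with NlaRequired False is worth fixing before leaving RDP on.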


26 July 2013

Join a Mac to a Domain

There are some good discussions about doing this and working through the issues on the following sites:

I'm not sure at this point where to find something on the actual domain-joining procedure.

22 May 2013

Enable Legacy Boot Mode on Windows 8 Pre-Installed Device

Apparently Microsoft requires OEM suppliers of Windows 8 systems to set the BIOS (actually UEFI now) to Secure Boot by default. This and another setting can prevent booting from CD/DVD drives and USB devices and also prevent Windows 7 (or older) network deployments from succeeding.

To enable smooth Windows 7 (or older) installations or booting from various boot disks, e.g. for disk imaging or repartitioning, etc, you will need to do the following:
  1. Enter the BIOS/UEFI using whatever method the hardware vendor provides for this
  2. Look for the Secure Boot option and disable this
  3. Look for Legacy Boot or CSM (Compatibility Support Module) and enable this
In some cases, you will need to revert these settings to enable Windows 8 to install and/or boot.

01 May 2013

Printer Colour/Duplex/Page-size Setting Won't Save in Windows

In the past I have found myself changing printer settings on a Windows PC, laptop, or tablet, only to find that when I go to print, the settings are not what I want. Examples of this are when the colour or black and white setting, the page size setting, or the duplex setting just will not stick!

What I've found in my travels is that most print drivers have a number of places where you can change these settings, and if you don't check them all, they can seem to keep returning to settings you don't want.

Ensure you check the relevant settings in the following locations:

If you're using a Windows-based print server:
  1. On the print server, in the Print Preferences on the General tab you first see when you open printer properties
  2. On the print server, in the Print Defaults on the Advanced tab in the printer’s properties – THIS IS THE MOST IMPORTANT ONE TO SET ON A PRINT SERVER

Whether you're using a print server or not:
  3. On the user’s PC, in the Print Preferences on the General tab you first see when you open printer properties – this does not affect other users, i.e. it is a per user setting.
  4. On the user’s PC, in the Print Defaults on the Advanced tab in the printer’s properties. THIS IS THE MOST IMPORTANT ONE TO SET IF NOT USING A PRINT SERVER. If you ARE using a print server, these can often not be changed from a client PC/laptop/tablet. It's worth a look anyway.
  5. Lastly, on the user’s PC, within the program they are actually printing from, i.e. Word/Excel/whatever. When you change these settings, they only hold until you close the application – this is therefore a per session setting.

26 April 2013

Exchange 2007 Transport Service Not Starting

I found the following error in the Application Event Log
Topology discovery failed, error 0x80040a02 (DSC_E_NO_SUITABLE_CDC)
The fix was to re-enable IPv6 on the server's NIC.

Other fixes, some of which are NOT best practice so are used at your own discretion, are available here:


08 April 2013

Symantec Endpoint Protection Manager version 11 Recovery

Windows Deployment Server Multicast Is VERY Slow

If WDS multicast deployment is creeping along VERY slowly, you probably have switches that are not able to fragment packets the way Microsoft expects.

To change WDS so it does not send fragmented packets, do the following:

Windows Server 2008R2
Set the following registry key and restart the WDSService
Name: ApBlockSize
Value type: REG_DWORD
Value data: 1385 decimal

Windows Server 2008
Windows Server 2008 uses network profiles to control the settings.  Do the following to configure it to not send fragmented packets:
  1. Click Start, Run, WdsMgmt.msc
  2. Right click the WDS server and choose properties
  3. Choose the network settings tab
  4. Change the network profile to custom
Set the following registry key and restart the WDSService
Name: ApBlockSize
Value type: REG_DWORD
Value data: 1385 decimal

If this allows the multicast transmission to complete, you can then modify the TpCacheSize registry key below to increase the performance.  If you decrease ApBlockSize without increasing TpCacheSize, overall performance will decrease. Basically, ApBlockSize * TpCacheSize = the maximum bandwidth that can be achieved. Increase TpCacheSize from 1190.

Windows Server 2008 R2
Name: TpCacheSize
Value type: REG_DWORD
Value data: 3145 decimal

Windows Server 2008
Name: TpCacheSize
Value type: REG_DWORD
Value data: 3145 decimal
Restart the WDSServer service after setting this registry key.  After setting this run a deployment to verify it completes and take note of the time to download the image.  Then increase this value in increments until it fails or reaches 7550.

If you have to disable IP fragmentation to get multicast working then this may be indicative of low-end switching/routing hardware that perhaps does not support fragmentation efficiently or does not support multicast efficiently (IGMP/MLD snooping etc.).  Multicast can be demanding on a network so it can expose problems or issues in network infrastructure that were unknown until multicast was setup. 


07 April 2013

Windows Deployment Server's Message from Administrator

On your WDS server type the following at a Command Prompt:
WDSUtil /set-server /AutoAddPolicy /Message:"To contact your network administrator, please dial 123-4567"

If your message is too long (I haven't tested how long), it will fail.


22 February 2013

Lync Resources

For those, like me, deploying Lync 2010 and 2013. Most of the info here will just be links to other resources.

Lync 2013 Server Roles

Lync 2013 Prerequisites

Lync and the Enterprise Network

Edge Media Connectivity with ICE

Understanding Regular Expressions

Connecting Office 365 Lync to On-Premise Exchange

Skype Interoperability

Integration with On-Premise Systems


Microsoft Support - New Zealand

Kindly highlighted by Nathan Mercer from Microsoft New Zealand in a recent newsletter:

One of the most common questions we receive: What is the best way to contact Microsoft if you have a problem with a Microsoft product or service, or to ask a general question? This article is designed to give you a summary of the support options available to IT Professionals in New Zealand. Support options range from free support through to premium paid support.

Firstly let’s go through the options you can find on the web. On our recently-updated main support portal, you will find links highlighting our top support issues, top downloads, contact details, and can get support by product.

Talk to someone...

To contact Microsoft Customer Service about a specific problem you’re having, you can email our customer service team – they are surprisingly responsive, and are best briefed to deal with product information & pricing, product licensing, Microsoft event registration & details, Microsoft Profile management for email subscriptions, Product key generation, as well as general enquiries such as sponsorships, donations, business proposals, and even job opportunities.

If you would prefer to speak with a real person, you can call us free on 0800 800 004, between 7:30am and 9:00pm from Monday to Friday. You can also contact me personally, through my blog or @NathanM on twitter.

Our New Zealand team also runs the NZ TechNet blog, and @TechNetNZ on twitter – both with news and events for kiwi IT Professionals. For more consumer-oriented information, follow @MicrosoftNZ or, most relevant to this article, reach out to @MicrosoftHelps for support via twitter.

Microsoft Community forums online for self-help

Be sure to check out the Microsoft Community forums for finding answers, sharing ideas and solving problems. Describe what's going on, and our community members can help you understand the problem. Then they can show you how to resolve it with step-by-step instructions. There are dedicated forums for each specific product and they are very active with questions and answers.

If you’re working in a technical role, we also have dedicated forums where you can go to for technical assistance – check out the TechNet Forums for IT Professionals or the MSDN Forums for Developers. I can really recommend these forums, they are full of useful information thanks to skilled contributors responding to questions.

TechNet Software Subscription for IT Professionals:
Use promo code NZTN13-1 to receive 30% off.

A 30% discount off a 12-month Microsoft TechNet Subscription makes this affordable for every IT Professional. I’d highly recommend it as it includes great paid support benefits that won’t break the bank. You can read about the different TechNet subscription options and benefits but they include:
  • Professional Support Calls – Professional subscribers receive 2 complimentary support calls and can talk to a Microsoft support professional for fast help with the toughest technical questions. TechNet Professional subscribers also receive a 20% discount on additional purchased support calls.
  • Priority Support in TechNet Forums – with your subscription you have unlimited access & priority support in TechNet forums, with your questions answered within two business days. Engage with other IT Professionals who have encountered the same issues you are facing. Answers are reviewed by a Microsoft support professional.
  • Microsoft E-Learning – Prepare for certification or simply deepen or develop new skills with a selection of Microsoft E-Learning course collection.
  • Microsoft Software Licensed for Evaluation Purposes – During your 12-month subscription you’ll have access to the latest Microsoft full-version and beta software you need for evaluation and deployment planning with no feature limits.

Microsoft Partners

As a Microsoft Partner, you have a range of Partner support options in addition to those listed above. First, sign into the Microsoft Partner Network where you will find a list of support options:
On that site you can also view the details of an incident you recently submitted or submit a new one. You can also see how many partner advisory hours you have available, or purchase more hours. As a Microsoft Partner you receive a range of benefits depending on your membership level, including:
  • Partner advisory hours that you can use for technical enablement and for technical presales and advisory services
  • Partner Support Community
  • Business-critical (customer server down)
  • 5-Pack of Professional Support Incidents

Recommended Links

How-to Websites
Popular resources

19 February 2013

Get Exchange Mailbox Stats


Get-MailboxStatistics | ft DisplayName,TotalItemSize,ItemCount

Get-MailboxStatistics | Sort-Object TotalItemSize -Descending | ft DisplayName,TotalItemSize,ItemCount


Successfully Shrink Database Log File (*.ldf) in SQL 2005

This may also work in other versions of SQL, but I've not tested it.

First, back the database up. I'm assuming you can figure out the details of backing up. I normally backup to disk and create a new file for the backup in a set backup location/drive/disk.

Then, set the database to use the Simple recovery model, as seen in the drop-down list in the image below.

Finally, shrink the database, ensuring you select the Reorganize files... option. Select a minimum freespace of anywhere from 0 to 20. If it is low, you are likely to see some instant growth in your database. If it is too high, you're wasting space.

Connecting Windows 8 to SBS 2008/2011 RWW

If you are using Windows 8 and cannot connect to computers via SBS 2008 or 2011 Remote Web Workplace, the following may help.

It is likely that once logging in you can still access email via OWA and open the Internal Website, but you can't connect to internal computers.

This issue is (or will be) supposedly solved with an Update Rollup package, or you do the following in Internet Explorer to sort it out yourself:
- add your RWW site to Trusted sites,
- open the RWW site in compatibility mode.
After this, you will be able to connect to all computers.


18 February 2013

Great AD Management Tools

Solar Winds have some excellent free (you need to register though) tools to help get the mundane stuff done in AD.

  • List old User Accounts
  • List old Computer Accounts
  • Bulk import User Accounts

This link came from my petri.co.il subscription, so you can see their details in it. I'm not sure how long Solar Winds will offer this either.


Use Group Policy to Restrict Access to USB

Sweet Java Install Automation

12 February 2013

Symantec Endpoint Protection Has Detected Pending Changes

When installing Symantec Endpoint Protection, sometimes you will see an error message that "Symantec Endpoint Protection has detected that there are pending system changes that require a restart", but a restart does not fix the issue.

In that case, do the following:
Delete the registry value "PendingFileRenameOperations" under the key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager". Delete only that value, not the Session Manager key itself.
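
An added example, not from the original post: before the value is removed, this PowerShell lists the file operations it holds (the value is a list of source/target pairs, where an empty target means "delete at next boot") and exports the Session Manager key to a .reg file, so that other software's pending changes are not discarded unseen. The function names, backup file name and sample entries are made up.

```powershell
# Added example: show what PendingFileRenameOperations contains, back it up,
# then delete the value. Function names and the backup path are hypothetical.

$SessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$ValueName      = 'PendingFileRenameOperations'

function ConvertTo-PendingOperation {
    # The value is REG_MULTI_SZ: entries come in pairs (source, target).
    # Paths carry a \??\ prefix; a leading ! on the target means "replace existing".
    param([string[]]$Entries)

    for ($i = 0; $i -lt $Entries.Length; $i += 2) {
        $source = $Entries[$i] -replace '^\\\?\?\\', ''
        $target = ''
        if (($i + 1) -lt $Entries.Length) {
            $target = $Entries[$i + 1] -replace '^!?\\\?\?\\', ''
        }
        if ($target -eq '') { $action = 'Delete' } else { $action = 'Rename' }

        New-Object PSObject -Property @{ Action = $action; Source = $source; Target = $target } |
            Select-Object Action, Source, Target
    }
}

function Invoke-PendingRenameCleanup {
    # Lists the pending operations; removes the value only with -Delete,
    # and only after the key has been exported successfully.
    param(
        [string]$BackupFile = "$env:TEMP\SessionManager-backup.reg",
        [switch]$Delete
    )

    $item = Get-ItemProperty -Path $SessionManager -Name $ValueName -ErrorAction SilentlyContinue
    if (-not $item) {
        Write-Warning "$ValueName is not present; nothing to delete."
        return
    }

    $entries = $item.$ValueName
    ConvertTo-PendingOperation -Entries $entries

    if ($Delete) {
        & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager' $BackupFile /y | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "Backup to $BackupFile failed; the value was left in place."
        }
        Remove-ItemProperty -Path $SessionManager -Name $ValueName
    }
}

# Constructed sample entries, to show the pair format without touching the registry:
$sample = @('\??\C:\Temp\constructed-old.dll', '',
            '\??\C:\Temp\constructed-new.tmp', '!\??\C:\Example\constructed-app.dll')
ConvertTo-PendingOperation -Entries $sample | Format-Table -AutoSize

# On the affected machine, from an elevated prompt:
#   Invoke-PendingRenameCleanup            # list only
#   Invoke-PendingRenameCleanup -Delete    # back up, then delete the value
```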


08 January 2013

Symantec Endpoint Protection Manager 11 - Unable to Communicate with Reporting Component

  • If you are on a 32-bit OS, skip the next step.
  • If you are on a 64-bit OS, first go to the 32-bit ODBC Control Panel. To do this, do the following:
    • Go to the %systemroot%\SysWOW64 folder (Example - Click Start -> Run -> C:\Windows\Syswow64 and click on OK)
    • Locate Odbcad32.exe and double-click on the file
    • Click on the System DSN tab
    • You will find the "SymantecEndpointSecurityDSN" listed in the window.
    • Now click on the CONFIGURE button and proceed with the configuration of the DSN for the Symantec Endpoint Protection Manager
  • Open ODBC (using the instructions above if on a 64-bit OS), then do the following:
    • Select Configure on the SymantecEndpointSecurityDSN
    • Under the LOGIN tab, set it to Supply User ID and password and type:
      • User ID: dba
      • Password: Login password to the SEPM
    • Under the DATABASE tab, configure these options:
      • Server Name: Name of Server
      • Database Name: sem5 (if you are using the embedded database)
    • Under the NETWORK tab, configure these options:
      • Check TCP/IP and enter: "host=IPAddressofServer" without the quotes.
    • Now test the connection. You should receive Connection Successful.


Symantec Endpoint Protection Manager Database Will Not Start

If Symantec Endpoint Protection Manager v11 embedded database does not start, try the following:

The below article describes how to recreate the embedded database's log file:
A SEP11 version of the steps is:
  1. Go to "C:\Program Files\Symantec\Symantec Endpoint Protection Manager\db\" and rename sem5.log to sem5.log.old
  2. Click Start, click on Run, type "CMD", then click OK
  3. In the Command Prompt, type the following and press Enter. This changes directory to the folder containing dbsrv9.exe:
     CD C:\Program Files\Symantec\Symantec Endpoint Protection Manager\ASA\win32\
  4. To force the recreation of sem5.log, type the following and press Enter:
     dbsrv9 -f "C:\Program Files\Symantec\Symantec Endpoint Protection Manager\db\sem5.db"
  5. Click Start, click on Run, type "services.msc", then click OK and start the Symantec Embedded Database Service
  6. Start the Symantec Endpoint Protection Manager service.
Don't forget to adjust the paths if your SEPM is on a 64-bit OS.
