We encountered a strange one today that may not affect many folks out there, but after three hours of mind numbing troubleshooting (and some Wireshark Ninja Skillz), I figured it would be worth passing along what's happening here...

Server 2008 R2 DNS Service by default supports DNSSEC.  This is a long-awaited feature for many of us, and is generally a good thing.  However after migrating our DNS services to R2, we noticed quickly that we were no longer able to resolve *.internet2.edu addresses.  When we looked at packet captures of this traffic, we could see the request leave our server, but the response from the destination DNS server showed up in Wireshark as "Fragmented IP Protocol", and we were only seeing one of the fragmented packets (the first packet transmitted by the responding DNS server) getting to our R2 server.

When we did the same packet capture against our old Server 2008 SP2 DNS server, that same behavior did not occur.  We examined the difference between the request packet sent by the 2008 SP2 box versus the 2008 R2 box, and noticed that R2 is requesting DNSSEC information on each request.  For most domains there is no DNSSEC information to return, and thus the vast majority of the Internet worked correctly.

We brought our firewall guy in on the problem and he began poking around in that space.  We eventually determined that the information being returned to R2 based on it's request for additional DNSSEC information exceeded the 1514 byte size limit on the Ethernet frame, causing the response packet to become fragmented.  This alone should be handled gracefully by the OS, but in our case we had an upstream firewall that was configured to block these kinds of packets (not the first fragmented packet, only the trailling packet fragments), which caused our DNS server to think that it never received a response from the queried DNS server.

Reconfiguring the upstream firewall to allow those fragments through to just our DNS servers solved the issue, and we're now running our DNS services on Server 2008 R2 without error.

Great success!

Somewhere in the neighborhood of about 2006, Microsoft's HTML help viewer application stopped gracefully opening CHM (compressed HTML help) files consistently.  I've noticed this problem on XP, Vista and Win7, across rebuilds, across browser versions, nearly universally.  There's a lot of advice out there about how to make Windows open CHM files correctly when faced with a content pane in the viewer application that reads "Navigation to the webpage was cancelled", however on my Windows 7 x64 workstation nothing worked.  A quick Google search this morning yielded a handy little utility called CHM Decoder that will extract the HTML content from a CHM file, allowing you to view the contents within a web browser.  Great stuff!

http://www.gridinsoft.com/chm.php

To view processes on a computer and their current physical memory consumption:

Get-Process -ComputerName <name> | select Name, WS | sort WS

• Omit ComputerName to get processes on the local machine
• WS = Working Set - returned in KB, size of pages in physical memory for a given process
• VM = Amount of virtual memory (page file) committed for use by a given process
• CPU = Amount of process time in use by a given process (for all available processors)

1. Download the Windows Automated Installation Kit for Windows 7 (WAIK) - http://www.microsoft.com/downloads/details.aspx?familyid=696DD665-9F76-4177-A811-39C26D3B3B34&displaylang=en 

2. Start | All Programs | Microsoft Windows AIK | Windows PE Tools Command Prompt -> This command prompt preloads the necessary folders into the path variable for easy image editing. Make sure to Run as Administrator!

3. copype.cmd <x86 | amd64 | ia64> <destination folder to create, ex: z:\PEBuild> This script creates a workspace for manipulating WinPE images prior to burning a CD or copying to a flash drive.  The ISO folder contains the files used for both.  The file ..\PEBuild\ISO\Sources\boot.wim is the actual WinPE image that the bootloader extracts to a RAMDisk when WinPE boots.  The copype.cmd also creates a second copy of the WIM called winpe.wim in the root of the PEBuild folder - this provides you with an easy way to make a "start fresh" with a new WinPE boot image if necessary.

4. To place tools or files within the ISO (on CD) or on the flash drive you will boot from, copy the files to the z:\PEBuild\ISO folder.

5. To place tools or files within the RAMDisk that WinPE boots from (which is useful to retain access to tools, such as Imagex, when you pull the flash drive or CD from the computer upon which you will boot into WinPE), use this command: imagex /mountrw ISO\Sources\boot.wim 1 .\mount  ->  This mounts the WIM file to the mount folder within your PEBuild workspace. (Note that DISM.exe can be used in place of Imagex if you prefer.)  This step is also necessary to perform driver servicing on the WinPE boot image, as discussed in step 6 below.

6. To load additional drivers into a your WinPE image, use the following command after proceeding with step 5 above): Dism /image:<path_to_image> /Add-Driver /Driver:<path_to_driver.inf>  Note that this command must be run against a mounted WIM file (performed in step 5 above).  For more on driver servicing and WinPE, see the following article on TechNet: http://technet.microsoft.com/en-us/library/dd799258(WS.10).aspx.

7. When you are finished editing the WIM file, do this: imagex /unmount /commit .\mount

8. Make sure to copy ImageX to your ISO folder so you can apply an image to a hard drive.  Use this command: copy "c:\Program Files\Windows AIK\Tools\x86\imagex.exe" z:\PEBuild\ISO

8. WinPE is now ready to go.  Either burn the entire contents of the ISO folder to a CD marked as bootable (step 9), or copy the entire contents to a flash drive (follow the steps listed here to prepare your flash drive).

9. If you intend to create a bootable CD, you'll need to use the following command to create an ISO from the files in the ISO folder (using the PE Tools Command Prompt): oscdimg -n –bz:\PEBuild\etfsboot.com z:\PEBuild\ISO Z:\PEBuild\winpe_x86.iso  You can then burn the resulting ISO to disk.

Recently while meeting with a vendor some skepticism was expressed as to our shop's decision to go with Hyper-V from Microsoft over a virtualization solution from VMware.  The vendor rep mentioned memory over-commit as his reason for preferring VMware over Microsoft's solution, which instantly put me on the defensive.  While I admittedly work for the "Windows Group", I try to stay as OS-agnostic as possible.  As with all things in life, it's all about the right tool for the job - and I won't ever and have never claimed that Microsoft software is the "end-all, be-all" fix for what ails you.

But this particular comment about memory over-commit was preceded by the statement “you guys are pretty much the only folks we know of who are doing Hyper-V”, so on this occasion I was particularly sensitive to this argument.  I responded with the certainly-obvious point that “I would never want to put into production a system that had a potential to blow past the top of the available memory space in the event of an unplanned failover, as that to me is a single point of failure.”  Naturally the vendor rep rebutted with standard lines about “getting the most out of the hardware” and more drivel which I completely ignored – in much the same way that my point was ignored by the rep.  It’s unfortunate that many of us in IT which do claim to be agnostic still fall into our partisan ways when put on the spot, myself included.

Today I came across an article on the Hyper-V vs. VMware topic by one of my favorite bloggers, James O’Neill.  Mr. O’Neill (who does work for Microsoft, and thusly wears his bias on his sleeves) eloquently made the technical argument for my point much more coherently than I’ve seen.

“Memory over-commit. Vmware's advice is don't do it. Deceiving a virtualized OS about the amount of memory at its disposal means it makes bad decisions about what to bring into memory - with the virtualization layer paging blindly - not knowing what needs to be in memory and what doesn’t. That means you must size your hardware for more disk operations, and still accept worse performance.” - http://blogs.technet.com/jamesone/archive/2009/12/21/drilling-into-reasons-for-not-switching-to-hyper-v.aspx

So I’ll promptly be inserting this exact language into my defense of our decision.  Aside from the built-in goodness of high availability (driven by proven Windows Failover Clustering technology) (which, BTW, is free – check out Hyper-V Server!), the lack of over-commit is a huge win when comparing platforms.  It prevents novice admins from making a major mistake when designing a virtual infrastructure, and forces admins to provide adequate memory on hosts for the virtualized workloads in question.  We in higher education understand better than most the pains of slashed budgets and “do more with less” directives…  But when it comes to the pursuit of five-nines, in my book you can’t leave a critical factor like memory availability to chance and expect great results.

Besides, I would posit that no professional system administrator worth his weight in DVI dongles would ever take advantage of memory over-commit in a production system.  And as a vendor, if your go-to argument for VMware over Hyper-V is memory over-commit you’d better do your homework - next time I’ll be much better prepared to make my point.  After all, VMware’s own advice is “don’t do it”.

PS: For the record, I am in the process of bringing up two VMware ESXi 4.0 nodes for some non-Windows workloads.  It's the right tool for that job, at least as of December 2009.

This is the KB article for the bug I found in Windows Server 2008 Failover Clustering.  Three months of hard work finally pay off!

http://support.microsoft.com/kb/970529 - The volume GUID may unexpectedly change after a volume is extended on a Windows Server 2008 failover cluster node

1. Download the appropriate driver.  You'll need an INF file to complete the install.
2. CD to the root of your WinPE build folder. 
3. Mount your WinPE boot.wim (imagex /mountrw .\ISO\sources\boot.wim 1 .\mount).
4. Install the driver (peimg /inf=<full path to INF file> .\mount\windows)
5. Unmount the WinPE image (imagex /unmount .\mount /commit)
6. Optional: Create a new ISO for burning to CD (oscdimg -n -b<path to etfsboot.com> <file name of ISO to create>)

Here, are instructions for integrating the Hyper-V RTM (!) Integration Components device drivers into a WinPE image.  This is based on Mike Sterling's post on the same topic, however the scripts below have been updated to use RTM Hyper-V bits.

1. Create your WinPE build folder, if you haven't already done so.  See Building a WinPE Image from Scratch for help (follow only steps 1 through 5).
2. In the root of your build folder, download the appropriate integration batch file from the bottom of this post.
3. Locate Windows6.0-KB951634-x86.msu.  This file is on the c:\windows\system32\vmguest.iso, located on any Hyper-V enabled host.  The update file should be located in the Support folder of the ISO.  Copy this file to the root of your WinPE build folder - the same location as your integration batch script.
4. From the Windows PE Tools Command Prompt, execute the integration script.  If everything went correctly, you'll see "PEIMG completed the operation successfully." listed seven times in the output of the script.
5. At this point your WinPE build is updated.  Resume steps 7 through 9 in Building a WinPE Image from Scratch to complete the process.

If you have questions about the above, please e-mail me at jason.huitt@colostate.edu - I've run both of these scripts successfully as of today, and now have working x86 and x64 WinPE ISOs.  My trust WinPE flash drive has been updated as well.  You'll love the integrated mouse and NIC support when building Hyper-V VMs.  No more Legacy Network Adapter!

Integrate_x86.bat (1.10 kb)

Integrate_x64.bat (1.12 kb)

A breath of fresh air: Windows Mobile 6.1 for the Samsung Ace.  Finally.

http://www.samsungmobileusa.com/i325/upgrade/

I'm blogging this from my laptop, tethered to my Ace.  It's no long necessary to "unlock" the device, as they've set the security profile correctly to allow installation of apps.  To tether a newly updated Ace:

http://cameronfuller.spaces.live.com/Blog/cns!A231E4EB0417CB76!1318.entry

Guest OS processor utilization will not affect processor utilization on the host OS, per se.