Windows OS

A few months ago I blogged about a particular situation with cluster creation under Windows Server 2008. Typically, as long as the cluster validation tool passes, cluster creation completes successfully. However, in our case, the issue ended up getting escalated all the way up to the clustering group at Microsoft.

Strange as it might seem, the root cause was the fact that the root of Active Directory had too many individual ACLs assigned. These were inherited by every object further into the AD tree structure, as long as inheritance wasn't blocked. AD has an architectural limit of 64K ACLs per object. The cluster creation process needed to assign a few more ACLs to the newly created computer object and this hit the limit of Active Directory.

At the time, we were the 5th case in the world to have something like this to happen, but those cases were still unresolved. Due to the numerous TTT (Time-Travel-Trace) dumps of the cluster creation process before, during and after the failure, we were able to nail the root cause with Microsoft PSS.

The deceiving part of all of this is that it was not readily apparent that this "ticking time bomb" of a problem existed. After a certain amount of ACL entries (I suspect around 2000), "Active Directory Users and Computers" will not show any additional ACLs. Only after removing duplicate/unneeded ACLs, more would show up in the console. Using ADSIEDIT.msc directly would show all the entries, but I like to tread lightly at customer sites when I can.

Once the ACL entries were cleaned up, the showstopper issue of "The parameter is incorrect" went away and we could create the cluster.

Months later, either as a fluke or as an emerging issue overall, this happened at another customer site with a different group of engineers within our organization. They already had a case open with Microsoft PSS but thankfully how we fixed the problem at the other site allowed us to fix the error and close the issue before PSS could dig into this issue.

The common denominator, software-wise, at both companies? The use of Bindview. It might be a fluke, or it might be a case of "Bindview gone wild" with creation of excess ACLs. Hopefully, someone out there will benefit from this information. If you run into this error, especially with Bindview, I'd like to hear about it.

Here are the notes from PSS on the case, if you are curious:

ISSUE:
- The existing DACL on the computer object is near the size limit of an ACL (65532)
- Cluster Setup adds an ACE to the DACL, which exceeds the size of an ACL but ADSI Security Descriptor objects do not check for this limit.
- Cluster Setup builds the ADSI Security Descriptor (including the new ACE added by Cluster) and then attempts to overwrite the existing ADSI security descriptor of the computer object with the new ADSI Security Descriptor using the PUT method (of the IADS computer object) and passing the "ntSecurityDescriptor" attribute and the variant of new ADSI Security Descriptor.
- The PUT method converts the IADS Security Descriptor and its sub components to native Security Descriptors and Access Control Lists
- The native Windows API for ACL creation checks the requested size limit against the max size limit of 65532 and fails returning STATUS_INVALID_PARAMETER

RESOLUTION:
- Remove the number of ACEs within the original Security Descriptor protecting the computer object to allow Cluster Setup to add the required ACE and still be within the maximum size of the ACL

Windows 7 has a new power management debugging option built into powercfg.exe that can be used to expose potential power hogging drivers and configuration issues that could be eating away at your battery life and driving up your power bill.



As the description states, it is best to run while the system is idle, much like the WinSat "Windows Experience Index" process.

Running powercfg -energy, you end up with results like this:

Enabling tracing for 60 seconds...
Observing system behavior...
Analyzing trace data...
Analysis complete.

Energy efficiency problems were found.

21 Errors
17 Warnings
10 Informational

Using the default options, a file called energy-report.html will be created in the current directory from which powercfg.exe execute and gives you a snapshot of your system energy consumption over a 60 second period.

My laptop's report during idle was not particularly interesting, so here is an example of energy-report.html while my system was under light load with the usual devices I have plugged in my docking station. I seem to have many Suspend unfriendly USB devices.

This update causes ISA Server to use random source ports for UDP sessions created by access rules which serve hosts in networks for which ISA Server defines a network address translation (NAT) relationship.

This update resolves the issue described in Microsoft Article 956910, DNS queries that are sent across a firewall do not use random source ports after you install security update 953230 (MS08-037). With this update, ISA Server allocates a large set of random UDP ports and then selects a port from this set for use in new UDP sessions. You can disable it programmatically (there is no user interface).

Just a quick FYI which I expect to be resolved in future builds (post-PDC/etc), but for right now, networking of guest VMs in VMWare Workstation 6.5.0 and 6.5.1 is rather broken. I have some workarounds/hacks that I will document when I get a moment but they aren't pretty, but they at least get working networking.

There are also some issues with guest USB support, but considering W7 isn't even considered beta yet, the fact that this is the only piece of software I use everyday that doesn't work 100% correctly for me, compared to Vista, is pretty good.

Using a USB-over-network solution seems to work as a workaround for the USB issue - yes, I go to extraordinary lengths to self-host new operating systems, but it is worthwhile in the end.

If I had permission from my wife and kids, they would all be running W7 right now on their machines and we'd have a 100% W7 house. For now, it is just the machines I control.

If you are looking for Windows 7 Radeon drivers, go to ATI's site here. They work well so far from what I can tell. You can also modify them with Driver Heaven's Mobility Modder in case your mobile chipset isn't quite "officially" supported.

Considering the in-box driver in the recent builds of W7 dates back to 2006, it is nice to be able to take advantage of the newer display drivers.
Thankfully, there will be no radical driver support changes between Vista and W7, so Vista drivers should work with W7 without any changes.

I have yet to find a device that has a Vista driver that does not work under W7. With that said, I've finally been able to abandon the WIDCOMM/Broadcom Bluetooth stack for good and rely on the in-box Bluetooth stack. It is much improved. Ditto for HDMI/HDMI audio support.

This update package fixes the following issues:

KB 958560 - When a Communicator 2007 user calls a Conference Auto Attendant access number, the call always uses Mediation Server instead of going to the Conference Auto Attendant directly

KB 958561 - Communications Server 2007 R2 remote users cannot make public switched telephone network (PSTN) calls when Communications Server 2007 servers or proxies are in the call path

Although not well documented yet, you will need to the October 2008 Communicator update to be able to interact with OCS 2007 R2 servers and users.

There is now an end user created Forefront Client Security v1 Group Policy Object (GPO) available for use for setting Forefront Client settings without a back-end management server involved. Most commonly called a '/nomom' installation because the client is installed without a management server specified on the command line. This is also ideal for non-domain joined computers and you want to lock down settings locally.

Originally spotted here talking about a Technet message forum post here. You can download the .ADM file here.

Despite the lull in actual posts here lately, I have been generating some late night unique/original W7 articles to publish soon.

The long running joke about instantly getting a performance boost inside Vista, especially when it is a guest VM, is to do net stop wsearch.

The next best thing you can do, besides limiting what folders are indexed, is to update your Windows Search to version 4.0. Most of the changes between the version included in Vista RTM, and 4.0, revolve around performance enhancements. It becomes especially noticeable on systems with limited I/O bandwidth (think laptops with 4200 rpm HDs).

However, this still isn't perfect. I've talked quite a bit with the Search team about this at the MVP Summit earlier in the year. There is a tweak I do on every system that runs Vista/Windows 7 or Server 2008 with the search/indexing engine enabled. I make sure to use Windows Search 4.0, for the performance improvements and the additional GPO/registry settings available.

The tweak? Disable the indexer backoff. You probably didn't realize you could even do this, but it is an available option that tells the indexing engine, "Don't worry about system activity - just index and get it over with already!". I'd much rather suffer with high CPU / I/O usage for a little while than a long and drawn out 'trickle' of activity that gives Vista a bad name.

This is particularly noticeable on a new install of Xobni when it indexes your Exchange mailbox and touches almost all your mailbox contents. With the indexer backoff enabled, which is the default on all operating systems, Outlook performance drags for a long time. With the indexer backoff disabled, the SearchIndexer.exe process will kick into high gear, finish and fall back asleep. Perfect.

How do you disable the indexer backoff?

For use in a group policy object (GPO):

Assuming you have the Windows Search 4.0 .ADM template added to your domain, or are on a Windows 7 system, look under Computer Configuration\Windows Settings\Administrative Templates\Windows Components\Search. The setting to disable the indexer backoff is not surprisingly called Disable indexer backoff. By default, it is set to Not Configured but you will want to set this to Enabled.

For a non-domain joined computer, or a single PC, you can set this DWORD registry key:

HKLM\Software\Policies\Microsoft\Windows\Windows Search\DisableBackoff with a value of 1.

You can download a pre-made .REG file here.

If this makes a difference for you, performance-wise, positive or negative, please let me know.