SharePoint test server configuration

I am attempting to set up a test SharePoint server environment to deploy the current production environment. This will contain a copy of the prod SharePoint Content DB, and will reflect the same general configuration:
- Kerberos authentication
- separate service account for SharePoint content management and SharePoint configuration
- SQL DB server and SharePoint web components run on separate OS instances
- SharePoint installed on non-default IIS site, using host headers to direct users to the secondary IP (do we really need a secondary IP???)

I am having some difficulties around Kerberos auth and also with prod DB import. Here are some helpful links:

Hunting down and exterminating uncompressed TIFFs

It seems that some of our constituents have not been paying overly much attention to the settings on their scanners. We have over 40Gb of black-and-white, text-only documents scanned at 24 BPP, uncompressed, consuming 10 Mb each!

This happened once before. My colleague Warren licensed a product called “2TIFF” to shrink the files in question. This works well, except in his case ALL of the images in an Application folder needed to be compressed. I only need to shrink SOME of them.

After much fooling around and wasting of time, I was able to use a win32 port of the UNIX “find” command to hunt down all of the large files, dump the list to a file, and then use this file as a source for 2TIFF. The big mess of images now occupies only about 30 Mb of space.

Here are the command syntax details:
> find.exe "I:\OBJECTS\PURCHASE_ORDERS" -size +3M -fprint bigfiles.txt
(searches the PURCHASE_ORDERS document tree for all files larger than 3 Mb, dumps results to the text file “bigfiles.txt”)

> FOR /f %F in (bigfiles.txt) DO ( "C:\Program Files\2TIFF\2tiff" s=%F d=%~dF\shrink%~pF -namegen="[name].[srcext]" -quantize8 -ct4 -cd4 -keepexif)
(Perform a loop operation. For each loop, set the next line in bigfiles.txt to the variable %F. Run the 2Tiff program using %F as the source file. Use \shrink on the source drive, followed by the source file’s path, as the output directory (example: when %F=“c:\objects\procurement\1\163.bin”, the output directory will be “c:\shrink\objects\procurement\1\”).)

Here is what the 2Tiff arguments mean:
-namegen="[name].[srcext]" -> The name of the destination file is the same as that of the source ([name] is a built-in variable equal to the source file name. [srcext] equals the source file’s extension)
-quantize=8 -> sets the “quantization” level of the TIFF. This value affects the “sampling rate” and affects image quality. Eight is the maximum value, for best quality.
-ct4 -> Compression type “LZW” is used. This is the default type for color scans. We are using LZW rather than the standard “type 3” for B/W documents because tests showed that reducing these images to monochrome yielded very low quality in some cases. We are keeping some color information to allow anti-aliasing and thus better letter quality.
-cd4 -> Sets the color depth down to 4 BPP from the source 24 BPP. CD1 would be better, but as mentioned above, this results in poor readability of the destination TIFF.
-keepexif -> preserves EXIF tags in the destination file from the source. Probably there is no EXIF info in these files, but I thought we would keep it in case I am wrong.

Warren had used the “dither” switch, but IMNSHO this makes the target document look worse and also results in larger files.
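
Selecting by size alone (find -size +3M) also picks up large files that are already compressed, so a check on the TIFF header itself is more selective. The following is an added example, not part of the original post: it reads the first image directory of each file and reports those stored uncompressed (TIFF Compression tag 259 equal to 1) at more than 4 bits per pixel, regardless of file extension. The function names and the embedded SAMPLE bytes are constructed for illustration; the 4 BPP threshold mirrors the -cd4 target above.

```python
import mmap
import os
import struct

# Tag numbers and field types from the TIFF 6.0 specification.
BITS_PER_SAMPLE, COMPRESSION, SAMPLES_PER_PIXEL = 258, 259, 277
TYPE_FMT = {1: ("B", 1), 3: ("H", 2), 4: ("I", 4)}     # BYTE, SHORT, LONG
# Constructed sample: header plus one IFD for an uncompressed 24 bpp image.
SAMPLE = bytes.fromhex(
    "49492a0008000000" "0300"              # "II", magic 42, IFD at 8, 3 entries
    "0201030003000000" "32000000"          # BitsPerSample: 3 SHORTs at offset 50
    "0301030001000000" "01000000"          # Compression = 1 (none)
    "1501030001000000" "03000000"          # SamplesPerPixel = 3
    "00000000" "080008000800")             # no next IFD; the values 8, 8, 8


def read_first_ifd(data):
    """Return {tag: values} for the first IFD, or None if data is not a TIFF."""
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        return None
    bo = "<" if data[:2] == b"II" else ">"
    magic, ifd = struct.unpack(bo + "HI", data[2:8])
    if magic != 42 or ifd + 2 > len(data):
        return None
    (count,) = struct.unpack_from(bo + "H", data, ifd)
    tags = {}
    for entry in range(ifd + 2, ifd + 2 + 12 * count, 12):
        if entry + 12 > len(data):
            break                                       # truncated directory
        tag, ftype, n = struct.unpack_from(bo + "HHI", data, entry)
        if ftype not in TYPE_FMT or n == 0:
            continue                                    # not a numeric field
        fmt, width = TYPE_FMT[ftype]
        pos = entry + 8                                 # values <= 4 bytes are inline
        if width * n > 4:                               # larger ones sit at an offset
            (pos,) = struct.unpack_from(bo + "I", data, pos)
        if pos + width * n <= len(data):
            tags[tag] = struct.unpack_from(f"{bo}{n}{fmt}", data, pos)
    return tags


def classify(data):
    """Return (compression, bits_per_pixel), or None if data is not a TIFF."""
    tags = read_first_ifd(data)
    if tags is None:
        return None
    bits = tags.get(BITS_PER_SAMPLE, (1,))              # spec default is 1
    samples = tags.get(SAMPLES_PER_PIXEL, (1,))[0]
    bpp = sum(bits) if len(bits) == samples else bits[0] * samples
    return tags.get(COMPRESSION, (1,))[0], bpp          # 1 means uncompressed


def find_candidates(root, max_bpp=4):
    """Yield files under root that are uncompressed and deeper than max_bpp."""
    for dirpath, _dirs, names in os.walk(root):
        for path in (os.path.join(dirpath, n) for n in names):
            try:
                with open(path, "rb") as f:
                    with mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as m:
                        kind = classify(m)
            except (OSError, ValueError):               # unreadable or empty file
                continue
            if kind and kind[0] == 1 and kind[1] > max_bpp:
                yield path
```

Writing the paths yielded by find_candidates to bigfiles.txt, one per line, gives the same input file the FOR loop above consumes.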

Fixing the RIS image store

Our server “SYSIMG1” just does not seem to want to take on its new role of replacement RIS server. I guess it just liked being a NetWare box and resents its lot in life.

Robocopy of the image library from \\risprime\reminst is consistently a failure. I run out of drive space every time, and the Groveler never frees up enough drive space to resume copy operations.

I followed MS advice from the KB and have tried using our backup software (Legato) to restore the whole image partition to SYSIMG1 from RISPRIME. This generally caused BSOD errors on SYSIMG1. This particular problem cleared up after I patched the iSCSI initiator from v2.0.0 to v2.0.1, set the “lanmanserver”, “binlsvc” (RIS Service) and “groveler” services to be dependent on “MSiSCSI” (the iSCSI initiator service), and also disabled a misconfigured secondary NIC on the server. Now I can restore the RISPRIME volume, but the groveler does not want to start.

So, I seem to have fixed that problem by “repairing” the SIS database on the volume… (where repair=deleted the damn thing, and let the Groveler start over). The article in question is Microsoft KB article 247611.

And here is the key information:
The SIS Groveler service database is stored in the hidden folder named SIS Common Store on each SIS managed volume. To rebuild the Groveler service database, follow these steps:
1. Stop the Single Instance Storage Groveler service.
2. Make a backup copy of the SIS Common Store folder contents to an alternate location.
3. After a backup copy of the folder contents have been made, remove all the database files in the SIS Common Store folder EXCEPT for the *.SIS and the MAXINDEX files.
4. Restart the Single Instance Storage Groveler service.

NOTE: I had to run RISetup prior to successful restart of the Groveler. All of the configuration settings for the groveler are set by RISetup. Once this is done, the Groveler restarts, and a new .mdb gets generated in the SIS directory.
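
The four KB steps above, as an added example that is not part of the original post or the KB article: a helper that lists what step 3 would delete before anything is touched, takes the backup after the service is stopped, and always attempts the restart. The function names, the dry-run default and the injectable `run` parameter are assumptions made for this sketch; "Groveler" is the service name used on this page.

```python
import fnmatch
import shutil
import subprocess
from pathlib import Path

SERVICE = "Groveler"                  # service name as used on this page
KEEP = ("*.sis", "maxindex")          # files step 3 says must stay in place


def is_protected(name):
    """True for *.SIS and MAXINDEX, compared case-insensitively."""
    return any(fnmatch.fnmatch(name.lower(), pat) for pat in KEEP)


def service(action, run=subprocess.run):
    """Run 'net stop' or 'net start' for the Groveler; raises on failure."""
    run(["net", action, SERVICE], check=True)


def rebuild_groveler_db(store, backup, dry_run=True, run=subprocess.run):
    """Apply steps 1-4 to one SIS Common Store; return the removed file names."""
    store, backup = Path(store), Path(backup)
    if backup.exists():
        raise FileExistsError(f"refusing to overwrite backup at {backup}")
    doomed = sorted(p for p in store.iterdir()
                    if p.is_file() and not is_protected(p.name))
    if dry_run:                                   # report only, change nothing
        return [p.name for p in doomed]
    service("stop", run)                          # step 1
    try:
        shutil.copytree(store, backup)            # step 2: full copy first
        for p in doomed:                          # step 3: database files only
            p.unlink()
    finally:
        service("start", run)                     # step 4, even after an error
    return [p.name for p in doomed]
```

If the final start step raises, the NOTE above about running RISetup first is the thing to check.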

SAV release, and install script updates

I made some more changes to the script and installer package:

– Decided to converge on the “Administrative Install” method for wrapping the patches into the installer. This prevents the installed SAV instance from interfering with the patch portion of the install script. Features like “autoprotect” were preventing “msiexec /p” from working. Also, msiexec /p seems just plain unpredictable if the system has not been rebooted. I just don’t feel like injecting actions into the “RunOnce” registry key, or attempting to force a reboot.

– Added “AUTOPROTECT=OFF” to the msi options portion of the setup.exe line in the install script. This will prevent the SAV autoprotect from giving us grief while installation completes.

– Used WinRAR options to extract archive files to a specified directory: %SystemDrive%\SAVInst.
(this will cause a local cache of the install files to be maintained on the system)
(NOTE: We may wish to add a script line to delete the contents of this archive on reinstall)

– Mod the setup.ini file to contain a higher version number for the product being installed than the default (this should allow the setup.exe to install over existing SAV10 installs)

– Added an error logging option to the MSI options portion of the setup.exe line in the script (-le %SystemDrive%\SAVInst\install.err)

– Prefixed the setup.exe line with %SystemDrive%\SAVInst\ to force run out of the directory created by the WinRAR extractor.

Disabling computer account creation in RIS

It would be nice if we had the option to deploy RIS-based images as either domain-joined or free-standing systems. As it stands, default configuration forces all imaged systems to have a pre-staged computer account. Since most imaging jobs are scheduled for eventual deletion, we run into a real problem with computers that we want to keep joined.

One possible work-around is to change the “Image Type” variable associated with the image (I believe this info is located in the .SIF file). I tried this once before when attempting to generate a bootable WinPE instance on our RIS server… I think it worked for WinPE, but I am not sure if it will work for standard images. It is worth a shot. Details taken from:

Here is the text of the newsgroup posting:

Normally, you would modify the RISSTNRD.SIF file for that Windows PE image
to change the “ImageType” entry from “ImageType=Flat” to “ImageType=WinPE”.
This causes RIS to no longer create the computer account (to prevent “AD
clutter”), which OSD is not going to use anyway. When making this change,
the Windows PE image will move from the “images” list to the “Tools” menu,
so you have to have the tools menu enabled via GPO to see it. For more
information on this, see the “Zero Touch Installation Deployment Feature
Team Guide” in the Solution Accelerator for Business Desktop Deployment
Enterprise Edition (

I have downloaded the Solution Accelerator that is referenced, and will have a look through the “ZTI” section to see if it is any further help.

SAV 10 installer, redux

What a pain! Our testers still report problems with SAV 10.0.1 installers. High CPU, disk thrashing, scheduled scans kicking off without permission…

Several fixes. First off, I generated a fancy new install script:

ECHO - Symantec Antivirus installation script for the University of Vermont
ECHO - version 2.1, by JGM, 2005-10-17
ECHO - This Window will close automatically when installation has completed.
REM Script can be altered to allow for either managed or unmanaged client installations.
REM For managed installs, leave the "GOTO endFirewall" line below commented out, and uncomment the appropriate "setup" command line.
REM For unmanaged installs, uncomment the "GOTO endFirewall" line below, and uncomment the appropriate "setup" command line.

REM If performing an unmanaged AntiVirus client installation, uncomment the following line:
REM GOTO endFirewall

REM Determine if host is running a Windows XP build:
set OSVer=notXP
ver | find /i "xp" && set OSVer=XP
IF NOT %OSVer%==XP (GOTO unsupported) ELSE (GOTO spLevel)

:spLevel
REM Determines Service Pack Version via registry query:
set SPVer=0
REM systeminfo |find "Service Pack 1" && set SPVer=1
REM systeminfo |find "Service Pack 2" && set SPVer=2
reg QUERY HKLM\SYSTEM\CurrentControlSet\Control\Windows /v CSDVersion | find "0x200" && set SPVer=2
IF NOT %SPVer%==2 (GOTO unsupported) ELSE (GOTO addRules)

:addRules
REM Adds firewall exceptions for Windows XP SP2 hosts:
ECHO - You have Windows XP Service Pack 2! Let's Go...
ECHO - Please wait while firewall exception rules are added...
ECHO Adding exception for Symantec Realtime Virus Scan to allow management of SAV Client
netsh firewall add portopening protocol = UDP port = 2967 name = "Symantec RTVScan" mode = ENABLE scope = CUSTOM addresses = LocalSubnet,, profile = ALL
netsh firewall add portopening protocol = UDP port = 38293 name = "Intel PDS (Symantec AV)" mode = ENABLE scope = CUSTOM addresses = LocalSubnet,, profile = ALL
REM Note: this test only sees the exit code of the second netsh command.
IF NOT errorlevel 1 (
    ECHO All firewall rules added successfully.
) ELSE (
    GOTO failRuleAdd
)
GOTO endFirewall

:unsupported
ECHO Your system is not running XP with Service Pack 2.
ECHO You do not need firewall exceptions added to your system.
GOTO endFirewall

:endFirewall
REM If installing an unmanaged AntiVirus client, installation may begin here.
ECHO Altering registry to remove and prevent automatic system scans...
reg import RemoveStartScan.reg
IF NOT errorlevel 1 (
    ECHO Registry settings imported successfully.
) ELSE (
    GOTO failRSS
)
ECHO Deleting log files from previous installations...
del /f /q "%ALLUSERSPROFILE%\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Logs\*.*"
IF NOT errorlevel 1 (
    ECHO Symantec AV Log files successfully deleted.
) ELSE (
    ECHO No previous Symantec AV log files needed to be deleted.
)
del /f /q "%ALLUSERSPROFILE%\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Logs\*.*"
IF NOT errorlevel 1 (
    ECHO Norton 2000/XP AV Log files successfully deleted.
) ELSE (
    ECHO No previous Windows 2000/XP Norton AV log files needed to be deleted.
)
del /f /q "%ProgramFiles%\Norton AntiVirus\Logs\*.*"
IF NOT errorlevel 1 (
    ECHO Windows 9x Log files successfully deleted.
) ELSE (
    ECHO No previous Windows 9x Norton AV log files needed to be deleted.
)
ECHO Proceeding with SAV install...
REM One of the following two "setup" lines MUST BE COMMENTED OUT!
REM installation string for an UNMANAGED client install (intended for off-campus users):
REM setup /s /qn /V"/qr REMOVE=Pop3Smtp,NotesSnapin ADDLOCAL=SAVMain,SAVUI,SAVHelp,QClient,OutlookSnapin NETWORKTYPE=2 RUNLIVEUPDATE=1"
REM **This does not work!*** IF NOT errorlevel 1 GOTO setupFail
REM installation string for a MANAGED client install (intended for systems that are frequently on-campus):
setup /s /qn /V"/qr REMOVE=Pop3Smtp,NotesSnapin ADDLOCAL=SAVMain,SAVUI,SAVHelp,QClient,OutlookSnapin NETWORKTYPE=1 SERVERNAME=NORTON2 RUNLIVEUPDATE=1"
REM **This does not work!*** IF NOT errorlevel 1 GOTO setupFail
ECHO Product setup complete,
ECHO Now attempting registry alterations to prevent Definitions scans...
reg import DefwatchQSOff.reg
IF NOT errorlevel 1 (
    ECHO Registry settings imported successfully.
) ELSE (
    GOTO failDefwatch
)
GOTO end

:failRuleAdd
ECHO Firewall exceptions script failed!
ECHO Symantec AntiVirus NOT INSTALLED.
ECHO Take your system to Walk-in help.
GOTO end

:failRSS
ECHO "RemoveStartScan" registry import failed!
ECHO Symantec AntiVirus NOT INSTALLED.
ECHO Take your system to Walk-in help.
GOTO end

:setupFail
ECHO Oh No! Symantec setup program failed to complete!
ECHO Symantec AntiVirus NOT INSTALLED.
ECHO Take your system to Walk-in help.
GOTO end

REM The label name failDefwatch is assumed; the original name did not survive on the page.
:failDefwatch
ECHO "DefwatchQSOff" registry import failed,
ECHO but Symantec AntiVirus has been installed.
ECHO If you experience major system performance degradation,
ECHO please take your system to Walk-in help.
GOTO end

:end


Changes from previous scripts are:

1. integration of managed and unmanaged installer scripts in same file – change the comments to change the install method.
2. attempts at error capturing using IF/Then/Goto
3. integration of script into one file (sans .reg import files)
4. added DefwatchQSOff.reg import to the script, moved to end of script
5. Now using “removestartscan.reg” to kill startup scans… seems to work.
6. not allowing installation of POP3SMTP plugin
7. using “setup.exe” with command line options, rather than msiexec. This avoids the need to create separate installers for upgrade vs. new install
8. Integrated patch into the installer (by extracting original .MSI to an “administrative install point”, then using the msiexec patch commands on the admin install point).

RIS Server Setup notes

I had some fun setting up RIS on the newly repurposed server “SYSIMG1”.

One issue is that copying all of the RIS Images from the current production “RISPRIME” would not complete… I ran out of space on the target volume which is the same size as the source volume. Why? Because RIS runs the “groveler.exe” service to create hardlinks for duplicate files in RIS images. My file copy utilities just copy the hardlinks as separate files, and thus I run out of space.

Presumably forcing the groveler to start up on the target volume will free up the space needed to complete the transfers… but how to do this? Groveler.exe has no command line support, and has a hard-configured schedule on which it runs (2am or some such). I want it to run now!

Some searching reveals the following KB article: 247611

I will see if I can find this grovctrl.exe utility of legend. Sounds like just what I need.

Also found some good docs at MIT:
and berkeley:

ADS Imaging – project catalyst

Catalyst needs us to install eight new servers for them this week. Although it will probably take longer, I have decided to take a stab at using Microsoft ADS (automated deployment services) to roll out the systems.

1. Install ADS on server “sysimg1” (reusing the host “castor” from the NetWare days). Select “install MSDE engine locally” and “create self-signed certificate” options. Did not select PXE boot server option… will need to do this later. Also, created share “images” on the root of the c: drive (note that local storage is rather limited… this may become an issue as time passes).
2. Created WinPE boot CD-ROM with ADS support, using ADS documentation as a guide. See notes in this blog on generating WinPE images.
3. Created reference system:
  • install MS Office 2003 with SP1, full install from \\files\mca. Ran LISTool from the office 2003 resource kit to move the installation source to the C: drive where it will be imaged properly.
    – NOTE: did not do this on subsequent system configurations!
  • Install Networker client version 7.2.1, using “Change Journal Manager” option on all local volumes (default settings… saved installer to \\files\software\Server Resources\networker).
  • Install ActiveState ActivePERL. Latest version from (saved to \\files\software\active perl).
  • Install Dell OpenManage Server Administrator – v4.4, with sp1 patch (from \\files\software\server resources\dell).
  • Install SSH communication Security SSH client – latest version, default settings.
  • Install 2003 server resource kit, support tools, “adminpak.msi” for 2003 with sp1.
  • Re-install Intel ProSet utility, using “modify” MSI option, then adding all components (advanced services, Intel WMI agent) – allows for NIC teaming.
  • Install GVim and Notepad++ text editors (deselect “use as default html viewer” for Notepad++).
  • Install “runtime” version of Oracle 10g client v10.2.0.1 to the “c” drive. Added tnsnames.ora file provided by catalyst staff to the %oracle_home%\network\admin directory. Per instructions from Nancy Snow, add “TNS_ADMIN” system environment variable pointing to the same directory containing the TNSNAMES.ora file.
  • add “psadm” CAMPUS directory group to local administrators group.
  • create c:\sysprep directory. Add sysprep.exe, setupcl.exe from Server 2003 sp1 “” file (support tools directory on the 2003 cd). copy sample sysprep.inf file from “\\sysimg\c$\program files\microsoft ads\samples\sysprep” directory. Add minor tweaks, copy back to source directory.
  • run chkdsk and defrag a few times for good measure.
4. run “sysprep /reboot” on the reference system. Boot to WinPE CD.
5. from the PE console, cd to the “tools” directory. Run:

  imgdeploy /capture /p c: d:\.img “”

  Then “exit” when the image is complete.
  Note: networking still not working in PE image. Aargh! Well, I guess I will just have to upload the image manually.

Windows PE

Since we are now on Campus Agreement, we have access to “Windows PE”, the Microsoft bootable 32-bit OS for system installation and maintenance.

Lots of work to get everything going. Let us start with a 2k3-ee WinPE install:
note: turns out my 2k3ee sources are corrupted… bummer! Switched to SE, since it really makes no difference…

1. Download Windows PE, 2005 edition from microsoft licensing site (Password ID and login info provided by Nicole Chittenden, former manager of CA at UVM).
2. Extract PE package. In my case, to F:\WinPE
3. Extract Server 2k3 EE to local hard drive – slipstream SP1 into the directory
4. at shell, cd to F:\winpe\winpe, run

  mkimg.cmd d:\2k3-ee-sp1 c:\winpe-2k3-ee

  (this builds a WinPE installation using the 2k3 server source to the directory specified.)

5. Now, add Microsoft ADS support files to the WinPE image: Add the files Adssupport.dll, Imglib.dll, and Imgdeploy.exe to a directory of the Windows PE build folder. These files can be found in the \Program Files\Microsoft ADS\Bin and C:\Program Files\Microsoft ADS\nbs\repository\DeploymentAgent directories where the ADS imaging tools are installed. (note that the MS documentation is a bit off on the location of these files).
6. note: If networking will be required when booting to a subnet without DHCP support, a static address will need to be configured in the winbom.ini files of the WinPE image. I added the following to assist in the generation of the Catalyst images:

  Gateway =
  IPConfig =
  StartNet = Yes
  SubnetMask =
  WinPEFirewall = On

7. Finally, create an ISO to burn to CD. Again at the F:\winpe\winpe shell, run:

  oscdimg -n d:\winpe-2k3-ee d:\winpex86-2k3-ee.iso

Now let’s build a WinPE for XP Pro.

1. Extract XP Pro CD (SP2 integrated) files to the local hard drive.
2. at shell, cd to F:\winpe\winpe, run

  mkimg.cmd d:\xppro-sp2 c:\winpe-xppro-sp2

  (this builds a WinPE installation using the XP Pro source to the directory specified.)

3. Note that for XP, we will want to perform the additional step of adding some NIC drivers. We have a bunch of these already available on our RIS server. Start by copying our current XP NIC drivers from the production RIS server to a local directory (in our case, D:\drivers-xp):

  Again at the F:\WinPE\WinPE shell, perform the following:

  drvinst.exe /inf:d:\drivers-xp d:\Winpe-xppro-sp2

  Note that this procedure will only work for non-PNP drivers, UNLESS we do a special WinPE build enabling it (mkimg /PNP)

4. Finally, create an ISO to burn to CD. Again at the F:\winpe\winpe shell, run:

  oscdimg -n d:\winpe-xppro-sp2 d:\winpex86-xppro-sp2.iso

Norton1 LiveUpdate server complaints

LiveUpdate complaints from the end-users… cannot run LiveUpdate, LiveUpdate logs indicate a specific file was “unavailable on the server”.

FTP into does reveal that the file is not actually there. The quick fix here is to resynch the LiveUpdate directory from Symantec. To do this:

1. On Norton1, Launch “LiveUpdate Administration Utility”.
2. Go to Tools>Options, then select “Retrieve new and previously downloaded updates”, then “ok”.
3. Click “retrieve”, wait for the process to complete.
4. Change the previously set option back to “New updates only”.

Now test out LiveUpdate to see if the missing file has been restored.