Twitter archive up to October 2011


PowerShell Modules and Snap-ins

Modules

The PowerShell modules are installed together with Active Directory, but they have to be loaded manually. For convenience, searching the Start menu turns up an entry "Windows PowerShell Modules". This script then imports all required modules into PowerShell. Before that, you should also make sure the execution policy is set to at least "RemoteSigned".

Set-ExecutionPolicy RemoteSigned -Confirm:$false

I find it much simpler to load the modules with the "ImportSystemModules" command and then list them with "Get-Module". The following modules then appear:

Name                ExportedCommands
----                ----------------
ActiveDirectory     {Set-ADOrganizationalUnit, Set-ADUse..}
ADRMS               {Uninstall-ADRMS, Update-ADRMS, Inst..}
AppLocker           {Get-AppLockerPolicy, Get-AppLockerF..}
BestPractices       {Get-BpaModel, Set-BpaResult, Get-Bp..}
BitsTransfer        {Start-BitsTransfer, Remove-BitsTran..}
GroupPolicy         {Get-GPStarterGPO, Get-GPOReport…}
PSDiagnostics       {Enable-PSTrace, Enable-WSManTrace…}
ServerManager       {Remove-WindowsFeature, Get-WindowsF..}
TroubleshootingPack {Get-TroubleshootingPack, Invoke-Tro..}

With that, you can get started with the AD-* commands, which, by the way, can be listed quickly with the following command:

(Get-Module ActiveDirectory).ExportedCommands.Values

PSSnapins

Windows PowerShell snap-ins

  • Microsoft.Exchange
  • Microsoft.Windows.AD

For the Quest snap-ins

  • Quest.ActiveRoles.ADManagement

By the way: importing snap-ins is only valid for the current session, unless you use the Export-Console command to save the current settings.

AD 2008 Password Setting Objects

After some research on the Internet, I found out how to use the new password policies in Active Directory from version 2008 onwards. Not that easy…

Displaying existing PSOs

If a PSO has already been created, it is stored under the following path. The path is only visible when Advanced Features is enabled in the View menu.

CN=Password Settings Container,CN=System,DC=Domäne,DC=de

Creating a PSO with ADSI Edit

On Server 2008, ADSI Edit is part of the Administrative Tools and can be started directly from the Start menu. There you navigate straight to the Password Settings Container (see the path above) and create a new "msDS-PasswordSettings" object via right-click -> New -> Object. You can then answer the following prompts:

Attribute                                 Value (example)  Description
cn                                        PSO für Chefs
msDS-PasswordSettingsPrecedence           10               must be > 0; the lowest value takes precedence
msDS-PasswordReversibleEncryptionEnabled  FALSE            [boolean] FALSE is strongly recommended
msDS-PasswordHistoryLength                3                [0-1024] in days
msDS-PasswordComplexityEnabled            TRUE             [boolean]
msDS-MinimumPasswordLength                8                [0-255]
msDS-MinimumPasswordAge                   00:01:00:00      [dd:hh:mm:ss]
msDS-MaximumPasswordAge                   120:00:00:00     [dd:hh:mm:ss] must be >= [minimum age]
msDS-LockoutThreshold                     12               [0-65535] number of failed attempts before lockout
msDS-LockoutObservationWindow             00:00:20:00      [dd:hh:mm:ss] time window for the failed attempts
msDS-LockoutDuration                      00:00:20:00      [dd:hh:mm:ss] time until the account is released

If an error message appears during creation, there can be two reasons:

(1) Wrong attribute values
The usual suspects are the attributes that hold a time value in the form days:hours:minutes:seconds. For example, the value of the attribute msDS-LockoutObservationWindow must not be greater than (at most equal to) the value of the attribute msDS-LockoutDuration.

(2) UAC
ADSI Edit may have to be started explicitly as Administrator.

Creating a PSO with PowerShell

Creating a PSO through PowerShell is of course much easier, provided you do not already fail on missing modules: PowerShell Modules and Snap-ins
With the New-ADFineGrainedPasswordPolicy command, every option can be passed as a parameter. Laid out nicely with one parameter per line (joined with the ` character at the end of each line), it looks like this:

# Requires the ActiveDirectory module (Import-Module ActiveDirectory)
New-ADFineGrainedPasswordPolicy `
    -Name "PSO for Manager" `
    -Precedence 10 `
    -ReversibleEncryptionEnabled $false `
    -PasswordHistoryCount 3 `
    -ComplexityEnabled $true `
    -MinPasswordLength 8 `
    -MinPasswordAge "1:00" `
    -MaxPasswordAge "120" `
    -LockoutThreshold 12 `
    -LockoutObservationWindow "0:20" `
    -LockoutDuration "0:20"

Details on the command: http://technet.microsoft.com/en-us/library/ee617238.aspx
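The constraints from the attribute table and the first error cause above can be checked before the object is created. The following is an added example, not code from the original post; Test-PsoSettings is a hypothetical helper name, and the hashtable keys are the parameter names of New-ADFineGrainedPasswordPolicy.

```powershell
# Added example. Test-PsoSettings is a hypothetical helper, not an ActiveDirectory cmdlet.
function Test-PsoSettings {
    param([Parameter(Mandatory = $true)][hashtable]$Pso)

    $problems = @()

    # Integer ranges taken from the attribute table on this page
    if ([int]$Pso.Precedence -le 0) { $problems += 'Precedence must be > 0' }
    $max = @{ PasswordHistoryCount = 1024; MinPasswordLength = 255; LockoutThreshold = 65535 }
    foreach ($name in $max.Keys) {
        $value = [int]$Pso[$name]
        if ($value -lt 0 -or $value -gt $max[$name]) {
            $problems += "$name must be in the range 0-$($max[$name])"
        }
    }

    # Strings are cast the way the cmdlet binds them: "120" = 120 days, "0:20" = 20 minutes
    $minAge   = [TimeSpan]$Pso.MinPasswordAge
    $maxAge   = [TimeSpan]$Pso.MaxPasswordAge
    $window   = [TimeSpan]$Pso.LockoutObservationWindow
    $duration = [TimeSpan]$Pso.LockoutDuration

    if ($maxAge -lt $minAge)   { $problems += 'MaxPasswordAge must be >= MinPasswordAge' }
    if ($window -gt $duration) { $problems += 'LockoutObservationWindow must be <= LockoutDuration' }
    if ($Pso.ReversibleEncryptionEnabled) { $problems += 'ReversibleEncryptionEnabled should be $false' }

    $problems
}

# Same values as the command above
$pso = @{
    Name = 'PSO for Manager'; Precedence = 10
    ReversibleEncryptionEnabled = $false; ComplexityEnabled = $true
    PasswordHistoryCount = 3; MinPasswordLength = 8
    MinPasswordAge = '1:00'; MaxPasswordAge = '120'
    LockoutThreshold = 12
    LockoutObservationWindow = '0:20'; LockoutDuration = '0:20'
}

$problems = @(Test-PsoSettings $pso)
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Import-Module ActiveDirectory
    New-ADFineGrainedPasswordPolicy @pso   # splatting passes each key as a parameter
}
```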

Linking a PSO to user groups

Now all that remains is to define, through the properties, which user groups the PSO should apply to. To do so, simply enter a user group in msDS-PSOAppliesTo.
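The same link can be set and verified from PowerShell with the ActiveDirectory module. This is an added example, not part of the original post; the group name "Managers" is a hypothetical placeholder, and the PSO name is the one used in the command above.

```powershell
# Added example: link the PSO to a group, then review what is actually in effect.
Import-Module ActiveDirectory

$psoName   = 'PSO for Manager'   # PSO created earlier on this page
$groupName = 'Managers'          # hypothetical group name

# A PSO only takes effect on users and global security groups
$group = Get-ADGroup -Identity $groupName
if ($group.GroupScope -ne 'Global' -or $group.GroupCategory -ne 'Security') {
    throw "$groupName is $($group.GroupScope)/$($group.GroupCategory); a PSO needs a global security group"
}

# Writes the group's DN into msDS-PSOAppliesTo of the PSO
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group

# Inventory: every PSO with its precedence, subjects and the settings worth reviewing
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold,
        ReversibleEncryptionEnabled, AppliesTo |
    Format-List

# Effective policy per member; no result means the domain password policy applies
Get-ADGroupMember -Identity $group -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $effective = Get-ADUserResultantPasswordPolicy -Identity $_.distinguishedName
        New-Object PSObject -Property @{
            User       = $_.SamAccountName
            PSO        = $(if ($effective) { $effective.Name } else { '(domain policy)' })
            Precedence = $(if ($effective) { $effective.Precedence } else { $null })
        }
    }
```

When a user is covered by several PSOs, the per-member output shows which one wins, which is the quickest way to confirm that the precedence values are set as intended.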

Sources
http://blog.dikmenoglu.de/…

Storage Top 10 Best Practices

Proper configuration of IO subsystems is critical to the optimal performance and operation of SQL Server systems. Below are some of the most common best practices that the SQL Server team recommends with respect to storage configuration for SQL Server.

Source: http://sqlcat.com/top10lists/archive/2007/11/21/storage-top-10-best-practices.aspx

(1) Understand IO characteristics and requirements

In order to be successful in designing and deploying storage for your SQL Server application, you need to have an understanding of your application’s IO characteristics and a basic understanding of SQL Server IO patterns. Performance monitor is the best place to capture this information for an existing application. Some of the questions you should ask yourself here are:

* What is the read vs. write ratio of the application?
* What are the typical IO rates (IO per second, MB/s & size of the IOs)? Monitor the perfmon counters:

  - Average read bytes/sec, average write bytes/sec
  - Reads/sec, writes/sec
  - Disk read bytes/sec, disk write bytes/sec
  - Average disk sec/read, average disk sec/write
  - Average disk queue length

* How much IO is sequential in nature, and how much IO is random in nature? Is this primarily an OLTP application or a Relational Data Warehouse application?

To understand the core characteristics of SQL Server IO, refer to SQL Server 2000 I/O Basics (http://technet.microsoft.com/de-de/library/cc966500%28en-us%29.aspx).
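The questions above can be answered from a short sample of the listed counters with Get-Counter. This is an added example, not from the quoted SQLCAT article; it assumes the English counter names of the PhysicalDisk object (they are localized on non-English Windows), and the 5-second interval and 12 samples are arbitrary choices.

```powershell
# Added example: sample the disk counters listed above and summarise the IO profile.
$disk  = '\PhysicalDisk(_Total)\'
$names = 'Disk Reads/sec', 'Disk Writes/sec', 'Disk Read Bytes/sec', 'Disk Write Bytes/sec',
         'Avg. Disk sec/Read', 'Avg. Disk sec/Write', 'Avg. Disk Queue Length'
$paths = $names | ForEach-Object { $disk + $_ }

# 12 samples, 5 seconds apart (assumed window; sample during representative load)
$samples = Get-Counter -Counter $paths -SampleInterval 5 -MaxSamples 12

# Average of one counter over all samples; sample paths are lower-case and host-prefixed
function Get-CounterAverage {
    param([string]$Name)
    $values = $samples | ForEach-Object { $_.CounterSamples } |
        Where-Object { $_.Path -like "*\$Name" } |
        ForEach-Object { $_.CookedValue }
    ($values | Measure-Object -Average).Average
}

$reads  = Get-CounterAverage 'Disk Reads/sec'
$writes = Get-CounterAverage 'Disk Writes/sec'
$iops   = $reads + $writes

# Derived figures are left empty when there was no IO of that kind in the window
New-Object PSObject -Property @{
    'IO per second'       = [math]::Round($iops, 1)
    'Read share (%)'      = $(if ($iops)   { [math]::Round(100 * $reads / $iops, 1) })
    'Avg read size (KB)'  = $(if ($reads)  { [math]::Round((Get-CounterAverage 'Disk Read Bytes/sec') / $reads / 1KB, 1) })
    'Avg write size (KB)' = $(if ($writes) { [math]::Round((Get-CounterAverage 'Disk Write Bytes/sec') / $writes / 1KB, 1) })
    'Read latency (ms)'   = [math]::Round(1000 * (Get-CounterAverage 'Avg. Disk sec/Read'), 2)
    'Write latency (ms)'  = [math]::Round(1000 * (Get-CounterAverage 'Avg. Disk sec/Write'), 2)
    'Avg queue length'    = [math]::Round((Get-CounterAverage 'Avg. Disk Queue Length'), 2)
}
```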

(2) More and faster spindles are better for performance

* Ensure that you have an adequate number of spindles to support your IO requirements with an acceptable latency.
* Use filegroups for administration requirements such as backup / restore, partial database availability, etc.
* Use data files to “stripe” the database across your specific IO configuration (physical disks, LUNs, etc.).

(3) Try not to “over” optimize the design of the storage

Simpler designs generally offer good performance and more flexibility.

* Unless you understand the application very well avoid trying to over optimize the IO by selectively placing objects on separate spindles.
* Make sure to give thought to the growth strategy up front. As your data size grows, how will you manage growth of data files / LUNs / RAID groups? It is much better to design for this up front than to rebalance data files or LUN(s) later in a production deployment.

(4) Validate configurations prior to deployment

* Do basic throughput testing of the IO subsystem prior to deploying SQL Server. Make sure these tests are able to achieve your IO requirements with an acceptable latency. SQLIO is one such tool which can be used for this. A document is included with the tool with basics of testing an IO subsystem. Download the SQLIO Disk Subsystem Benchmark Tool.
* Understand that the purpose of running the SQLIO tests is not to simulate SQL Server’s exact IO characteristics but rather to test maximum throughput achievable by the IO subsystem for common SQL Server IO types.
* IOMETER can be used as an alternative to SQLIO.

(5) Always place log files on RAID 1+0 (or RAID 1) disks

This provides:

* Better protection from hardware failure, and
* Better write performance.

Note: In general RAID 1+0 will provide better throughput for write-intensive applications. The amount of performance gained will vary based on the HW vendor’s RAID implementations. Most common alternative to RAID 1+0 is RAID 5. Generally, RAID 1+0 provides better write performance than any other RAID level providing data protection, including RAID 5.

(6) Isolate log from data at the physical disk level

* When this is not possible (e.g., consolidated SQL environments) consider I/O characteristics and group similar I/O characteristics (i.e. all logs) on common spindles.
* Combining heterogeneous workloads (workloads with very different IO and latency characteristics) can have negative effects on overall performance (e.g., placing Exchange and SQL data on the same physical spindles).

(7) Consider configuration of TEMPDB database

* Make sure to move TEMPDB to adequate storage and pre-size after installing SQL Server.
* Performance may benefit if TEMPDB is placed on RAID 1+0 (dependent on TEMPDB usage).
* For the TEMPDB database, create 1 data file per CPU, as described in #8 below.

(8) Lining up the number of data files with CPU’s has scalability advantages

…for allocation intensive workloads.

* It is recommended to have .25 to 1 data files (per filegroup) for each CPU on the host server.
* This is especially true for TEMPDB where the recommendation is 1 data file per CPU.
* Dual core counts as 2 CPUs; logical procs (hyperthreading) do not.

(9) Don’t overlook some of SQL Server basics 

* Data files should be of equal size – SQL Server uses a proportional fill algorithm that favors allocations in files with more free space.
* Pre-size data and log files.
* Do not rely on AUTOGROW, instead manage the growth of these files manually. You may leave AUTOGROW ON for safety reasons, but you should proactively manage the growth of the data files.

(10) Don’t overlook storage configuration bases

* Use up-to-date HBA drivers recommended by the storage vendor
* Utilize storage vendor specific drivers from the HBA manufacturer’s website
* Tune HBA driver settings as needed for your IO volumes. In general driver specific settings should come from the storage vendor. However we have found that Queue Depth defaults are usually not deep enough to support SQL Server IO volumes.
* Ensure that the storage array firmware is up to the latest recommended level.
* Use multipath software to achieve balancing across HBA’s and LUN’s and ensure this is functioning properly
  - Simplifies configuration & offers advantages for availability
  - Microsoft Multipath I/O (MPIO): Vendors build Device Specific Modules (DSM) on top of Driver Development Kit provided by Microsoft.

Some Notes to SQL and Performance

Some months ago, I tried to start my own wiki site to maintain know-how. Unfortunately, I stopped filling it with updates as soon as I started this blog 🙂

To not lose the small but interesting knowledge, I just want to put it in here:

RAID Layouts

Dell uses only a 2-Disk RAID1 LUN for Database Logfiles, while using a 10-Disk RAID10 for Database.

Performance Tests

There are three basic parameters to alter when running the I/O tests: block size, read/write, and serial/random. For SQL Server, the minimum tests to run are 8-KB and 64-KB block sizes, both serial and random, and both read and write. Most of the ratings you find on the Web are stated in throughput of bytes/sec for the 64-KB serial read test (which gives the highest throughput rating). A value of over 250 MB/sec per core for today’s computers is typically sufficient.

External Links

Scaling Up Your Data Warehouse with SQL Server 2008
Performance of SQL Server 2005 on ESX Server 3.5 

Benchmark Tools

SQLIO Disk Subsystem Benchmark Tool www.microsoft.com
IOmeter Project www.iometer.org