windows


SonicWall has a rather nice VPN application called Global VPN Client. What makes it nice is that it does most of the configuration work transparently to the user. And for the network administrator, setting up a VPN really is a one banana job.

The flip side of this is that it’s too easy to set up a VPN server with only Shared Secret authentication. This is all nice and fine if you have two or three VPN users, but for any real installation you really should authenticate the users individually: with one group secret you can neither tell users apart in the logs nor revoke one leaver without re-keying everybody. And if your real installation is based on Microsoft Windows, you probably have an Active Directory in the back room which already has all the users in it.

I’ve been handheld through one such installation and this is the attempt to get another one running, while blogging about the experience.

Prereq

The magic ingredient here is the RADIUS server (Remote Authentication Dial-In User Service). On Windows 2003, the RADIUS service is provided by the Internet Authentication Service, IAS. On Windows 2008 it’s a part of the Network Policy Server. SonicWall has a pretty decent techdoc about configuring RADIUS authentication on Windows Server 2003 but the 2008 implementation is left as an exercise to the reader.

If NPS isn’t installed yet, add it from Server manager –> Roles –> Add role.

The prerequisite step is to create a Windows Active Directory group of folks who will be granted VPN access using RADIUS authentication. While you could use All Users, you might be slipping in a few test users (username test, password test – i’m sure you don’t have any of those on your net, right?), and every domain account would suddenly double as a VPN account. So be a good sysadmin and create the group VPN Users, then add users or groups there manually.

Now you can fire up the Internet Authentication Service or Network Policy Server.

RADIUS

The first step is to add a RADIUS client to the configuration. In RADIUS terms the client is the box that asks the server to authenticate people (the network access server), not the end user sitting behind it. So in this case, we’ll add the firewall as a RADIUS client.

On Windows 2003, right-click RADIUS Clients –> New RADIUS Client. On Windows 2008, RADIUS Clients and Servers –> RADIUS Clients (right-click) –> New RADIUS Client. Give it the Friendly Name “Firewall” and fill in the IP address. For this discussion, we’ll say the firewall lives at 192.168.42.1. The Client-Vendor can be set to RADIUS Standard. I don’t know if the SonicWall supports the Additional Options listed, so you can leave them blank.

Now type in a fairly complex Shared Secret, which the RADIUS server and the firewall will use between themselves, and keep a copy in Notepad; you’ll need the same Shared Secret later. Make it long and random: it is the only thing protecting the users’ passwords on the wire between the firewall and the RADIUS server.

Since you’ll probably want to test the connection, create a similar RADIUS Client for either your own PC if you happen to be on the local network at the time, or at some test server. Or at the RADIUS server itself, which means you’ll need to add a RADIUS client either for the local IP address or 127.0.0.1. I found a fairly decent, and non-cost RADIUS test client at IEA Software called Radlogin. The least i can do for the favour is to suggest you check out the client too.

The next step is to create a Remote Access Policy. On Windows 2003, right click Remote Access Policies –> New Remote Access Policy. On Windows 2008, it’s complicated. I’ll get to that in a paragraph or two.

If you’re still on 2003, a wizard appears. Name your new “Custom Policy” something like VPN Authentication. Now add the Policy Condition Windows-Groups, matching the VPN Users group you created in the prerequisite step above. As an extra measure, also demand that NAS-IP-Address matches that of your firewall, e.g. 192.168.42.1; that way you can use the same RADIUS server for other fun things too without this policy applying to them. Click Next. Tick the right radio button so that these users should be Granted remote access permission. Next. Now you’ll still need to Edit the Profile. On the Authentication tab, check all Authentication methods except Unauthenticated access. Unfortunately the current SonicWalls do not reliably use MS-CHAPv2, which is a shame. We’ll even need to tick CHAP and PAP. Neither is much for security: CHAP is an MD5 challenge-response that anyone who captures it can brute-force offline, and it obliges Active Directory to store those users’ passwords with reversible encryption; with PAP the password itself crosses the firewall-to-RADIUS hop protected only by the shared secret. On the Advanced tab, make sure you have the following attributes selected: Service-Type: Framed, and Framed-Protocol: PPP, both of vendor “RADIUS Standard”.

Phew. And now for Windows 2008.

NPS –> Policies –> Network Policies (right-click) –> New. This will also pop up a wizard. Give the Policy a name like VPN Authentication and set the Type of network access server to Remote Access Server (VPN-Dial up). Add the following Conditions: User Groups (or Windows Groups) must be the VPN Users group you created above. Then scroll down down down the Conditions list and require that the RADIUS Client –> Client IPv4 Address is that of your firewall, for the very same reasons as above. Do that now, or later when the test shows green lights. Next. Access Granted. Next. Select all the Less Secure Authentication Methods except the last two, Allow clients to connect without negotiating… and Perform machine health check only. Once the test from the firewall works, try unticking CHAP and PAP again and re-test; leave them off if the SonicWall still authenticates, as they are the weak spots.

Run Radlogin and test whether you get a response, Good or Bad, or whether you get a Timeout. A Timeout probably means that you haven’t got the RADIUS Client configured right on the NPS (it discards requests from unknown clients without answering). A Bad response probably means that your Constraints are wrong; the Security event log on the NPS (event 6273 for a denied request, 6272 for a granted one) names the policy that matched and a reason code, which beats guessing.
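
If you would rather not install a test client, here is one of my own, as an added example that is not part of the original post. It builds an RFC 2865 Access-Request with PAP the way the firewall will, sends it to NPS and checks the answer. The NPS address (192.168.42.10), port, secret, test user and the firewall address used as NAS-IP-Address are assumptions; change them to yours. It also shows why PAP counts as a hole: the password is hidden only by XOR with MD5(shared secret + request authenticator), so anyone on that LAN segment who knows or guesses the secret reads it straight back.

```powershell
# Added example, not from the original post: a minimal RADIUS (RFC 2865) Access-Request
# client using PAP, i.e. what the firewall sends to NPS and what Radlogin tests.
param(
    [string]$Server   = '192.168.42.10',                 # assumed NPS address
    [int]   $Port     = 1812,
    [string]$Secret   = 'paste-the-notepad-secret-here', # assumed: the shared secret
    [string]$User     = 'test',                          # assumed test user
    [string]$Password = 'test',
    [string]$NasIp    = '192.168.42.1'                   # must match the RADIUS client entry on NPS
)

$md5         = [System.Security.Cryptography.MD5]::Create()
$enc         = [System.Text.Encoding]::UTF8
$secretBytes = $enc.GetBytes($Secret)

function New-Attr([byte]$Type, [byte[]]$Value) {
    # RADIUS attribute TLV: Type(1) Length(1, header included) Value
    [byte[]](@($Type, [byte]($Value.Length + 2)) + $Value)
}

function Hide-PapPassword([byte[]]$Plain, [byte[]]$Auth) {
    # RFC 2865 5.2: pad to a multiple of 16 bytes, then XOR each block with
    # MD5(secret + previous cipher block); the first "previous block" is the
    # Request Authenticator. A keystream keyed by the shared secret, nothing more.
    $padded = New-Object byte[] ([int]([math]::Ceiling([math]::Max($Plain.Length, 1) / 16) * 16))
    [Array]::Copy($Plain, $padded, $Plain.Length)
    $out  = New-Object byte[] $padded.Length
    $prev = $Auth
    for ($i = 0; $i -lt $padded.Length; $i += 16) {
        $key = $md5.ComputeHash([byte[]]($secretBytes + $prev))
        for ($j = 0; $j -lt 16; $j++) { $out[$i + $j] = $padded[$i + $j] -bxor $key[$j] }
        $prev = [byte[]]$out[$i..($i + 15)]
    }
    return $out
}

# Request Authenticator: 16 random bytes, echoed back inside the reply's authenticator.
$reqAuth = New-Object byte[] 16
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($reqAuth)
$id = Get-Random -Maximum 256

$attrs  = New-Attr 1  ($enc.GetBytes($User))                                    # User-Name
$attrs += New-Attr 2  (Hide-PapPassword ($enc.GetBytes($Password)) $reqAuth)    # User-Password
$attrs += New-Attr 4  ([System.Net.IPAddress]::Parse($NasIp).GetAddressBytes()) # NAS-IP-Address
$attrs += New-Attr 80 (New-Object byte[] 16)                                    # Message-Authenticator, filled below

$len    = 20 + $attrs.Length
$packet = [byte[]](@(1, $id, [byte]($len -shr 8), [byte]($len -band 0xFF)) + $reqAuth + $attrs)

# Message-Authenticator (RFC 2869 5.14): HMAC-MD5 over the whole packet with its own
# value zeroed. It is the last attribute, so its value is the final 16 bytes.
$hmac = New-Object System.Security.Cryptography.HMACMD5 (,$secretBytes)
[Array]::Copy($hmac.ComputeHash($packet), 0, $packet, $packet.Length - 16, 16)

$udp = New-Object System.Net.Sockets.UdpClient
$udp.Client.ReceiveTimeout = 5000
$udp.Connect($Server, $Port)
[void]$udp.Send($packet, $packet.Length)
$from = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
try     { $reply = $udp.Receive([ref]$from) }
catch   { Write-Warning "Timeout: NPS drops requests silently when the sender is not a registered RADIUS client or the Message-Authenticator does not verify (wrong secret)"; return }
finally { $udp.Close() }

# Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
# Without this check a spoofed Access-Accept from anyone on the wire would look genuine.
$respAttrs = if ($reply.Length -gt 20) { $reply[20..($reply.Length - 1)] } else { @() }
$expected  = $md5.ComputeHash([byte[]]($reply[0..3] + $reqAuth + $respAttrs + $secretBytes))
$authentic = [BitConverter]::ToString($expected) -eq [BitConverter]::ToString([byte[]]$reply[4..19])

$names = @{ 2 = 'Access-Accept'; 3 = 'Access-Reject'; 11 = 'Access-Challenge' }
$name  = if ($names.ContainsKey([int]$reply[0])) { $names[[int]$reply[0]] } else { "code $($reply[0])" }
if ($authentic) { "$name for $User (Response Authenticator verified)" }
else            { Write-Warning "$name, but the Response Authenticator does not verify: wrong shared secret, or a reply from something other than your NPS" }
```

Run it from the machine you registered as the test RADIUS client. A Timeout goes together with NPS’s own events in the System log (unknown client, or invalid Message-Authenticator, i.e. wrong secret); an Access-Reject goes together with Security event 6273, which tells you which policy or constraint said no.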

The Wall

Here’s a tip. Use anything but Internet Explorer to manage the SonicWall. It emits such buggy HTML code that it’s just hopelessly slow with IE.

I might be taking an extra step here because we also wanted RADIUS authentication to the firewall. In that case, you’re getting two settings at the price of one. Live with it and log on to the SonicWall admin interface.

As a safety measure, add a Local User to the firewall which we’ll also allow access in case the RADIUS server is in a twist. For this discussion, we’ll call this user Backdoor. Give it a long, unique password and keep an eye on its logins, because an always-local admin account is exactly what an attacker would like to find. Put Backdoor into the relevant groups (Firewall Admin). On the VPN Access tab, give Backdoor the appropriate networks (Firewalled subnets).

Then we want to create a group for VPN users. Thus, go to Users –> Local Groups (sic) and click Add Group. On the Settings tab, call your group VPN Users. On the Members tab, scroll down the left box and hopefully you should find the entry All RADIUS Users. Add it. Also add the Backdoor user we created above. Under the VPN Access tab, add whatever networks you see fit; LAN Subnets may be what you’re looking for. Edit the CFS policy if you (really) want to.

Now from Users –> Settings, set the Authentication method for login to RADIUS + Local and click the Configure button. Note that you are now configuring RADIUS for the whole firewall, not just the VPN login. On the now popped-up RADIUS Configuration Settings tab, enter the name or IP address of your RADIUS server, the one you set up half a page up. Find that Notepad page where you created the Shared Secret and paste it in the corresponding box. On the RADIUS Users tab, tick Local configuration only (yeah, beats me too) and select VPN Users as the Default RADIUS group.

Final step, and now it’s time to take a deep breath. If you’re configuring this over a VPN connection, make sure you have a backup plan, because you’re now going to change the VPN access settings. Thus, go to VPN –> Settings. I’m assuming that you already have a WAN GroupVPN in place. Click the pencil icon to edit the entry. Switch to the Advanced tab. Check Require Authentication of VPN Clients via XAUTH and choose your previously created VPN Users group as the User Group. Also Enable NetBIOS Broadcasts while you’re at it.

Click OK.

Test your VPN settings. Breathe normally.

Extra sugar

For extra brownie points, you can configure firewall administration logins to be authenticated by RADIUS. From Network –> Interfaces –> LAN –> edit pencil, tick all relevant Management options and the HTTPS User Login checkbox. Voilà, RADIUS authentication to the firewall! Remember that the Backdoor account from above is then the way in whenever RADIUS is down, for you and for anyone who guesses its password.

I wonder what we can authenticate next… :)


The other day, a client at a customer of mine called in to say that “her remote connection does not work”. It took a little while to interpret her problems into technical terms; what she meant was that when outside the office, her Outlook wouldn’t synchronize. I’ve since learned that working with a remote connection also may mean working with a laptop when it’s off-site or just non-docked, regardless if there’s an actual connection involved or not.

But back to the agenda.

First i thought there was something wrong with her Outlook, but after some investigation i came to believe there was something fishy with the certificate presented by the customer’s server. Which is a Microsoft Small Business Server 2008. This could be confirmed by taking a https connection to their Outlook Web Access thingy, which also gave a SSL cert error. It was using the wrong certificate. Bugger.

To remedy, i took a remote c… a VPN connection + an RDP session (see, it’s ambiguous enough if i write it!) to the server and opened up – hear this – the Exchange Management Shell. Issue the statement Get-ExchangeCertificate and you get a list of the SSL certificates the host knows of. The one you’re looking for is probably the one issued by a commercial CA (Thawte, say) for the public hostname, as opposed to the self-signed one SBS made for itself. To verify, you can write Get-ExchangeCertificate -Thumbprint <thumbprint of relevant certificate> | fl, which will give you more info; check the NotAfter date and that CertificateDomains contains the name in your OWA URL while you’re there. Now chant Enable-ExchangeCertificate -Thumbprint <thumbprint of relevant certificate here> -Services IIS to hand it to IIS, the IIS Intertubes Server. Verify with a connection to the Outlook Web Access Thingy and close the shell. You rock. Already.

Since we’re talking about an SBS, we have the Remote Web Workplace installed. RWW provides, among other neat things, a terminal server gateway to the servers inside, and it too relies on an SSL certificate being valid. Thus, with your RDP session still open from the above paragraph, go Start –> Administrative tools –> Terminal services –> TS Gateway Manager. Right click the gateway server name and select Properties. Click the SSL Certificate tab. Pick Select an existing certificate and click the Browse Certificates button. Choose the right certificate, ie. the same one as above, and click Install [sic]. Then OK yourself out of there and verify.
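
Picking the right certificate by something firmer than a hunch, enabling it, and then checking what the server actually hands out, as an added PowerShell example of mine rather than anything from the original post. It assumes the Exchange Management Shell on the SBS box and that the public name in the OWA and RWW URLs is remote.example.com. The TS Gateway step still has to be clicked through as above, but the final check covers it too, since it shows which certificate port 443 presents after both changes.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
$HostName = 'remote.example.com'   # assumed: the public name in the OWA / RWW URL

# The self-signed certificate SBS creates for itself may carry the same host name,
# so filter on validity and issuer, not just on the name.
$now = Get-Date
$candidates = @(Get-ExchangeCertificate | Where-Object {
    -not $_.IsSelfSigned -and
    $_.NotBefore -lt $now -and $_.NotAfter -gt $now -and
    (@($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $HostName)
})

if ($candidates.Count -ne 1) {
    $candidates | Format-List Thumbprint, Issuer, NotAfter, CertificateDomains, Services
    throw "Expected exactly one usable certificate for $HostName, found $($candidates.Count)"
}
$cert = $candidates[0]
"Enabling $($cert.Thumbprint) ($($cert.Issuer), expires $($cert.NotAfter)) for IIS"
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

function Get-PresentedThumbprint([string]$Name, [int]$Port = 443) {
    # Open a TLS session and report the SHA-1 thumbprint of whatever certificate the
    # server sends. Validation is deliberately switched off: we want to see the wrong
    # certificate, not be stopped by it.
    $tcp = New-Object System.Net.Sockets.TcpClient($Name, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
        ([System.Net.Security.RemoteCertificateValidationCallback] { $true }))
    try {
        $ssl.AuthenticateAsClient($Name)
        $ssl.RemoteCertificate.GetCertHashString()
    } finally {
        $ssl.Dispose()
        $tcp.Close()
    }
}

# OWA and the TS Gateway behind Remote Web Workplace both answer on 443 here,
# so one connection per public name tells you whether the fix took.
foreach ($name in @($HostName)) {
    $seen = Get-PresentedThumbprint $name
    if ($seen -eq $cert.Thumbprint) { "$name presents the right certificate" }
    else { Write-Warning "$name still presents $seen; run iisreset, or fix the TS Gateway certificate as described above" }
}
```

Add further names to the foreach list if your gateway or OWA answer on different hostnames; the point of the last loop is that the test is made from the outside, the way Outlook and the laptop see it, not by reading the configuration back.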

You rock. Fully.

Now you would technically have the time to ponder the reasons why the certificate fell out of grace with the server in the first place, but since you’re the overworked sysadmin you are, you’ll save that as pillow reading for tonight.


Update: The VBscript code i had was both long and buggy. The new code is short and sweet, and at least works no less than the previous code.

BGinfo is a nifty piece of software which can print out a whole lot of technical information on the desktop background of a Windows box. As an administrator for a bunch of client machines, BGinfo has proven Most Useful.

There are two issues, however. Sometimes the information i use on my backgrounds can be a bit over the top. And then there’s one little bit of info not included in the admittedly colossal BGinfo arsenal: whether the computer needs rebooting after having been updated. So here’s my fix.

Step Zero is to download BGinfo from Sysinternals and save it anywhere that can be addressed over the Windows network during a logon procedure. I chose the domain controller’s Netlogon share, or \\%LOGONSERVER%\NETLOGON in the examples below. In reality, i used the real name of the logon server instead of %LOGONSERVER% but i suppose the variable name will work just as well. You might need to add %-signs for added magic.

I then created a minimal BGinfo template with just the hostname, IP address and a custom field i call Is Reboot Required. The template uses the user’s own default wallpaper and the BGinfo data is aligned to the top right of the window. Your mileage may vary. Save the template next to the BGinfo executable. My path is \\%LOGONSERVER%\NETLOGON\bginfo-minimal.bgi

The custom field Is Reboot Required points to the output of a certain is-reboot-required Visual basic script, saved with above two files as is-reboot-required.vbs:


' Ask the Windows Update Agent whether it is holding a reboot pending.
' Echo is provided by BGinfo; under cscript.exe this would be WScript.Echo.
If CreateObject("Microsoft.Update.SystemInfo").RebootRequired Then
    Echo "Reboot required"
End If

Old code. Don’t use:

' Old version: read a registry value, or return a default if it does not exist.
Function readFromRegistry(strRegistryKey, strDefault)
    Dim WSHShell, value
    On Error Resume Next
    Set WSHShell = CreateObject("WScript.Shell")
    value = WSHShell.RegRead(strRegistryKey)

    If Err.Number <> 0 Then
        readFromRegistry = strDefault
    Else
        readFromRegistry = value
    End If

    Set WSHShell = Nothing
End Function

' Bug: readFromRegistry returns "no" when the value is absent, so IsNull(str) is never
' true and "Reboot required" is printed regardless. Comparing str with "no" would have
' been the fix; the Microsoft.Update.SystemInfo version above makes it moot.
str = readFromRegistry("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations", "no")
If IsNull(str) Then
    msg = ""
Else
    msg = "Reboot required"
End If

Echo msg

What the new script does is ask the Windows Update Agent (the Microsoft.Update.SystemInfo COM object) whether it considers a reboot pending. The old one instead looked at the PendingFileRenameOperations registry value, which lists files (Windows Update’s, usually) waiting to be renamed at the next boot, and treated a non-empty value as the signal. Either way, if a reboot is required we emit the administrator-friendly message “Reboot required”, otherwise we just shut up (having a “Reboot not required” message on the wallpaper isn’t what i call good usability).

Disclaimers: This script works when plugged into BGinfo but not when run on the command line, which is because BGinfo supplies the Echo routine to the scripts it runs; under cscript.exe you would write WScript.Echo instead. And, i’m no VBS guru. The script was created by creative copy-pasting from other resources on the ‘Net.
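
The same question asked from PowerShell, as an added example of mine (not from the original post), and generalised a little: besides the Windows Update Agent’s opinion it checks the PendingFileRenameOperations value the old VBS tried to read, the two marker keys Vista/2008-era Windows uses for a pending reboot, and a pending computer rename. The registry paths are the standard ones; the output format is my own choice and keeps the rule of saying nothing when nothing is wrong.

```powershell
# Added example, not from the original post: the same check as the VBS above, plus the
# other places Windows records a pending reboot, for use from a logon script or for
# feeding BGinfo (which can also read a text file as a custom field).
function Test-PendingReboot {
    $reasons = @()

    # What the new VBS asks: the Windows Update Agent's own opinion.
    $wua = New-Object -ComObject Microsoft.Update.SystemInfo
    if ($wua.RebootRequired) { $reasons += 'Windows Update' }

    # What the old VBS tried to read: files queued for rename at next boot.
    $sm   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $pfro = (Get-ItemProperty -Path $sm -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if ($pfro -and @($pfro | Where-Object { $_ }).Count -gt 0) { $reasons += 'pending file renames' }

    # Component Based Servicing and the update client both flag a pending reboot
    # with a marker key rather than a value.
    $markers = @{
        'CBS'       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
        'WU client' = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    }
    foreach ($m in $markers.GetEnumerator()) {
        if (Test-Path -LiteralPath $m.Value) { $reasons += $m.Key }
    }

    # A domain join or rename waiting for a reboot shows as differing computer names.
    $active  = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName').ComputerName
    $pending = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName').ComputerName
    if ($active -ne $pending) { $reasons += 'computer rename' }

    return $reasons
}

# Same behaviour as the BGinfo field: say something only when there is something to say.
$why = Test-PendingReboot
if ($why) { "Reboot required ($($why -join ', '))" }
```

Reading HKLM needs no elevation, so this runs fine in a user logon script; redirect its output to a file and point a BGinfo custom field of type File at it if you prefer that to the VBS route.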

To paste things together, i created the following one-liner batch file bginfo-minimal.cmd:


\\%LOGONSERVER%\NETLOGON\bginfo.exe \\%LOGONSERVER%\NETLOGON\bginfo-minimal.bgi /timer:0 /nolicprompt

Finally, i added \\%LOGONSERVER%\NETLOGON\bginfo-minimal.cmd to the startup scripts. Since this happened a week ago, i can’t remember if i did it through Group Policy or through the Administrator’s logon script or (ungh) through the Startup group in the Start menu but in any case it works. If i did it the Right Way (through Group Policy), that means i had to create a new Organizational Unit “Wizards”, add a custom group Admins, add Domain Admins to it, create a new Group Policy for the Wizards, and apply the bginfo-minimal.cmd from the right path to that group, for that is the way of Windows Server 2003. But then again, i might just have been lazy.


I learned something today. It is possible to have a Windows computer join a domain over VPN. My colleague suggested this to be true once but i never actually tried it myself. And here’s how.

Be at the office, or at home. Take the computer that’s going to the customer and install all the security updates. Make a VPN connection to the customer. Check that the DNS settings for the subnet behind the VPN connection point to the nameserver of the customer, because the join works by looking up the domain’s SRV records. If you’re running a well configured VPN, that should happen automagically (also if you’re running Windows VPN).

Right-click My Computer, choose Properties, do the usual drill from Computer Name to join the customer’s domain. Reboot.

And here comes the trick.

Log in as the old local user. Re-ignite the VPN connection. Start –> Switch user. Log in as administrator (or whoever) from the customer domain. This will, oddly enough, de-activate the VPN connection, so you’ll need to rebuild it.

Do the other tricks you wanted to as a member of the customer’s domain.
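
The same join from PowerShell with the DNS check done first, as an added example of mine rather than part of the original post. The domain name and the account used are assumptions; the point is the order: prove that a domain controller is findable through the VPN before asking Windows to join.

```powershell
# Added example, not from the original post: domain join over VPN from PowerShell,
# with the DNS sanity check first. Domain name and credentials are assumptions.
$Domain = 'customer.example'   # assumed

# A domain join is a DNS exercise before it is anything else: the workstation must
# find a DC through the SRV records, and that only works if the VPN handed us the
# customer's DNS server for this connection.
$srv = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" 2>&1 | Out-String
if ($srv -notmatch 'svr hostname') {
    throw "No DC SRV record for $Domain resolvable over this VPN; point DNS for the VPN subnet at the customer's name server first"
}

# Use the customer's own credentials for the join, then reboot as the GUI would.
$cred = Get-Credential -Credential "$Domain\Administrator"
Add-Computer -DomainName $Domain -Credential $cred
Restart-Computer -Force
```

The first logon as a domain user after the reboot still has to happen while the VPN is up, as described above, so that the domain controller is reachable and the credentials get cached for later use off-site.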

Easy as pie, once you know the recipe.


Here’s a tip. Do not, ever, change your password just before going home for the weekend (or worse, for a vacation). When you’re back home, you won’t remember how you spelled it. Or at least if you’re me, you won’t.

The added bonus here is that i need to be on call for work this weekend, and i need my virtual machines on standby. But since my VMs are for Microsoft Virtual PC, a Windows platform that i can get into would be nice. Or really, would be really, really preferred. But as hinted, i don’t have a Windows box at home that i can log in to.

So what’s a boy on a penguin trip to do? Install VirtualBox. It reads .vhd files natively, without any conversion hoop to jump through. There was a less-than-obvious error message when i started VirtualBox from the K menu, but started from the command line, i got hints on which extra bits and pieces i needed to install. A reboot later, and VirtualBox starts. It reads my VHD file with that Windows XP and the Cisco VPN client on. It starts. It notices some hardware changes (no shit, Watson) which i ignore. I successfully start the VPN client and gloriously connect to the customer. I RDP to their server. I feel fine.

I’m well aware that there is a Cisco VPN client for Linux too, which would have been the easier and more logical approach here, but i never really got it installed last time i tried. And half success with installing VPN drivers has caused complete failure on the network side before, at least on Windows, so i wasn’t really that eager to retry.

But hey, Windows with Cisco VPN, running on Linux. Schweet.


Much of my active working time goes into maintaining Windows systems (servers, workstations and infrastructure), but i have never had any formal training in it. Learning by doing all the way. Another recurring favourite is F-Secure Policy Manager, which is a rather bewildering whole [0]. I felt i could stand to be a bit better read at my last [1], and so applied to become a practical nurse of said tasks: the course Tietokoneasentajan ammattitutkinnon Reititinverkot ja lähiverkon julkiset palvelut osatutkintoon Lähiverkkoasiantuntija -koulutus at Amiedu. And was accepted.

The course consists of four hours of lectures every Wednesday evening plus exercises, over half a year. And it started today. I fear that one of the things i won’t learn is the name of the course. So, LAN installer then, except that none of the course is actually about installing local networks in the physical cable-pulling sense. Oh no. The content is more nourishing than that.

The first seven lectures cover Windows Server 2008, based on the material for 70-642 (the Microsoft certificate you take on your own if you want it). Then come five lectures on IIS, SQL Server and Exchange. Judging by what i have experienced of Exchange in particular, those will be tight lectures and a good deal of studying and practising on one’s own. After that there are four lectures on local networks and four on local networks and their services connected to public networks; ICND-1 and 2 in compressed form, in other words. On top of that you bone up on F-Secure’s infrastructure at your own pace.

Finally there is a “näyttö”, some form of supervised demonstration where you get to show hands-on that you have learned something. And coffee and a bun if you have.

Today was the introductory lecture, where we were mostly shown the structure and tools of the course. We will get training versions of all the MS software we need to practise with (no word about F-Secure’s equivalents). What you provide yourself is the hardware. I sit here pining for a server farm in the machine room, but wonder whether it wouldn’t be more rational to pay Amazon a dollar per virtual machine hour. Not as much fun, of course :)

I suppose i’ll have to start growing an elegant amis moustache to fit in.

[0] Here i wanted to write “perplexerande”, but that is probably not a word. Yet.

[1] Was that too hard? Cobbler?


I know Windows [0] has problems handling multiple monitors well. I’ve lamented before that when i have two monitors with different pixel density [1], there is no way that i can adjust Windows so that items look as big on both monitors.

I keep my laptop to the left of my external display, but the external display is my “main viewer” or primary monitor. Windows doesn’t like this. Much.

My latest discovery is that when i put a dual screen wallpaper onto Windows and set the wallpaper to “Tiled”, the left half of the picture would go on the right monitor and the right half onto the left monitor. Centering the image will show the middle half of the picture on both monitors. Stretching it (“fit to screen”) will squeeze the dual screen width image onto one screen, and show that on both displays.

Wallpaper fail.

[0] Vista, and everything that came before. I still have high hopes for Windows 7.

[1] While they have the same number of pixels, 1680 x 1050, my laptop monitor is smaller than my external display. My old laptop had a higher resolution display than my external display, so it had an even higher pixel density. I intentionally avoided using the word “resolution” here, since it can mean either pixel density or amount of pixels.


A client of ours had the following job for us: some of their workers had moved to an affiliated company with its own infrastructure. As a result, i was tasked to set up the Exchange (2003) server to forward their mail from their old addresses to their new ones. An easy task, right?

For the impatient sysadmin on the run, here are the bare bits: there is no easy and elegant way, at least none that i found. I have to do it manually, from Outlook, as the user. Which sucked. Badly.

To vent my frustration, i shall now painstakingly enumerate the methods that didn’t work. You might as well press the Next button now unless you enjoy reading about your fellow sysape’s sufferings.

Step zero: mung the user accounts

Since the workers had moved to another company, i changed their account passwords and moved them to another Organizational Unit in the Active Directory.

Step one: Using Outlook Web Access

As i didn’t know how to do this from the Exchange management interface, i started with an inelegant but straightforward approach: set a forwarding rule in Outlook. The shortest way to Outlook is Outlook Web Access. There, you can find a Settings section and set one rule to inform the sender (once) that their new email address is Firstname.Lastname@thatothercompany.com and another one to forward the mail to the new address.

I had two problems with this approach. For one, since two of the users had their mailbox sizes over quota, their settings wouldn’t stick. And for the rest of the users, no forwarding happened. At all.

Step two: JFGI

It turns out that you can set up mail forwarding from Exchange after all. Open an Active Directory Users and Computers (ADUC) console on an Exchange server. Locate and right-click the user. Choose Properties. Select Exchange General > Delivery Options > Forwarding Address > (tick) > Forward to > Modify.

  • First duh: You can’t type a free-text email address here, you’ve got to choose an Active Directory record.
  • Second duh: After i created Contact objects (basically, an email address and a pretty name field for it) for all four users, i was unable to select any of them. I suppose the server would eventually synchronize (the Recipient Update Service has to mail-enable a new contact before Exchange offers it as a forwarding target), but it was late and i wasn’t in the mood for waiting.

Step three: Use brute force

Since the Bigger Hammer didn’t work, there was just one thing to do. Go manual. So i logged in (using remote desktop) to our admin box on site there, as the first of our four users. Indeed, the mail quota had been surpassed quite a few megs ago. So i created an Outlook data file (Archive.pst) and moved all the mail from the inbox there. It was a looooong job, i tell you. Moving thousands of mails onto an archive file on a server just isn’t the fastest thing to do.

When the inbox is reasonably empty, create a rule from Outlook > Tools > Rules and Alerts, or open the one that did stick on one or two of the accounts. Create an empty rule and apply the following two actions, the first of which is optional. Move the mail to a “FORWARDED” folder. And have the mail redirected (Outlook’s “redirect it to people or distribution list”, which keeps the original sender and headers), not forwarded, to the new address.
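
For the next time, here is what the Exchange General > Forwarding Address dialog in step two actually writes into Active Directory, done directly with ADSI from PowerShell so that the picker showing the contact is not on the critical path. This is an added example of mine, not from the original post; the OU, the user name and the new address are assumptions. Because altRecipient is honoured by transport before the message ever reaches the mailbox, it also works for the accounts that are over quota, unlike a rule saved inside the mailbox.

```powershell
# Added example, not from the original post: Exchange 2003 forwarding via the AD
# attributes, using ADSI. Names and DNs are assumptions.
$LeaversOu  = 'OU=Leavers,DC=example,DC=com'     # assumed: where the accounts were moved
$UserCn     = 'Jane Doe'                         # assumed
$NewAddress = 'jane.doe@thatothercompany.com'    # assumed

# 1. A mail-enabled contact carrying the external address. targetAddress is what
#    Exchange routes to; mailNickname is what the Recipient Update Service needs in
#    order to stamp the rest (proxyAddresses, legacyExchangeDN) and make the contact
#    selectable in ADUC.
$ou      = [ADSI]"LDAP://$LeaversOu"
$contact = $ou.Create('contact', "CN=$UserCn (forward)")
$contact.Put('displayName',   "$UserCn (forward)")
$contact.Put('mail',          $NewAddress)
$contact.Put('targetAddress', "SMTP:$NewAddress")
$contact.Put('mailNickname',  $NewAddress.Split('@')[0])
$contact.SetInfo()
$contactDn = "CN=$UserCn (forward),$LeaversOu"

# 2. Point the mailbox at it. altRecipient is the Forwarding Address; deliverAndRedirect
#    FALSE means forward only, TRUE would also keep a copy in the (over-quota) mailbox.
$user = [ADSI]"LDAP://CN=$UserCn,$LeaversOu"
$user.Put('altRecipient',       $contactDn)
$user.Put('deliverAndRedirect', $false)
$user.SetInfo()

# 3. Read it back, the way you would check in ADUC.
$fwd = [ADSI]"LDAP://$contactDn"
"$UserCn now forwards to $($fwd.targetAddress)"
```

Run it as an account that may write to the leavers’ OU. If the contacts you already created by hand exist, skip step 1 and put their DNs into altRecipient instead; the effect is the same as ticking Forward to in the GUI once RUS has caught up.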

So that’s my last night in a nutshell. I want to go to bed now.


Update: Most of the problems i whined about below seem to have a simple solution in the comments. If you change drive letters for a device using the Disk manager, the letter designation sticks. Virtual machines fail out of the box because configuration files refer to virtual hard disk files using absolute paths, those config files are pure XML and can easily be edited. Whoa.

I have a small bunch of external hard drives. Some i use at work, some i use privately, and many of which i use on a single day. One drive in particular has my digital photos [0], which i connect when i want to work with those.

The problem is that the hard disk may or may not retain the drive letter from one time to the other. Especially when i’ve used the computer with a bunch of other external hard disks, which happens a lot at work since i keep my virtual machines on external media [1]. But what this does is screw up my photo management software, since it expects the pictures to be on g:\Pictures and not, like they in fact were, on i:\Pictures. To make things worse, the two-partition photo brick i had connected in fact did have a g: assigned, so i managed to import a bunch of photos to the same disk but the wrong partition.

To move the pictures within the photo management software, i did something natural which turned out to be stupid. I asked it to open another set of folders. Which the software proceeded to merge into its database, thus moving all my previous 24227 pictures from where they were to where they were, except from my photo management software’s point of view. And after my next reboot i’ll probably have to do it again.

The particular problem would of course go away if i didn’t do personal photo management on my work laptop, but i’d still get insulted by Windows each time a virtual machine has disappeared from the catalogue just because the drive letter designation has changed. The point still holds.

So i suggest to you dear Windows developers: give us users a simple way to identify our hard disks by a label instead of a drive letter. To keep things in tune with ye olde drive lettering scheme, the drives could be accessed as <label>: in addition to the old <letter>: and i could finally find my digital photos on the photos:\ drive, regardless of which drive letter that drive would happen to be mapped to this time.
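
Windows does in fact know each volume by a stable identifier (the \\?\Volume{GUID}\ path) and by its label; only the letter is the moving part. Until the wish above is granted, a script can pin the letter to the label before the photo software starts. This is an added example of mine, not from the original post; the label photos and the letter G are assumptions.

```powershell
# Added example, not from the original post: pin a volume to a drive letter by its label
# instead of hoping Windows remembers. Label and letter are assumptions.
function Set-DriveLetterByLabel([string]$Label, [string]$Letter) {
    $Letter = $Letter.TrimEnd(':').ToUpper() + ':'
    $vol = @(Get-WmiObject Win32_Volume -Filter "Label='$Label'")
    if ($vol.Count -ne 1) { throw "Expected one volume labelled '$Label', found $($vol.Count)" }
    $vol = $vol[0]
    if ($vol.DriveLetter -eq $Letter) { return "$Label is already $Letter" }

    # Refuse to steal the letter from another volume: that is exactly how photos
    # ended up on the wrong partition in the story above.
    $inUse = Get-WmiObject Win32_Volume -Filter "DriveLetter='$Letter'"
    if ($inUse) { throw "$Letter is taken by '$($inUse.Label)' ($($inUse.DeviceID))" }

    # Win32_Volume.DriveLetter is writable; Put() commits the change (needs admin rights).
    $vol.DriveLetter = $Letter
    [void]$vol.Put()
    "$Label ($($vol.DeviceID)) is now $Letter"
}

Set-DriveLetterByLabel -Label 'photos' -Letter 'G'
```

The DeviceID it prints is the volume GUID path, which is also what mountvol accepts: mounting the volume at an empty NTFS folder such as C:\photos gives you a letter-independent path today, for any program that takes a folder path.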

[0] OK, backup copies of my photos are scattered unevenly across a few other of the hard drives, but that’s another story.

[1] My most used ones are on a flash stick, a practice i can wholeheartedly recommend. The startup time is so much swifter from solid state than from spinning metal.


Here’s the story of how i rescued a Windows XP installation from a broken 160 GB SATA hard disk to an intact 60 GB SATA disk, illustrated in a few easy steps that will make my six and a half hours of creative hackery seem like a work (walk) in the park. I also sing high praise to the penguin.

But first a disclaimer, since my boss will probably be reading this. All this could probably have been done using suitable tools running on Windows. We just don’t have any. Also, you could probably have done this using partimage, saving you a bucketload of work, but since you’re doing this from a broken disk, partimage will puke and fall over.

Here’s the brief background. A few days ago, i heard from a customer that one of their laptop hard disks had broken. Today, while waiting for the replacement HD, i got an update. The guy with the broken laptop is going on a business trip to see some customers and he needs a laptop with him. So if either that one could be repaired, or if i could get a spare laptop of theirs in running order, that would be, well, critical. Deadline in 24 hours, preferably less.

This would have been easier if we actually had had a replacement hard disk for his machine, or had not the replacement laptop been “slow to boot” (ie either full of viruses/worms/crapware or just decomposed). Now it was a no-win in either direction.

Step 0: Sanity check

To successfully perform this trick, you need a spare hard disk, cannibalized from your demonstration station, an external HD, and a wonderful little distribution called System Rescue CD. Oh, and a lot of coffee. Optional extras, which would have been nice, would have been a SATA adapter so that you can have two laptop HDs plugged in at the same time, a second copy of System Rescue CD, and the same number of power bricks that you have laptops to work with. I did this with two laptops, one Rescue CD (stupid) and one power brick (equally stupid). If you have only one laptop to work with, be prepared to plug and unplug hard disks plentiful times, and try to compensate my scribbling with your manifestation of reality. I could probably rewrite this article with a more optimal setup, but then it would seem even less heroic.

Oh, also a functioning computer that you can have for reference and to play music from is essential :)

Now before i let you get your hands in the mud, realize that the narrative that follows is just that. A narrative that follows. I can’t take any responsibility if you follow the story below to the comma and a small black hole appears in the middle of your living room that sucks everything into it and reality just ends and the whole thing just ruins your day. If you’re unsure of what i’ve written and the correctness of it, assume i’ve made a mistake and stop right there.

Now let’s get our hands in the mud.

Using, for instance, the laptop’s HD checking tool built into the BIOS, make sure that the hard disk actually is broken. Remember: “Patients lie.”

If your source disk fails, now would be a good time to label your disks (dymo, magic marker, whatever) and your computers, since on the outside they look very much alike when you can’t boot onto them to see which box really is which.

If your source disk actually hasn’t failed yet but only shows signs (or sounds) of age, i’ve added how to do this in way fewer steps at the end.

Step 1: Make “just-in-case” backups

This step is completely optional, but since you’re soon going to do irreversibly damaging things to your source hard disk, it’s probably a Really Good Idea to follow. Also, you’re going to repeat this step soon, so why not practice now when it’s not irrevocably dangerous?

Boot the “broken” laptop with System Rescue CD. Plug in the external HD, which needs to have more free space than the HD you are going to rescue, and needs to be formatted in a way that supports gigantic files (ntfs, ext3). Mount the external hard disk as /mnt/brick (or whatever you like). Figure out, using fdisk -l /dev/sdX, which hard disk it is that you’re trying to rescue. Mine was /dev/sda and the brick was /dev/sdb.

Make a backup copy of the master boot record (MBR) using the following two commands (substituting paths where necessary):

dd if=/dev/sda of=/mnt/brick/backup-sda.mbr count=1 bs=512
sfdisk -d /dev/sda > /mnt/brick/backup-sda.sf

(tip taken from here). The dd line saves the first sector, boot code and partition table included; the sfdisk dump is the partition table in a text form that sfdisk can write back later. Without the MBR, the computer Just Won’t Boot even if everything else is restored. This i realized only after everything else was restored but hey, i’m nice and i’m writing it here where things are still simple.

The reason why you’re using dd and sfdisk to back up the MBR is that while the Windows XP restore disk has the very convenient tool fixmbr and was provided with your nice HP laptop, it does not include SATA drivers so it won’t see that you have a hard disk on your computer to fix the damn MBR on. Or in essence, it is a useless piece of compressed polycarbonate and it should be a criminal offence to ship it as such as a restore disk. Also, the Vista installation disk you have backstage will not bother running a restore console on an XP installation. Well, mine didn’t. (End rant)

Now make a backup of the b0rken hard disk using ddrescue. If your paths are like mine, the syntax is ddrescue /dev/sda1 /mnt/brick/sda1-backup /mnt/brick/sda1-backup.log and what it does is copy the first partition of the disk sda onto a file named sda1-backup on the external hard drive, using a log file so that a second run (after a crash, or to retry the bad spots) picks up where the first one got to instead of starting over. This will probably take an hour or two. Send St. Anthony some warm thoughts, just in case.

Nota bene: If you have the two laptops up and running at the same time (because you have two System Rescue CDs), remember to sync and umount the external HD before pulling the plug and connecting it to the other lappie. If you’re on a gigabit network, screw USB hard disks and copy over the net instead. If you have just one of the lappies up at a time (because you have just one power brick :) ) you’ll need to go through the mkdir /mnt/brick && mount /dev/sdb1 /mnt/brick hoop after each startup. Oh, and make sure /dev/sdb1 actually is your external HD brick :)
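Since the whole point of step 1 is practising before the irreversible bits, here is a way to rehearse the MBR backup, check and restore cycle on a throwaway image file instead of a real disk. This is an added example and not part of the original post; the file name fakedisk.img, the temp directory and the 4 MiB size are assumptions for the demo, and on a real system the first argument to mbr_backup would be something like /dev/sda. The checks it adds (the 55 AA boot signature at the end of the sector, a byte-for-byte comparison against the disk, and a size check before writing an image onto a target) are exactly the things you want to discover are broken on a scratch file rather than on /dev/sda.

```shell
#!/bin/sh
# Added example (not from the original post): rehearse the MBR backup /
# verify / restore cycle on a constructed image file before touching a disk.
# 'fakedisk.img' and the temp dir are assumptions for the demo only.

MBR_BYTES=512

# Copy the first 512 bytes (boot code + partition table + 55 AA signature)
# of a disk or image file into a backup file, like the dd line in step 1.
mbr_backup() {
    disk="$1"; out="$2"
    dd if="$disk" of="$out" bs=$MBR_BYTES count=1 2>/dev/null
}

# Return 0 only if the file is exactly 512 bytes and ends with the 55 AA
# boot signature; without that signature the backup is not a usable MBR.
mbr_is_valid() {
    f="$1"
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -eq $MBR_BYTES ] || return 1
    sig=$(od -An -tx1 -j 510 -N 2 "$f" | tr -d ' \n')
    [ "$sig" = "55aa" ]
}

# Return 0 if the backup is byte-identical to the first sector of the disk
# (re-read the disk and compare rather than trusting the copy blindly).
mbr_matches_disk() {
    disk="$1"; backup="$2"
    dd if="$disk" bs=$MBR_BYTES count=1 2>/dev/null | cmp -s - "$backup"
}

# Write a backup back to the first sector. Refuses an invalid backup file,
# which is the failure you want to hit on a scratch image, not on /dev/sda.
mbr_restore() {
    backup="$1"; disk="$2"
    mbr_is_valid "$backup" || return 1
    dd if="$backup" of="$disk" bs=$MBR_BYTES count=1 conv=notrunc 2>/dev/null
}

# Return 0 if the image file is no larger than the target (file or device
# image), i.e. the ddrescue restore in step 5 will not run off the end.
image_fits_target() {
    img_bytes=$(wc -c < "$1" | tr -d ' ')
    dst_bytes=$(wc -c < "$2" | tr -d ' ')
    [ "$img_bytes" -le "$dst_bytes" ]
}

# Demo: a constructed 4 MiB image with a boot signature written at offset
# 510, backed up, damaged, checked and restored. Returns 0 on success.
demo_mbr_cycle() {
    tmp=$(mktemp -d)
    img="$tmp/fakedisk.img"
    dd if=/dev/zero of="$img" bs=1024 count=4096 2>/dev/null
    printf '\125\252' | dd of="$img" bs=1 seek=510 conv=notrunc 2>/dev/null
    mbr_backup "$img" "$tmp/backup.mbr"
    mbr_is_valid "$tmp/backup.mbr" || { rm -rf "$tmp"; return 1; }
    mbr_matches_disk "$img" "$tmp/backup.mbr" || { rm -rf "$tmp"; return 1; }
    # Simulate the damage: wipe the first sector and confirm the check fails.
    dd if=/dev/zero of="$img" bs=512 count=1 conv=notrunc 2>/dev/null
    if mbr_matches_disk "$img" "$tmp/backup.mbr"; then rm -rf "$tmp"; return 1; fi
    # A 2 MiB "target" is too small for the 4 MiB image but fits the MBR file.
    dd if=/dev/zero of="$tmp/small.img" bs=1024 count=2048 2>/dev/null
    if image_fits_target "$img" "$tmp/small.img"; then rm -rf "$tmp"; return 1; fi
    image_fits_target "$tmp/backup.mbr" "$tmp/small.img" || { rm -rf "$tmp"; return 1; }
    # Restore from the verified backup and confirm the sector is back.
    mbr_restore "$tmp/backup.mbr" "$img" || { rm -rf "$tmp"; return 1; }
    mbr_matches_disk "$img" "$tmp/backup.mbr"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Everything here is plain dd, od, cmp and wc, so it runs unprivileged on the rescue CD; once the cycle behaves on the scratch image, the same functions work on the real device path.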

Step 2: Prepare the target disk

As mentioned, we had a spare disk that was smaller than the disk that had broken. Fortunately, the amount of stuff on the broken source disk was smaller than the capacity of the target disk. This is where the dangerous fun parts begin.

Boot a laptop with the target disk using System Rescue CD, or plug it into the system you got running in the previous steps using a SATA adapter/enclosure/doohickey/thingamajig. Give a sigh to the installation you have on it, and back up the valuable stuff from it onto the external hard disk. If you haven’t yet done so, start XWindows using the command wizard. Plow through the options until you have a graphical user interface. Start GParted by clicking the icon with the disk symbol. Make really really really sure you are selecting the right disk unit (this is why it might be good to boot up the computer with only that disk connected, and to unmount and unplug the external HD before you commence with the following) and delete all partitions there are on the target disk. Create a new NTFS partition on the disk, filling all of it. Then, using the resize/move partition button, make a note (pen and paper, baby!) of how many MB the partition is. Then, just for good measure, using fdisk -l /dev/sda (assuming the disk you just repartitioned is sda) write down the size info you get there too.

And you think that was scary?

Step 3: Resize the source partition

Go back to the laptop with the broken hard disk. Get GParted running on it like in the step above. Grab that /dev/sda1 partition and Resize it to the exact number of MB that your target disk’s partition is, the one you made notes of in the previous step. Breathe normally (if you can). Oh, and remember to run the computer on a power brick, not batteries, while you do this. It feels much better. I promise.

At this stage, half of your system probably thinks that the /dev/sda1 partition is still of the previous larger size. If you feel unsure, run fdisk -l /dev/sda to check. Or reboot. Or something.

Step 4: Back up the resized partition

Again, using ddrescue, back up the partition you just resized to the external HD. You’ll probably need to run through the mkdir /mnt/brick and mount /dev/sdb1 /mnt/brick hoop again if you’re running with just one System Rescue CD (and one power brick). In case you have both lappies running, i suppose now is a little too late to remind you that you need to sync and umount the /mnt/brick before swapping it between laptops. If you didn’t, your data is probably fried at this stage, so start from the top. Don’t say i didn’t tell you before, because i just added that bit (see, i can write in a nonlinear fashion even if you’re probably reading this from top to bottom). Then back up the MBR as outlined in step 1.

Thinking of it, you might as well first back up the MBR and then back up the data, since backing up the data is going to take a lot longer than backing up the boot record. Still, since you just made the data partition smaller, it’s not going to take as long as in the previous data backup phase. If you’re running short on disk space on the external brick, it’s probably faster to run down to the chip shop and get a new disk than trying to gzip the original image, even if the chip shop is closed. OK, down to business.

Suggested syntax:
dd if=/dev/sda of=/mnt/brick/resized-sda.mbr count=1 bs=512
sfdisk -d /dev/sda > /mnt/brick/resized-sda.sf
ddrescue /dev/sda1 /mnt/brick/sda1-resized /mnt/brick/sda1-resized.log

Again, be sure of yer paths yadda yadda (hey, we’re all grown ups so we can take care of ourselves so i’ll stop warning you at this stage).

Step 5: All pieces fall together nicely

Right then, time to put all your pieces together. The partimg manual (linked to in step 1) suggests now would be a good time to restore your resized partition table to the empty disk. I didn’t, because i only realized later copying the MBR is a mandatory step if you want the target box to boot. So it will probably work if you do it in the wrong order too. But i’ll document the procedure here in the supposedly correct(er) order.

Boot the computer with the blank NTFS-formatted hard disk (which we suppose is /dev/sda — oh that’s right, i said i wouldn’t be warning about paths anymore) and the external USB brick plugged in.

dd if=/mnt/brick/resized-sda.mbr of=/dev/sda
sfdisk /dev/sda < /mnt/brick/resized-sda.sf

…and a fdisk -l /dev/sda, a sync and/or a reboot if you feel wobbly. Could be the coffee at this stage though.

Finally, restore the resized partition image onto the new disk:

ddrescue /mnt/brick/sda1-resized /dev/sda1 /mnt/brick/sda1-resized.restore-log

Step 6: The resurrection

Place the restored hard disk in the laptop which used to house the broken disk. Boot that laptop. Be very, very satisfied. Buy yourself a chocolate, because you’re worth it.

Post mortem

I could probably re-write this article using a more optimized setup. But then again, i started with a way more complicated question which was “how can i resize the backup image i’d taken and fit it on the target disk?”. Turned out it was easier to just resize the broken partition and dump that on the new disk. Also, backing up my 160 gig backup image (i’d rather be careful than sorry) from and to the same external USB hard disk took sooooooo long that i was going to see sunrise before a complete copy.

An easier solution that wouldn’t have worked

Here’s how to do this whole trick if your hard disks aren’t broken just yet. Or if you’re migrating to a larger/smaller HD and don’t want to install everything anew. I’m going to assume this time that you’re doing it on a computer where you can have both disks plugged in at the same time. I’m also going to assume you’re only going to move/rescue a disk with one partition. If there are more partitions there, you’ll have to improvise a bit. They’ll all be copied though, but i’ll leave the particulars to you, the enlightened reader.

Finally, i’m assuming that you’ve read the whole article down until here because i’m not going to repeat how you’re going to do it here. If you haven’t, start from the top and i’ll be waiting right here until you’re through, okay?

Case 1: Identical source and target disks

Plug in both hard disks. Boot with System Rescue CD. Verify that your source disk is /dev/sda and your target disk is /dev/sdb (and not the other way around, or your data will be forever fried — you might consider making a backup at this stage :) ), eg by mounting one of them and checking what’s inside.

ddrescue /dev/sda /dev/sdb transfer.log

Wait. Reboot. Rejoice. Piece of cake.

Case 2: Target disk is larger than source disk

Plug in both disks. Boot with System Rescue CD. Verify /dev/sda is your source disk and /dev/sdb is your target disk as above.

ddrescue /dev/sda /dev/sdb transfer.log

Wait.

Start XWindows. Start GParted. Select target disk from the less-than-obvious drop down at the near top right corner of the GParted window. Resize target disk to maximum. Apply.

Reboot. Rejoice. Cake with crusting.

Case 3: Target disk is smaller than source disk

This is what i should have done (see, now i spoiled my own thunder) and is more or less a more efficient re-write of this whole article up until now.

Plug in both disks. Boot with System Rescue CD. Plug in external HD brick. Mount as above to /mnt/brick. Make a backup of the source disk’s MBR if you’re nervous/careful/pedantic. Back up the source disk, just in case (optional for the brave/foolish).

ddrescue /dev/sda /mnt/brick/sda-backup backup.log

Start XWindows. Start GParted. Select source disk. Resize the partition so that it’ll fit on the target disk. Move your pr0n/mp3s/dvdrips to external brick first if required. Exit GParted. Take a deep breath.

ddrescue /dev/sda /dev/sdb transfer.log

Wait. Restart GParted. Resize your newly transferred /dev/sdb1 to fill all of the disk. Apply. Sync. Reboot. Rejoice.

And that’s about the size of it! Oh, and these tricks would probably have worked equally well for backing up other Windowsen, Linuces and OSXen. I just didn’t try.
