SQL Server 2012/2014: Enabling and disabling trace flags

You can use the DBCC TRACEON command to turn on the specified trace flag. This is the syntax:

DBCC TRACEON (trace# [,…n][, -1]) [WITH NO_INFOMSGS]

If you want to turn off the specified trace flag(s), you can use the DBCC TRACEOFF command.
This is the syntax:

DBCC TRACEOFF (trace# [,…n] [,-1]) [WITH NO_INFOMSGS]

You can use the DBCC TRACESTATUS command to get the status information for the particular trace
flag(s) currently turned on. This is the syntax:

DBCC TRACESTATUS ([ [trace# [,…n] ] [,] [-1] ]) [WITH NO_INFOMSGS]

To get the status information for all trace flags currently turned on, you can use -1 for trace#.

This is the example:

DBCC TRACESTATUS (-1)

 

Useful trace flags

1. Trace flag 1204.

This trace flag returns the type of locks participating in the deadlock and the current command
affected. This trace flag is documented in SQL Server 2012 Books Online. This is global trace flag.

2. Trace flag 1205 (undocumented).

This trace flag returns more detailed information about the command being executed at the time
of a deadlock. This trace flag was documented in SQL Server 7.0 Books Online, but is not
documented in SQL Server 2012.

3. Trace flag 1211.

This trace flag disables lock escalation based on memory pressure, or based on number of locks.
If turns on, then SQL Server 2012 will not escalate row or page locks to table locks.
Note. When the trace flag 1211 is turned on then excessive numbers of locks can be generated.

4. Trace flag 1224.

This trace flag disables lock escalation based on the number of locks. If both trace flag 1211
and 1224 are set, 1211 takes precedence over 1224.

5. Trace flag 1807 (undocumented).

You cannot create a database file on a mapped or UNC network location. This opportunity is
generally unsupported under SQL Server 2012. However, You can bypass this by turn on trace
flag 1807.

6. Trace flag 2508 (undocumented).

This trace flag disables parallel non-clustered index checking for DBCC CHECKTABLE.

7. Trace flag 2528.

This trace flag disables parallel checking of objects by DBCC CHECKDB, DBCC CHECKFILEGROUP,
and DBCC CHECKTABLE. Usually trace flags 2508 and 2528 should not be used because checking in
parallel provides better performance, but sometimes when another process requires CPU resources
during checking, you can disable parallel checking to free some CPU resources for another process.

8. Trace flag 3205.

This trace flag disables hardware compression for tape drivers. You can use this trace flag
if your tape drives do not support compression.

9. Trace flag 3608.

This trace flag skips automatic recovery (at startup) for all databases except the master
database. To turn on this trace flag, you must use -T startup option. For example, you should
start SQL Server 2012 with the following parameter: -T 3608
To make it, run Services from the Control Panel, double click on MS SQL Server service, click
Stop button, then specify parameter value (-T 3608) and click the Start button.

10. Trace flag 3609 (undocumented).

This trace flag skips the creation of the tempdb database at startup. To turn on this trace
flag, you must use -T startup option.

11. Trace flag 4616.

This trace flag makes server-level metadata visible to application roles. By default, an
application role cannot access metadata outside its own database. This is global only trace flag.

 

Taken from: http://www.sswug.org/alexanderchigrik/sql-server/useful-sql-server-2012-trace-flags/

Windows Server Remote Desktop Services grace period expoired

Remove the RDS licensing time-bomb registry entry with the help of Sysinternals PSExec (Regedit alone couldn’t do it because it had to be run under highest privileges):

psexec -s -i regedit.exe:

Locate the registry key: HKLM\system\CurrentControlSet\Control\Terminal Server\RCM\GracePeriod

 

Remove the registry key GracePeriod and reboot the computer.

Bind multiple sites on same IP address and Port in SSL

Until IIS 7.5, the major limitation of IIS is that IIS will allow you to bind only one site for one IP: Port combination using an SSL certificate.  If you try to bind a second site on the IP address to the same certificate, IIS will give you an error when starting the site up stating that there is a conflict. In order to assign a certificate to be used by multiple IIS sites on the same IP address and port, we need to use a special mechanism. Before we go there let’s understand why it is not possible for IIS to allow the binding of multiple sites on same IP: Port combination using an SSL certificate.

Classic Chicken and Egg Problem

We know that IIS identifies a site using three piece of data:

1. IP-Address

2. Port

3. Host Header

You can have multiple HTTP site configured with different combination of above. The binding, for example 192.168.1.0:80 can be configured to site “MyServer1.com”. That means if I browse to IP-address 192.168.1.0 over port 80 then I will hit the site “MyServer1.com”. I can have the binding as 192.168.1.0:80:myserver2.com configured for site “MyServer2.com”. That means when I browse the site over IP-address 192.168.1.0 over port 80 with a host header as “myserver2.com” then I will hit the site MyServer2.com. This allows multiple DNS hostnames on a single server at the same IP address.

However this doesn’t work in HTTPS. To know why it doesn’t work in HTTPS lets understand the SSL handshake briefly.

1. Client – > (SSL Handshake) – > “ Hello, I support XYZ algorithm for encryption”

2. Server -> (SSL Handshake) -> “Hi there, Okay so here is my public certificate. Let’s use algorithm X”

3. Client -> (SSL Handshake)-> “Great we can use that”

4. Client -> (In Encrypted format)-> “HTTP Request”

5. Server -> (In Encrypted format)-> “HTTP Response”

<And now cycle continues>

Now let’s say hypothetically, you have set two sites on same IP-address and port and different host headers and you set two different certificates on both of them.

Look at the steps in SSL Handshake, Client sends the HTTP Request only in Step 4. That means Server doesn’t know what host header HTTP request is referring to until step 4. So at Step 2, Server has only IP-Address and Port information with it, so how can server figure out which certificate it needs to send to the Client as you have bind two certificates to same IP-Address and port.

When a request comes to HTTP.SYS layer, the HTTP.SYS reads the site configuration, including the certificate used to encrypt/decrypt the data. The host name is encrypted in SSL Blob that the client sends. However, IIS needs to know the host name in order to get the right certificate. Without the host name IIS cannot get to the correct site. As IIS is not able to get to the correct site so it cannot get the right certificate to decrypt the SSL blob to get the host name. This is the classic Chicken and Egg problem. We are turning into circles with no way out.

This is the precise reason; HTTP server can only allow one site per IP-Address: Port combination for HTTPS browsing. If you need to bind another site over HTTPS then you need to get either a different IP-Address or bind the site to a different port.

Sometimes getting a new IP-Address or port for each website becomes costly affair. So how we can attach two website to HTTPS over same IP: Port. There are two ways to do it in IIS7.

Wild Card Certificate.

A wildcard certificate can secure an unlimited number of first level sub domains on a single domain name. For example, you can get a certificate which is issued to *.mydomain.com. This certificate will secure www.mydomain.com, secure.mydomain.com, welcome.mydomain.com etc. Basically it will work on any subdomain that replaces the wildcard character (*).

Setting up the Wild Card Certificate

Step 1: Install the wildcard certificate.

Verify if the certificate is properly installed.

1. Select Start –> Run

2. Type in “MMC” and hit enter

3. From the console, select File –> Add / Remove Snap-in

4. Select Certificates from the Add / Remove dialog

5. Select Computer Account when prompt for which certificates the snap-in will manager.

6. Select Local Computer when prompted

7. Click OK to add the Snap-in to the MMC

8. Locate your SSL certificate

9. Right click on the certificate and select properties

10. You should see the * in the friendly name.

clip_image002

Once you have installed the certificate then the issued to should be the *.mydomain.com

clip_image004

Step 2: Setup the wildcard certificate in IIS

Let’s say you need following configuration

So let’s say you have the following configuration:

Website                   Host Header Value                  IP Address      Port             SSL Port
==================================================================
Test1                         http://www.myserver.com              10.0.1.1              80                  443
Test2                        test2.myserver.com               10.0.1.1              80                  443

Test3                        test3.myserver.com                10.0.1.1             80                  443

IIS6

You need to select the certificate for all the three sites which are configured for same IP-Address and port.

To know how to bind the certificates in IIS6 please follow the following link

http://blogs.iis.net/robert_mcmurray/archive/2011/02/17/iis-6-setting-up-ssl-part-3-installing-the-certificate.aspx

After you installed the Certificate on all the websites with same IP address and port and you try to browse the sites. You will see that all of the HTTPS responses come from one specific site.

That means if you try to access https://test1.myserver.com, https://test2.myserver.com or https://test3.myserver.com you will get the response from one site only.

You won’t get the corresponding pages from different Websites depending upon the site in URL. Why? Because of the chicken and Egg problem remember. When the request comes to HTTP.SYS layer then Schannel will be able to decrypt the request but after decrypting the request it doesn’t know which site it needs to send the request as all the sites listening to same IP-Address and port.

You will also see that only one of the Websites will be running. Other Websites will be in stopped state because we cannot have multiple Websites running with same IP and same SSL port binding. If you try to start the other Websites you may see something like this below:

clip_image005

How to resolve above issue

To resolve this issue we need to add host headers to the sites.

Go to Start Menu, click Run, type “cmd”, and then click OK.

Type the following command at the command prompt:

C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/<site identifier>/SecureBindings “*:443 :< host header>”

For example

C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/1/SecureBindings “10.0.0.1:443:test1.myserver.com”

Do this for all the three sites

C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/2/SecureBindings “10.0.0.1:443:test2.myserver.com”

C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/3/SecureBindings “10.0.0.1:443:test3.myserver.com”

clip_image007

You can also change this by changing the metabase.xml for that particular site.

For Example your site id is 1 then you would see following in the Metabase.xml

<IIsWebServer Location =”/LM/W3SVC/1″

AuthFlags=”0″

SSLCertHash=”ee6c56aaacd9e52137ccd4563131c35bdb020712″

SSLStoreName=”MY”

SecureBindings=”:443:”

ServerAutoStart=”TRUE”

ServerBindings=”:80:”

ServerComment=”ssltest”>

Add the hostname in the SecureBindings explicitly for each site.

<IIsWebServer Location =”/LM/W3SVC/1″

AuthFlags=”0″

SSLCertHash=”ee6c56aaacd9e52137ccd4563131c35bdb020712″

SSLStoreName=”MY”

SecureBindings=”:443:www.test.com”

ServerAutoStart=”TRUE”

ServerBindings=”:80:”

ServerComment=”ssltest”>

IIS7

In IIS7, attaching a wild card certificate is much easier. You can attach the certificate to the website you need to attach to. The moment you select the wildcard certificate the hostname field in the UI will be enabled. You can type the host header in it. You can do the same procedure for multiple sites.

clip_image009

How Wild Card Certificate resolve the Chicken and Egg problem

We have multiple sites on same IP: Port with the same certificate (wildcard certificate) attached to them. When the request reach to HTTP.SYS layer, the Schannel gets the IP: Port information from the request. Since there is only one certificate attached to that IP: Port Schannel use that wildcard certificate and decrypt the request using the private key. After decrypting the request, HTTP.SYS is able to get the host header information. Using the host header, HTTP.SYS can put the request into the proper request queue.

Limitation of Wild Card Certificate.

There are certain limitations of wild card certificate.

1) It can only be applicable to single level of subdomain. For example you got a wild cart certificate for *.mydomain.com then you can bind this certificate to sites such as site1.mydomain.com or site2.mydomain.com. However, you cannot bind the wildcard certificate to Site1.myexample.mydomain.com or Site1.example2.mydomain.com or xyz.abc.mydomain.com etc.

That means the wild cart certificate will work only till first level of subdomain.

2) The wild card certificate will work only if the site has same domain name. That means if you have certificate for *.mydomain.com then you cannot bind this certificate to sites such as www.example.com or www.mydomain2.com etc. Wild card certificate will work only for sites which have same domain name.

3) You can set the wildcard certificate only for one top level domain. For example you can bind a wild card certificate forwww.test1.myserver.com or www.test2.myserver.com, but you cannot bind the same certificate for hostheader www.test2.myserver.org orwww.test2.myserver.net etc.

SAN Certificate (Subject Alternative Name Certificate)

You can setup the wildcard certificate if the domain name for all the sites are same and first level subdomain changes. What if you want to set up the sites which should work on two different domain names, for example, a site with host header as www.testserver1.com and another site with hostheader as www.testserver2.com. In this case Wildcard certificate won’t help you. To resolve this issue we have SAN Certificate.

A SAN cert allows for multiple domain names to be protected with a single certificate. For example, you could get a certificate for myserver.com, and then add more SAN values to have the same certificate protect myserver.org, myserver.net and even myserver2.com orwww.example.com.

You can see the domain names in the Subject Alternative Name option in the Certificate

clip_image011

clip_image012

Setup the SAN certificate in IIS

Let’s say you need following configuration

So let’s say you have the following configuration:

Website                   Host Header Value                  IP Address      Port             SSL Port
==================================================================
Test1                         http://www.test.edu               10.0.1.1              80                  443
Test2                        http://www.test.com               10.0.1.1              80                  443

Test3                    www.test.testing.com 10.0.1.1             80                  443

IIS 6

You need to select the SAN certificate for all the three sites which are configured for same IP-Address and port.

Note: The hostheaders which are defined in the Subject Alternative Name, only to those hostheaders you can bind the site. That means if you set the Subject Alternative Name to www.test.edu, http://www.test.com, http://www.test.testing.com then you cannot bind this certificate to a site with hostheader say http://www.example.com.

To know how to bind the certificates please follow the following link

http://blogs.iis.net/robert_mcmurray/archive/2011/02/17/iis-6-setting-up-ssl-part-3-installing-the-certificate.aspx

After you installed the Certificate on all the websites with same IP address and port and you try to browse the sites. You will see that all of the HTTPS responses come from one specific site.

That means if you try to access https:// http://www.test.edu, https://www.test.com or https://www.test.testing.com you will get the response from one site only.

You won’t get the corresponding pages from different Websites depending upon the site in URL. Why? Because of the chicken and Egg problem remember. When the request comes to HTTP.SYS layer then Schannel will be able to decrypt the request but after decrypting the request it doesn’t know which site it needs to send the request as all the sites listening to same IP-Address and port.

You will also see that only one of the Websites will be running. Other Websites will be in stopped state because we cannot have multiple Websites running with same IP and same SSL port binding. If you try to start the other Websites you may see something like this below:

clip_image005[1]

How to resolve above issue

To resolve this issue we need to add host headers to the sites.

Go to Start Menu, click Run, type “cmd”, and then click OK.

Type the following command at the command prompt:

C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/<site identifier>/SecureBindings “*:443 :< host header>”

For example

C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/1/SecureBindings “10.0.0.1:443:www.test.edu”

Do this for all the three sites

C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/2/SecureBindings “10.0.0.1:443:www.test.com”

C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/3/SecureBindings “10.0.0.1:443:www.test.testing.com”

clip_image013

You can also change this by changing the metabase.xml for that particular site

<IIsWebServer Location =”/LM/W3SVC/1″

AuthFlags=”0″

SSLCertHash=”ee6c56aaacd9e52137ccd4563131c35bdb020712″

SSLStoreName=”MY”

SecureBindings=”:443:”

ServerAutoStart=”TRUE”

ServerBindings=”:80:”

ServerComment=”ssltest”>

Add the hostname in the SecureBindings explicitly for each site.

<IIsWebServer Location =”/LM/W3SVC/1″

AuthFlags=”0″

SSLCertHash=”ee6c56aaacd9e52137ccd4563131c35bdb020712″

SSLStoreName=”MY”

SecureBindings=”:443:www.test.com”

ServerAutoStart=”TRUE”

ServerBindings=”:80:”

ServerComment=”ssltest”>

clip_image015

IIS7

You need to select the certificate for all the three sites which are configured for same IP-Address and port.

Note: The hostheaders which are defined in the Subject Alternative Name, only to those hostheaders you can bind the site. That means if you set the Subject Alternative Name to www.test.edu, http://www.test.com, http://www.test.testing.com then you cannot bind this certificate to a site with hostheader say http://www.example.com.

To know how to bind the certificates in IIS7 please follow the following link

http://www.iis.net/learn/manage/configuring-security/how-to-set-up-ssl-on-iis

To configure the SAN certificate you need to run the below command after changing the website name, ip-address and port and the host header value.

Go to Start Menu, click Run, type “cmd”, and then click OK.

Go to the location “C:\Windows\System32\inetsrv”

Type the following command at the command prompt:

appcmd set site /site.name:”<WEBSiteName>” /+bindings.[protocol=’https’,bindingInformation=’*:443:<hostHeaderValue>‘]

For example

appcmd set site /site.name:”Test1” /+bindings.[protocol=’https’,bindingInformation=’*:443:http://www.test.edu’]

appcmd set site /site.name:”Test2” /+bindings.[protocol=’https’,bindingInformation=’*:443:http://www.test.com’]

appcmd set site /site.name:”Test3” /+bindings.[protocol=’https’,bindingInformation=’*:443:http://www.test.testing.com’]

clip_image017

Alternatively you can go to the applicationhost.config and modify the binding part of the website to add the host header. Do this for all the three sites. For example

<site name=”TestSite” id=”2″ >

<application path=”/” applicationPool=”TestSite”>

<virtualDirectory path=”/” physicalPath=”C:\Publish” />

</application>

<bindings>

<binding protocol=”http” bindingInformation=”*:8089:TestSite” />

<binding protocol=”https” bindingInformation=”*:443:TestSite” />

</bindings>

</site>

clip_image019

How SAN Certificate resolve the Chicken and Egg problem

We have multiple sites on same IP: Port with the same certificate (SAN certificate) attached to them. When the request reach to HTTP.SYS layer, the Schannel gets the IP: Port information from the request. Since there is only one certificate attached to that IP: Port Schannel use that SAN certificate and decrypt the request using the private key. After decrypting the request, HTTP.SYS is able to get the host header information. Using the host header, HTTP.SYS can put the request into the proper request queue.

Limitation of SAN Certificate.

There are certain limitations of SAN certificate.

1) One major limitation of SAN certificate is if you have issued the SAN certificate for say two host-headers http://www.test1.com andwww.test2.edu but you need to setup a site for www.test3.net using the same certificate then you can’t use it. You need to get another SAN certificate from the CA with all the three host-headers. In short, for every addition of a host-header you need to get another SAN certificate.

2) There are certain limitations which are defined by the CA on the number of host-header you can add to the Certificate. That means, after a certain number of host-header you cannot add further host-header into it.

 

Taken from: https://blogs.msdn.microsoft.com/varunm/2013/06/18/bind-multiple-sites-on-same-ip-address-and-port-in-ssl/

Resizing the disk space on Ubuntu Server VMs running on VMware ESXi 5

Resizing the disk space on Ubuntu Server VMs running on VMware ESXi 5

We generally do both dedicated and VPS hosting for our websites, apps and some premium projects we run for others.When we choose to have VPS servers (aka virtual machines or VMs for short) instead of dedicated servers, we usually opt for VMware‘s free ESXi 5 and install Ubuntu Server as the OS for the VPSs we create on top of ESXi 5. It may not be as friendly as some VPS providers like Amazon, Rackspace etc. but you got more control and it’s on YOUR hardware (pretty important actually!)…

Now, when you build a VPS on VMware, you start with say 40GBs of hard disk space. You install the OS, setup the server, move the sites on this new server and you’re on. But what happens when there’s no more room on the server for your site or sites and you need to add more disk space?

The process is quite simple:

a) Connect to the VMware ESXi 5 server using the vShpere Client. Edit the VM’s properties to increase the hard disk size (VM has to be off) – I won’t get into details on that, if you have the experience on managing ESXi you know what to do… I’m assuming the process is the same for ESXi 4. Now restart the VM.

b) Login via SSH to the VM and follow this process.
– First list all partitions:
$ ls -al /dev/sda*

– Create new partition using fdisk:
$ fdisk /dev/sda
Then:
type p – to list all your partitions
type n – to create a new partition
type l – for “logical”
then give it a number (e.g. if you got 2 partitions listed as /dev/sda1 & /dev/sda2, for the new partition simply type “3” to create /dev/sda3)
type t – to change the partition type to “Linux LVM”
provide the partition number you previously created
type 8e – for the “Linux LVM” type
type p – to list the new partition table
type w – to write changes and exit

– Reboot server:
$ reboot

– Assuming you created partition /dev/sda3, let’s now create the physical volume in that partition:
$ pvcreate /dev/sda3

– Now let’s extend the server’s Volume Group to that physical volume.
$ vgdisplay
This will give you the info on your current Volume Group. Note down the entry next to “VG Name”. That’s your Volume Group name.
$ vgextend EnterVolumeGroupNameHere /dev/sda3

Keep in mind
If you get a message saying /dev/sda3 could not be added to your Volume Group, you need to remove the physical volume and recreate it. Metadata might have gotten corrupt and thus the volume cannot be added to your Volume Group. So just do:
$ pvremove /dev/sda3
And then again:
$ pvcreate /dev/sda3

– Since we’re (essentially) extending the main logical volume, let’s get the name of that:
$ lvdisplay
and note down the entry next to “LV Name”. This is your logical volume’s name (e.g. /dev/srv/root), which you’ll now extend to the newly added partition/physical volume.

– Extend the logical volume by X GBs:
$ lvextend -L +XG yourLogicalVolumeName
Make sure you replace X above with the actual number of GBs you’ve added in your VM’s settings. So if you increased your VM by 20GBs, the command becomes:
$ lvextend -L +20G yourLogicalVolumeName

– Finally, let’s resize the file system to the new allocated space:
$ resize2fs yourLogicalVolumeName
(this may take some time depending on number of GBs added to the file system.

– Check the new file system sizes:
$ df -hT
You should now see an increased disk space for your primary logical volume.

Installing VMware Tools in an Ubuntu virtual machine with only a command line interface

Ubuntu Server with only a command line interface

  1. Go to Virtual Machine > Install VMware Tools (or VM > Install VMware Tools).Note: If you are running the light version of Fusion, or a version of Workstation without VMware Tools, or VMware Player, you are prompted to download the Tools before they can be installed. Click Download Now to begin the download.
  2. In the Ubuntu guest, run these commands:
    1. Run this command to create a directory to mount the CD-ROM:sudo mkdir /mnt/cdrom

      When prompted for a password, enter your Ubuntu admin user password.

      Note: For security reasons, the typed password is not displayed. You do not need to enter your password again for the next five minutes.

    2. Run this command to mount the CD-ROM:sudo mount /dev/cdrom /mnt/cdrom or sudo mount /dev/sr0 /mnt/cdrom
    3. The file name of the VMware Tools bundle varies depending on your version of the VMware product. Run this command to find the exact name:ls /mnt/cdrom
    4. Run this command to extract the contents of the VMware Tools bundle:tar xzvf /mnt/cdrom/VMwareTools-x.x.x-xxxx.tar.gz -C /tmp/

      Note: x.x.x-xxxx is the version discovered in the previous step.

    5. Run this command to change directories into the VMware Tools distribution:cd /tmp/vmware-tools-distrib/
    6. Run this command to install VMware Tools:sudo ./vmware-install.pl -d

      Note: The -d switch assumes that you want to accept the defaults. If you do not use -d, press Return to accept each default or supply your own answers.

  3. Run this command to reboot the virtual machine after the installation completes:sudo reboot

Taken from: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1022525