Head over to the download section on NVIDIA's web site and obtain the appropriate driver. Place it somewhere you can easily find it; the Downloads folder in my home area worked fine for me. The way I got the driver installed was to (broadly speaking) following the instructions found in a post on the Ubuntu Forums, specifically TheRawGod's post (thanks ).

First I blacklisted some drivers. To do this open a terminal and use the following commands. Note that I like to use vim (Vi–IMproved) but you will need to install this (sudo aptitude install vim). If you want something really straightforward, just use nano. I also tend to kick off with a sudo su so I can just do everything as root.


sudo su
cd /etc/modprobe.d/
vim blacklist.conf


Add the following to the end of the file:


blacklist vga16fb
blacklist nouveau
blacklist rivafb
blacklist nvidiafb
blacklist rivatv


Drivers to blacklist

Once completed, save the file. The next step is to update GRUB so it will prevent the nouveau driver from loading automatically at startup. To do this, perform the following:


cd /etc/default
vim grub


Now add GRUB_CMDLINE_LINUX=”nouveau.modeset=0″ at the bottom of the file.

Disable nouveau driver

Save the file and invoke update grub. Reboot and you should be presented with a horrible looking low-res login (which is good, for now!).

Next you will need to install the NVIDIA driver you downloaded earlier. Press Ctrl-Alt-F1 to bring up a Teletype terminal and login. Then run the following commands (replace the location for that of your download) to get the driver installed.


sudo su
service gdm stop
cd /home/mike/Downloads
sh NVIDIA-Linux-{driver version}.run


Follow the on–screen prompts to install the NVIDIA driver (just accept the defaults and always choose to continue). If you are told that you have an X server running and have definitely stopped gdm, try the following:


rm /tmp/.X0-lock


Once the driver is installed, there is a final step to make sure the Sony display panel is properly recognised by NVIDIA's driver. Run the following commands:


cd /etc/X11
vim xorg.conf


Add the following lines to the bottom of the file, immediately before the “Display” SubSection:


Option "ConnectedMonitor" "DFP-0"
Option "CustomEDID" "DFP-0: /proc/acpi/video/NGFX/LCD/EDID"


Note that I originally added this to the end of the “Device” Section, but a subsequent reinstall of the NVIDIA driver after a kernel update caused it to be placed in the section referenced above.

Edited Screen Section

Please remember that you will need to be root or use sudo to execute most of the above commands. I also found that after a kernel update, it is necessary to repeat the driver install from the point where I stop the Gnome Display Manager (run Ubuntu in low–graphics mode one time only, switch to a Teletype terminal, stop the Display Manager and reinstall the driver).

Simply copy the script below and save it to a .ps1 file of your choice. Please retain my comments at the top and, as always, use at your own risk! The deletion portion is quite destructive . You may also have to set your Execution Policy to a less strict setting, such as RemoteSigned, e.g.:


Set-ExecutionPolicy RemoteSigned


I have tested the script with Microsoft Office SharePoint Server 2007 SP2 and Windows SharePoint Services 3.0 SP2 running on Windows Server 2003 R2 SP2 (PowerShell 1.0). It should work fine for MOSS and WSS running on different Windows Server operating systems.

Here is the script:

# SharePoint Site Collection Backup Script
# Author: Michael Cox
# Version: 1.0
# Date: March 2010
# Contact: http://www.betteritsolutions.co.uk/
# Use at own risk, please retain these comments

# Create alias for STSADM
Set-Alias -Name exeStsadm -Value ($Env:CommonProgramFiles + "\Microsoft Shared\Web Server Extensions\12\BIN\stsadm.exe") -Option Constant
# Specify maximum age in days for backup files
New-Variable -Name maxFileAge -Value 14 -Option Constant
# Get todays date, formatting as yyyyMMdd e.g. 20100224
New-Variable -Name todaysDate -Value (Get-Date -Format yyyyMMdd) -Option Constant
# Specify backup location and set log file location, folder must exist and be writable by account running script
New-Variable -Name backupLoc  -Value "S:\Backups" -Option Constant
New-Variable -Name logFileLoc -Value "$backupLoc\site_collection_backups.log" -Option Constant
# Specify Web Application
New-Variable -Name webApplication -Value "http://mossintranet/" -Option Constant

# Change to backup location and create folder, suppressing notification
Set-Location $backupLoc
New-Item $todaysDate -type directory | Out-Null
Set-Location $todaysDate

# Record backup start
Out-File -FilePath $logFileLoc -Append -InputObject $("Backup started at: " + (Get-Date -Format HH:mm` dd/MM/yyyy) + "`n")

# Enumerate Site Collections within chosen Web Application and store in a variable
[xml]$sitesXml = exeStsadm -o enumsites -url $webApplication

# Enumerates each site collection and performes an stsadm sitecollection backup against each site
$sitesXml.Sites.Site | ForEach-Object -Process {$backupFile = $_.Url.Replace('http://','').Replace('/','_') + ".bak"; exeStsadm -o backup -url $_.Url -filename $backupFile; Write-Host "Finished writing: $backupFile"; Out-File -FilePath $logFileLoc -Append -InputObject "Finished writing: $backupFile"}

# Remove folders that are older than the maxFileAge value
Set-Location $backupLoc
$tooOld = (Get-Date).addDays(-$maxFileAge)
Get-ChildItem | Where-Object {$_.PSIsContainer -and ($_.lastWriteTime -le $tooOld)} | ForEach-Object -Process {Remove-Item $_ -force -recurse; Write-Host "Folder $_ was deleted."; Out-File -FilePath $logFileLoc -Append -InputObject "Folder $_ was deleted."}

# Record backup end
Out-File -FilePath $logFileLoc -Append -InputObject $("`n" + "Backup ended at: " + (Get-Date -Format HH:mm` dd/MM/yyyy) + "`n")

Here is a screenshot of files created following a backup of a Web Application with two Site Collections and also the contents of the log file:

Screenshot after running script

Please let me know if this is useful and also feel free to make suggestions for improvements or bug fixes, if you find any.

I won't go overboard, but here are the relevant technical details: ASUS P5B Deluxe motherboard with Intel ICH8R onboard SATA controller and 3 x 250GB SATA HDDs. I used to have two of these in RAID 0 (yes, I have backups) but I decided that the performance benefits vs. just sensibly placing things on different drives wasn't worth the extra risk. So, for my reinstall I would be moving from RAID mode in the BIOS to AHCI mode.

I backed up everything, flashed the BIOS with the latest version (good time to do it when I am reinstalling anyway), set all my settings and flipped the ICH8R to AHCI mode. As I expected, my old XP install no longer booted as it was configured for RAID mode with the appropriate driver. Linux coped fine, though . I popped in the XP Pro SP2 CD, hit a key when prompted and watched the message: Setup is inspecting your computer's hardware configuration. After that, nothing. No chance to hit F6 or anything. Just a black screen. I even left it for ages in case it would finally realise it couldn't read the disks yet. No joy. Hmmm.

Basically, there seemed to be some issue with the fact that the setup CD could understand that there was an operating system installed but not properly read it and it was getting stuck. OK, no bother, whack in a Linux live CD and nuke the disks. In case you are interested, I like using badblocks in write mode but anything that destroys the partitions would do I expect.

Right, attempt number 2 (well actually a much higher number, but if you are reading this you don't need to follow my mistakes!): this time I get to the F6 prompt, add the AHCI driver from a floppy (drive hanging out of the side of the PC – why would I have a floppy drive on a modern PC?) and Windows sees the disks. Great! Actually, no. This time it sees 1 x 250GB disk and a 500GB disk that it cannot access (the old RAID array). Having selected AHCI in the BIOS and the AHCI driver this did surprise me. No problem, back in the BIOS and enable RAID then into the RAID BIOS and delete the array. Back in the BIOS again, enable AHCI.

Attempt number 3 and we have success! 3 x 250GB disks detected (after using the F6 option to add the driver) and I install Windows XP.

So in summary, if you want to reinstall Windows XP and go from one SATA controller mode to another, my tips would be:

• Break any RAID arrays in the RAID BIOS
• Delete any existing partitions on your disks
• Make the BIOS changes you require
• Boot to the setup CD and slipstream the correct driver

Simple when you know how! As an aside, I was installing from a SATA DVD drive and that caused no issues (I saw some people report that this is a problem). I know this wasn't part of the problem because I even had another 'donor' machine next to my desktop at one point so I could try installing from an IDE optical drive…


msiexec /i "VMware Tools64.msi"


VMware Tools Installed

Program Compatibility Assistant

After some digging around and Googling, I discovered that Search Server wouldn’t install on Server 2008 R2 without Service Pack 2. Unfortunately, it doesn't appear possible (at this time) to download it with SP2 so what do you do? I did a little experimenting and found out that you can slipstream the The 2007 Microsoft Office Servers Service Pack 2 (SP2) into the install. Note that the download page actually specifies the service pack will update Search Server. Here's how to slipstream it:

1. Open a command prompt, navigate to the location of the file SearchServerExpress.exe and run SearchServerExpress.exe /extract:SearchServer. This extracts (but doesn't install) Search Server Express to the folder SearchServer.
2. Download the 2007 Microsoft Office Servers Service Pack 2 to the same location as the install file for Search Server Express.
3. From the same command window, run officeserver2007sp2-kb953334-x64-fullfile-en-us.exe /extract:SearchServer\Updates (you will have downloaded the 64–bit version as Windows Server 2008 R2 is 64–bit only). This extracts the service pack files into the Updates folder of the Search Server install.
4. Run setup.exe from within the SearchServer folder

You should find that the Search Server install now runs happily without complaining and pauses for a period of time to apply updates towards the end of the process.

Happy searching!


DISM /Online /Enable-Feature /FeatureName:NetFx2–ServerCore
DISM /Online /Enable-Feature /FeatureName:MicrosoftWindowsPowerShell


Now you can launch powershell.exe from C:\Windows\System32\WindowsPowerShell\v1.0. Although the path would suggest PowerShell 1.0, a quick Get-Host indicates PowerShell 2.0:

Get-Host output

A little more about DISM, for those that are interested. DISM is the "Deployment Image Servicing and Management tool" and can be used to perform various configuration tasks on offline or running images. Hence the /Online switch is used to tell DISM it must target the running operating system. The following command will list all features and their status (suggest you pipe it through more):


DISM /Online /Get-Features | more


Note that PowerShell requires .NET Framework 2.0, hence the first DISM command.

Thanks to Vincent Hu for his post on TechNet, which I finally found. There is a slight mistake, though, as there should be no space between /FeatureName: and the feature you want to install.

The next step (if required in your environment) is to configure Kerberos for the Shared Services Provider. This includes root and virtual directory level Shared Services. A prerequisite for this step is the SharePoint Infrastructure Update (which was released post SP1).

Configuring the SSP Web Application is very similar to a normal Web Application, so we'll keep it brief. Assume we have the SSP's Web Application running on port 1234 not using a host header. Then, the commands to map the SPNs are as follows:


setspn –A HTTP/servername:1234 yourdomain\UserRunningAppPool
setspn –A HTTP/servername.yourdomain.com:1234 yourdomain\UserRunningAppPool


Turn on Kerberos authentication for the SSP Web Application as described for the content Web Application (previous post) and perform the same test, ensuring you see a successful Kerberos logon event in the Security log on the server hosting the SSP.

In order to fully configure Kerberos for the SSP and Excel Calculation Services, further SPNs must be set using a new, custom format. There are also STSADM commands to run and a change to be made to the registry of each server.

Map the SPNs with the following commands:


setspn –A MSSP/servername:56737/SSPName yourdomain\SSPServiceAccount
setspn –A MSSP/servername:56738/SSPName yourdomain\SSPServiceAccount


SSPName is simply the name you gave your SSP. It cannot contain extended characters so be sure to name your SSP with care at install time! You must also generate a pair of SPNs for each server in your farm. I.e. in a standard medium server farm (2 WFEs and 1 App server), you will set 6 SPNs, 2 for each server name.

Now run the necessary STSADM commands on a server in the farm:


stsadm –o setsharedwebserviceauthn –negotiate
stsadm –o set-ecssecurity –accessmodel delegation –ssp
stsadm –o execadmsvcjobs


In order, this sets the Shared Services Web Service to use Kerberos, Excel Calculation Services to use delegation and then forces the timer jobs to run immediately.

Lastly, each SharePoint Server will need a registry key adding to allow it to use the new custom format SPNs.

1. Run regedit
2. Go to the registry path HKLM\Software\Microsoft\Office Server\12.0 and right click 12.0 >> New >> DWORD Value
3. For Name type in KerberosSpnFormat and change the value from 0 (default) to 1.

After this step, you must reboot your server.

There is some additional configuration required within Component Services. In order to prevent the occurrence of DCOM errors, all of your Application Pool service accounts should have Local Launch and Local Activation permissions on the IIS WAMREG Admin Service object, most easily achieved by giving the permissions to the local groups: WSS_WPG and WSS_ADMIN_WPG (this ensures that newly created Application Pool service accounts are granted the permissions, since SharePoint adds them to this group). This is well documented elsewhere.

However, there's also a modification to be made to the servers in the farm within Component Services. Click on Start > Administrative Tools > Component Services. Expand Component Services > Computers, right click on My Computer and select Properties. On the Default Properties tab, change the Default Impersonation Level to Delegate and click on OK.

My Computer Properties

References

There are a huge number of references for configuring Kerberos. Here is a useful selection:

• Configure Kerberos Authentication (Office SharePoint Server)
• How to configure SQL Server 2008 Analysis Services and SQL Server 2005 Analysis Services to use Kerberos Authentication
• Kerberos Authentication & Excel Services
• The Moron's Guide to Kerberos, Version 2.0
• Essential Tips on Kerberos for SharePoint Deployers
• Service Principal Names (Windows) on MSDN
• The .NET Developer's Guide to Windows Security (in particular, Part 5: Network Security)

That concludes my guide to Kerberos for SharePoint. I hope you have found it useful and if you have any queries, please send them to me.

The first thing we need to do is to map some SPNs (again) and the SPNs themselves depend on whether you are using CNAMEs or A Records to resolve your web sites. If you are using CNAMEs, whose targets are servers with associated A Records, you construct the SPN using the CNAME's target (i.e. the hostname in the A Record). In the case of an A Record, it's much simpler; just use the hostname in the A Record. If you're unsure and don't have access to DNS (for whatever reason) then ping the DNS name and see if it resolves directly to an IP address or tells you it's pinging another address. The former result indicates an A Record is in use, the latter indicates a CNAME.

In the case of CNAMEs, it'll often be the case that the target is a machine which will mean constructing SPNs based on that computer's name. There's a further complication in that the same SPN cannot be assigned to more than one account so if you have a collection of CNAMEs for different Web Applications all resolving to the same A Record, each Web Application must use the same domain account for its Application Pool Identity to maintain a unique mapping of SPNs (this will become clear below).

As an example, I am creating SPNs for a site served on the host header kerbtest on port 80 with an appropriate A Record associated with it. The fully qualified SPN is optional (depending on whether the site is ever accessed using the FQDN), but I would always include it.


setspn –A HTTP/kerbtest yourdomain\UserRunningAppPool
setspn –A HTTP/kerbtest.yourdomain.com yourdomain\UserRunningAppPool


Note that HTTP in this case refers to the HTTP service, NOT the protocol. A common mistake is to mistype the above and start them with HTTP://, which is incorrect.

If your domain functional level is Windows Server 2003 or later, you will need to make some changes on the Delegation tab of the user account running the Application Pool. In Active Directory Users and Computers, locate the user object, right click on it and select Properties. Click on the Delegation tab and change the setting to either Trust this user for delegation to any service (Kerberos only) or Trust this user for delegation to specified services only.

Delegation Tab

Some guides will discuss enabling delegation for the computer account in Active Directory as well, but this is only necessary if the service process is running under the Local System account, which is not the case here.

If constrained delegation (the more secure and, therefore, recommended option) is required, I would suggest making sure everything works with unconstrained delegation first, before pressing on with constrained.

Kerberos can be enabled either at Web Application creation time, or later. I would usually implement it later, and make sure that the Web Application functions correctly with NTLM first.

To change the Authentication Provider to Kerberos, from SharePoint Central Administration (SCA), click on Application Management. Click on Authentication providers under Application Security. Make sure that the correct Web Application is selected and then click on the Zone that you wish to move to Kerberos. I will click on Default. The only change you should need to make is to alter the IIS Authentication Settings by changing the radio button from NTLM to Negotiate (Kerberos). Click OK when the warning dialogue box appears and then scroll to the bottom of the page and click on Save.

Edit Authentication

From another machine on the domain (not one of the SharePoint web front end servers), browse to the Web Application. On the Web Server that you hit you should see an event with ID of 540 in the Security log, containing the following kind of information:


Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 09/07/2009
Time: 14:10:52
User: domain\user
Computer:
Description:
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x2D996B)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {5dea6995-63c8-8ab0-0b1d-e80325461c16}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 10.11.12.2
Source Port: 1301


Again, computer, domain and user names have been deliberately removed.

This concludes configuration of Kerberos for a SharePoint Content Web Application. In the final part I will describe how to switch the Shared Services Provider to Kerberos and also add a list of useful references for further reading.