Archive for category Windows 2003

Microsoft DFS and File Services updates

Microsoft DFS Updates:
List of currently available hotfixes for Distributed File System (DFS) technologies in Windows Server 2012 and Windows Server 2012 R2:
https://support.microsoft.com/en-us/help/2951262/list-of-currently-available-hotfixes-for-distributed-file-system-dfs-technologies-in-windows-server-2012-and-windows-server-2012-r2
 
List of currently available hotfixes for the File Services technologies in Windows Server 2008 and in Windows Server 2008 R2:
https://support.microsoft.com/en-us/help/2473205/list-of-currently-available-hotfixes-for-the-file-services-technologies-in-windows-server-2008-and-in-windows-server-2008-r2
 
List of currently available hotfixes for the File Services technologies in Windows Server 2012 and in Windows Server 2012 R2:
https://support.microsoft.com/en-us/help/2899011/list-of-currently-available-hotfixes-for-the-file-services-technologies-in-windows-server-2012-and-in-windows-server-2012-r2

How to migrate a DHCP database from Windows 2000 Server to Windows Server 2008 or Windows Server 2008 R2

http://blogs.technet.com/b/networking/archive/2009/11/09/how-to-migrate-a-dhcp-database-from-windows-2000-server-to-windows-server-2008-or-windows-server-2008-r2.aspx


How to force Kerberos to use TCP instead of UDP in Windows

http://support.microsoft.com/kb/244474/en-us


How to detect and recover from a USN rollback in Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2

http://support.microsoft.com/kb/875495/en-us


An online defragmentation is automatically run after you run the Active Directory garbage collection process in Windows 2000 Server

An online defragmentation is automatically run after you run the Active Directory garbage collection process in Windows 2000 Server:

http://support.microsoft.com/kb/871003/en-us

  1. Install the hotfix from the article above.
  2. Add the DSA Heuristics registry value:
    • Click Start, click Run, type regedit, and then click OK.
    • Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
    • Right-click the Parameters subkey, point to New, and then click String Value.
    • Type DSA Heuristics, and then press ENTER.
    • Right-click DSA Heuristics, type 0000000001, and then click OK.
      Note: There are nine zeros and a one in this registry value.
    • Exit Registry Editor.

 


Things to consider when you host Active Directory domain controllers in virtual hosting environments

Things to consider when you host Active Directory domain controllers in virtual hosting environments:

http://support.microsoft.com/kb/888794

Repadmin /showattr

Repadmin /showattr:

http://technet.microsoft.com/ko-kr/library/cc742051(v=ws.10).aspx

“The LastLogonTimeStamp Attribute” – “What it was designed for and how it works”

“The LastLogonTimeStamp Attribute” – “What it was designed for and how it works”:

http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx

Nmcap – Automating network traffic capture with NMCap

With Network Monitor 3.3 you can use the command line to capture traffic on specific interfaces.

You can choose which protocol to capture, when to start capturing, and so on.

Some examples:

nmcap /network * /capture "(tcp.port == 25)" /file t.chn:100M /stopwhen /timeafter 120min /terminatewhen /keypress x

In the example above, NMCap captures the traffic on all interfaces (the "/network *" parameter) addressed to TCP port 25 and stops after 120 minutes or when the "X" key is pressed. The command also chains the captured data into N files, t(1).chn and t(2).chn, each of 100 MB, until the capture reaches its planned end (on this point I recommend paying particular attention to running out of available disk space). Remember that by default, to stop the capture, you only need to press Ctrl+C or Ctrl+Break. Let's take a step back and look at a simpler example:

nmcap /network * /capture /file test.cap

The command above captures the traffic on all interfaces and saves the data to the file test.cap (a circular capture to a single file whose maximum size is the 20 MB default). Another interesting example is the following, where we capture all traffic except the part belonging to the RDP protocol (Terminal Services):

nmcap /network * /capture "!(tcp.port == 3389)" /file test.cap

As anticipated in the first script, you can set when the capture starts and stops through the /startwhen and /stopwhen switches: after a certain number of minutes (for example 30) with the switch "/TimeAfter 30 minutes", or at a precise time with the switch "/Time 10:30:00 am 9/10/2006" (be careful, because the date/time format depends on the configured locale settings), or, as I mentioned at the beginning of the post, when a particular event occurs, as in the example below, where the capture ends as soon as NMCap sees a frame going from the local server to the host with IP 10.20.30.41:

nmcap /network * /capture /file t.cap /stopwhen /frame "(ipv4.address == ipconfig.localipv4address) AND (Ipv4.DestinationAddress == 10.20.30.41)"

As I mentioned earlier, you can chain the capture output files by specifying the ".chn" extension and the maximum size of each file (which I recommend keeping below 100-200 MB so that you do not end up handling files that are too large). So, using for example the switch "/file t.chn:1M", files called t(1).chn, t(2).chn, etc. are created, each 1 MB in size.

To protect the available disk space, you can also specify an alternative stop condition for the trace based on the percentage of free disk space, as in the example below, where the capture ends automatically once only 5% of free space remains:

nmcap /network * /capture /file result.cap /MinDiskQuotaPercentage 5


“0x80070005: Access is denied” error message when you run a batch job on a Windows Server 2003-based computer

http://support.microsoft.com/kb/867466/en-us

Method 1

Grant the Cmd.exe program Read and Execute permissions for the user account that the batch job runs under. To do this, follow these steps:
  1. Click Start, and then click Windows Explorer.
  2. Locate and then right-click the Cmd.exe file. The Cmd.exe file is located in the %windir%\System32 folder.
  3. Click Properties.
  4. Click the Security tab.
  5. Click Add.
  6. In the Enter the object names to select box, type the user name that the batch job runs under, and then click OK two times.

     Note: When you add the user, the user is automatically granted Read and Execute permissions.

  7. Click Yes when you are prompted to continue.

Method 2

Grant Read and Execute permissions for the Cmd.exe file to the Batch group. This permits all batch processes to run the command processor. To do this, follow these steps:
  1. Click Start, and then click Windows Explorer.
  2. Locate and then right-click the Cmd.exe file. The Cmd.exe file is located in the %windir%\System32 folder.
  3. Click Properties.
  4. Click the Security tab.
  5. Click Add.
  6. In the Enter the object names to select box, type Batch, and then click OK two times.
  7. Click Yes when you are prompted to continue.


    EventID: 3083 and 3013 – Source:Windows Search Service [SOLVED]

    ———————————————————————————————-
    Source: Windows Search Service
    Category: Gatherer
    Type: Error
    EventID: 3083
    The protocol handler Search.Mapi2Handler.1 cannot be loaded. Error description: Class not registered
    ———————————————————————————————-
    Import the following registry keys, worked for me:
    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{9E175BAF-F52A-11D8-B9A5-505054503030}]
    @="Windows Search Service Office Outlook Protocol Handler"

    [HKEY_CLASSES_ROOT\CLSID\{9E175BAF-F52A-11D8-B9A5-505054503030}\InprocServer32]
    @=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,74,00,25,\
      00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6d,00,73,00,\
      73,00,70,00,68,00,2e,00,64,00,6c,00,6c,00,00,00
    "ThreadingModel"="Both"

    [HKEY_CLASSES_ROOT\CLSID\{9E175BAF-F52A-11D8-B9A5-505054503030}\ProgID]
    @="Search.MAPI2Handler.1"

    [HKEY_CLASSES_ROOT\CLSID\{9E175BAF-F52A-11D8-B9A5-505054503030}\VersionIndependentProgID]
    @="Search.MAPI2Handler"


    Using XCACLS

    Downloaded Xcacls.vbs
    Copied under shared folder “C:\xcacls” on Domain Controller
    Then created a script with the following lines:
    copy \\domain controller\XCACLS\xcacls.vbs c:\
    cscript c:\XCACLS.vbs "C:\Documents and Settings\%COMPUTERNAME%\Desktop" /G intraosa\user:RWED;RW /T /E
    Added the script to a GPO under “Startup Script”
    This gives the user Read, Write, Execute and Delete access to the files on the computer profile’s Desktop (had a user with the same name as the computer), and only Read and Write to the Desktop folder

    Kerberos 4 – KRB_AP_ERR_MODIFIED

    If you receive Kerberos 4 errors stating that “the password used to encrypt the kerberos service ticket is different than that on the target server…Commonly due to identically named machines on the target Realm.” check the following:

    NET USE \\computer (the computer listed in the event log)

    NBTSTAT -C to see the list of registered names

    Verify in DNS (reverse) or WINS that the name is registered correctly. In my case I had DHCP not refreshing the DDNS and so having two computers with the same reverse PTR.

    Otherwise

    You can check the Kerberos cache on the client by using one of the following tools: KLIST, Kerbtest, or KerbTray

    Reset the machine account password by using the following command:

    netdom resetpwd /s:server /ud:domain\User /pd:*

    A description of this command is:

    • /s:server is the name of the domain controller to use for setting the machine account password. This is the server where the KDC is running.
    • /ud:domain\User is the user account that makes the connection with the domain you specified in the /s parameter. This must be in domain\User format. If this parameter is omitted, the current user account is used.
    • /pd:* specifies the password of the user account that is specified in the /ud parameter. Use an asterisk (*) to be prompted for the password.
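
A forward/reverse consistency check for the duplicate-PTR situation described above, as an added example that is not part of the original post. The function name is hypothetical and the record lists are constructed sample data; in practice they would come from an export of the forward and reverse zones.

```python
from collections import defaultdict

def find_ptr_conflicts(a_records, ptr_records):
    """Compare forward (name, ip) and reverse (ip, name) records.

    Returns a dict mapping each problematic IP to a list of findings:
    - more than one PTR name registered for the same address
    - a PTR name whose own A record does not point back to that address
    """
    forward = defaultdict(set)
    for name, ip in a_records:
        forward[name.lower().rstrip(".")].add(ip)

    reverse = defaultdict(set)
    for ip, name in ptr_records:
        reverse[ip].add(name.lower().rstrip("."))

    problems = defaultdict(list)
    for ip, names in sorted(reverse.items()):
        if len(names) > 1:
            problems[ip].append("multiple PTR: " + ", ".join(sorted(names)))
        for name in sorted(names):
            if ip not in forward.get(name, set()):
                problems[ip].append(
                    "stale PTR: %s does not resolve to %s" % (name, ip))
    return dict(problems)

# Constructed sample: pc-sales02 moved to a new lease, but its old PTR
# for 10.20.30.41 was never removed by dynamic DNS.
SAMPLE_A = [
    ("pc-sales01.corp.example", "10.20.30.41"),
    ("pc-sales02.corp.example", "10.20.30.57"),
]
SAMPLE_PTR = [
    ("10.20.30.41", "pc-sales01.corp.example"),
    ("10.20.30.41", "pc-sales02.corp.example"),
    ("10.20.30.57", "pc-sales02.corp.example"),
]

if __name__ == "__main__":
    for ip, findings in find_ptr_conflicts(SAMPLE_A, SAMPLE_PTR).items():
        for finding in findings:
            print(ip, "-", finding)
```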


    Troubleshoot Cluster Service Account. Failed File Share Resource (Error ID: 1053, 1068)

    Somebody has set the Cluster Service Account as Domain Admin. I’ve had to remove this setting and make sure there wouldn’t be any problem.

    This cluster was configured with Shares and DFS stand-alone. This resource is a File Share Resource with the option set to “DFS Root” in the advanced properties of this object. This makes sure that it automatically creates a stand-alone DFS on this node that can fail over to the other node, preserving all the settings.

    I’ve followed this article:

    http://support.microsoft.com/default.aspx/kb/307532/

    After setting the proper permissions, some share resources wouldn’t come online, and failed with 1053, 1068 events.
    The issue was due to the fact that for some reason (that I miss), the local Administrators group wasn’t defined on the specific folder shares on the disk, the NTFS permissions to be more precise. Once the Administrators group was added, the resources came online straight away.

     

    Another issue was that the Network Name resource failed. This was because under the cluster group, in the Network Name properties, under the Parameters tab, the flag “Enable DNS Registration” was enabled. To resolve this issue follow these steps:

    Root Cause:
    When the static record was created, the option “allow any authenticated user to update DNS records with the same owner” was not selected. Therefore the cluster node (the active node) that owns the cluster name resource won’t be able to register this resource record in the DNS database on behalf of the resource record itself.
    Solution:
    Go to DNS, find the records (A and pointer record) for the cluster name resource.
    • Right-click the record
    • Go to Properties
    • In the Security tab make sure that “Authenticated Users” is included
    • Make sure it has “Write” rights and Special permissions
    • Click Advanced, locate Authenticated Users, and click Edit
    • Make sure Write all properties, Read permissions, and All Validated Writes are selected
    • Click OK three times to exit


    DNS Log [8281 DR SERVFAIL] – Forwarding Issue

    DNS 2003 by default advertises that it can receive UDP packets larger than 512 bytes, which isn’t compatible with some PIX firewalls.
    Workaround
    on the DNS server: dnscmd /Config /EnableEDnsProbes 0 (to turn off this feature) *
    or
    Proper solution (not always)
    enable the PIX to accept EDNS packets on UDP 53 (not all firewalls accept EDNS):
     fixup protocol dns maximum-length 768  (512 is default)

    With the DNSCMD command you disable the EDNS functionality, enabled by default on Windows 2003, that accepts UDP packets above 512 bytes. This is not always supported by PIX firewalls by design.
    Obviously the server is more efficient with EDNS: it doesn’t truncate packets, which loses data and requires querying again over TCP with more overhead.
    By reading here and there, I found that administrators prefer slowing down the DNS queries a little rather than modifying the PIX configuration, which could cause more evident failures.

    This link explains the issue:
    https://lists.isc.org/pipermail/bind-users/2002-June/039240.html

    Cisco PIX firewalls are configured and fixed to receive UDP packets of 512 bytes or under
     
    4.2.1. UDP usage
     
    Messages sent using UDP user server port 53 (decimal).
     
    Messages carried by UDP are restricted to 512 bytes (not counting the IP
    or UDP headers).  Longer messages are truncated and the TC bit is set in
    the header.
     
     


    VSS Event ID: 20

    Volume Shadow Copy Service error: A critical component required by the Volume Shadow Copy service is not registered. This might happened if an error occurred during Windows setup or during installation of a Shadow Copy provider. The error returned from CoCreateInstance on class with CLSID {f5078f32-c551-11d3-89b9-0000f81fe221} and Name MSXML30 is [0x80040154].
    From a command prompt in the \windows\system32\ directory, run the following:

    regsvr32 msxml.dll

    regsvr32 msxml3.dll

    regsvr32 msxml4.dll

    If you do a search for msxml*.* you will discover that there are a number of other files that appear to be related to this same component; you may wish to re-register

     


    WSUS 3.0 SP2 – Deploy and registry tweaks

    Install WSUS 3.0 SP2.
    Check that the services on clients are up and set to Automatic with this .reg file:

    Windows Registry Editor Version 5.00

    ; Start = 2 means the service startup type is Automatic
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
    "Start"=dword:00000002

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
    "Start"=dword:00000002

    ; Port 8530 applies if you installed WSUS on a new web site
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate]
    "WUServer"="http://server.domain.net:8530"
    "WUStatusServer"="http://server.domain.net:8530"
    "TargetGroupEnabled"=dword:00000001
    ; Default WSUS group
    "TargetGroup"="Unassigned Computers"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate\AU]
    "NoAutoUpdate"=dword:00000000
    ; AUOptions 3 = auto download but notify for install
    "AUOptions"=dword:00000003
    "ScheduledInstallDay"=dword:00000000
    ; 0x0d = 13 = 1:00 PM
    "ScheduledInstallTime"=dword:0000000d
    "UseWUServer"=dword:00000001

    Check if required services are started (can be a batch file):
    NET STOP "Automatic Updates" && NET START "Automatic Updates"
    NET START "bits"
    Start sync with the WSUS server (can be a batch file):
    wuauclt.exe /detectnow
    Check C:\Windows\WindowsUpdate.log for troubleshooting
    Use ClientDiag.exe on client to check if everything is set correctly


    Windows Update [Error number: 0x800B0100]

    Open CMD
    Type:
    net stop cryptsvc
    ren %systemroot%\system32\catroot2 renamed_catroot2
    net start cryptsvc

    You need admin rights.

    If that does not succeed and you still get that error message, try
    this at the command prompt:

    regsvr32 wintrust.dll


    FTP problem with .aspx pages

    We had a problem accessing .aspx pages under an FTP Site pointing to a network share, showing “404 NOT FOUND”.

    The user that you specify under “Connect As” must be granted the “Logon Locally” permission on the FTP server so that IIS can use it to browse and access the files.

    Then you can grant users specific permissions on the shares and IIS will use them to access the files. So the security is not compromised at all. The fact is that IIS uses the “Connect As” account (call it the service account) to do its business, which is why it should have local permissions.


    Error ID: 1093 – ASP.NET 2.0.50727.0

    “Unable to get the private bytes memory limit for the W3WP process. The ASP.NET cache will be unable to limit its memory use, which may lead to a process restart. Error: 0x80070005”
    A worker process with process id of ‘1600’ serving application pool ‘SapWebServerPool’ has requested a recycle because it reached its virtual memory limit.
    These issues are due to incorrectly configured permissions for virtual directories with a local or remote (share) path.
    If there are many sites in IIS, the best practice is to create an Application Pool for each one and set the appropriate permissions. Browse the properties of the pool under the “Identity” tab. The same user must be configured under the site’s Virtual Directory, under the “Connect As” button.
    To solve the 1093 error, grant this user permissions on the IIS metabase with the following command:
    aspnet_regiis -ga <user specified in “Connect As”> (you can find aspnet_regiis under the “Windows\Microsoft.NET\2.0…..” folder).
    This user must be in the IIS_WPG group, which should already have these permissions. Give this group permissions on the metabase by running the above command. It should already have these permissions set, but we’ve noticed that they weren’t set on our IIS.
    • So you should have the Application Pool with the service account specified.
    • You should have the Virtual Directory with the same service account specified under “Connect As”.
    • In the Authentication tab set “Integrated authentication”.
    • The service account must be in the IIS_WPG group.
    We managed to troubleshoot the issue by running “Procmon” and noticing Access Denied logs.
