SQL 2008 Silliness
Posted by: ds in Microsoft Server, User Privileges on June 29th, 2010
In Server 2008 (and probably other versions as well), if you try to add a user or group that is local to the server as a SQL login, you get the following lovely error: “Error 15401: Windows NT user or group ‘%s’ not found. Check the name again.” Domain accounts add fine, but not local accounts. Well, SOME local accounts add fine and others don’t. Now isn’t that silly? It turns out that the predefined local groups such as Administrators or Users have to be written with the domain “BUILTIN” rather than the server name (BUILTIN\Administrators, not SERVERNAME\Administrators), and the well-known accounts such as SYSTEM, LOCAL SERVICE and NETWORK SERVICE take “NT AUTHORITY” (NT AUTHORITY\SYSTEM). Only accounts you created yourself in the local SAM use the server name as the prefix. Problem solv-ed.
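The BUILTIN / NT AUTHORITY rule, as an added PowerShell example that is not part of the original post. It translates an account name to its SID and back, which makes Windows hand back the canonical authority\name form SQL Server wants, and then feeds that name to sqlcmd. The instance name SERVER\SQLEXPRESS and the local user LocalSqlUser are placeholders.

```powershell
# Added example, not from the original post. Resolves the name SQL Server expects
# for a local or well-known principal by translating it to a SID and back:
# SERVER\Administrators comes back as BUILTIN\Administrators, SYSTEM comes back
# as NT AUTHORITY\SYSTEM, and a real local SAM account keeps the server name.
function Get-SqlLoginName {
    param([Parameter(Mandatory=$true)][string]$Account)
    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])
    # Translating the SID back yields the canonical authority\name form
    $sid.Translate([System.Security.Principal.NTAccount]).Value
}

$server   = $env:COMPUTERNAME
$instance = "$server\SQLEXPRESS"          # placeholder instance name
# 'LocalSqlUser' is a placeholder for a user you created in the local SAM
$accounts = "$server\Administrators", 'SYSTEM', "$server\LocalSqlUser"

foreach ($acct in $accounts) {
    try {
        $name = Get-SqlLoginName -Account $acct
        Write-Host "$acct -> $name"
        # sqlcmd ships with SQL Server 2008; -E authenticates as the current Windows user
        & sqlcmd.exe -S $instance -E -Q "CREATE LOGIN [$name] FROM WINDOWS;"
    }
    catch {
        Write-Host "$acct could not be resolved on this machine: $($_.Exception.Message)"
    }
}
```

Run it on the SQL Server host as a Windows account that is a sysadmin on the instance. If a name fails to resolve, that is the same lookup failure SQL Server reports as error 15401, so the script tells you before sqlcmd does.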
ds
Funky DNS resolution with Cisco VPN and Vista/7
Posted by: ds in Microsoft Network Admin, Vista on February 25th, 2010
You have Vista or Windows 7 and finally got the latest version of the Cisco VPN client (5.0.06.0110) to install and apparently work. All is well until you try to get to some other internal host after a few minutes or more. Suddenly no hosts other than the original one resolve! You ping your internal DNS server by address and it responds. Nslookup reports timeouts and can’t resolve the host name of the internal DNS server. What the heck is going on here? Is it another Cisco “issue”? The clue is that everything works fine on XP but not on Vista/7. So what changed between XP and Vista/7? Well, it turns out that Microsoft rewrote the IP stack for Vista/7 and, among other things, added a nifty little feature called receive window auto-tuning. This is supposed to automatically size the TCP receive window based on latency, usage and the color of your underwear. The thing is, not every VPN gateway and firewall copes with the TCP window scaling this relies on, and traffic through the tunnel then stalls. (Why name resolution is the visible casualty is not obvious, since plain DNS lookups go over UDP, which auto-tuning never touches, but that is the symptom you see.) The fix is to turn off auto-tuning. You can do this as follows:
Disable TCP Auto-Tuning
1. Open an elevated command prompt (Run as administrator).
2. Type the following command and press Enter:
netsh interface tcp set global autotuninglevel=disabled
Enable TCP Auto-Tuning
1. Open an elevated command prompt (Run as administrator).
2. Type the following command and press Enter:
netsh interface tcp set global autotuninglevel=normal
Note that the parameter is autotuninglevel; netsh rejects autotuning= as an unknown option.
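The same change done from PowerShell with a check before and after, as an added example that is not part of the original post. It assumes an elevated prompt and English-language netsh output (the regex keys on the “Auto-Tuning Level” label).

```powershell
# Added example, not from the original post. Reads the current auto-tuning
# level from netsh, changes it, and confirms the change actually took.
function Get-TcpAutoTuningLevel {
    $out = & netsh.exe interface tcp show global
    foreach ($line in $out) {
        # The line looks like "Receive Window Auto-Tuning Level    : normal"
        if ($line -match 'Auto-Tuning Level\s*:\s*(\S+)') { return $Matches[1] }
    }
    throw 'could not find the auto-tuning level in netsh output'
}

function Set-TcpAutoTuningLevel {
    param([ValidateSet('disabled','normal')][string]$Level)
    & netsh.exe interface tcp set global autotuninglevel=$Level | Out-Null
    $now = Get-TcpAutoTuningLevel
    # netsh prints "Ok." even when the change was refused, so read it back
    if ($now -ne $Level) {
        throw "auto-tuning level is still '$now' (is the prompt elevated?)"
    }
    "auto-tuning level is now $now"
}

"before: $(Get-TcpAutoTuningLevel)"
Set-TcpAutoTuningLevel -Level disabled
```

This is a machine-wide knob: with it disabled every TCP connection, not just the VPN, is stuck with a small receive window, which costs throughput on high-latency links. Treat it as a workaround and set it back to normal once the VPN gateway is fixed.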
How about that law of unintended consequences???
Restoring Exchange 2003 from a remote Backup Exec 9.1 server
Posted by: ds in Exchange, Microsoft Server on October 20th, 2009
So this seems like it should be a fairly straightforward task. I mean, there are a ton of BE backups going on every day and a ton of Exchange backups in those. And I seriously doubt that all of those backups run from the Exchange server itself (unless it’s an SBS, but that’s a totally different animal). But documentation and gotchas are seriously lacking here. So, follow the below exactly! Do not skip anything, otherwise you will go directly to jail and will owe $200.
1) Install the base OS.
a) Do a parallel install or scratch install to a folder that is NOT c:\windows on the server to be restored.
2) Install the BE remote agent on the Exchange server and make sure it is running!
IMPORTANT! Don’t forget this - bad things happen (see below)!
3) Restore the remote server OS from the BE server.
Only include the C: and D: volumes and the system state. Do NOT include the Exchange stores.
Before restarting, edit Boot.ini to add back the parallel install. IMPORTANT, because it’s likely the restore will munch one or more of the drivers.
4) If the server does not restart, it’s probably the video driver.
Restart in safe mode, then reinstall the correct video driver - even if it says it’s already there.
5) Once successfully restarted, start the Exchange Information Store service.
Make sure the stores are dismounted.
In each store’s properties, check the setting that allows the database to be overwritten by a restore.
6) Restore the Exchange store from BE.
7) There may be misc stuff to clean up, but it should be mostly good to go.
What can happen???
If you forget to install the remote agent, or it isn’t running on the remote server, BE will restore the system state to the local (BE) server! No shit!
It won’t tell you it did that - it will only fail on the volume restores but report that the system state restore was successful. If you see something like that - DO NOT REBOOT!
Immediately restore the BE server’s own system state from BE. If you screwed that up, then you’ll need to do a parallel OS install on the BE server.
You will need to remove (or rename) the existing MSSQL$BKUPEXEC instance and make sure that when you install BE, you install to a different directory.
Unless you want to recatalog the tape (yikes!), copy all of the *.ui1 files from the backupexec\nt\catalog folder to the new install.
Then you will need to service pack the OS up to the level the original server was at. Then restart in Directory Restore mode and restore the system state. Oh, and you have to restore the entire C: volume along with the system state to get your registry and SAM back. Otherwise it will fail to restore with a cryptic error (even though it lets you select only the system state - how lame is that??)
ds
MDT 2008 Lite Touch fails with weird network errors - sometimes
Posted by: ds in Microsoft Network Admin, Microsoft Server, Vista, Windows Desktop on October 20th, 2009
Symptoms:
You get the following error message in an MDT 2008 Lite Touch deployment even though you have the correct NIC drivers in Windows PE and the correct Bootstrap.ini settings: “A connection to the deployment share \\Server\Distribution$ could not be made. The Deployment will not proceed.” Upon further investigation you find that you get an access denied error when you try to list the \\server\distribution$\ directory. BUT! If you do a Net Use mapping to the folder, it works just fine! WTF? AND it works on some models of computer but not on others. More WTF?
Cause:
A network initialization timeout in wpeinit.exe in Windows PE 2.1 causes MDT 2008 Lite Touch deployments to fail: the deployment script tries to reach the share before the NIC has finished coming up, which is why slower-initializing NICs (some models, not others) are the ones that fail.
Workaround:
Give Windows PE 2.1 a few more seconds by editing startnet.cmd in your LiteTouch_x86.wim (or ISO) to look like the below. (It’s in the Windows\System32 directory of the image.) Use ImageX /mountrw LiteTouch_x86.wim 1 d:\image to mount the WIM read/write, and don’t forget ImageX /unmount /commit d:\image when you’re done; without /commit the edit is thrown away.
startnet.cmd:
wpeutil InitializeNetwork
ping -n 6 127.0.0.1 > nul
wpeinit
The ping is just a delay of roughly five seconds; a Pause (if someone is at the keyboard) or any other command that does nothing but takes a few seconds to complete will do.
If you want the Deployment Workbench to include the updated startnet.cmd every time you update the Deployment Point, just follow the steps below.
Configure MDT to use the updated startnet.cmd
- Create a folder named ExtraFiles\Windows\System32 on the distribution share drive (D:\ExtraFiles\Windows\System32 in the example below) and copy the updated startnet.cmd to it.
- In the Deployment Workbench, right-click the Deployment Point and select Properties.
- In the Windows PE tab, in the “Extra directory to add” textbox, type D:\ExtraFiles.
- Click OK.
- Regenerate the WIM files (Update the Deployment Point) and don’t forget to rebuild the boot images in WDS, otherwise your changes won’t take effect.
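Both halves of the workaround scripted, as an added example that is not part of the original post or of MDT: it writes the patched startnet.cmd into the ExtraFiles tree so the Workbench injects it on every update, and with -PatchWim it also fixes an existing boot WIM in place with ImageX. The paths are placeholders and imagex.exe (from the WAIK) is assumed to be on the PATH.

```powershell
# Added example, not from the original post or the MDT toolkit. Writes the
# patched startnet.cmd into ExtraFiles\Windows\System32 and optionally patches
# an existing LiteTouch boot WIM in place. Paths are placeholders.
param(
    [string]$ExtraFiles = 'D:\ExtraFiles',
    [string]$BootWim    = 'D:\Distribution\Boot\LiteTouch_x86.wim',
    [string]$MountDir   = 'D:\image',
    [switch]$PatchWim
)
$ErrorActionPreference = 'Stop'

# Six pings to loopback is a delay of roughly five seconds before wpeinit runs
$startnet = @(
    'wpeutil InitializeNetwork',
    'REM give the NIC a few seconds to finish initializing before wpeinit',
    'ping -n 6 127.0.0.1 > nul',
    'wpeinit'
)

$target = Join-Path $ExtraFiles 'Windows\System32'
New-Item -ItemType Directory -Path $target -Force | Out-Null
Set-Content -Path (Join-Path $target 'startnet.cmd') -Value $startnet -Encoding Ascii
Write-Host "wrote $target\startnet.cmd; set 'Extra directory to add' to $ExtraFiles"

if ($PatchWim) {
    New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
    # An MDT LiteTouch WIM contains a single image, hence index 1
    & imagex.exe /mountrw $BootWim 1 $MountDir
    if ($LASTEXITCODE -ne 0) { throw "imagex could not mount $BootWim" }
    try {
        Set-Content -Path (Join-Path $MountDir 'Windows\System32\startnet.cmd') -Value $startnet -Encoding Ascii
    }
    finally {
        # /commit saves the edit; a plain /unmount discards it
        & imagex.exe /unmount /commit $MountDir
    }
}
```

The ASCII encoding matters: cmd.exe in Windows PE does not handle a UTF-8 byte order mark in startnet.cmd, and the default Set-Content encoding in PowerShell 2.0 is not ASCII.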
ds
Converting Roaming Profiles to Mandatory Profiles
Posted by: ds in Microsoft Network Admin, Vista on March 26th, 2009
When doing the official MS method for creating mandatory profiles, you used to be able to take advantage of a little flaw in XP where XP neglected to remove the cached roaming profile even though you told it to via GPO. Well, they fixed that for the most part in Vista, so now it really does remove the cached profile when you tell it to. So now, every time you need to refresh your mandatory profiles, you pretty much have to start from scratch creating a new local profile. If only you could convert the mandatory profile back to a roaming one, make the changes, then convert it back to mandatory! Life would be so much simpler. Guess what, there is a way! Go ahead and create or change the roaming profile that is your base, and log off to save it to the server. Now simply copy it to where you keep the mandatory profile (for Vista that folder name needs the .V2 suffix), fix the NTFS permissions on all the files and subfolders, rename ntuser.dat to ntuser.man and voila! You’re done. Er… almost. You probably remember that that didn’t freakin’ work. It turns out that all you were missing was fixing the permissions inside the registry hive. Yup, they’re still set to only allow the user you saved the roaming profile as access to the hive. So now all you need to do is fire up regedit, load the ntuser.man hive (File, Load Hive), remove the roaming user from the permissions on the loaded key, add the group you want to be able to use the mandatory profile, and unload the hive back to the mandatory profile folder - and NOW you’re done! So why doesn’t MS tell you you can do it that way instead of the rigmarole they have you go through???? Because they are MS, of course.
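The hive permission fix from PowerShell instead of regedit, as an added example that is not part of the original post. It loads ntuser.man, removes the roaming template user’s entries, grants the group Full Control with inheritance, and unloads the hive. The UNC path, the template user and the group name are placeholders; run it as an administrator on a machine with access to the share.

```powershell
# Added example, not from the original post. Fixes the ACL inside a mandatory
# profile hive so the group that will use the profile can open it.
$hiveFile = '\\fileserver\Profiles$\Mandatory.V2\ntuser.man'   # placeholder
$oldUser  = 'CONTOSO\ProfileTemplate'                            # placeholder
$group    = 'CONTOSO\MandatoryProfileUsers'                      # placeholder
$hiveName = 'TempMandatory'

& reg.exe load "HKU\$hiveName" $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "could not load $hiveFile (is it still in use?)" }
try {
    $regPath = "Registry::HKEY_USERS\$hiveName"
    $acl = Get-Acl -Path $regPath
    # Drop every entry for the account the roaming profile was saved as
    foreach ($ace in @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $oldUser })) {
        [void]$acl.RemoveAccessRule($ace)
    }
    # Full Control for the group, inherited by every subkey in the hive
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule($group, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $regPath -AclObject $acl
    Write-Host 'ACL on the hive root is now:'
    (Get-Acl -Path $regPath).Access | Format-Table IdentityReference, RegistryRights -AutoSize
}
finally {
    # Let go of every handle first, or reg unload reports the hive as in use
    $acl = $null; $rule = $null
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    & reg.exe unload "HKU\$hiveName" | Out-Null
}
```

Do the NTFS permissions on the profile folder before running this, otherwise reg load cannot open the file. If unload still reports the hive as in use, close any other regedit or PowerShell window that has the key open.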
ds
The User Profile Service service failed the logon
Posted by: ds in Uncategorized on March 12th, 2009
This is another Vista goodie. All of us anal retentive network nazis have the habit of cleaning up old profiles from desktop computers when we run across them. The simplest way was to simply delete the profile folders from the Documents and Settings folder in XP or 2000. As you probably know by now, Documents and Settings has been replaced by the OS X-esque Users folder. So you figure you can do the same thing in this folder. Well, you can, but you are setting up a potential problem for the future. It seems that the registry keeps track of every user that has ever logged on to a machine. Now if you’ve deleted the user’s profile contents by simply deleting their profile folder, then when you try to log into the machine using that account, Vista barks at you with the titled error. You think WTF? This user can log into every other computer, and other users can log into this computer!!! The fix is to go into the registry and remove the references to the deleted profiles. The profile list can be found under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\, one subkey per user SID, with the ProfileImagePath value pointing at the folder you deleted. The prevention is to log into the machine as a local administrator, go into the computer’s Advanced system properties, and delete the profile from there. That way the folder AND the registry entries are removed together.
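The registry cleanup as an added PowerShell example that is not part of the original post: it lists ProfileList entries whose ProfileImagePath no longer exists on disk and, with Remove-OrphanedProfileEntry, deletes them. Run it elevated; the well-known service SIDs are skipped.

```powershell
# Added example, not from the original post. Finds ProfileList entries whose
# profile folder was deleted by hand and removes them so the next logon builds
# a fresh profile instead of failing.
function Get-OrphanedProfileEntry {
    $listKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    foreach ($key in Get-ChildItem -Path $listKey) {
        $sid = $key.PSChildName
        # S-1-5-18/19/20 are SYSTEM, LOCAL SERVICE and NETWORK SERVICE; leave them alone
        if ($sid -match '^S-1-5-(18|19|20)$') { continue }
        # Get-ItemProperty expands %systemroot% style REG_EXPAND_SZ values
        $path = (Get-ItemProperty -Path $key.PSPath).ProfileImagePath
        if ($path -and -not (Test-Path -LiteralPath $path)) {
            New-Object PSObject -Property @{
                Sid              = $sid
                ProfileImagePath = $path
                Key              = $key.PSPath
            }
        }
    }
}

function Remove-OrphanedProfileEntry {
    param([switch]$WhatIf)
    foreach ($orphan in Get-OrphanedProfileEntry) {
        Write-Host "removing ProfileList entry $($orphan.Sid) -> $($orphan.ProfileImagePath)"
        # Removing the whole subkey (including any .bak variant) is what the
        # Advanced system properties dialog does when it deletes a profile
        Remove-Item -Path $orphan.Key -Recurse -WhatIf:$WhatIf
    }
}

# Review first, then run Remove-OrphanedProfileEntry (add -WhatIf for a dry run)
Get-OrphanedProfileEntry | Format-Table Sid, ProfileImagePath -AutoSize
```

Only entries whose folder is actually gone are touched, so a profile that exists but is merely unused is left alone; delete those through the Advanced system properties dialog as described above.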
Just another “helpful” feature of Vista…
DS
Adobe Acrobat Reader 9.0
Posted by: ds in Adobe, Vista, Windows Desktop on March 12th, 2009
Don’t DO it!!!! In case you haven’t figured it out yet, Adobe’s release 9.0 of Acrobat Reader causes lots of problems. Known issue #1 - In Vista with IE 7 and a normal (non-administrator) user, Reader won’t launch inline in the IE browser window; it just hangs with a blank page. The workaround for this has been to turn off the browser integration so Reader launches in its own window.
Known Issue #2 - If you have redirected your Application Data folder to a network share, 9.0 has a hissy fit and errors out on open.
The fix to all of this??? Why, it’s Acrobat Reader 9.1 of course! Just another example of why you should be very cautious with dot-zero releases. And, cynically, another example of the ridiculous buggy bloat that is all things Adobe. Yes, Adobe seems to be contending with the king of bloat (MS) for the crown. I think they might even get it very soon!
PS: Version 9.1 does indeed fix both of the problems. HOWEVER, it unintentionally breaks itself again. Or, more correctly, it tries to use something that is broken in Vista. So, when you install 9.1, make sure to install hotfix 228839, available here: http://support.microsoft.com/hotfix/KBHotfix.aspx?kbnum=955555&kbln=en-us
This fixes a problem that shows up when you are using roaming or mandatory profiles and Vista doesn’t create all of the local temp folders (AppData\LocalLow in particular). It’s especially bad if you clear the cached profiles at logout.
Gone insane yet??????
More insanity…
Ok, so the hotfix listed above does indeed fix the problem, but ONLY for Vista SP1!!! The hotfix won’t install on SP2. Not only that, but if you do have the hotfix installed (or any other hotfix, for that matter) SP2 won’t install via WSUS. AND MS broke the LocalLow folder creation for folder redirection situations in SP2 again. So basically I give up waiting for MS to fix this and keep it fixed; if you just add the following line to your logon scripts it will create the missing folder when the logon process doesn’t. Maybe some day MS will get their head out of their A@# and actually get this fixed (yes, this has been frustrating).
if not exist "%USERPROFILE%\AppData\LocalLow" md "%USERPROFILE%\AppData\LocalLow"
(The quotes matter for user names, and therefore profile paths, that contain spaces.)
ds
Default Permissions For Roaming Profile and Folder Redirection Folders
Posted by: ds in Microsoft Network Admin, Microsoft Server on February 3rd, 2009
Here are the recommended default permissions for the Profiles and Redirected Folders parent folders so that new users automatically get their folders created for them when logging on for the first time:
Roaming profile parent folder:
Creator Owner = Full Control, Subfolders and Files Only
Domain Users = List Folder/Read Data, Create Folders/Append Data - This Folder Only
System = Full Control, This Folder, Subfolders and Files
And don’t forget to change the GPO for the client computers (not the server) to add the Administrators security group to the roaming user profile folders, otherwise only the user (as creator owner) and SYSTEM can get into them. It’s in Computer Configuration\Administrative Templates\System\User Profiles\Add the Administrators security group to roaming user profiles - Enable it.
Redirected Folders Parent:
Creator Owner = Full Control, Subfolders and Files Only
Domain Users = List Folder/Read Data, Create Folders/Append Data - This Folder Only
System = Full Control, This Folder, Subfolders and Files
Administrators = Full Control, This Folder, Subfolders and Files
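The two permission sets applied with Set-Acl, as an added PowerShell example that is not part of the original post. The function strips inheritance, removes the existing explicit entries and applies exactly the list above; -RedirectedFolders adds the Administrators entry that only the redirected-folders parent gets. The paths D:\Profiles and D:\Redirected are placeholders; run it on the file server as an administrator.

```powershell
# Added example, not from the original post. Applies the recommended default
# permissions to a roaming profile parent or a redirected-folders parent.
function Set-ProfileParentAcl {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [string]$Domain = $env:USERDOMAIN,
        [switch]$RedirectedFolders
    )
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent and drop the inherited entries on save
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($old in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($old)
    }

    $rules = @(
        # CREATOR OWNER = Full Control, subfolders and files only
        (New-Object System.Security.AccessControl.FileSystemAccessRule('CREATOR OWNER', 'FullControl', 'ContainerInherit,ObjectInherit', 'InheritOnly', 'Allow')),
        # Domain Users = List Folder/Read Data + Create Folders/Append Data, this folder only
        (New-Object System.Security.AccessControl.FileSystemAccessRule("$Domain\Domain Users", 'ListDirectory,CreateDirectories', 'None', 'None', 'Allow')),
        # SYSTEM = Full Control, this folder, subfolders and files
        (New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'))
    )
    if ($RedirectedFolders) {
        # Administrators = Full Control, this folder, subfolders and files
        $rules += New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    }
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $Path -AclObject $acl

    # Show what was applied so it can be compared with the list above
    (Get-Acl -Path $Path).Access |
        Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
}

Set-ProfileParentAcl -Path 'D:\Profiles'
Set-ProfileParentAcl -Path 'D:\Redirected' -RedirectedFolders
```

Because the roaming profile parent deliberately carries no Administrators entry, the account that runs this is locked out of the user folders that get created underneath it until the “Add the Administrators security group to roaming user profiles” policy is enabled on the clients; that is by design, not a mistake in the script.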
Change those unchangeable defaults
Posted by: ds in Vista, Windows Desktop on January 28th, 2009
You can change the default open and save location for all of the Office 2007 programs except Publisher. How lame is that??? Or can you?
It turns out that Publisher, for some unknown reason, looks at the following registry value to figure out where to open and save from: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, value Personal. (If you are editing another user’s hive under HKEY_USERS, note that it is keyed by the user’s SID, not the user name.) So if you change this value to where you really want your default to be, then Publisher (and any other program that looks at the same value) will magically use that as the default path.
Ah, and here is another one just like that. MS Paint looks at the My Pictures value under the same key, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, to figure out where it opens. Change that value and voila! Default changed. You can use either a UNC path or a mapped drive.
The big warning is that any other programs that use these values will get their defaults changed as well, but then again, if you want your default changed for these programs, you probably want it changed for the others as well. The other big warning is that these values will be ignored if you have folder redirection enabled for My Documents, either at the user level or via GPO.
ds
Enterprise PKI without the Enterprise edition of Server 2003
Posted by: ds in Microsoft Network Admin, Microsoft Server on January 28th, 2009
My, my, aren’t we getting advanced??? You have decided to implement an enterprise-wide Public Key Infrastructure to start securing your network. Despite what you read from Microsoft (and all of the articles blindly based on Microsoft blather), you do not need Server 2003 Enterprise Edition to get this to work at the machine level. A Standard Edition enterprise CA can issue the built-in version 1 templates, and the Computer template is one of them; it is the customizable version 2 templates (which is what you need for user autoenrollment) that require Enterprise Edition. So, how do you go about setting it up?
If your network is comprised of only one domain, it’s pretty simple. Just install Certificate Services on a server in your primary LAN, selecting the Enterprise Root CA role. You can install Certificate Services on any other servers you need, selecting the Enterprise Subordinate CA role and pointing them at the first server you set up. Typically you would install a subordinate CA on LANs at remote locations to reduce WAN traffic and keep issuing certs if a WAN link goes down.

Things get a little more involved when your network is comprised of a root domain and one or more trusted child domains. Basically, you start out the same, installing the Enterprise Root CA in the root domain and an Enterprise Subordinate CA in each child domain, BUT there are a couple of little tidbits you need to do to make it work. First, you need to log on to the server in the child domain as an Enterprise Admin (the root domain’s Administrator account is one by default), otherwise you won’t have the option to install Certificate Services as an enterprise subordinate CA. Second, even though it does not say you need to, reboot the server right away, otherwise all sorts of weird messages pop up in your event logs and the CA doesn’t issue certs. Third, you will find that the CA still isn’t issuing certs but there are no error messages anywhere!!! (Another WTF - MS is good at making you ask that, aren’t they?) The problem is that computers in the child domains are not allowed to request certs from the enterprise CA by default: the Enroll permission on the Machine template only covers the root domain’s Domain Computers group. To fix that, go to a server in the root domain, open AD Sites and Services, in the View menu check Show Services Node, then expand the Services node and go to Public Key Services, then Certificate Templates. The template you are looking for is called Machine (even though the certificate it issues is called Computer; it’s the same one).

Right-click, Properties, Security, add the Domain Computers group from each of the child domains and give it the Enroll permission on top of Read. Oh, and fourth, sometimes the cert service doesn’t start up right on server start; you can probably fiddle with service dependencies, but a simple stop/start of the service after the server is done rebooting works too.
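The template permission change scripted, as an added PowerShell example that is not part of the original post: it grants Read and Enroll on the Machine template in the Configuration partition to Domain Computers of each child domain, which is what the AD Sites and Services clicks above do by hand. Run it as an Enterprise Admin; the child domain names are placeholders.

```powershell
# Added example, not from the original post. Grants Read + Enroll on the Machine
# certificate template to each child domain's Domain Computers group.
$childDomains = 'CHILD1', 'CHILD2'      # placeholders

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = $rootDse.Properties['configurationNamingContext'].Value
# Templates live in the Configuration partition, which the whole forest shares
$template = [ADSI]"LDAP://CN=Machine,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

# Certificate-Enrollment is the extended right behind the "Enroll" checkbox
$enrollRight = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$allow       = [System.Security.AccessControl.AccessControlType]::Allow

foreach ($domain in $childDomains) {
    $group = New-Object System.Security.Principal.NTAccount("$domain\Domain Computers")
    $sid   = $group.Translate([System.Security.Principal.SecurityIdentifier])

    $read   = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericRead, $allow)
    $enroll = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow, $enrollRight)

    $template.ObjectSecurity.AddAccessRule($read)
    $template.ObjectSecurity.AddAccessRule($enroll)
    Write-Host "granted Read + Enroll on the Machine template to $domain\Domain Computers"
}
# CommitChanges writes the modified nTSecurityDescriptor back to the directory
$template.CommitChanges()

# Show the resulting entries so they can be checked against the Security tab
$template.ObjectSecurity.Access |
    Where-Object { $_.IdentityReference -like '*Domain Computers' } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType -AutoSize
```

Template ACLs replicate with the Configuration partition, so allow for replication to the child domain’s DCs (and restart Certificate Services on the subordinate CA, as noted above) before testing an enrollment from a child domain computer.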
So what good is a computer (machine) certificate, you ask? One hint - 802.1X and IPsec. Well, actually that’s two hints, and definitely a topic for another post.
ds