Archive for the ‘Microsoft Network Admin’ Category

WOL not working from new server

When moving things from an old server to a new one (which happens to be running Windows 2008 R2 (64-bit)), WOL does not seem to reach anything. It worked on the old server but not on the new one. WTF? First thoughts are something 2008 R2 related or 64-bit related. It turns out it probably isn’t any of that. It’s probably the fact that newer servers tend to have multiple NICs and your older hardware only had a single NIC. What is going on is that even though the extra NICs aren’t used, as long as they are active (not disabled) WOL will use one of them to send its packets. I don’t know yet how to reorder the NICs so WOL uses the connected one, so the simple fix is to disable the NICs that aren’t plugged in to the network. WOL then has to use the active one and it works fine. Jeesh.



Redirect new computers from default container in active directory

This is posted lots of other places but this is easier to find:

Run the Redircmp.exe file at a command prompt by using the following syntax, where container-dn is the distinguished name of the organizational unit that will become the default location for newly created computer objects that are created by down-level APIs:
redircmp container-dn
Redircmp.exe is installed in the %Systemroot%\System32 folder on Windows Server 2003-based or newer computers. For example, to change the default location for a computer that is created with earlier-version APIs such as Net User to the OU=mycomputers container in the CONTOSO.COM domain, use the following syntax:
C:\windows\system32>redircmp ou=mycomputers,DC=contoso,dc=com
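To confirm the redirection took, the domain's wellKnownObjects attribute records which container receives new computer objects. This check is an added example, not part of the original post or of redircmp; it assumes the ActiveDirectory PowerShell module is available:

```powershell
# Added example (not from the original post): read the wellKnownObjects attribute
# on the domain naming context to see where new computer objects are created now.
Import-Module ActiveDirectory

# GUID that tags the default computers container in wellKnownObjects
# (GUID_COMPUTRS_CONTAINER_W). Each entry has the form "B:32:<guid>:<dn>".
$ComputersContainerGuid = 'AA312825768811D1ADED00C04FD8D5CD'

function Get-DefaultComputerContainer {
    param([string]$DomainDn = (Get-ADDomain).DistinguishedName)

    $domain = Get-ADObject -Identity $DomainDn -Properties wellKnownObjects
    foreach ($entry in $domain.wellKnownObjects) {
        # Split into at most 4 parts so the DN (which always contains commas
        # and may contain colons) survives intact as the last part.
        $parts = $entry -split ':', 4
        if ($parts.Count -eq 4 -and $parts[2] -ieq $ComputersContainerGuid) {
            return $parts[3]
        }
    }
    return $null
}

$current = Get-DefaultComputerContainer
Write-Host "New computer objects land in: $current"

# The case the post is fixing: still the built-in Computers container, which
# cannot have a GPO linked to it, so new machines get no policy until moved.
if ($current -like 'CN=Computers,*') {
    Write-Warning 'Default container has not been redirected; run redircmp.'
}
```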


Funky DNS resolution with cisco VPN and Vista/7

You have Vista or Windows 7 and finally got the latest version of the Cisco VPN client to install and apparently work. All is well until you try to get to some other internal host after a few minutes or more. Suddenly no hosts other than the original host resolve! You ping your internal DNS server by address and it responds. NSlookup reports timeouts and can’t resolve the host name for the internal DNS server. What the heck is going on here? Is it another Cisco “issue”? The clue is that everything works fine on XP but not on Vista/7. So what changed between XP and Vista/7? Well, it turns out that Microsoft rewrote the IP stack for Vista/7 and among other things added a nifty little feature called autotune. This is supposed to automatically tune the receive window size based on latency, usage and the color of your underwear. So guess what? Since you don’t resolve internal names over the VPN very much (and you have green undies on), name resolution gets tuned down to practically nothing. So when you try to use it, it times out. The fix is to turn off autotune. You can do this as follows:

Disable TCP Auto-Tuning

1. Open an elevated command prompt with administrator’s privileges.
2. Type the following command and press Enter:
netsh interface tcp set global autotuning=disabled

Enable TCP Auto-Tuning

1. Open an elevated command prompt with administrator’s privileges.
2. Type the following command and press Enter:
netsh interface tcp set global autotuning=normal

How about that law of unintended consequences???


Update: Sometimes the above does not entirely fix the problem. Do the following (note: the article was originally written for Server 2003 but appears to be applicable to this case too):


The Domain Name System (DNS) client screening feature lets Microsoft Windows Server 2003-based computers determine whether a DNS server is reachable from the configured interface. However, this feature may also prevent access to a DNS server that is otherwise available.

This article describes how to turn off the DNS client screening feature.

To turn off the DNS client screening feature, you must first create the ScreenUnreachableServers registry entry. To do this, follow these steps:
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey:
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type ScreenUnreachableServers, and then press ENTER.
  5. On the Edit menu, click Modify.
  6. Type 0 in the Value data box, and then click OK.
  7. Exit Registry Editor.

    Note You must stop and then start the DNS Client service for the registry change to take effect.

In some configurations, the DNS client screening feature may prevent access to a DNS server that is otherwise available. Typically, this occurs on a server that has more than one network adapter interface. The operating system determines whether a DNS server is reachable, together with the DNS client screening feature.

It is by design that the DNS Client service does not access the DNS servers that appear to be unreachable from the interface on which they are configured. The DNS servers are marked unreachable for the server even though they may be available to the other network adapter on the same server.


MDT 2008 Lite Touch fails with weird network errors - sometimes
You may not put two and two together, but the last time you updated MDT (because MS told you you needed to… (yeah, so much for trusting MS)) you actually broke it. Now you get a Network Timeout (or a weird access denied error) in Windows PE 2.1 when it’s trying to launch the Lite Touch scripts. Oh, and another thing about launching LiteTouch: don’t have a Windows boot CD (or any CD) in the CD drive. For some weird reason WPEInit will see that and fail to launch the LiteTouch script. (No, I haven’t figured out why yet.)

You get the following error message in MDT 2008 Lite Touch Deployment even though you have the correct NIC drivers in Windows PE and the correct bootstrap.ini settings: “A connection to the deployment share \\Server\Distribution$ could not be made. The Deployment will not proceed.” Upon further investigation you find out that you get an access denied error when you try to list the \\server\distribution$\ directory. BUT! If you do a Net Use mapping to the folder, it works just fine! WTF? AND, it works on some models of computer but not on others. More WTF?

A network initialization timeout issue in wpeinit.exe in Windows PE 2.1 causes MDT 2008 Lite Touch deployments to fail.

Give Windows PE 2.1 a few more seconds by editing startnet.cmd in your LiteTouch_x86.wim (or ISO) to look like below. (It’s in the windows\system32 directory.) (Use imagex /mountrw LiteTouch.wim 1 d:\image to mount the WIM.) (Don’t forget to imagex /unmount d:\image when you’re done, and pass /commit with it or your edited startnet.cmd is thrown away.)


wpeutil InitializeNetwork
rem give the network stack a few seconds to finish before LiteTouch starts
ping localhost
(pause, or any other command that does nothing but takes a few seconds to complete, works in place of ping)

If you want the Deployment Workbench to include the updated startnet.cmd every time you update the Deployment Point just follow the below steps

Configure MDT to use the updated startnet.cmd

  1. Create a folder named ExtraFiles\Windows\System32 in the distribution share and copy the updated startnet.cmd to it.
  2. In the Deployment Workbench, right-click the Deployment Point and select Properties.
  3. In the Windows PE Tab, in the Extra directory to add textbox, type in D:\ExtraFiles
  4. Click OK
  5. Regenerate the WIM files and don’t forget to rebuild the Boot images in WDS otherwise your changes won’t take effect.



Converting Roaming Profiles to Mandatory Profiles

When doing the official MS method for creating mandatory profiles, you used to be able to take advantage of a little flaw in XP where XP neglected to remove the cached roaming profile even though you told it to via GPO. Well, they fixed that for the most part in Vista, and so now it really does remove the cached profile when you tell it to. So now, every time you need to refresh your mandatory profiles, you pretty much have to start from scratch creating a new local profile. If only you could convert the mandatory profile back to a roaming one, make the changes, then reconvert it back to mandatory! Life would be so much simpler. Guess what, there is a way! Go ahead and create or change the roaming profile that is your base, and log off to save it to the server. Now simply copy it to where you keep the mandatory profile, fix the permissions on all the files and subfolders, rename ntuser.dat to and voilà! You’re done. Er… almost. You probably remember that didn’t freakin’ work. It turns out that all you were missing was to fix the permissions inside the registry. Yup, they’re still set to only allow the user you saved the roaming profile as access to the registry. So, now all you need to do is fire up regedit, load the hive, remove the roaming user, add the group you want to be able to use the mandatory profile, and unload the hive back to the mandatory profile folder - and NOW you’re done! So why doesn’t MS tell you you can do it that way instead of the rigamarole they have you go through???? Because they are MS, of course.
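The regedit part (load hive, swap the roaming user for the group, unload) can be scripted. This is an added example, not from the original post; the hive file path, the mount name and the account names are assumptions, and it must run elevated because reg.exe load requires it:

```powershell
# Added example (not from the original post): load a profile hive, replace the
# roaming user's ACE with the group that should use the mandatory profile, and
# unload it again. Paths, mount name and account names are assumptions.
function Set-MandatoryHiveAcl {
    param(
        [Parameter(Mandatory)][string]$HiveFile,     # e.g. \\srv\mandatory\ntuser.man
        [Parameter(Mandatory)][string]$RoamingUser,  # account the hive was saved as
        [Parameter(Mandatory)][string]$Group,        # group that will use the profile
        [string]$MountName = 'MandTemp'              # temporary name under HKEY_USERS
    )
    # reg.exe load attaches the file-backed hive under HKU\<MountName>.
    & reg.exe load "HKU\$MountName" $HiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HiveFile" }
    try {
        $key = "Registry::HKEY_USERS\$MountName"
        $acl = Get-Acl -Path $key
        # Drop every explicit ACE that names the roaming user.
        foreach ($ace in @($acl.Access)) {
            if (-not $ace.IsInherited -and
                $ace.IdentityReference.Value -ieq $RoamingUser) {
                [void]$acl.RemoveAccessRule($ace)
            }
        }
        # Give the group the Full Control the user had; ContainerInherit pushes
        # the ACE down to every subkey that still inherits from the root.
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule `
            -ArgumentList $Group, 'FullControl', 'ContainerInherit', 'None', 'Allow'
        $acl.AddAccessRule($rule)
        Set-Acl -Path $key -AclObject $acl
    }
    finally {
        # Release the key handles PowerShell still holds, or reg unload fails.
        $acl = $null; $rule = $null
        [GC]::Collect(); [GC]::WaitForPendingFinalizers()
        & reg.exe unload "HKU\$MountName" | Out-Null
    }
}
```

Subkeys that carry their own explicit ACE for the roaming user (or a protected DACL) are not touched by the root change and need the same treatment.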



Default Permissions For Roaming Profile and Folder Redirection Folders

Here are the recommended default permissions for the Profiles and Redirected Folders parent folders so that new users automatically get their folders created for them when logging on for the first time:

Roaming profile parent folder:

Creator Owner = Full Control, Subfolders and Files Only
Domain Users = List Folder/Read Data, Create Folders/Append Data - This Folder Only
System = Full Control, This Folder, Subfolders and Files

And don’t forget to change the GPO for the local computer (not the server) to add the Administrators security group to the roaming user profile share.  It’s in Computer/Administrative Templates/System/User Profiles/Add the Administrators security group to roaming user profiles  - Enable it.

Redirected Folders Parent:

Creator Owner = Full Control, Subfolders and Files Only
Domain Users = List Folder/Read Data, Create Folders/Append Data - This Folder Only
System = Full Control, This Folder, Subfolders and Files
Administrators = Full Control, This Folder, Subfolders and Files
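Both permission sets above, applied with PowerShell and the .NET ACL classes, as an added example that is not part of the original post. The folder path and the domain prefix on Domain Users are assumptions; the switch adds the Administrators entry for the redirected-folders parent.

```powershell
# Added example (not from the original post): set the recommended ACL on a
# roaming-profile or redirected-folder parent. Path and domain name are assumed.
function New-Ace([string]$Id, [string]$Rights, [string]$Inherit, [string]$Propagate) {
    # Strings are converted to the FileSystemRights / InheritanceFlags /
    # PropagationFlags enums by the FileSystemAccessRule constructor.
    New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Id, $Rights, $Inherit, $Propagate, 'Allow'
}

function Set-ProfileParentAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$DomainUsers = 'CONTOSO\Domain Users',
        [switch]$IncludeAdministrators   # use for the redirected-folders parent
    )
    $acl = Get-Acl -Path $Path
    # Cut inheritance and clear existing explicit ACEs so nothing from the parent
    # volume (BUILTIN\Users read, for instance) reaches other users' profile data.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access)) {
        if (-not $ace.IsInherited) { [void]$acl.RemoveAccessRule($ace) }
    }
    $rules = @(
        # Creator Owner = Full Control, Subfolders and Files Only
        (New-Ace 'CREATOR OWNER' 'FullControl' 'ContainerInherit,ObjectInherit' 'InheritOnly'),
        # Domain Users = List Folder/Read Data, Create Folders/Append Data - This Folder Only
        (New-Ace $DomainUsers 'ReadData,AppendData' 'None' 'None'),
        # System = Full Control, This Folder, Subfolders and Files
        (New-Ace 'NT AUTHORITY\SYSTEM' 'FullControl' 'ContainerInherit,ObjectInherit' 'None')
    )
    if ($IncludeAdministrators) {
        # Administrators = Full Control, This Folder, Subfolders and Files
        $rules += New-Ace 'BUILTIN\Administrators' 'FullControl' 'ContainerInherit,ObjectInherit' 'None'
    }
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $Path -AclObject $acl
}

# Usage (paths are assumptions):
Set-ProfileParentAcl -Path 'D:\Profiles'
Set-ProfileParentAcl -Path 'D:\Redirected' -IncludeAdministrators
```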


Enterprise PKI without enterprise edition of 2003 server.

My, my, aren’t we getting advanced??? You have decided to implement an enterprise-wide Public Key Infrastructure to start securing your network. Despite what you read from Microsoft (and all of the articles blindly based on Microsoft blather), you do not need Server 2003 Enterprise Edition to get this to work at the machine level. Only if you want to do it at the user level do you need the Enterprise Edition. So, how do you go about setting it up?

If your network is comprised of only one domain, it’s pretty simple. Just install Certificate Services on a server in your primary LAN, selecting the Enterprise Root CA role. You can install Certificate Services on any other servers that you need to, selecting the Subordinate Enterprise CA role and pointing them at the first server you set up. Typically you would install a subordinate CA on LANs that are at remote locations to help reduce WAN traffic and enhance reliability if a WAN link goes down. Things get a little more involved when your network is comprised of a root domain and one or more trusted child domains. Basically, you start out the same - installing the Enterprise Root CA in the root domain and installing a Subordinate Enterprise CA in each child domain - BUT there are a couple of little tidbits you need to do to make it work. First, you need to log on to the server in the child domain as the administrator of the root domain (otherwise known as the enterprise administrator); otherwise you won’t have the option to install the cert services as a Subordinate Enterprise CA. Second, even though it does not indicate you need to, reboot the server right away; otherwise all sorts of weird messages pop up in your event logs and the CA doesn’t issue certs. Third, you will find that the CA still isn’t issuing certs but there are no error messages anywhere!!! (Another WTF - MS is good at making you ask that, aren’t they?) The problem is that the computers in the child domains are not allowed to request certs from the enterprise CA by default. To fix that, go to the root domain server, open up AD Sites and Services, in the menu go to View then check Show Services Node, then expand the Services node and go to Public Key Services, then Certificate Templates. The template you are looking for is called Machine (even though the certificate you issued is called Computer - it’s actually the same one).
Right click, Properties, Security, add the Domain Computers group from each of the child domains and change their permission from Read to Enroll. Oh, and fourth - sometimes the cert service doesn’t start up right on server start; you can probably fiddle with dependencies but a simple stop/start of the service after the server is done rebooting works too.
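A read-only check that the Enroll permission on the Machine template ended up where you expect (each child domain's Domain Computers group, and nothing broader than intended). This is an added example, not from the original post; it assumes the ActiveDirectory module's AD: drive is available and uses the well-known GUID of the Certificate-Enrollment extended right.

```powershell
# Added example (not from the original post): list principals allowed to
# enroll for a certificate template by reading its ACL from the Configuration NC.
Import-Module ActiveDirectory

# Extended right GUID for Certificate-Enrollment (the "Enroll" permission).
$EnrollRightGuid = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

function Get-TemplateEnrollers {
    param([string]$TemplateName = 'Machine')   # template name from the post

    $configDn = (Get-ADRootDSE).configurationNamingContext
    $dn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services," +
          "CN=Services,$configDn"
    $acl = Get-Acl -Path "AD:\$dn"
    $extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights.HasFlag($extRight) -and
            # An empty ObjectType means "all extended rights" (e.g. Full Control),
            # which includes Enroll, so it is reported too.
            ($_.ObjectType -eq $EnrollRightGuid -or $_.ObjectType -eq [Guid]::Empty)
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

Get-TemplateEnrollers | ForEach-Object { "Can enroll Machine template: $_" }
```

Entries that show up here but are not a Domain Computers group you added (or the defaults you expect) are worth a second look before rolling the template out.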

So what good is a computer (machine) certificate, you ask? One hint - 802.1X and IPsec. Well, actually that’s two hints and definitely a topic for another post.



Controlling Cache settings and more in IE

Hidden deep within Group Policy there are many jewels that are not always easy to find. One of these jewels is the advanced or “preference mode” Internet Explorer settings. These can be accessed with the following steps:

  1. Open the Group Policy Management Console and create a new GPO.
  2. Browse to User Configuration/Windows Settings
  3. Right click on “Internet Explorer Maintenance” and click “Preference Mode”

This will add another subgroup of settings listed under “Advanced”. In this subgroup you can edit settings related to cache size, auto complete, roaming profile cache, auto image resizing, and many more things.
Warning:  If you have already set some things in “Internet Explorer Maintenance”, you will need to either clear them first or create a new GPO in order to switch to “Preference Mode”


Windows Power Management

Ok, so you’re totally frustrated by the bizarre decisions Microsoft made when they set up power management in Windows 2000 and XP. You know, the problem that power settings are a per-user setting but “normal” users don’t have permissions to change them and you can’t figure out a way to manage them centrally? Yup, MS really outdid themselves on this one!

So here’s how you get around it.

First, get yourself the latest copy of EZGPO from here:
(make sure it’s at least 2.01 - the older versions kinda stink)

Next, unzip it, copy the ADM into the DC’s inf folder and the MSI file into all the DC’s logon scripts folder.

Next, add the EZ_GPO.ADM template to your GPO and set your settings in both the computer section and the user section.

Don’t forget about the “prompt for password on resume” setting in the user section under system/power management. NOTE: this can only turn the prompt on. It cannot turn it off! (Another MS GO FIGURE!) If you need to turn it off you have to do it either by importing a registry key via logon script or manually user by user.

Now install the Ezgpo.MSI on each computer. You can do that via GPO or logon script but be warned! It needs admin rights to install!

After installation, reboot and log on TWICE. Yes, TWICE! It doesn’t fully implement until after the second reboot and login cycle. Not sure if you need to be a local admin on both boots or not; I’ll update that info later.

More Notes: It seems that if you have an HP (and maybe others) you have a .default profile that plays into this as well. It seems that when the computer goes to suspend, it picks up some settings from the .default profile and replaces what you have set with them. Since the power settings are contained in a binary string, they aren’t really editable directly, so… My advice here is to get your power settings exactly the way you want them, export HKCU\Control Panel\PowerCfg\GlobalPowerPolicy, edit the .reg file to fix the key name and then import it to HKU\.default\Control Panel\PowerCfg\GlobalPowerPolicy.
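The export/edit/import step above done in one go, as an added example that is not from the original post. It copies every value under the current user's GlobalPowerPolicy key to the .DEFAULT hive while preserving the REG_BINARY type, and has to run elevated because HKU\.DEFAULT is not writable by a standard user.

```powershell
# Added example (not from the original post): mirror HKCU\Control Panel\PowerCfg\
# GlobalPowerPolicy into HKU\.DEFAULT so the suspend path picks up your settings.
function Copy-GlobalPowerPolicyToDefault {
    $src = 'HKCU:\Control Panel\PowerCfg\GlobalPowerPolicy'
    $dst = 'Registry::HKEY_USERS\.DEFAULT\Control Panel\PowerCfg\GlobalPowerPolicy'

    if (-not (Test-Path $src)) { throw "Source key not found: $src" }
    if (-not (Test-Path $dst)) { New-Item -Path $dst -Force | Out-Null }

    $key = Get-Item -Path $src
    foreach ($name in $key.GetValueNames()) {
        # Read the raw data and its kind so the binary policy blob is written
        # back as REG_BINARY rather than being re-typed on the way.
        $kind = $key.GetValueKind($name)
        $data = $key.GetValue($name, $null,
                    [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        New-ItemProperty -Path $dst -Name $name -Value $data -PropertyType $kind -Force |
            Out-Null
    }
    # Number of values copied, handy for a quick sanity check.
    return $key.GetValueNames().Count
}

$copied = Copy-GlobalPowerPolicyToDefault
Write-Host "Copied $copied value(s) into HKU\.DEFAULT"
```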

disclaimer: If you don’t know how to add a template or what the heck GPO is, go buy a book! This isn’t a site to teach you how to administer a network for gosh sakes.

