Welcome to my blog...it is just a bunch of random notes to myself, for myself, and if it happens to help someone else...cool. I am currently working for a large consulting company which supports a national nonprofit organization with 23000 workstations and 250 configuration servers.
Thursday, January 28, 2010
Troubleshooting WSUS
I was getting Windows Update Error Code: 80244021
To troubleshoot, I went to http://<servername>/selfupdate/wuident.cab to see if I could connect to a file. When the security trust page came up I quickly realized that I needed to add the WSUS server as a trusted site.
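The same check from PowerShell, as an added example (not the original post's code): 80244021 is WU_E_PT_HTTP_STATUS_BAD_GATEWAY, an HTTP 502 handed back by a proxy or gateway in front of the WSUS server, so the first two things worth knowing on a failing client are what status the server actually returns for /selfupdate/wuident.cab and whether the WSUS host is mapped to the Trusted sites zone (zone 2). The function reads the WUServer policy value the client is using; the -WsusUrl override is only there for testing a different server.

```powershell
# Added example, not the original post's code: probe the WSUS path from a
# client. Reads the WUServer policy value, does a HEAD on
# /selfupdate/wuident.cab and reports the HTTP status, then checks whether the
# server's host is mapped to the Trusted sites zone (2) either per user or by
# the GPO site-to-zone list. Pass -WsusUrl to test a different server.
function Test-WsusClientPath {
    param([string]$WsusUrl)

    if (-not $WsusUrl) {
        $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
        $WsusUrl = (Get-ItemProperty -Path $pol -Name WUServer -ErrorAction SilentlyContinue).WUServer
    }
    if (-not $WsusUrl) { throw 'No WUServer policy value on this machine; pass -WsusUrl' }

    $uri    = [uri]$WsusUrl
    $probe  = '{0}://{1}/selfupdate/wuident.cab' -f $uri.Scheme, $uri.Authority
    $result = @{ WsusUrl = $WsusUrl; Probe = $probe; HttpStatus = $null; Error = $null; TrustedZone = $false }

    # 1. Fetch the file the way the agent does: system proxy, default credentials
    $req = [System.Net.WebRequest]::Create($probe)
    $req.Method = 'HEAD'
    $req.UseDefaultCredentials = $true
    $req.Timeout = 15000
    try {
        $resp = $req.GetResponse()
        $result.HttpStatus = [int]$resp.StatusCode
        $resp.Close()
    } catch [System.Net.WebException] {
        $result.Error = $_.Exception.Message
        if ($_.Exception.Response) { $result.HttpStatus = [int]$_.Exception.Response.StatusCode }
    }

    # 2. Zone mapping. IE stores "wsus.example.com" as Domains\example.com\wsus with a
    #    DWORD named after the scheme; a GPO site-to-zone list lands in ZoneMapKey instead.
    $labels     = $uri.Host.Split('.')
    $domainsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    if ($labels.Count -gt 2) {
        $userKey = '{0}\{1}\{2}' -f $domainsKey, ($labels[-2..-1] -join '.'), ($labels[0..($labels.Count - 3)] -join '.')
    } else {
        $userKey = '{0}\{1}' -f $domainsKey, $uri.Host
    }
    $userZone = (Get-ItemProperty -Path $userKey -Name $uri.Scheme -ErrorAction SilentlyContinue).($uri.Scheme)

    $polKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    $polZone = $null
    foreach ($name in @("$($uri.Scheme)://$($uri.Host)", $uri.Host)) {
        $v = (Get-ItemProperty -Path $polKey -Name $name -ErrorAction SilentlyContinue).$name
        if ($v) { $polZone = $v; break }
    }
    $result.TrustedZone = ($userZone -eq 2) -or ($polZone -eq '2')

    New-Object PSObject -Property $result
}

# Usage on the failing client:
# Test-WsusClientPath | Format-List
```

A 502 from the probe means the problem is between the client and WSUS (a proxy), not the zone mapping; a 200 with TrustedZone = False is the case the post describes.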
Friday, October 9, 2009
Joining Ubuntu to Windows Active Directory Domain
I found some likewise-open documentation for the older version of Ubuntu 8.04. Since the process is automated, the documentation hasn't changed much. However, one of the features of the manual process was allowing users to connect to the samba server on my Ubuntu machine. I had to piece together how to get this to also work. Maybe there will be a modification to likewise-open5 eventually that will include some automation with this.
=== to be continued ===
http://likewise.com/resources/user_documentation/Likewise-Samba-Guide-5.pdf
1. Create a directory named 'idmap' under /usr/lib/samba, if necessary (/usr/lib64/samba for 64-bit servers). Create a symbolic link from /usr/lib/samba/idmap/lwicompat_v2.so to point to /opt/likewise/lib/lwicompat_v2.so. Repeat for lwicompat_v3 and lwicompat_v4.
# cd /usr/lib/samba
# mkdir idmap
# cd idmap
# ln -s /opt/likewise/lib/lwicompat_v2.so /usr/lib/samba/idmap/lwicompat_v2.so
# ln -s /opt/likewise/lib/lwicompat_v3.so /usr/lib/samba/idmap/lwicompat_v3.so
# ln -s /opt/likewise/lib/lwicompat_v4.so /usr/lib/samba/idmap/lwicompat_v4.so
On a 64-bit server, the path is slightly different:
# cd /usr/lib64/samba
# mkdir idmap
# cd idmap
# ln -s /opt/likewise/lib64/lwicompat_v2.so /usr/lib64/samba/idmap/lwicompat_v2.so
# ln -s /opt/likewise/lib64/lwicompat_v3.so /usr/lib64/samba/idmap/lwicompat_v3.so
# ln -s /opt/likewise/lib64/lwicompat_v4.so /usr/lib64/samba/idmap/lwicompat_v4.so
2. Confirm the version of Samba that you have installed and edit the Samba configuration file accordingly.
# smbd -V
Version 3.0.26a-1478
Now that you know the version number, edit the Samba configuration file /etc/samba/smb.conf to set the following parameters to the listed values. If the parameters are not included in the smb.conf file, add a new line for them in the [global] section. Here are the compatibility plugins to use by Samba version:
lwicompat_v2 for Samba 3.0.0 - 3.0.22
lwicompat_v3 for Samba 3.0.23 - 3.0.24
lwicompat_v4 for Samba 3.0.25 and later 3.0 releases.
(Likewise 5: Samba 3 Integration Guide, Product Documentation. Copyright © 2009 Likewise Software. All rights reserved. 3.16.2009.)
Here is how to edit your smb.conf file for lwicompat_v2 or lwicompat_v3:
security = ads
workgroup = <enter NETBIOS name from /opt/likewise/bin/lw-get-status>
realm = <enter realm from /etc/krb5.conf>
# idmap backend = lwicompat_v2
idmap backend = lwicompat_v3
idmap uid = 50-9999999999
idmap gid = 50-9999999999
The configuration for Samba 3.0.25 and later 3.0 releases is different. Here is how to edit your smb.conf file for lwicompat_v4 for Samba version 3.0.25 and later 3.0 releases:
security = ads
workgroup = <enter NETBIOS name from /opt/likewise/bin/lw-get-status>
realm = <enter realm from /etc/krb5.conf>
idmap domains = ALL
idmap config ALL:backend = lwicompat_v4
idmap config ALL:default = yes
idmap config ALL:readonly = yes
3. Print out the machine account information by running the following command as root to retrieve the machine account password from the Likewise authentication system and provide it to the Samba server's authentication system:
/opt/likewise/bin/lw-dump-machine-acct <dns domain>
DomainSID = S-1-5-21-aaaa-bbbbb-ccccc-ddddd
DomainName = AD
Domain DNS Name = AD.PLAINJOE.ORG
HostName = srv3
Machine Account Name = srv3$
Machine Account Password = EncryptedStringPassword
Treat that output as a credential: it is this host's domain secret, so do not redirect it to a file, paste it into a ticket, or leave it in a terminal log.
4. Set the domain SID in Samba's database by using the Samba net command:
net setdomainsid S-1-5-21-aaaa-bbbbb-ccccc-ddddd
5. Store the machine account password by using the net command. You can copy the encrypted machine account password from the output of the /opt/likewise/bin/lw-dump-machine-acct <dns domain> that you executed in a previous step.
Important: Your machine account password expires, according to your default AD domain policy, after 40 days (the Windows default maximum machine account password age is 30 days, so check what your domain policy and the Likewise agent actually use). Therefore, you must repeat these steps every time your machine account password expires. However, you can set up a cron job to automate this operation, but doing so is beyond the scope of this document.
net changesecretpw -f
Enter password: <EncryptedStringPassword>
Thursday, December 18, 2008
Powershell Example
Scenario: Needed to test disaster recovery procedures at the hospital. All employees were told to go to a website and type in a url.
Problem: Workstations located in the doctor-patient procedure rooms don't have that ability because patients have been known to 'surf' the web while waiting to be helped.
Solution: Needed to copy a new http:// shortcut to every workstation ASAP
Tools used: Active Directory Users and Computers and Powershell
1. Export a list of all Procedure Workstations from Active Directory
2. I was going to use psexec tool but then remembered powershell was capable of running a foreach loop
3. Started with: cat 'secured workstations.txt' | foreach-object -process {echo copy-item 'shortcut.lnk' \\$_\c$\documents and settings\userprofile\start menu}
4. After failure I started looking at backslash as an escape character and putting parts of the phrase in quotes
5. Tested one computer with: echo 'computername' | foreach-object -process {copy-item 'shortcut.lnk' \\$_"\c$\documents and settings\userprofile\start menu\"}
6. Ran final command: cat 'secured workstations.txt' | foreach-object -process {copy-item 'shortcut.lnk' \\$_"\c$\documents and settings\userprofile\start menu\"}
Wednesday, September 3, 2008
Powershell Script To update links
cat workstations.txt | ForEach-Object -process {copy-item 'shortcut.lnk' -destination "\\$_\c$\documents and settings\all users\start menu"}
If I was to work on this again I would want to add a line that would tell me what workstation was being worked on like the untested code below. If the computer is turned off or not able to be connected then the error just shows up as "Copy-Item : The network path was not found" or "Copy-Item : Could not find a part of the path" without any indication of what workstation was failing.
cat workstations.txt | ForEach-Object -process {
write-host "Trying to connect to $_"; copy-item 'shortcut.lnk' -destination "\\$_\c$\documents and settings\all users\start menu"}
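The two loops in this post and the December 2008 one above both run Copy-Item against \\host\c$ for every name in a text file, and the failure text never says which host failed. Here is an added example (my code, not the original post's) that does the same job but returns one object per workstation, carrying the host name, the status and the exception text, and skips hosts that do not answer a ping instead of waiting on the SMB timeout. Whatever lands in the All Users Start Menu runs for every user who logs on, and writing to c$ needs local admin on each workstation, so run it from an account that has only that and keep the source file somewhere users cannot modify. The host list and file names are made up for the demo.

```powershell
# Added example, not the original post's code: copy one file to the same
# admin-share path on a list of workstations and return, per host, whether it
# worked and why not, so "The network path was not found" is no longer
# anonymous. Hosts that do not answer a ping are reported as Offline.
# The host list and file names below are constructed for the demo.
function Copy-ToWorkstations {
    param(
        [Parameter(Mandatory=$true)][string[]]$ComputerName,
        [Parameter(Mandatory=$true)][string]$Path,                 # local source file
        [string]$RelativeDestination = 'c$\Documents and Settings\All Users\Start Menu'
    )
    if (-not (Test-Path -Path $Path -PathType Leaf)) { throw "Source file not found: $Path" }
    foreach ($computer in $ComputerName) {
        $computer = $computer.Trim()
        if (-not $computer) { continue }                             # blank lines in the list
        $dest = "\\$computer\$RelativeDestination"
        $row  = @{ Computer = $computer; Destination = $dest; Status = ''; Detail = '' }
        if (-not (Test-Connection -ComputerName $computer -Count 1 -Quiet)) {
            $row.Status = 'Offline'
        } else {
            try {
                Copy-Item -Path $Path -Destination $dest -Force -ErrorAction Stop
                $row.Status = 'Copied'
            } catch {
                $row.Status = 'Failed'
                $row.Detail = $_.Exception.Message                   # reason stays next to the host name
            }
        }
        New-Object PSObject -Property $row
    }
}

# Usage: constructed host list; in practice use Get-Content 'secured workstations.txt'
$hosts   = @('PROC-RM1-WS', 'PROC-RM2-WS', '')
$results = Copy-ToWorkstations -ComputerName $hosts -Path 'shortcut.lnk'
$results | Format-Table Computer, Status, Detail -AutoSize
$results | Where-Object { $_.Status -ne 'Copied' } | Export-Csv -Path 'deploy-failures.csv' -NoTypeInformation
```

The failures CSV is the list to feed back in once the offline machines are up, and -ErrorAction Stop is what turns Copy-Item's non-terminating error into something the catch block sees.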
Friday, August 24, 2007
Powershell Notes
Here are some notes:
- set-alias -name grep -value select-string
IanG on Tap: Learning PowerShell: FINDSTR Equivalent
Wednesday, July 11, 2007
User Profile Service Failed the Logon - Vista
This is the second time that I have gotten this error on Vista. I have already destroyed my profile and started over but it appears like this will just keep happening.
Friday, March 2, 2007
Restoring Domain into Vmware virtual environment for a Lab or Test
The first step is to make sure that you are using the same hal.dll's. In our environment almost every server has dual processors or more. I had to shut down the virtual environment and switch to 2 processors. After logging in as an administrator for 5 minutes, Windows asked me to reboot to take advantage of the new hardware.
The first machine to restore is a global catalog domain controller at the highest level of the forest, the root domain. When you restore
Next I restored C: and the System State. No big problem there, just wait it out and don't reboot!!! Wait until you replace c:\boot.ini with your backup in c:\backup. Also make sure that c:\windows\repair\boot.ini doesn't revert (only an issue if you did this once before and have an old backup boot.ini there). Microsoft has a registry step for the first domain controller in a new environment, but we found that the registry entry wasn't available until the next reboot.
Reboot the restored PC.
Basically, make a backup of boot.ini into a folder like c:\backup. After restoring through ntbackup and before rebooting, replace c:\boot.ini with c:\backup\boot.ini. Also copy c:\backup\boot.ini to c:\windows\repair\.
We have 2 domains in our forest: an empty root domain that has the highest security and a primary domain which all users use for day-to-day activities. We have broken up the Active Directory roles between 2 machines at each level. We found it easier to restore the global catalog domain controller because you have the entire database to authenticate against. The first domain controller (per domain) needs a registry edit: HKLM\System\CurrentControlSet\Services\NtFrs\Parameters\Cumulative Replica Sets\{UUID value}\BurFlags = 0xD4 (212 decimal, the authoritative-restore flag). If you have multiple UUIDs, use the UUID value that is found under HKLM\System\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets. We had to do this twice, once for each domain!!! The errors that we saw when we missed the second domain came from dcdiag and netdiag: replication errors, secure channel errors, and domain controllers not being part of the domain they are supposed to monitor.
Our first step was to mimic our production network environment subnet in a host only setting.
We then installed Windows 2003 to a virtual disk. We found out the hard way that we had to be at the same level of service pack, SP1 for us. I then created a sysprep.inf answer file to speed deployment. After resealing the image, I just copied the generic template 4 times. Each time I would have to wait through a mini-setup, but it was pretty easy to work on 4 machines at the same time.
Right after we copied the boot.ini to the right spots, we would take a snapshot. Again, this was learned the hard way; snapshots can save you lots of time!
Our last issue is the Netlogon share under each domain controller, but since the Sysvol share was automatically enabled after replication errors went away, we are hopeful that this will also correct itself. I think the only thing that we are missing are group policies.
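The BurFlags step above is easy to get wrong by hand (wrong GUID, wrong hive, flag set while FRS is running). Here is an added example, my code rather than anything from the original post, that does it on the DC: it lists the {GUID} subkeys under NtFrs\Parameters\Replica Sets, stops FRS, writes BurFlags into the matching "Cumulative Replica Sets" key for each, starts FRS, and reports the values. D4 (authoritative) goes on exactly one DC per replica set; every other DC gets D2 (non-authoritative). It supports -WhatIf, so run it that way first.

```powershell
# Added example, not from the original post: set FRS BurFlags for every replica
# set on this DC, finding the {GUID} names under NtFrs\Parameters\Replica Sets
# and writing into the matching "Cumulative Replica Sets" keys. Run on the DC
# as an administrator. D4 = authoritative (one DC per replica set only),
# D2 = non-authoritative (all the others).
function Set-FrsBurFlags {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [ValidateSet('Authoritative','NonAuthoritative')]
        [string]$Mode = 'NonAuthoritative'
    )
    $base  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'
    $flags = if ($Mode -eq 'Authoritative') { 0xD4 } else { 0xD2 }

    $sets = Get-ChildItem -Path "$base\Replica Sets" -ErrorAction Stop |
            Where-Object { $_.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$' }
    if (-not $sets) { throw "No FRS replica sets found under $base\Replica Sets" }

    # FRS reads BurFlags when it starts, so stop it, set the flags, then start it again
    if ($PSCmdlet.ShouldProcess('NtFrs', 'stop service')) { Stop-Service -Name NtFrs -Force }
    foreach ($set in $sets) {
        $target = "$base\Cumulative Replica Sets\$($set.PSChildName)"
        if (-not (Test-Path $target)) { New-Item -Path $target -Force | Out-Null }
        if ($PSCmdlet.ShouldProcess("$target\BurFlags", ('set to 0x{0:X} ({1})' -f $flags, $Mode))) {
            Set-ItemProperty -Path $target -Name BurFlags -Value $flags -Type DWord
        }
    }
    if ($PSCmdlet.ShouldProcess('NtFrs', 'start service')) { Start-Service -Name NtFrs }

    # Report what is in the registry now; FRS resets each BurFlags to 0 once it has acted on it
    foreach ($set in $sets) {
        $target = "$base\Cumulative Replica Sets\$($set.PSChildName)"
        $value  = (Get-ItemProperty -Path $target -Name BurFlags -ErrorAction SilentlyContinue).BurFlags
        New-Object PSObject -Property @{ ReplicaSet = $set.PSChildName; BurFlags = $value }
    }
}

# Usage: see what would change, then run it for real
# Set-FrsBurFlags -Mode Authoritative -WhatIf
# Set-FrsBurFlags -Mode Authoritative
```

Because we had two domains, this has to be run once on the first DC of each domain, which is the step we missed the first time.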
Wednesday, November 8, 2006
Reregister Windows Updates
Here is a batch script that I wrote based off of an email from Microsoft Support. It has worked for me in every situation.
rem Stop BITS and the Windows Update service so the download cache can be moved aside
net stop bits
net stop wuauserv
pause
rem Drop any cache left from a previous run, then rename the current one
rmdir /s %windir%\sdold
rename %windir%\SoftwareDistribution sdold
pause
net start wuauserv
rem Re-register the Windows Update Agent, BITS and script engine components
Regsvr32 msxml3.dll
Regsvr32 wuapi.dll
Regsvr32 wuaueng.dll
Regsvr32 wucltui.dll
Regsvr32 wups.dll
Regsvr32 wuweb.dll
Regsvr32 qmgr.dll
Regsvr32 qmgrprxy.dll
Regsvr32 jscript.dll
echo Reset the proxy list
rem pause
rem proxycfg -d sets WinHTTP to direct access; -u then imports the current IE proxy settings
proxycfg -d
proxycfg -u
net stop wuauserv
net start wuauserv
Friday, October 27, 2006
Tuesday, October 24, 2006
Changing Registry ACL's EnMasse
Here is an interesting way to modify security permissions (ACLs) on computers and servers through Group Policy.
Active Directory administrators that are using a group policy security template can add lines like the following to their .inf template file. Each entry is "key",mode,"SDDL": mode 0 propagates the inheritable permissions to all subkeys, 1 replaces the existing permissions on all subkeys with the inheritable ones, and 2 means do not allow the permissions on this key to be replaced. The third field is the DACL in SDDL: D:PAR marks a protected DACL (inheritance from the parent is blocked), and an ACE such as (A;CI;KR;;;AU) reads as allow, container-inherit, Key Read, for Authenticated Users (KA is Key All Access, CIIO is inherit-only; BA Administrators, SY SYSTEM, BU Users, PU Power Users, CO Creator Owner):
[Registry Keys]
"CLASSES_ROOT",0,"D:PAR(A;CI;KA;;;BA)(A;CI;KR;;;AU)(A;CIIO;KA;;;CO)(A;CI;CCDCLCSWRPSDRC;;;PU)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"
"MACHINE\SOFTWARE\Microsoft\OS/2 Subsystem for NT",0,"D:PAR(A;CI;KA;;;BA)(A;CIIO;KA;;;CO)(A;CI;KA;;;SY)"
"MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip",0,"D:AR(A;CI;KR;;;AU)"
"MACHINE\SYSTEM\CurrentControlSet\Services\EventLog",0,"D:AR(A;CI;KR;;;AU)"
"MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers",2,"D:PAR(A;CI;KA;;;BA)(A;CI;KR;;;AU)(A;CIIO;KA;;;CO)(A;CI;CCDCLCSWRPSDRC;;;PU)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"
"MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions",0,"D:AR(A;CI;KR;;;AU)"
"MACHINE\SYSTEM\CurrentControlSet\Control\ContentIndex",0,"D:AR(A;CI;KR;;;AU)"
"MACHINE\SYSTEM\CurrentControlSet\Control\Computername",0,"D:AR(A;CI;KR;;;AU)"
"MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts",0,"D:AR(A;CI;KR;;;AU)"
"MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout",0,"D:AR(A;CI;KR;;;AU)"
"MACHINE\Software\Microsoft\Windows NT\CurrentVersion",0,"D:AR(A;CI;KR;;;AU)"
"MACHINE\SOFTWARE\Classes\.hlp",0,"D:PAR(A;CI;KA;;;BA)(A;CI;KR;;;AU)(A;CIIO;KA;;;CO)(A;CI;CCDCLCSWRPSDRC;;;PU)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"
"MACHINE\SOFTWARE\Classes\helpfile",0,"D:PAR(A;CI;KA;;;BA)(A;CI;KR;;;AU)(A;CIIO;KA;;;CO)(A;CI;CCDCLCSWRPSDRC;;;PU)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"
"MACHINE\Software\Classes",0,"D:AR(A;CI;KA;;;BA)(A;CI;KR;;;AU)(A;CIIO;KA;;;CO)(A;CI;CCDCLCSWRPSDRC;;;PU)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"
"MACHINE\Software",0,"D:PAR(A;CI;KA;;;BA)(A;CIIO;KA;;;CO)(A;CI;CCDCLCSWRPSDRC;;;PU)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"
We have some bad permission policies that were created when we still had Windows 98 and Windows NT. Back then, modifying the default permissions was a strong security stance, but today it is giving us more grief than benefit, especially since Microsoft has improved its default configuration in regards to security.
We had an issue a few months ago when a Windows Update assumed that we had "Bypass Traverse checking" enabled for Everyone in secpol.msc. If you didn't have bypass traverse checking enabled for a user account, then you wouldn't see your desktop.
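Before a template like the one above is pushed by GPO, it is worth decoding the SDDL so you can see who ends up with write access to what. Here is an added example (my code, not part of the original post) that parses [Registry Keys] entries, expands each SDDL string into readable ACEs with the .NET RegistrySecurity class, and flags any allow ACE that gives a principal other than Administrators, SYSTEM or Creator Owner a write-class right. The INF text in it is a constructed two-entry subset of the template above; point it at Get-Content on the real file instead. (On PowerShell 5.1 and later, ConvertFrom-SddlString -Type RegistryRights does a one-off decode too.)

```powershell
# Added example, not from the original post: decode the [Registry Keys] entries
# of a security template into readable ACEs and flag the ones that give a
# non-administrative principal write access. Needs Windows PowerShell (uses the
# .NET RegistrySecurity class). The INF text below is a constructed two-entry
# subset of the template in the post.
$sampleInf = @'
[Registry Keys]
"MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip",0,"D:AR(A;CI;KR;;;AU)"
"MACHINE\Software",0,"D:PAR(A;CI;KA;;;BA)(A;CIIO;KA;;;CO)(A;CI;CCDCLCSWRPSDRC;;;PU)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"
'@

# Inheritance modes secedit accepts in the second field
$ModeNames = @{ '0' = 'propagate to subkeys'; '1' = 'replace on subkeys'; '2' = 'do not replace' }

function ConvertFrom-TemplateRegistryKeys {
    param([Parameter(Mandatory=$true)][string[]]$InfLines)
    $inSection = $false
    foreach ($line in $InfLines) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Registry Keys'); continue }
        if (-not $inSection) { continue }
        if ($line -match '^"(?<key>[^"]+)",(?<mode>[012]),"(?<sddl>[^"]+)"\s*$') {
            $key = $Matches['key']; $mode = $Matches['mode']; $sddl = $Matches['sddl']
            $sd = New-Object System.Security.AccessControl.RegistrySecurity
            $sd.SetSecurityDescriptorSddlForm($sddl)              # throws on malformed SDDL
            foreach ($ace in $sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])) {
                New-Object PSObject -Property @{
                    Key         = $key
                    Mode        = $ModeNames[$mode]
                    Protected   = $sd.AreAccessRulesProtected      # the P in D:PAR
                    Identity    = $ace.IdentityReference.Value
                    Type        = $ace.AccessControlType
                    Rights      = $ace.RegistryRights
                    Inheritance = $ace.InheritanceFlags
                    Propagation = $ace.PropagationFlags
                }
            }
        }
    }
}

# Rights that let a principal change a key's content or its ACL
$WriteRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, CreateLink, Delete, ChangePermissions, TakeOwnership'
$Privileged  = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')

function Find-WritableByNonAdmins {
    param([Parameter(Mandatory=$true)][object[]]$Aces)
    $Aces | Where-Object {
        $_.Type -eq 'Allow' -and
        ($Privileged -notcontains $_.Identity) -and
        (([int]$_.Rights -band [int]$WriteRights) -ne 0)
    }
}

$aces = ConvertFrom-TemplateRegistryKeys -InfLines ($sampleInf -split "`r?`n")
$aces | Format-Table Key, Identity, Rights, Inheritance, Propagation -AutoSize
Find-WritableByNonAdmins -Aces $aces | Format-Table Key, Identity, Rights -AutoSize
```

On the sample the only row flagged is Power Users on MACHINE\Software, whose CCDCLCSWRPSDRC mask is Key Read plus SetValue, CreateSubKey and Delete; that is exactly the kind of legacy grant from the NT days that the notes above are about, and the thing to review before the template goes out.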
Automatically log off users
How to create an ADM file for winexit.scr
;; Remember in GPMC to go View->Filtering
;; and uncheck "Only show policy settings that can be fully managed"
;;
;; David Carlin (djc6@case.edu) 2/25/2005
;;
;; WINEXIT.SCR is located in the Windows Server 2003 Resource Kit
CLASS USER
CATEGORY !!Screen_Saver_Policy
POLICY !!TERMINATE_APPS
KEYNAME "Control Panel\Screen Saver.Logoff"
VALUENAME ForceLogoff
VALUEON "1" VALUEOFF "0"
END POLICY
POLICY !!COUNTDOWN_TIMEOUT
KEYNAME "Control Panel\Screen Saver.Logoff"
VALUENAME CountDownTimer
VALUEON "300"
END POLICY
POLICY !!ENTER_DIALOG_MESSAGE
KEYNAME "Control Panel\Screen Saver.Logoff"
PART !!ENTER_DIALOG_MESSAGE
EDITTEXT
DEFAULT !!DEFAULT_MESSAGE
VALUENAME DialogMessage
END PART
END POLICY
END CATEGORY
[strings]
Screen_Saver_Policy="Winexit.scr Policy settings"
TERMINATE_APPS="Terminate running applications"
COUNTDOWN_TIMEOUT="Enable 5 minute warning logoff notice"
ENTER_DIALOG_MESSAGE="Warning message about being logged off"
DEFAULT_MESSAGE="You are about to be logged out. Press the cancel button to stop this process."
Saturday, September 23, 2006
RTFM Education » Ultimate-P2V
After getting comfortable on VMware Server, I wanted to reinstall Ubuntu on my work PC and make a copy of my Windows workstation and run it in a virtual environment. I really have missed running Linux for my day-to-day Windows administration job. Previously, I had used RDP whenever needing a Windows only application (like SMS, or an IT Helpline exchange mailbox) but it always got in the way. It was hard to justify 2 machines for 1 user.
Wednesday, September 13, 2006
RIS Install Notes
Users can create their own machine accounts (Low security) - For this option, modify the security on the container that will hold the new MAOs to include an Access Control Entry (ACE) for the user (or group) allowing the Create All Child Objects permission. The creator of this object becomes the owner, giving the creator full control of this object only. This option allows the user to reinstall, if required, without administrator assistance.
I forgot a couple items. First, I need to install RIS with Enterprise Admin rights. Since we have 2 domains (root and primary) I needed to give administrative rights on the RIS server to the correct root\account.
My second issue is documented above. Instead of requiring "Domain Admin" rights, we decided to create a domain group of "RIS Operators" which had permissions to perform a RIS installation. To do that, I needed to run ADSI edit from a domain controller, go to properties of the RIS computer and then the security tab. Give the Self object "create all child objects" and "delete all child objects" permissions.
I almost remember reading about this permission but had forgotten it and couldn't find it again on Microsoft's website.
RIS server won't authorise
What OS and SP? Are you getting other binl event IDs, like 7000, 1047 and 1007?
Did you successfully complete risetup?
It could be permissions-related. The computer account of Self has to be granted the Create All Child object access on the computer object of the Ris Server in AD.
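The ADSI Edit step above (Self gets "create all child objects" and "delete all child objects" on the RIS server's computer object) is easy to forget and easy to over-grant. Here is an added example, my code rather than anything from the notes or the quoted thread, that audits the computer object's ACL for exactly that ACE and only adds it when asked with -Grant. It assumes the ActiveDirectory module and its AD: drive are available; the computer name in the usage lines is made up.

```powershell
# Added example, not from the original post: audit whether NT AUTHORITY\SELF
# holds Create All Child Objects / Delete All Child Objects on the RIS
# server's computer object and, only with -Grant, add it. Assumes the
# ActiveDirectory module (AD: drive); the computer name in the usage
# lines is an assumption.
Import-Module ActiveDirectory

function Test-RisSelfAce {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [switch]$Grant
    )
    $computer = Get-ADComputer -Identity $ComputerName
    $path     = "AD:\$($computer.DistinguishedName)"
    $acl      = Get-Acl -Path $path
    $wanted   = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'

    # An allow ACE for SELF (S-1-5-10) covering both rights for any child object class
    $have = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-5-10' -and
        (($_.ActiveDirectoryRights -band $wanted) -eq $wanted) -and
        $_.ObjectType -eq [guid]::Empty
    })
    if ($have.Count -gt 0) {
        Write-Verbose "SELF already has CreateChild/DeleteChild on $($computer.DistinguishedName)"
        return $true
    }
    if (-not $Grant) { return $false }

    $self = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-10')
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $self, $wanted, [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    if ($PSCmdlet.ShouldProcess($computer.DistinguishedName, 'grant SELF CreateChild, DeleteChild')) {
        Set-Acl -Path $path -AclObject $acl
        return $true
    }
    return $false
}

# Usage:
# Test-RisSelfAce -ComputerName 'RIS01' -Verbose          # audit only
# Test-RisSelfAce -ComputerName 'RIS01' -Grant -WhatIf    # show the change first
```

The ACE is scoped to the RIS server's own computer object, not to the container that holds the machine account objects, which is what keeps this tighter than the "users create their own machine accounts" option quoted above.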
Monday, August 28, 2006
Remotely Adding Remote Desktop Windows 2003
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001
Enable Terminal services W2K ( command line )
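The .reg snippet above writes to ControlSet001, which is usually but not always the control set the machine booted from; HKLM\SYSTEM\Select\Current says which one really is. Here is an added example (my code, not from the original post) that makes the same change on a remote XP/2003 box through the Remote Registry service, picks the live control set first, and then checks that 3389 answers. It needs admin rights on the target and its Remote Registry service running, and on XP SP2 the Windows Firewall exception for Remote Desktop also has to be on. Opening 3389 across a fleet is also what someone with a stolen password wants, so keep the Remote Desktop Users group tight. The host name in the usage line is made up.

```powershell
# Added example, not from the original post: set fDenyTSConnections = 0 on a
# remote XP/2003 machine through the Remote Registry service, in the control
# set it actually booted from (HKLM\SYSTEM\Select\Current), then confirm port
# 3389 answers. Needs admin rights on the target and its Remote Registry
# service running; the host name in the usage line is an assumption.
function Enable-RemoteDesktop {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([Parameter(Mandatory=$true)][string]$ComputerName)

    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    try {
        $current = [int]$hklm.OpenSubKey('SYSTEM\Select').GetValue('Current')    # usually 1
        $tsPath  = 'SYSTEM\ControlSet{0:D3}\Control\Terminal Server' -f $current
        $ts      = $hklm.OpenSubKey($tsPath, $true)                              # writable
        if (-not $ts) { throw "No key $tsPath on $ComputerName" }
        try {
            $before = $ts.GetValue('fDenyTSConnections')
            if ($PSCmdlet.ShouldProcess("\\$ComputerName\HKLM\$tsPath", 'set fDenyTSConnections = 0')) {
                $ts.SetValue('fDenyTSConnections', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
            }
            New-Object PSObject -Property @{
                ComputerName = $ComputerName
                ControlSet   = 'ControlSet{0:D3}' -f $current
                DenyBefore   = $before
                DenyAfter    = $ts.GetValue('fDenyTSConnections')
                Port3389Open = Test-RdpPort -ComputerName $ComputerName
            }
        } finally { $ts.Close() }
    } finally { $hklm.Close() }
}

# TCP connect to 3389 with a timeout; TermService normally picks the new value up without a reboot
function Test-RdpPort {
    param([Parameter(Mandatory=$true)][string]$ComputerName, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, 3389, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($ar)
        return $client.Connected
    } catch { return $false } finally { $client.Close() }
}

# Usage: Enable-RemoteDesktop -ComputerName 'SRV03' -WhatIf
```

DenyBefore is kept in the output so a bulk run leaves a record of which machines already had Remote Desktop on and which ones this script opened.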
Friday, August 25, 2006
Intel Duo Core 2 - My personal observations
I needed to purchase a Radiology 2 medical monitor setup for a doctor that would live 9 months out of the year in Florida and be an integral tele-radiologist for our hospital. I work for the doctor side of our community hospital and as such, we don't normally purchase radiology workstations. I was given the specs for a current machine and asked to replicate it.
Since I knew that the Intel Duo Core 2's just became available July 27th (Thanks to DLtv, Cranky Geeks, and Twit), I wanted to see if I could save money using the more efficient processor.
All I can say is, Wow! You can look at a number of sites with benchmarks but if you are like me you usually take them with a grain of salt. I'm not in the business of benchmarking systems, let alone processors. I knew from Anandtech and Tom's Hardware Guide that the speed improvements were significant but until I compared the processor to our systems I didn't really care :) TG Daily has a fantastic article and graph that compares price versus power between Intel and AMD since the 8/18/2006 price drop.
When I received the Precision 390 with a Duo2 processor, I eagerly opened the box and sat in front of the machine quickly realizing I had nothing to throw at the processor except ripping CD's to MP3 or OGG files. In comes OpenMark...a quick search on sourceforge.org showed a seemingly strong contender (see note below). I don't pretend to do this for a living, this was just the best way I could compare two systems.
Below you can see 3 cpu's. The first one is my normal workstation P4 with hyperthreading which only seems to help when ripping MP3's. The second is a 2 Xeon processor Radiology workstation that I needed to duplicate. The third is the Intel Duo Core 2. Note the differences in Voltage and the Multiplier (I'll talk about the Multiplier later).
Benchmarks
Okay, if you are still with me, here are the results from the OpenMark standard tests, with all defaults selected. I did turn off services on the older machines because I tested the Duo Core 2 with the Dell Windows default OS. My workstation had a webserver and other crap.
Okay, what can we learn from this? Well, first of all the AMD comparison doesn't really belong. I include it here because I have been coveting an AMD chip for a long time. At work we buy all PCs through Dell and Dell hasn't offered an AMD line until recently. However, I didn't perform the test so I don't know what type of hardware they were testing and how they performed the test. I got the results in the downloaded OpenMark package.
On the other three, I performed each test as equally as I could and feel pretty confident that the performance can be compared. Since I turned off some services on the Intel P4 and the Xeon system, they may have had a slight advantage. But my process was pretty much the same:
- copy the zip file from a machine,
- unzip it
- run the Official Run with all defaults
- wait for the 3 iterations to complete
From these tests, the Intel Duo Core 2 is at least twice the speed as the Xeon system. I didn't purchase the Xeon system but I had the service tag and could look up the specs which is what I used to determine the power I needed for a Radiology workstation.
I differed from the specs (from memory) on the precision model number (the same model did not offer the new processors), the processor, and the video card and possibly the hard drive.
I'll try finishing this later...I'm getting drastically different values from OpenMark using the same computer/ configuration.
Monday, August 21, 2006
Defrag Linux? Surely you jest
After my first run into Linux (3 years ago), I started looking for a defrag tool. I was using a lot of space for video and iso images and I was sure that my drive needed to be defragmented.
Lo and behold, I found article after article insisting that Linux didn't need to be defragmented, that the OS would constantly monitor the drive for fragmentation. Well, I heard that Windows 2000 and Windows XP did that too, and it does work the same.
Sunday, August 20, 2006
Running Regedit with System Rights
In DOS prompt:
at 16:31 /interactive regedt32.exe
This will, after 1 minute, open regedt32.exe with SYSTEM rights!!! (yes, there is something _more_ powerful than an Administrator in Windows). And automagically the keys can be violently deleted. It works because the Task Scheduler service runs as LocalSystem and /interactive puts the window on the console session; that holds on NT 4, 2000, XP and Server 2003 but not on Vista or later, where session 0 isolation keeps service-launched windows off the user's desktop. It is also a reminder that any local administrator can become SYSTEM this way, so a SYSTEM-only ACL does not keep administrators out of a key.
SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System
Wednesday, August 2, 2006
McAfee Reference
Look into dsquery
dsquery * ou=chem,dc=ads,dc=bris,dc=ac,dc=uk -scope subtree -attr cn -filter "(&(objectclass=computer)(objectcategory=computer)(operatingSystem=Windows*))"
to see if I can use this to do multiple queries on our domain.
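The same LDAP query as a reusable PowerShell function, as an added example (my code, not the original note): it runs the filter above through System.DirectoryServices on any domain member, without the AD cmdlets, over as many OUs as you hand it, and returns objects rather than text. It asks for paged results so a large OU does not stop at the DC's 1000-entry limit. The second OU in the usage line is made up; the first is the one from the dsquery line.

```powershell
# Added example, not from the original post: the dsquery above as a reusable
# LDAP search through System.DirectoryServices, run over several OUs with the
# results returned as objects. Works on a domain member without the AD
# cmdlets. The second OU in the usage line is an assumption.
function Find-DomainComputers {
    param(
        [Parameter(Mandatory=$true)][string[]]$SearchBase,          # DNs of the OUs to search
        [string]$OperatingSystem = 'Windows*',                       # LDAP wildcard allowed
        [string[]]$Attributes = @('cn', 'operatingSystem', 'operatingSystemServicePack', 'dNSHostName')
    )
    $filter = '(&(objectClass=computer)(objectCategory=computer)(operatingSystem={0}))' -f $OperatingSystem
    foreach ($base in $SearchBase) {
        $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$base")
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter, $Attributes)
        $searcher.SearchScope = 'Subtree'
        $searcher.PageSize    = 500          # paged results, or the DC stops at its 1000-entry limit
        $results = $searcher.FindAll()
        try {
            foreach ($r in $results) {
                $row = @{ SearchBase = $base }
                foreach ($a in $Attributes) {
                    $key = $a.ToLower()      # ResultPropertyCollection keys are lower-case
                    $row[$a] = if ($r.Properties.Contains($key)) { $r.Properties[$key][0] } else { $null }
                }
                New-Object PSObject -Property $row
            }
        } finally { $results.Dispose() }
    }
}

# Usage (first OU from the dsquery line above, second one made up):
# Find-DomainComputers -SearchBase 'ou=chem,dc=ads,dc=bris,dc=ac,dc=uk', 'ou=phys,dc=ads,dc=bris,dc=ac,dc=uk' |
#     Format-Table SearchBase, cn, operatingSystem, dNSHostName -AutoSize
```

If the operating system value ever comes from user input rather than a script constant, escape backslash, parentheses, asterisk and NUL per RFC 4515 before it goes into the filter, otherwise the caller can rewrite the query.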
Friday, July 28, 2006
Thursday, July 20, 2006
WSUS Slow Updates
Here is a fix for increasing the speed of Windows Update Services. It looks like the database wasn't tuned very well.
Monday, July 17, 2006
Better System Administration
Use Agile Programming and Extreme Programming techniques/concepts to administer systems and networks.