Thursday, January 31, 2013

How to determine which domain controller your computer has established a secure channel with

nltest /sc_query:<your domain's FQDN>

Result:
Flags: 30 HAS_IP  HAS_TIMESERV
Trusted DC Name \\<domain controller name>.<your domain's FQDN>
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

This is helpful if you're making Group Policy changes and you don't want to wait for replication: simply point the Group Policy Management Console directly at this domain controller and make your changes there.

This also helps when troubleshooting authentication and/or domain controller issues.
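A PowerShell wrapper around the same nltest query, added here as an example (not code from the original post): it parses the output, fails loudly when the status is not NERR_Success, and returns the DC name so it can be handed to other tools. It assumes nltest.exe is on the path; the -NltestOutput parameter exists so the parser can be exercised offline with constructed output.

```powershell
# Added example (not from the original post): parse "nltest /sc_query:<domain>" output.
function Get-SecureChannelDC {
    [CmdletBinding()]
    param(
        # Domain to query; defaults to the DNS name of the logged-on user's domain
        [string]$Domain = $env:USERDNSDOMAIN,
        # Raw nltest output lines, for offline use; when omitted nltest.exe is run
        [string[]]$NltestOutput
    )
    if (-not $NltestOutput) {
        $NltestOutput = & nltest.exe "/sc_query:$Domain" 2>&1
    }
    $result = [ordered]@{ Domain = $Domain; DC = $null; Flags = $null; Status = $null }
    foreach ($line in $NltestOutput) {
        switch -Regex ($line) {
            '^\s*Flags:\s*(.+)$'                 { $result.Flags = $Matches[1].Trim() }
            '^\s*Trusted DC Name\s+\\\\(\S+)'     { $result.DC    = $Matches[1] }
            # "Status = 0 0x0 NERR_Success": keep the symbolic name (third token)
            'Connection Status Status\s*=\s*(\S+)\s+(\S+)\s+(\S+)' { $result.Status = $Matches[3] }
        }
    }
    if ($result.Status -ne 'NERR_Success') {
        throw "Secure channel query for $Domain did not succeed: $($result.Status)"
    }
    [pscustomobject]$result
}

# Constructed sample output (DC and domain names are made up), shaped like the result above
$sample = @(
    'Flags: 30 HAS_IP  HAS_TIMESERV'
    'Trusted DC Name \\DC01.corp.example.com'
    'Trusted DC Connection Status Status = 0 0x0 NERR_Success'
    'The command completed successfully'
)
$dc = Get-SecureChannelDC -Domain 'corp.example.com' -NltestOutput $sample
$dc            # DC = DC01.corp.example.com, Status = NERR_Success

# Live query for the current domain:
# $dc = Get-SecureChannelDC
```

The returned DC name is what you pass as -Server to the GroupPolicy module cmdlets (for example Get-GPO -Server $dc.DC) so the edit lands on the same DC the secure channel points at.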

For more information on the NLTEST command, see
http://technet.microsoft.com/en-us/library/cc731935%28v=ws.10%29.aspx

Originally published: 1-31-2013 

Application icons are missing, but the application still launches

  • Icons do not display the correct image, but applications will still launch normally
  • This will happen if the contents of the Windows Installer cache are deleted
    • C:\Windows\Installer
  • Possible fixes:
    • Restore the files from backup
    • If similar applications are installed on another computer, you may be able to copy the files over from another computer 
    • Rebuild the computer 
  • There is no way to rebuild the cache if you do not have a backup. See http://support.microsoft.com/kb/2667628 for details

In a recent outage, this folder was deleted during patch deployment. It is unclear whether the root cause was Windows Update, Windows Installer, the patch installation, or the tool we're using to deploy patches.

It would be a good idea to check this folder before and after deploying patches.

[Image: Broken Adobe, Office, and WinZip icons]

[Image: Empty Windows Installer cache]

Originally published: 1-31-2013 

Thursday, January 24, 2013

Preventing Remote Desktop session timeouts due to idle TCP sessions


Identifying the issue
The easiest way to identify session resets caused by idle TCP session timeouts is to perform a network capture on both the client and the Terminal Server.

If the Terminal Server capture shows a "reset" packet coming from the client, and the client capture shows a "reset" packet coming from the Terminal Server, then the "reset" came from a networking device between the two computers.

It would be worthwhile to quickly verify that the RDP session timeouts are not causing the issue via TSCONFIG.MSC (2008) or TSCC.MSC (2003).



Configuring keep-alives
It's a good idea to configure keep-alives for the Remote Desktop Protocol. A keep-alive interval of "1" (send a keep-alive packet every 1 minute) makes the TCP session appear active (not idle), which prevents idle TCP session disconnects on any networking equipment between your client and your Terminal Server (F5 load balancers, firewalls, routers, switches, etc.).

Note there is a problem with Group Policy on Windows Server 2008 where the keep-alive setting for RDP connections is applied to a server (it shows up in RSOP and in the Policy key in the registry), but the setting does not take effect. There is a patch for this issue on 2008. I have also seen this issue on Windows Server 2003, but I have not seen a patch for 2003 (only 2008). You can work around the issue by setting the keep-alive values directly in the registry (see the registry file below).
  • This change requires a reboot
  • The issue can be masked if "reconnect if connection is dropped" is set at the client. To identify the issue, look for many instances of users disconnecting and then immediately reconnecting
    • A disconnect event followed by a reconnect event about 10 seconds later for the same user name (Event IDs below)
    • The disconnect / reconnect can also be seen in the event log on a Remote Desktop Gateway server
  • The TCP/IP keep-alive does NOT need to be configured for the RDP keep-alive to work
  • The registry locations are the same for Windows Server 2003 and Windows Server 2008


Registry file for configuring keep-alive settings

Windows Registry Editor Version 5.00

; Group Policy key: this is the location RSOP reports
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"KeepAliveEnable"=dword:00000001
"KeepAliveInterval"=dword:00000001

; RDP-Tcp listener key: the manual workaround for the 2008 Group Policy problem
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"KeepAliveTimeout"=dword:00000000
"KeepAliveEnable"=dword:00000001
"KeepAliveInterval"=dword:00000001

; "=-" deletes the value; the TCP/IP keep-alive is not needed for the RDP keep-alive
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters]
"KeepAliveInterval"=-
"KeepAliveTime"=-
"TcpMaxDataRetransmissions"=-




The keep-alive for the Remote Desktop Protocol is configured via this setting in Group Policy (Windows Server 2008):

Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections

Value name: Configure keep-alive connection interval

Value is in minutes
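Because the policy can show up in RSOP without taking effect, a check that reads both registry locations is worth having. The following is an added example, not code from the original post: it reports the Group Policy key next to the RDP-Tcp listener key and, with -Apply, writes the same workaround values the registry file above sets. It assumes it is run elevated on the Terminal Server.

```powershell
# Added example (not from the original post): compare the policy key with the listener key.
function Test-RdpKeepAlive {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Write KeepAliveEnable=1, KeepAliveInterval=1, KeepAliveTimeout=0 to the listener key
        [switch]$Apply
    )
    $policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    # Same values as the .reg file in the post
    $workaround  = [ordered]@{ KeepAliveEnable = 1; KeepAliveInterval = 1; KeepAliveTimeout = 0 }

    $policy   = Get-ItemProperty -Path $policyKey   -ErrorAction SilentlyContinue
    $listener = Get-ItemProperty -Path $listenerKey -ErrorAction SilentlyContinue

    # A missing key or value compares as $null, which fails both tests
    $policySet   = ($policy.KeepAliveEnable   -eq 1) -and ($policy.KeepAliveInterval   -ge 1)
    $listenerSet = ($listener.KeepAliveEnable -eq 1) -and ($listener.KeepAliveInterval -ge 1)

    if ($policySet -and -not $listenerSet) {
        Write-Warning 'Keep-alive is set by policy only; on 2008 without the patch it may not take effect. Use -Apply for the registry workaround.'
    }
    if ($Apply -and $PSCmdlet.ShouldProcess($listenerKey, 'write keep-alive values')) {
        foreach ($name in $workaround.Keys) {
            Set-ItemProperty -Path $listenerKey -Name $name -Value $workaround[$name] -Type DWord
        }
        Write-Warning 'Listener values written; a reboot is required before they take effect.'
        $listener = Get-ItemProperty -Path $listenerKey
    }
    [pscustomobject]@{
        PolicyKeepAliveEnable     = $policy.KeepAliveEnable
        PolicyKeepAliveInterval   = $policy.KeepAliveInterval
        ListenerKeepAliveEnable   = $listener.KeepAliveEnable
        ListenerKeepAliveInterval = $listener.KeepAliveInterval
        ListenerKeepAliveTimeout  = $listener.KeepAliveTimeout
        ConfiguredByPolicy        = $policySet
        ConfiguredOnListener      = $listenerSet
    }
}

Test-RdpKeepAlive            # report only
# Test-RdpKeepAlive -Apply   # write the workaround values, then reboot
```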



Verifying the keep-alive setting via network capture

[Diagram not reproduced here: what to look for in a network capture]



Event ID 683 - Client disconnect (Windows Server 2003)

Event Type:    Success Audit
Event Source:    Security
Event Category:    Logon/Logoff
Event ID:    683
Date:        8/6/2009
Time:        11:01:40 AM
User:        NT AUTHORITY\SYSTEM
Computer:    (Terminal Server Name)
Description:
Session disconnected from winstation:
     User Name:    (User's Active Directory ID)
     Domain:        (User's Active Directory domain)
     Logon ID:        (0x0,0x305A36CB)
     Session Name:    RDP-Tcp#344
     Client Name:    (User's client name)
     Client Address:    (User's client IP address)

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event ID 682 - Client reconnect (Windows Server 2003)

Event Type:    Success Audit
Event Source:    Security
Event Category:    Logon/Logoff
Event ID:    682
Date:        8/6/2009
Time:        11:02:23 AM
User:        NT AUTHORITY\SYSTEM
Computer:   (Terminal Server Name)
Description:
Session reconnected to winstation:
     User Name:    (User's Active Directory ID)
     Domain:        (User's Active Directory domain)
     Logon ID:        (0x0,0x305A36CB)
     Session Name:    RDP-Tcp#349
     Client Name:    (User's client name)
     Client Address:    (User's client IP address)

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



Event ID 303 on the Remote Desktop Gateway server - Client disconnect

Log Name:      Microsoft-Windows-TerminalServices-Gateway/Operational
Source:        Microsoft-Windows-TerminalServices-Gateway
Date:          9/25/2012 3:39:19 PM
Event ID:      303
Task Category: (3)
Level:         Information
Keywords:      (16777216)
User:          NETWORK SERVICE
Computer:      (Remote Desktop Gateway Server Name)
Description:
The user "(User Domain\User Name)", on client computer "(Client Computer IP Address)", disconnected from the following network resource: "(Terminal Server Name)". Before the user disconnected, the client transferred 770068 bytes and received 68900345 bytes. The client session duration was 1055 seconds.


Event ID 300 on the Remote Desktop Gateway server - Client reconnect

Log Name:      Microsoft-Windows-TerminalServices-Gateway/Operational
Source:        Microsoft-Windows-TerminalServices-Gateway
Date:          9/25/2012 3:39:35 PM
Event ID:      300
Task Category: (5)
Level:         Information
Keywords:      Audit Success,(16777216)
User:          NETWORK SERVICE
Computer:      (Remote Desktop Gateway Server Name)
Description:
The user "(User Domain\User Name)", on client computer "(Client Computer IP Address)", met resource authorization policy requirements and was therefore authorized to connect to resource "(Terminal Server Name)".
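The disconnect-then-reconnect pattern described above can be picked out of the log mechanically. The function below is an added example, not code from the original post: it pairs each disconnect with a reconnect for the same user inside a short window and works on any objects carrying Id, TimeCreated and User, so the same code fits 683/682 in the 2003 Security log and 303/300 in the Gateway Operational log. The sample events are constructed; the Get-WinEvent mapping at the end is an assumption to verify against your own events.

```powershell
# Added example (not from the original post): pair disconnect and reconnect events per user.
function Find-RdpReconnectPairs {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$DisconnectId  = 683,   # Windows Server 2003 Security log, as in the post
        [int]$ReconnectId   = 682,
        [int]$WindowSeconds = 60     # a dropped session typically reconnects within seconds
    )
    $pending = @{}                   # user -> time of the last unmatched disconnect
    $pairs   = New-Object System.Collections.Generic.List[object]
    foreach ($e in ($Events | Sort-Object TimeCreated)) {
        if ($e.Id -eq $DisconnectId) { $pending[$e.User] = $e.TimeCreated; continue }
        if ($e.Id -eq $ReconnectId -and $pending.ContainsKey($e.User)) {
            $gap = ($e.TimeCreated - $pending[$e.User]).TotalSeconds
            if ($gap -le $WindowSeconds) {
                $pairs.Add([pscustomobject]@{
                    User = $e.User; Disconnected = $pending[$e.User]
                    Reconnected = $e.TimeCreated; GapSeconds = [int]$gap })
            }
            $pending.Remove($e.User)
        }
    }
    # Many pairs across many users point at a device between client and server, not at the users
    $pairs
}

# Constructed sample timed like the two Security events quoted above (43 s apart);
# bob reconnects 15 minutes later, which is an ordinary reconnect and is not reported.
$sample = @(
    [pscustomobject]@{ Id = 683; TimeCreated = [datetime]'2009-08-06 11:01:40'; User = 'CORP\alice' }
    [pscustomobject]@{ Id = 682; TimeCreated = [datetime]'2009-08-06 11:02:23'; User = 'CORP\alice' }
    [pscustomobject]@{ Id = 683; TimeCreated = [datetime]'2009-08-06 11:05:00'; User = 'CORP\bob' }
    [pscustomobject]@{ Id = 682; TimeCreated = [datetime]'2009-08-06 11:20:00'; User = 'CORP\bob' }
)
Find-RdpReconnectPairs -Events $sample | Format-Table -AutoSize   # one row: alice, 43 s

# Live data on 2008 R2 and later, where the Security log uses 4779 (disconnect) / 4778
# (reconnect). Properties[0] as the account name is an assumption; check it on your events.
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4778, 4779 } |
#     ForEach-Object { [pscustomobject]@{ Id = $_.Id; TimeCreated = $_.TimeCreated
#                                         User = $_.Properties[0].Value } }
# Find-RdpReconnectPairs -Events $live -DisconnectId 4779 -ReconnectId 4778
```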



Originally published: 1-24-2013

Wednesday, January 23, 2013

.REG file to reset Proxy settings on the default local accounts

We had an issue on our Windows 2003 servers where local accounts were using a proxy server that was scheduled for decommission. This .REG file cleared up the issue.

  • Distribute this file to each server
  • Execute (import) locally using PSEXEC.EXE

Windows Registry Editor Version 5.00

; .DEFAULT: the profile used by the SYSTEM account and before anyone logs on
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy"=dword:00000000
"ProxyEnable"=dword:00000000
"ProxyServer"=""
"ProxyOverride"=""

; S-1-5-19: LOCAL SERVICE
[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy"=dword:00000000
"ProxyEnable"=dword:00000000
"ProxyServer"=""
"ProxyOverride"=""

; S-1-5-20: NETWORK SERVICE
[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy"=dword:00000000
"ProxyEnable"=dword:00000000
"ProxyServer"=""
"ProxyOverride"=""

Monday, January 14, 2013

Configure "Delete browsing history on exit" via Group Policy




Group Policy container:

User Configuration\Administrative Templates\Windows Components\Internet Explorer\Delete Browsing History

Value name: Configure Delete Browsing History on exit





Applies to
  • Internet Explorer 8
  • Windows 7
  • Windows Server 2008 R2

Friday, January 11, 2013

Perfmon: How to quickly add counters for multiple servers

Let's say you want to compare Free Page Table Entries across multiple servers. Using the PERFMON UI to do this would require a lot of repetitive clicking and typing. Thankfully there is an easier way.


Step 1: Create a "general purpose" PERFMON file
  • Open PERFMON
  • Important: In PERFMON, load performance counters from a remote server
  • Add the counters you would like to monitor
  • Configure the scale, color, and style for the counters you would like to monitor
  • Save the PERFMON settings as a file (SERVER01.HTM)






Step 2: Customize the file, creating one file for each server
  • Open the saved file in Notepad
  • Use find and replace to replace the original server name with the new server name
  • Save the file with a new file name (SERVER02.HTM, SERVER03.HTM, etc)
  • Repeat for each unique server



Step 3: Import all files into PERFMON
  • Open PERFMON
  • Drag and drop the files into PERFMON one at a time (PERFMON does not support dragging and dropping multiple files)
    • I have noticed that drag and drop does not work if I'm logged on to a server that has UAC enabled. Works great on servers without UAC enabled.


Step 4: Remove the counters that you do not need
  • Sort by counter name
  • Select and delete counters you do not need for this monitoring session (note it is possible to select and delete multiple counters at once - CTRL+SHIFT+Home, delete; CTRL+SHIFT+END, delete)
  • Only the counters needed remain
  • Counters are grouped by color (all PTE counters are red in the example image)
  • Use Backspace and select to view counters for individual servers




Best practice
For rapid support response, it may be a good idea to create one general purpose PERFMON.HTM file that has all of the PERFMON counters you commonly use in it (CPU, Memory, Physical Disk, Network Interface, etc). You can then either create a unique file for each of your servers ahead of time, or copy/modify this file as needed. During troubleshooting, it is much easier to delete unneeded entries than it is to create new ones.


Edited 2-1-2013

Monday, January 7, 2013

Monitoring for WMI corruption issues and rebuilding WMI

Background
  • WMI is a Windows OS component that is present on every Windows server and PC
  • WMI corruption can cause failures that include failure to apply Group Policy
  • Some organizations rely upon Group Policy to secure servers, secure group membership to groups with elevated rights, and to provide the working environment for interactive Remote Desktop Services users
  • WMI failures could lead to service outages or security issues

Symptoms
  • See "Events to monitor" below
  • Group Policy does not apply, including for interactive users
  • On the security tab in WMIMGMT.MSC, WMI classes do not display correctly
  • "Not found" error when trying to connect to the WMI namespace using WBEMTEST.EXE
  • Network adapter list is blank when configuring Session Directory (Windows 2003)

Events to monitor
  • Event ID 43
    • Application log; Microsoft-Windows-WMI; Event ID 43; Windows Management Instrumentation ADAP failed to connect to namespace (…) with the following error (…)
    • This indicates the WMI namespace cannot be contacted
    • In the case of a recent outage, this failure was because the WMI namespace was corrupt
  • Event ID 10
    • Application log; Microsoft-Windows-WMI; Event ID 10; Event filter with query (…) could not be reactivated in namespace (…)
    • This is a "symptom" event that indicates a failure to query WMI. In the case of a recent outage, the failure of this query indicated that WMI was corrupt
  • Event ID 1104
    • "Windows was unable to read the Windows Management Instrumentation (WMI) filter information associated with the Group Policy object..."
    • Indicates a failure to query WMI
  • Event ID 1090 
    • Windows failed to record Resultant Set of Policy (RSoP) information, which describes the scope of Group Policy objects applied to the computer or user. This could be caused by Windows Management Instrumentation (WMI) service being disabled, stopped, or other WMI errors. Group Policy settings successfully applied to the computer or user; however, management tools may not report accurately.
    • Indicates a failure to query WMI
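A health check that exercises the symptoms and events listed above from one place, added here as an example (not code from the original post): it connects to the namespaces WBEMTEST would report as "Not found", runs the Win32_Processor query from the Event ID 10 filter, verifies the repository, and counts the four event IDs over the last 24 hours. It assumes Windows Server 2008 or later for Get-WinEvent and winmgmt /verifyrepository.

```powershell
# Added example (not from the original post): quick WMI health check for one server.
function Test-WmiHealth {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)
    $since  = (Get-Date).AddHours(-$Hours)
    $result = [ordered]@{ Computer = $ComputerName }

    # Namespace connect, the "Not found" symptom. Error codes seen in the events quoted below:
    # 0x8004100E = WBEM_E_INVALID_NAMESPACE, 0x80041002 = WBEM_E_NOT_FOUND
    foreach ($ns in 'root\cimv2', 'root\subscription', 'root\default') {
        try {
            $null = Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class __NAMESPACE -ErrorAction Stop
            $result["Namespace $ns"] = 'ok'
        } catch { $result["Namespace $ns"] = $_.Exception.Message }
    }

    # The class queried by the Event ID 10 filter in the post
    try {
        $cpu = @(Get-WmiObject -ComputerName $ComputerName -Class Win32_Processor -ErrorAction Stop)
        $result['Win32_Processor'] = "ok ($($cpu.Count) instance(s))"
    } catch { $result['Win32_Processor'] = $_.Exception.Message }

    # Repository consistency check, local machine only
    if ($ComputerName -eq $env:COMPUTERNAME) {
        $result['Repository'] = (& winmgmt.exe /verifyrepository 2>&1) -join ' '
    }

    # Events from the post: WMI 43 and 10 in Application, GroupPolicy 1104 and 1090 in System
    $filters = @(
        @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-WMI';         Id = 43, 10;     StartTime = $since }
        @{ LogName = 'System';      ProviderName = 'Microsoft-Windows-GroupPolicy'; Id = 1104, 1090; StartTime = $since }
    )
    foreach ($id in 43, 10, 1104, 1090) { $result["Event $id"] = 0 }
    foreach ($f in $filters) {
        # SilentlyContinue: "no events found" is reported as an error by Get-WinEvent
        Get-WinEvent -ComputerName $ComputerName -FilterHashtable $f -ErrorAction SilentlyContinue |
            Group-Object Id | ForEach-Object { $result["Event $($_.Name)"] = $_.Count }
    }
    [pscustomobject]$result
}

Test-WmiHealth | Format-List
```

Any namespace line that is not "ok", a repository line other than "WMI repository is consistent", or a non-zero count for 43 or 10 is the cue to go to the rebuild section below.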

To resolve
  • Rebuild the WMI repository
  • Disable Resultant Set of Policy logging
  • Find other products that write to WMI and eliminate, if possible

Rebuild the WMI repository
Notes about the WMI rebuild:
  • Be careful when importing MOFs. WMI will auto-recover much of the original WMI namespace at start. Importing MOFs may not be necessary, and may bring the issue back
  • I have experienced repeat issues on a server after performing a "salvage." Performing a rebuild has had consistently good results 


Disable Resultant Set of Policy logging
Resultant Set of Policy logging writes information to the WMI database for each user who logs on interactively. This causes the WMI database to grow, and can cause WMI database corruption.

Windows 2003
Computer Configuration > Administrative Templates > System > Group Policy
Turn off Resultant Set of Policy logging

Windows 2008
Computer Configuration > Policies > Administrative Templates > System > Group Policy
Turn off Resultant Set of Policy logging


Script to rebuild WMI
@echo off

   cls
   Echo.
   Echo This script will delete the current WMI repository and rebuild it
   Echo Deleting and rebuilding the WMI repository can cause impact
   Echo.
   Echo See this article for details
   Echo http://blogs.technet.com/b/askperf/archive/2009/04/13/wmi-rebuilding-the-wmi-repository.aspx
   echo.
   pause

:Start
   REM Stop the services that keep WMI busy before stopping winmgmt itself.
   REM Each call returns 1 if the service would not stop; in that case abort before touching the repository.
   call :StopService WSRM || goto :Abort
   call :StopService tmlisten || goto :Abort
   call :StopService iphlpsvc || goto :Abort
   call :StopService winmgmt || goto :Abort
   call :RenameWMI
   call :StartService winmgmt
   call :StartService iphlpsvc
   call :StartService tmlisten
   call :StartService WSRM
   REM See the notes above: WMI auto-recovers much of the namespace, so this step may not be needed
   call :ImportMOF
   goto :End


:RenameWMI
   Echo.
   Echo Renaming the WMI repository folder
   REM Timestamp suffix built from %date% %time%; the token order assumes a "Ddd MM/DD/YYYY" date format
   for /f "tokens=1-8 delims=:/. " %%a in ('echo %date% %time%') do set FileExtension=%%d%%b%%c%%e%%f%%g
   ren "%windir%\system32\wbem\Repository" Repository.%FileExtension%.old

   Echo.
   Echo Registering WMI DLLs
   cd /d %windir%\system32\wbem
   REM "delims=" keeps a path that contains spaces in one token; the path is quoted for regsvr32
   for /f "delims=" %%s in ('dir /b /s *.dll') do echo %%s&regsvr32 /s "%%s"

   if not exist %windir%\SysWOW64\wbem goto :EOF
   cd /d %windir%\SysWOW64\wbem
   for /f "delims=" %%s in ('dir /b /s *.dll') do echo %%s&regsvr32 /s "%%s"

   goto :EOF


:ImportMOF

   Echo.
   Echo Importing WMI MOF and MFL files
   Echo (It's normal for this to take a few minutes)
   Echo.

   cd /d %windir%\system32\wbem
   for /f "delims=" %%s in ('dir /s /b *.mof *.mfl') do echo %%s&mofcomp "%%s"

   if not exist %windir%\SysWOW64\wbem goto :ImportMOFNext
   cd /d %windir%\SysWOW64\wbem
   for /f "delims=" %%s in ('dir /s /b *.mof *.mfl') do echo %%s&mofcomp "%%s"
:ImportMOFNext
   Echo.
   Echo MOF and MFL file import complete
   Echo Verify administrative consoles for installed applications and services
   Echo.
   goto :EOF


:StopService
   Echo.
   Echo Disabling and stopping the %1 service
   sc config %1 start= disabled
   if /i {%errorlevel%}=={9009} echo SC tool not installed or not available here. Exiting...&exit /b 1

   net stop %1 /y
   REM find sets errorlevel 0 when "sc query" still reports the service as RUNNING
   sc query %1 | find /i "running"
   if /i {%errorlevel%}=={0} echo Couldn't stop the %1 service. Exiting...&exit /b 1

   REM exit /b 0 rather than goto :EOF, so the caller's || check sees success and not find's errorlevel 1
   exit /b 0


:StartService
   Echo.
   Echo Starting %1
   sc config %1 start= demand
   net start %1
   sc config %1 start= auto
   goto :EOF


:Abort
   Echo.
   Echo A service could not be stopped; the WMI repository was NOT renamed or rebuilt
   pause
   goto :EOF


:End
   Echo Script ran to completion
   pause


Event ID Detail
Event ID 43
Log Name:      Application
Source:        Microsoft-Windows-WMI
Date:          11/1/2012 9:25:58 PM
Event ID:      43
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      
Description:
Windows Management Instrumentation ADAP failed to connect to namespace \\.\root\cimv2 with the following error 0x80041002

Event ID 10
Log Name:      Application
Source:        Microsoft-Windows-WMI
Date:          11/1/2012 9:23:01 PM
Event ID:      10
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer: 
Description:
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/subscription" because of error 0x8004100e. Events cannot be delivered through this filter until the problem is corrected.

Event ID 10
Log Name:      Application
Source:        Microsoft-Windows-WMI
Date:          11/1/2012 9:23:01 PM
Event ID:      10
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      
Description:
Event filter with query "select * from MSFT_SCMEventLogEvent" could not be reactivated in namespace "//./root/subscription" because of error 0x8004100e. Events cannot be delivered through this filter until the problem is corrected.

Event ID 1104
Log Name:      System
Source:        Microsoft-Windows-GroupPolicy
Date:          1/7/2013 2:09:47 PM
Event ID:      1104
Task Category: None
Level:         Warning
Keywords:     
User:          USERNAME
Computer:      SERVERNAME.DOMAINNAME.COM
Description:
Windows was unable to read the Windows Management Instrumentation (WMI) filter information associated with the Group Policy object cn={D2F03D3C-A39F-4F9D-AD58-5793B8C82DA9},cn=policies,cn=system,DC=DOMMAINNAME,DC=com.This may be caused by a deleted WMI Filter defined in the domain that is still in use by Group Policy objects. Group Policy settings for this Group Policy object will not be enforced. Other Group Policy objects may still apply. Windows will attempt to retrieve this information at the next policy cycle. This speciffic problem may be resolved by identifying all GPOs that reference the WMI filter and removing the references. Contact an administrator if this event recurs for several hours.

Event ID 1090
Log Name:      System
Source:        Microsoft-Windows-GroupPolicy
Date:          1/7/2013 2:09:50 PM
Event ID:      1090
Task Category: None
Level:         Warning
Keywords:     
User:          USERNAME
Computer:      SERVERNAME.DOMAINNAME.COM
Description:
Windows failed to record Resultant Set of Policy (RSoP) information, which describes the scope of Group Policy objects applied to the computer or user. This could be caused by Windows Management Instrumentation (WMI) service being disabled, stopped, or other WMI errors. Group Policy settings successfully applied to the computer or user; however, management tools may not report accurately.

Wednesday, January 2, 2013

In what order are logon scripts executed?


There are a number of places to configure a script to run at logon. This mainly applies when logon scripts are configured to run synchronously.
  1. Scripts configured via Group Policy run first (in order of precedence)
    User Configuration\Windows Settings\Scripts (Logon/Logoff)
  2. Scripts configured via the UserInit value in the registry run second
    (HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit)
  3. Scripts configured via the AppSetup value in the registry run third
    (HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup)
  4. Scripts configured via user properties run fourth (Profile tab on the user's AD object)
  5. Scripts configured via the Run key in the registry run last
    (HKLM\Software\Microsoft\Windows\CurrentVersion\Run)