Posts

Domain Controller Blue Screen

Posted on by Geoff / 1 Comment

CDC02-STOP During an upgrade of our VMware ESX infrastructure, I ran into an issue with our domain controllers. As part of the process we needed to upgrade the virtual hardware that is part of the guest vm. After updating the domain controller guest’s VMware Tools software, I shut down the guest and select Upgrade virtual hardware. Things looked good, so then I powered on the guest and it started to boot. After a moment, it threw a quick bluescreen and auto-rebooted.

My first order of business was to change the auto-reboot option so I could actually see the error message. I know now that I could just hit F8 during the boot process. However, I did it the hard way.

 

I booted to the Windows 2008 install media, and ran regedit from the recovery environment. I loaded the HKLM hive, and set the HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\AutoReboot DWORD value to 0 (zero). I see in the KB 307973 article that there’s also a wmic command that will set the option. I don’t know if wmic is available in the WinPE recovery mode.

Continue reading →

Posts

NetApp and Microsoft Security Updates

Posted on by Geoff / 0 Comment

When the recent SMB 2.0 vulnerability was announced, there was some discussion on the Toasters mailing list about whether Data ONTAP was affected. Val Bercovici from NetApp responded that Data ONTAP was not affected by this issue.

Today, I discovered that to enable the filer snapshots to be visible within the Previous Versions facility within Windows 7 (or Server 2008 R2), I needed to enable SMB 2.0. I spent some time search on NetApp’s support site for some assurance that the SMB issue didn’t affect ONTAP, but didn’t find anything.

So I sent Mr. Bercovici an email asking if there was a more official statement about ONTAP and SMB 2.0, and he very kindly looked sent me a link to the Windows File Services (CIFS) Compatibility Matrix – Microsoft Security Update Test Report. [requires NOW account]

This document rocks. It lists the Microsoft Security updates, by month, and the result of NetApp’s testing. Exactly what I was looking for. Thanks, Val.

Posts

Is that program running as administrator?

Posted on by Geoff / 0 Comment

Using Process Explorer to view process integrity levels

A friend asked me how to open a Control Panel applet As Administrator. In Windows Vista, when you see a little shield icon as part of a button or shortcut, that would indicate that you would get prompted by the User Account Control (UAC) facility to elevate the process Integrity Level, that is, to run it as an administrator with full rights to muck with the system.

In Windows 7, the frequency of UAC prompts has been reduced. You will still see the shield icon, but sometimes there’s no UAC prompt.

You can use Microsoft SysInternals Process Explorer tool to view the integrity levels of running processes. On campus, you can run the tool from \\files\software\utilities\sysinternals\procexp.exe. Once you’ve started Process Explorer, there are two things you’ll want to do:

  1. From the File menu, select the Show Details for All Processes option (you noted the shield icon, yes?).
  2. From the View menu, choose Select Columns… and check Integrity Level item (on the Process Image tab; see below)

procexp-show-integrity

 Continue reading →

worklog

Monday – 2009-09-28

Posted on by Geoff / 0 Comment

Today’s issues:

  • Backup issues
  • Shared folder quotas
  • Printer configurations
  • Data execution protection

I created a Server 2008 x64 guest for managing 64-bit drivers on our shared printers. It works much better than trying to use Printer Management MMC in RSAT on Windows 7.

One hiccup I ran into while install the Ricoh PCL6 Driver for Universal Print was that it was missing a file. Fortunately, I had also download and extracted the non-universal PCL6 drivers and the file was present in the drivers for the corresponding platforms (x86, x64).

Looking at adding a –WhatIf switch parameter to my SharePoint Backup powershell script. Useful info at Negating PowerShell switch parameters.

Now wrestling with Task Scheduler and PowerShell invocation syntax.

worklog

backups – Bad and Good

Posted on by Geoff / 0 Comment

We’ve been working with our backup vendor to address some shortcomings of their product as it relates to Windows 2008 system recover. This was precipitated by a failure of a portion of our virtual infrastructure, which lead to corruption of several hosts’ virtual disk files.

We managed to rebuild one failed host from bare (virtual) metal, because EMC Networker could not recover the system from backups. For Server 2008 systems, they require backups made with client 7.5.1 and restored with 7.5.1 and you have to enable/install any server role that was present on the original system before performing the restore.

We’ve been working on other ways to make sure we can recover from a system failure. Greg has successfully scripted using server 2008’s printer management scripts to dump printer info to files. I’ve been working on scripted backup of SharePoint Site collections. I got some help from Microsoft in determining the correct permissions needed for a service account to perform STSADM backup operations, which has been a thorny issue. ( see KB896148 )

worklog

re-enabling ESET NOD32

Posted on by Geoff / 0 Comment

ESET has fixed the problem that caused widespread system hangs. If you followed my instructions to disable NOD32, you can re-enable it by repeating those steps and changing one word: replace disabled with auto.

To recapitulate:

1. Boot into safe mode

2. In either the Run dialog or the Vista Start Menu search box, type the following:

cmd /k "sc config ekrn start= auto"

(Please note that the space after start= is required; goodness knows why…)

start-run-enable

start-box-enable

3. Watch for the success message, and reboot.

worklog

ESET NOD32 making many systems hang

Posted on by Geoff / 1 Comment

I’ve spent most of the day trying identify a systematic way to work around the campus antivirus solution, which is causing widespread system hangs. Our vendor has tentatively identified a problematic recent update, and is recommending that affected users temporarily disable the Eset Service service until a patch is available.

Disabling ESET NOD32 / ekrn Service.

If your system become unresponsive, in most cases soon after logging into the system, you may be affected. Please follow these instructions to disable the ESET service:

1. Restart your system in safe mode

2. In either the Run command ( Start->Run or [Windows Key]+R)

start-run

 

OR in the Vista Start menu search box…

start-box

 

3. …Enter the command below

cmd /k "sc config ekrn start= disabled"

(Please note that the space after start= is required; goodness knows why…)

 

4. Watch for the success message:

sc-success

 

Reboot and stay tuned to your friendly neighborhood technical support resources for updates.

PS. for what it’s worth, here’s my current ESET version info, which hangs my system.

eset-about

worklog

Range Retrieval

Posted on by Geoff / 0 Comment

Working on the Server 2008 hard limit of 5000 attribute values max per query, which breaks our Identity Management process. I’m looking at having to write a clone of LDIFDE that can issue queries using Range Retrieval and then synthesizes a single LDIF entry for groups with more than 5000 members.

Safari Tech Books online provides some good resources, including The .NET Developer’s Guide to Directory Services Programming [at Amazon], which provides a good code example in Listing 6.8. Range Retrieval Using DirectorySearcher.

Or maybe I should just post-process the LDIFDE-generated LDIF file…

Posts

Steve retires :(

Posted on by Geoff

For he's a jolly good fellow! #byesjc on Twitpic

Among other things Steve said at his retirement celebration, today, was this. “I hope I have as much fun in retirement as I’ve had working at UVM.”

My tears didn’t come until I left the party.

Friend to me and many, many souls here at UVM; visionary, curmudgeon, provocateur, playful adopter and vocal advocate of disruptive innovations. I will miss your voice, calling to us from a divergent path, pointing toward a new, interesting destination.

Now that you’ve migrated much of your virtual essence into the cloud, I expect frequent pings (tweets, facebook updates, Asian video chats…) telling me what you really think. And keep the cool music and design posts flowing.

Let’s go out to lunch before summer is over. I’ll buy you a martini. 🙂

worklog

List folder contents – XP vs. Vista

Posted on by Geoff / 0 Comment

Yesterday, a client called me complaining that, after installing Vista SP2, she couldn’t access a folder on a file share. She could access that same folder from her XP workstation, logged in with the same account.

I paid a service call (across the parking lot; any excuse to get up and walk outside 🙂 ), and after some poking around confirmed her claim. We did determine that she might not have attempted to access that folder from her new Vista system before.

So I started digging deeper. The folder granted her (via a group)  the “List Folder/Read data” permission. So I created a test folder and granted an analogous group this specific permission to the folder. This is displayed in the output of icacls thas “(S,RD)”.

C:\>icacls s:\cit\ZTest
s:\cit\ZTest CAMPUS\ETS-FileServices-Browse:(S,RD)
             BUILTIN\Administrators:(OI)(CI)(F)

This permission alone allows Windows XP workstations to browse the folder, but Windows Vista or later give an “Access in denied” error.

When creating a “browse” permission for a single folder, I start by granting the “List Folder Contents” standard permission, which assigns the following permissions to the folder and subfolders (not to files):

  • Traverse folder/execute file
  • List folder/read data
  • Read attributes
  • Read extended attributes
  • Read permissions

With icacls, this permission looks like this:

C:\>icacls s:\cit\ZTest
s:\cit\ZTest BUILTIN\Administrators:(OI)(CI)(F)
             CAMPUS\ETS-FileServices-Browse:(CI)(RX)

The (CI) indicates “Container inherit,” which means that permission (ACE) will be inherited by subfolders. Now I open the advenced security dialog, and edit the ACE to change the “Apply to” control to “This folder only.” Now the browse permission applies only to the particular folder. In icacls, it looks like this:

C:\>icacls s:\cit\ZTest
s:\cit\ZTest BUILTIN\Administrators:(OI)(CI)(F)
             CAMPUS\ETS-FileServices-Browse:(RX)

I changed the permissions on the client’s folder, and her access was restored.

See also: