andymeers.blogspot.com

Windows Server 2008, TS profile path and Citrix published Apps

2008-11-03T17:06:00.001+01:00

Recently something very strange happened to me when launching a citrix published application. Instead of launching the application, I was presented with a server desktop. Not quite what you would expect!

Anyway, after some troubleshooting I discovered that the problem was to be found in my AD user object. After adjusting the terminal services profile path with a Windows Server 2008 ADUC console, the attribute named "UserParameters" became corrupted.
Basically, there are 2 options to recover from this problem:
1. Recreate the user account, which is far from ideal.
2. Clear the "UserParameters" property, using this script:

Const ADS_PROPERTY_CLEAR = 1
Set objUser = GetObject _("LDAP://cn=MyUser,ou=MyOU,dc=MyDomain,dc=com")
objUser.PutEx ADS_PROPERTY_CLEAR, "userParameters", 0
objUser.SetInfo

I sure hope this issue gets documented and/or solved soon.

VMware Fusion v1.0

2007-08-31T11:37:00.001+02:00

A while ago I posted an article comparing VMware Fusion (beta) with Parallels virtualization software.
Recently, VMware released version 1.0 of Fusion, so I decided to take the software for another test run.

I noticed immediately that VMware invested lots of energy in optimizing the beta version:
- Fusion now supports virtual SMP, and performance was really stunning! It's hard to notice you're not running natively.
Also, pausing and resuming a VM only takes a few seconds.
- Fusion makes it also possible to unify a Windows VM with Mac OS. You can easily drag and drop, and launch Windows applications from the dock.
- If you have an existing boot camp partition, Fusion will detect it and make it available as a virtual machine.
- Snapshotting is also added to the list of features.

Conclusion is that VMware did a great job with the final release of Fusion, and it has finally become difficult to choose your virtualization software for Mac.

Migrate esxRanger Professional

2007-05-24T14:44:00.001+02:00

If you want to migrate your esxRanger configuration to a different server, there's a very easy way to do so. Just install esxRanger on the new server, and copy these 4 files from the existing server to the new one :
%ProgramFiles%\vizioncore\esxRanger Professional\smtp.dat
%ProgramFiles%\vizioncore\esxRanger Professional\vcenter.dat
%ProgramFiles%\vizioncore\esxRanger Professional\servers.dat
%ProgramFiles%\vizioncore\esxRanger Professional\yourlicense.lic

Make sure you don't forget to copy your scheduled tasks as well...

Restore bkf files in Windows Vista

2007-05-12T18:12:00.001+02:00

Together with the release of Windows Vista, Microsoft decided to replace NTBackup with a newly built backup and restore program. You can access the Backup and Restore Center in the System and Maintenance menu in Vista.

Beware though that there is no support for restoring NTBackup files (bkf) with this new solution. Microsoft did release a tool to cope with this, check it out : http://www.microsoft.com/downloads/details.aspx?FamilyID=7da725e2-8b69-4c65-afa3-2a53107d54a7&displaylang=en

Migrate Double-Take for Windows

2007-04-27T15:46:00.001+02:00

If you want to migrate your double-take configuration to a different server, there's a very easy way to do so. Just install the same version of double-take, and copy these 3 files from the existing server to the new one :
%ProgramFiles%\DoubleTake\connect.sts
%ProgramFiles%\DoubleTake\DblTake.db
%ProgramFiles%\DoubleTake\schedule.sts

Also make sure that you add every double-take admin to the local security group "Double-Take Admin", otherwise even local admin's won't have the necessary permissions.

SMS Advanced Client Setup Problems

2007-04-18T14:46:00.001+02:00

I recently had problems installing an sms advanced client. During setup, it failed while creating the necessary WMI namespaces.
Error: failed to create WMI namespace CCM, code 80041002.

Solution:
- Stop WMI service (winmgmt)
- Delete folder "%systemroot%\system32\wbem\Repository"
- Start WMI service
- Rerun client setup

Netbackup SQL Restore Problems

2007-04-11T19:50:00.001+02:00

Using the Netbackup MS SQL Gui client:
If you install a new SQL server, and try to restore database backups from an existing SQL Server, the message "Error encountered trying to read database images" shows.

The issue is that the sql agent from the new netbackup client is not allowed to list the existing backups from other SQL servers.

To resolve, go to the master Netbackup server, and copy all the files from <install_path>\netbackup\db\images\<client_name>\*.* to <install_path>\netbackup\db\images\<new_client_name>\*.*.
Leave the SQL host field pointed to the existing server, and point the source client field to the new SQL server.

Works perfect!

Windows Server 2003 Access-based Enumeration

2007-02-15T18:36:00.001+01:00

Ever had the annoying problem that users can see files and folders in shares, even when they have no rights to access them? Install the Windows Server 2003 access-based enumeration add-on for 2003 SP1.

Install offers 2 modes: enable abe for all shared folders on a server, or configure it yourself on a per share basis (default). After default install, it shows an extra tab on the properties of a shared folder:

The add-on also includes a command line interface. (abecmd.exe)

VMware Fusion vs Parallels Desktop for Mac OS

2007-02-13T19:00:00.001+01:00

Since the release of Intel based Macs, the market is open for virtualization products for Mac OS. I decided to give VMware Fusion (build 36932) and Parallels Desktop (build 3120) a test run on my iMac Core 2 Duo.
Both of them support USB 2.0 and drag&drop functionality, but here's a short overview of the most important differences:

Fusion
- Multiple virtual processors
- 64 bit guest support
Parallels
- Coherence
- Boot Camp support (use bootcamp partition as virtual machine)

Since VMware Workstation 5.x and Server 1.x images can be used in Fusion, Parallels had to come up with a solution: Transporter. It allows easy migration of your real Windows pc, or existing VMware or Virtual PC VMs.
In my case, I decided to install 2 new Windows Vista VMs.

The test results:
First off is guest performance, which is nearly native in Parallels! Fusion beta always runs in debug mode (which decreases performance), but then again, I assigned both CPUs to this VM. The performance didn't even come close!
Pausing and resuming works quite well in both products, but Parallels is still a bit faster.

As for view modes, Coherence is quite impressive, but I doubt I will ever enable it. I'd rather use the VM window or full screen mode.

Maybe the most remarkable feature was the dynamic adjustment of the screen resolution in Parallels. Just resize the VM window, and the screen resolution inside the guest adjusts itself. Nice one!

Last thing to mention is the Boot Camp support. Although this works well, I wonder why you need Boot Camp if there's virtualization software like Parallels??

Check out these screenshots:

Group Policy Settings Reference

2006-12-28T10:14:00.001+01:00

A few weeks ago Microsoft published a new Group Policy Reference spreadsheet. This sheet lists all policy settings for user and computer configurations included in the admx/adml files delivered with Windows Vista.

Most important information in this sheet:
- the admx file that contains the setting
- the required OS for the setting to apply
- the registry location of the setting
- reboot or logoff required

Download it here.

Utility : Group Policy Log View

2006-12-05T09:35:00.001+01:00

A few articles ago I discussed the fact that Vista logs all of the group policy events in the event log. Now Microsoft released a tool to export all group policy related events to a text, xml or html file : Group Policy Log View.
The tool even allows to monitor events in real time in a command prompt.

New ADM Templates for IE 7

2006-12-01T07:40:00.001+01:00

For those who already migrated to Internet Explorer 7, download the new Group Policy administrative templates here :
http://go.microsoft.com/fwlink/?linkid=77998

Utility : RGPRefresh

2006-11-27T15:12:00.001+01:00

At GPOGuy.com, they created a usefull tool for remotely refreshing group policy settings. It requires the .NET Framework 1.1 to be installed for usage.

Have a look : www.gpoguy.com/rgprefresh.htm

Terminal Services in Longhorn Server

2006-11-27T11:12:00.001+01:00

During IT Forum I got to see a nice presentation of some of the new features of Terminal Services in Longhorn. Let me sum them up for you:

- Terminal Services Gateway: it's actually the Microsoft version of Citrix Secure Gateway. It provides access to terminal server sessions with the RDP protocol encapsulated in the HTTPS protocol. The session is secure, and only firewall port 443 needs to be open to make a connection. Access through this gateway can be controlled on a per user or workstation basis.

- Remote Programs: the ability to publish programs, in stead of a complete desktop environment. The application will run in a seamless window, so the user will experience no difference with local applications. File type associations can be configured on the clients, so they will automatically launch a terminal server application for certain file types.
These remote programs can be distributed as an MSI package (created in the TS Console), or through TS Web Access.

- Terminal Services Web Access: an interface which makes the terminal services remote programs available to users from a web browser. It's a customizable web part, which can also be integrated in a Sharepoint site.

Also a very nice feature, which makes the user experience even better, is the possibility to copy/paste from the desktop environment to a terminal server session. (and visa versa)
It was already possible for text strings in the past, but this has now been expanded to support complete files.

Group Policy in Vista and Longhorn

2006-11-19T16:23:00.001+01:00

The most innovative change in group policies with windows vista and longhorn server is the introduction of admx and adml files. Admx files are xml based policy files, which contain registry based values. Adml files only contain text (per language), and are linked to admx files by using an id attribute for each string.
The location of these admx and adml files is %systemroot%\Policy Definitions. A very nice tool by FullArmor, which has been acquired by Microsoft, is called ADMX Migrator. This allows for the migration of adm files to admx, and the creation of new admx files.

Another improvement is the creation of a Central Store. This is a repository for all admx and adml files in a domain. This ensures that all of your gpo's use the same version of a policy template. The central store has to be created in a specific location : SYSVOL\domain\policies\PolicyDefinitions. If this central store is available, the GPMC will automatically load all of the templates from this location.

Since windows vista, multiple local policies can be created. As you can see in the screenshot below, local policies can be created for specific users, administrators, non administrators, ...

In the past it was also pretty difficult for admins to monitor gpo application. Userenv debug logging could be enabled, but not microsoft tools helped in analyzing this information. Since vista, the complete processing of gpo's is logged in the event log.

The last new feature I want to mention, is network location awareness. The main advantage of NLA is the end of the reliance on the ICMP protocol for policy application. It ensures a more accurate determination of network bandwith.

Security in Windows Vista

2006-11-19T15:36:00.001+01:00

Most of you who have been playing around with Vista probably noticed all of the security prompts when performing admin tasks. I'll try to give an overview of the most important security enhancements in Windows Vista.

Internet Explorer Protected Mode
With Protected Mode, the IE process runs with a different user account with very little system privileges.(Check the processes list for an additional process called ieuser.exe) By running in this sandboxed mode, the IE process does not have sufficient rights to write to most parts of the file system. (eg. users profile) Protected Mode IE reads/writes to "low" versions of cache, located in :
Cache: %userprofile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low
Temp: %userprofile%\AppData\Local\Temp\Low
Cookies:
%userprofile%\AppData\Roaming\Microsoft\Windows\Cookies\Low
History: %userprofile%\AppData\Local\Microsoft\Windows\History\Low
By default, protected mode is enabled for all security zones, excepted trusted sites.

Windows Firewall
The Windows firewall now has firewall rules for three fixed profiles: public (very secure), private (less secure) and domain. The domain profile is automatically configured when the workstation is added to a domain. For the other two profiles, windows will prompt you to select a profile whenever a new network is detected. This detection is done by the Network Access Protection client, which I'll talk about later. Whenever multiple networks are connected, the most restrictive firewall profile will be applied to the system. (support for multiple profile application will be added later)
Another new feature of the windows firewall is IPSEC integration. IPSEC policies are now configured with the windows firewall mmc snap-in. (or through gpo's of course, as is the rest of the firewall config)
The windows firewall now also supports outbound traffic control, which can limit installed applications to send traffic onto the network.

NAP (Network Access Protection)
NAP is actually nothing more than controlling network access based on the configuration of a network client. These checks can be done on, for example: antivirus software, sms client, patchlevel, ...
Vista has a built-in NAP client, which communicates with a NPS (Network Policy Server). NPS is actually the new version of the
RADIUS server in Longhorn.
If the client has a compliant configuration, a health certificate together with network access is granted.
After being granted network access, the nap client will continiously monitor client configuration, and deletes the health certificate if the config becomes uncompliant.

User Account Control
Probably one of the most important security enhancement in Vista is UAC. Because of UAC, even an administrator runs with regular user privileges. Each time an admin task is performed, elevation is required. This prevents unauthorized programs from running, which in the past would have run without the admin even noticing it.
Another feature of UAC is virtualization. File access by legacy applications which try to write user configuration to the windows or program files location is captured, and redirected to a virtual folder : %userprofile%\AppData\Local\VirtualStore. This virtualization is controlled by a file system filter driver (luafv.sys)
The same goes for registry access. User configuration written to HKLM is captured, and redirected to HKCU\Software\Classes\VirtualStore.
Good to know is that these virtualization locations are not included in a roaming profile.

Microsoft really put a lot of effort in securing its new OS. I didn't even talk about Bitlocker, Windows Defender, or the new authentication architecture which replaced GINA.
If you're interested, read more about it here: http://www.microsoft.com/technet/windowsvista/security/default.mspx.

Command line utility : Systeminfo

2006-11-16T16:34:00.000+01:00

Recently I was looking for an easy way of remotely checking the system uptime. I came across a very interesting utility : systeminfo.
Just run this command in a command prompt, and it will give you detailed system configuration information. (including hardward info, regional settings, virtual memory settings, uptime and installed hotfixes)

Command line options allow you to run it on a remote machine. (overview of all command line parameters)

XP SP2 adds file stream to all downloads

2006-11-16T16:33:00.001+01:00

When downloading a file on a Windows XP SP2 machine with a NTFS filesystem, a separate file stream is added to the file, which contains an Internet Explorer security zone identifier.
It contains a ZoneId value which is configured to 3, which means Internet zone. This causes a security pop-up ("Open File - Security Warning") to show each time you try to run the file. (unless the location where you run the file from is added to your Trusted Sites)

In our case, we had a problem with executing these files silently in an sms package. The package installs with SYSTEM account, which means you won't see this security popup, and the installation will keep running until the machine is rebooted. Removing the file stream can be done by opening the file properties, and clicking on the "unblock" button.

If you want to view file streams, just register StrmExt.dll, and you will get an additional streams tab when you open file properties.

BSOD Debugging

2006-11-16T16:30:00.000+01:00

Debugging a BSOD is not difficult to do at all. For basic debugging, everything you need is a Microsoft tool called windbg (http://www.microsoft.com/whdc/devtools/debugging/default.mspx). The tool uses symbols, based on OS version, to perform the analysis. You can either download symbols for the OS you're debugging, or just enter the following path for symbols in the windbg app : SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
Windbg will now automatically download symbols for the loaded dump file.

In most cases a small memory dump will be sufficient for analyzing the problem. The small memory dump is located in %systemroot%\minidump. The filename will be mini%.dmp, with % being the date for the dump.
Just open this dmp file with windbg, and it will automatically perform a short analysis of the dump.
An example output :

BugCheck 100000EA, {81600708, 814b43a8, 8179f888, 1}

Probably caused by : nv4_disp ( nv4_disp+2dddb )

Followup: MachineOwner
---------
In the example above, the dump was caused by nv4_disp, the nvidia display driver.

A few usefull commands to be used in windbg :
!analyze -v : will display detailled debugging information
!drivers : shows all drivers loaded in memory from the time the dump took place
!process : shows all active processes from the time the dump took place (only available for full dumps)

For a much better and visual explanation of the above, check out this webcast.

UserEnv Debug Logging

2006-11-15T12:15:00.000+01:00

Most of the problems associated with group policy processing and user profile loading can be debugged by enabling the debug logging. This can be done with the following registry value :

Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value: UserEnvDebugLevel
Value Type: REG_DWORD

UserEnvDebugLevel can have the following values:
NONE 0x00000000
NORMAL 0x00000001
VERBOSE 0x00000002
LOGFILE 0x00010000
DEBUGGER 0x00020000

The default value is NORMALLOGFILE (0x00010001).
If you want to log the most verbose details, set the value to 0x00030002.
After configuration, reboot the workstation for settings to apply. The log file is located at %systemroot%\debug\usermode with name userenv.log.

A very nice freeware tool for analyzing the userenv.log file is available by Syspro software : Policy Reporter (http://www.sysprosoft.com/policyreporter.shtml).