The FTP site cannot be started. Another FTP site may be using the same port.

March 12, 2013, 12:23 am

≫ Next: The backup storage location is invalid. You cannot use a volume that is included in the backup as a storage location.

≪ Previous: NSClient++ Clients Report Arguments not Enabled

I found what appears to be a bug today with Microsoft FTP on IIS 7.5 running on Windows Server 2008 R2 where I would get a false error message.

"The FTP site cannot be started. Another FTP site may be using the same port."

This occurs when right clicking the FTP site and trying to start it.

Now I know that I do not have any services listening on TCP21 on my server. A netstat shows this.

I did however have a test service running on TCP21 for a small period of time to verify the firewall portforwarding rules are setup correctly.

When attempting to start a FTP site on IIS7.5, it does not check that TCP21 is free, it checks prior at some stage. To get it to recheck properally you need to restart the "Microsoft FTP Service"

Ahh now all is good... this bug had me scratching my head for a second!

↧

The backup storage location is invalid. You cannot use a volume that is included in the backup as a storage location.

March 12, 2013, 7:42 pm

≫ Next: The Windows Backup engine could not be contacted. Retry the operation.

≪ Previous: The FTP site cannot be started. Another FTP site may be using the same port.

I was about to do a large number of Active Directory changes on a domain controller and needed to grab a system state backup before proceeding. I took a system state backup using the wbadmin utility on a 2008 R2 SP1 domain controller by using the following command from a command prompt:

wbadmin start systemstatebackup -backupTarget:c:

When running the command I received the following error message:

The backup storage location is invalid. You cannot use a volume that is included in the backup as a storage location.

The resolution for this problem was adding a new Key and DWORD value to the system registry. Create the following:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wbengine.
Create a key called "SystemStateBackup"
Set the value of this entry as follows:
Name: AllowSSBToAnyVolume
Data type: DWORD
Value data: 1

After creating the registry key the system state backup now completed successfully.

↧

The Windows Backup engine could not be contacted. Retry the operation.

March 13, 2013, 12:03 am

≫ Next: HTTP Attack Resulted in RBL Listing

≪ Previous: The backup storage location is invalid. You cannot use a volume that is included in the backup as a storage location.

Today when attempting to perform a System State backup on a Domain Controller I received the following error message:

The Windows Backup engine could not be contacted. Retry the operation.
The RPC server is unavailable.

I also noticed the following event errors appearing in Event Viewer.

Log Name:      Application
Source:        VSS
Date:          13/03/2013 10:48:41 AM
Event ID:      12292
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      DomainController
Description:
Volume Shadow Copy Service error: Error creating the Shadow Copy Provider COM class with CLSID {06d8e136-56f6-4048-93fb-a5943e949375} [0x80040154, Class not registered
].
Operation:
   Obtain a callable interface for this provider
   List interfaces for all providers supporting this context
   Get Shadow Copy Properties
Context:
   Provider ID: {5fdb6ef5-6ead-4610-995b-401c88626115}
   Class ID: {06d8e136-56f6-4048-93fb-a5943e949375}
   Snapshot Context: -1
   Snapshot Context: -1
   Execution Context: Coordinator

Log Name:      Application
Source:        Application Error
Date:          13/03/2013 10:48:50 AM
Event ID:      1000
Task Category: (100)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      DomainController
Description:
Faulting application name: wbengine.exe, version: 6.1.7601.17514, time stamp: 0x4ce79951
Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp: 0x4ec4aa8e
Exception code: 0xc0000374
Fault offset: 0x00000000000c40f2
Faulting process id: 0x5888
Faulting application start time: 0x01ce1f9517234ddc
Faulting application path: C:\Windows\system32\wbengine.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 880e1970-8b88-11e2-aefa-005056a2000b

The above event error 12292 it provided us the Provider ID: {5fdb6ef5-6ead-4610-995b-401c88626115}. Looking in the registery under HKLM\System\CurrentControlSet\services\VSS\Providers\{5fdb6ef5-6ead-4610-995b-401c88626115} it shows this provider as the Backup Exec VSS Provider.

For some reason WBAdmin is trying to use the Backup Exec VSS Provider instead of the Microsoft VSS Provider.

I added the registry DWORD UseMicrosoftProvider to HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore with a value of "1" which is meant to force the backup to use the Microsoft provider.

This key had no effect, the backup still attempted to use the Symantec VSS Provider. Next I used the following Symantec article 130940 to completely remove the Symantec backup exec agent from the server including removing registry keys.

http://www.symantec.com/business/support/index?page=content&id=TECH130940

After removing the Symantec backup exec agent I ran a test backup and the backup failed again with the same error. Running a "vssadmin list providers" revealed that the Symantec VSS Provider was still in place despite following Symantec article 130940 which was meant to completely remove backup exec from a windows server.

Again we see same GUID of the Symantec provider which was presented in the event error and the registry, {5fdb6ef5-6ead-4610-995b-401c88626115}.

I then followed Symantec article 77585 to completely remove the Backup Exec VSS Provider by deleting the {5fdb6ef5-6ead-4610-995b-401c88626115} key from the following location in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Providers\

http://www.symantec.com/business/support/index?page=content&id=TECH77585

After restarting the VSS service we see the Backup Exec VSS Provider is no longer available.

I then rebooted the server. After a reboot I attempted another backup with wbadmin. We got further this time but it still crashed out.

Some new event logs exist now:

Log Name:      Application
Source:        Application Error
Date:          13/03/2013 2:47:07 PM
Event ID:      1000
Task Category: (100)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      DomainController
Description:
Faulting application name: wbengine.exe, version: 6.1.7601.17514, time stamp: 0x4ce79951
Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp: 0x4ec4aa8e
Exception code: 0xc0000374
Fault offset: 0x00000000000c40f2

Log Name:      Application
Source:        VSS
Date:          13/03/2013 2:47:11 PM
Event ID:      8193
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      DomainController
Description:
Volume Shadow Copy Service error: Unexpected error calling routine RegOpenKeyExW(-2147483646,SYSTEM\CurrentControlSet\Services\VSS\Diag,...). hr = 0x80070005, Access is denied.
.
Operation:
   Initializing Writer
Context:
   Writer Class Id: {35e81631-13e1-48db-97fc-d5bc721bb18a}
   Writer Name: NPS VSS Writer
   Writer Instance ID: {37bef355-a711-4241-a2bc-91f1181c845b}

VSS Event ID 8193 says that the VSS provider was denied access when opening a registry key under the security context of SYSTEM

SYSTEM\CurrentControlSet\Services\VSS\Diag,...).

Damn it cut off! We could use Sysinternals ProcMon to get the full path however lets just force FULL access for tye System account from the DIAG key downwards.

After making this change I then tested another wbadmin. Made no difference. :-(

I searched the entire registry for the GUID of the Backup Exec VSS Provider to ensure nothing was missed. My search found nothing. Whilst I have isolated the problem to the VSS Provider provided by Symantec, a change made by the Symantec Backup Exec agent remains and as a result wbadmin will not function.

If there is someone out there who has fixed this issue can you please comment below with your resolution to ensure others with this issue have a fix as this is not documented anywhere on the Internet.

↧

HTTP Attack Resulted in RBL Listing

March 19, 2013, 6:15 am

≫ Next: Cisco - Port Two Public IP Addresses to the Same Internal Address

≪ Previous: The Windows Backup engine could not be contacted. Retry the operation.

Today one of my customers was listed on the SpamHaus XBL list. The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of hijacked PCs infected by illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits.

My customer had all client workstations access the Internet from the same public IP address as what the Exchange 2010 server relayed email from. Workstations did not connect to the Internet through a proxy, just sandard network address translation (NAT).

My customer did block TCP25 Outbound (SMTP Traffic) from all hosts on the network but the internal IP address of there Exchange 2010 server. Despite this my customer was still added to the XBL.SpamHaus.org blocklist and as a result had difficulties sending and receiving email from many companies especially because SpamHaus is one of the more popular blocklists.

This was because a few workstations on their network was infected with the Pushdo trojan which was performing denial of service (DOS) attacks against target web servers.

Below is the reason why we were RBLed extracted from the SpamHaus.org website:

To get around this problem we changed the outgoing IP address of email, ensured a PTR record exists for the new IP address, updated the Sender Policy Framework (SPF) TXT record on the DNS zone. Finally we updated the port forward on the router and MX records to ensure all mail relay went through a dedicated email.

So what did we learn from this?

If possible always use a dedicated public IP address for relaying mail (if possible)
Use a proxy server for your users to surf the net and block HTTP/HTTPS and other ports if possible outbound to the Internet.

Regarding the Pushdo botnet, we got around to cleaning that up too to ensure my customers network was not used to DOS innocent web servers on the net.

↧

Cisco - Port Two Public IP Addresses to the Same Internal Address

March 19, 2013, 6:23 am

≫ Next: How do I find out if an Email Address exists in Exchange

≪ Previous: HTTP Attack Resulted in RBL Listing

Today we required the ability to port forward two public IP addresses both listening on TCP25 to the same internal IP address listening on TCP25. By default a Cisco router will not let you do this. However there is an extenable option which you can put on the end of your command to allow you to do this.

For example to allow TCP25 from both 3.3.3.3 and 3.3.3.4 to 10.1.1.40 on TCP25 we would do the following:

perth-router(config)#do show run | in ip nat
ip nat inside source static tcp 10.0.8.10 25 3.3.3.3 25 extendable
ip nat inside source static tcp 10.0.8.10 25 3.3.3.4 25 extendable

Hope this has been helpful.

↧

How do I find out if an Email Address exists in Exchange

March 21, 2013, 2:50 am

≫ Next: An Insight into Stellar Phoenix Outlook PST Repair tool

≪ Previous: Cisco - Port Two Public IP Addresses to the Same Internal Address

You want to determine if an Email address has been already configured on an Exchange server. To do this you need to use the following cmdlet:

Get-Recipient

For Example:

Get-Recipient clint.boessen@avantgardetechnologies.com.au

You cannot use the Get-Mailbox cmdlet as remember you can configure email addresses on more then just user accounts. Email addresses can be configured on groups, contacts even public folders.

Note: If you use Get-Mailbox with the -an switch it will only search the primary SMTP addresses.

↧

An Insight into Stellar Phoenix Outlook PST Repair tool

March 24, 2013, 4:42 am

≫ Next: Exchange 2010 Outlook Anywhere Connection Randomly Drops Out

≪ Previous: How do I find out if an Email Address exists in Exchange

In this article we are going to look at how to repair a corrupt PST file using the Outlook PST Repair tool created by Stellar Phoenix.

Before we dive into Outlook PST Repair lets quickly cover Scanpst.exe. Scanpst.exe is a free tool shipped with Microsoft Outlook 2003/2007/2010 which lets you repair corrupt PST files.

On my Office 2010 installation, ScanPST can be found in the following path:

C:\Program Files\Microsoft Office\Office14

Below is a screenshot of ScanPST.

Stellar Phoenix labs performed testing with ScanPST and from their testing they discovered that the free PST repair tool is capable of repairing PST files with only minor structural errors. PST files with severe correction or PST files where the indexing table is completely removed, ScanPST will not repair the file.

Stellar Phoenix claim that their tool Outlook PST Repair v4.5 can repair a corrupt PST file and bring it back to a consistent state regardless how severe. I questioned this with Stellar Phoenix as 100% of corruption is a big claim however the company was confident to back it. All content within the corrupt the PST file which is in its valid state can be recovered. Data which has been lost due to corruption is gone, no tool will be able to recover this.

Outlook PST Repair v4.5 has been designed to look like Microsoft Outlook to provide users and administrators with a familiar user experience. When a corrupt PST loaded, all content which is still readable inside the corrupt PST file will be displayed. Companies have the flexibility of recovering individual emails, attachments, sub folders or entire PST files.

Below is a screenshot of the the Outlook PST Repair tool:

To begin using the tool simply the Open an Outlook File to Repair.

Select the location of the PST file which is corrupt. In my case I have a corrupt PST file called test.pst.

Hit the Start button and Outlook PST Repair will go through and scan for all recoverable content.

The tool displays all data which is now recoverable. The user is able to browse mail items, calendars, contacts, tasks, notes everything which can be displayed in Outlook using the Outlook PST Repair tool.

The user is able to do the following things once a corrupt PST file has been loaded in Outlook PST Repair v4.5:

Export all content which is readable within the corrupt PST into a new PST file.
Export select content from a corrupt PST file by selecting what content they wish to export.
Extract attachments from emails
Export individual emails to MSG or EML format

Outlook PST Repair v4.5 comes in a demo version and a full version. What is the difference between the demo version and the full version?

The demo version allows you to see all items which can be discovered, read email and look at calendar items however it does not allow you to extract any information out of the corrupt PST file including attachments, individual items or folders.

The full version allows you to browse a corrupt PST file and export content from a corrupt PST file to a new PST.

There are two licencing versions for purchasing the full version of Outlook PST Repair 4.5. Both licences come are lifetime and come with 24/5 technical support free with the purchase.

Single User Licence ($129 USD). Users receive a key which they use to activate the Outlook PST Repair tool. Once activated the key will only ever work on the Windows instance in which Outlook PST Repair tool was activated. In the event the user purchases a new computer or re-installs Windows, the user must contact support to transfer the licence.
Technician Licence (299 USD). The technician licence can be used unlimited times on different workstations. However a USB key must be connected to the machine to activate the licence and perform the recovery. Only one recovery can be performed at a time. One technician licence must be purchased per office. Stellar Phoenix ship the USB key to the customer upon purchase.

Note: All pricing is subject to change, to get the latest pricing please visit www.stellarinfo.com

Summary

The Outlook PST Repair 4.5 tool is a fantastic tool for fixing corrupt PST files. If Scanpst.exe fails to recover a corrupt PST file or you need to perform granular recovery from a corrupt PST file I encourage you to give Stellar Phoenix Outlook PST Repair a shot.

For more information or to obtain a copy of Stellar Phoenix Outlook PST Repair please visit the following website:

http://www.stellaroutlooktools.com/scan/pst-repair.php

↧

Exchange 2010 Outlook Anywhere Connection Randomly Drops Out

March 25, 2013, 2:20 am

≫ Next: Warning: Attribute userAccountControl of DC is: 0x82020

≪ Previous: An Insight into Stellar Phoenix Outlook PST Repair tool

One of my customers experienced an issue where Outlook clients randomly lost their HTTPS connection to the Exchange server. All Outlook clients at my customer connect to the Exchange server using http/RPC rather then TCP (MAPI) both internally and externally. Randomly once a day the Outlook HTTP connection would break and fall back to TCP (internally) or break completely for external users.

Running iisreset would fix the problem but the problem would always re-emerge.

To ensure that Outlook clients retain their connection with the Exchange server using HTTP and not TCP both "On fast networks, conect using HTTP first" and "On slow networks, connect using HTTP first" must be selected.

Activesync and webmail continued to work ok and were not effected by this issue.

This issue was caused by the RPC web application using te Default Application Pool (DefaultAppPool) which is configured to recycle worker processes every 1740 minutes (29 hours). During the recycling process, IIS allows active worker threads an additional 90 seconds to finish servicing requests before IIS terminates the active threads.

Because RPC over HTTP uses long-running connections, the connections may not finish within an additional 90 secosd that were given to the worker threads. In this scenario, the connections are terminated. Therefore Outlook loses connectivity with IIS. When this action occurs, Outlook immediately tries to reconnect. If many Outlook clients are disconnected at the same time, the large number of concurrent reconnections may overwhelm the server.

To resolve this problem create a new Application Pool dedicated to the RPC over HTTP web application with a larger HTTP sys que limit. Please refer to the following TechNet article with instructions on how to perform this procedure:

http://technet.microsoft.com/en-us/library/dd421855.aspx

↧

Warning: Attribute userAccountControl of DC is: 0x82020

April 10, 2013, 12:36 am

≫ Next: Controlling the Auto Shared Mailbox Mapping Feature

≪ Previous: Exchange 2010 Outlook Anywhere Connection Randomly Drops Out

When running a DCDiag at a customer site today I had the following error occur.

Warning: Attribute userAccountControl of DC is: 0x82020 = ( UF_PASSWD_NOTREQD | UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )
Typical setting for a DC is 0x82000 = ( UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )
This may be affecting replication?
It is a bug when we pre-create a computer account in ADUC and then promote it as DC, the UserAccountControl is set to 532512 instead of the default 532480. You need to manually set the vaulue to 532480 in ADSIEDIT.MSC.

UserAccountControl values for the certain objects:
Typical user : 0x200 (512)
Domain controller : 0x82000 (532480)
Workstation/server: 0x1000 (4096)

Change it to represent 0x82000.

↧

Controlling the Auto Shared Mailbox Mapping Feature

April 15, 2013, 12:22 am

≫ Next: Delegate Permissions to Change Permissions on Mailboxes - Exchange 2007

≪ Previous: Warning: Attribute userAccountControl of DC is: 0x82020

From Exchange 2010 SP1 onwards, Exchange Autodiscover now has the ability to automatically add a mailbox to a user account which has full control of the mailbox to Microsoft Outlook. This was done by changes made to Autodiscover and the addition of a new attribute called MSExchDelegateListLink.

From Exchange 2010 SP1 onwards, whenever you grant a user full access to a mailbox, the user which was granted full access is by default added to an attribute called MSExchDelegateListLink on the shared mailbox. This tells Autodiscover to automatically add the mailbox to the users Outlook profile.

For example take a look at a shared mailbox called "Spam" which is responsible for holding all spam emails on my Exchange server. As you see it has 3 accounts associated with the msExchDelegateLinkList attribute one of them being me, Clint Boessen.

If I only want myself to receive the spam mailbox by default, I would remove the other two accounts from this attribute. This can also be done by powershell with the AutoMapping parameter on the Add-MailboxPermission cmdlet.

Add-MailboxPermission "Shared Mailbox" -User -AccessRights FullAccess -AutoMapping:$false

Hope you learnt something in this post.

↧

Delegate Permissions to Change Permissions on Mailboxes - Exchange 2007

April 15, 2013, 1:15 am

≫ Next: Icons Do Not Appear in Internet Explorer 10 for RD Web Access

≪ Previous: Controlling the Auto Shared Mailbox Mapping Feature

I am currently in the process of a delegation project for one of my customers running Exchange Server 2007. My customer requires that all service desk staff members have the ability to manage Exchange recipients but can make no other changes within Exchange. Part of the Recipient Management requires the service desk staff must have the ability to:

Manage Full Access Permission
Manage Send As Permission

By default the Exchange 2007 Exchange Recipient Administrators group does not provide the ability to manage permissions on mailboxes however this can easily be granted.

To grant Exchange Recipient Administrators the ability to change permissions on mailboxes they must have the ExtendedRights "ms-Exch-Store-Admin" in Active Directory on the Configuration Partition. This can be granted using the following powershell command:

Add-ADPermission -Identity "CN=Exchange Org,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=local" -User "domain\Exchange Recipient Administrators" -ExtendedRights ms-Exch-Store-Admin -InheritanceType All
Ensure you change the Exchange Org to reflect your Exchange org and the domain\ to reflect your domain's NetBIOS name.

If the permissions are not set right you will get an error similar to:

Domain\username
Failed
Error:
Failed to commit the change on object "a757e5a9-64e0-49cb-ac90-acda685c7f1c" because access is denied.
MapiExceptionNoAccess: Unable to set mailbox SecurityDescriptor. (hr=0x80070005, ec=-2147024891)

Exchange Management Shell command attempted:
Add-MailboxPermission -Identity 'CN=Domain User,OU=People,DC=domain,DC=local' -User 'DOMAIN\account.name' -AccessRights 'FullAccess'
Elapsed Time: 00:00:00

Failed to commit the change on object because access is denied.

Hope this post has been helpful.

↧

Icons Do Not Appear in Internet Explorer 10 for RD Web Access

April 19, 2013, 1:40 am

≫ Next: SM Bus Controller VEN 8086 DEV 1E22

≪ Previous: Delegate Permissions to Change Permissions on Mailboxes - Exchange 2007

After upgrading to Internet Explorer 10 when accessing a 2008 R2 Remote Desktop Services (RDS) RD Web Access, we noticed the icons no longer display.

Running Internet Explorer 9, the icons display correctly:

However if you switch Internet Explorer 10 into compatibility mode, the icons also display correctly. To enable compatibility mode click the following page icon next to the address bar.

When it turns blue in colour, this means compatibility mode is enabled and the RD Web Access icons will reappear in RD Web Access.

A bug has been logged with Microsoft on this issue.

↧

SM Bus Controller VEN 8086 DEV 1E22

April 21, 2013, 12:49 am

≫ Next: Windows Update Error 80244018

≪ Previous: Icons Do Not Appear in Internet Explorer 10 for RD Web Access

When setting up a new Lenovo X230 for a customer I had problems finding the correct driver for an SM BUS Controller. The hardware had the following Vendor and Device Id's.

PCI\VEN_8086&DEV_1E22&SUBSYS_21FA17AA&REV_04

After research it turns out that this hardware matches a Intel 7 Series/C216 Chipset Family SMBus Host Controller.

To download the Intel 7 Series/C216 Chipset Family SMBus Host Controller driver please see the following website:

http://devid.info/download/56602/27

Scroll through the ads until you find 56602_Chipset_9.3.0.1019.zip (2.87 Mb)

↧

Windows Update Error 80244018

May 12, 2013, 9:22 pm

≫ Next: WSUS - An HTTP error occured

≪ Previous: SM Bus Controller VEN 8086 DEV 1E22

Today I had issues patching a Windows Server 2008 R2 server at one of my clients. Windows Update provided me with the following error message:

A error occurred while checking for new updates for your computer.
Error Code 80244018

This error code is generated when a computer has issues connecting to the Windows Update server. My customer used Threat Management Gateway as a firewall solution. After reviewing the firewall rules there was a rule which prevented access to Microsoft Windows Update servers.

Removed the rule and problem resolved.

↧

WSUS - An HTTP error occured

May 12, 2013, 10:49 pm

≫ Next: AD Replication Issue - The naming context is in the process of being removed or is not replicated from the specified server

≪ Previous: Windows Update Error 80244018

In the process of setting up a new WSUS server I received the following error message when attempting to perform a sync. This is after installing WSUS 3.0 Service Pack 2 available from http://support.microsoft.com/kb/2720211

An HTTP error occurred

Clicking Details provides the following error output.

WebException: The request failed with the error message:
--
Object moved
Object moved to %2fmicrosoftupdate%2fv6%2ferrorinformation.aspx%3ferror%3d15"
--.
at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at Microsoft.UpdateServices.ServerSyncWebServices.ServerSync.ServerSyncProxy.GetAuthConfig()
   at Microsoft.UpdateServices.ServerSync.ServerSyncLib.InternetGetServerAuthConfig(ServerSyncProxy proxy, WebServiceCommunicationHelper webServiceHelper)
   at Microsoft.UpdateServices.ServerSync.ServerSyncLib.Authenticate(AuthorizationManager authorizationManager, Boolean checkExpiration, ServerSyncProxy proxy, Cookie cookie, WebServiceCommunicationHelper webServiceHelper)
   at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.SyncConfigUpdatesFromUSS()
   at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.ExecuteSyncProtocol(Boolean allowRedirect)

After researching this error message I discovered Microsoft moved data on the Microsoft Update servers early 2013 and as a result the WSUS installation package which comes with Windows Server 2008 R2 no longer knows the correct URL to synchronise with (this is after installing WSUS 3.0 SP2 from KB2720211).

After installing WSUS 3.0 SP2 from KB2720211 you then must install another critical update which can be downloaded from KB2734608. This will tell WSUS the new location to synchronise from. In total you should have installed the following two updates including the Report Viewer 2008 package.

Download KB2734608: http://support.microsoft.com/kb/2734608

After installing KB2734608 on my WSUS 3.0 Service Pack 2 server, WSUS now referenced the right Microsoft Update location and synchronisation started working successfully.

↧

AD Replication Issue - The naming context is in the process of being removed or is not replicated from the specified server

May 22, 2013, 6:55 pm

≫ Next: You don't currently have permission to access this folder

≪ Previous: WSUS - An HTTP error occured

I had an Active Directory replication problem at a customer site with a multi domain environment. Two domain controllers exists in a child domain called DC1 and DC2. DC1 resided in a remote branch location and DC2 exists in a datacentre.

DC2 was able to replicate changes to DC1 without issues.
DC1 was not able to replicate changes to DC2.

Please note the name of the domain and domain controllers involved have been renamed to protect customer privacy.

Symptoms

When attempting a manual replication attempt the following error was experienced:

The following error occurred during the attempt to synchronize naming context "ROOT DOMAIN" for domain controller DC1 to domain controller DC2:

The naming context is in the process of being removed or is not replicated from the specified server.

The operation will not continue.

When doing repadmin /showrepl all inbound replication partners came back successful under the last replication attempt however all outbound replication partners such as the replication attempt from DC1 to DC2 came back as failed with the following errors:

Source: RemoteSiteName\DC1
******* 216 CONSECUTIVE FAILURES since 2013-04-21 07:32:26
Last error: 8524 (0x214c):
Can't retrieve message string 8524 (0x214c), error 1815.

Naming Context: CN=Configuration,DC=ROOTDOMAIN,DC=LOCAL
Source: RemoteSiteName\DC1\
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: DC=CHILDDOMAIN,DC=ROOTDOMAIN,DC=LOCAL
Source: RemoteSiteName\DC1
******* WARNING: KCC could not add this REPLICA LINK due to error.

Running a DCDiag on DC1 came back with the following errors:

Starting test: Connectivity

The host 9b2163cf-b8e7-4ad4-bd54-2342e6cfc1db._msdcs.rootdomain.local could not be resolved to an IP address. Check the DNS server, DHCP, server name etc.

Although the GUID DNS name 9b2163cf-b8e7-4ad4-bd54-2342e6cfc1db._msdcs.rootdomain.local couldn't be resolved, the server name (DC1.child.rootdomain.local) resolved to the IP address xx.xx.xx.xx and was pingable. Check that the IP address is registered correctly with the DNS server.

Resolution

The following error message is the one which lead me to the resolution of this replication issue.

The host 9b2163cf-b8e7-4ad4-bd54-2342e6cfc1db._msdcs.rootdomain.local could not be resolved to an IP address. Check the DNS server, DHCP, server name etc.

Although the GUID DNS name 9b2163cf-b8e7-4ad4-bd54-2342e6cfc1db._msdcs.rootdomain.local couldn't be resolved, the server name (DC1.child.rootdomain.local) resolved to the IP address xx.xx.xx.xx and was pingable. Check that the IP address is registered correctly with the DNS server.

The first domain you promote in a new Active Directory forest is the forest root domain (this can never be changed without building a new forest). The forest root domain contains a MSDCS container in DNS and contains a bunch of CNAME records for all domain controllers in the root domain as well as any child domains/new tree domains. These CNAME records are what Active Directory uses to lookup domain controllers when attempting to perform replication.

This is shown in the following screenshot.

The reason DC1 was unable to replicate to any other DC in the domain was because someone deleted the GUID mapping the CNAME record for DC1 from the msdcs container in Active Directory. From the DCDIAG error message we manually recreated the 9b2163cf-b8e7-4ad4-bd54-2342e6cfc1db._msdcs.rootdomain.localrecord mapping to DC1 as a CNAME record.

After 45 minutes replication began working again for DC1.

Hope this post helps someone with the same problem.

↧

You don't currently have permission to access this folder

May 22, 2013, 7:21 pm

≫ Next: CloudLink - The current account doesn't have sufficient privileges

≪ Previous: AD Replication Issue - The naming context is in the process of being removed or is not replicated from the specified server

With the introduction of Windows Vista came the first implementation of User Account Control (UAC) and with it, a file server NTFS permission issue which has been driving me nuts for years. If you are a Windows server admin you have probably seen this too but never thought twice.

When accessing a folder on a Windows file server, it prompts saying "You don't currently have permission to access this folder". Now I know this folder has the following permissions set on it:

SYSTEM - Full Control
Administrators - Full Control
Users - Create Folder append data

My user account is a member of Domain Admins and I know that Domain Admins is nested in the Administrators group on the file server. I should have permission to access this folder.

If I click continue to this prompt, UAC will automatically add my user name with full control permissions to the folder and all sub folders and files which I'm attempting to access. With multiple administrators maintaining a file server this results in unwanted user name ACL's spread across folders and files throughout the file server making the permission structure a mess.

After many years and now with the release of Windows Server 2012 this issue is still occurring. It's about time we spend some time and work out what's going on.

Resolution

After leasing with some colleagues of mine in Microsoft who work on the file services team they told me two group policy settings are responsible for this behaviour which can be found under:

Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> Security Options

User Account Control: Admin Approval Mode for the Built-in Administrator account
User Account Control: Behaviour of the elevation prompt for administrators in Admin Approval Mode

If you set these policies to Disabled and Elevate without prompting it resolves the issue.

You don't have to create a group policy object to implement these changes unless you have multiple file servers you want to target. In this instance I simply utilised GPEDIT.MSC on the local file server and set these changes as a local policy.

Now when my administrators navigate the file server they are no longer prompted to add their account to NTFS permissions and in result making a mess of my NTFS permission structure.

↧

CloudLink - The current account doesn't have sufficient privileges

May 26, 2013, 10:51 pm

≫ Next: Schemus - User synchronization failed. Update abandoned

≪ Previous: You don't currently have permission to access this folder

In the process of setting up Symantec Enterprise Vault Cloud for Microsoft Exchange, I had an issue where the ArchiveTools CloudLink tool would not accept my service account I created called cloudlink. It is complaining the account does not have Logon As Service privileges on my CloudLink server however I know the account does as I already granted this User Rights Assignment manually.

The error we were getting was:

CloudLink - The current account doesn't have sufficient privileges to give 'Logon As Service' privilege to the selected account. An administrator will need to manually allow this account to run as service. Failing to do so will prevent the service from running.

The problem? Good old User Account Control or UAC for short.

After trying again by running ArchiveTools CloudLink as "Run as Administrator" the problem was resolved.

↧

Schemus - User synchronization failed. Update abandoned

May 27, 2013, 12:17 am

≫ Next: 02A2: BMC System Error Log (SEL) Full.

≪ Previous: CloudLink - The current account doesn't have sufficient privileges

One of my customers who utilises Symantec Cloud email and web filtering was experiencing an issue with the Schemus synchronisation tool when synchronising Mail Address, Groups and Users to Symantec Cloud.

The error they were experiencing was:

User synchronization failed. Update abandoned

After speaking to Symantec this issue can occur sometimes with Schemus due to corruption in one of the following files:

users.sus
syncdata.sus
groups.sus

These files are located in the following directory:

C:\ProgramData\Schemus\configurations\SYNCJOBNAME

In our case it was:

C:\ProgramData\Schemus\configurations\SymantecADSync

To fix this problem, first close Schemus.

Next rename or move these files to another location.

Lastly reopen Schemus and attempt another sync, these files will regenerate. After making this change Synchronisation is now working correctly.

↧

02A2: BMC System Error Log (SEL) Full.

May 30, 2013, 11:40 pm

≫ Next: Setup Windows Server 2012 Core Computer for Domain

≪ Previous: Schemus - User synchronization failed. Update abandoned

A customer of mine had a HP ProLiant ML110 G6 server which did not boot successfully. Upon booting the boot would halt with the following error message:

02A2: BMC System Error Log (SEL) Full.

The fix for this problem was to go into the BIOS by hitting F10 and setting Clear System Event Logs to Enabled in the BIOS.

This can be found under IPMI on the Advanced Tab.

Navigate to System Event Log

And setting the Clear System Event Log to Enabled. This will ensure the event log is cleared on next boot. As you see there are no remaining event logs in our BIOS flash memory hence why the error is occurring.

Upon reboot the system will automatically set Clear System Event Log back to Disabled after the clear has been performed.

↧