April 30

Cannot Connect to Virtual Machine -- McAfee HIPS Firewall

I was working on a Windows Server 2008 version of Hyper-V that had McAfee's HIPS firewall turned on. It had been on for several weeks without incident, when I needed to turn on and connect to a virtual machine. But whenever I tried to connect to a running VM, a very generic "Cannot connect to the Virtual Machine" error popped up.
It took me too long to figure out that the firewall was finally causing the issue. Adding the following firewall rule solved the issue:
TCP Incoming on Port 2179, from Ports 1024-65535, from IP: Any

April 29

Delta CRL is present, but not downloadable in IIS 7.0. When navigating to the URL an "HTTP Error 404.11 – URL_DOUBLE_ESCAPED" error occurs.

While looking at PKIView for a newly installed CA, I noticed that the delta CRL (CAName+.crl) was "Unable to download", despite the file being present in the CDP virtual directory file location. When I copied the URL and browsed to the location, I received an HTTP Error 404.11 -- URL Double Escaped error.
This is apparently a new security feature in IIS 7.0 (request filtering) that rejects double-escaped characters in the URL. I wasn't sure which characters were being treated as escape characters, but I presume the + sign in the delta CRL file name was the one in my URL, since + is itself an escaped form of a space.
Fortunately the Error page gave some insight about changing the application.config or web.config file. A quick search on Google led me to a Microsoft KB article that helped to point me in the right direction: Error message when you visit a Web site that is hosted on IIS 7.0: "HTTP Error 404.11 – URL_DOUBLE_ESCAPED"
This article instructs you to change the application.config file by setting the allowDoubleEscaping property to true. Looking at the application.config file, there was a section for each of the virtual directories under the website except the CDP virtual directory. All of those sections had their allowDoubleEscaping attribute set to true, so I had examples to build the XML for the missing section. I did notice, however, that the CDP file location had its own web.config file, with a sparse section of XML specifically for the CDP virtual directory, and that web.config file is what I actually modified to fix the 404.11 error.
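What request filtering is objecting to can be reproduced without IIS. The following is an added example (not code from this post or from Microsoft) that models the double-escape test as a simplified rule: percent-decode the path once and reject it if the result still contains '%' or '+'. Run against a CA's base and delta CRL names it shows that only the delta CRL, whose file name ends in +.crl, is rejected, and that allowDoubleEscaping="true" lifts that rejection; the CA name "CAName" and the /CDP/ path are placeholders.

```python
from urllib.parse import quote, unquote


def request_filtering_verdict(raw_path):
    """Simplified model of the IIS 7 request-filtering double-escape test.

    Assumption (a model, not IIS source): the path is percent-decoded once,
    and the request is rejected with 404.11 when the decoded path still
    contains '%' or '+', because either could be decoded a second time.
    Returns (allowed, decoded_path).
    """
    decoded = unquote(raw_path)
    allowed = "%" not in decoded and "+" not in decoded
    return allowed, decoded


def check_cdp_urls(ca_name, vdir="/CDP/", allow_double_escaping=False):
    """Map each CRL URL for a CA to whether the model lets it through.

    AD CS publishes '<CAName>.crl' and the delta CRL '<CAName>+.crl'.
    A browser sends the '+' literally; a stricter client sends it as %2B,
    so both spellings are checked.  allow_double_escaping mirrors the
    web.config attribute and, when true, lifts the rejection.
    """
    results = {}
    for file_name in (ca_name + ".crl", ca_name + "+.crl"):
        for raw in (vdir + file_name, vdir + quote(file_name, safe="")):
            allowed, _ = request_filtering_verdict(raw)
            results[raw] = allowed or allow_double_escaping
    return results


if __name__ == "__main__":
    # "CAName" is a placeholder for the real CA name, as on the page.
    for setting in (False, True):
        print(f"allowDoubleEscaping={str(setting).lower()}")
        for url, ok in check_cdp_urls("CAName", allow_double_escaping=setting).items():
            print(f"  {url:<22} {'200' if ok else '404.11'}")
```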
I added a security section under configuration/system.webServer:

<security>
  <requestFiltering allowDoubleEscaping="true" />
</security>

Original file:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <directoryBrowse enabled="true" />
  </system.webServer>
</configuration>

Modified file:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <directoryBrowse enabled="true" />
    <security>
      <requestFiltering allowDoubleEscaping="true" />
    </security>
  </system.webServer>
</configuration>

This fixed the issue!

April 20

DSQuery doesn't pipe to DSMove -- Work around

While cleaning up AD for a client, I ran a DSQuery to list all the computers that had been inactive over the last 8 weeks. There were more than 100, so I had to expand the search:
dsquery computer -inactive 8 -limit 400

Then I wanted to disable them, so I piped that into a DSMod command:

dsquery computer -inactive 8 -limit 400 | dsmod computer -disabled yes

Wow, this is easy. Now all I have to do is move the disabled computers to a special OU using DSMove. But of course it's never that simple. The dsmove command didn't accept the piped-in dsquery output, so I had to put the query in a for loop:

for /f "Tokens=*" %a in ('dsquery computer -disabled -limit 400') do dsmove %a -newparent "OU=Disabled objects,DC=mydomain,DC=com"

If you need to target a specific OU, simply place the DN of the OU after the computer keyword:

dsquery computer "OU=Build,DC=hps,DC=com" -inactive 8 | dsmod computer -disabled yes

April 15

GPO Wireless Settings Only Show WEP on Server 2003 32-bit DC's Despite the Connection setting of WAP

Ran across an interesting GPO issue while distributing wireless settings to users in the Domain. Despite the actual settings included in the Preferred Wireless network settings, the GPO shows WEP with EAP in the settings view of the GPMC.
Apparently the GPMC 1.0 console isn't capable of showing all of the settings, nor can it configure WPA2. The solution is to connect using GPMC from the Remote Services Administration Pack on either Server 2008 or Vista. This shows a more accurate "settings view" and allows the configuration of WPA2.
The GPO will be saved on the 32-bit Domain Controllers and replicated throughout the network properly, but will not show up accurately in the Settings View on GPMC 1.0.
April 08

McAfee Host Intrusion Prevention (HIPS) Firewall doesn't allow PING, despite the default allow PING rule.

After deploying McAfee's Host Intrusion Prevention product (v7.0.3) to a desktop with the firewall turned on and the default "allow Ping" rule enabled, I was unable to ping a remote system.
The system was managed by ePO and the default rule set actually had two ping Rule Groups in place and enabled. The first, "Ping and ICMP", had several rules that caused all manner of traffic between systems to crash and caused intermittent problems on the network, so it was deleted from the Policy. This left the "Ping" rule group, which included the rules "Allow ICMP Echo Request Outgoing" and "Allow ICMP Echo Reply Incoming."
"Allow ICMP Echo Request Outgoing" allowed ICMP echo requests outgoing to any IP for the PING.EXE application.
"Allow ICMP Echo Reply Incoming" allowed ICMP echo replies incoming from any IP for the PING.EXE application.
Looks pretty straightforward for allowing the machine to ping out, but outward pings would not work, and there was a log entry stating that the ping request had been blocked. HIPS is a complicated application and I was afraid that there was some obscure application-blocking rule that restricted ping.exe. To test that it was actually a firewall error, I turned off the firewall. Pinging worked.
After modifying the rules several times and in various methods, I finally discovered that the fix was to not limit the application to ping.exe. Removing ping.exe from both rules, but otherwise leaving them unchanged allowed the target machine to ping outward.
March 20

AD Certificate Services 2008, Version 3 certificate at 2008 level, and Web Enrollment for SCOM.

Just had an interesting issue with a new 2008 PKI implementation: my certificate templates were not showing up for Web Enrollment.
I had just set up a complete PKI using AD CS 2008 and was trying to issue certificates to a Gateway SCOM server in the "Other" Forest and to the Management server in the home forest. And of course, I ran into some interesting issues.
For security reasons, none of the default templates were published when the CA was turned up, this was to ensure that someone had to actively approve the publishing of a certificate template and to prevent the auto-enrollment of certificates until the organization was explicitly ready. This unique situation would complicate troubleshooting.
So the first template to be published was the newly created SCOM Certificate template. Now there was nothing special about this template. It is simply a Computer template (with the Server and Client Authentication OIDs, just like the default Computer template). Instead of publishing the default Computer template, I duplicated it and extended its life to 2 years, but when I did this it asked me if I wanted to make this a 2003 or a 2008 version. Well, hell yeah, I want 2008. Why else did I go through the trouble of deploying 2008 CA's -- (ummm, maybe not!!).
This answer had the effect of adding advanced features to the version 3 certificate, something that I wasn't fully aware of at the time, and which, as I discovered hours later, cannot be web enrolled.
This of course presents a challenge to a SCOM Gateway server in the "Other" forest, because that is the only method that it has of connecting to the issuing CA in the home forest. (Sure, I could have used a third party manual request generation tool, but I was irked that this wasn't working!!!).
So after a few hours of verifying permissions and settings, I ran across the fact that V3 certificates cannot be web-enrolled, and the fact that Authenticated Users in the Root Domain does not translate to computers or users in sub-domains.

March 11

Windows Update Error -- WindowsUpdate_80240019

Ok, I just had an issue with WSUS. None of my servers were updating and I was getting a WindowsUpdate_80240019 whenever I tried to update a Vista/Server 2008 server. And the WindowsUpdate.log file was showing the following errors:
2009-03-11 21:28:55:852 608 1170 Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80190194
2009-03-11 21:28:55:852 608 1170 Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80190194
2009-03-11 21:28:55:852 608 1170 Misc WARNING: DownloadFileInternal failed for http://computer.domain.net/selfupdate/wuident.cab: error 0x80190194
2009-03-11 21:28:55:852 608 1170 Setup WARNING: SelfUpdate check failed to download package information, error = 0x80244019
2009-03-11 21:28:55:852 608 1170 Setup FATAL: SelfUpdate check failed, err = 0x80244019
2009-03-11 21:28:55:852 608 1170 Agent * WARNING: Skipping scan, self-update check returned 0x80244019
2009-03-11 21:28:55:852 608 1170 Agent * WARNING: Exit code = 0x80244019

Not sure how it happened, but the root cause was a missing Virtual Directory on the WSUS default website. I added a Virtual Directory called SelfUpdate to the default website and pointed it to the C:\Program Files\Update Services\Selfupdate directory. I gave it full permissions, but I doubt it needs all of those.
This solved my problem. Of course I checked the GPO to make sure that the update point was correct there. And I checked the Registry of the computers to ensure that they had the update point listed correctly as well (meaning they were getting the GPO properly).
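The codes in the log above are HRESULTs, and their structure tells you where a failure came from before you look anything up. The following is an added example (not code from this post) that splits such codes into severity, facility and error fields: 0x80190194 is facility 0x19 (HTTP) with code 404, which matches the missing SelfUpdate virtual directory; 0x80244019 is facility 0x24 (Windows Update); and the 0x8007267C code from the PKI error-code post further down is facility 7 (Win32), whose low 16 bits are the Win32 error that certutil -error names. The facility table and the log-line scanner are my own additions, and the sample log line is constructed.

```python
import re

# Facility numbers from the HRESULT definition in winerror.h.
FACILITIES = {
    7: "WIN32",           # low 16 bits are a Win32 error code
    25: "HTTP",           # low 16 bits are the HTTP status code
    36: "WINDOWSUPDATE",  # Windows Update Agent error
}

HEX_CODE = re.compile(r"0x[0-9A-Fa-f]{8}")


def decode_hresult(code):
    """Split an HRESULT into its fields.

    Layout: bit 31 = severity (1 = failure), bits 16-26 = facility,
    bits 0-15 = facility-specific error code.  Accepts an int or a
    '0x........' string as it appears in WindowsUpdate.log.
    """
    if isinstance(code, str):
        code = int(code, 16)
    code &= 0xFFFFFFFF
    facility = (code >> 16) & 0x7FF
    return {
        "hresult": f"0x{code:08X}",
        "failure": bool(code >> 31),
        "facility": facility,
        "facility_name": FACILITIES.get(facility, "UNKNOWN"),
        "code": code & 0xFFFF,
    }


def explain(code):
    """One-line reading of a code, using the facility to pick the vocabulary."""
    d = decode_hresult(code)
    if d["facility_name"] == "HTTP":
        return f"{d['hresult']}: HTTP status {d['code']} from the update server"
    if d["facility_name"] == "WIN32":
        return f"{d['hresult']}: Win32 error {d['code']} (look it up with certutil -error)"
    if d["facility_name"] == "WINDOWSUPDATE":
        return f"{d['hresult']}: Windows Update Agent error 0x{d['code']:04X}"
    return f"{d['hresult']}: facility {d['facility']}, code {d['code']}"


def codes_in_log_line(line):
    """Decode every 0x........ code found in one WindowsUpdate.log line."""
    return [decode_hresult(m) for m in HEX_CODE.findall(line)]


if __name__ == "__main__":
    # Constructed sample line in the shape of the log excerpt above.
    sample = "2009-03-11 21:28:55:852 608 1170 Setup FATAL: SelfUpdate check failed, err = 0x80244019"
    for c in codes_in_log_line(sample):
        print(explain(c["hresult"]))
```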
For those of you interested in the post mortem: I am not sure what caused the disappearance of the SelfUpdate virtual directory. I was standing up a Forefront Client Security server with all roles and retiring my old WSUS server. Somewhere along the line it either was not created or was deleted.

January 12

Collect DHCP information from the command prompt

I needed to document DHCP information for a client across their large Enterprise consisting of more than 15 DHCP servers, each with several scopes. I dreaded documenting by hand, so I turned to my usual trick of collecting information by command line.
First I found just the article I needed about how to get DHCP information at the command line from the Technet Article "To use DHCP commands interactively at the command prompt" My first task was identifying all of the DHCP servers in the organization. Now that could have been easily accomplished from the MMC snap-in, but this is about the Command line. So I used netsh DHCP to accomplish that as well.
Now depending on what information you need to retrieve you can dive down into each server and then further into each scope to retrieve information. I needed to identify the scopes on each server, where their databases were located, and some general idea of the usage of each scope. And I needed to record this to a text file. So I decided to go into each server and get targeted information from each one. So I dug up the following commands:
server \\Server01 -- switches which server information is retrieved from. Or type: server \\IPAddress
which takes us to the netsh dhcp server> prompt, then I retrieved the information that I wanted using the following commands.
show scope -- Shows basic scope information
show mibinfo -- show scope use information
show dbproperties -- shows Database information
There are several other commands available, use /help to search for the one you need and you can reference this for usage: http://technet.microsoft.com/en-us/library/cc787375.aspx.
You might also look at the dump command. This actually gives you information about each scope and their options when used at the server level. Or you can dig down into each scope using the command: scope ipaddress and use show commands from there.
Also the show optiondef command will give you the definitions of each scope option. Option 51 is lease time as measured in seconds (that being the most common one you'll need.)
And I discovered that I could run several commands one after the other in a batch file, or in my case by modifying a text file and pasting into the command line.
server \\Server01
show scope
show mibinfo
show dbproperties
server \\Serverdc01
show scope
show mibinfo
show dbproperties
server \\Serverdc02
show scope
show mibinfo
show dbproperties
server \\Serverrdp01
show scope
show mibinfo
show dbproperties
Unfortunately, redirecting the output to a text file (>c:\output.txt) didn't work and I didn't have PowerShell on the network (Start-Transcript...). So I ended up listing two or three servers at a time, while using select all, cut, and paste in the CMD.exe window to paste the text into a Notepad file. All in all, a far quicker and cooler way of collecting DHCP information across the organization than using the GUI.

January 05

Windows PKI Error Codes

I got this from the Technet PKI blog: How to decode Windows errors

Many Windows error messages provide a hexadecimal error code, for example 0x8007267C. This code can provide helpful information. But how to translate it into a readable error message?
At least two commands can be used to decode an error code:
· certutil -error [Code]
· err.exe [Code]
For example certutil -error 0x8007267C
Certutil is part of all Windows server stock keeping units (SKU) and Windows Vista. The err executable is available from the Microsoft Download Center.

Changing the Friendly Name of a Certificate

I got this from the Technet PKI blog: Defining the friendly name certificate property

The friendly name of a certificate can be helpful if multiple certificates with a similar subject exist in a certificate store. One way to set the friendly name is through the Certificates MMC snap-in. Alternatively, certutil.exe can be used in the following way: