Blog: Networking

While BitLocker is encrypting your drive, it automatically locks your entire drive except for 6 GB. This is normally not a problem, but it can be an issue if you are doing significant copying to the disk being encrypted. The following text from a TechNet article describes this “feature” and explains how to temporarily pause the encryption in case you need to do work that requires more than 6 GB on the disk.

Why does it appear that most of the free space in my drive is used when BitLocker is converting the drive?

BitLocker cannot ignore free space when the drive is being encrypted because unallocated disk space commonly contains data remnants. However, it is not efficient to encrypt free space on a drive. To solve this problem, BitLocker first creates a large placeholder file that takes most of the available disk space and then writes cryptographic material to disk sectors that belong to the placeholder file. During this process, BitLocker leaves 6 GB of available space for short-term system needs. All other space, including the 6 GB of free space not occupied by the placeholder file, is encrypted. When encryption of the drive is paused or completed, the placeholder file is deleted and the amount of available free space reverts to normal. A placeholder file is used only on drives formatted by using the NTFS or exFAT file system.

If you want to reclaim this free space before encryption of the drive has completed, you can use the Manage-bde command-line tool to pause encryption. To do this, open an elevated command prompt and type the following command, replacing driveletter with the letter of the drive you want to pause encryption on:

manage-bde -pause driveletter:

When you are ready to start encrypting the drive again, type the following command:

manage-bde -resume driveletter:



Quite frequently on information security audits we find machines where group policies have been applied incorrectly or not at all. The IT administrator swears the policy is working, but the policies haven’t always taken effect on every machine. In that situation, on Windows XP machines, we can use GPupdate.exe, Rsop.msc, and GPresult.exe to find out more.

GPupdate

After you make changes to group policies, you may want the changes to be applied immediately, without waiting for the default update interval (90 minutes on domain members and 5 minutes on domain controllers) or without restarting the computer. To make this update, at a command prompt, run the Gpupdate.exe utility.

RSoP

The Resultant Set of Policy MMC snap-in has a nice interface and is easily used. Just go to Start, Run and enter rsop.msc. This will flash up a quick screen with a summary of the environment it’s processing.

When the progress reaches 100%, it will pull up a report of the policies being applied to the computer and the user. You can browse the list, which mirrors the Group Policy Management Console, and see which policies the machine is actually seeing, which might not quite match what you’ve set on the Active Directory server.

You can also use this to diagnose any errors. For example, if a software deployment isn’t coming through for some reason, you can verify that it has access to the policy and has received the command. You can also see any related errors to help your troubleshooting.

GPResult

Starting with Vista SP1, RSoP no longer shows all of the group policies that a computer might have being applied to it. Instead, Microsoft recommends that you use the command line tool GPResult. Just open the Command Prompt and type: gpresult

Being a command-line tool, it can be included in scripts. GPResult has a large number of options to get exactly what you want: you can use it to create a nicely formatted HTML or XML report, and you can also run it remotely against another system and as a different user (provided you know the password).
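For the audit situation described above, the useful step after running gpresult /x report.xml is to read the XML rather than eyeball it. The following is an added example (not from the original post or from Microsoft) that parses a constructed, trimmed sample of that report and classifies each GPO as applied, disabled, invalid, denied by security filtering, or excluded by a WMI filter; the element names Name, Enabled, IsValid, FilterAllowed and AccessDenied are assumed from the RSoP XML schema.

```python
import xml.etree.ElementTree as ET

# gpresult /x writes RSoP XML in this namespace; the element names used below
# (Name, Enabled, IsValid, FilterAllowed, AccessDenied) are assumed from that schema.
NS = {"r": "http://www.microsoft.com/GroupPolicy/Rsop"}

# Constructed, trimmed sample of a gpresult /x report (not real output).
SAMPLE_XML = """<Rsop xmlns="http://www.microsoft.com/GroupPolicy/Rsop">
 <ComputerResults>
  <GPO><Name>Default Domain Policy</Name><Enabled>true</Enabled><IsValid>true</IsValid>
       <FilterAllowed>true</FilterAllowed><AccessDenied>false</AccessDenied></GPO>
  <GPO><Name>Workstation Hardening</Name><Enabled>true</Enabled><IsValid>true</IsValid>
       <FilterAllowed>false</FilterAllowed><AccessDenied>false</AccessDenied></GPO>
 </ComputerResults>
 <UserResults>
  <GPO><Name>Screen Lock Policy</Name><Enabled>true</Enabled><IsValid>true</IsValid>
       <FilterAllowed>true</FilterAllowed><AccessDenied>true</AccessDenied></GPO>
 </UserResults>
</Rsop>"""

def _is_true(gpo, tag):
    el = gpo.find(f"r:{tag}", NS)
    return el is not None and (el.text or "").strip().lower() == "true"

def classify_gpos(xml_text):
    """Map each GPO name, per scope, to 'applied' or the reason it did not apply."""
    root = ET.fromstring(xml_text)
    result = {}
    for scope in ("ComputerResults", "UserResults"):
        result[scope] = {}
        for gpo in root.findall(f"r:{scope}/r:GPO", NS):
            name = gpo.findtext("r:Name", default="?", namespaces=NS)
            if not _is_true(gpo, "Enabled"):
                status = "disabled"   # link disabled in GPMC
            elif not _is_true(gpo, "IsValid"):
                status = "invalid"    # version mismatch or corrupt GPO
            elif _is_true(gpo, "AccessDenied"):
                status = "denied"     # security filtering excludes this principal
            elif not _is_true(gpo, "FilterAllowed"):
                status = "filtered"   # WMI filter evaluated to false
            else:
                status = "applied"
            result[scope][name] = status
    return result

def missing_expected(xml_text, expected):
    # Expected GPO names not applied in any scope: the audit finding to chase down.
    applied = {n for scope in classify_gpos(xml_text).values()
               for n, s in scope.items() if s == "applied"}
    return sorted(set(expected) - applied)
```

Feed it the real report with `classify_gpos(open("report.xml", encoding="utf-16").read())` and compare against the list of GPOs the administrator says are linked.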



A customer that had been printing duplex documents to an HP LaserJet 8150 had to send the printer off for repairs. When they got it back and reconnected it to the network, they were unable to print duplex. Printing test pages from the printer’s console came out duplexed and the settings on the display showed that duplexing was enabled.

When I went to look at the printer properties on the print server, I found a setting under the Device Settings tab for Duplex Unit. It was set to Not Installed. As soon as I changed it to Installed, users were able to print on both sides of the page. I’m not sure what caused the printer to lose this functionality while it was being repaired, but this was the solution.



I run a Windows 7 virtual machine when I need to connect to customer sites. From this VM I frequently create an RDP session on a customer server and then run the vSphere client to connect to the console of multiple VMs. I ran into a problem where the vSphere client would "capture" my mouse/keyboard in the console session. Normally you would press Ctrl-Alt to release the mouse, but unfortunately when running from a desktop VM, this releases the desktop VM and not the connected RDP session. The only way to get out of this is to force a logoff of your RDP session from a different session.

My workaround was to create a new key combination through VMware Fusion to send Ctrl-Alt to the VM.  I believe this same technique will work for VMware Workstation also.



I had an IT consulting customer email me requesting assistance with extending the system partition on a Windows 2003 virtual machine. The partition had been running low on disk space for a while. The customer had extended the vmdk using VMware, but was unable to extend the partition using diskpart. This is normal behavior for a Windows 2003 system so I scheduled downtime so that I could use VMware Converter to fix the problem.

I have done this operation a number of times in the past. You simply tell Converter to convert the VM and target the same ESX cluster with the imported copy. During the operation, VMware gives you the option to change the partition size. Windows recognizes the partition size change at first boot and you are good to go. However, the customer failed to tell me that they had un-marked the C: drive partition as active while trying to get the disk to extend. When I shut the VM down to clone it, it never came back up. Neither did the imported copy. Both were completely useless. They would boot to an “Operating System not found” error.

I tried fixboot and fixmbr from the recovery console but neither worked. I ended up restoring from a CommVault backup. Later, based on some comments from coworkers, I decided to see if I could fix this problem by mounting the disk to another VM and adding back the “active partition” status. I mounted the vmdk that was broken to a Windows 2008 server and using disk manager re-marked the partition as active. Sure enough, after dismounting from the temp VM the original VM booted up no problem. Just one more reason to use virtual machines.



It is possible to boot a Cisco router off of a USB flash drive. This can come in real handy if you are on-site and the compact flash of the router is bad. Here are the steps to do it:

  1. Format your USB flash drive with a FAT file system.  This needs to be FAT and not FAT32.
  2. Copy the system IOS image to the USB flash drive.
  3. While the router is powered off, plug in the USB flash drive to the USB port on the router.
  4. Power on the router and when it starts to boot up press the Break key to enter ROMMON mode.
  5. Once in ROMMON mode enter the following command to boot to USB:
    • boot usbflash0:<system image file name>    (e.g. boot usbflash0:1841-advsecurityk9-mz.124-23.bin)

The following link has some more information about what is supported: http://www.cisco.com/en/US/prod/collateral/modules/ps6247/prod_qas0900aecd80232483.html


During this last maintenance window for a customer, I needed to update and recompose their linked clones and then log in and test the various applications to make sure everything was working properly. After the recompose had completed, I fired up the View client only to be greeted with an error message that said “The View Connection Server connection failed (null).” This was obviously a problem. After some quick searches on the VMware KB, I found an article which states “View Client 4.5.0 or earlier fails to connect to View Connection Server if Internet Explorer 9 Beta or Windows 7 SP1 Beta is installed on the same client system.”

I had IE9 Beta installed. After removing it (and rebooting), the client connected up just fine and all was good again.



If you have more than one domain controller and are trying to examine why an account keeps locking out (for example, after a password change), you can download a tool from Microsoft called LockoutStatus.exe. This tool will help you analyze which Domain Controller the lockout happened against if there is more than one DC. It will also list the time it happened, so it can help speed up the process of examining the Security log in the correct DC’s event logs.

The tool can also be used to unlock accounts easily. You must specify the name of the domain account that you are searching for.

Further information can be found here: http://technet.microsoft.com/en-us/library/cc738772%28WS.10%29.aspx



In a prior post I outlined a method to set the time zone from the command line using a control panel applet. I needed to do this to fix a problem with the Mac RDP client, which doesn't work correctly with time zone redirection. Using the control panel applet works great on XP and 2003 Server, but only launches the Date and Time applet on 2008 and Windows 7. After a little bit of research, I found a utility called tzutil that's included with Windows Server 2008 and Windows 7. This is the same utility Microsoft used to change time zones during the last daylight saving time calendar change.

Syntax: tzutil /s "Central Standard Time"



I had an issue where WSUS on a Windows SBS 2008 system was saying it was synchronizing successfully, but it wasn't downloading updates. All you would get was a message in the event logs from Windows Server Update Services (event id 10032) saying that "The server is failing to download some updates". Clients would show that they needed updates through the WSUS console and via the SBS Console, but the updates would never show up on the server for installation. In the local client WindowsUpdate.log file you would see something similar to the following:

2010-10-12  10:39:45:574  784  1a20 PT       +++++++++++  PT: Synchronizing server updates  +++++++++++
2010-10-12  10:39:45:574  784  1a20 PT       + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://...
2010-10-12  10:39:49:011  784  1a20 PT       +++++++++++  PT: Synchronizing extended update info  +++++++++++
2010-10-12  10:39:49:011  784  1a20 PT       + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://...
2010-10-12  10:39:52:433  784  1a20 Agent  * Found 0 updates and 57 categories in search; evaluated appl. rules of 643 out of 1075 deployed entities

So why would the WSUS server recognize the server needed updates and the client not recognize and download them? Further investigation uncovered the fact that the WSUS Content Repository was nearly empty. Total size of the repository was less than 100 MB. Obviously, none of the patch data had been downloaded.
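To spot this pattern without reading the whole log by hand, the following added example (not from the original post) parses WindowsUpdate.log lines into their fields and flags a sync pass that completed against the WSUS ServiceId yet reported zero applicable updates while the server had deployed entities to evaluate, which is exactly the symptom above. The sample lines are constructed in the same format as the ones quoted, with the server URL left elided.

```python
import re

# Constructed sample in WindowsUpdate.log line format, shaped like the lines in
# the post; the server URL stays elided as in the original.
SAMPLE_LOG = """2010-10-12  10:39:45:574  784  1a20 PT       +++++++++++  PT: Synchronizing server updates  +++++++++++
2010-10-12  10:39:45:574  784  1a20 PT       + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://...
2010-10-12  10:39:49:011  784  1a20 PT       +++++++++++  PT: Synchronizing extended update info  +++++++++++
2010-10-12  10:39:52:433  784  1a20 Agent  * Found 0 updates and 57 categories in search; evaluated appl. rules of 643 out of 1075 deployed entities
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+([\d:]+)\s+(\w+)\s+(\w+)\s+(\w+)\s+(.*)$")
FOUND_RE = re.compile(r"Found (\d+) updates and (\d+) categories in search; "
                      r"evaluated appl\. rules of (\d+) out of (\d+) deployed entities")
SERVICE_RE = re.compile(r"ServiceId = \{([0-9A-Fa-f-]+)\}")

def parse_log(text):
    """Split WindowsUpdate.log lines into date, time, pid, tid, component and message."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(dict(zip(("date", "time", "pid", "tid", "comp", "msg"), m.groups())))
    return entries

def check_sync(text):
    """Summarise one sync pass: did PT reach the server, and what did the Agent find?"""
    summary = {"synced": False, "service_ids": set(), "found": None, "deployed": None}
    for e in parse_log(text):
        if e["comp"] == "PT" and "Synchronizing server updates" in e["msg"]:
            summary["synced"] = True
        sid = SERVICE_RE.search(e["msg"])
        if sid:
            summary["service_ids"].add(sid.group(1).upper())
        if e["comp"] == "Agent":
            f = FOUND_RE.search(e["msg"])
            if f:
                summary["found"], summary["deployed"] = int(f.group(1)), int(f.group(4))
    # The symptom in the post: the sync completes (metadata came through) but the
    # client finds nothing to download even though entities were deployed to it.
    summary["zero_found_after_sync"] = (summary["synced"] and summary["found"] == 0
                                        and (summary["deployed"] or 0) > 0)
    return summary

if __name__ == "__main__":
    print(check_sync(SAMPLE_LOG))
```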

So why was the sync successful? After more investigation, I discovered that the ISA server was blocking what appeared to be anonymous web traffic from the SBS server even though there was an access rule set to allow all HTTP, HTTPS, and FTP traffic from the SBS server. So, skipping to the solution. First, ISA 2004 has a problem with the BITS 7.0 that is used in Windows 2008 and Windows 7. Because the initial synchronization from WSUS ONLY downloads metadata, ISA was letting that out and it would show success in the consoles. WSUS then hands off processing and downloading of the actual patch files (.cabs, etc.) to BITS. ISA was blocking the BITS background download processing, so what we had was metadata for the updates, but no updates. WSUS knew the servers needed the updates, but the servers had nothing to download because the actual content for the updates wasn’t there. The fix is to change the BITS update downloads from a background to a foreground process. ISA seems to allow that just fine.

Do it by running the following query against the WSUS database. The connection can be made via SQL Management Studio Express in most cases…you are just looking to run the query against the SUSDB database.

update tbConfigurationC set BitsDownloadPriorityForeground=1

If you are using Windows 2008 with the Microsoft Internal Database (as SBS 2008 does), this proves to be a little more challenging because you have to connect with SQL Management Studio Express using named pipes instead of TCP/IP. Connect using named pipes by entering this as the server name:

\\.\pipe\mssql$microsoft##ssee\sql\query