Ondrej Žilinec – IT Blog

I was facing weird problem with computers when I was trying to migrate computer accounts between two active directory domains. When you use ADMT to migrate computer accounts, ADMT installs ADMT Agent on computer and this ADMT Agent makes all changes during computer account migration.

Problem

When there was computer with ESET Smart Security installed I had following problems. First problem was that migration failed and in ADMT log file I received following error:

2013-04-12 16:29:54 The Active Directory Migration Tool Agent will be installed on CENTRALA.DOMAIN.LOCAL
2013-04-12 16:29:59 WRN1:0000 Could not open SCManager on \\CENTRALA.DOMAIN.LOCAL : GetLastError() returned 5
2013-04-12 16:29:59 WRN1:7015 Failed to connect to the service control manager on \\CENTRALA.DOMAIN.LOCAL, rc=5   Access is denied.
2013-04-12 16:29:59 ERR2:7006 Failed to install agent on \\CENTRALA.DOMAIN.LOCAL, rc=5   Access is denied.

 So error number 5 means I have no rights somewhere. After reading couple pages of ADMT documentation I found out that ADMT installs ADMT Agent using Admin share called ADMIN$. So I tried to access ADMIN$ share on computer CENTRALA.DOMAIN.LOCAL. I received following error:

I have never seen such an error:”An attempt was made to logon, but the network logon service was not started.”. I checked services on computer CENTRALA.DOMAIN.LOCAL and Windows was right. Service NETLOGON was Disabled!

Solution

I had to temporary turn off ESET Smart Security (I would preffer not use this software at all 🙂 ) and also enable and start service NETLOGON.

Conclusion

Every computer I migrated and had installed ESET Smart Security had the same problems. So IMHO ESET Smart Security has changed service NETLOGON to Disabled. I really don’t understand why this is necessary, but I think it’s not right way “smart security product” should protect your computer.

I found one article about disabling NETLOGON service as security practice. It’s maybe good security practice, but there is also pitfall stated on websie:

If you disable the NetLogon service, a workstation no longer functions reliably as a domain member. This setting may be appropriate for some computers that do not participate in domains. However, it should be carefully evaluated before deployment.

I’m wondering what other functions are not available when NETLOGON disabled (besides not accessible ADMIN$ share) on domain member computer.

I hope this helps someone 🙂

Couple of days I’ve got question from my friend if there is way to setup Exchange mailbox to be Read-only for other users in company. I never needed it, because when someone else needed to access other’s mailbox, I just set FullAccess rights on mailbox and everythin worked fine.

Testing scenario

Exchange 2010

Tester user called Tester with following content of mailbox:

Tester user called Tester02 wich wants to access whole mailbox of user Tester, but Read-only.

When I set Reviewer for user Tester02 on mailbox Tester under Outlook:

Problem

When I connect Tester’s mailbox into Tester02’s Outlook profile I can see following:

So I can see only Inbox. I don’t see any folder underneath it. We can check this permissions also using Powershell:

When we look on mailbox folder permissions underneath Inbox, for example “Inbox\My friends” folder, we can see following:

This means that mailbox folder permissions are not inherited. So we can set permission per folder. So let’s test to add permission to folder Inbox and subfolder “My friends”:

and now we can see also subfolders under account Tester02:

This means that using Outlook or powershell commandlet Add-MailboxFolderPermission can set permissions only on one folder and these settings are not inherited! This is really weird. I couldn’t find any setting to allow inheritance.

Another way to set permissions of mailbox folders is set permissions on whole mailbox. This can be set by users which have rights to manage exchange mailboxes. Let’s look on powershell cmd-let Add-MailboxPermission. This cmdlet allows you to set just following access rights: FullAccess, SendAs, ExternalAccount, DeleteItem, ReadPermision, ChangePermision and ChangeOwner. Neither one of these rights define Read-only access to mailbox.

Solution

So there is no easy way to share whole mailbox between users in read-only manner. Only way I can think of is to run some powershell script. For example:

Add-MailboxFolderPermission tester -User tester02 -AccessRights Reviewer

ForEach($folder in (Get-MailboxFolderStatistics -Identity tester) )

{

$fname = “tester:” + $folder.FolderPath.Replace(“/”,”\”);

Add-MailboxFolderPermission $fname -User tester02 -AccessRights Reviewer

}

where “tester” is account with shared mailbox and “tester02” is account which want to access shared mailbox.

After this powershell commands are done, Tester02 can see Tester’s mailbox:

But when user Tester creates new folder in his mailbox, user Tester02 will not see it unless user Tester sets permissions on new mailbox folder.

I hope guys from Microsoft will solve this issue in next release of Exchange. 🙂

Installation of WSUS on Windows Server 2012

I started to install WSUS service on Windows Server 2012. I selected to install Windows Internal Database as store of WSUS metadata.

I selected to store updates on local C:\ drive (it’s just testing machine):

After first run on Windows Server Update Services management tool WSUS asks again if I want to store updates locally or not:

When I click Run, post-installation starts to run:

And I received Post-installation “notification” 🙂 in Microsoft word it means I have a problem (Failed to restart the current database. The currecnt database is switched to master):

So if computer has problem with restarting database, let’s restart service. Didn’t help 🙂 Let’s restart whole computer. Didn’t help either. So the problem will be somewhere else.

I tried to install WSUS from scratch. I uninstalled WSUS and also Windows Internal Database feature. I also deleted data for Windows Internal Database from directory C:\Windows\WID. Then I installed WSUS with all dependecies – WID, IIS, …

Now I’m getting different error:

Problem was backslash in input window for defining directory to store updates 😀 This path was predefined by wizard and it was wrong. This is really funny 🙂

So after reinstallation of WSUS and WID and defining “correct” path to update store directory (without backslash on the end 🙂 ) everything looks to be done correctly:

Let click Close and look what’s new in WSUS. First we need to configure WSUS and I did it using WSUS Wizard. I don’t see any news in this Wizard compared to older one.

Exploring WSUS

I haven’t notice any news in WSUS mmc console. I always use client side group targeting. This feature allows you to create groups of computers in WSUS structure. It can be used to target updates specified for testing to just group of computers and so on. To make this working you need to set client side of group targeting by defining name of Group and also you need to create new Computer Group in WSUS structure. What I always forget it to create these Computer Groups in WSUS structure 🙂 I would love to see some option to allow WSUS to create these Computer Groups automatically. But this didn’t happend of this version of WSUS.

I think the most powerful thing Microsoft added into WSUS is support for Powershell cmd-lets. Most of the time WSUS settings about update Classifications and update Products are same from customer to cutosmer, so you can automate this settings using cmd-lets Get-WsusClassification, Set-WsusClassification, Get-WsusProduct and Set-WsusProduct.

To get some information about WSUS Server it selft you can use cmd-let Get-WsusServer:

There are more interesting cmd-lets. One is Get-WsusComputer which prints out some more information about computer reported into WSUS:

Get-WsusComputer has lot of ability to filter out computers on some conditions. Failed, Needed, …

To manage updates from powershell you can use cmd-lets Get-WsusUpdate, Approve-WsusUpdate and Deny-WsusUpdate. You can for example approve all updates that are Unapproved and FailedOrNeeded:

Get-WsusUpdate -Classification All -Approval Unapproved -Status FailedOrNeeded | Approve-WsusUpdate -Action Install -TargetGroupName “All Computers”

And the last cmd-let I really love, because I can make scheduled task to run Clean-up Wizard. Cmd-let is Invoke-WsusServerCleanup. You can do every cleanup task you can make from GUI.

Conclusion

I don’t think there is too much to improve on WSUS, but little powershell support for WSUS is handy.

Today I solved one network issue. Customer has Tomcat webserver. This server is located at central site. Users which use this Tomcat website are located at branches. These branches are connected via MLPS network. There is Kerio in between MPLS network and central site. Problem was that people from central site could use Tomcat website, but people from branch offices couldn’t use it. After couple minutes of analyzing network using Wireshark, I found out that problem is caused by IP fragmentation.

I solved it by Enabling PMTU black hole detection and Disabling PMTU Discovery as described HERE.

I found also old article about this issue at Kerio support forum.

Today was new version of Exchange testing applications released. More about it is HERE.

I had to run one vbs script on Windows 7 with UAC enabled. This script was implemented as part of Run/RunOnce technology in Windows. When you want some script/application to run everytime you log in or just once you log in, you can use this technology built-in Windows. You can read about it here. Implementation of these registry keys was easy. Problem raised when I found out that script doesn’t run in elevated mode – without administrative privileges.

If you need to run some script in elevated mode, you can right-click on script and select “Run as administrator”. This is fine, but what about script that is part of registries? There is no way to right-click 🙂 You have to use UNDOCUMENTED parameter “runas” of parameter ShellExecute of object Shell.Application. It’s really undocumented on official sites!

Another bad thing of running script in elevated mode is that you cannot access network drives which you have mapped. You need to remap them and then you can use them.

There are nice articles which describe how to run scripts in elevated mode:

• One is about ShellExecute secret “runas”
• Second is nice .bat script to remap network drives and run it in elevated mode

This saved me couple hours of fight with scripts 🙂

When I wanted to Enable AD users in Lync Server 2010 which were members of Domain Administrators and Enterprise Administrators I received error:

Active Directory operations failed on “DC_server”.  You cannot retry this operation: “Insufficient access rights to perform the operation 00002098: SecErr: DSID-03150E8A, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0”

It’s same problem as Exchange has. You cannot be member of those two groups, because periodically all accounts in this groups have cleared Include inheritable permissions from this object’s parent and set explicit permissions by AD. But if you want to add members of those administrative groups into Lync you can check checkbox Include inheritable permissions from this object’s parent, enable user in Lync and uncheck checkbox Include inheritable permissions from this object’s parent after you are done.

Exchange fixed this issue after couple year in Exchange 2010 SP3. Hopefully we will have some fix also for Lync Server.

Here is one reason why I don’t like ESET Antivirus:

I don’t think it needs any comments 😀

Here is official website I saw it at.

Problem

Today I was at one customer which recently installed TrendMicro Worry-Free Business Security solution. It’s firewall and anti-* product. Today I noticed there is no free space on C:\ disk. Trend Micro ate 19 GB! The biggest portion of space was located at C:\Program Files\Trend Micro\Security Server\PCCSRV\Log. There were files called ofcdebug-*.log which were about 150 MB of size and there was lots of them. And there new comming and comming 🙂

Solution

Those file are debugging log files. There is really weird way to disable them. In management website you need to click on little small letter “M” in the logo:

New window appears where you can enable/disable debug logs:

This is really weird way to set logging by looking for some small letter “M” 🙂

More about it on official site.

You can configure expiration period for Certification Template. By default there are default maximum validation periods set to:

• One year for Stand-alone Certification Authority
• Two years for Enterprise Certification Authority

This means you have Certification Template set its validity for example for 10 years, but you can enroll certificates with validity 1 or 2 years (Stand-alone / Enterprise Certification Authority).

This can be changed via registry keys described in KB254632.

Thank you for my colleague Róbert Švec.