technical solutions and commentary

May 28, 2005

Great RSS feed reader

Filed under: Uncategorized — Jason Hartley @ 3:08 am

I found my new favorite RSS feed reader! It’s RSS Bandit and can be downloaded here http://www.rssbandit.org/ for free. I used it in the past and switched to SharpReader. I downloaded RSS Bandit to give it a try again and the improvements are great. It is similar to FeedDemon but doesn’t cost the $29. If you don’t have a feed reader or haven’t tried out RSS Bandit in a while, give it a try… I know this sounds like a shameless ad but this product is great.

BTW, here is another great site for locating technical podcasts with great content: http://www.techpodcast.com/

porting past content

Filed under: Uncategorized — Jason Hartley @ 12:01 am

I will be moving the content from my MSN Spaces site to this blog. Until the move is complete you can access the past content at http://spaces.msn.com/members/systemsengineer

May 26, 2005

GPO base software installation failing from cluster shares

Filed under: Uncategorized — Jason Hartley @ 4:00 pm

Last week I was working with a customer on a problem with software installations using Active Directory Group Policy Objects (GPOs). We had the GPO installs working great for months. The installation files for the software had to be migrated from one cluster server to another during system upgrades. During this process a Dfs tree was set up for the file shares in the organization.

The plan was to use the Dfs path as the software installation source from this point on. This is beneficial because whenever the software installation source path changes, the GPO has to be modified to use the new path: a new software installation package is created within the GPO using the new path, and the old package that used the old source path is deleted. This may not be a big deal if there are only a handful of applications delivered through the GPO, but when you get into higher numbers it becomes a real pain.

When I got called in to assist with this issue, at first glance it looked as if something was wrong with the Distributed File System (Dfs), since the GPO wouldn’t install managed software onto the workstations when the Dfs path was used for the source files.

The workstation logged Event IDs 102, 108 and 303 from the ‘Application Management’ source in the Application log.

The resolution is toward the bottom if you want to skip all the details.

Here are the steps I took to get to the bottom of the issue:

1. Eliminated the source files and the GPO security as the issue – I set up a share on a file server, copied the source files over, created an installation package and tested.
2. Eliminated Dfs as the source of the problem – I created a Dfs link pointing to the share I created in step 1, created a new installation package… worked fine.
3. Eliminated the active cluster node (security/availability) as a source of the issue – I created a software installation package using the server node name of the active node in the cluster… worked fine.

At this point it was obvious that it was an issue with the cluster service. But where to go from here was tricky. I could access the installation files through the cluster share no problem. I tried it as an admin and as a regular network user… I could run the install manually using the same source files and path the GPO was set up to use.

I checked the event logs on the server again and ran some diagnostic utilities on the server; I got some errors on DNS which didn’t apply. I triple-checked the permissions on the share and folders. I even granted the test machine account explicit Full Control permissions on the share… but nothing. Next I created a new Network Name cluster resource and set up a new share to the install files. Still didn’t work.

RESOLUTION – this is what it came down to.

There were no computer accounts in Active Directory for the Network Name of the resource group. For example, the virtual name of the cluster server could be \\filecluster1\software\, while the actual names of the physical server nodes could be \\file1node1 and \\file1node2. So while the share could be accessed manually by the virtual name, it wouldn’t work for applying software through a GPO.

What happened was that the cluster service domain account was a member of the “Domain Users” group and not a member of the “Domain Admins” group. By default, “Domain Users” have the right to add computer account objects to Active Directory a total of 10 times. This limit had obviously been reached before the cluster service could add the “Network Name” resources to Active Directory as computer objects. As a result Kerberos authentication did not work properly when the GPO and machine attempted to access shares from the clustered Network Name resource, which requires that the Network Name resource have a computer object in AD.

In order to register the Network Name resource in AD, the Network Name resource must be taken offline and the command ‘cluster res “network name resource” /priv requirekerberos=1:dword’ run as a domain admin at the command prompt on the active cluster node. This creates the required computer object in AD for the resource and fixes the Kerberos authentication problems. I would open a command prompt and type the command, then take the network name offline, press Enter to execute the command in the command window, and then bring the resource back online. It only saves 30-60 seconds of downtime, but that can mean a few phone calls if it’s done at the wrong time.
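The following script is an added example, not part of the original post, showing how to confirm the condition described above before applying the fix: it checks whether a computer object exists for the virtual name, how much of the domain’s machine-account creation quota (the ms-DS-MachineAccountQuota attribute; AD records the creator of quota-created objects in mS-DS-CreatorSID) the cluster service account has already used, and whether a workstation shows the three Application Management events, then runs the cluster.exe commands from the post. It assumes the ActiveDirectory PowerShell module for the AD checks and cluster.exe on the active node; the resource name, virtual name, and service account name are placeholders.

```powershell
# Added example (not from the original post). Placeholders: replace with your values.
Import-Module ActiveDirectory

$NetworkNameResource = 'File Server Network Name'   # placeholder: cluster Network Name resource
$VirtualServerName   = 'filecluster1'                # placeholder: the virtual name clients use
$ClusterServiceAcct  = 'clustersvc'                  # placeholder: cluster service domain account
$Apply               = $false                        # set to $true on the active node to remediate

# 1. Is there a computer object for the virtual name?  Without it the post's
#    GPO-driven installs fail although manual access to the share still works.
$computer = Get-ADComputer -Filter "Name -eq '$VirtualServerName'" -ErrorAction SilentlyContinue
if ($computer) {
    "Computer object present: $($computer.DistinguishedName)"
} else {
    "No computer object for $VirtualServerName - Network Name is not registered in AD"
}

# 2. Has the cluster service account exhausted its quota?  Non-admin accounts may
#    create only ms-DS-MachineAccountQuota computer objects (10 by default).
$domain  = Get-ADDomain
$quota   = (Get-ADObject -Identity $domain.DistinguishedName `
              -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
$sid     = (Get-ADUser -Identity $ClusterServiceAcct).SID.Value
$created = @(Get-ADComputer -LDAPFilter "(mS-DS-CreatorSID=$sid)")
"Quota: $quota; computer objects created by ${ClusterServiceAcct}: $($created.Count)"
if ($created.Count -ge $quota) {
    "Quota exhausted - the cluster service cannot register further Network Names"
    $created | Select-Object Name, Created | Format-Table -AutoSize
}

# 3. On an affected workstation: the symptom events named in the post.
Get-EventLog -LogName Application -Source 'Application Management' -Newest 100 -ErrorAction SilentlyContinue |
    Where-Object { @(102, 108, 303) -contains $_.EventID } |
    Select-Object TimeGenerated, EventID, Message |
    Format-Table -AutoSize -Wrap

# 4. Remediation from the post, run as a domain admin on the active cluster node:
#    offline the Network Name, require Kerberos (creates the computer object), online it.
if ($Apply) {
    cluster res "$NetworkNameResource" /offline
    cluster res "$NetworkNameResource" /priv requirekerberos=1:dword
    cluster res "$NetworkNameResource" /online
    cluster res "$NetworkNameResource" /priv      # verify RequireKerberos now reads 1
}
```

Steps 1 and 2 run from any domain-joined machine with the AD module; step 3 is meant for the workstation that failed the install; step 4 is the post’s fix and is gated behind $Apply so the diagnostics can be run without touching the cluster.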

Microsoft KB 302389 provides further details, along with KB 235529, which also provides a work-around for this issue.

Other articles I used in the research are: Microsoft KB 278472, KB 241452, KB 305293, and KB 257932.

Disclaimer: Use this information at your own risk. This information is provided as is. No guarantees or warranties are implied. That goes for all of the information contained on this site.

May 19, 2005

iPodder and podcasting

Filed under: Uncategorized — Jason Hartley @ 3:28 am

I’ve been hearing about Podcasting a lot recently and didn’t really know what it was, so I downloaded the iPodder client from http://ipodder.sourceforge.net/index.php and gave it a whirl. You can subscribe to all kinds of feeds or download individual audio programs to your PC. You can listen to them on your PC, iPod or MP3 player, and most are short enough to burn to audio CD. So far I’ve listened to a bunch of tech news/talk programs… they have all been of good audio quality and the content so far has been decent. There are all kinds of different types of podcast content, not just technical content. Great concept.

Here are a couple of sites where you can browse and obtain podcasts: http://www.ipodder.org/, http://www.podcastalley.com/

Turning off LANMAN Authentication on the Network

Filed under: Uncategorized — Jason Hartley @ 3:10 am

In order to provide a higher level of security on your Windows 2000+ domain, you can disable LANMAN authentication. You will need to make sure there are no Windows NT/95/98/Me machines authenticating to your domain first.

Using the Default Domain Policy:
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Modify the setting: “Network Security: LAN Manager Authentication Level”

Typical options for consideration:
“Send NTLMv2 response only” – clients can attempt to use LM, NTLM and NTLMv2 but the server will only respond in NTLMv2.

“Send NTLMv2 response only / Refuse LM” – clients can attempt to use NTLM and NTLMv2 but the server will only respond in NTLMv2.

“Send NTLMv2 response only / Refuse LM & NTLM” – clients must use NTLMv2 and the server will only respond in NTLMv2. (Most secure method.)

Authentication types:
LM – used by the Windows 95/98/Me OS
NTLM – used by the Windows NT4 SP3 and earlier OS
NTLMv2 – used by the Windows NT4 SP4+ / 2000 / XP / 2003 OS
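The policy above writes the LmCompatibilityLevel DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (values 0 to 5, where 3 to 5 are the three options listed). As an added example that is not part of the original post, this script audits that value across a list of machines so you can see which still accept LM or NTLM before and after the GPO is applied. The computer names are placeholders; reading a remote registry needs the Remote Registry service running and administrative rights on each target.

```powershell
# Added example (not from the original post): audit LAN Manager authentication level.

# Value-to-policy mapping for "Network Security: LAN Manager Authentication Level".
$LmLevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only / Refuse LM'
    5 = 'Send NTLMv2 response only / Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    param([string]$ComputerName)
    # Read the effective registry value; $null means the OS default applies.
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    try {
        $key   = $hive.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
        $value = $key.GetValue('LmCompatibilityLevel')
        if ($null -eq $value) { return $null }
        return [int]$value
    } finally {
        $hive.Close()
    }
}

$Targets = 'dc1', 'fs1', 'ws-accounting-07'   # placeholders: machines to audit
$Minimum = 5                                  # "Refuse LM & NTLM", the post's most secure option

'{0,-20} {1,-6} {2,-5} {3}' -f 'Computer', 'State', 'Level', 'Policy'
foreach ($c in $Targets) {
    try {
        $level = Get-LmCompatibilityLevel -ComputerName $c
        $name  = if ($null -eq $level) { 'not set (OS default applies)' } else { $LmLevelNames[$level] }
        # Anything below the minimum, or unset, is reported as weak so it gets reviewed.
        $state = if ($null -ne $level -and $level -ge $Minimum) { 'OK' } else { 'WEAK' }
        '{0,-20} {1,-6} {2,-5} {3}' -f $c, $state, $level, $name
    } catch {
        '{0,-20} ERROR  {1}' -f $c, $_.Exception.Message
    }
}
```

Run it once before changing the Default Domain Policy to find machines that would lose access, and again after the policy refreshes to confirm every target reports OK.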

Related KB Articles:
“You Cannot Join a Windows XP Computer to a Windows Server 2003 Domain During an Unattended Setup”

“Top 10 Potential Problematic Security Settings for Microsoft Windows XP Professional Edition and Microsoft Windows Server 2003”

May 18, 2005

Office Updates and WSUS

Filed under: Uncategorized — Jason Hartley @ 11:28 am

Question: “Would Office updates deployed using WSUS require the client PCs to put in an Office CD as the manual/web-based method often requires?”

Answer: If you installed MS Office from an administrative installation point (a network share to which the files were copied using the Office setup switch “setup.exe /a”), you should not need the CD for applying updates, either via the web or through WSUS. Also, there is an option to “remove the installation files from the computer” if you installed Office from a CD onto a computer. I have not tried it with WSUS, but if you leave the install files on the drive, I believe you don’t need the CD for updates either.

May 16, 2005

GPO updates and adm extensions

Filed under: Uncategorized — Jason Hartley @ 11:44 am

I have been asked several times by admins where the Group Policy settings are for the Windows Firewall and other newer settings. Often admins are working on a 3rd-party application such as an anti-virus application or workstation security suite and run into compatibility issues with Windows Firewall settings.
The documentation from the vendor may indicate that you can change Windows Firewall settings using a GPO, but the settings are not in the GPO on a default installation of Windows Server.

Each time Microsoft releases a Service Pack, it contains updated Group Policy settings. These GPO settings are contained in “.adm” files which need to be updated on the Domain Controllers. The new GPO settings can be downloaded from http://www.microsoft.com/downloads by using “GPO” as the search term. The results will display the link for “Group Policy ADM Files”. Click on this download link and scroll to the bottom of the page to see the files available. Download the GPO updates you want. If you download the newest collection, for example Windows XP SP2, it will contain the prior SP updates for Windows XP SP1.
Extract these files and copy the adm files to the ‘%SystemRoot%\inf’ folder (i.e., C:\Windows\inf). Make sure you do this on all the Domain Controllers so your environment is consistent (backing up the old adm files before overwriting them is a good idea). When you open the GPO editor you will then be able to see the new settings.
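As an added example (not code from the original post), this script performs the copy step above for every Domain Controller at once: it backs up the templates already in %SystemRoot%\inf, copies the extracted .adm files in over the admin$ share, and then hashes each template on every DC to confirm the environment is consistent. It assumes the ActiveDirectory module for enumerating DCs and Get-FileHash (Windows PowerShell 4.0 or later); the source folder path is a placeholder.

```powershell
# Added example (not from the original post): deploy .adm templates to all DCs and verify.
Import-Module ActiveDirectory

$Source = 'C:\Downloads\GPO-ADM-XPSP2'   # placeholder: folder holding the extracted .adm files
$DCs    = (Get-ADDomainController -Filter *).HostName
$Stamp  = Get-Date -Format 'yyyyMMdd-HHmm'
$AdmFiles = Get-ChildItem -Path $Source -Filter *.adm

foreach ($dc in $DCs) {
    $inf    = "\\$dc\admin$\inf"                     # admin$ maps to %SystemRoot% on the DC
    $backup = "\\$dc\admin$\inf\adm-backup-$Stamp"   # keep the old templates, as the post advises
    New-Item -ItemType Directory -Path $backup -Force | Out-Null

    foreach ($file in $AdmFiles) {
        $dest = Join-Path $inf $file.Name
        if (Test-Path $dest) { Copy-Item -Path $dest -Destination $backup -Force }
        Copy-Item -Path $file.FullName -Destination $dest -Force
    }
    "Updated $($AdmFiles.Count) template(s) on $dc (backup in $backup)"
}

# Consistency check: each template should hash identically on every DC.
$report = foreach ($dc in $DCs) {
    foreach ($file in $AdmFiles) {
        $h = Get-FileHash -Path (Join-Path "\\$dc\admin$\inf" $file.Name) -Algorithm SHA256
        [pscustomobject]@{ DC = $dc; File = $file.Name; Hash = $h.Hash }
    }
}
$report | Group-Object File | ForEach-Object {
    $versions = @($_.Group | Select-Object -ExpandProperty Hash -Unique).Count
    $status   = if ($versions -eq 1) { 'consistent on all DCs' } else { "MISMATCH ($versions different versions)" }
    '{0,-30} {1}' -f $_.Name, $status
}
```

A mismatch line means one DC still holds an older template, so the settings shown in the GPO editor would depend on which DC the console connects to.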

A couple of important items to note:
1.) Some of the non-standard GPO settings may need to be added to the Administrative Tools area in the GPO object. You can do this by right-clicking the Administrative Tools folder, choosing add/remove and then choosing the add-in for items such as Windows Media Player, etc.
2.) You may get an error after you update the adm files on the server when you open the GPO editor. It will say “The following entry in the [strings] section is too long and has been truncated”. There is a hotfix for this issue; you can see the details on it and get the fix from this link: http://support.microsoft.com/default.aspx?scid=kb;en-us;842933.

Exchange Migration Comparison

Filed under: Uncategorized — Jason Hartley @ 11:18 am

A good resource for engineers who are planning an Exchange Server migration: “A comparison of the migration methods for migrating from Exchange Server 5.5 to Exchange Server 2003 or to Exchange 2000 Server”

May 14, 2005

Importance of Anti-virus and a firewall

Filed under: general — Jason Hartley @ 11:09 am

Here’s a link to a BBC news segment about what can happen if you connect a PC to the internet without Anti-virus and firewall protection… interesting.

May 9, 2005

FRS replication problems with DFS

Filed under: Uncategorized — Jason Hartley @ 12:57 pm

If you use Microsoft’s DFS (Distributed File System) in conjunction with Microsoft’s FRS (File Replication Service) to organize and distribute data through your organization, you may have run into problems with data replicas being up to date.

A company which I support experienced problems with their DFS/FRS configuration. They have a central location which houses the master file share for their company shared data (about 2 GB worth). They have a branch office which they use FRS to replicate this data to. This data is fairly static, so it’s a good candidate for FRS. We discovered that shortly after the data replicated to the remote server for the first time, it was not being kept up to date. In addition to comparing the file replicas manually, we also used Ultrasound (a powerful tool from Microsoft that measures the functioning of an FRS replica set) to monitor the replication.

In troubleshooting this problem, we discovered that the FRS staging area is set by default to 660 MB in Windows Server 2003 (Windows 2000 can experience this same problem). If you have a lot more data than this in the share you are trying to replicate, you will most likely need to increase the size of the staging area manually. This is done in the registry of the master server and the replica server. Then the FRS service needs to be restarted and the replication should work.

Microsoft has a couple of useful KB articles on how to do this:
• File Replication Service Stops Responding When Staging Area is Full (KB 264822)
• Configuring Correct Staging Area Space for Replica Sets (KB 329491)
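As an added example that is not part of the original post, the script below does the registry change described above on one FRS member: it sizes the replicated folder, reads the staging limit (the “Staging Space Limit in KB” DWORD under the NtFrs Parameters key, whose default of 675840 KB is the 660 MB mentioned in the post), raises the limit when the data outgrows it, and restarts FRS. The replica path and the 1.5x sizing rule are constructed for illustration, and the script must be run on both the master and the replica server.

```powershell
# Added example (not from the original post): check and raise the FRS staging limit.
$ReplicaRoot = 'D:\Shares\CompanyData'      # placeholder: the folder in the replica set
$FrsKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'
$ValueName   = 'Staging Space Limit in KB'   # REG_DWORD; default 675840 KB (660 MB)
$DefaultKB   = 675840

# Total size of the replicated data, in KB (files only, hidden files included).
$files  = Get-ChildItem -Path $ReplicaRoot -Recurse -Force -ErrorAction SilentlyContinue |
          Where-Object { -not $_.PSIsContainer }
$dataKB = [math]::Ceiling(($files | Measure-Object -Property Length -Sum).Sum / 1KB)

# Current staging limit; an absent value means the default is in effect.
$current = (Get-ItemProperty -Path $FrsKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($null -eq $current) { $current = $DefaultKB }
'Replicated data: {0:N0} KB; staging limit: {1:N0} KB' -f $dataKB, $current

if ($dataKB -gt $current) {
    # Illustrative rule: staging at 1.5x the data size so a large change burst still fits.
    $newKB = [int]([math]::Ceiling($dataKB * 1.5))
    Set-ItemProperty -Path $FrsKey -Name $ValueName -Value $newKB -Type DWord
    Restart-Service -Name NtFrs
    'Staging limit raised to {0:N0} KB and FRS restarted; repeat on every member of the replica set' -f $newKB
} else {
    'Staging limit already exceeds the data size; check Ultrasound and the FRS event log for another cause'
}
```

Running it on only one member leaves the other with the old limit, which is exactly the mismatch the post warns about, so run it on the master and the replica before comparing the copies again.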
