Category Archives: worklog

Event data mining with PowerShell

On Server 2008 and 2008 R2, if your Domain Controllers aren’t configured to require LDAP signing and disallow simple LDAP binds in plaintext, Active Directory Domain Services logs a warning event on startup, and summary events every 24 hours.

A couple weeks ago, I followed the recommendation to enable logging of unsigned and plaintext LDAP authentication requests. Setting the LDAP Interface Events value to 2 generates a Directory Services event 2889 for each connection.

Now I want to do some analysis of the collected events. The event structure puts the important details, namely the client identity and IP address, in the big description text field. It looks like this:

Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 11/3/2010 11:46:38 AM
Event ID: 2889
Task Category: LDAP Interface
Level: Information
Keywords: Classic
User: ANONYMOUS LOGON
Computer: CDC01.campus.ad.uvm.edu
Description:
The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a cleartext (non-SSL/TLS-encrypted) LDAP connection.

Client IP address:
132.198.124.202:53298
Identity the client attempted to authenticate as:
CAMPUS\myhost0256BB4$

Previously, I’ve exported the logs to CSV format, then used Excel and some text-mangling functions to pull out the important details. But I noted that the two important values were nicely separated in the XML representation of the event:

Event Xml: 
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> 
  <System> 
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS LDAP" /> 
    <EventID Qualifiers="16384">2889</EventID>
    <Version>0</Version> 
    <Level>4</Level> 
    <Task>16</Task> 
    <Opcode>0</Opcode> 
    <Keywords>0x8080000000000000</Keywords> 
    <TimeCreated SystemTime="2010-11-03T15:46:38.219250600Z" /> 
    <EventRecordID>122013</EventRecordID> 
    <Correlation /> 
    <Execution ProcessID="512" ThreadID="3396" /> 
    <Channel>Directory Service</Channel> 
    <Computer>CDC01.campus.ad.uvm.edu</Computer> 
    <Security UserID="S-1-5-7" /> 
  </System> 
  <EventData> 
    <Data>132.198.124.202:53298</Data> 
    <Data>CAMPUS\myhost0256BB4$</Data> 
  </EventData> 
</Event>
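Pulling those two Data elements out with PowerShell, as an added example rather than the author's script: the parser below takes the event XML, splits the address from the port, and a second function tallies binds per client. It assumes PowerShell 2.0 or later (for Get-WinEvent) on the DC; the offline check reuses the XML shown above.

```powershell
# Added example (not the author's script): parse the EventData of a
# Directory Service 2889 event and summarize unsigned/cleartext LDAP binds
# by client address. Assumes PowerShell 2.0+ (Get-WinEvent) on the DC.
function ConvertFrom-LdapBindEvent {
    param([Parameter(Mandatory = $true)][xml]$EventXml)
    $sys  = $EventXml.Event.System
    $data = @($EventXml.Event.EventData.Data)   # [0] = "IP:port", [1] = identity
    # Split on the last colon so an IPv6 client address keeps its own colons.
    $cut = $data[0].LastIndexOf(':')
    # TimeCreated carries 9 fractional digits; .NET parses at most 7, so trim.
    $stamp = $sys.TimeCreated.SystemTime -replace '(\.\d{7})\d+', '$1'
    New-Object PSObject -Property @{
        Time     = [datetime]$stamp
        DC       = $sys.Computer
        ClientIp = $data[0].Substring(0, $cut)
        Port     = [int]$data[0].Substring($cut + 1)
        Identity = $data[1]
    }
}

function Get-LdapBindSummary {
    param([Parameter(Mandatory = $true)]$Events)
    $Events | Group-Object ClientIp | Sort-Object Count -Descending |
        Select-Object Count, @{n = 'ClientIp'; e = { $_.Name }},
            @{n = 'Identities'; e = { ($_.Group | ForEach-Object { $_.Identity } | Sort-Object -Unique) -join ', ' }}
}

# Offline check using the event XML from the page (trimmed to the elements used).
[xml]$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID Qualifiers="16384">2889</EventID>
    <TimeCreated SystemTime="2010-11-03T15:46:38.219250600Z" />
    <Computer>CDC01.campus.ad.uvm.edu</Computer>
  </System>
  <EventData>
    <Data>132.198.124.202:53298</Data>
    <Data>CAMPUS\myhost0256BB4$</Data>
  </EventData>
</Event>
'@
ConvertFrom-LdapBindEvent $sample | Format-List

# Live use: read every 2889 event from the Directory Service log on this DC.
$live = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889 } |
    ForEach-Object { ConvertFrom-LdapBindEvent ([xml]$_.ToXml()) }
Get-LdapBindSummary $live | Format-Table -AutoSize
```

Each row of the summary gives one client address with the set of accounts it bound as, which is the list to work through before switching the DCs to require signing.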


Monday – 2009-09-28

Today’s issues:

  • Backup issues
  • Shared folder quotas
  • Printer configurations
  • Data execution protection

I created a Server 2008 x64 guest for managing 64-bit drivers on our shared printers. It works much better than trying to use Printer Management MMC in RSAT on Windows 7.

One hiccup I ran into while installing the Ricoh PCL6 Driver for Universal Print was that it was missing a file. Fortunately, I had also downloaded and extracted the non-universal PCL6 drivers, and the file was present in the drivers for the corresponding platforms (x86, x64).

Looking at adding a -WhatIf switch parameter to my SharePoint Backup PowerShell script. Useful info at Negating PowerShell switch parameters.

Now wrestling with Task Scheduler and PowerShell invocation syntax.

backups – Bad and Good

We’ve been working with our backup vendor to address some shortcomings of their product as it relates to Windows 2008 system recovery. This was precipitated by a failure of a portion of our virtual infrastructure, which led to corruption of several hosts’ virtual disk files.

We managed to rebuild one failed host from bare (virtual) metal, because EMC Networker could not recover the system from backups. For Server 2008 systems, they require backups made with client 7.5.1 and restored with 7.5.1 and you have to enable/install any server role that was present on the original system before performing the restore.

We’ve been working on other ways to make sure we can recover from a system failure. Greg has successfully scripted using Server 2008’s printer management scripts to dump printer info to files. I’ve been working on scripted backup of SharePoint site collections. I got some help from Microsoft in determining the correct permissions needed for a service account to perform STSADM backup operations, which has been a thorny issue (see KB896148).

re-enabling ESET NOD32

ESET has fixed the problem that caused widespread system hangs. If you followed my instructions to disable NOD32, you can re-enable it by repeating those steps and changing one word: replace disabled with auto.

To recapitulate:

1. Boot into safe mode

2. In either the Run dialog or the Vista Start Menu search box, type the following:

cmd /k "sc config ekrn start= auto"

(Please note that the space after start= is required; goodness knows why…)

[screenshot: start-run-enable]

[screenshot: start-box-enable]

3. Watch for the success message, and reboot.

ESET NOD32 making many systems hang

I’ve spent most of the day trying to identify a systematic way to work around the campus antivirus solution, which is causing widespread system hangs. Our vendor has tentatively identified a problematic recent update, and is recommending that affected users temporarily disable the ESET Service until a patch is available.

Disabling ESET NOD32 / ekrn Service.

If your system becomes unresponsive, in most cases soon after logging into the system, you may be affected. Please follow these instructions to disable the ESET service:

1. Restart your system in safe mode

2. In either the Run command (Start->Run or [Windows Key]+R)

[screenshot: start-run]

OR in the Vista Start menu search box…

[screenshot: start-box]

3. …Enter the command below

cmd /k "sc config ekrn start= disabled"

(Please note that the space after start= is required; goodness knows why…)


4. Watch for the success message:

[screenshot: sc-success]

Reboot and stay tuned to your friendly neighborhood technical support resources for updates.

PS. for what it’s worth, here’s my current ESET version info, which hangs my system.

[screenshot: eset-about]

Range Retrieval

Working on the Server 2008 hard limit of 5000 attribute values max per query, which breaks our Identity Management process. I’m looking at having to write a clone of LDIFDE that can issue queries using Range Retrieval and then synthesize a single LDIF entry for groups with more than 5000 members.

Safari Tech Books online provides some good resources, including The .NET Developer’s Guide to Directory Services Programming [at Amazon], which provides a good code example in Listing 6.8. Range Retrieval Using DirectorySearcher.

Or maybe I should just post-process the LDIFDE-generated LDIF file…
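The core of such an LDIFDE clone, as an added example that is not the author's code: request the member attribute in ranges via DirectorySearcher, follow the range the server actually returns until it answers with “*”, and emit one LDIF entry. The group DN is hypothetical and the 1500-value step is an assumption; the loop adapts to whatever range size the server answers with.

```powershell
# Added example (not the author's LDIFDE clone): fetch a large group's member
# attribute with LDAP range retrieval and write it out as one LDIF entry.
# The group DN is hypothetical; the 1500 step is an assumption and the loop
# follows whatever range the server actually answers with.
function Get-RangedAttribute {
    param([Parameter(Mandatory = $true)][string]$DistinguishedName,
          [string]$Attribute = 'member', [int]$Step = 1500)
    $entry    = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DistinguishedName")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry, '(objectClass=*)')
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Base
    $values = New-Object System.Collections.ArrayList
    $start  = 0
    while ($true) {
        $searcher.PropertiesToLoad.Clear()
        [void]$searcher.PropertiesToLoad.Add("$Attribute;range=$start-$($start + $Step - 1)")
        $result = $searcher.FindOne()
        if ($result -eq $null) { break }
        # The server names the range it returned ("member;range=0-1499") and
        # marks the final chunk with "*" ("member;range=3000-*").
        $key = @($result.Properties.PropertyNames | Where-Object { $_ -like "$Attribute;range=*" })[0]
        if (-not $key) { break }
        foreach ($v in $result.Properties[$key]) { [void]$values.Add([string]$v) }
        if ($key.EndsWith('*')) { break }
        $start = 1 + [int]($key.Split('-')[-1])
    }
    return $values.ToArray()
}

function ConvertTo-LdifLine {
    param([string]$Name, [string]$Value)
    # RFC 2849: base64 ("::") when the value is non-ASCII or starts with space, ':' or '<'.
    if ($Value -match '^[ :<]|[^\x20-\x7e]') {
        return "${Name}:: " + [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Value))
    }
    return "${Name}: $Value"
}

$groupDn = 'CN=BigGroup,OU=Groups,DC=campus,DC=ad,DC=uvm,DC=edu'   # hypothetical
$lines = @((ConvertTo-LdifLine 'dn' $groupDn), 'changetype: add', 'objectClass: group')
$lines += Get-RangedAttribute -DistinguishedName $groupDn | ForEach-Object { ConvertTo-LdifLine 'member' $_ }
$lines + '' | Set-Content -Path 'biggroup.ldf' -Encoding ASCII
```

Other attributes of the group would be added to the entry the same way; only the multi-valued ones need the ranged loop.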

List folder contents – XP vs. Vista

Yesterday, a client called me complaining that, after installing Vista SP2, she couldn’t access a folder on a file share. She could access that same folder from her XP workstation, logged in with the same account.

I paid a service call (across the parking lot; any excuse to get up and walk outside :-) ), and after some poking around confirmed her claim. We did determine that she might not have attempted to access that folder from her new Vista system before.

So I started digging deeper. The folder granted her (via a group) the “List Folder/Read data” permission. So I created a test folder and granted an analogous group this specific permission to the folder. This is displayed in the output of icacls as “(S,RD)”.

C:\>icacls s:\cit\ZTest
s:\cit\ZTest CAMPUS\ETS-FileServices-Browse:(S,RD)
             BUILTIN\Administrators:(OI)(CI)(F)

This permission alone allows Windows XP workstations to browse the folder, but Windows Vista or later gives an “Access is denied” error.

When creating a “browse” permission for a single folder, I start by granting the “List Folder Contents” standard permission, which assigns the following permissions to the folder and subfolders (not to files):

  • Traverse folder/execute file
  • List folder/read data
  • Read attributes
  • Read extended attributes
  • Read permissions

With icacls, this permission looks like this:

C:\>icacls s:\cit\ZTest
s:\cit\ZTest BUILTIN\Administrators:(OI)(CI)(F)
             CAMPUS\ETS-FileServices-Browse:(CI)(RX)

The (CI) indicates “Container inherit,” which means that permission (ACE) will be inherited by subfolders. Now I open the advanced security dialog, and edit the ACE to change the “Apply to” control to “This folder only.” Now the browse permission applies only to the particular folder. In icacls, it looks like this:

C:\>icacls s:\cit\ZTest
s:\cit\ZTest BUILTIN\Administrators:(OI)(CI)(F)
             CAMPUS\ETS-FileServices-Browse:(RX)

I changed the permissions on the client’s folder, and her access was restored.
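Scripting the same change, as an added example rather than the author's own steps: the function below adds the browse ACE either in its inherited (CI) form or as “This folder only” (InheritanceFlags None), so the icacls output afterwards matches the listings above. The path and group are the ones shown on the page; everything else is assumed.

```powershell
# Added example (not the author's procedure): grant the "List Folder Contents"
# browse ACE from PowerShell, either inherited by subfolders (CI) or scoped to
# "This folder only", then display the ACL with icacls as the page does.
function Grant-BrowseAce {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Identity,
        [switch]$ThisFolderOnly
    )
    # "List Folder Contents" is ReadAndExecute applied to the folder and
    # subfolders but not files; ContainerInherit yields the (CI) ACE and
    # InheritanceFlags None yields the "This folder only" ACE.
    $inherit = if ($ThisFolderOnly) { [Security.AccessControl.InheritanceFlags]::None }
               else { [Security.AccessControl.InheritanceFlags]::ContainerInherit }
    $rule = New-Object Security.AccessControl.FileSystemAccessRule(
        $Identity, [Security.AccessControl.FileSystemRights]::ReadAndExecute,
        $inherit, [Security.AccessControl.PropagationFlags]::None,
        [Security.AccessControl.AccessControlType]::Allow)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

$folder = 's:\cit\ZTest'                     # path from the page
$group  = 'CAMPUS\ETS-FileServices-Browse'   # group from the page

# Scoped to this folder only, which is the ACE that restored the client's access.
Grant-BrowseAce -Path $folder -Identity $group -ThisFolderOnly
icacls $folder
```

Run it without -ThisFolderOnly to get the (CI)(RX) form from the second listing instead.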


Troubleshooting Wifi logon

I’ve been working with a client to try to identify why we sometimes log onto the UVM wifi network successfully before workstation logon, but frequently this fails and drive mappings are not performed successfully.

In consulting with a colleague, he suggested that it could be a race condition between the network authorizing the connection and the Windows system DHCP Client behavior.

In looking for details of the dhcp process on a Windows Vista client, I found a couple useful resources:

TCP/IP Fundamentals for Microsoft Windows
PDF book discussing TCP/IP protocols and services, and their configuration. Over 500 virtual pages.

Microsoft Enterprise Networking Team blog: DHCP Client Behavior
Now this is good detail! I have to review this blog in more detail.

Monday – June 1

It’s June! Cold and rainy?! Gah!!

On the list for today:

  • AD Domain Services on Server 2008 and Operations Manager 2007

Operations Manager – verifying current version

Post regarding installing hotfixes on the Management Server using SetupUpdateOM.exe. Never heard of it before. Doesn’t exist on my system. Perhaps it’s part of Ops Mgr 2007 R2?

I decided that the KB956184 patch looked the most promising. Because the installation involved manual replacement of msi files in the AgentManagement folder on the Root Management Server, I could back-out the changes if things went South.

I renamed the original 64-bit OOMADs.msi files and replaced them (AMD64 and IA64 versions) with the ones from the hotfix. Then I used the OpsMgr console to uninstall the agent from my four Windows Server 2008 AMD64 domain controllers, one at a time. For each I verified that the new AD MP Helper Object was installed, checking appwiz and Program Files\Common. Then I checked the Operations Manager Event Log. This time, there were no errors running the DSDiscovery script. Health explorer on each DC is now clean. Yes!!!

The only lingering issue is the presence of five errors in the event logs on each DC, complaining about the inability to locate Performance Counters for DirectoryServices: “DS Search sub-operations/sec”, “LDAP Client Sessions”, “LDAP Searches/sec”, “LDAP UDP operations/sec”, and “LDAP Writes/sec”. I verified that I could see these counters within Performance Monitor on the DC. This thread in the OpsMgr Management Pack newsgroup seems germane, though the Live login isn’t working for me at the moment.

Managed to chime in on that thread. We’ll see if anything useful comes of it.

Opsmgr Friday

Having successfully deployed some agents to some recalcitrant hosts, I’m now trying to address a false positive issue on a DC. I’m getting an error regarding “AD Op Master Respone [sic] Monitor”. The host has a recurring error:

AD Op Master Response : The script ‘AD Op Master Response’ failed to create object ‘McActiveDir.ActiveDirectory’.  This is an unexpected error.
The error returned was: ‘ActiveX component can’t create object’ (0x1AD)

This led me to a blog post suggesting that the AD Helper Object needed to be installed. So I looked in the OpsMgr host’s AgentManagement location and found the msi. When I tried to install that msi package, I received an error stating “this installation package is not supported by this processor type.” The host is running AMD64 Windows, and the file came from the AMD64 part of the AgentManagement tree.

I checked the list of installed apps on another x64 DC, and saw that the “System Center Management Pack Helper Objects” item had been installed. So I tried repairing the agent install from within Ops Manager. Error persists.

Checking the hotfixes required to make Ops Manager agent work on Server 2008, and they are missing. Stay tuned…

UPDATE:

Applied the hotfixes and still no love. I did dig into the eventlog, and saw that it appeared the ADDiscover script failed in some way. I tried running the script manually (using the arguments from the eventlog entry), but it still failed. I fell back to Google and found the following promising KB article: Alerts are issued from the MOM Active Directory Management Pack after you install an Operations Manager 2007 SP1 agent over a MOM 2005 agent on a domain controller that is running a 64-bit version of Windows.

Now this KB article describes a set of circumstances that don’t match my situation. I didn’t install the MOM 2005 agent and then the OpsMgr 2007 agent on the same host. This system was built from the ground up with Server 2008 x64, and Operations Manager 2007 was deployed here well before Server 2008. However, the constellation of symptoms and architecture issues make it sound interesting.

Just found Kevin Holman’s blog and his list of hotfixes. I must go read about these and OpsMgr SP2 before doing anything drastic. Nothing like breaking the server late on a Friday…