COM+ Network Access firewall exception for WS2012r2

Say you have a shiny new Windows Server 2012 R2 box and you want to view its event logs from your Windows 8.1 workstation (why am I saying this… no reason).

If you have Windows Firewall turned on (in my case, through a Group Policy Object linked to the OU with all our servers), you are probably out of luck even if you already have remote administration enabled for your existing WS2003, WS2008 and WS2008R2 boxes.


So, you launch the Group Policy Management console (gpmc.msc) from your Windows 8.1 workstation and drill down (Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security). Inbound Rules, New Rule, Predefined – but, hey! Where’s my COM+ Network Access (DCOM-In)?


What gives? OK, I’ll play – what if I run the Group Policy Management Console from my new WS2012R2 box?


Well – it’s there. WTF, Microsoft? I spun up a clean Windows 8.1 Enterprise VM and downloaded RSAT for Windows 8.1 x64 from Microsoft again – same deal. The Windows 8.1 RSAT is missing the COM+ Network Access predefined firewall rules.

Oh well, I’ve got my GPO updated now so I don’t care enough to open a MSFT ticket!
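If you would rather not depend on which RSAT build happens to carry the predefined rule, the rule can be written into the GPO from PowerShell on any host that has it (the WS2012R2 box does). This is an added example, not code from the post; the domain name, GPO name and admin subnet are placeholders, and it assumes you have rights to edit that GPO.

```powershell
# Added example: put "COM+ Network Access (DCOM-In)" into a domain GPO's firewall policy
# store from a Windows Server 2012 R2 host. Domain, GPO name and subnet are placeholders.
$gpoStore = 'ad.example.edu\Server Firewall'   # assumption: "domain\GPO display name"

# Option 1: copy the host's own predefined rule into the GPO as-is.
Get-NetFirewallRule -DisplayName 'COM+ Network Access (DCOM-In)' |
    Copy-NetFirewallRule -NewPolicyStore $gpoStore

# Option 2 (use one or the other, not both): define it explicitly. This is what the
# predefined rule contains: TCP 135, the RPC endpoint mapper, served by the RpcSs service
# inside svchost.exe. Scoping -RemoteAddress to the admin network is an addition the
# predefined rule does not make; adjust or drop it for your environment.
New-NetFirewallRule -PolicyStore $gpoStore `
    -DisplayName 'COM+ Network Access (DCOM-In)' -Group 'COM+ Network Access' `
    -Direction Inbound -Action Allow -Profile Domain `
    -Protocol TCP -LocalPort 135 `
    -Program '%SystemRoot%\system32\svchost.exe' -Service RpcSs `
    -RemoteAddress 10.0.0.0/8

# Verify what landed in the GPO, then pull it down on a target server.
Get-NetFirewallRule -PolicyStore $gpoStore -DisplayName 'COM+ Network Access (DCOM-In)' |
    Get-NetFirewallPortFilter
gpupdate /target:computer /force
```

Port 135 only gets the DCOM client to the endpoint mapper; remote Event Viewer then talks to the Event Log service on a dynamic RPC port, which the “Remote Event Log Management” predefined group covers. If that group is not already enabled in the same GPO, copy it in the same way.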

Posted in Uncategorized | Leave a comment

Help Windows! My DHCP scope is full!

Start of a new semester at the U… it seems everyone came back with more WiFi gadgets than ever and wants them all on the network AT ONCE. Our /20 network (4096 addresses) we had already planned to supplement with another /22 (1024), but both filled up on day one. Drop the one-hour DHCP lease to 30 minutes! Hey, that’s not helping!

Back in Windows 2003 there was already a registry entry, LeaseExtension (HKLM\System\CurrentControlSet\Services\DHCPServer\Parameters\LeaseExtension), and it is still there: it defaults to FOUR hours (as in ONE-TWO-THREE-HOLY HECK WHEN CAN WE REUSE THIS IP-FOUR), which is how long an expired lease is held before its address goes back into the pool. In addition, the database cleanup interval (the DatabaseCleanupInterval value, in minutes) is 60 minutes, and expired leases are only reclaimed on that cleanup pass (which is exactly what hurts when the scope is full). So… 30 minutes + 4 HOURS + up to 60 more minutes = up to 5.5 hours that a client holds one of our Windows 2008R2 DHCP server’s addresses.

Drop LeaseExtension down and drop the cleanup interval down, and things are more sane (until we finish a re-IP project and take over a second and maybe a third /20 for central-campus WiFi).
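The change itself, as an added example rather than the post’s own commands: the two registry values are the DHCP Server service’s documented parameters, the new values (1 hour, 15 minutes) are assumptions to be tuned to your churn, and it runs elevated on the DHCP server.

```powershell
# Added example: shrink the window during which an expired lease keeps its address out of
# the pool on a Windows Server 2008 R2 DHCP server. New values are assumptions.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters'

# LeaseExtension: hours an expired lease is retained before the address may be handed out
# again (default 4). DatabaseCleanupInterval: minutes between purges of expired records
# (default 60); an address only returns to the pool on a purge.
Set-ItemProperty -Path $params -Name LeaseExtension          -Value 1  -Type DWord
Set-ItemProperty -Path $params -Name DatabaseCleanupInterval -Value 15 -Type DWord

# The service reads these at start-up.
Restart-Service DHCPServer

# Worst-case wait before a client's address can be reused: the post's arithmetic as a function.
function Get-WorstCaseReuseMinutes {
    param([int]$LeaseMinutes, [int]$LeaseExtensionHours, [int]$CleanupMinutes)
    $LeaseMinutes + 60 * $LeaseExtensionHours + $CleanupMinutes
}
Get-WorstCaseReuseMinutes -LeaseMinutes 30 -LeaseExtensionHours 4 -CleanupMinutes 60   # the defaults
Get-WorstCaseReuseMinutes -LeaseMinutes 30 -LeaseExtensionHours 1 -CleanupMinutes 15   # after the change

# Scope utilisation without the 2012-only DhcpServer module: in-use / free per scope.
netsh dhcp server show mibinfo
```

The trade-off to keep in mind: with a short LeaseExtension a laptop that sleeps through its renewal can wake up to find its address handed to someone else, and short leases multiply DHCP traffic and audit-log volume on the server.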

Thanks goes out to Mike Perth for the first+best Google answer to our issue.


<unknown> disk space on WS2008R2–vssadmin command

Seth B and I racked our brains today over why a plain-Jane domain controller (just the AD-DS role: no DNS, no DHCP, nothing else with any logging load) had less than 25% free disk space (16/67GB). The weak-sysadmin-crutch-tool WinDirStat showed us an unfulfilling 15GB of <unknown> files (see WinDirStat’s explanation of <Unknown> space).

OK, run WinDirStat with an admin token. Sigh – 14.2GB.

So – it is evidently all in the system+hidden folder ‘System Volume Information’.

Enter our friend vssadmin.exe.

Even though Shadow Copies aren’t enabled in the GUI for drive C:, WS2008R2 still lets applications (and perhaps service packs?) create a shadow copy/restore point, and that lives in the same shadow storage.

Sure enough – we had two – from Feb and October 2012. 

Trying to remove them via vssadmin delete shadows failed with an unhelpful message: “Error: Snapshots were found, but they were outside of your allowed context. Try removing them with the backup application which created them.”

OK – just *WHAT* application created them? You know what, I don’t care, I just want my disk space back:

vssadmin resize shadowstorage /For=C: /On=C: /MaxSize=4GB

Ta-da! Both of our shadows were removed (capping the shadow storage below what the existing shadows occupy evicts the oldest ones). Our DC now has 36/67GB free (yes, we deleted some other detritus).
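The full inventory-then-reclaim sequence, as an added example and not the post’s own session: vssadmin and diskshadow ship with Windows Server 2008 R2, it runs from an elevated prompt, and the 4GB cap is the post’s number, an assumption about how much shadow storage you are willing to keep.

```powershell
# Added example: find out who owns the space inside System Volume Information and reclaim it.

# Inventory: every shadow copy ("Provider", "Attributes" and the creation time hint at the
# creating application) and the diff-area association for C:.
vssadmin list shadows
vssadmin list shadowstorage /On=C:

# Cap the diff area. Shrinking it below current usage evicts the oldest shadow copies,
# whichever requester created them, so this succeeds where "delete shadows" is refused.
vssadmin resize shadowstorage /For=C: /On=C: /MaxSize=4GB

# Explicit alternative: diskshadow runs in a context that can see and delete the shadows
# vssadmin reports as "outside of your allowed context". It takes a script file.
$script = Join-Path $env:TEMP 'clear-shadows.txt'
@'
list shadows all
delete shadows all
exit
'@ | Set-Content -Path $script -Encoding ASCII
diskshadow /s $script

# Confirm the reclaim.
vssadmin list shadows
Get-PSDrive C | Select-Object Used, Free
```

Before deleting, look at the creation times: if they line up with a backup product’s schedule those shadows are its restore points, and the owner of that backup should agree before you throw them away.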


Today’s edition of “Thanks a lot Microsoft…”

Trying to answer what seems like a simple enough question from my supervisor: “how many users do we have in Active Directory?” Good old Active Directory Users and Computers (ADUC, aka dsa.msc) is kinda kludgy in this respect: I can search for all disabled user objects… I can search for all users and groups (and do the math to get all active users and groups)… but what about just user objects?

I go to play with this new-fangled Active Directory Administrative Center (ADAC, aka dsac.exe), which seems better suited, but it complains about the size of my domain:


…which raises the question – where are the Management List options? Oh, of course – silly me – they are HIDDEN: you have to press the ALT key to see the additional menus. Our friends at Microsoft’s Ask the Directory Services Team blog have the explanation in Fun with the AD Administrative Center – I quote “

The error tells you what to do – just change the “Management List” options. Right! So… ehhh… where is the management list? You have to hit the ALT key to expose that menu. Argh…


Then you can set the returned object count as low as 2000 or as high as 100000. If you have to do this though, you need to work on organizing your objects better.”

Nice, except there is no reason to sort our students down into multiple OUs. An argument can be made that we don’t need to have/keep 20,000+ students – but that is a deprovisioning question left to people at a higher pay grade than mine.
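The count itself is easier to get without either console. This is an added example, not the post’s own query; the domain DN is a placeholder.

```powershell
# Added example: count user objects directly, sidestepping ADAC's management-list cap and
# ADUC's user+group searches. Domain DN is a placeholder.
#
# objectCategory=person AND objectClass=user selects users only: computer objects have
# objectClass=user too (they inherit from it) but objectCategory=computer, and contacts
# are objectCategory=person without objectClass=user.
$userFilter  = '(&(objectCategory=person)(objectClass=user))'
$disabledBit = '(userAccountControl:1.2.840.113556.1.4.803:=2)'   # bitwise AND on ACCOUNTDISABLE

Import-Module ActiveDirectory
$all      = @(Get-ADUser -LDAPFilter $userFilter).Count
$disabled = @(Get-ADUser -LDAPFilter "(&(objectCategory=person)(objectClass=user)$disabledBit)").Count
"Users: $all  enabled: $($all - $disabled)  disabled: $disabled"

# Without the AD module (any domain-joined box). The DC's MaxPageSize is 1000, and an
# unpaged search silently stops there; setting PageSize turns on paged results.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]'LDAP://DC=ad,DC=example,DC=edu'
$searcher.Filter     = $userFilter
$searcher.PageSize   = 1000
$searcher.PropertiesToLoad.Add('userAccountControl') | Out-Null
$results = $searcher.FindAll()
$dis2 = @($results | Where-Object { ($_.Properties['useraccountcontrol'][0] -band 2) -ne 0 }).Count
"DirectorySearcher: $($results.Count) users, $dis2 disabled"
$results.Dispose()
```

The two totals should agree; if the DirectorySearcher number is exactly 1000 (or a multiple of the configured page size) the paging line is the first thing to check.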


Microsoft DNS server recursion problems

Many of you at UNI know we’ve had a problem over the past couple of years – since Windows Server 2008R2 was installed on our domain controllers, by the timeline. Various web pages, when loaded from a workstation using ad.uni.edu’s AD-integrated DNS resolvers, load partially or not at all, even though the sites are live and resolve fine against UNI’s Unix DNS recursers (dns2.uni.edu and dns3.uni.edu).

Well, well – after finally collecting three URLs that fail every time (previous examples such as cisco.com, bn.com and priceline.com would fail, but once the AD DNS server’s cache was flushed they would work again for days or months), I opened a $259 Microsoft service call and found the magic hotfix that the Googles and the Bing failed to find:

DNS Server service does not use root hints to resolve external names in Windows Server 2008 R2

This fixed our problem (it bites when an external DNS server answers with NS and glue records for the same name) – BUT what really chafes me (or, in Peter Griffin’s words, “grinds my gears”) is that this hotfix was released a year ago and is still a request-only hotfix that hasn’t been tested and pushed out through Automatic Updates. Come on! This cannot be that rare: a Windows AD server providing DNS recursion to AD clients via root hints (rather than forwarding to another DNS server – which has its own set of problems).
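A way to reproduce the symptom on demand, so you can tell a recursion bug from a flaky site before and after the hotfix, as an added example that is not from the post: it compares what the AD-integrated DNS server returns with what an independent recursive resolver returns for the same names. Server names are placeholders, Resolve-DnsName needs the Windows 8 / Server 2012 DnsClient module, and dnscmd is the DNS server’s own tool.

```powershell
# Added example: compare A-record answers from the AD DNS server and a Unix recurser,
# then flush the AD server's cache and re-test the names that only fail there.
$adDns   = 'dc1.ad.example.edu'     # placeholder
$unixDns = 'dns2.example.edu'       # placeholder
$names   = 'www.cisco.com', 'www.bn.com', 'www.priceline.com'

function Get-ARecords([string]$Name, [string]$Server) {
    # -DnsOnly bypasses the hosts file, LLMNR and NetBIOS so only the named server is asked.
    $r = Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -ErrorAction SilentlyContinue
    @($r | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
}

$broken = @()
foreach ($n in $names) {
    $ad   = Get-ARecords $n $adDns
    $unix = Get-ARecords $n $unixDns
    $status = if ($unix.Count -gt 0 -and $ad.Count -eq 0) { 'FAILS via AD DNS only'; $broken += $n }
              elseif ($ad.Count -gt 0) { 'ok' } else { 'fails on both resolvers' }
    '{0,-20} AD=[{1}]  Unix=[{2}]  {3}' -f $n, ($ad -join ' '), ($unix -join ' '), $status
}

# Fingerprint of the cached-NS/glue problem: a name in $broken resolves again right after
# the server cache is flushed, then stops once the bad delegation has been cached again.
if ($broken) {
    dnscmd $adDns /ClearCache
    foreach ($n in $broken) { '{0,-20} after flush: [{1}]' -f $n, ((Get-ARecords $n $adDns) -join ' ') }
}
```

Run it a few hours after the flush as well: the names that are fine immediately after /ClearCache and broken again later are the ones to hand to support.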


Ctrl+Alt+End is your Remote Desktop friend

So you’re out of the office, but accessing your domain workstation via Remote Desktop. The notification area says “your password expires in 1 day – change it by hitting Ctrl+Alt+Del” – but when you do that, you of course bring up your portable’s Windows environment, not the one back at your office.

Ctrl+Alt+End while in a Microsoft Windows Remote Desktop session (Remote Desktop Connection 6.1 or newer, at least) sends Ctrl+Alt+Del to the remote computer. Voila!


Microsoft Key Management Service (KMS) 2012

The blessings of Windows Server 2012 and Windows 8 have descended to us mere mortals with Microsoft Software Assurance. All right, how are we going to activate these new installs?

You remember the game from 2008/Vista and then 2008R2/Win7… and again you don’t have to set up a new server; you can reuse your existing KMS host. However, it appears that if you have played the KMS game for a long time and never upgraded the host to 2008R2 you are out of luck: the update only exists for 2008R2 and Windows 7!

Hotfix for Windows Server 2008R2 to support Win8 and WS2012 (and if you don’t have server SA, you can install KMS on a Win7 workstation; with this patch it can activate Win8/WS2012).

Sigh – fill out the form and await an email. At least I received it in under 20 seconds. (BTW – WTF, Microsoft: I, a human, failed your first two CAPTCHAs??)

My last gripe: Microsoft provided the same KMS host key for Windows Server 2012 Standard and Datacenter… when installed, it says Windows Server Standard… but slmgr.vbs /dlv shows “KMS_2012_C Channel”, which, if things work the same as in 2008R2, implies Datacenter is covered and will be activated. Time will tell…
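For reference, the slmgr.vbs sequence on the patched host and on a new client, as an added example rather than the post’s own commands. The key, host name and domain are placeholders.

```powershell
# Added example: bring a patched 2008 R2 KMS host up for Windows 8 / Server 2012 clients
# and check what it will activate. Key, host names and domain are placeholders.
$kmsHost = 'kms1.ad.example.edu'
$slmgr   = "$env:SystemRoot\System32\slmgr.vbs"

# --- On the KMS host (after the hotfix is installed) ---
cscript //nologo $slmgr /ipk XXXXX-XXXXX-XXXXX-XXXXX-XXXXX   # the 2012 KMS host key (placeholder)
cscript //nologo $slmgr /ato                                 # activate the host itself with Microsoft
cscript //nologo $slmgr /dlv                                 # "KMS_..." channel, current count, licence status

# KMS clients discover the host through this SRV record; confirm it exists and points here.
nslookup -type=SRV _vlmcs._tcp.ad.example.edu

# Clients talk to TCP 1688; the host's firewall has a predefined rule for it.
netsh advfirewall firewall show rule name="Key Management Service (TCP-In)"

# --- On a new Windows 8 / Server 2012 client ---
# /skms is only needed when SRV discovery is unavailable; otherwise /ato alone suffices.
cscript //nologo $slmgr /skms "${kmsHost}:1688"
cscript //nologo $slmgr /ato
cscript //nologo $slmgr /dlv
```

Remember the activation threshold when the first clients report “not activated”: /dlv’s current count has to reach 5 for server SKUs and 25 for client SKUs before the host hands out activations, so the first few requests only prime the counter.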


Windows 7 PEAP server ‘connect to’ wildcard

Contrary to what you’d expect, and to several help forums on the interwebz, on a Windows XP, Vista or 7 client using PEAP for wireless or wired 802.1X network access you cannot configure “Connect to these servers” with a value of “*.foo.com”. It won’t work: users will get a certificate warning on connection, and if they accept it, the CN of the server certificate gets added after a semicolon – e.g. “*.foo.com;radius1.foo.com”.

The correct configuration at UNI (screenshot not reproduced here) allows rad1.its-ns.uni.edu, rad2.its-ns.uni.edu, etc.

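To see what the field actually holds on a client (including a wildcard someone typed, or the CN Windows appended after a user clicked through the warning), export the profile and read the PEAP server-validation settings. This is an added example, not part of the post; the profile name is a placeholder and the XML element names are those netsh writes in the exported profile.

```powershell
# Added example: export a wireless profile and inspect its PEAP server validation settings.
$profileName = 'UNI'                               # placeholder: the SSID/profile name
$outDir = Join-Path $env:TEMP 'wlanprofiles'
New-Item -ItemType Directory -Force -Path $outDir | Out-Null

netsh wlan export profile name="$profileName" folder="$outDir"
$xmlPath = Get-ChildItem $outDir -Filter "*$profileName*.xml" |
    Select-Object -First 1 -ExpandProperty FullName
[xml]$profile = Get-Content $xmlPath

# The EAP config is namespaced; matching on local-name() keeps the query simple.
function Get-Element([xml]$Doc, [string]$Name) {
    $Doc.SelectNodes("//*[local-name()='$Name']") | ForEach-Object { $_.InnerText }
}
$serverNames = Get-Element $profile 'ServerNames'
$trustedCAs  = Get-Element $profile 'TrustedRootCA'
$promptOff   = Get-Element $profile 'DisableUserPromptForServerValidation'

"ServerNames                 : $serverNames"
"TrustedRootCA thumbprint(s) : $($trustedCAs -join ', ')"
"User prompt disabled        : $promptOff"

# The field is a semicolon-separated list of exact names. A '*' means someone entered a
# wildcard; an extra entry after ';' is the CN Windows appended when a user accepted a warning.
$list = @(($serverNames -split ';') | Where-Object { $_ })
if ($list -match '\*') { Write-Warning "Wildcard in ServerNames: $serverNames" }
if ($list.Count -gt 1) { "Names the client will accept:"; $list }
```

The security point behind the wildcard fuss: a wildcard that silently fails trains users to click through the server-certificate warning, which is exactly what a rogue access point with its own RADIUS server needs. Listing the real names and setting DisableUserPromptForServerValidation to true means a mismatch fails closed instead of asking the user.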


Troubleshooting Remote Desktop Gateway (formerly known as tsgateway)

Rather than provide portable computers for staff, the culture at my day job is for people to use iPads and other data-consuming devices to remote back to their office desktop and do *all* their work there. Since leaving TCP 3389 (the common Remote Desktop {RD} / Terminal Services {TS} port) open to the Internet guarantees a stream of door-knocking probes and password guessing, we force everyone through the VPN or Microsoft’s RD Gateway.

With Windows Server 2008 Microsoft introduced TS Gateway (renamed RD Gateway in 2008R2). The client connects to the gateway over TCP port 443 (which also gets around the common coffee-house WiFi limit of allowing only web ports), and the gateway makes the 3389 connection to your workstation inside the campus/building/office network.

Clients are somewhat limited: Windows XP can use the gateway with version 6.1 of Remote Desktop Connection. Windows 2008, Vista, 2008 R2 and Windows 7 all support RD Gateway natively. There is no Macintosh client (to my knowledge… Microsoft’s client and CoRD, which I use, both lack this capability), nor is there a *nix RD client with gateway connectivity. On the iPad there are PocketCloud and iTap.

Client error messages are less-than-specific, unfortunately.

You will get the same error message under two scenarios:

  1. You’ve entered an incorrect DNS name or IP address for the workstation.
  2. The name or IP address is correct, but nothing answers the gateway’s TCP 3389 connection… which means the machine is either powered off or firewalled in a way that it doesn’t reply to the connection request from the gateway.

Another scenario, not unique to using a gateway, is attempting to connect to a machine with a user account that isn’t authorized (usually, isn’t in the Remote Desktop Users security group on that workstation).

The final scenario I have is that your RD Gateway is down, you have no route to it, or you simply fat-fingered the host name.
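Because the client dialogs overlap, it is quicker to test each leg separately. The following is an added example, not the post’s own procedure: host names are placeholders, and the remote checks assume WinRM is enabled on the gateway and the workstation and that you are an administrator on both.

```powershell
# Added example: check each leg of an RD Gateway connection, mapped to the error scenarios above.
$gateway     = 'rdg.example.edu'               # placeholder
$workstation = 'desk-123.ad.example.edu'       # placeholder

function Test-TcpPort([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000) {
    # TcpClient with a timeout works on Windows 7 / 2008 R2 too, where Test-NetConnection is absent.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# "Gateway unavailable": can this client reach the gateway's HTTPS listener at all?
"Gateway $gateway :443 reachable : " + (Test-TcpPort $gateway 443)

# "Wrong name / no response": does the workstation name resolve, and does the GATEWAY
# (not your laptop) get an answer on 3389? The gateway is what makes that connection.
try {
    [System.Net.Dns]::GetHostAddresses($workstation) | ForEach-Object { "Resolves to $($_.IPAddressToString)" }
} catch { "Name does not resolve: $workstation" }
$fromGateway = Invoke-Command -ComputerName $gateway -ScriptBlock ${function:Test-TcpPort} `
    -ArgumentList $workstation, 3389
"3389 on $workstation as seen from the gateway : $fromGateway"

# "Not authorized": is the account in the workstation's Remote Desktop Users group?
# (Members of the local Administrators group may connect too, without being listed here.)
Invoke-Command -ComputerName $workstation -ScriptBlock { net localgroup "Remote Desktop Users" }
```

One more place to look when everything above passes: the gateway’s own RD Connection Authorization Policy (who may use the gateway) and Resource Authorization Policy (which hosts they may reach); a denial there is logged on the gateway, not on the workstation.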


Use ADUC to find client machine OS versions

I’ve been asked “how many Winders XP machines ya got left?” – off to Active Directory Users and Computers (aka ADUC, aka dsa.msc).

Find the domain/CN/OU you wish to search, right-click, Find – then in the Find drop-down list choose Custom Search.


Then the Field button –> Computer –> Operating System.

Enter the value for the OS you want to report on. Some options are below (you can specify the full field with Pro, Ultimate, etc. If you grok ADSIEdit or the Attribute Editor, the attribute we are looking at is operatingSystem):

  • Windows XP
  • Windows Vista
  • Windows 7
  • Windows Server 2003
  • Windows Storage Server
  • Windows Server 2008
  • Windows Server 2008 R2


Click Add – then Find Now. Voila!
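The same operatingSystem query from PowerShell, with a per-OS count and a staleness filter so that retired machines still lingering in AD are not counted as “XP machines left”. This is an added example, not part of the post; the OU distinguished name and the 90-day cutoff are assumptions.

```powershell
# Added example: inventory computer objects by operatingSystem, the attribute the ADUC
# custom search reads, and separate live XP machines from stale objects. OU is a placeholder.
Import-Module ActiveDirectory
$searchBase = 'OU=Workstations,DC=ad,DC=example,DC=edu'
$staleDays  = 90
$cutoff     = (Get-Date).AddDays(-$staleDays)

$computers = Get-ADComputer -SearchBase $searchBase -Filter * `
    -Properties operatingSystem, operatingSystemVersion, operatingSystemServicePack, lastLogonTimestamp

# Count per OS string (the same values the ADUC search matches, e.g. "Windows XP Professional").
$computers | Group-Object operatingSystem | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Just XP. The same match can run server-side: Get-ADComputer -Filter { OperatingSystem -like "Windows XP*" }.
# lastLogonTimestamp is replicated but only updated every ~14 days, so treat the cutoff as coarse.
$xp = $computers | Where-Object { $_.operatingSystem -like 'Windows XP*' } |
    Select-Object Name, operatingSystemServicePack, Enabled,
        @{ n = 'LastLogon'; e = { if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } } }
$live  = @($xp | Where-Object { $_.Enabled -and $_.LastLogon -gt $cutoff })
$stale = @($xp | Where-Object { -not ($_.Enabled -and $_.LastLogon -gt $cutoff) })

"XP objects: $(@($xp).Count)   active in last $staleDays days: $($live.Count)   stale/disabled: $($stale.Count)"
$live | Sort-Object LastLogon | Format-Table -AutoSize
```

The stale list is the useful by-product: those are the objects to disable and move aside, which also shrinks the next “how many do we have” answer to machines that actually exist.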
