RDP : Black Logon Screen

RDP : Black Logon Screen

Came across an odd one the other day where when trying to logon via RDP I was greeted with an RDP logon Window that was pretty much all black; Text Input boxes (username/password/domain) were all black, the logon window was all black, blackground was black. Everything was black other than the Windows 2003 logo.

Once logged in everything was fine however.

When it’s broken down like that you may see where I’m going with this…

Check out the Colour values under: HKEY_USERS\.DEFAULT\Control Panel\Colors

On the affected server these were all “0 0 0” – i.e. black. You can simply export this key from another (working) Windows 2003 server and iomport it to the affected box.

NAPP : iSCSi Initiator and Snap Server Replacement

NAPP : iSCSi Initiator and Snap Server Replacement

 

Snap Server can have IP address set to 10.10.10.10 by holding down the reset button whilst powering on.

 

Once configured ensure GuardianOS is upgraded to the most recent entitlement.

 

To reconfigure the backup server (normally XX0015.eu01.apmn.org)

  1. Load Microsoft iSCSI initiator
  2. Remove all iScsi Targets under Persistent Targets
  3. Go to Targets > Refresh
  4. Highlight the new Target > Logon > Tick Automatically Restore This Connection
  5. Under Disk Management Partition & Format the drive:
      500GB Drive I:\ ‘Daily Backups’
      Remaining Drive W:\ ‘Weekly Backups’
  6. Verify the Backup Software paths are correct for the Backup to Disk targets.

AD DS : PDCe Time Server Configuration

AD DS : PDCe Time Server Configuration

Use the following script to configure your PDCe to sync its time using an external time source:

w32tm /config /manualpeerlist:”tock.usno.navy.mil,0x9 tick.usno.navy.mil,0xa” /syncfromflags:MANUAL
w32tm /config /update
w32tm /resync

This will perform all of the required registry changes under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters without having to actually modify the registry.

Check the system event log for Event ID 35, W32Time ‘The time service is now synchronizing the system time with the time source tock.usno.navy.mil.’ entries once complete.

BackupExec : 0xE0008524 Unable to initialize the snapshot

BackupExec : 0xE0008524 Unable to initialize the snapshot

This error is generally caused by not running the BackupExec service as a local administrator account (which is a good thing!).

V-79-57344-34110 – AOFO: Initialization failure on: “System?State”. Advanced Open File Option used: Microsoft Volume Shadow Copy Service (VSS).
Snapshot provider error (0xE0008524): Unable to initialize the snapshot because the Advanced Open File Option (AOFO) is not installed on the target computer. You must install this option, restart the computer, and then run the job again.
Check the Windows Event Viewer for details.

To resolve this issue:

Configured ‘full controll’ permissions on the DACL for the service account on the following registry key:

   HKEY_LOCAL_MACHINE\SOFTWARE\VERITAS\Backup Exec\Engine\Misc

DNS : Enabling DNS Dynamic Update Credentials

DNS : Enabling DNS Dynamic Update Credentials

 

For further info see MS KB Article: http://support.microsoft.com/default.aspx/kb/816592

 

This should be setup when you enabled secure updates only for an AD-Integrated DNS zone and have devices that are unable to perform secure dynamic updates of their A/PTR records. Examples of this type of device are Thin Client terminals.

 

Configure service account details on each server as detailed below, use the service account ‘svc_dnsproxy

 

    

 

Then add the computer objects to the ‘DNSUpdateProxy’ group in AD:

 

 

Finally it is necessary to remove the stale records from reverse DNS manually. We can immediately clear the 10.144.X.X reverse DNS records then selectively remove remaining stale records ensuring that DCs, Servers and Static Addresses are not deleted.

 

Forward lookup entries should not be affected by this change.

 

This change will probably be necessary on all European sites.

 

Records will now register as follows:

 

Dataprotector : IDB Maintenence

Dataprotector : IDB Maintenence

.1 IDB Backup

Make sure all Data Protector production backups have completed overnight. Any backups that need to be re-run should be re-run before the backup of the IDB is taken. It would also be worth making sure there is no known requirement for a Data Protector restore. Disable all backups scheduled to run before 6pm.

Note: Timings listed on this document are approximate, based on previous run times. Depending on the condition of the Data Protector IDB and available resource on the Cell manager, times could differ. Though it’s expected regular purge procedures on the DP IDB will decrease job times lower than projected.

Take the following services Offline:

OBVS_MCRS

OBVS_VELOCIS

Copy the Data Protector IDB files from the R:/ of UKSPICDP. These files should be backed up to a local drive.

Once copied, bring the above listed services back online.

1.2 IDB Purge

 

Run the following commands from a command line on the Data Protector Cell manager:

omnidb –strip               (seconds)
Omnidbutil –purge –filenames –days 1  -force ( >5 hours)

(This task can take a number of hours, if this task is not finished by early afternoon 3 – 3.30pm, this complete process should be re-run another day)

Note in the above screen shot, this error will be displayed if you try to run another omnidbutil command whilst one is in progress.

To monitor the purge bring up task manager. The rds.exe process is running your purge task.

Omnidbutil –purge –sessions 1  -force   (Seconds)
Omnidbutil –purge –DCBF –days 1  -force       (Seconds)
Omnidbutil -purge_failed_copies                       (Seconds)

Create the folder c:\IDBtemp on Cell Manager (If directory already exists delete any existing files)

Run the following commands:
Omnidbutil –writedb –mmdb c:\IDBtemp -cdb c:\IDBtemp   (>1 hours)

(This command exports the data base files to a temp folder)

Omnidbutil –readdb –mmdb c:\IDBtemp -cdb c:\IDBtemp                    (>40 minutes)

(This command re-imports the data, leaving behind purged files)

 

omnidbutil -remap_dcdir                       (Seconds)
omnidbutil –fixmpos                              (Seconds)
omnidbutil -remap_dcdir                       (Seconds)
omnidbutil -cdbsync ukspicdp   (Seconds)

Any Backups disabled before the purge task should be re-enabled.

Perform a test or monitor a production backup to completion to confirm DP is working.

1.3 Stopping purge jobs

Purge jobs should only be cancelled if totally necessary, IE urgent business requirement of a restore/ High impact on Production backups.

If for some reason no up to date backup was taken of the IDB, the job should not be cancelled and procedure completed fully. Disabling a purge job in progress can corrupt the IDB, meaning restoring from an offline backup to get Data Protector operational.

If purge commands do need to be stopped, the following command should be used:

Omnidbutil -purge_stop

AD CS : Delegate GPO Creation/Management

AD CS : Delegate GPO Creation/Management

To delegate creation of new Group Policy Objects and link Group Policy Objects to existing OU’s you mustperform the following tasks:

  • Add the user to the Group policy Creator Owner built-in group
  • Delegate the ‘Manage Group Policy links‘ permission on the Organisational Units you wish the user to be able to link policies to.

Optional for generating RSOP information:

  • Delegate the ‘Read Group Policy Results data‘ permission on the Organisational Units you wish the user to be able to link policies to.

You can also utilise GPMC for delegation of GPO permissions.

LastlogonTimeStamp : Report

LastlogonTimeStamp : Report

Use the following script to report on your users lastLogontimeStamp – note this will be accurate to within one week due to the very nature of the lastlogonTimeStamp attribute being replicated between DC’s once per week.

Save the text below into a VBS file and execute like so: cscript.exe file.vbs >> report.csv

If the script fails, download a copy from here: http://cb-net.co.uk/downloads/compreport2.txt

Option Explicit

Dim objRootDSE, adoConnection, adoCommand, strQuery, strCN
Dim adoRecordset, strDNSDomain, objShell, lngBiasKey
Dim lngBias, k, strDN, dtmDate, objDate
Dim strBase, strFilter, strAttributes, lngHigh, lngLow

‘ Obtain local Time Zone bias from machine registry.
‘ This bias changes with Daylight Savings Time.
Set objShell = CreateObject(“Wscript.Shell”)
lngBiasKey = objShell.RegRead(“HKLM\System\CurrentControlSet\Control\” _
    & “TimeZoneInformation\ActiveTimeBias”)
If (UCase(TypeName(lngBiasKey)) = “LONG”) Then
    lngBias = lngBiasKey
ElseIf (UCase(TypeName(lngBiasKey)) = “VARIANT()”) Then
    lngBias = 0
    For k = 0 To UBound(lngBiasKey)
        lngBias = lngBias + (lngBiasKey(k) * 256^k)
    Next
End If
Set objShell = Nothing

‘ Determine DNS domain from RootDSE object.
Set objRootDSE = GetObject(“LDAP://RootDSE”)
strDNSDomain = objRootDSE.Get(“defaultNamingContext”)
Set objRootDSE = Nothing

‘ Use ADO to search Active Directory.
Set adoCommand = CreateObject(“ADODB.Command”)
Set adoConnection = CreateObject(“ADODB.Connection”)
adoConnection.Provider = “ADsDSOObject”
adoConnection.Open “Active Directory Provider”
adoCommand.ActiveConnection = adoConnection

‘ Search entire domain.
strBase = “”

‘ Filter on all user objects.
strFilter = “(&(objectCategory=computer)(objectClass=user))”

‘ Comma delimited list of attribute values to retrieve.
strAttributes = “distinguishedName,lastLogonTimeStamp,cn”

‘ Construct the LDAP syntax query.
strQuery = strBase & “;” & strFilter & “;” & strAttributes & “;subtree”

‘ Run the query.
adoCommand.CommandText = strQuery
adoCommand.Properties(“Page Size”) = 5000
adoCommand.Properties(“Timeout”) = 60
adoCommand.Properties(“Cache Results”) = False
Set adoRecordset = adoCommand.Execute

‘ Enumerate resulting recordset.
Do Until adoRecordset.EOF
   ‘ Retrieve attribute values for the user.
    strDN = adoRecordset.Fields(“distinguishedName”).Value
    strCN = adoRecordset.Fields(“cn”).Value
    ‘ Convert Integer8 value to date/time in current time zone.
    On Error Resume Next
    Set objDate = adoRecordset.Fields(“lastLogonTimeStamp”).Value
    If (Err.Number 0) Then
        On Error GoTo 0
        dtmDate = #1/1/1601#
    Else
        On Error GoTo 0
        lngHigh = objDate.HighPart
        lngLow = objDate.LowPart
        If (lngLow < 0) Then
            lngHigh = lngHigh + 1
        End If
        If (lngHigh = 0) And (lngLow = 0) Then
            dtmDate = #1/1/1601#
        Else
            dtmDate = #1/1/1601# + (((lngHigh * (2 ^ 32)) _
                + lngLow)/600000000 – lngBias)/1440
        End If
    End If
    ‘ Display values for the user.
    If (dtmDate = #1/1/1601#) Then
       Wscript.Echo chr(34) & strDN & chr(34) & “,” & strCN &  “,Never”
    Else
       Wscript.Echo chr(34) & strDN & chr(34) & “,” & chr(34) & strCN & chr(34) & “,” & dtmDate
    End If
    adoRecordset.MoveNext
Loop

‘ Clean up.
adoRecordset.Close
adoConnection.Close

Windows : Uninstalling a hotfix from the Recovery Console

Windows : Uninstalling a hotfix from the Recovery Console

Use the following steps to remove a hotfix from a Windows Operating system whilst running from the recovery console:
1) Ensure you have a record of installed hotfixes/patches (the KB numbers are the important bit!) that you wish to remove.
2) Boot to the recovery console
3) Check for installed patches/hotfixes; dir $*
4) Change to the directory of the hotfix/patch you wish to remove, change text in red to match the KB number: CHDIR $NTUninstallKBXXXXXXXXX
5) To uninstall execute the spunist.txt file; BATCH spuninst.txt

DNS Scavenging : Existing Environment

DNS Scavenging : Existing Environment

Many peopple are wary of the impact of enabling DNS scavenging on an existing environment. Th following command/script will allow you to identify all of the records that will be deleted if you were to enable scavenging.

First execute the command: dnscmd SRV /enumrecords zone @ /continue > DNS_Records.txt

Save the text below into a file names DNSScavenge.vbs, then execute the command: cscript.exe /nologo DNSScavengeTest.vbs DNS_Records.txt >> DNS.csv

‘———————————————————————————————-

Const ForReading = 1
Const ForWriting = 2
Const ForAppending = 8
Const AGING_TOKEN = “[Aging:”

Const DDNS_NO_REFRESH = 7        ‘ The dynamic DNS no refresh period, where an update classified as a refresh will not be accepted for the record
Const DDNS_REFRESH = 7            ‘ The dynamic DNS refresh period, during which an update will be accepted for the record
Const GMT_OFFSET = +10            ‘ Offset in hours to adjust the resultant times based on the current GMT timezone

Set objFSO = CreateObject(“Scripting.FileSystemObject”)

If WScript.Arguments.Count = 1 Then
    strFileName = WScript.Arguments(0)
Else
    wscript.echo “Specify a filename containing the output of dnscmd. eg DNSScavengeTest.vbs DNS_Records.txt”
    wscript.quit(2)
End If

If Not objFSO.FileExists(strFileName) Then
    WScript.Echo “Error: ” & strFileName & ” file not found.”
    wscript.quit(2)
End If

Set objTextStream = objFSO.OpenTextFile(strFileName, ForReading)
strZoneRecords = objTextStream.ReadAll
WScript.Echo “name,timestamp,wouldBeScavengedIn”

For Each strLine in Split(strZoneRecords, vbCRLF)
    intStart = InStr(1, strLine, AGING_TOKEN, 1)
    If intStart 0 Then                                ‘ Does this line contain an aging value?
        intStart = intStart + Len(AGING_TOKEN)
        intEnd = InStr(intStart, strLine, “]”)
        If intEnd 0 Then intLength = intEnd – intStart
        strHost = Left(strLine, InStr(strLine, ” “)-1)                ‘ Yes, extract the host

        intAging = Mid(strLine, intStart, intLength)                ‘ Extract the aging value, expressed in the decimal number of hours since 01/01/1601
       
        dtmDate = DateAdd(“h”, intAging, “01/01/1601 00:00:00 AM”)        ‘ Convert to a date timestamp
        dtmDate = DateAdd(“h”, GMT_OFFSET, dtmDate)                ‘ Add the current GMT offset

        intDiff = DateDiff(“h”, dtmDate, Now)                    ‘ The difference between now and the timestampe
        intHourDiff = intDiff – ((DDNS_NO_REFRESH * 24) + (DDNS_REFRESH * 24))    ‘ Based on the dynamic DNS no-refresh and refresh periods combined
        If intHourDiff > 0 Then                            ‘ Is this a positive number, indicating the record will be scavenged
            intDay = CInt(intHourDiff / 24)                    ‘ Yes, convert to a number of days for output
            WScript.Echo strHost & “, ” & dtmDate & “, ” & intDay + DDNS_NO_REFRESH + DDNS_REFRESH    ‘This record would be scavenged
        Else
            WScript.Echo “*” & strHost & “, ” & dtmDate            ‘ This record won’t be scavenged
            intDay = 0
        End If
    End If
Next