Windows 2003 : Certificate Services – Repair CA Virtual Directories
Today I had an issue with a subordinate CA, its AIA/CDP/CRL HTTP locations were showing as down. On further investigation I noted that the virtual directories for the CA had in fact vanished out of IIS. The files themselves for the CA were present in the CertEnroll directory, so it was an IIS issue.
To restore the Virtual Directory configuration use the following command: certutil -vroot
Windows : List Installed Updates
The following vbScript will list all installed updates on a host, the script can also be run against another system by changing the “.” to “computername“. I used this to help with a recent audit of our systems and found itsaved a lot of time!
Const OpenAsASCII = 0
Const OverwriteIfExist = -1Set oShell = CreateObject(“WScript.Shell”)
Set oFSO = CreateObject(“Scripting.FileSystemObject”)strComputer = “.”
sFile = “C:\” & strComputer & “_updates.txt”
Set fFile = oFSO.CreateTextFile(sFile, OverwriteIfExist, OpenAsASCII)fFile.WriteLine
fFile.WriteLine “Hotfix report date: ” & Now & vbCrLfConst HKLM = &H80000002
‘On Error Resume Next
Set objWMIService = GetObject(“winmgmts:” _
& “{impersonationLevel=impersonate}!\\” & strComputer & “\root\cimv2”)Set colSettings = objWMIService.ExecQuery _
(“Select * from Win32_OperatingSystem”)‘ get general info about the OS
‘ Caption value for different OS:
‘ Microsoft Windows 2000 …
‘ Microsoft Windows XP …
‘ Microsoft(R) Windows(R) Server 2003, ….. Edition
For Each objOperatingSystem in colSettings
strOSCaption = objOperatingSystem.Caption
Select Case True
Case InStr(1, strOSCaption, “windows 2000”, vbTextCompare) > 0
strOS = “Windows 2000”
Case InStr(1, strOSCaption, “windows xp”, vbTextCompare) > 0
strOS = “Windows XP”
Case InStr(1, strOSCaption, “windows(r) server 2003”, vbTextCompare) > 0
strOS = “Windows Server 2003”
End SelectintOSLang = objOperatingSystem.OSLanguage
strOSLangHex = Right(“000” & Hex(intOSLang), 4)
strOSServicePack = objOperatingSystem.CSDVersion
NextSet objReg = GetObject(“WinMgmts:{impersonationLevel=impersonate}!//” _
& strComputer & “/root/default:StdRegProv”)strOSLanguage = “Unknown” ‘ Init value
strKeyPath = “SOFTWARE\Classes\MIME\Database\Rfc1766”
strValueName = strOSLangHex
objReg.GetStringValue HKLM, strKeyPath, strValueName, strOSLanguage‘ remove unnecessary stuff
arrOSLanguage = Split(strOSLanguage, “;”)
strOSLanguage = arrOSLanguage(UBound(arrOSLanguage))
If Instr(strOSLanguage, “(“) > 0 Then
arrOSLanguage = Split(strOSLanguage, “(“)
strOSLanguage = Trim(arrOSLanguage(0))
End IffFile.WriteLine “OS version: ” & strOSCaption
fFile.WriteLine “SP version: ” & strOSServicePack
fFile.WriteLine “OS language: ” & strOSLanguage‘ start enumeration of hotfixes
fFile.WriteLine vbCrLf & “Hotfixes Identified:” & vbCrLf
strRegBaseUpdOS = “SOFTWARE\Microsoft\Updates\” & strOS
strRegBaseUpdIE = “SOFTWARE\Microsoft\Updates\Internet Explorer 6\SP1\”Set colItems = objWMIService.ExecQuery _
(“Select * from Win32_QuickFixEngineering”,,48)For Each objItem in colItems
If objItem.HotFixID “File 1” Then
fFile.WriteLine “HotFixID: ” & objItem.HotFixID
fFile.WriteLine “Description: ” & objItem.Description
fFile.WriteLine “InstalledBy: ” & objItem.InstalledBy
strInstallDate = Null ‘ init valueIf InStr(1, objItem.HotFixID, “-IE6SP1-“, vbTextCompare) > 0 Then
strRegKey = strRegBaseUpdIE & objItem.HotFixID
objReg.GetStringValue HKLM, strRegKey, _
“InstalledDate”, strInstallDate
ElseIf objItem.ServicePackInEffect “” Then
strRegKey = strRegBaseUpdOS & “\” & objItem.ServicePackInEffect _
& “\” & objItem.HotFixID
objReg.GetStringValue HKLM, strRegKey, _
“InstalledDate”, strInstallDate
End IfIf IsNull(strInstallDate) Then
strInstallDate = “(none found)”
End If
fFile.WriteLine “InstallDate: ” & strInstallDate
fFile.WriteLine ‘ blank line
End If
NextfFile.Close
oShell.Run sFile
Windows 7 : Windows 2003 Print Server
Came across an issue today where a Windows 7 client would not print to a Windows 2003 x64 print server. The solution was a registry key to disable the use of Async. RPC for printing:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\
Right-click Printers, point to New, and then click DWORD.
Type EnabledProtocols.
Rigkt-click EnabledProtocols.
In the Value data box, type 6.
Close Registry Editor.
Reboot the client then test printing again.
More info here: http://support.microsoft.com/kb/2269469
Userenv : Event 1041
On a Windows 2003 server i came across the following errors in the event log:
Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D} and it will not be loaded. This is most likely caused by a faulty registration.
Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE} and it will not be loaded. This is most likely caused by a faulty registration.
To resolve this issue simply delete the following registry keys:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]
This issue is caused by the uninstaller not removing all keys created during the installation of IE8.
Windows Update ; Install Downloaded Updates in Bulk
First, copy updates to the server you wish to update then execute the following command to install multiple Windows Update files:
for /f “tokens=*” %a in (‘dir /b C:\updates\*.msu’) do start /wait wusa.exe %a /quiet /norestart
Storage Essentials : Beware ‘Get All Details’ Task
Shortly after the introduction of Storage Essentials into an environment, fibre tape backups were interrupted at around 03:00 AM every day. We had various errors reported by hosts:
[Major] From: [email protected] “SYS-LTO5_LIB_Drive_1” Time: 23/02/2011 03:02:56
[90:51] Tape8:0:6:0C Cannot write to device (Details unknown.)[Major] From: [email protected] “CDC-LTO5_LIB_Drive_4” Time: 23/02/2011 03:03:26
[90:161] Cannot write filemark. ([5] I/O error)[Critical] From: [email protected] “/itaedi” Time: 23/02/2011 03:03:26
Unexpected close reading NET message => aborting.[Major] From: [email protected] “UX-ITPROD_OFFLINE” Time: 23/02/2011 03:04:52
[61:3003] Lost connection to VBDA named “/itaedi”
on host server.domain.local.
Ipc subsystem reports: “IPC Read Error
System error: [10053] Software caused connection abort
“
[Minor] From: [email protected] “evamgmt02.domain.local [/CONFIGURATION]” Time: 22/02/2011 22:44:13
[81:141] \IISDatabase
Cannot export configuration object: (Unknown internal error.) => backup incomplete.
It turned out that there was a scheduled task within Storage Essentials ‘Get All Details‘ that ran at 03:00 AM every day. This task scanned all known hosts to check for new fibre attached LUNs/devices.
After disabling this task backups were no longer interrupted. It is still possible tomanually trigger updateson a single host, this does NOT impact backups that are runnin, it only appears that backups are interrupted whilst running the scan on ALL hosts.
HP DataProtector : Cannot obtain Cell Manager host
Came across this one today, the below error suddenly started to appear on a SQL backup that was working one day and stopped the next without any change or modification to the SQL server or Cell Manager:
Normal 0
[Critical] From: [email protected] "OSCDB" Time: 2/10/2011 2:40:04 AM
Cannot obtain Cell Manager host. Check the /etc/opt/omni/client/cell_server file and permissions of /etc/resolv.conf file.
On investigation I found that the CellServer registry key, listed below, was infact empty. Upon re-entering the CellServer (Cell Manager) name the backup started to work again:
HKEY_LOCAL_MACHINE\SOFTWARE\Hewlett-Packard\OpenView\OmniBackII\Site\CellServer
Cluster: Generic Script – Rouge Process Cleanup/Terminate
I came across an interesting issue whilst clustering a CODA application server on a Windows Server 2003 Enterprise Microsoft Cluster. CODA spawns multiple processes after service startup, these processes are not services and as a result the cluster is not aware of them. When the CODA services are stopped theadditional processes are not always cleaned up. If the services are started again they will fail with a bind error.
I created a Cluster Generic Script to cleanup ‘rogue’ processes on resource group stop and start. Initially the script below contained a process.terminate() function, however this does not work for SYSTEM owned process. I therefore explored using taskkill.exe which is built into Windows, this means that no additional components are required to get this script working.
‘Chris’ CODA Fix Cluster Script – Created 14/01/2011
Dim WshShell, oExec, oLooksAlive, oIsAlive, oWait, objWMIService, colProcess, objProcess, strComputer, objShell
Set WshShell = CreateObject(“WScript.Shell”)processName = “oasasv.exe”
‘On Error Resume Next
Function Online( )
Resource.LogInformation “Entering Online”
On Error Resume Next
If CheckProcess > 0 Then KillProcess
If CheckProcess > 0 Then
Resource.LogInformation “Rougue ‘” & processName & “‘ process still present, FAILED to kill…”
Online = False
Else
Online = True
End If
If Err.Number > 0 Then
Resource.LogInformation Err.Details
Resource.LogInformation oExec.StdErr.ReadAll
End If
End FunctionFunction Offline( )
Resource.LogInformation “Entering Offline”
If CheckProcess > 0 Then KillProcess
If Err.Number > 0 Then
Resource.LogInformation Err.Details
Resource.LogInformation oExec.StdErr.ReadAll
End If
Offline = True
End FunctionFunction LooksAlive( )
Resource.LogInformation “Entering LooksAlive”
LooksAlive = True
End FunctionFunction IsAlive( )
Resource.LogInformation “Entering IsAlive”
IsAlive = True
End FunctionFunction Open( )
Open = 0
End FunctionFunction Close( )
Close = 0
End FunctionFunction Terminate( )
Resource.LogInformation “Entering Terminate”
If Err.Number > 0 Then
Resource.LogInformation Err.Details
Resource.LogInformation oExec.StdErr.ReadAll
End If
Terminate = True
End FunctionFunction CheckProcess ()
CheckProcess = 0
strComputer = “.”
Set objWMIService = GetObject(“winmgmts:” & “{impersonationLevel=impersonate}!\\” & strComputer & “\root\cimv2”)
Set colProcess = objWMIService.ExecQuery (“Select * from Win32_Process where Name = ‘” & processName & “‘”)
On Error Resume Next
For Each objProcess in colProcess
CheckProcess = CheckProcess + 1
Next
End FunctionFunction KillProcess ()
strComputer = “.”
Set objWMIService = GetObject(“winmgmts:” & “{impersonationLevel=impersonate}!\\” & strComputer & “\root\cimv2”)
Set colProcess = objWMIService.ExecQuery (“Select * from Win32_Process where Name = ‘” & processName & “‘”)
On Error Resume Next
For Each objProcess in colProcess
Set objShell = CreateObject(“WScript.Shell”)
objShell.Run “taskkill.exe /F /IM ” & processNameResource.LogInformation “Killed rougue ” & processName & “ process…”
Next
End Function
Windows 2003 : Print Server Printer ‘Offline’
I ran into an issue recently where a printer kept going into an ‘offline’ state. This would occur randomly and would require the print spooler service to be restarted on the print server.
The solution was simple:
The printer will now return to an online state and will work again.
Active Directory : Publish Third Party CA Certificate / Offline Standalone RootCA in Active Directory
In order to ensure that your certificiate chain is valid when using an offline RootCA or Tird Party RootCA you must publish the CA certificate in Active Directory. This will replicate the certificate to all machines in the domain, ensuring that the chain is indeed valid for all clients.
To achieve this, export the certificate in DER format and then use the following command to import it into AD: certutil -dspublish -f file_name.cer RootCA
You can test replication by forcing a Group Policy refresh on a client, the cetificate should be replicated as part of this operation.