Edit registry offline

A Windows XP box came into our shop, infected with malware last Friday.  It would boot part way into Windows and then crash with a BSOD stating something like "Unable to load basebow32.dll – unable to load the application, reinstalling might fix this".  To fix, I placed the infected HD in a clean Windows XP box (as a secondary drive), launched regedit, clicked on HKEY_Local_Machine, went to the File menu, Load Hive, and selected the Infected_Drive\Windows\System32\config\SYSTEM file.  Searched it for references to "basebow32" and removed them.  Problem solved!
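The same hive search, scripted. This is an added example, not part of the original post: it loads the offline SYSTEM hive the way regedit's File > Load Hive does, walks every key, and reports each value whose name or data matches a pattern, then unloads the hive again. It assumes the infected disk is mounted on the clean box as E:, that the shell is elevated (reg.exe load requires it), and PowerShell 3.0 or later on the clean box; the mount name and pattern are placeholders. It only reports; deleting the matches is left to the technician.

```powershell
# Added example (not from the original post): search an offline SYSTEM hive for a string.
# Assumptions: infected drive mounted as E:, elevated prompt, PowerShell 3.0+.

function Search-OfflineHive {
    param(
        [Parameter(Mandatory)] [string] $HiveFile,      # e.g. E:\Windows\System32\config\SYSTEM
        [Parameter(Mandatory)] [string] $Pattern,       # regex, e.g. 'basebow32'
        [string] $MountName = 'OfflineSYSTEM'           # temporary key name under HKLM (placeholder)
    )

    # Load the hive under a temporary key, exactly as regedit's File > Load Hive does.
    & reg.exe load "HKLM\$MountName" $HiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe load failed for $HiveFile" }

    try {
        $root = "HKLM:\$MountName"
        # Walk the root and every subkey; a few keys deny access even to administrators, so skip those.
        $keys = @(Get-Item $root) + @(Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                $value = $key.GetValue($name)
                # Binary and multi-string data are flattened so the regex can match inside them too.
                $text = @($value | ForEach-Object { "$_" }) -join ' '
                if ($name -match $Pattern -or $text -match $Pattern) {
                    [pscustomobject]@{
                        Key   = $key.Name
                        Value = if ($name) { $name } else { '(Default)' }
                        Data  = $text
                    }
                }
            }
        }
    }
    finally {
        # Drop the key objects and always unload; a hive left loaded stays locked and the
        # infected disk will not boot cleanly when it goes back into its own machine.
        $keys = $null; $key = $null
        [GC]::Collect(); [GC]::WaitForPendingFinalizers()
        & reg.exe unload "HKLM\$MountName" | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "reg.exe unload failed; unload HKLM\$MountName by hand" }
    }
}

# Usage: list every key and value that mentions the bogus DLL, then decide what to delete.
Search-OfflineHive -HiveFile 'E:\Windows\System32\config\SYSTEM' -Pattern 'basebow32' |
    Format-Table -AutoSize
```

Searching the name and the data separately matters here: a load-order entry may carry the DLL name as the value data (for example inside a multi-string list), while an ImagePath carries it as part of a longer path, and a plain regedit Find on one of those forms can miss the other.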

Symantec AV removal

How do you uninstall the corporate version of Symantec antivirus if it's password protected & you don't know the password?

First, try the word "symantec".  If that doesn't work, open regedit and navigate to HKEY_LOCAL_MACHINE\Software\Intel\LANDesk\VirusProtect6\CurrentVersion\AdministratorOnly\Security.  Change the useVPuninstallpassword from 1 to 0.  Close the registry editor and retry the uninstall.


Windows 2003 wouldn't boot on a client's server, claiming that its SYSTEM registry hive was corrupt.  Strangely, not only was I unable to boot from the HD, I couldn't get any of my bootable CDs to work either!  I even tried a different CD drive.  The culprit?  A bad RAM module.  The registry and my bootable CDs were just fine.

Internet health

On May 21, several customers called in to complain about slow Internet access.  They all had one thing in common: their ISP was TDS.  A major fiber line in the Chicago area had been cut by construction.  A co-worker then introduced me to InternetHealthReport.com.

Missing Icons

A month ago, I copied all the files from a repaired HD onto a new, blank HD for a laptop running Windows Vista.  After repairing the boot sector on the new drive, I was able to boot into Vista just fine.  The puzzling thing was that none of the programs installed by the Windows Installer had an icon!  This was because my file copy program had skipped C:\Windows\Installer.

For more reading about icon issues, see these links:

Windows Installer

Default programs

Icon Cache


PhotoSmart via RDP

How do you print to a local HP Photosmart printer in an RDP session? It's simple, right? No. HP doesn't make Server 2003 drivers for their Photosmarts. To work around this, you can install HP Deskjet 990Cse drivers on both the client and the server. On the client PC, be sure to select the same port used by your Photosmart driver.


70-297 - Passed!

I passed 70-297 this afternoon, thus completing my study to become MCSE certified.



Today's topic is DHCP! There are three ways to get a DHCP assigned address to a client:
1) Place a DHCP server on every subnet
2) Enable BOOTP in the router(s)
3) Place a DHCP relay agent on every subnet. The relay agent picks up a client's multicast request for an IP address and then unicasts that to the DHCP server...which unicasts a response to the relay agent and then the relay agent broadcasts that IP address to the client.

If you have a DHCP server and a relay agent on the same subnet, how do you know that the server will respond first? DHCP relay agent settings can be found in RRAS, and there's a setting called "Boot threshold" which lets you tell the agent to wait several seconds to see if a DHCP server will respond.

A "split scope" is a way to create fault-tolerance for DHCP. On subnets "A" and "B", you use both a DHCP server and a DHCP relay agent. Each DHCP server can assign up to 80% of its IP addresses and the server in the other subnet holds the other 20% (the percentage is flexible). This way, if one DHCP server dies, the associated relay agent can forward requests to the other server and receive a valid address for the original subnet.

To paraphrase, a DHCPDiscover broadcast says "Hi, my MAC address is blah-blah-blah and I used to have IP address blah-blah-blah. Are there any DHCP servers available to re-assign this address to me?". It receives an IP and subnet. Then it says "Thanks, I'm also looking for a default gateway and a DNS server - do you have that info?". Here's a really good article on this topic.

Two other methods of fault-tolerance for DHCP are to cluster your DHCP servers or to use the "alternate configuration" in Windows XP.

Random note:
In a big organization, it makes sense to keep the "root domain" of your forest empty (w/ only the Administrator account active - and assigned a good password) to protect the Enterprise Admins and Schema Admins group from misuse.


Delegating DNS

Why would you delegate a DNS zone? If a DNS server is being overwhelmed by traffic, it would make sense to delegate a portion of its namespace to another server; if a DNS server is separated from important "clients" (e.g. Exchange servers, or many workstations) over a slow WAN link, delegation is a way of moving the most important (popular) DNS server closer to its base; or you may just need to shift some of the administrative work to somebody else. Hopefully I'll be able to grasp the concepts being tested in 70-297, but in real life, I think I still feel very fuzzy on why/how the whole DNS delegation thing exists/works.

When I created a new zone on my test DNS server, I found that unqualified hostnames failed in nslookup. Using group policy (Computer\Admin\Network\DNS) I added an entry to the DNS suffix search order for the zone that had previously failed the nslookup. After fixing a subnet mask on my test workstation (oops) and rebooting (to apply the machine-level group policy), it worked!


More research 2

Reviewed WINS concepts. On a single subnet, you don't need a WINS server. If you have multiple subnets (broadcast domains) and you have a program that requires WINS lookups, then you need a WINS server.

DNS...I'm comfortable with primary zones, ADI, forwarding, and recursion. Secondary zones are read-only copies of a primary server. In Server 2003 they don't seem to have any value. They cannot be integrated into Active Directory. If you have a DNS server that needs to know about DNS servers in other forests, you can use a stub zone to avoid zone transfer traffic. It seems that secondary zones used to be handy for fault tolerance and load balancing, however that's a non-issue with ADI zones. According to informit.com, a BIND server can receive a secondary copy of an ADI zone.

It just occurred to me this evening that the default "ClientApps" share on Server 2003 is probably intended for applications published to clients via group policy in their Add/Remove Programs applet.


More research

I tried 70-297 on the 15th & flopped again! Today, I'm doing some study on related topics.

Server 2003 (Standard) minimum system requirements are a 133MHz x86 CPU, 128MB of RAM, and 2.0 GB of available HD space. Server 2003 supports three processor architectures: x86 32-bit, x86 64-bit, and Itanium. This means that Server 2003 does NOT run on RISC processors.

To bone up on RADIUS, I followed instructions to install IAS and configure RRAS to use it. It worked! I ran IAS and RRAS on the same server.

Operations masters - it seems I'm weak on these. They used to be called FSMO (fiz-mo) for Flexible Single Master Operation. The concept of Active Directory is a "multi-master" one overall, but there are some roles that only a single DC handles. Two of these are at the forest level: schema master and domain naming master. Three others are at the per-domain level: RID master (sort of the "master domain controller" - it allocates domain RIDs to the DCs for use in SIDs); Infrastructure Master (only important in multidomain environments - in which case it shouldn't be on a GC server); and the PDC Emulator, which handles password changes and account lock-outs. It's also the authoritative time source in a domain.

I think if bandwidth isn't an issue, every DC in a small domain should be a GC.

For a short-term disaster recovery simulation, you only need a PDCe available. However, if you restore a DC from backup, it will invalidate its RID pool and need access to a RID master to replenish it for new object creation. See here and here.

When you install a Server 2003 box in a Windows 2000 forest, you have to update the 2000 AD schema for the new features in 2003's version of Active Directory. You do this by running adprep /forestprep on your forest's schema master & adprep /domainprep on each domain's infrastructure master.

In other news, SP1 for Vista was released on the 18th.

Unable to disjoin domain

Several weeks ago a workstation was experiencing really slow logon/off times. When I tried to disjoin it from the domain I was told "The following error occurred attempting to unjoin the domain: the specified module could not be found". Now what? It turned out that w32time.dll was missing from the c:\windows\system32 directory. Because it was missing, the Net Logon service couldn't run. The Net Logon service is essential for interacting with a domain.


Google Apps

I tried out free email hosting via Google Apps recently. The steps to do so are:

Create a Google Apps account.
Follow instructions to change MX records for your domain (via CPanel).
Follow instructions to change custom webmail URL (via support ticket with web host - CPanel doesn't support this).
Log into each webmail account and enable POP or IMAP access.
Follow instructions to configure your mail client (e.g. Outlook Express)
- You log in to pop.gmail.com:995 as username@yourdomain.com

I think this will provide good spam filtering for free - and might therefore be useful for nonprofits and small businesses who don't want to purchase Outlook 2003 for their users. Outlook 2003 has an excellent built-in spam filter, updated monthly by Microsoft via Microsoft Update.


Defragment Exchange

Here's a short batch file to defragment Exchange 2000/2003 information stores:

@echo off
echo Verify that you've backed up and dismounted the Exchange Store!
echo Press Ctrl + C to cancel...
rem Wait here so the warning can actually be read; Ctrl+C at this prompt aborts the script.
pause
rem /d also switches drives, in case the script is launched from another volume.
cd /d "C:\Program Files\Exchsrvr\BIN"
rem Offline defragmentation builds a new copy of the database next to the original, so the
rem volume needs free space for that temporary file before this runs.
eseutil /d ..\mdbdata\priv1.edb

Local user profiles

Last week, a client requested that their stand-alone workstations be joined to their domain for better password management. To minimize disruption to the users, I used ForensiT's User Profile Wizard to join systems to the domain and re-assign their local profile to the new domain SID. It works beautifully! The only thing it doesn't do is transfer the contents of Protected Storage. I used NirSoft's Protected Storage PassView to copy saved passwords into an Excel spreadsheet for printing.


Local Admin

To add a domain group to the local admins group on all your workstations, fire up a group policy and edit the computer startup scripts. Here are two scripts I've tested:

1) Batch file:
NET LOCALGROUP Administrators /ADD "YourDomain\YourDomainGroup"

2) VBScript:
On Error Resume Next
MyDomainName = "InsertYourDomainName"
MyDomainGroup = "InsertYourDomainGroup"

' Look up the local computer name so the WinNT path below is valid.
Set WshNetwork = WScript.CreateObject("WScript.Network")
ComputerName = WshNetwork.ComputerName

' Bind to the local Administrators group through the WinNT provider and add the domain group.
Set Local_Admins = GetObject("WinNT://" & ComputerName & "/Administrators,group")
Local_Admins.Add "WinNT://" & MyDomainName & "/" & MyDomainGroup & ",group"

Computer startup scripts run with practically unlimited local permission; logon scripts rely on the current user's permission.
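A PowerShell version of the same startup script, added here as an example and not one of the scripts from the post above. It uses the same WinNT ADSI provider as the VBScript, but first enumerates the current members so it can run at every boot without a duplicate-add error, and because a startup script runs as SYSTEM with nothing watching its console, it writes its outcome to the Application event log. The domain name YOURDOMAIN, the group WorkstationAdmins and the event source name are placeholders.

```powershell
# Added example (not from the original post): idempotent computer-startup script that adds a
# domain group to the local Administrators group and records what it did in the event log.
# Assumptions: YOURDOMAIN and WorkstationAdmins are placeholders; the script runs as SYSTEM.
param(
    [string] $DomainName = 'YOURDOMAIN',
    [string] $GroupName  = 'WorkstationAdmins'
)

$computer   = $env:COMPUTERNAME
$admins     = [ADSI]"WinNT://$computer/Administrators,group"
$targetPath = "WinNT://$DomainName/$GroupName"        # ADsPath as the provider reports members

# Enumerate current members so a re-run at every boot is a no-op instead of an error.
$members = @($admins.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
})

if ($members -contains $targetPath) {
    $message = "$targetPath is already a member of $computer\Administrators; nothing to do."
} else {
    try {
        # The ',group' suffix tells the WinNT provider what kind of object it is binding to.
        $admins.psbase.Invoke('Add', "$targetPath,group")
        $message = "Added $targetPath to $computer\Administrators."
    } catch {
        $message = "Failed to add $targetPath to $computer\Administrators: $($_.Exception.Message)"
    }
}

# Leave an audit trail: a change to local admin membership is worth a log entry on every machine.
$source = 'LocalAdminStartup'                          # placeholder event source name
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName Application -Source $source   # one-time registration, needs admin rights
}
$type = if ($message -like 'Failed*') { 'Error' } else { 'Information' }
Write-EventLog -LogName Application -Source $source -EventId 1000 -EntryType $type -Message $message
```

On XP and Server 2003 the Group Policy startup-script editor has no native PowerShell entry, so the script is launched as a command line, `powershell.exe -ExecutionPolicy Bypass -File \\YourDomain\SYSVOL\...\AddLocalAdmin.ps1` (path is a placeholder), which is also why logging to the event log rather than the console is the only way to find out later what happened on a given workstation.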



This evening I tried out the Active Directory Migration Tool 3.0, migrating a WinXP workstation from the “silver” domain (the source) to the “gold” domain (the target).

After installation, you open the ADMT as an MMC snap-in on the target domain controller. Your target domain must be in domain native mode. User and computer accounts get migrated in separate steps; then you remotely run an “agent” on the workstations that you’re migrating to join them to the new domain and reset all the necessary file/registry permissions.

In order for this agent to run, your user account in the target domain must have local admin rights on the workstations. Automating the process may be the topic of another post. I did it manually by adding \\gold\Domain Admins to \\silver\Trusted-Admins and then adding the new "Trusted Admins" (a domain local) group to the local admins group on the workstation.

I couldn’t add \\gold\Domain Admins to \\silver\Domain Admins because both groups are global. Remember that global groups are great travelers, but poor hosts. Also found that I couldn’t place an individual user account from one domain in another domain’s group.

If you don’t have local admin rights to the workstations, the ADMT agent will report “access is denied” to the ADMIN$ share. The workstations also need to have the same primary DNS server as the target domain controller(s).

By the way, during the course of this exercise I raised my forest functional level and learned that the Enterprise Admins group only exists on domain controllers in the “root domain” of a forest. You have to be in that group to make any schema changes (e.g. modifying the forest).

By default, the ADMT does not migrate user passwords; instead it sets the migrated user accounts to “change password at next login”.

After the ADMT agent runs, it reboots the workstation & voilà! You’re finished! This is so cool.


Domain tinkering

Powered on SERVER2 and ran dcpromo, but couldn't demote it to a stand-alone server because Active Directory "knew" that there was still another DC out there. So I tried demoting it to a member server, but Active Directory insisted that it must be able to contact another DC in that case...so I powered on SERVER1. After demoting SERVER2 to a member server and rebooting, I ran dcpromo again to install Active Directory as a new domain in the existing forest. This didn't work at first because DNS lookups (for the new domain) on SERVER1 timed out. To fix, I created a primary zone on SERVER1 for the new domain and that allowed me to proceed with installing Active Directory on SERVER2 w/ SERVER1 as its DNS server.

Powered on a virtual workstation (XP1) and joined the second domain. After rebooting, XP1 saw every domain in the forest - meaning DOMAIN1, DOMAIN2, and XP1. A quick Google search determined that this list is not editable, but that you can set a default domain for a PC and then hide the domain list.

Windows workstations cache domain credentials for up to 10 offline logins. To change/disable this, edit a group policy: Computer > Windows > Security > Local > Interactive logon: Number...

After a slow initial login on XP1, I checked the event log and found complaints that the domain controller was inaccessible. Creating reverse DNS entries appeared to resolve this (though maybe it just needed more time).

Lastly, I assigned a batch file login script to XP1 via group policy, but noted that my PAUSE command was ignored.


Rapid replication

Installed Server 2003 in two virtual machines ("server1" and "server2") this evening. Made them domain controllers for the same domain. Learned how to force replication via ADSS. Disabled the default domain GP password settings & tried to create a user w/ no password; this failed with "Windows cannot create the object because: Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirement of the domain." Running gpupdate by itself didn't help, but running gpupdate /force did.

Windows allows you to turn off Global Catalog functionality completely in a domain, but if you try to create a user after that, it reports "Windows cannot verify that the user name is unique because the following error occurred while contacting the global catalog: The directory service is unavailable. Windows will create this user account, but the user can log on only after the user name is verified to be unique. Make the sure the global catalog is available." If the user that you create in this offline state is a duplicate, the global catalog server will keep the duplicate account name but assign a unique SID and append gibberish to the name in AD.

A cool tool for viewing an account's SID or last logon/off date comes with the Server 2003 Resource Kit. After you download and install the kit (it's free), run regsvr32 "C:\Program Files\Windows Resource Kits\Tools\acctinfo.dll".

Despite the fact that my two domain controllers are running in the default forest/domain modes, intrasite replication happens almost immediately! I thought you'd have to wait 15 minutes or 5 minutes or 15 seconds.

In other news, Windows Server 2008 was released yesterday (February 28) and I took 70-297 last Saturday, but failed.


Choppy DVD playback

My sister called a couple evenings ago and said "I think my DVD-ROM is going bad! Videos are so choppy and jerky, they're no fun to watch". This was caused by her secondary IDE channel reverting back to PIO mode, an older method for accessing drives - and too slow for DVDs. To fix, we uninstalled the channel, redetected it, enabled DMA mode, and then rebooted. See this article on DMA reverts to PIO.

Fixing RRAS and FPS

A client called our office this morning and said "My users can't access the Internet or browse shared folders!". The client runs Windows SBS 2003. RRAS w/ NAT distributes Internet access on the WAN interface to all the workstations.

What was wrong? File and Printer Sharing had been disabled on the LAN interface (and enabled on the WAN)! This generated lots of errors in the event log, including event 1058 and 1030, because Windows couldn't access the SYSVOL share via UNC path (in fact, while shares were visible via \\servername, double-clicking on any of them merely brought up a username/password prompt). After correcting this, users could once again access shared resources on the server, but they still couldn't access the Internet.

It turned out that the LAN interface had recently been replaced or renamed...so RRAS wasn't doing NAT on the renamed interface. Right-clicking in RRAS/NAT and choosing "Add interface" quickly resolved the problem.


ActiveX error

To access a security camera system for one of our clients, you have to change Internet Explorer's security zone settings. IE will tell you "Your current security settings prohibit running ActiveX controls on this page". To fix, go to Tools -> Internet Options -> Security tab -> Custom Level -> ActiveX controls and plug-ins -> Download unsigned ActiveX controls -> Prompt (instead of disabled).


Malware infections

One of your users has a malware infection. Your antivirus program quarantined part of it, but it’s still hanging on, just beyond the reach of your two or three favorite antivirus/antispyware tools. Now what?

1. Connect the infected hard drive to a spare PC running Windows XP or Vista so you can freely access the file system.

2. Search the Windows directory for recently created/modified *.exe, *.com, *.dll, *.ocx, *.bat, *.dat, *.drv, *.sys, *.bin, *.scr files. Configure the search results to display the file’s publisher and version number.

Recently created or modified files which do not display a publisher are probably malware and should be disabled (by appending a different file extension, e.g. *.bad). Files that do have a legitimate publisher but were recently modified are probably corrupt and can be replaced by an older (clean) copy displaying the same version number.

Lastly, run HijackThis to clean up any remaining traces of infection.

I've used this method to remove malware missed by NOD32 and Spyware Doctor.
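Step 2 of the hunt above, scripted. This is an added example and not part of the original post: it walks the Windows directory of the attached disk for the listed extensions, keeps files created or modified since a cutoff date, and reports the publisher and version from each file's version resource together with an Authenticode check, since the publisher string in a version resource is just text anyone can put there. It assumes the infected disk is mounted on the clean box as E: and that PowerShell 3.0 or later is available there. It renames nothing; it produces the list the technician then works through.

```powershell
# Added example (not from the original post): automate step 2 of the malware hunt.
# Assumptions: infected drive mounted as E:, PowerShell 3.0+ on the clean machine.

function Find-SuspiciousFiles {
    param(
        [string]   $Root  = 'E:\Windows',
        [datetime] $Since = (Get-Date).AddDays(-14),
        [string[]] $Extensions = @('*.exe','*.com','*.dll','*.ocx','*.bat','*.dat',
                                   '*.drv','*.sys','*.bin','*.scr')
    )

    Get-ChildItem -Path $Root -Recurse -Force -Include $Extensions -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and
                       ($_.LastWriteTime -ge $Since -or $_.CreationTime -ge $Since) } |
        ForEach-Object {
            # Publisher and version come from the PE version resource (what Explorer shows);
            # the Authenticode check tells us whether anyone actually vouched for the bytes.
            $info      = $_.VersionInfo
            $sig       = Get-AuthenticodeSignature -FilePath $_.FullName
            $publisher = $info.CompanyName

            $verdict = if ([string]::IsNullOrWhiteSpace($publisher)) {
                'REVIEW: no publisher'                   # step 2's "probably malware" case
            } elseif ($sig.Status -ne 'Valid') {
                'REVIEW: publisher claimed but unsigned'  # a version resource is trivially faked
            } else {
                'Signed: compare with a known-good copy of the same version'
            }

            [pscustomobject]@{
                Path      = $_.FullName
                Modified  = $_.LastWriteTime
                Created   = $_.CreationTime
                Publisher = $publisher
                Version   = $info.FileVersion
                Signature = $sig.Status
                Verdict   = $verdict
            }
        } |
        Sort-Object Modified -Descending
}

# Usage: run on the clean box with the infected disk attached; work through the REVIEW rows first.
Find-SuspiciousFiles -Root 'E:\Windows' -Since (Get-Date).AddDays(-7) |
    Export-Csv -Path "$env:USERPROFILE\Desktop\suspect-files.csv" -NoTypeInformation
```

One caveat when reading the Signature column: many Windows system binaries are signed through catalog files rather than an embedded signature, and the catalogs that vouch for an offline disk's files are not in the clean machine's catalog store, so legitimate system files from the infected disk can show NotSigned. For those, the tie-breaker is the one the post already uses: compare against a known-clean copy with the same version number (a hash comparison with Get-FileHash makes that comparison exact).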


Theory, part 1

Active directory sites serve two purposes:
- Control AD replication traffic
- Ensure that users logon to a local DC rather than crossing a WAN link during login

As a general rule of thumb, you should install a domain controller in a branch office if there are 50+ users, and you should install a global catalog if there are 100+ users.

There are three reasons to have an OU:
- To delegate administration
- To apply group policies
- To hide resources



Began studying for 70-297 this evening. I need to try out Visio 2007 and Smart Draw 2008 to see if either program is really easy to use. Academic prices are $80 and $120 respectively.


Powershell and VBScript

Microsoft has a new scripting language called PowerShell, which works on Windows XP and everything newer. Someday I would like to take a course on PowerShell or VBScript. Microsoft has some videos about PowerShell.

Fixing a BSOD

A tech in our office recently imaged a hard drive onto a new computer. He did a repair installation of Windows XP on the drive, but after restarting, WinXP setup always crashed with error STOP 0x0000007E. This was resolved with Microsoft's Diagnostics and Recovery Toolset. This oh-so-handy bootable CD lets you disable unwanted device drivers!

Never relay a message

You recall my Exchange 6 post on January 21st? I allowed Exchange to relay messages to the site's own domain, through their web host's SMTP server, because this is a "shared namespace" (not all user accounts are on the Exchange server). The following Monday the web host admin informed us that 40,000 spams had been sent to users at this domain from their own IP address!!! I think the culprit was a compromised workstation on the LAN. To fix the problem, I disabled relaying and used a setting in the SMTP virtual server that says "Forward messages with unresolved recipients to: {insert mail server name or IP}". Problem solved. Note that no SMTP authentication is required in this case.

At the same site, I drastically shortened the amount of time that Exchange spends on retrying message delivery so that users are quickly notified when there's a delivery problem.

SQL error 15401

A couple of weeks ago a customer couldn't create an SQL login account because it had a duplicate SID with an existing account (I have no idea how that happened). I followed Microsoft's directions to identify and delete the offending account.

Someday, I would like to take Test Out's SQL course or CBT Nuggets' SQL course.


70-284 - Passed!

Passed 70-284 this afternoon. There were 30 questions, with an emphasis on name resolution and firewall interaction.


Message size limit

A user on an Exchange 2003 server tried to send a 22MB email attachment and received an error. This was because in Global Settings -> Message Delivery a 20MB maximum size was configured.

When assigning logon/off scripts via group policy, you must use a UNC path.


Restricting RDP users

One of our clients has several inexperienced users connecting to a 2003 terminal server. To help protect the server, the following group policies have been enabled:

- User Config -> Admin Templates -> Start & Taskbar:
Add "Log off" to start menu
Disable and remove "Shutdown" from start menu
- User Config -> Admin Templates -> Windows Explorer:
Hide specified drives... (restricting all drives includes network drive letters!)

This hid most of the local drives on the server, leaving just the mapped network drive for the users' data. However, if they started typing a path in any address bar, folders in the "hidden" drives were listed as auto-complete options. To avoid this, I disabled autocomplete (effective for both Windows Explorer and Internet Explorer):

- User Config -> Windows Settings-> IE Maintenance-> Advanced-> Internet Settings

Exchange 6

Summary of latest Exchange topics covered in my study:
- How to mail enable a public folder (I haven't tested this)
- Free/Busy data is kept in a system Public Folder
- RPC over HTTPS can replace a VPN for checking email with Outlook 2003
- You can configure real-time block lists (RBLs) to reduce spam

Recently had a client ask us to simplify their email setup. Every user's Outlook was configured w/ a POP3 account which saved mail into an Exchange mailbox (rather than a PST file). Starting with one user as my "guinea pig", I removed his POP3 account in Outlook (retaining only the Exchange account), and created an entry for him in the Exchange server's POP3 connector. Also reconfigured the server's SMTP connector with current information.

The first time I tried to send a message to my own email address it bounced back w/ error 550, so I enabled SMTP authentication in the connector.

Next, I tried emailing two people who share the organization's domain name but who don't use the Exchange server. That test bounced back w/ error 5.1.1 (recipient doesn't exist). I checked the recipient policy in System Manager and found that the check box for "This Exchange Organization is responsible for all mail delivery..." was grayed out. So...I created a new policy (leaving that check box blank) and created an additional SMTP connector just for this organization's domain - with relaying enabled. Many, many thanks to msexchange.org for their article on SMTP Namespace Sharing.


Negative ping times

A W2K3 terminal server (and domain controller) failed to apply my group policies when users logged into their RDP sessions recently. Today I set about to fix this. Checked the application event log and found that event 1054 had been logged every 5 minutes for the last five months (almost since the server was installed!). Filtering the log for event 6009 showed that the server had been restarted a handful of times during that period. Running gpresult in a user's RDP session returned an error “The user does not have RSoP data”. I checked DNS, restarted the netlogon service, ran ipconfig /registerdns, and checked file system permissions.

Eventually, I found a site that noted a correlation between group policy errors and AMD's multi-core CPUs. The server has an AMD processor, so I pinged the localhost and got some wild numbers in response. Installing a patch from AMD (their "Dual-Core Optimizer") resolved the incorrect ping times, the application log errors, and my issues with group policy!

Exchange 5

Learned about public folders and front-end Exchange servers this evening. The latter are helpful when you have lots of people using OWA or RPC over HTTPS. All Exchange servers are "back-end", until you specifically designate them as "front-end" and move any mailboxes off of them. Here's an article about using NLB on front-end servers.


Exchange 4

This evening I learned about:
- Address lists (e.g. creating lists other than the GAL; replacing the default OAB).
- Mailbox stores. It seems that a single mailbox store consists of two files, the .edb file and .stm file (MDBEF and MIME formats, respectively)...and one or more log files.
- Moving mailbox stores to different disks, and mailboxes into different stores.

In Exchange 2003 Standard w/ SP2, you can have a single mailbox store of up to 75GB. In the Enterprise version you can have up to 20 stores which, I think, can each be up to 8TB in size. Wow.

There's also something called circular logging which prevents Exchange from saving zillions of log files and thereby chewing up your disk space. The downside of enabling this is that it somehow reduces your disaster recovery options and requires that you regularly run a full backup of your stores. Of course, you can also keep logging enabled and do frequent backups & the backups will automatically delete the log files. So, there's little value in using circular logging.

The two database files, the .edb and .stm files have something to do with MAPI (i.e. "Outlook") and non-MAPI clients (i.e. everything else), but I'm not quite sure what.

Haven't figured out what an X400 address is, but one site says that you can't disable it.

Deleted items retention - it's a great feature. I've used it on two occasions to make people very happy. In one case, a user accidentally deleted her items. On the other occasion, an employee was terminated (but her user account was left enabled) and she logged in from home to delete emails via OWA. We recovered those emails, but what if the employee had known about DIRT (deleted items retention time) and what if the employee had purged those messages via OWA? We would've had to do a restore from backup...and that would've been very time-consuming ('cause so far, I've never restored an Exchange backup!). Microsoft tells how to hide the relevant command in Outlook via GP, but that won't help w/ OWA. There's a helpful post about this general topic at Experts-Exchange.


Exchange 3

Learned about recipient policies this evening. You can set the format (e.g. first.last) and suffix of email addresses for all (or just a subset) of your users.

Dynamically updated groups let people email everyone in Active Directory who is in a specific department or who has a middle initial of "J". This is for distribution groups whose membership changes frequently.


70-620 - Passed!

I passed the Vista exam (70-620) today.