Thursday, July 17, 2014

Migrating Blog

I will be migrating this blog to my personal web space at http://www.emerickcc.com in the near future. Blogger just doesn't give me the tools to present a well-written blog. I WANT CODE BLOCKS DAMNIT. So I will leave this account intact in case someone stumbles on it, but I will be migrating the posts and future content to my website.

I will make a post here when the move has been completed.

Thanks,
Z

Deleting Roaming User Profiles Batch Script

PREFACE


Sorry for the lapse in posts as of late. We're gearing up for a new school year and I've been a bit busy. It turns out this blog doesn't get an amazing number of views a day, but it gets enough for me to know that it might be helping someone. I write these posts because I've always found myself having a unique issue that most forums do not answer specifically, so most of my posts are for specific issues rather than covering a broad subject.

With that said, I have a batch script that I wrote today to clean up my file server. It's very rudimentary, so bear with me.

INTRO


In the education environment you have children who leave the system every year. It's amazing what a child can rack up in terms of roaming data over the course of a year. We use roaming profiles and folder redirection here for the students' data, so every year our servers get loaded with tens of thousands of files. Every year I used to go through the folders, adjust permissions and delete, which, as you can imagine, became quite the pain.

We also use this server for backing up workstations when we need to update them to a new operating system or just refresh the computer. We don't erase any data from the backups until the end of the year, just in case. This can also add up to hundreds of gigabytes of data and tens of thousands of files.

ISSUE

The issue with this was simple but tedious. The folder redirection and backups were an easy solution: just write a script to delete the folder, because there are no special permissions preventing administrators from doing so. The user profile folders are a different story altogether. Their permissions (at least in my case) seem to be hit or miss. I'll explain that in a minute.

SOLUTION

By default, the permissions set on roaming profiles make the user of the profile the owner as well. This means even the highest-level administrator in the enterprise cannot delete the folder without first taking ownership of it. I needed to take ownership of each folder where the profiles are located.

<EDIT> Some people will say to just set the GPO in Active Directory "Add the Administrators security group to roaming user profiles". That is correct, and I have done that, but for whatever reason it doesn't always get applied (the setting only affects profiles created after it takes effect, which is one reason existing folders behave inconsistently): some folders will delete just fine and others will not. Again, a specific answer for a specific problem. </EDIT>

I saw some PowerShell scripts out there, but they kept failing at different parts. They also did not do exactly what I needed them to do (which is why I started this blog). I'm more versed in the old ninja style of command prompts and batch files.

The first thing we must do is to take ownership of the folder structure. So if we have a folder structure like so:

Folder1
|----Folder2
|--------File1
|--------File2

We need to take ownership of Folder1 all the way down to File2. This is a recursive operation, and luckily Windows ships a tool made for exactly that.

TAKEOWN : this program is specifically made to take, forcefully or not, ownership of a folder, file, or folder structure.
Here is the syntax:

takeown /f <PATH> /r /d y

The /f switch specifies a file or directory pattern.
The /r switch specifies whether to be recursive or not.
The /d switch specifies the default answer when confirming the operation.

*NOTE for the /d switch* Default answer used when the current user does not have the "list folder" permission on a directory.  This occurs while operating recursively (/R) on sub-directories. Valid values "Y" to take ownership or "N" to skip.

Takeown will recursively travel through your folder structure, taking ownership of everything in it, provided that your account has the right to take ownership.

The next step is to adjust the permissions on the files in the folder structure.

ICACLS : this program can recursively travel a folder structure and adjust permissions in a very simple or complex way. I used the very simple way because I'm just looking to delete these files to free up space.
Here is the syntax:

icacls <PATH> /grant Administrator:F /t /c

The /grant switch grants permissions to the user you specify.
Administrator:F says that you want to grant the user Administrator full control (F) of each folder and file.
The /t switch indicates that this operation is performed on all matching files/directories below the directories specified in the name. (Recursive, for my use.)
The /c switch says to continue even if there is an error. This is a must on large folder structures. If you do not use this switch it could fail on file 5,000 and you'd have to start the process all over.
You can also use the /q switch, which suppresses success messages (icacls has no /s switch).

These processes, especially the take-ownership step, will take a very LONG time. It took me around 15 minutes (estimating) to run through about 10 GB of data.

The next step is just to delete the folder structure. I wanted this step automated as well so I added more to my script.

del /q C:\PATH\*
for /d %%x in (c:\PATH\*) do @rd /s /q ^"%%x^"

The del line deletes any files in the top level of PATH.
The for line runs through every folder and its subfolders, deletes every file in the tree, and works backwards until the folder tree is deleted.

This will not delete the top level folder by design. The top level folder in my environment needed to stay intact to keep permissions consistent.

Below is my whole script. Copy it into a text file and save it as filename.cmd.

------------------------------------- Start below this line -----------------------------------
@echo off
rem Cleans out roaming profiles, folder redirection data and workstation backups.
rem Replace each C:\PATH below with the real folder. The top-level folders are kept.
Echo --------------------------------------------------------
echo *                                                      *
echo *                                                      *
echo * This process will take quite some time.              *
echo * This process will clean the server's stored roaming  *
echo * profiles, student folder redirection files, and all  *
echo * computer backup files.                               *
echo *                                                      *
echo --------------------------------------------------------
echo *                                                      *
echo *                                                      *
echo * !!!!!!!!!!!! PROCEED WITH EXTREME CAUTION !!!!!!!!!! *
echo *                                                      *
echo * This process will remove all permissions from user   *
echo * profiles. The data will be permanently removed by    *
echo * this process.                                        *
echo --------------------------------------------------------
echo +
echo +
pause
Echo --------------------------------------------------------
echo *                                                      *
echo * Taking ownership of E:\LAUserProfile$                *
echo * This will take a very long time.                     *
echo *                                                      *
echo --------------------------------------------------------
rem /r recurses; /d y answers Yes wherever this account lacks "list folder" rights.
rem Without /a, takeown makes the current user the owner; /a would use the Administrators group.
takeown /f C:\PATH /r /d y
rem Grant the Administrator account full control on every item (/t) and keep going on errors (/c).
icacls C:\PATH /grant Administrator:F /t /c
echo ++ DONE ++
echo ++++++++++
echo --------------------------------------------------------
echo *                                                      *
echo * Removing Student Folder Redirection files            *
echo * This will not take a very long time.                 *
echo *                                                      *
echo --------------------------------------------------------
rem Delete the top-level files, then each subfolder tree; the top-level folder itself stays.
del /q C:\PATH\*
for /d %%x in (C:\PATH\*) do @rd /s /q ^"%%x^"
echo ++ DONE ++
echo ++++++++++
echo --------------------------------------------------------
echo *                                                      *
echo * Removing Student User Profiles                       *
echo * This can take several minutes                        *
echo *                                                      *
echo --------------------------------------------------------
del /q C:\PATH\*
for /d %%x in (C:\PATH\*) do @rd /s /q ^"%%x^"
echo ++ DONE ++
echo ++++++++++
echo --------------------------------------------------------
echo *                                                      *
echo * Removing Computer backups from e:\Transfer\Backups   *
echo * This can take several minutes depending on size      *
echo *                                                      *
echo --------------------------------------------------------
del /q C:\PATH\*
for /d %%x in (C:\PATH\*) do @rd /s /q ^"%%x^"
echo ++ DONE ++
echo ++++++++++
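For anyone who would rather run the same takeown, icacls and delete sequence from PowerShell, here is an added example. It is not the script from this post; it is a wrapper I wrote around the same three steps, with a dry-run switch (-WhatIf) so you can see what would be deleted before anything is touched, a log file, a refusal to operate on a drive root, and the grant made to the built-in Administrators group by its well-known SID rather than to one account named "Administrator". It assumes an elevated prompt run as a local administrator, and the -Root paths and log path are placeholders.

```powershell
# Added example, not the blog author's script: a PowerShell wrapper around the
# same takeown -> icacls -> delete sequence, with a dry run (-WhatIf) and a log.
# Assumptions: run from an elevated prompt as a member of the local Administrators
# group; the -Root paths are placeholders for your own profile/backup folders.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [string[]]$Root,                                   # e.g. 'E:\LAUserProfile$'
    [string]$LogFile = "$env:TEMP\profile-cleanup.log"
)

function Write-Log {
    param([string]$Message)
    $line = '{0:s} {1}' -f (Get-Date), $Message
    Add-Content -LiteralPath $LogFile -Value $line
    Write-Host $line
}

# BUILTIN\Administrators by its well-known SID, so the grant works on any
# language of Windows and does not hinge on one account named "Administrator".
$AdminsSid = '*S-1-5-32-544'

foreach ($Path in $Root) {
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        Write-Log "SKIP: $Path does not exist or is not a directory"
        continue
    }
    # Refuse a drive root: the script empties whatever it is pointed at.
    if ([string]::IsNullOrEmpty((Split-Path -Path $Path -Parent))) {
        Write-Log "REFUSED: $Path is a drive root"
        continue
    }

    if ($PSCmdlet.ShouldProcess($Path, 'takeown /a and icacls grant Administrators:F')) {
        Write-Log "Taking ownership of $Path (recursive, default answer Y); this is the slow step"
        # /a gives ownership to the Administrators group instead of the current user;
        # /d y answers Yes wherever the caller lacks "list folder" on a subfolder.
        & takeown.exe /f $Path /r /d y /a | Out-Null
        Write-Log "takeown exit code $LASTEXITCODE"

        # /t recurse, /c continue past errors, /q suppress per-file success lines.
        & icacls.exe $Path /grant "${AdminsSid}:F" /t /c /q | Out-Null
        Write-Log "icacls exit code $LASTEXITCODE"
    }

    # Delete the contents but keep the top-level folder, as the batch script does,
    # so the share's own permissions stay in place for next year.
    foreach ($Child in Get-ChildItem -LiteralPath $Path -Force) {
        if ($PSCmdlet.ShouldProcess($Child.FullName, 'Remove')) {
            try {
                Remove-Item -LiteralPath $Child.FullName -Recurse -Force -ErrorAction Stop
                Write-Log "REMOVED: $($Child.FullName)"
            } catch {
                Write-Log "FAILED: $($Child.FullName) - $($_.Exception.Message)"
            }
        }
    }
}
Write-Log 'Done.'
```

Save it as, say, Clear-ProfileShare.ps1 and run it first with -WhatIf (for example .\Clear-ProfileShare.ps1 -Root 'E:\LAUserProfile$','E:\Transfer\Backups' -WhatIf) to get a list of what would be removed; run it again without -WhatIf to do the work. Each failed delete is logged and skipped rather than aborting the run, which is the same reason the batch script passes /c to icacls.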

Tuesday, June 10, 2014

HP MSM760 guest access setup without NAT, using an external DHCP server.

Two years ago we installed two MSM760 Mobility Controllers as a team across two locations. We have one SSID for employees, one for guests, and another for the IT staff. This was all installed as part of a major overhaul we did to two of our locations: a complete infrastructure overhaul, from the ports on the wall to the core switch.

Initial Setup

Controller 1
Internet Port - 192.168.10.2 - SM 255.255.255.248
LAN Port - 10.24.32.235 - SM 255.255.248.0

Controller 2
Internet Port - 192.168.10.3 - SM 255.255.255.248

Firewall
Int 5 - 192.168.10.1 - SM 255.255.255.248

Core Switch
VLAN 5 - non-routable, no IP address. Untagged on A7 and A8, which are the controller's internet port and int 5 of the firewall, respectively. It's also tagged on our interior network.

vlan 1
   name "DEFAULT_VLAN"
   untagged A1-A6,A9-A22,B1-B8
   ip address <CORE SWITCH IP>
   no untagged A7-A8
   ip igmp
   exit
vlan 5
   name "GuestWireless"
   untagged A7-A8
   tagged A18,B4
   no ip address
   ip igmp
   exit


Initial Issues

The biggest issue I had was that the guest network was set up with NAT, which is fine in a lot of cases where you don't need total visibility into the guest network. Basically, all the guest devices would get an IP from my DHCP server, and the addresses were NAT'd at the controller before being dumped off into a VLAN and finally to my firewall. So all guest devices looked like one IP address to the firewall.

This presents two issues:
  1. My firewall only saw one IP address for all of my guest traffic because of NAT.
  2. Because of issue 1 I could not diagnose a lot of issues with the guest network because there was no visibility.

Plan

My plan was to disable NAT so my firewall would see each Guest device as an individual IP address. This would give me the visibility I wanted.

Solution

First I needed to make the required changes on controller 1. Since they're teamed, no changes were needed on the 2nd controller. *NOTE* It's been recommended to me that you adjust the internet port IP to match your master controller's subnet or you could run into issues.

For the Guest VSC I needed to change the DHCP relay agent from "Use the following server" to "Forward to egress interface". Below are the before and after screens.

BEFORE [screenshot]

After [screenshot]

What this does is forward all DHCP requests for this VSC out of the internet port of the controller(s).

Next I needed to disable NAT on the internet port. You can find that under Controllers > Network > IP interfaces > Internet Port. Just uncheck the box.

Next I needed to set the Internet Port IP address inside the range of IPs I would like to hand out. I chose 172.16.0.1/22, since the scope was already set up for my previous configuration. You can find the appropriate settings under Controllers > Network > IP Interfaces > Internet Port.

Next I set a route for the guest traffic to the firewall. You can find routes under Team > Network > IP Routes. I set a route for all 172.16.0.0/22 traffic via 172.16.0.2/22 (the firewall), which we'll configure in a moment.

The final thing I had to configure on the controller was Address Allocation. This stumped me for a while until I read the manual. You can find it under Team > Network > Address Allocation. Since a pair of controllers in a team cannot function as a DHCP server, you must use the Address Allocation tab to specify the server you'd like to handle your DHCP requests. You must also check the box "Extend VSC egress subnet to VSC ingress". This is the explanation from the HP text:

Extend VSC egress subnet to VSC ingress subnet
When enabled, the MSM760 will alter the DHCP address requests from client stations so that they appear to originate from the network assigned to the VSC egress. This will cause the DHCP server to assign IP addresses on this network to all client stations. The MSM760 handles all mapping between the two subnets internally.
For L2 connected APs operating in controlled mode:
- Enable the Client data tunnel option under Settings. (If teaming is active, the client data tunnel is automatically used.)
- Enable the Always tunnel client traffic option on the VSC profile page under Virtual AP > Client data tunnel.
 
In simpler terms: whatever subnet you set on the internet port is the subnet that the clients are going to get IP addresses from. Same concept as ip helper-address on HP switches.

*NOTE* From the HP text: DHCP relay cannot work via the internet port. If you want to use DHCP you MUST use the "Extend VSC Egress..." checkbox. The primary and secondary server address boxes can be left blank; they're ignored if the checkbox is ticked.

That finishes the setup on the controllers.


The next part will vary with your configuration, as most people don't use the same firewall. I'm using a WatchGuard 5 series running v11.9 (the latest at this time).

The first thing I had to do was change the IP and subnet of my previous guest interface. I noted above that it was 192.168.10.1. Now that I'm not using NAT and my controller is in the 172.16.0.1/22 subnet, I'd like to use that, so I set the IP to 172.16.0.2/22 (which we set as the default route on the controller earlier).

Next I had to decide how to handle DHCP. As it sits right now, all DHCP requests are being forwarded out my controller's internet port, hitting my core switch, then hitting my firewall. So I set up a DHCP relay agent on my firewall to forward the requests on to my external DHCP servers.

Next I added a route on the firewall for 172.16.0.0/22 via 10.24.xxx.xxx (my core switch).

In my case I needed NAT at the firewall, so I set up a NAT translation for the network.

This is all that is required on the firewall (at least in my case).

Make sure you have a route on your core switch similar to this:

ip route 172.16.0.1 255.255.255.255 <CONTROLLER MGMT INTERFACE>

This makes sure all guest traffic is sent through the controller before traveling anywhere else, which matters especially if you have a routable VLAN. I advise against using one unless you have well-built ACLs in place on your switches.

Thursday, May 22, 2014

DISM An error occurred while attempting to start the servicing process for the image.

This is an issue I've had a few times, and when you look around on the forums you see multiple answers. I found the right one on an obscure forum that I can't think of right now. The quick answer is this:

Use the correct version of DISM to service the image. They must be in the same "generation".

For Windows 8.1 and Windows Server 2012 R2 this version is : 6.3.9600.16384

For Windows 8 and Windows Server 2012 and below this version is : 6.2.9200.16384

Background and Setup:

I have a Windows Server 2012 box running System Center Configuration Manager 2012 R2. We are in the process of switching our primary OS for new systems to Windows 8.1 Enterprise x64. As I build my images the old-fashioned way, I tend to forget a few things from time to time. In this case I built the image without installing the .NET feature. The instructions to do that are here: http://technet.microsoft.com/en-us/library/dn482069.aspx

So I'm following the instructions to get a refresher on the procedure and I hit this error:

[Screenshot of the DISM error]

and the corresponding log file:

[Screenshot of the log file]
After googling a bit I found little to nothing about what this error even means. I get the idea of the error: DISM cannot service the image, but why?

Solution:

I had a moment of clarity and realized that my host OS is a version lower than the version of the image I'm servicing. Even though the newest version of the ADK (8.1) is installed on the host machine, it's not using the newer version of DISM. My PATH variable is set to run DISM from:

C:\Windows\System32\dism.exe (version 6.2.9200.16384)

instead of

C:\Program Files (x86)\Windows Kits\8.1\Assessment and Deployment Kit\Deployment Tools\amd64\DISM (version 6.3.9600.16384)

When I put the full path of the newer version in the command, the image installed the features requested. Below is a screenshot of the correct path and command.

[Screenshot of the correct DISM path and command]

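Since the whole problem is which dism.exe PATH resolves first, here is an added PowerShell example (mine, not from this post) that reads the version of each DISM on the host, reads the image's version out of "dism /Get-WimInfo", and picks a matching binary by full path. It assumes the two DISM locations named above (System32 and the ADK 8.1 folder), and that /Get-WimInfo prints a "Version : major.minor.build" line for the selected index. The post's rule is "same generation"; the selector follows that by matching major.minor, and also accepts a newer DISM than the image, which is the direction that works in practice. The WIM path in the usage comment is a placeholder.

```powershell
# Added example, not from the post: choose the dism.exe whose generation matches
# the image being serviced, instead of trusting whichever one PATH finds first.
# Assumptions: the two DISM locations are the ones named in the post (System32 and
# the ADK 8.1 folder); the image version is parsed from "dism /Get-WimInfo" output,
# which prints a "Version : <major.minor.build>" line for the selected index.

$DismCandidates = @(
    "$env:SystemRoot\System32\dism.exe",
    'C:\Program Files (x86)\Windows Kits\8.1\Assessment and Deployment Kit\Deployment Tools\amd64\DISM\dism.exe'
)

function Get-DismVersions {
    # Path and file version of every candidate that exists on this host.
    foreach ($p in $DismCandidates) {
        if (Test-Path -LiteralPath $p) {
            $vi = (Get-Item -LiteralPath $p).VersionInfo
            # FileVersion is a free-text string (it may carry a build tag); use the numeric parts.
            $ver = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
            [pscustomobject]@{ Path = $p; Version = $ver }
        }
    }
}

function Get-ImageVersion {
    param(
        [Parameter(Mandatory = $true)][string]$WimFile,
        [int]$Index = 1,
        [string]$Dism = "$env:SystemRoot\System32\dism.exe"
    )
    # Reading WIM metadata works with any DISM; only servicing needs the matching one.
    $out = & $Dism /Get-WimInfo "/WimFile:$WimFile" "/Index:$Index" 2>&1
    foreach ($line in $out) {
        if ("$line" -match '^\s*Version\s*:\s*(\d+\.\d+\.\d+)') { return [version]$Matches[1] }
    }
    throw "Could not read the image version from DISM output for $WimFile"
}

function Select-DismForImage {
    param([Parameter(Mandatory = $true)][version]$ImageVersion)
    # Same generation = same major.minor (6.3 = Windows 8.1 / 2012 R2, 6.2 = Windows 8 / 2012).
    # A newer DISM may also service an older image, so accept >= and prefer the closest match.
    $ok = Get-DismVersions |
        Where-Object {
            $_.Version.Major -gt $ImageVersion.Major -or
            ($_.Version.Major -eq $ImageVersion.Major -and $_.Version.Minor -ge $ImageVersion.Minor)
        } |
        Sort-Object -Property Version
    if (-not $ok) { throw "No DISM on this host is as new as image version $ImageVersion" }
    return @($ok)[0].Path
}

# Usage (the WIM path is a placeholder):
# $v    = Get-ImageVersion -WimFile 'D:\Images\Win81Ent.wim' -Index 1
# $dism = Select-DismForImage -ImageVersion $v
# & $dism /Get-WimInfo "/WimFile:D:\Images\Win81Ent.wim"   # then mount and service with $dism
```

On the host described in this post, Get-DismVersions returns the 6.2.9200 System32 copy and the 6.3.9600 ADK copy, and Select-DismForImage returns the ADK path for a Windows 8.1 image; calling that full path is exactly the fix the post arrives at, minus the guesswork.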
Wednesday, April 30, 2014

SCCM 2012 R2 "Machine does not meet OSD capture requirements. Capture cannot continue."

During a "Build and Capture" task sequence you may run into this error. I ran into it a few times before, and I always had to refer back to my older task sequences to figure it out. It's a very simple fix, but I seem to overlook it every time. You will see this in your SMSTS.log:

[Screenshot of SMSTS.log]
This means that the computer is part of a domain. You can't capture a machine if it's part of a domain. My task sequence was like this:

[Screenshot of the task sequence]
As you can see, this is a very simple task sequence. It just captures my built machine and stores it on my distribution point. I don't like the "Build and Capture" style task sequence; this way offers me far more flexibility, in my opinion. It's just far less automated.

To fix the issue you simply need to add a 'Join Domain or Workgroup' step before everything else, so your task sequence will look like this:

[Screenshot of the task sequence with the Join Domain or Workgroup step]
The next screenshot shows a successful join to the workgroup.

[Screenshot of the workgroup join]

The next screenshot shows the part of the task sequence that failed before. You'll notice the line "Local Machine is not part of a domain."

[Screenshot of the previously failing step]

All done. A simple fix for a simple problem.

Thursday, April 24, 2014

Configuring WSUS for your clients.

Today I got a call from a friend who was setting up WSUS on Windows Server 2012. He got WSUS set up, but the clients were not checking in. After talking on the phone with him for a bit, he told me he had not set anything up on the client side yet.

Here are the steps to set up your clients via GPO, taken from http://technet.microsoft.com/en-us/library/cc720539(v=ws.10).aspx


  1. In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
  2. In the details pane, click Specify Intranet Microsoft update service location.
  3. Click Enabled and type the HTTP(S) URL of the same WSUS server in the Set the intranet update service for detecting updates box and in the Set the intranet statistics server box. For example, type http(s)://servername in both boxes.
  4. Click OK.

This is great in most cases, but to my knowledge WSUS on Windows Server 2003 through 2008 R2 uses port 80 as the default port for WSUS synchronization, while on Windows Server 2012 the defaults are 8530 and 8531 for SSL.

<edit>
http://technet.microsoft.com/en-us/library/hh852346.aspx
• On WSUS 3.2 and earlier, port 80 for HTTP and 443 for HTTPS
• On WSUS 6.2 and later (at least Windows Server 2012), port 8530 for HTTP and 8531 for HTTPS
</edit>

So to make the adjustment you must specify the port in TechNet step 3, so it looks like this: http(s)://servername:port

After this you can run wuauclt.exe /detectnow on the client machine to detect the WSUS server and start reporting. The process can take 10 minutes or more. Sometimes a simple reboot of the client will force a detection.

After my friend made the appropriate changes (adding the port number in the GPO) and rebooted the client, the computers started reporting.
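To check a client for exactly this mistake without opening the GPO editor, here is an added PowerShell example (mine, not from this post). It reads the WUServer and WUStatusServer values the "Specify intranet Microsoft update service location" setting writes under the WindowsUpdate policy key, checks that each URL carries the port for the server's WSUS generation (80/443 for WSUS 3.2 and earlier, 8530/8531 for WSUS 6.2 and later), warns if the URL has no port at all, and then triggers the same wuauclt /detectnow the post uses. It assumes the standard policy registry location; the generation you pass is your own choice.

```powershell
# Added example, not from the post: read the Windows Update policy the GPO wrote on
# a client and check that the WSUS URLs carry the port for the server's generation
# (80/443 for WSUS 3.2 and earlier, 8530/8531 for WSUS 6.2 and later).
# Assumption: the policy lives under the standard WindowsUpdate policy key that the
# "Specify intranet Microsoft update service location" setting writes to.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WsusClientPolicy {
    # Returns the configured URLs, or $null if the GPO has not applied on this client yet.
    if (-not (Test-Path -Path $PolicyKey)) { return $null }
    $p  = Get-ItemProperty -Path $PolicyKey
    $au = Get-ItemProperty -Path "$PolicyKey\AU" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer       = $p.WUServer
        WUStatusServer = $p.WUStatusServer
        UseWUServer    = [int]$au.UseWUServer
    }
}

function Test-WsusUrl {
    param(
        [Parameter(Mandatory = $true)][string]$Url,
        [ValidateSet('Legacy', 'Modern')][string]$Generation = 'Modern'
    )
    # Legacy = WSUS 3.2 and earlier; Modern = WSUS 6.2 and later (Windows Server 2012+).
    $expected = if ($Generation -eq 'Legacy') { @{ http = 80; https = 443 } } else { @{ http = 8530; https = 8531 } }
    try { $u = [uri]$Url } catch { return "'$Url' is not a valid URL" }
    if ($u.Scheme -notin @('http', 'https')) { return "'$Url' must use http or https" }
    # [uri].Port falls back to the scheme default (80/443) when no port is written,
    # which is exactly the case that leaves a 2012 WSUS server unreachable.
    if ($u.Port -ne $expected[$u.Scheme]) {
        return ('{0} uses port {1}; a {2} WSUS server listens on {3} for {4}' -f
            $Url, $u.Port, $Generation, $expected[$u.Scheme], $u.Scheme)
    }
    return $null   # no problem found
}

function Invoke-WsusClientCheck {
    param([ValidateSet('Legacy', 'Modern')][string]$Generation = 'Modern')
    $pol = Get-WsusClientPolicy
    if (-not $pol) {
        Write-Warning "No WSUS policy under $PolicyKey yet; run gpupdate /force and check again"
        return
    }
    if ($pol.UseWUServer -ne 1) {
        Write-Warning 'UseWUServer is not 1; the client will keep using Microsoft Update'
    }
    foreach ($name in 'WUServer', 'WUStatusServer') {
        if (-not $pol.$name) { Write-Warning "${name} is not set"; continue }
        $problem = Test-WsusUrl -Url $pol.$name -Generation $Generation
        if ($problem) { Write-Warning "${name}: $problem" } else { Write-Host "${name}: $($pol.$name) OK" }
    }
    # The same trigger the post uses; expect reporting to lag by ten minutes or more.
    & wuauclt.exe /detectnow
}

# Usage on a client that should point at a Windows Server 2012 WSUS server:
# Invoke-WsusClientCheck -Generation Modern
```

With the GPO from the TechNet steps and no port, Test-WsusUrl reports that http://servername uses port 80 while a Modern server listens on 8530, which is the exact condition my friend hit; once the GPO carries :8530 the check passes and the detect cycle is kicked off.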

Optiplex 380 STOP Error: NMI Parity Check/Memory Parity Error

I received a support ticket today from one of our schools saying they had a strange error coming up. I asked the usual questions like did you reboot, what color is the screen, etc. She said it was the BSOD, but it looked different. After going to take a look at the machine I saw the error and I hard-rebooted it, only to see this error:

[Screenshot of the NMI Parity Check/Memory Parity Error]
At first I figured this was a memory error, but it was not. After I removed each stick of RAM one by one, the error persisted. After a bit of googling I ran across this article: http://www.dell.com/support/troubleshooting/bz/en/bzdhs1/KCS/KcsArticles/ArticleView?c=bz&l=en&s=dhs&docid=604790

This says it's a NIC issue and you can fix it by uninstalling the old driver and reinstalling. This, however, was not the case. The NIC was failing at POST, far too soon for a driver to be the issue. I also updated the BIOS to A07 (it was on A01). This did nothing as well.

I resolved the issue by adding a NIC into the machine and completely disabling the onboard NIC.