A list of System Center Virtual Machine Manager 2008 R2 warnings and errors, and their (possible) explanations/resolutions

Warning/Error number: 10696
VMM Description: The host network adapter does not support the specified virtual network adapter configuration.
VMM Recommended action: Select a host network adapter that supports this configuration.
Possible cause/Resolution: Remove the check mark for Enable virtual network optimizations on the virtual network adapter in the Hardware Configuration tab of the virtual machine.

Windows and Extension mechanisms for DNS (EDNS)

Introduction

RFC 2671 defines the Extension mechanisms for DNS (EDNS), also known as EDNS0. EDNS is a specification for expanding the size of several parameters of the Domain Name System (DNS) protocol. More info about EDNS here. As of Windows Server 2008 R2, the Windows DNS service uses EDNS in its queries to other DNS servers. Because of the way EDNS works, this should not present a problem: EDNS only adds data (an OPT pseudo-record) to the end of a DNS packet, and any server not supporting EDNS should simply ignore those extra bytes and process the first 512 bytes as a regular DNS packet. Unfortunately this is not always so. In some cases, for reasons I cannot explain, DNS servers reject an EDNS packet or return an error when they receive one. This could be because the receiving DNS server has some intrusion-detection or packet-filtering functionality in place that rejects a packet longer than 512 bytes, or because it implements the EDNS specification only partially. Whichever it is, this presents a problem. The best way to fix it is to update the offending DNS server; this should be easy to do and solves the problem for everybody. If that is not possible, you have to disable the EDNS functionality on the Windows DNS servers. To do this you use dnscmd.exe.

To see if EDNS is active on your DNS server:

dnscmd.exe /info /EnableEdnsProbes

If this returns 1 EDNS is active.

To disable EDNS on your DNS server:

dnscmd.exe <servername> /Config /EnableEDNSProbes 0

More information

  • The answer received from a non-compliant DNS server when queried using EDNS could generate event 5504 in the DNS log of the Windows DNS server that sent the query. This is an example:
    Message : The DNS server encountered an invalid domain name in a packet from <IP address of DNS server>. The packet will be rejected. The event data contains the DNS packet.
  • It seems that a Windows DNS server upgraded to Windows Server 2008 R2 retains its original settings and does not use EDNS unless specifically configured to do so.
  • A network trace can reveal if a DNS query uses EDNS. This example is from Wireshark:

    Notice the Type: OPT (EDNS0 option). This means the DNS packet uses EDNS. A packet that does not use EDNS will not have any Additional records.

  • Firewalls may sometimes interfere with EDNS packets. The original DNS specification sets a limit of 512 bytes on a DNS packet. If a firewall encounters a DNS packet that is longer than 512 bytes (which would be an EDNS packet) it may block it, causing DNS resolution to fail.
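    To make the Wireshark observation above concrete, here is an added example (not part of the original post, and not Microsoft code) that builds a constructed DNS query with and without an EDNS OPT record, answers it, and then parses the message the way a trace tool does: walk the question, answer and authority sections, and look in the Additional section for a record of TYPE 41 (OPT). It also reports whether the message itself is over the classic 512-byte limit and whether the OPT record advertises a UDP payload size above 512 bytes, which is what makes a firewall with the old limit a problem even when the query is small. All names, addresses and sizes are constructed.

```python
import struct
from typing import Optional

TYPE_A = 1
TYPE_OPT = 41              # EDNS0 OPT pseudo-RR (RFC 2671)
CLASS_IN = 1
CLASSIC_UDP_LIMIT = 512    # RFC 1035 maximum UDP DNS message size


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname: str, txn_id: int = 0x1234, edns_payload: Optional[int] = None) -> bytes:
    """Constructed A query; when edns_payload is set an OPT RR advertising that UDP size is appended."""
    arcount = 1 if edns_payload is not None else 0
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, arcount)   # flags: RD=1
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    packet = header + question
    if edns_payload is not None:
        # OPT RR: root owner name, TYPE=41, CLASS=sender's UDP payload size,
        # TTL=extended RCODE/version/flags (all zero here), RDLENGTH=0
        packet += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_payload, 0, 0)
    return packet


def build_response(query: bytes, ipv4: str) -> bytes:
    """Constructed reply to build_query(): one A record, echoing the query's OPT RR if present."""
    txn_id, _, qd, _, _, ar = struct.unpack_from("!HHHHHH", query, 0)
    qend = skip_name(query, 12) + 4
    header = struct.pack("!HHHHHH", txn_id, 0x8180, qd, 1, 0, ar)       # QR=1 RD=1 RA=1
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    # 0xC00C is a compression pointer back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, len(rdata)) + rdata
    return header + query[12:qend] + answer + query[qend:]


def skip_name(packet: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = packet[offset]
        if length == 0:
            return offset + 1
        if (length & 0xC0) == 0xC0:      # compression pointer terminates the name
            return offset + 2
        offset += 1 + length


def skip_rr(packet: bytes, offset: int):
    """Return (type, class, ttl, offset past this resource record)."""
    offset = skip_name(packet, offset)
    rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", packet, offset)
    return rtype, rclass, ttl, offset + 10 + rdlen


def inspect_edns(packet: bytes) -> dict:
    """Report whether a DNS message carries an OPT RR in its Additional section."""
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", packet, 0)
    offset = 12
    for _ in range(qd):
        offset = skip_name(packet, offset) + 4          # QTYPE + QCLASS
    for _ in range(an + ns):
        _, _, _, offset = skip_rr(packet, offset)
    info = {"edns": False, "udp_payload": None, "edns_version": None,
            "additional_records": ar, "length": len(packet),
            "exceeds_512": len(packet) > CLASSIC_UDP_LIMIT,
            "advertises_over_512": False}
    for _ in range(ar):
        rtype, rclass, ttl, offset = skip_rr(packet, offset)
        if rtype == TYPE_OPT:
            info["edns"] = True
            info["udp_payload"] = rclass                # OPT reuses the CLASS field for the payload size
            info["edns_version"] = (ttl >> 16) & 0xFF   # OPT reuses the TTL field for ext-RCODE/version/flags
            info["advertises_over_512"] = rclass > CLASSIC_UDP_LIMIT
    return info


if __name__ == "__main__":
    for payload in (None, 4096):
        q = build_query("www.example.com", edns_payload=payload)
        print("query:", inspect_edns(q))
        print("reply:", inspect_edns(build_response(q, "192.0.2.10")))
```

    Feed inspect_edns() the raw UDP payload from a capture and you get the same answer Wireshark gives: an Additional section containing an OPT record means EDNS is in use. A server or firewall that cannot cope with it will typically answer with FORMERR or drop the packet, which is what the event 5504 symptom above looks like from the Windows side.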

In conclusion

The EDNS draft was first published in 1999, and for good reason. DNS is one of the cornerstones of the Internet and we really need the functionality provided by EDNS (DNSSEC, for instance, requires EDNS to work). In my mind there is no reason why anyone should not support it, be it DNS servers or firewalls. Microsoft should not be blamed for turning on functionality that we have had almost 10 years to implement.

Links

Hyper-V Backup tip

KB article 958662 explains how to use Windows Server Backup, the new backup software included with Windows Server 2008 and Windows Server 2008 R2, to back up Hyper-V virtual machines. The article walks you through creating a new Registry value to enable support for the Volume Shadow Copy Service (VSS) writer for Hyper-V. I have put together a command line that does it for you; just copy, paste and run it on your server.

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WindowsServerBackup\Application Support\{66841CD4-6DED-4F4B-8F17-FD23F8DDC3DE}" /v "Application Identifier" /d Hyper-V /t REG_SZ

To verify that the key was created successfully you can use vssadmin.exe:

vssadmin.exe list writers

If everything is in order the result will include an entry for the Microsoft Hyper-V VSS Writer:

Writer name: ‘Microsoft Hyper-V VSS Writer’
Writer Id: {66841cd4-6ded-4f4b-8f17-fd23f8ddc3de}
Writer Instance Id: {f3358397-0e40-4c97-b845-d9ec930740e6}
State: [1] Stable
Last error: No error

Notice the Writer Id for the provider, which is identical to the one created in the Registry.

More info:

  • KB958662: How to back up Hyper-V virtual machines from the parent partition on a Windows Server 2008-based computer by using Windows Server Backup
  • Vssadmin

Error 0x8024D007 when running Windows Update

A server I was working on refused to let me update it through Windows/Microsoft Update. It would tell me that the computer needed an update before I could update it (!). First it would download some files from the Microsoft Update site, copy them and, finally, try to register them. This last step reached 100 %, but always terminated with the error 0x8024D007.

Process Monitor revealed that regsvr32.exe was called several times and that it failed with an Access Denied error on the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost. Looking at the permissions on that key I saw that the local Administrators group only had Read access. I changed it to Full Control and was able to restore Windows Update functionality.

In my search for a solution this particular scenario never showed up, so maybe this will help someone.

Some notes on the Windows Server 2008 R2 Active Directory Recycle Bin Feature

  • The Enable-ADOptionalFeature cmdlet must be run on the Schema Master DC (if not, you will get the error "A referral was returned from the server")
  • The only valid value for the Scope parameter is ForestOrConfigurationSet; Domain is not valid (if you try, you will get the error "The specified method is not supported")
  • The Forest Functional Level must be Windows Server 2008 R2 mode
  • You must be an Enterprise Admin
  • The process is irreversible; you cannot turn off the Recycle Bin Feature once it is enabled

More info here:

Configuring a Windows Domain Controller to synchronize its clock with an external time source

Kerberos authentication requires correct time on all clients participating in authentication. If the clocks on two machines trying to authenticate to each other are too far apart, Kerberos authentication will fail. Since Kerberos is used extensively in Windows, a mechanism to ensure correct clocks throughout the forest was also implemented. This is the Windows Time Service (w32time), a service which runs on all Windows machines since Windows 2000. The protocol used for synchronizing clocks is the Network Time Protocol (NTP). Every member computer, be it server or workstation, synchronizes its clock with the Domain Controller holding the PDC emulator FSMO role for its domain. The PDC emulator for a domain, in turn, synchronizes with the PDC emulator DC in the forest root domain. The PDC emulator in the root domain, therefore, is authoritative for the time throughout the forest, since all machines will inherit its clock. For this reason the PDC emulator DC in the forest root domain should be configured to obtain exact time from a dependable time server on the Internet. Microsoft has published information about doing this in KB816042. I have created a VBScript which implements the registry changes specified in that article:

' Configures the PDC Emulator in the root of a forest to be an authoritative time server
' and sync time from several NTP time servers on the Internet
' Info gathered from KB816042 How to configure an authoritative time server in
' Windows Server 2003 (http://support.microsoft.com/kb/816042)
'
' On a PDC Emulator the settings changed from the default settings are:
' Type (From NT5DS to NTP)
' AnnounceFlags (From 10 to 5)
' NTPServer (From time.windows.com,0x1 to contents of strTimeServers)
' SpecialPollInterval (From 3600 to 900)
' MaxPosPhaseCorrection (From 4294967295 to 1800)
' MaxNegPhaseCorrection (From 4294967295 to 1800)
'
' A useful command line command is:
' w32tm /config /manualpeerlist:"time-a.nist.gov time-b.nist.gov time.nist.gov time-nw.nist.gov" /syncfromflags:manual /reliable:yes /update
' This command sets AnnounceFlags to 5, NTPServer to the server list and Type to NTP
' Command found here:
' http://technet2.microsoft.com/windowsserver/en/library/ce8890cf-ef46-4931-8e4a-2fc5b4ddb0471033.mspx?mfr=true
'
' A list of the NIST time servers can be found here:
' http://tf.nist.gov/service/time-servers.html
'
' Microsoft's list of (S)NTP servers is here:
' http://support.microsoft.com/kb/262680/en-us

' Registry hive constants used by the StdRegProv WMI provider
const HKEY_CURRENT_USER = &H80000001
const HKEY_LOCAL_MACHINE = &H80000002
strKeyPath = "SYSTEM\CurrentControlSet\Services\W32Time"

' Space-separated peer list; the ,0x1 suffix means "use SpecialPollInterval" for that peer
strTimeServers = "time-a.nist.gov,0x1 time-b.nist.gov,0x1 time-a.timefreq.bldrdoc.gov,0x1 time-b.timefreq.bldrdoc.gov,0x1 time-c.timefreq.bldrdoc.gov,0x1 utcnist.colorado.edu,0x1 time.nist.gov,0x1 time-nw.nist.gov,0x1 nist1.dc.certifiedtime.com,0x1 nist1.datum.com,0x1 nist1.nyc.certifiedtime.com,0x1 nist1.sjc.certifiedtime.com,0x1"
strComputer = "."
Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")

'Change the server type to NTP (KB Step 1)
objReg.SetStringValue HKEY_LOCAL_MACHINE,strKeyPath & "\Parameters","Type","NTP"
'Set AnnounceFlags to 5 (KB Step 2)
objReg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath & "\Config","AnnounceFlags",5
'Enable NTPServer (KB Step 3)
objReg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath & "\TimeProviders\NtpServer","Enabled",1
'Specify the time sources (KB Step 4)
objReg.SetStringValue HKEY_LOCAL_MACHINE,strKeyPath & "\Parameters","NtpServer",strTimeServers
'Select the poll interval (KB Step 5)
objReg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath & "\TimeProviders\NtpClient","SpecialPollInterval",900
'Configure the time correction settings (KB Step 6)
objReg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath & "\Config","MaxPosPhaseCorrection",1800
objReg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath & "\Config","MaxNegPhaseCorrection",1800

' Restart the Windows Time service so it picks up the new settings
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colListOfServices = objWMIService.ExecQuery ("Select * from Win32_Service Where Name ='W32Time'")
For Each objService in colListOfServices
    retVal = objService.StopService()
    If retVal = 0 Then
        'WScript.Echo "Service stopped"
    Else
        WScript.Echo "Service stop failed (" & retVal & ")"
    End If
    WScript.Sleep 5000
    retVal = objService.StartService()
    If retVal = 0 Then
        'WScript.Echo "Service started"
    Else
        WScript.Echo "Service start failed (" & retVal & ")"
    End If
Next

WScript.Echo "Done!"

Below is a comparison of the changes in the registry before and after the changes:

Before

PS C:\Users\administrator> w32tm /query /configuration
[Configuration]

EventLogFlags: 2 (Local)
AnnounceFlags: 10 (Local)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 6 (Local)
MaxPollInterval: 10 (Local)
MaxNegPhaseCorrection: 172800 (Local)
MaxPosPhaseCorrection: 172800 (Local)
MaxAllowedPhaseOffset: 300 (Local)

FrequencyCorrectRate: 4 (Local)
PollAdjustFactor: 5 (Local)
LargePhaseOffset: 50000000 (Local)
SpikeWatchPeriod: 900 (Local)
LocalClockDispersion: 10 (Local)
HoldPeriod: 5 (Local)
PhaseCorrectRate: 7 (Local)
UpdateInterval: 100 (Local)

[TimeProviders]

NtpClient (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
CrossSiteSyncFlags: 2 (Local)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Local)
ResolvePeerBackoffMaxTimes: 7 (Local)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 1 (Local)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 3600 (Local)

Type: NT5DS (Local)

NtpServer (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)
AllowNonstandardModeCombinations: 1 (Local)

VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)

After

PS C:\Users\administrator> w32tm /query /configuration
[Configuration]

EventLogFlags: 2 (Local)
AnnounceFlags: 5 (Local)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 6 (Local)
MaxPollInterval: 10 (Local)
MaxNegPhaseCorrection: 1800 (Local)
MaxPosPhaseCorrection: 1800 (Local)
MaxAllowedPhaseOffset: 300 (Local)

FrequencyCorrectRate: 4 (Local)
PollAdjustFactor: 5 (Local)
LargePhaseOffset: 50000000 (Local)
SpikeWatchPeriod: 900 (Local)
LocalClockDispersion: 10 (Local)
HoldPeriod: 5 (Local)
PhaseCorrectRate: 7 (Local)
UpdateInterval: 100 (Local)

[TimeProviders]

NtpClient (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)

AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Local)
ResolvePeerBackoffMaxTimes: 7 (Local)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 1 (Local)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 900 (Local)
Type: NTP (Local)
NtpServer: time-a.nist.gov,0x1 time-b.nist.gov,0x1 time-a.timefreq.bldrdoc.gov,0x1 time-b.timefreq.bldrdoc.gov,0x1 time-c.timefreq.bldrdoc.gov,0x1 utcnist.colorado.edu,0x1 time.nist.gov,0x1 time-nw.nist.gov,0x1 nist1.dc.certifiedtime.com,0x1 nist1.datum.com,0x1 nist1.nyc.certifiedtime.com,0x1 nist1.sjc.certifiedtime.com,0x1 (Local)

NtpServer (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)
AllowNonstandardModeCombinations: 1 (Local)

VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)

The most notable change is the Type value for the NTP client, which changes from NT5DS to NTP. The Type value is documented here.
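Comparing two of these dumps by eye works once; checking every forest root PDC emulator after a FSMO move or a rebuild is better done by a script. The following is an added example (my own, not from the post or from Microsoft) that parses the text of w32tm /query /configuration into sections and providers, rejoins values the console wrapped over several lines (as NtpServer is above), and then audits the result against the values KB816042 sets on a forest root PDC emulator: Type NTP, AnnounceFlags 5, SpecialPollInterval 900, MaxPos/MaxNegPhaseCorrection 1800 and a manual peer list other than the default time.windows.com. The two sample dumps are constructed, abridged from the before/after output above; EXPECTED_ROOT_PDC is my own name for the check table.

```python
import re

SECTION = re.compile(r"^\[(\w+)\]$")
PROVIDER = re.compile(r"^(\w+) \((?:Local|Policy)\)$")
KEYVAL = re.compile(r"^(\w+): (.*)$")
SOURCE_SUFFIX = re.compile(r"\s*\((?:Local|Policy)\)\s*$")


def parse_w32tm_config(text: str) -> dict:
    """Parse `w32tm /query /configuration` output into {section: {key: value}}; each
    provider under [TimeProviders] becomes its own nested dict. The "(Local)"/"(Policy)"
    source tag is stripped and console-wrapped values are rejoined."""
    config, section, provider = {}, None, None
    pending_key, pending_val = None, ""

    def target() -> dict:
        if section == "TimeProviders" and provider:
            return config.setdefault(section, {}).setdefault(provider, {})
        return config.setdefault(section, {})

    def flush() -> None:
        nonlocal pending_key, pending_val
        if pending_key:
            target()[pending_key] = SOURCE_SUFFIX.sub("", pending_val).strip()
        pending_key, pending_val = None, ""

    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if m := SECTION.match(line):
            flush()
            section, provider = m.group(1), None
        elif m := PROVIDER.match(line):
            flush()
            provider = m.group(1)
        elif m := KEYVAL.match(line):
            flush()
            pending_key, pending_val = m.group(1), m.group(2)
        else:
            # the console wrapped a long value and split a token mid-word: rejoin with no separator
            pending_val += line
    flush()
    return config


# Settings a forest root PDC emulator should show after following KB816042 (assumed check table)
EXPECTED_ROOT_PDC = {
    ("Configuration", "AnnounceFlags"): "5",
    ("Configuration", "MaxPosPhaseCorrection"): "1800",
    ("Configuration", "MaxNegPhaseCorrection"): "1800",
    ("NtpClient", "Type"): "NTP",
    ("NtpClient", "SpecialPollInterval"): "900",
}


def audit_root_pdc(config: dict) -> list:
    """Return one finding per setting that deviates from EXPECTED_ROOT_PDC (empty list = compliant)."""
    providers = config.get("TimeProviders", {})
    findings = []
    for (scope, key), want in EXPECTED_ROOT_PDC.items():
        scope_dict = config.get(scope, {}) if scope == "Configuration" else providers.get(scope, {})
        have = scope_dict.get(key)
        if have != want:
            findings.append(f"{scope}/{key}: expected {want}, found {have}")
    peers = providers.get("NtpClient", {}).get("NtpServer", "")
    if not peers or peers.startswith("time.windows.com"):
        findings.append(f"NtpClient/NtpServer: no manual peer list configured (found {peers!r})")
    return findings


# Constructed samples, abridged from the before/after dumps in the post
BEFORE_SAMPLE = """[Configuration]

EventLogFlags: 2 (Local)
AnnounceFlags: 10 (Local)
MaxNegPhaseCorrection: 172800 (Local)
MaxPosPhaseCorrection: 172800 (Local)

[TimeProviders]

NtpClient (Local)
Enabled: 1 (Local)
SpecialPollInterval: 3600 (Local)
Type: NT5DS (Local)

NtpServer (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)
"""

AFTER_SAMPLE = """[Configuration]

EventLogFlags: 2 (Local)
AnnounceFlags: 5 (Local)
MaxNegPhaseCorrection: 1800 (Local)
MaxPosPhaseCorrection: 1800 (Local)

[TimeProviders]

NtpClient (Local)
Enabled: 1 (Local)
SpecialPollInterval: 900 (Local)
Type: NTP (Local)
NtpServer: time-a.nist.gov,0x1 time-b.nist.gov,0x1 time-
c.timefreq.bldrdoc.gov,0x1 time.nist.gov,0x1 (Local)

NtpServer (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)
"""

if __name__ == "__main__":
    for label, sample in (("before", BEFORE_SAMPLE), ("after", AFTER_SAMPLE)):
        print(label, audit_root_pdc(parse_w32tm_config(sample)) or "compliant")
```

On a real server, pipe the output of w32tm /query /configuration into parse_w32tm_config() and run the audit; a non-empty finding list on the forest root PDC emulator is the same condition that produces the event ID 12 warning described further down.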

Using w32tm.exe

The Windows Time Service can also be configured using the companion command-line utility w32tm.exe. The following sets AnnounceFlags to 5, NTPServer to the server list and Type to NTP:

w32tm.exe /config /manualpeerlist:"time-a.nist.gov time-b.nist.gov time.nist.gov time-nw.nist.gov" /syncfromflags:manual /reliable:yes /update

Note that the settings for poll interval (SpecialPollInterval) and time correction (MaxPosPhaseCorrection/MaxNegPhaseCorrection) must be set in the registry.

Although the script uses the NIST time servers, I would recommend looking at the NTP Pool Project as well.

Also, to clear up a common misunderstanding, Windows does not need any third party software to synchronize its clock with an external time source, as long as the protocol used is NTP. This, of course, does not apply if you are using a special piece of hardware, such as a hardware clock, to keep correct time on your forest root PDC emulator DC. Furthermore, it is absolutely not necessary to include net time /sync or the like in logon scripts for clients to ensure they have the correct time, the Windows Time Service handles this.

If the DC holding the PDC Emulator FSMO role in the forest root domain is not set to sync its time from a reliable or external time source, the Windows Time service will log a warning in the System log with event ID 12:

Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.

Resetting configuration

In some cases you need to reset the configuration of the Windows Time Service. The easiest way I have found is to unregister and then re-register the service. Do this:

  1. Stop the Windows Time Service
    net stop w32time
  2. Unregister the service:
    w32tm /unregister
  3. Register the service:
    w32tm /register
  4. Start the Windows Time Service
    net start w32time

These steps will reset the service back to the defaults, usually to sync from the Domain Hierarchy for a domain-joined machine.

Configuring time synchronization on a non-domain computer

Some machines are not part of a domain hierarchy and therefore do not automatically use it to set their clocks. For Windows Vista and later there is a scheduled task (Task Scheduler Library\Microsoft\Windows\Time Synchronization\SynchronizeTime) that is set to run every Sunday at 01:00 by default. The Windows Time service is set to manual startup on workgroup computers by default and is started by the scheduled task. The command in the scheduled task is %windir%\system32\sc.exe start w32time task_started. The start of the service, in turn, triggers a synchronization against the configured time server; time.windows.com, by default. Which server is used to synchronize time is specified on the Internet Time tab of the Date and Time Control Panel applet (timedate.cpl). The Internet Time tab is missing on domain-joined computers.

When you press Update now it seems to perform a regular synchronization with the Windows Time service, starting the service first if it is not running. This is evident by the events in the System log:

EntryType          : Information
Message            : The time service is now synchronizing the system time with the time source no.pool.ntp.org,0x9 (ntp.m|0x9|0.0.0.0:123->139.117.2.21:123).
Source             : Microsoft-Windows-Time-Service
UserName           : NT AUTHORITY\LOCAL SERVICE

EntryType          : Information
Message            : The time provider NtpClient is currently receiving valid time data from no.pool.ntp.org,0x9 (ntp.m|0x9|0.0.0.0:123->139.117.2.21:123).
Source             : Microsoft-Windows-Time-Service
UserName           : NT AUTHORITY\LOCAL SERVICE

EntryType          : Information
Message            : The system time has changed to 2011-10-12T10:05:28.640000000Z from 2011-10-12T10:05:28.640606800Z.
Source             : Microsoft-Windows-Kernel-General
UserName           : NT AUTHORITY\LOCAL SERVICE

If you want to dump the SynchronizeTime task you can use this command:

schtasks.exe /query /TN "\Microsoft\Windows\Time Synchronization\SynchronizeTime" /v /FO List

If you try to issue any w32tm.exe command before the Windows Time service is started you will receive an error:

The following error occurred: The service has not been started. (0x80070426)

After either starting the service yourself, or pressing the Update now button in the Date and Time applet (which starts the service), you can issue commands with w32tm.exe normally. To configure which server(s) the computer syncs with you can either use the applet and enter a server FQDN (only one), or use w32tm.exe (multiple servers). With w32tm.exe you would use a slightly different version of the command used on a forest root PDC Emulator domain controller:

w32tm.exe /config /manualpeerlist:"0.no.pool.ntp.org 1.no.pool.ntp.org 2.no.pool.ntp.org 3.no.pool.ntp.org" /syncfromflags:manual /update

As you can see, the reliable flag is missing from this command since it is only applicable on Domain Controllers.

Know thy SELF…

Windows has a special security principal known as SELF (also Principal Self and NT AUTHORITY\SELF).

Here’s the definition of SELF from KB243330:

SID: S-1-5-10
Name: Principal Self
Description: A placeholder in an inheritable ACE on an account object or group object in Active Directory. When the ACE is inherited, the system replaces this SID with the SID for the security principal who holds the account.

And here’s one from KB296479:

SELF is not an actual SID, but a way to reference the objectSid for the object on which it is set, which will always be unique.
The hexadecimal value of the Self SID is: 0x01 0x01 0x00 0x00 0x00 0x00 0x00 0x05 0x0a 0x00 0x00 0x00

And from TechNet:

Principal Self

Well-Known SID/RID: S-1-5-10
Object Class: Foreign Security Principal
Default Location in Active Directory: cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>
Description: A placeholder in an ACE on a user, group, or computer object in Active Directory. When you grant permissions to Principal Self, you grant them to the security principal represented by the object. During an access check, the operating system replaces the SID for Principal Self with the SID for the security principal represented by the object.

So what does all this mean?

It means that if you want to grant a security principal permissions to itself, or more accurately; the object representing itself, you can use SELF as a placeholder. Whenever the security subsystem encounters the SELF SID in an ACL it replaces it with the SID of the object that the ACL is set on.
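The KB296479 quote above gives the raw bytes of the SELF SID, and the access-check substitution just described is easy to misread, so here is an added example (mine, not from the post or from Microsoft) that decodes and encodes binary SIDs in the documented layout (revision byte, sub-authority count byte, 48-bit big-endian identifier authority, then little-endian 32-bit sub-authorities), confirms that the twelve bytes quoted above are S-1-5-10, and then shows what an ACE list on a user object looks like once SELF has been replaced by that object's own objectSid. The user SID and the ACE list are constructed; resolve_aces() only models the substitution step, not a full Windows access check.

```python
import struct

SELF_SID = "S-1-5-10"   # Principal Self, per KB243330


def parse_hex_listing(listing: str) -> bytes:
    """Turn the KB's "0x01 0x01 0x00 ..." notation into bytes."""
    return bytes(int(token, 16) for token in listing.split())


def sid_from_bytes(data: bytes) -> str:
    """Decode a binary SID into its S-R-A-S1-S2-... string form."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match length")
    authority = int.from_bytes(data[2:8], "big")          # 48-bit identifier authority, big-endian
    subs = struct.unpack_from("<%dI" % count, data, 8)     # sub-authorities are little-endian DWORDs
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_to_bytes(sid: str) -> bytes:
    """Encode an S-R-A-S1-... string into the binary SID layout."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def resolve_aces(aces, object_sid: str):
    """Model the access-check step: a trustee of SELF becomes the SID of the object the ACL sits on.
    aces is a list of (trustee_sid, rights) pairs; the rights strings are free-form labels here."""
    return [(object_sid if trustee == SELF_SID else trustee, rights) for trustee, rights in aces]


if __name__ == "__main__":
    kb_bytes = parse_hex_listing("0x01 0x01 0x00 0x00 0x00 0x00 0x00 0x05 0x0a 0x00 0x00 0x00")
    print(sid_from_bytes(kb_bytes))                       # S-1-5-10
    user_sid = "S-1-5-21-1111-2222-3333-1105"             # constructed domain user objectSid
    # constructed ACE list as it might be inherited from an OU: SELF may write its own phone number
    inherited = [(SELF_SID, "WriteProperty(telephoneNumber)"), ("S-1-5-32-544", "GenericAll")]
    print(resolve_aces(inherited, user_sid))
```

The same SELF ACE, inherited by every user object under the OU, resolves to a different SID on each object, which is exactly why one ACE at the OU level replaces one explicit ACE per user.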

Why use SELF?

Using the SELF principal can greatly simplify administration and cut down on ACL sizes. Let's say you have an OU in Active Directory where you want every user to be able to update their own telephone number. Instead of editing each user object and granting that user permissions to its own telephone number attribute, you would just give SELF that permission at the OU level, and each user object would inherit it. When a user wants to change his or her telephone number, the access check in Active Directory will encounter the SELF principal and replace it with the SID of the actual account.

Questions:

One thing I could not figure out while putting this together is what happens when you use SELF in an ACE on an object that is not a security principal, a file for instance. The file does not have a SID (because it is not a security principal) so there is nothing for SELF to point to. I thought that maybe SELF would point to the SID of the owner of the file, but that is the job of the CREATOR OWNER SID, not SELF. I guess that SELF, when used in such a scenario, does not do anything.

The Windows Server 2008 DNS Server Global Query Block list

Event logged in the DNS Server log when a query is received for a name that exists in an authoritative zone, but is also on the global query block list:

EventID : 7600
MachineName : lab-dc1.lab.net
EntryType : Warning
Message : The global query block list is a feature that prevents attacks on your network by blocking DNS queries for specific host names. This feature has caused the DNS server to fail a query with error code NAME ERROR for wpad.lab.net. even though data for this DNS name exists in the DNS database. Other queries in all locally authoritative zones for other names that begin with labels in the block list will also fail, but no event will be logged when further queries are blocked until the DNS server service on this computer is restarted. See product documentation for information about this feature and instructions on how to configure it.

Below is the current global query block list (this list may be truncated in this event if it is too long):
wpad
isatap
Source : DNS

Resources:

How to reset the Windows Recycle Bin

Sometimes the Recycle Bin of a partition/volume can become corrupted. When it does it prevents you from deleting files, or takes up space that cannot be reclaimed by emptying the Recycle Bin, or both. To reset the Recycle Bin for a particular volume or partition, start a command prompt with Administrative privileges and delete the $RECYCLE.BIN folder from the partition/volume in question. Needless to say you will lose everything in that folder. The next time you delete a file on that volume/partition, the Recycle Bin will be regenerated automatically.

Example command:

rd /s E:\$RECYCLE.BIN

Where E: is the volume or partition with the corrupt Recycle Bin.

Information wants to be free!