Fixed bugs:
Security Fixes
* Workstation 7.1.4 addresses a local privilege escalation in the vmrun utility
VMware vmrun is a utility that is used to perform various tasks on virtual machines. The vmrun utility runs on any platform with VIX libraries installed. It is installed in Workstation by default. In non-standard filesystem configurations, an attacker with the ability to place files into a predefined library path could take execution control of vmrun. This issue is present only in the version of vmrun that runs on Linux.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-1126 to this issue.
Other Resolved Issues
* In Workstation 7.1, the default main memory VA cache size (mainMem.vaCacheSize) for 32-bit Windows guests was reduced to accommodate 3D emulation memory requirements. However, the reduced value resulted in performance loss. For 7.1.4, the default main memory VA cache size has been increased to 1000 MB and performance is improved.
* Because Workstation failed to identify more than 10 USB host controllers in newer Windows guests, some USB devices did not appear in the Removable Devices menu. Now Workstation shows all USB devices in the Removable Devices menu as long as they are connected to the first identified 16 USB controllers.
* When using the Capture Movie option, the captured video stopped playing around the 1GB mark if the video file exceeded 1GB. Now you can capture and play video files that are greater than 1GB.
* The application vmware-modconfig UI could not start up in a KDE 4 session in a SUSE Linux Enterprise Desktop (SLED) 11 environment.
* On Windows host systems that have more than 4GB of memory, Workstation sometimes crashed during cryptographic operations, for example, when performing disk encryption.
* VMware Tools upgrade could be started by a non-administrator user from the VMware Tools Control Panel in a Windows guest. In this release, only administrator users can start VMware Tools upgrade from the VMware Tools Control Panel. To prevent non-administrator users from starting VMware Tools upgrade from a guest by using other applications, set isolation.tools.autoinstall.disable to TRUE in the virtual machine configuration (.vmx) file.
* When a virtual machine running on a Windows host was used to access an Omron Industrial CP1L Programmable Logic Controller, Workstation generated an unrecoverable error.
* When using NAT virtual networking on Windows hosts, the traceroute command did not work when used within virtual machines.
* The Easy Install feature did not work for Fedora 14 guest operating systems.
* During VMware Tools installation on a Fedora 14 64-bit guest operating system, the following warning message was generated while building the vsock module: case value '255' not in enumerated type 'socket_state'.
* Workstation crashed with an access violation when a user tried to open the sidebar after closing all tabs in Quick Switch mode.
* The Easy Install feature did not work for Red Hat Linux 6 guest operating systems.
* The VMware Tools HGFS provider DLL caused a deadlock when making calls to the WNetAddConnection2 function from an application such as eEye Retina in a Windows guest operating system.
* There was no option to disable guest time sync when a host resumes. Now you can set time.synchronize.resume.host to FALSE in the virtual machine configuration (.vmx) file to disable guest time sync when a host resumes. See VMware Knowledge Base Article 1189 for other time sync options.
* Setting a hidden attribute on a file in a shared folder from a Windows guest on a Linux host failed with an error. This problem caused applications such as SVN checkout to fail when checking out to shared folders on Linux hosts from Windows guests.
Thursday, March 31, 2011
GPO management editor: registry settings
There are 2 types of configurations:
- Computer configuration
- User configuration
Both of them modify registry settings.
When you modify the computer configuration, it makes changes inside HKEY_LOCAL_MACHINE; the user configuration affects HKEY_CURRENT_USER.
Office Communicator Server 2007 R2 on windows 2008 R2?
At step 2 of the installation, it checks for components, then the installation brings you back to the same page in an endless loop, even after you have checked all the prerequisites and best practices on the Microsoft website.
However, there has been a fix available for a little over a year now: http://support.microsoft.com/kb/982021
The best practice for OCS is to stay on Windows 2008 SP1 or Windows 2003 32-bit: the 64-bit version for Windows 2008 and the 32-bit version for Windows 2003.
Of course, one of the best practices is not to try products that were released before the integration of new operating systems, but sometimes, for the sake of intellectual curiosity, the human mind needs to know if this can be achieved.
Wednesday, March 30, 2011
How to make sure DCPROMO was successful
After the installation, go to the command prompt and type net share.
At the prompt you will see many shares, but only 2 of them indicate that the installation was successful: NETLOGON and SYSVOL.
Logon scripts are found in NETLOGON (path is something like harddrive:\windows\SYSVOL\sysvol\domain\SCRIPTS)
Share folders are in SYSVOL.
To make sure you can replicate files, copy a file inside SYSVOL Directory, then check if it replicated to other domain controllers.
The global catalog also depends on the NETLOGON service, and so do GPOs
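The same check in PowerShell, as an added example that is not from the original post: the first function confirms that the NETLOGON and SYSVOL shares exist, and the second drops a canary file into the scripts folder and waits for it to appear on the other domain controllers. The function names, the canary file name and the DC names you pass in are assumptions.

```powershell
# Added example, not from the original post. Run in an elevated prompt on the new DC.

function Test-DcPromoShares {
    # Win32_Share returns the same shares that "net share" prints.
    $shares = Get-WmiObject -Class Win32_Share
    foreach ($name in 'NETLOGON', 'SYSVOL') {
        $share = $shares | Where-Object { $_.Name -eq $name }
        $path = $null
        if ($share) { $path = $share.Path }
        New-Object PSObject -Property @{
            Share  = $name
            Exists = [bool]$share
            Path   = $path
        }
    }
}

function Test-SysvolReplication {
    param(
        [Parameter(Mandatory = $true)][string[]]$PeerDCs,  # other DCs, supplied by you
        [int]$TimeoutSeconds = 900
    )
    # Local folder behind the NETLOGON share (...\SYSVOL\sysvol\<domain>\SCRIPTS).
    $netlogon = Get-WmiObject -Class Win32_Share -Filter "Name='NETLOGON'"
    if (-not $netlogon) { throw 'NETLOGON share not found: DCPROMO did not complete.' }

    $canary = 'repl-canary-{0}.txt' -f [guid]::NewGuid()
    $local  = Join-Path $netlogon.Path $canary
    Set-Content -Path $local -Value (Get-Date -Format o)
    try {
        $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
        $pending  = @($PeerDCs)
        while ($pending.Count -gt 0 -and (Get-Date) -lt $deadline) {
            Start-Sleep -Seconds 15
            # Keep only the DCs that do not have the canary yet.
            $pending = @($pending | Where-Object {
                -not (Test-Path -Path "\\$_\NETLOGON\$canary")
            })
        }
        foreach ($dc in $PeerDCs) {
            New-Object PSObject -Property @{
                DC         = $dc
                Replicated = ($pending -notcontains $dc)
            }
        }
    }
    finally {
        # Remove the canary; the deletion replicates like any other change.
        Remove-Item -Path $local -ErrorAction SilentlyContinue
    }
}

Test-DcPromoShares | Format-Table Share, Exists, Path -AutoSize
# Test-SysvolReplication -PeerDCs 'DC2', 'DC3'   # hypothetical DC names
```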
Tuesday, March 29, 2011
Exchange pre-requisites: Net.Tcp Port Sharing
Another prerequisite for Exchange 2010 is to set up Net.Tcp Port Sharing.
You can either do this with:
1) services.msc (go to the Start menu, run services.msc, then click on Net.Tcp Port Sharing to enable it)
or
2) PowerShell command: Set-Service NetTcpPortSharing -StartupType Automatic
PS: Mastering Windows PowerShell is recommended to run Exchange 2007 and 2010 smoothly.
I believe that MS products will put more emphasis on Windows scripting within the next few years.
What does Net.Tcp Port Sharing do? It allows many applications to share the same port without configuring a client.
Installing Exchange 2010: unable to read data from the metabase.
When you install the client access role prerequisites, you may find this type of error:
"unable to read data from the Metabase. Ensure that Microsoft Internet Information Services is correctly installed." Then you click the "recommended action" link only to find no explanation at all, since this link advises you to uninstall and then reinstall IIS (which won't take care of the problem anyway).
At this point, we can assume that:
1) You may have read the prerequisites too fast
2) The error you encountered does not bring you enough information to take care of the issue.
or
3) You don't know enough about IIS
or a little bit of everything.
I really pulled out my hair on this issue. I uninstalled then re-installed IIS with different roles, only to find out that the "management compatibility" feature has to be checked.
Monday, March 28, 2011
SQL error [0xC3EC79FB] on Office Communicator Server 2007
For Office Communicator, you will need 2 servers: you cannot install SQL on the Office Communicator server and get away with it; you need the front end and the back end. Maybe, and I say "maybe", you can get away with installing a SQL instance on a client machine, then Office Communicator on the server machine.
Here is what MS wrote for this error:
"The Office Communications Server 2007, Back-End Database, stores user data for all Enterprise Edition Servers within a pool. As a centralized repository, the Back-End Database cannot be installed on the same computer as any other Office Communications Server role. The Back-End Database cannot reside on an Enterprise Edition Server in the pool.
The Back-End Database is created automatically when you create the pool, but the computer that you designate as the back end must already be running SQL Server in order for installation to succeed. Before you deploy Enterprise Edition Server, install SQL Server 2005 with Service Pack 1 (32-bit or 64-bit) or SQL Server 2000 with Service Pack 4 or higher on a dedicated computer that meets the hardware requirements described in Infrastructure Requirements and Prerequisites in Microsoft Office Communications Server 2007 Enterprise Edition earlier in this document."
AD install tip
During AD installation, always enter the IP address of the computer and make it point to itself as DNS as well; otherwise DCPROMO will install a loopback adapter that may be irrelevant to your infrastructure.
Working on Microsoft Office Server Installation
I've been working on Microsoft Office Server installation. It is the most painful installation, with tons of prerequisites. At this point, I am detecting all the errors encountered and I will probably post them once I am done, depending on the length of the installation at my earliest convenience.
Friday, March 25, 2011
"Run as Administrator" / UAC
In Windows 2008 there is a security feature that requires you to run some programs with elevated administrator rights. This is the case for MS Virtual Machine Manager, for example: the program will let you connect to the virtual host, but you won't be able to access the virtual machine and will get the error message "cannot connect to this machine". It's rather annoying, since this security feature applies to lots of programs and can literally waste your day trying to troubleshoot the issue. So here is how to remove this security feature:
1) Type secpol.msc and it will bring up the security policy snap-in.
2) Go to the local security tab, double-click Local Policies, then go to Security Options. Double-click "User Account Control: Run all administrators in Admin Approval Mode" and set it to DISABLED, then reboot the machine.
There is a description of elevated privileges and UAC here: http://technet.microsoft.com/en-us/library/cc709691(WS.10).aspx
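The policy changed in step 2 is stored as the EnableLUA value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. As an added example (not part of the original post), this PowerShell function reads that key and reports which UAC values are in a weakened state, so machines where the feature was switched off can be found during an audit; the function name Get-UacPosture is made up for this example.

```powershell
# Added example, not from the original post: report UAC values set by secpol.msc.
function Get-UacPosture {
    param(
        [string]$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    )

    # Registry value -> the data that weakens UAC, and the policy state it represents.
    $weak = @{
        EnableLUA                  = @{ Bad = 0; Policy = 'Run all administrators in Admin Approval Mode: Disabled' }
        ConsentPromptBehaviorAdmin = @{ Bad = 0; Policy = 'Administrators: Elevate without prompting' }
        PromptOnSecureDesktop      = @{ Bad = 0; Policy = 'Switch to the secure desktop when prompting: Disabled' }
    }

    $props = Get-ItemProperty -Path $KeyPath -ErrorAction Stop
    foreach ($name in $weak.Keys) {
        $value = $props.$name   # $null when the value is not present
        New-Object PSObject -Property @{
            Name     = $name
            Value    = $value
            Weakened = ($null -ne $value -and $value -eq $weak[$name].Bad)
            Meaning  = $weak[$name].Policy
        }
    }
}

# List only the settings that are currently weakened on this machine.
Get-UacPosture | Where-Object { $_.Weakened } | Format-Table Name, Value, Meaning -AutoSize
```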
MS virtual system center manager 2008 R2 X64 SP1 is out
And I am testing it.
Make sure to upgrade your SQL Server to 2005 at least, or run another SQL version; otherwise you won't be able to connect and will get an EVENT ID 1602. Or... you can fix it manually, but it will take longer to go the other road.
More later on this software as soon as I test it.
How to change an FQDN name
Let's say that in AD you have a user who would like a better name to log in with. You can manipulate the domain name with Active Directory Domains and Trusts and change the UPN suffix.
Steps:
1) Go to ADDT - click on the 1st tree - go to properties - then change the UPN suffix
2) Then go to Active Directory Users and Computers - select your user - go to Account; in the second box after "User logon name", change the UPN suffix
How to rename a Domain Controller
There are 2 ways. They both work the same in my opinion, although there is a warning from MS if you choose the GUI solution:
- With the GUI: go to computer properties and rename the computer
- With the netdom command: run netdom computername oldcomputernamefqdn /add:newcomputernamefqdn
Then run netdom computername computernamefqdn /remove:oldcomputernamefqdn
Both of these commands go together, and you MUST use them in this order for the changes to take effect.
The Module "schmmgmt.dll" Loaded but the Call to DllRegisterServer Failed with Error Code 0x80040201
During roles removal I encountered this error on the schema master with the command regsvr32 schmmgmt.dll:
The Module "schmmgmt.dll" Loaded but the Call to DllRegisterServer Failed with Error Code 0x80040201
Solution:
Make sure the computer account belongs to "schema admins", otherwise you won't be able to do this operation. Then run the CMD in administrator mode, and it will take care of the issue.
Another solution, if you are stuck without resolving this issue, is to use the NTDSUTIL command to manually transfer the FSMO to another computer.
Thursday, March 24, 2011
Cannot transfer RID master to main DC
For some reason, today the zone transfer between 2 DCs was not working in my lab. I tried with ntdsutil and I could not transfer the role. In this case, a forced removal of the DC took care of the problem.
PS: only do that if you cannot transfer FSMO roles and if you cannot replicate in Active Directory Domain and Sites.
Steps:
1) DCPROMO /forceremoval
2) Active Directory users and computers: go to Domain Controllers, delete the damaged DC
3) Then it will ask you if you want to transfer the remaining roles to the schema master. Click yes.
done
Run netdom query fsmo to check that all the roles have been transferred :)
Re-install the damaged DC with DCPROMO
Wednesday, March 23, 2011
Cannot join an XP machine to the domain name
Solution: after checking the internal DNS pointers inside TCP/IP, create the machine name inside AD, then disable LMHOSTS and make sure it can read the NetBIOS name inside the TCP/IP settings, then join the machine to the domain.
I can't say it's a 100% solution, it worked for my case though.
How to seize and remove FSMO roles
After decommissioning a domain controller, run NTDSUTIL at the DOS-prompt.
To remove the roles, you need to type the following:
1) metadata cleanup
2) connections
3) connect to server X (establishing a connection to the schema master, usually your primary domain controller)
4) select operation target
5) list domains
6) select domain X (X is a number)
7) list sites
8) select site X
9) list servers in site
10) select server X
11) remove selected
12) q
Repeat steps 4 and 11 for a 2nd or 3rd demotion.
How to remove orphaned child domains
Description: you have a domain controller named, for example, test.local, and inside Active Directory Users and Computers, when you want to change the domain controller, you notice subdomains such as sub.test.local. These subdomains of course do not exist, and you need to remove them from your AD.
First, and to make it short, the creation of a subdomain is often due to a connectivity problem (DNS, for example) or to multiple instances of DCPROMO that were unsuccessful after promoting a new domain in a new forest. There may be other reasons as well.
So what are the steps to take care of this issue?
1) Removal of DCs
2) Seizing the FSMO roles and deleting them.
Do not seize the FSMO roles as a first step and then remove a DC.
Also, you may notice the error message "The FSMO role ownership could not be verified because its directory partition has not replicated successfully with at least one replication" (error 0x21a2). In my case, I found out that following the order of creation of the child subdomains would take care of this error. First remove the subdomain that was created first, then remove the second one if you have more than 2 to delete.
There are also other tricks with repadmin but it would not take care of my issue.
Also to remove FSMOs roles to another domain controller, refer to this article.
Event ID 2042
Event ID 2042: It has been too long since this machine replicated
There is a fix here: http://technet.microsoft.com/en-us/library/cc949136(WS.10).aspx
As far as I am concerned, my case was with a new forest in an existing domain during a DCPROMO. I just rebooted the main DC and was able to install the new DC after 2 attempts, but now I have 2 other child domains that will need a metadata cleanup.
Monday, March 21, 2011
The security database on the server does not have a computer account for this workstation trust relationship
The security database on the server does not have a computer account for this workstation trust relationship.
Solution: go to AD and check whether the computer is duplicated in the OU. If so, remove the duplicated computer (it will be a name with a SID number) and reboot the computer.
Sunday, March 20, 2011
Domain Controller in AD shows as unavailable
Solution: go to TCP/IP properties and select Internet Protocol version 6 (IPv6).
Works in windows 2008 R2 SP1