Posts Tagged ‘Windows Server 2008’

Fast Reconnect with PEAP

Friday, March 11th, 2011

I have been investigating issues with our laptops whereby they would freeze and become generally unresponsive when changing area and thus changing the WAP they were connected to. This was causing big problems for staff who teach in multiple rooms and regularly change between wired and wireless connections.

We have a combination of HP ProCurve 420WW and HP ProCurve M110 APs. All APs are required to use 802.1x authentication against a Windows Server 2008 NPS. Two servers run this role, for resiliency.

Wireless settings for the clients are configured through Group Policy and enforced to all machines – specifying the connection protocols, authentication types, etc.

In the client connections, Fast Reconnect was enabled, as we knew users were going to be roaming across APs. However, the setting was not enabled on the server. This meant that although the client was permitted to attempt Fast Reconnect, the server was rejecting every fast reconnection attempt. I assume that the client kept retrying Fast Reconnect, was continually rejected by the server, and froze whilst it attempted the connection.

In NPS you need to enable the Fast Reconnect setting for your PEAP connection by:

  1. Expand Policies then Network Policies
  2. Open up your Wireless Policy.
  3. Select the Constraints tab, then Authentication
  4. Under EAP Types select Microsoft Protected EAP and then click Edit
  5. Make sure that Fast Reconnect is enabled.

As far as I know the setting takes effect the next time that a client completes a full authentication to the RADIUS server.

Another item to check is that all the wireless APs authenticate to the same NPS server. Fast Reconnect only works for clients and APs that are connecting to the same RADIUS server. In my scenario I have set every AP to direct requests to a single primary RADIUS server, and to fall back to the same secondary server. If APs are assigned to different RADIUS servers, then a full authentication will occur every time you move to an AP that uses a different RADIUS server.


Redirected My Documents folders showing as ‘Documents’ rather than the user’s name

Monday, December 20th, 2010

Had a complaint from a member of staff recently that all students’ work folders showed up as My Documents when he was browsing through their work.

Many of you may have been directed to this Microsoft KB as a ‘solution’: http://support.microsoft.com/kb/947222

Not much of a solution if you ask me. Redirection to a subfolder would work, but do you really want to change something that significant on your network? Enabling exclusive access would be fine if you didn’t need to give other people access to the Documents folder. In a student-teacher situation, teachers need to be able to see the students’ work, so this doesn’t work for us. Option 3 – deny permission to the desktop.ini. We have 1400 students. That’s a lot of changes – yes, I could use xcacls or subinacl to automate it, but what a headache.

The best ‘solution’ that we have come up with is to simply delete the desktop.ini file at logoff. We created a VBScript which looks for a desktop.ini file in the user’s My Documents folder and, if it exists, deletes it. Attach this to a GPO that affects the user as a logoff script.

The code we used is:

' Logoff script: remove the desktop.ini that makes a redirected
' My Documents folder display as "Documents" instead of the username.
On Error Resume Next  ' never block logoff if the delete fails
Set WSHShell = WScript.CreateObject("WScript.Shell")
Set FSO = CreateObject("Scripting.FileSystemObject")
' Resolves to the (redirected) My Documents path of the current user
DocsPath = WSHShell.SpecialFolders("MyDocuments")
If FSO.FileExists(DocsPath & "\desktop.ini") Then
  ' Second argument (force = True) also removes the file if it is read-only
  FSO.DeleteFile DocsPath & "\desktop.ini", True
End If

Next time the user logs on and then off again, the desktop.ini file will be deleted, and the folder will show as the user’s username.

Shame there isn’t a GPO option which allows you to turn off this feature. On a home machine it is great, but in a corporate environment you need to be able to turn off the fancy features and see exactly what you have got.


Specified Port is Unknown error when adding Network Printers

Thursday, July 1st, 2010

Just finished investigating and resolving an error whereby the message ‘Specified Port is Unknown’ appears when adding a network printer. This was first noticed when a login script that adds printers didn’t actually add any printers.

To fix this problem, you need to delete the references to the printer drivers in the registry. I had already deleted all references to network printers in an earlier attempt to fix the problem, so I will include that as a step, as it will not affect any functionality.

  1. Open Registry Editor, making sure that you have administrator rights.
  2. Expand HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\<Architecture>\Drivers\Version-3, where <Architecture> is the platform subkey for your server (Windows NT x86 or Windows x64).
  3. Delete any subkeys for printer drivers that have been installed.
  4. Expand HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers
  5. Delete any subkeys that reference any network printers.
  6. Close Registry Editor.
  7. Restart the Print Spooler service.
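The same cleanup from an elevated PowerShell prompt, with a registry backup taken before anything is deleted. This is an added example, not the script from the original post; the architecture subkey, the printer name pattern and the dry-run switch at the top are assumptions you set for your own server.

```powershell
# Added example, not from the original post: backs up the two registry keys from
# the steps above, deletes the driver subkeys and the printer subkeys you select,
# and restarts the spooler. Run from an elevated prompt.
# Assumptions: a 64-bit server uses the "Windows x64" environment subkey
# ("Architecture" above is a placeholder), and $PrinterPattern names the printers
# to remove. $DryRun only lists what would go; set it to $false to delete.
$DryRun         = $true
$PrinterPattern = '*'     # assumption: narrow this to your network printers, e.g. 'HP LaserJet*'
$Arch       = if ([IntPtr]::Size -eq 8) { 'Windows x64' } else { 'Windows NT x86' }
$DriverKey  = "HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\$Arch\Drivers\Version-3"
$PrinterKey = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers'
$BackupDir  = Join-Path $env:TEMP ('PrintRegBackup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $BackupDir | Out-Null

function Backup-Key([string]$Key, [string]$Name) {
    # "reg import <file>.reg" restores the key if the cleanup makes things worse.
    reg.exe export $Key (Join-Path $BackupDir "$Name.reg") /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $Key failed; nothing has been deleted." }
}

function Remove-Subkeys([string]$Key, [string]$Filter) {
    $psPath = 'Registry::' + ($Key -replace '^HKLM', 'HKEY_LOCAL_MACHINE')
    Get-ChildItem -Path $psPath | Where-Object { $_.PSChildName -like $Filter } | ForEach-Object {
        if ($DryRun) { Write-Host "Would remove $($_.PSChildName) from $Key" }
        else {
            Write-Host "Removing $($_.PSChildName) from $Key"
            Remove-Item -Path $_.PSPath -Recurse -Force
        }
    }
}

Backup-Key $DriverKey  'Drivers-Version-3'       # before steps 2-3
Backup-Key $PrinterKey 'Printers'                # before steps 4-5

Stop-Service -Name Spooler -Force                # the spooler holds these keys open
try {
    Remove-Subkeys $DriverKey  '*'               # step 3: every installed driver
    Remove-Subkeys $PrinterKey $PrinterPattern   # step 5: the printers you chose
}
finally {
    Start-Service -Name Spooler                  # step 7
}
Write-Host "Registry backups are in $BackupDir"
```

Run it once with $DryRun left at $true to confirm the list of subkeys matches what you expect, then rerun with it set to $false.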

After this had been completed, all of the shared printers as part of the login script connected and functioned as they should.

All I can imagine is that one of the drivers was corrupt, or information had not been removed from the registry when a printer was removed.


Windows 2008 R2 RDS: Print Spooler Stops

Wednesday, June 2nd, 2010

We have two servers running Windows Server 2008 R2 Remote Desktop Services. On both servers the Print Spooler service kept randomly stopping. In the Application event log, we noticed this error kept appearing:

Faulting application name: spoolsv.exe, version 6.1.7600.16385, timestamp: 0x4a5bd3d1
Faulting module name: ntdll.dll, version 6.1.7600.16385, timestamp: 0x4a5bd3d1
Exception code: 0xc0000374

After trying to replicate the problem, we found that it only occurred when certain groups of users, all with the same login script, logged in to the server. Part of this login script adds some network printers for the user.

Turns out we had just updated one of the print drivers for the printers, and whenever a user logged in, it was unable to install the new print driver because of the user’s access rights. Instead of popping up asking for an administrator’s credentials to add the driver, the print spooler service was just failing.

The fix in this case was simply to log in as an administrator and add the printer, so that the driver gets installed.

Other fixes that I found on the internet all relate to driver issues, so do check that the drivers you are using are suitable for Windows Server 2008 and are WHQL signed.

Login Script Not Running Windows 2008 Remote Desktop Services (Terminal Services)

Monday, May 24th, 2010

Call today: a user has no network drives when logging on to the thin clients.

The setup for this is as follows:

  • 2 x Windows Server 2008 R2 servers running RDS, DNS round robin, load balanced.
  • 56 x ThinStation 2.2.2 clients

A VBS login script is applied using Group Policy. All student users have a Mandatory Roaming Profile.

Any user other than the one I used to create the template could not run the login script. It took quite a while to work out that the mandatory profile was the cause.

To solve the problem:

  1. Open Registry Editor
  2. Select HKEY_USERS, then click File –> Load Hive
  3. Select the mandatory profile file (NTUSER.MAN) and give it a name.
  4. Right click on the key that you named in step 3 and select Permissions.
  5. Remove the user that you used to create the Mandatory Profile
  6. Add in the Authenticated Users (or a different group if you want to restrict access further) and assign it Full Control.
  7. Propagate the permissions to all child objects.
  8. Select the hive that you added in step 3, click File –> Unload Hive
  9. Test.

I suggest creating a backup of the original hive before you make any changes. Just in case.

Now, whenever a user logs in the script should run, and create all of the necessary network drives that you have defined in your script.

Could not access OWA using HTTPS – Error 404

Monday, April 19th, 2010

Symptoms here are:

  • Unable to access OWA
  • Outlook 2007 reports that it is unable to change any Out Of Office settings; server unavailable.

The environment: Microsoft Exchange 2007 running on Microsoft Windows Server 2008.

One other symptom, which I don’t know if this resolved or something else did, is that the Free/Busy information was not accurate when scheduling a meeting.

The fix:

  1. Ensure that you have a current server certificate, even a self-signed one, in the Personal store for the local computer on the server.
  2. Open up IIS Manager
  3. Right click the Default Website (or the site that hosts OWA), and select Edit Bindings
  4. Make sure there is an entry there for https. If not, create one.
  5. Edit the entry and make sure that the correct IP address and port settings are present.
  6. Ensure that the current certificate that you verified existed in step 1 is selected for the SSL Certificate.
  7. Click OK and close all windows. No need to restart IIS; your site and services should now be back up and running.
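The same checks scripted with appcmd and netsh, as an added example that is not from the original post. It assumes an elevated prompt on the Exchange/IIS server, and the site name, certificate subject and application id GUID at the top are placeholders to replace with your own.

```powershell
# Added example, not from the original post: checks the things the steps above
# verify by hand, from an elevated prompt on the Exchange 2007 / IIS 7 server.
# Assumed values: the site name, the certificate subject and the app id GUID.
$SiteName = 'Default Web Site'
$Subject  = 'CN=mail.example.com'                       # assumption: your server certificate
$AppId    = '{00112233-4455-6677-8899-aabbccddeeff}'     # assumption: any GUID labelling the binding
$appcmd   = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'

# Step 1: a current certificate with a private key in Local Computer \ Personal.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $Subject in LocalMachine\My" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)" }

# Steps 3-4: the site needs an https binding; create one on all addresses, port 443, if missing.
$bindings = (& $appcmd list site $SiteName /text:bindings) -join ' '
if (-not $bindings) { throw "Site '$SiteName' not found" }
if ($bindings -notmatch 'https/') {
    & $appcmd set site "/site.name:$SiteName" "/+bindings.[protocol='https',bindingInformation='*:443:']"
}

# Steps 5-6: HTTP.SYS must have this certificate bound to the IP:port of that binding.
$bound = (netsh http show sslcert ipport=0.0.0.0:443) -join ' '
if ($bound -notmatch $cert.Thumbprint) {
    if ($bound -match 'Certificate Hash') {   # a different certificate is bound: replace it
        netsh http delete sslcert ipport=0.0.0.0:443 | Out-Null
    }
    netsh http add sslcert ipport=0.0.0.0:443 "certhash=$($cert.Thumbprint)" "appid=$AppId"
}
netsh http show sslcert ipport=0.0.0.0:443   # final check; no IIS restart needed
```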

Backup Exec 12: Remote SharePoint Agent – Access Denied

Wednesday, February 17th, 2010

Just coming to the end of fixing a very frustrating problem with Backup Exec 12, and backing up our SharePoint 2007 farm. After over 8 hours on the phone and extra work done by email with Symantec engineers, I have a solution.

Here’s the basic information:

SharePoint Server:

  • Windows Server 2008 Standard x64
  • SharePoint Server 2007 Standard x64
  • Backup Exec Remote Agent for SharePoint
  • A second server runs the Backup Exec program, and a third dedicated database server hosts the Backup Exec database.

The main problem is described well in the following Symantec document (which is what they keep referring me to): http://seer.entsupport.symantec.com/docs/300675.htm

After going through a number of fixes, mainly checking that you have actually given permissions to all of the necessary areas (I can’t say exactly what you need at the minute; I still have some very sweeping permissions in place from testing) and creating the SPSWrapperV3.exe.config files, we still weren’t getting anywhere.

After fixing another program (on Vista this time) which had issues relating to User Account Control, I gave it a try.

On Windows Server 2008, go into Control Panel -> User Accounts, then select Turn User Account Control On or Off.

After a restart, backups start working!!

Not sure who I am more frustrated at right now: Symantec for not making software that works with UAC but is supposedly designed for Server 2008, or Microsoft for putting the feature in. I totally see why it exists, and most of the time I like its existence. Some of the time it is a total pain.

802.1x User Authentication with Mandatory Profiles

Thursday, October 1st, 2009

Just been working on 60 new Asus Eee netbooks that we have bought for student use in the college. Mainly, testing thoroughly that the wireless was going to work flawlessly.

We got everything working for ourselves using Network Policy Server, HP ProCurve 420 APs and PEAP. Only problem – when a student logs in, the authentication fails.

Did some checks to make sure that there weren’t any user group filters or GP settings that were blocking the authentication. In a last ditch attempt we dropped the mandatory profile, and the authentication worked.

Having never had this problem before (all staff have roaming profiles), I started looking up the problem.

Found that some changes in Windows XP SP3 stop user authentication using 802.1x. You can still use machine authentication, but this didn’t meet our requirements.

Turns out Microsoft released a hotfix for this. Works great – now integrated into our RIS installations. Link below:

http://support.microsoft.com/kb/969111

Reconnect Just Flickers & Returns

Monday, September 28th, 2009

After all that work sorting out my user profiles and reducing my logon time as far as I can (record is 12 seconds from entering password to a working desktop :-) ), I have found another problem.

The clients are booting up fine, pulling the config files from the network and running the right applications. However, once they have been logged out and returned to the Shutdown/Reconnect dialog, there is no way to reconnect to the server.

When you click it, it starts to try to reconnect, then flickers, and then returns to the Shutdown/Reconnect dialog, just going round and round in a circle. If I shut down and reboot, it all works fine.

That’s tomorrow’s challenge now I feel.

Group Policy Client Service Failed the Login: Access is Denied

Monday, September 28th, 2009

This error has been annoying me for nearly 4 hours now.

We have a terminal server for students. All students use a mandatory profile, located on a share so that it can be accessed by all of the servers in the farm.

I thought this would be easy to set up, so I did the following:

  1. Log in as a user (that does not have the profile path set) to create a local profile on the machine.
  2. Configure the profile as you require and then log off.
  3. Log on as an administrator.
  4. Open up System Properties –> Advanced –> User Profiles
  5. Select the profile that you created in steps 1-3 and select Copy To.
  6. Specify the location, a security group and the intended user. Click OK and verify that the folder exists in the new location.
  7. Go to the location and rename NTUSER.DAT to NTUSER.MAN to make it mandatory.
  8. Set the user profile location for all your desired users.
  9. Log in and test.

All was going well. I was at step 8, and failure struck: Group Policy Client Service Failed the Login: Access is Denied.

Check the following first, as simple solutions:

  • The user has read access to the share.
  • The user profile is owned by the DOMAIN\Administrators group.
  • Ensure the desired group has read access to the entire profile (you can replace all permissions).

After checking this and repeating the whole process twice, I started looking at something else. The NTUSER.DAT file is a registry hive, which contains keys with their own security on them. So:

  1. Open up Registry Editor
  2. Select HKEY_USERS, then right click and Load Hive
  3. Browse to the location of the profile and open NTUSER.MAN
  4. Give the key a temporary name, e.g. Profile.
  5. Right click the name you just gave and choose Permissions.
  6. Make sure the desired group is listed and has Full Control permissions.
  7. Propagate all these permissions to all child objects.
  8. Unload the hive and close Registry Editor

This cured the problem for me. Now all of the intended users can pick up the profile and work as desired.
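The hive permission change above (and the same procedure in the Login Script Not Running post earlier on this page, which also removes the account that built the profile) done from an elevated PowerShell prompt, as an added example that is not from the original posts. It assumes the hive path, template account name and group set at the top, and that no user is logged on with the profile while it runs.

```powershell
# Added example, not from the original posts: gives a group Full Control over a
# mandatory profile hive, removes the account that built the profile, and
# propagates the change to every subkey (the Registry Editor steps above).
# Assumptions: the hive path, the template account and the group below; run from
# an elevated prompt while no user is logged on with the profile.
$HivePath  = '\\FILESERVER\Profiles\Student\NTUSER.MAN'  # assumption: your profile share
$OldUser   = 'DOMAIN\profiletemplate'                    # assumption: account used to build the profile
$Group     = 'NT AUTHORITY\Authenticated Users'          # or a narrower group
$MountName = 'TempProfile'                               # the temporary key name from step 4

Copy-Item -Path $HivePath -Destination "$HivePath.bak" -Force   # back up the original hive first

reg.exe load "HKU\$MountName" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed: is the profile in use or the prompt not elevated?" }

try {
    $root   = "Registry::HKEY_USERS\$MountName"
    $oldSid = (New-Object System.Security.Principal.NTAccount($OldUser)).Translate(
                  [System.Security.Principal.SecurityIdentifier])
    # Inheritable Allow ACE: Full Control on this key and on every subkey beneath it.
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
                $Group, 'FullControl', 'ContainerInherit', 'None', 'Allow')

    $acl = Get-Acl -Path $root
    $acl.PurgeAccessRules($oldSid)      # drop the account that created the profile
    $acl.AddAccessRule($rule)           # step 6: the group gets Full Control
    Set-Acl -Path $root -AclObject $acl

    # Step 7: strip explicit ACEs for the template account from each subkey and
    # switch inheritance back on so they all pick up the root ACE.
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $childAcl = Get-Acl -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($childAcl) {
            $childAcl.PurgeAccessRules($oldSid)
            $childAcl.SetAccessRuleProtection($false, $false)   # inherit from parent again
            Set-Acl -Path $_.PSPath -AclObject $childAcl
        }
    }
}
finally {
    # Step 8: always unload, or the .MAN file stays locked and nobody can log on with it.
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()   # release RegistryKey handles first
    reg.exe unload "HKU\$MountName" | Out-Null
}
```

If the unload reports that the hive is still in use, close any Registry Editor window that has the key open and run the unload again before letting users log on.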

I understand from my Googling that this is a problem for some Vista users too. I have not tried this as a solution for them, but would be interested to hear if it does solve it.
