
Wednesday, September 14, 2016

Computers Disappear from Active Directory/Domain

Discovered our MacBooks were “disappearing” out of Active Directory and falling off the domain (lost domain access).  One disappeared during lunch break today.  5 steps taken to resolve:
1)    Confirmed the deleted object (from today at lunch) existed in the Deleted Objects container.
      I used Ldp.exe to search the domain for deleted objects.
      To use Ldp to search the domain for deleted objects (tombstones):
      1.  On the Start menu, click Run, and then type ldp.
      2.  Connect and bind to a domain controller in the domain whose tombstones you want to retrieve.
          - To connect, on the Connection menu, click Connect, and then type a server name and a port number.
          - To bind, on the Connection menu, click Bind, and then type an account name, password, and domain if you want to connect to a domain other than the domain to which you are currently logged on.
      3.  On the Browse menu, click Search.
      4.  In the Search dialog box, for Base DN, type the distinguished name of the domain whose tombstones you want to retrieve.
      5.  In the Filter box, use the filter (isDeleted=*).
      6.  Under Scope, click Subtree.
      7.  Click Options.
      8.  In the Search Options dialog box, under Search Call Type, click Extended.
      9.  Click Controls. Then in the Object Identifier box, type the following:
          1.2.840.113556.1.4.417
      10. Under Control Type, click Server.
      11. To add the control to the Active Controls list, click Check in. Then click OK.
      12. In the Search Options dialog box, click OK.
      13. In the Search dialog box, click Run.

2)    Used command repadmin /showobjmeta with deleted object’s DN found in ldp.exe

Syntax

        repadmin /showobjmeta [DSA_LIST] <Object DN> [/nocache] [/linked]
 
Here’s the command I used (using quotes around the Object DN because of spaces in the name): repadmin /showobjmeta "CN=macX\0ADEL:bfe5e5d0-3f16-4897-9f2f-3691adeea02a,CN=Deleted Objects,DC=mydomain,DC=com"
 
3)    Confirmed the Originating DSA on the “isDeleted” entry, along with the date and time the attribute change was made.
“The originating DSA is a GUID that identifies the domain controller that performed the originating write.”
“You can see all three components of the stamp in output from the repadmin /showmeta command. The column labeled "Ver" contains the version, the column labeled "Org. Time/Date" contains the originating time, and the column labeled "Originating DSA" contains the originating DSA (expressed as "site\server" rather than GUID).”
4)    Logged onto that Domain Controller, and checked Event Viewer Security Logs with the timestamp from the repadmin output.
Found a Windows Security Event Log 4743: A Computer Account Was Deleted, with a specific domain account name associated to the action.
Subject:
The user and logon session that performed the action.
  • Security ID:  The SID of the account.
  • Account Name: The account logon name.
  • Account Domain: The domain or - in the case of local accounts - computer name.
  • Logon ID is a semi-unique (unique between reboots) number that identifies the logon session.  Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session. 
Target Computer:
  • Security ID:  SID of the account
  • Account Name:  name of the account
  • Account Domain: domain of the account

5)     Traced the issue to our MDM Active Directory profile

It was trying to download to Macs the AD profile in its associated SMART group.  The MDM was using the same account credentials as shown in the Security Event log event.  This profile wasn’t working correctly to begin with (was not downloading successfully to devices) and it appeared that either it began unjoining the Macs in the associated smart group, or was causing distrust by the domain controller that supposedly may have deleted the computer.
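
Steps 1 through 4 above can also be run as one PowerShell script. This is an added example, not part of the original post; it assumes the RSAT ActiveDirectory module and read access to the originating domain controller's Security log, and `macX`, the five-minute window and the variable names are placeholders.

```powershell
# Added example: trace a deleted computer account to the DC and account that deleted it.
Import-Module ActiveDirectory

$ComputerName  = 'macX'   # placeholder: name of the computer that disappeared
$WindowMinutes = 5        # assumption: how far either side of the delete time to search

# Step 1: find the tombstone(s). -IncludeDeletedObjects is the cmdlet equivalent of
# adding the 1.2.840.113556.1.4.417 control by hand in Ldp.
$filter  = 'isDeleted -eq $true -and objectClass -eq "computer" -and Name -like "{0}*"' -f $ComputerName
$deleted = @(Get-ADObject -Filter $filter -IncludeDeletedObjects -Properties objectSid, whenChanged)
if ($deleted.Count -eq 0) { throw "No deleted computer object matching '$ComputerName' was found." }

# Any DC can return the metadata; the stamp itself names the DC that originated the write.
$queryDc = (Get-ADDomain).PDCEmulator
$allDcs  = Get-ADDomainController -Filter *

foreach ($obj in $deleted) {
    # Steps 2-3: read the replication stamp on isDeleted (what repadmin /showobjmeta prints).
    $stamp = Get-ADReplicationAttributeMetadata -Object $obj -Server $queryDc `
                 -IncludeDeletedObjects -Properties isDeleted
    if (-not $stamp) { continue }

    $when = $stamp.LastOriginatingChangeTime
    $dsa  = $stamp.LastOriginatingChangeDirectoryServerIdentity   # DN of the DC's NTDS Settings object
    $origDc = $allDcs | Where-Object { $_.NTDSSettingsObjectDN -eq $dsa }
    if (-not $origDc) {
        Write-Warning "Originating DSA '$dsa' is not a current domain controller; cannot read its log."
        continue
    }

    # Step 4: pull 4743 (computer account deleted) from that DC around the originating time.
    $events = Get-WinEvent -ComputerName $origDc.HostName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4743
        StartTime = $when.AddMinutes(-$WindowMinutes)
        EndTime   = $when.AddMinutes($WindowMinutes)
    }

    foreach ($e in $events) {
        # Flatten the named EventData fields into a hashtable.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Match on SID rather than name: the tombstone keeps its objectSid.
        if ($data.TargetSid -ne $obj.objectSid.Value) { continue }

        [pscustomobject]@{
            TimeCreated      = $e.TimeCreated
            DomainController = $origDc.HostName
            DeletedComputer  = $data.TargetUserName
            DeletedBy        = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
            SubjectSid       = $data.SubjectUserSid
            LogonId          = $data.SubjectLogonId   # correlate with event 4624 on the same DC
        }
    }
}
```

If the script returns nothing for a tombstone that exists, check whether the Security log on the originating DC has already rolled past the delete time.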



SOURCES:
Viewing Deleted Objects in Active Directory:  https://support.microsoft.com/en-us/kb/258310
Tracking Active Directory Updates:  https://technet.microsoft.com/en-us/library/cc961798.aspx


Tuesday, August 23, 2016

Using Wireshark & Port Traffic Monitor Session

Scenario: I was wanting to watch for packet traffic between a laptop and a server to see if there was any actual communication happening.

Consider the simple setup below:


I am wanting to capture traffic from computer 1 to the server.  I will do this using Wireshark running on computer 2.

Using Putty, I ssh'd into the Cisco switch from computer 3 and ran the below commands, considering source (computer 1 with application) and destination (computer 2 with Wireshark) interfaces respectively:

conf t
monitor session 1 source interface Gi0/1 both
monitor session 1 destination interface Gi0/2


I ran Wireshark on computer 2, double clicked the network interface (which was Ethernet) and watched for packets.

I tested to make sure this was working and communication could be seen by doing a simple ping test on computer 1 to the server in question, and watched for packets with computer 1's IP address on Wireshark on computer 2.

After the work was done, the monitor sessions were ended on the switch this way:

no monitor session 1
sh monitor

Make sure no monitor sessions remain open afterward.




Resources:

https://www.wireshark.org/download.html

Wednesday, July 27, 2016

Sysprep Windows 10

So I was needing to prepare a VMware Fusion virtual machine for embedding in our NetRestore image we deploy to all of our new MacBooks.  We recently decided to upgrade / deploy all Virtual Machines on Macs with Windows 10 rather than Windows 7.

At first I ran into a few problems, which ended up being rather silly things that I simply overlooked.
Anyway, here's the process I used to successfully SysPrep a Windows 10 virtual machine for distribution.

1.  I first imaged a virtual machine with a fresh copy of our corporate Windows 10 base load image.  I actually did this using an ISO created with SCCM to essentially PXE boot the vm and pull the image down over the network from our SCCM server / distribution point (DP)

2.  Our corporate base load has a known local administrator account already configured with a known password.  If you are unsure of the password of an account already created or if there is not a local admin account, etc, just create a new local user account with a password set to never expire.  Don't forget to remove that newly created user account from the "User" group membership, and instead add it to the "Administrators" group, or else you won't have local admin rights.

3.  Next, our newly imaged virtual machine was automatically joined to the domain during the imaging process.  So the next step was to remove the machine from the domain (this is also why a local administrator account with a known password is needed - so you can log on to the machine after removing it from the domain).  So in the computer's properties, move the computer off the domain and into a workgroup.  Then save and/or apply, and OK and it will prompt for a reboot.  Say yes to reboot.

4.  After the vm rebooted, I logged in with our local admin account with known password.  After logging in, I also disabled our anti-virus to head off any issues or potential errors from being thrown during or after the next step (it re-enables and updates itself anyway once booting up the sysprepped machine)

5.  Then I launched an elevated command prompt (right click "cmd" & run as administrator).  Changed directory to Sysprep directory:  cd C:\Windows\System32\Sysprep
Then typed "sysprep" (without quotes) and pressed enter.  This brought up a little GUI dialog box.

6.  The settings to use are "Enter System Out-Of-Box Experience (OOBE)" with the "Generalize" box checked, and Shutdown Option of "Shutdown".  This will sysprep this very machine and shut it down, so you can then copy it for distribution.  When you launch this shut down machine or any of its copies, it is a brand new "box" with unique SID and computer name, etc.  During the initial boot up, it asks if you want to join to a domain or not, followed by creating a new local user account for the new machine you are booting up.  This must be a different account than the one used to do the sysprep process.


Here are a few notes:

- Make sure you are not joined to any domain prior to running Sysprep tool - it will throw an error either during the sysprep process, or after opening the sysprepped OS (see below error)

- If the local administrator account is disabled by default, before removing from the domain, right click the admin account in Computer Management Users & Groups and uncheck "Account is disabled"
- If you launch the same file you just sysprepped without making a copy, you will no longer have your original shutdown file and will probably have to start over either from the very beginning or relaunch the sysprep GUI and run sysprep again to create a usable file to copy for distribution
- If you imaged a vm and are getting ready to run sysprep on it but are unsure about anything, make a copy BEFORE running sysprep.  This way you have an already imaged backup machine and don't have to reimage another one should something fail or go awry.


Sources:

https://redmondmag.com/articles/2016/03/04/sysprep-work-with-windows-10-2.aspx

https://superwidgets.wordpress.com/tag/windows-10-sysprep/

http://answers.microsoft.com/en-us/windows/forum/windows_7-windows_install/windows-could-not-complete-the-installation-to/bf09c3c5-298b-459f-aed5-4f431b8398f5?auth=1

Thursday, July 14, 2016

Command for Timestamped Ping

Thought I'd post this since it has come in handy several times.  Just save the command to a text file for later, and cut and paste the command to a cmd prompt when needed and voila.  No 3rd party software needed, etc.

This command will give you a timestamped continuous ping:

ping -t 8.8.8.8|cmd /q /v /c "(pause&pause)>nul & for /l %a in () do (set /p "data=" && echo(!date! !time! !data!)&ping -n 2 8.8.8.8>nul"

You can replace the two 8.8.8.8 addresses with whatever IP address you are trying to ping




Press Ctrl + C to end the ping

You can also send the output directly to a text file.
This command sends output of ping to 8.8.8.8 to C:\pingtest.txt


ping -t 8.8.8.8|cmd /q /v /c "(pause&pause)>nul & for /l %a in () do (set /p "data=" && echo(!date! !time! !data!)&ping -n 2 8.8.8.8>nul" >C:\pingtest.txt

You can replace the two 8.8.8.8 addresses with whatever IP address you are trying to ping, and C:\pingtest.txt with whatever location and file name you want to send the output to.

Don't forget to press Ctrl + C in the command window to end the ping




Sources:

https://www.raymond.cc/blog/timestamp-ping-with-hrping/

Thursday, July 7, 2016

SCCM 2012 Installation Status Waiting for Content

We had a machine that showed as "Waiting for Content" for a certain application in the Deployments section of Monitoring in SCCM administration console.

All other machines in the company successfully received the application with successful installation.  So this was a one-off.

Troubleshooting Process:

1) Verified SCCM client was installed correctly and completely.  This meant 7 tabs across two rows in the client window, 11 client actions listed on the Actions Tab, correct assigned site code, and an "installation succeeded" entry in the C:\Windows\ccmsetup\Logs\ccmsetup.log file.

2) Verified software was seen in Software Center with status as Downloading (0% complete)

3)  AppDiscovery.log and AppEnforce.log in C:\Windows\CCM\Logs didn't show anything in particular in regards to the application in question

4)  Verified content was available in the SCCM software repository location and was available on the Distribution Point where the computer was located


Resolution:

In the process of seeing what remote site the computer was at to verify the Distribution Point location, I looked at the IP address of the machine.  It showed to have an IP address in the new IP address scheme we are starting to slowly roll out to all of our sites.

I then remembered that as we roll out the new IP address scheme, whenever the new data subnet deployed to a site was not added to Active Directory Sites and Services, SCCM content could not be downloaded by client computers.

Sure enough, the new subnet that the computer was in was missing from Active Directory Sites and Services.  We added the subnet in, waited a few hours for everything to update, and then checked that the computer began downloading and installing the software.

Monday, June 13, 2016

SCCM Error Codes: 0x654 (1620) AND (1612)

The initial problem in our scenario was trying to deploy an application via SCCM, which was showing as "Past Due - Will Be Retried" in Software Center and had a Failed status with error code 0x654(1620).

I checked the AppEnforce log at C:\Windows\CCM\Logs on the client computer, and it showed an incorrect network path on the command line being run for the application.

I discovered within the deployed application's .msi-installer settings in SCCM that the Content Location was blank, and the Installation Program specified was incorrect.

I created a new deployed application as a test, making sure the Content Location contained the correct path, and the Installation Program contained the correct .cmd file we created for the install.
I added the machine in question to the collection for this test app, and verified the app showed up in the computer's Software Center.

However, a new problem arose - the new test app kept saying "Past Due - Will Be Retried" in Software Center.  If I tried to initiate the install from Software Center, it would fail, showing Past Due status again.  This time the failure code was 0x654(1612).  I also confirmed that the application would install if run manually from the ccmcache folder.  After some research and looking at .msi error codes, I found a solution online suggesting removing an associated registry entry to the install file.

I navigated to the registry, opening it as administrator, and searched for the program in question's GUID.  It showed up under a SourceList key, sure enough listing the previous incorrect path for the install.

SOLUTION - original solution can be found on Mick's IT Blog (see Sources link at bottom):

I backed up the registry just in case, and then deleted the GUID folder of the full path containing the SourceList key:

HKEY_CLASSES_ROOT\Installer\Products\<GUID>

I re-initiated the install from Software Center, and the application installed successfully.





SOURCES:

http://mickitblog.blogspot.com/2015/10/sccm-deployment-with-error-1612.html

https://msdn.microsoft.com/en-us/library/windows/desktop/aa376931(v=vs.85).aspx

Wednesday, June 8, 2016

Fix: SCCM 2012 Client Check Shows No Results

This post was copied and slightly modified from Dale's Tech Blog post on the issue.  See bottom for source link.



Computer SCCM client lists "No Results" for "Client Check Result" in the System Center 2012 Console














Problem: SCCM client computer listed as "no results" for "client check result" in the system center 2012 console client monitor. You'll notice on the problem computer that it's missing the ccmeval.log and you'll see errors in the ccmevaltask.log file.

The ccmeval.exe is run from a scheduled task that is created upon installation of the agent. This task is run daily to allow the computer to check-in with the sccm server. More than likely this error condition occurs when a client agent was upgraded, but for some reason the scheduled task wasn’t recreated. On the problem computer you'll see listed under the task results "not registered" or other failure codes.

Solution 1:  On the computer with the problem client, in Task Scheduler under Configuration Manager folder in the Microsoft folder, right click and Run the task Configuration Manager Health Evaluation.  Refresh page, and verify task updates to show “Last Run Time” as the current time (when the task was Run).

If this doesn't fix the issue, try solution 2 below (from Dale's Tech Blog).

Try Solution 2: On the computer with the problem client open the Task Scheduler in Control Panel. Open Microsoft folder in the Task Scheduler Library, then Configuration Manager and delete all listed entries. Initiate the “install client” with the “always install” option checked from within the SCCM 2012 console. The scheduled tasks should be recreated when the agent installs and the computer will start checking in appropriately to the SCCM server. Check the local computer's ccmeval.log file for more details.

After implementing one of the above solutions, prompt the client to check in with the SCCM server by running that client’s Data Discovery Collection Cycle: either open Control Panel > Configuration Manager, go to the Actions tab, and select and run the task, or use Right Click Tools, if installed, in the SCCM console.

Tip:  Open up the Task Scheduler by either typing "task" into the Start Menu search bar, or by opening All Programs > Accessories > System Tools OR go to Control Panel > Administrative Tools


Source:

Friday, June 3, 2016

Search Chrome History By Date

In making an earlier post I could not find the source link I had used for one of my fixes.  I had narrowed down to the date it would've been, but scrolling back to that date was a pain using Chrome's History, and Chrome only keeps the last 3 months worth of history anyway.

I discovered and tried the Chrome Extension History Trends Unlimited so that I could not only save my history for longer than 3 months locally in a database, but also search it by date.

Here's the description of the extension:

History Trends Unlimited regularly syncs your history to a local database to work around the (approximate) 3-month time limit imposed by Chrome.  Your history is saved locally; it's never shared or sent over the network.

Features:
* Interactive charts and stats. Click any of the bar/line/pie charts to filter by a value.
* Search your history by keyword. Or browse it chronologically.
* Access the raw data to perform your own analysis. Use the "Export Raw Data" button on the Trends page.
* Transfer your history to a new computer. See instructions on the Options page.

NOTES:
* Uninstalling this extension will delete all of the history it has saved. To create a backup of your history, use the "Export History" button on the Options page.
* This extension stores your history separate from Chrome's history, which means 1) clearing Chrome's history will not delete your history in this extension, and 2) this extension will not preserve the color of links you have already visited.


It has a search feature, and search tips for searching by date.  To search by date use format date:YYYY-MM-DD (four digit year - two digit month - two digit day).  Ex, date:2016-12-25

I found this helpful for narrowing down my history to the day I wanted.  If you do need to scroll back through the days though, it is generally much faster/easier than in Chrome's History.



SOURCES:

http://superuser.com/questions/739001/how-do-i-view-a-specific-date-in-my-google-chrome-history

https://chrome.google.com/webstore/search/history%20trends

Friday, April 22, 2016

Deploying OS X: Package Deployment & Network Boot Issues

Here is some interesting information I've come across at great pains and searching.

When deploying Macs, and therefore needing a customized image of sorts to do so, it would appear that a NetRestore has proven to be much more beneficial and generally all around easier than a NetInstall.

I created a NetRestore image with System Image Utility (SIU) on a Mac running Mac Server by using the OS X install file from the AppStore.  Once defining that as my source for the image, I opted for creating "NetRestore" rather than NetInstall once continuing within the utility.  This allows for creation of a local admin, and post-installs packages without fail once the image passes creation, as well as other customizable features that are otherwise not applicable to NetInstall.

For example (although this data is old), the below chart is from an Apple Deployment Guide (Apple Training Series Mac OS X Deployment v10.6: A Guide to Deploying and Maintaining Mac OS X and Mac OS X Software).
It indicates that some of the Automator workflow actions simply are not compatible or applicable with some of the methods of network installs.


Anywho, here are a couple of things that helped me tremendously.

First off, our Macs we were testing were on an isolated network switch.  Although the switch appeared to be configured correctly, and the DHCP and DNS and everything was set on the Mac Server, the clients would NOT perform a network boot (either holding down option key upon startup or holding down N key), although at times they could see the images in the Startup Disk within the OS X or Recovery Mode.  Long story short -  if network images in the /Library/NetBoot/NetBootSP0 folder are not showing up as startup disks on client Macs, make sure spanning-tree portfast is enabled on your switch interfaces!  I also found it helpful to not have them in the default vlan 1 but create a new one with an associated vlan interface.  See this link, also listed in the resource section below, for more info: https://discussions.apple.com/thread/1815801?tstart=0

Second, packages were a pain, and trying to figure out why some of them would or would not add to the workflow.

Here are a few tricks I found:

To create a package (.pkg) from a .dmg so you can add the desired app to the workflow, do this...


1) Mount the .dmg (can double click or do in Terminal) to make it an attached volume.  Note the name of the volume and the .app within.

2) In terminal, type: sudo pkgbuild --install-location /Applications --component "/Volumes/<volume name>/<appname.app>" "./Desktop/<desiredname.pkg>"

3) Authenticate the sudo

This will create a pkg from an .app within a .dmg, on your desktop.

Now, to fix packages for deployment within the Automator workflow, the below may also need to be done to make it deployable:


In terminal type: productbuild --package "./Desktop/<appname.pkg>" "./Desktop/<newnameforpackage.pkg>"

This will create a deployable .pkg on your desktop, from the one created in the other steps just above.


Now, I do recommend, as I've found this helpful - when using System Image Utility for creating images, just before saving and creating the image click "Customize" to open Automator.  Then go to File and Save the workflow or else you may not be able to look back at what was in the image in case you forget when testing/creating multiples.

Sources/Resources:

https://discussions.apple.com/thread/1815801?tstart=0

http://www.techrepublic.com/article/pro-tip-use-terminal-to-create-packages-for-software-deployment/

http://apple.stackexchange.com/questions/167522/packagemaker-alternative

https://github.com/munki/createOSXinstallPkg#further-note-on-additional-packages-and-yosemite

http://stackoverflow.com/questions/11487596/making-os-x-installer-packages-like-a-pro-xcode-developer-id-ready-pkg

https://youtu.be/CIEuUAmvjwQ


Monday, April 18, 2016

FIX: Outlook 2013/2016 - Email Address No Longer Valid

**Update thanks to anonymous commenter, this apparently works for Outlook 2016 also**


One of our users was getting an undeliverable message error in Outlook 2013 warning that one of the recipient's email addresses was "no longer valid" when sending mail to another particular user within the company.



The recipient was able to still receive the emails regardless, and the sender did not receive the error in the Outlook Web App.

This led me to believe it was something local to the Outlook client, particularly related to the Autocomplete.

Tried removing the recipients address from the Autocomplete list to no avail.

After some research, tried this and it worked.

For Windows 7:

Turn off Outlook.
Open Windows Explorer and turn on "show hidden files"
Go to C:\Users\**USER**\AppData\Local\Microsoft\Outlook\Offline Address Books
and re-name the f[older] here (add "old" to the end).
Restart Outlook.

The user was then able to send mail to the recipient without the warning message.  We re-downloaded the Global Address Book and they were still able to send mail to the other user without error.

Source:

https://community.spiceworks.com/topic/397609-weird-email-issue-e-mail-address-is-no-longer-valid-using-office365?page=2

Monday, March 7, 2016

VMware Fusion: "Insufficient Permissions" and "File Already Exists"

These issues have been coming up more and more on some of the Macs in our Windows environment.  Yes.....I know what you are thinking.

Anyway, there are two issues that I will be addressing in this post.

The first is an error you might receive when trying to expand the hard drive space of a VMware Fusion virtual machine.

Unfortunately I do not have a screen shot for this particular error, but it shows something along the lines of "File already exists" when trying to increase space on the virtual machine hard disk space.

This is often caused if there was already an attempt to increase the hard disk space, but after the reconfiguring and expanding of the HDD the process fails with some sort of error, like a permissions error.

The reconfiguring and expanding process apparently creates some temp files within the virtual machine file.  Simply moving these to another folder (rather than deleting, should it accidentally break the virtual machine) should allow for the hard drive space to be modified again.  DO THIS ONLY WITH THE VM IN SHUTDOWN STATE AND VMWARE FUSION CLOSED/QUIT.

The contents I encountered were a file with "converttmp" in the name, and a folder with "converttmp.lck" in the name.  I moved only the files containing "converttmp" out of the .vmwarevm file and restarted the space modification process as a local admin of the Mac.

(To access the virtual machine file contents, select the virtual machine file, right click/secondary click the file, and select "Show Package Contents")

The second error/issue I will address is this:

If you are receiving permissions errors, either while trying to modify the hard disk space of the vm, or when trying to launch/open the vm itself, it might look something like the below error.


The fix I have found for this is the following:

When logged in as the end user (the user with the permissions error)
- Open a Terminal session
- Change directories to the location of the virtual machine (ex: cd /Users/Shared/VMware\ Fusion/)
- Type/Enter:     sudo chown -R <username> <Virtual-machine-name.vmwarevm>
           For example, for an EU with username "joesmith" and a virtual machine file named "VirtualPC.vmwarevm," type:     sudo chown -R joesmith VirtualPC.vmwarevm

After pressing ENTER (or RETURN) the user should be prompted for a password for the sudo command, so they will need to enter their password in.

After this the user should be able to launch the virtual machine with no problem, and be able to change the space of the virtual hard disk (when the vm is shutdown) because they are now the owner of the folder and files.




Sources:

https://communities.vmware.com/thread/223803?start=0&tstart=0

https://communities.vmware.com/thread/338243