00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

15 Jul 2010 2 comments

After increasing the level of LDAP logging for Active Directory troubleshooting, a number of machine accounts were generating an Event 1535, ActiveDirectory_DomainService error “00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0.” This event appeared about every hour for a variety of machine accounts (i.e., the user is DOMAIN\MACHINENAME$).

It turns out that this error is generated by the machine account not having full access to the AD object that corresponds to that machine’s DNS record. These ACLs can be edited through the DNS MMC, or programmatically through the DC=DomainDNSZones,DC=[DOMAIN_NAME],DC=[TLD] partition of the AD LDAP tree.
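The following is an added example, not code from the original post: it reads the ACL of a computer’s dnsNode object in the DomainDnsZones partition and reports whether the DOMAIN\MACHINENAME$ account holds Full Control, so accounts that will trip the error above can be found before the hourly event fires. It assumes the ActiveDirectory PowerShell module (which provides the AD: drive); the host, zone and domain names are placeholders.

```powershell
# Added example, not from the original post: report whether a computer account
# holds Full Control on its own dnsNode object in the DomainDnsZones partition.
# Assumes the ActiveDirectory module (which provides the AD: drive) on a
# domain-joined admin workstation; host, zone and domain names are placeholders.
Import-Module ActiveDirectory

function Test-DnsNodeAcl {
    param(
        [Parameter(Mandatory=$true)] [string] $HostName,      # e.g. 'server01'
        [Parameter(Mandatory=$true)] [string] $ZoneName,      # e.g. 'corp.example.com'
        [Parameter(Mandatory=$true)] [string] $NetbiosDomain  # e.g. 'CORP'
    )
    $domainDn = (Get-ADDomain).DistinguishedName
    # dnsNode objects live under DC=<zone>,CN=MicrosoftDNS,DC=DomainDnsZones,<domain DN>
    $nodeDn   = "DC=$HostName,DC=$ZoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn"
    $acl      = Get-Acl -Path "AD:\$nodeDn"
    $account  = "$NetbiosDomain\$HostName`$"     # the DOMAIN\MACHINENAME$ identity

    $genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $allowed = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $account
    })
    $hasFull = @($allowed | Where-Object {
        ($_.ActiveDirectoryRights -band $genericAll) -eq $genericAll
    }).Count -gt 0

    [PSCustomObject]@{
        Account        = $account
        NodeDn         = $nodeDn
        Owner          = $acl.Owner          # whoever created the record; often not the machine
        HasFullControl = $hasFull
        AllowRights    = ($allowed | ForEach-Object { $_.ActiveDirectoryRights }) -join '; '
    }
}

# Example run: accounts reporting HasFullControl = $false are the ones that will
# log the hourly INSUFF_ACCESS_RIGHTS event described above.
Test-DnsNodeAcl -HostName 'server01' -ZoneName 'corp.example.com' -NetbiosDomain 'CORP'
```

Run it as a user who can read the DNS partition; the Owner field is a useful hint, since a record registered by another account (a static entry, or one created by a different host) is the usual reason the machine account ends up without rights on it.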

Microsoft IT Environment Health Scanner – Functional Level Error

7 Apr 2010 Leave a comment

It appears that as of April 7, 2010, the Microsoft IT Environment Health Scanner does not support Active Directory domains at the 2008 R2 functional level.

Dell Unified Server Configuration Platform Update Error

18 Feb 2010 4 comments

On a Dell PowerEdge R710, the Platform Update mysteriously stopped working after one round of platform updates.

After configuring networking, the Platform Update feature in the Dell Unified Server Configurator (Release 1.1) worked fine with the default settings:

But after the update, the Platform Update feature seemed broken. We kept getting the error “A network error occured while trying to connect to the FTP server. Check your network connections, cables, settings, and configuration. Consult with your network administrator, as required.”

I discovered an easy fix after a bit of trial and error. There was a change in the Platform Update: it now requires that the location of the update catalog be specified. Entering “catalog” (without quotes) into the Catalog Location field fixes the problem. I suppose the previous version automatically knew where to look.

You can tell the major and minor version of the USC from its first screen. At the time of writing this post, the before and after looked like this.

Before Platform Update

After Platform Update

On the home screen, there is now an ‘About’ option that will tell you the current USC configuration. Much better.

Team Foundation Server 2008 (October 2008 Release) Best Practices Analyzer Errors

18 Feb 2010 Leave a comment

Despite our TFS installation operating correctly, after running the Team Foundation Server 2008 Best Practices Analyzer – October 2008 Release (which I will just call the TFS BPA from this point forward), we were getting a variety of strange errors. In particular, a number of calls to web services were complaining that the “property ‘UseDefaultCredentials’ cannot be found on this object.” This error would appear over and over again in the TFS BPA logs and the detailed results view.

It turns out that installing PowerShell 2.0 breaks the TFS BPA in an ungraceful manner. The clue was this MSDN Forums post.

File Locations and the Hyper-V New Virtual Machine Wizard

29 Jan 2010 Leave a comment

In our lab, I like to have each Hyper-V virtual machine entirely self-contained within a single folder. The following describes how the answers given to the New Virtual Machine Wizard change the location of the Hyper-V files themselves.

Let [VHDs] and [VMs] be respective placeholders for the default Virtual Hard Disks and Virtual Machines folders defined in the Hyper-V Settings panel.

If, on the Specify Name and Location page, the virtual machine is named [Name], and the Store the virtual machine in a different location checkbox is unchecked, then 

  • The Connect Virtual Hard Disk page defaults to creating a VHD with the (file)name [Name].vhd in the location [VHDs]. Data from multiple virtual machines created in this fashion will be commingled, but traceable to a particular machine.
  • Upon completion, the wizard places all other VM data within the directory [VHDs]. Data from multiple virtual machines created in this fashion will be commingled, but not easily traceable to a particular machine, since Hyper-V uses GUIDs (as opposed to machine names) for file and folder names.

If, however, the Store the virtual machine in a different location checkbox is checked, then

  • The Location field of the Specify Name and Location page defaults to [VMs], but can be overwritten. Let [Location] represent the contents of this field.
  • The Connect Virtual Hard Disk page defaults to creating a VHD with the (file)name [Location].vhd in the location [Location]\[Name]\. (Naturally, if you did not override the default data in the Location field, then the location would be [VMs]\[Name]\.)
  • Upon completion, all of the files for the virtual machine will be located in the folder [Location]\[Name]\. Even though Hyper-V uses GUIDs for file and folder names, they will be directly traceable to a particular virtual machine, by virtue of their place in the file system hierarchy.
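An added example, not part of the original post, that audits the “one folder per VM” layout described above: for each VM it checks whether every attached virtual hard disk sits under the VM’s own configuration folder and lists the strays. It assumes the Hyper-V PowerShell module (Windows Server 2012 or later, which post-dates the wizard discussed here; the layout rules are the same).

```powershell
# Added example, not from the original post: flag Hyper-V VMs whose virtual
# hard disks live outside the VM's own configuration folder ([Location]\[Name]).
# Assumes the Hyper-V PowerShell module (Get-VM / Get-VMHardDiskDrive); run as
# a Hyper-V administrator on the host.
Import-Module Hyper-V

function Get-VmContainment {
    foreach ($vm in Get-VM) {
        # Trailing backslash so 'D:\VMs\Lab1' does not match 'D:\VMs\Lab10\...'
        $configRoot = $vm.ConfigurationLocation.TrimEnd('\') + '\'
        $disks = @(Get-VMHardDiskDrive -VMName $vm.Name)
        $outside = @($disks | Where-Object {
            -not $_.Path.StartsWith($configRoot, [System.StringComparison]::OrdinalIgnoreCase)
        })
        [PSCustomObject]@{
            Name          = $vm.Name
            ConfigFolder  = $configRoot
            DiskCount     = $disks.Count
            SelfContained = ($outside.Count -eq 0)
            StrayDisks    = ($outside | ForEach-Object { $_.Path }) -join '; '
        }
    }
}

# VMs created with the checkbox unchecked (everything under [VHDs]) show up here.
Get-VmContainment | Where-Object { -not $_.SelfContained } | Format-Table -AutoSize
```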

Rotating Windows Event Logs

8 Dec 2009 Leave a comment

Microsoft Knowledge Base article KB312571 discusses how to enable automatic rotation of event logs.

Constructing Automated E-mail with Predictable Linefeed Behavior in Outlook

2 Dec 2009 Leave a comment

In our lab, we have a series of system administration scripts that are run on a regular basis. Part of these scripts is sending an automatic email that contains various information about the disposition of those scripts.

Unfortunately, Outlook has a tendency to either delete or insert line breaks in an unpredictable (but deterministic, I imagine) manner. After some searching, I found the article Newsletter Formatting And The Remove Extra Line Breaks Issue, which describes a workaround. It turns out that if each line starts with two spaces, then Outlook will do a better job of preserving your format.

Thank you, Robin Good!

Fixing a Visual Studio Remote Debugging “No symbols have been loaded” Error

9 Nov 2009 Leave a comment

We recently ran across the problem in our lab where remote debugging a .NET application did not seem to be working. Visual Studio kept popping up a "No symbols have been loaded" error.

It turns out that you need to specify the type of code you wish to debug remotely. However, given our configuration, only the Remote (no authentication) transport was working, and, as the dialog box itself states, the Remote transport "only supports debugging native code." Implicitly, this means that if you want to debug non-native code (i.e., .NET), a different transport must be used. What we wanted was the Default transport. Unfortunately, the ability to select your code type appears only after you establish the remote debugging connection, so there was no way to know in advance that changing the transport would have let us select an alternate code type.

For (valid) reasons beyond the scope of this post, neither the build nor the test machine was joined to our domain. This meant we needed to implement the security controls described in the MSDN article Remote Debugging Across Domains.
  1. We needed to create a user account on both machines with the same username and password. On one machine we ran Visual Studio 2008 as that ‘shared’ user. On the other machine we ran the application to be debugged, and the Visual Studio Remote Debugging Monitor.
  2. On both machines we needed to change the Local Security Policy setting Network access: sharing and security model for local accounts to Classic – local users authenticate as themselves.

There are security implications for this type of debugging. Therefore, unless we are joined to a domain, we will likely keep this type of debugging limited to particular troubleshooting tasks. Fortunately, both of these machines are fairly well isolated from the outside world; so the risk of any security breach from this was fairly minimal, and certainly acceptable for our purposes.

Our internal documentation for setting up remote debugging should include a ‘clean up’ step that will revert both machines to their more secure configuration.
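The ‘clean up’ step above, as an added example that is not part of the original post: the Local Security Policy setting Network access: sharing and security model for local accounts is backed by the ForceGuest value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (0 = Classic, 1 = Guest only), so the setup script can record the original value before switching to Classic and the clean-up script can restore it. Run elevated; the backup file location is an assumption.

```powershell
# Added example, not from the original post: switch the "Network access: sharing
# and security model for local accounts" policy to Classic for a debugging
# session, keeping the prior value so the clean-up step can put it back.
# ForceGuest: 0 = Classic (local users authenticate as themselves), 1 = Guest only.
$LsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$BackupFile = Join-Path $env:ProgramData 'remote-debug-forceguest.bak'   # assumed location

function Get-SharingModel {
    $v = (Get-ItemProperty -Path $LsaKey -Name ForceGuest).ForceGuest
    if ($v -eq 0) { 'Classic' } else { 'GuestOnly' }
}

function Enable-ClassicSharingModel {
    # Save the current value only once, so a repeated setup run cannot
    # overwrite the real original with an already-changed value.
    if (-not (Test-Path $BackupFile)) {
        (Get-ItemProperty -Path $LsaKey -Name ForceGuest).ForceGuest | Set-Content $BackupFile
    }
    Set-ItemProperty -Path $LsaKey -Name ForceGuest -Value 0 -Type DWord
    Get-SharingModel
}

function Restore-SharingModel {
    # Clean-up step: restore whatever was there before debugging was set up.
    if (-not (Test-Path $BackupFile)) {
        throw "No backup found at $BackupFile; nothing to restore."
    }
    $orig = [int](Get-Content $BackupFile)
    Set-ItemProperty -Path $LsaKey -Name ForceGuest -Value $orig -Type DWord
    Remove-Item $BackupFile
    Get-SharingModel
}

# Setup:    Enable-ClassicSharingModel
# Clean up: Restore-SharingModel
```

The shared local account created in step 1 is the other half of the clean-up; it should be disabled or removed at the same time the policy is restored.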

“Sharing” versus “NTFS” File Permissions

29 Oct 2009 Leave a comment

Here is an excellent article by Derek Melber on the distinction between Share Permissions and NTFS File Permissions: http://www.windowsecurity.com/articles/Share-Permissions.html.

He makes several excellent points:

  • “Share permissions are only associated with the folder that is being shared. NTFS permissions can be established on every file and folder within the data storage structure, even if a folder is not shared.”
  • “The share permissions are not part of the folder or file, so when the share name is changed, the folder is moved, or the folder is backed up, the share permissions are not included. This makes for a fragile control of the share permissions if the folder is modified.”
  • “[… W]hen the NTFS permissions are combined with the share permissions, the most secure of the two permissions controls the access to the resource.”
  • “As a best practice, it is most efficient to configure share permissions with Authenticated Users having Full Control access. Then, the NTFS permissions should configure each group with standard permissions.”

Keeping these points in mind greatly simplifies CIFS (file sharing).
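The best practice quoted above, as an added example that is not from the original post or the article it cites: the share layer grants Authenticated Users Full Control, and the real access control is carried by an explicit NTFS ACL on the folder. It assumes the SmbShare module (Windows Server 2012 or later); the path, share name and group names are placeholders.

```powershell
# Added example, not from the original post: share permissions wide open to
# Authenticated Users, real access control in NTFS. Assumes the SmbShare module;
# path, share and group names below are placeholders.
$Path      = 'D:\Shares\Projects'
$ShareName = 'Projects'
$Editors   = 'CORP\Project-Editors'     # placeholder group names
$Readers   = 'CORP\Project-Readers'

New-Item -ItemType Directory -Path $Path -Force | Out-Null

# Share layer: Authenticated Users get Full Control. Because the tighter of the
# two layers wins, this leaves the NTFS ACL as the effective control.
New-SmbShare -Name $ShareName -Path $Path -FullAccess 'NT AUTHORITY\Authenticated Users' | Out-Null

# NTFS layer: stop inheriting from the parent so the folder's ACL is explicit.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)   # protect the ACL, drop inherited ACEs
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
foreach ($rule in @(
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Id = $Editors;                 Rights = 'Modify' },
    @{ Id = $Readers;                 Rights = 'ReadAndExecute' }
)) {
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $rule.Id, $rule.Rights, $inherit, $propagate, 'Allow')
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $Path -AclObject $acl

# Review both layers side by side; the more restrictive one is what a user gets.
Get-SmbShareAccess -Name $ShareName | Format-Table AccountName, AccessControlType, AccessRight
(Get-Acl -Path $Path).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType
```

Because the NTFS ACL travels with the folder, renaming the share, moving the folder or restoring it from backup keeps the access control intact, which is the fragility the second quoted point warns about.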

WSUS 3.0 SP2 – KB972493 Update shows as ‘Needed’ Workaround

29 Oct 2009 Leave a comment

A WSUS server may report that some clients (Windows Server 2008 SP2) need the update "Windows Server Manager – Windows Server Update Services (WSUS Dynamic Installer (KB972493)." The clients do not detect that they need this update, but the WSUS server labels the client as needing the update regardless.

Similar behavior was seen in the past with the WSUS SP1 Dynamic Installer. See the thread titled "WSUS 3.0 SP1 KB948014 shows needed even though roll is not install [sic]" in the Microsoft discussion forum public.windows.server.updates_services for details.

Regardless, here is the workaround:

On the client machine, install the WSUS30-KB972455-x86.exe or WSUS30-KB972455-x64.exe hotfix, but select only the Administrator Console during the install. This installs the Update Services MMC on the machine without enabling WSUS on the client itself. After this, the WSUS server should no longer show KB972493 as ‘Needed’ for those clients.