No SPN means No logon

Published on Friday, November 27, 2009

Mostly when I have issues logging on to a server, it's due to DNS problems. Sometimes the secure channel is messed up, but the last time it was actually quite simple: there was no SPN for the server in Active Directory.

The error: "The security database on the server does not have a computer account for this workstation trust relationship."

On a Windows 2008 server the setspn command is built in. When I executed "setspn -l servername" it returned no SPNs for the server at all. Simply running "setspn -r servername" (which re-registers the default HOST/servername and HOST/fqdn SPNs on the computer account) fixed the whole thing, immediately allowing me to log on again.
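The check below is an added example and not part of the original post: it reads the computer account from Active Directory and reports whether the two HOST/ SPNs that "setspn -r" registers are present, so you can spot this condition before the logon failure. It assumes a domain-joined machine, an account that can read AD, and the short (NetBIOS) computer name as input; it only reads, the suggested fix is the same setspn command used above.

```powershell
# Added example, not from the original post: report whether a computer account
# in Active Directory still carries the HOST/ SPNs that Kerberos needs to
# authenticate to the server. Assumptions: run from a domain-joined machine as
# a user that can read AD; $ComputerName is the short (NetBIOS) name. The
# function only reads; the fix it suggests is the same "setspn -r" from the post.
function Test-HostSpn {
    param([Parameter(Mandatory=$true)][string]$ComputerName)

    # Computer accounts are stored with a trailing '$' in sAMAccountName.
    $filter   = "(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
    $searcher = New-Object DirectoryServices.DirectorySearcher $filter
    [void]$searcher.PropertiesToLoad.Add('servicePrincipalName')
    [void]$searcher.PropertiesToLoad.Add('dNSHostName')
    $account = $searcher.FindOne()
    if (-not $account) { throw "No computer account found for '$ComputerName'" }

    # Property names come back lower-cased; a missing attribute yields an empty collection.
    $fqdn = @($account.Properties['dnshostname']) | Select-Object -First 1
    $spns = @($account.Properties['serviceprincipalname'])

    # "setspn -r" registers exactly these two: HOST/<short name> and HOST/<FQDN>.
    $expected = @("HOST/$ComputerName")
    if ($fqdn) { $expected += "HOST/$fqdn" }
    $missing = @($expected | Where-Object { $spns -notcontains $_ })

    $fix = $null
    if ($missing.Count -gt 0) { $fix = "setspn -r $ComputerName" }

    New-Object PSObject -Property @{
        ComputerName    = $ComputerName
        DnsHostName     = $fqdn
        RegisteredSpns  = $spns
        MissingHostSpns = $missing
        SuggestedFix    = $fix
    }
}

# Usage:
#   Test-HostSpn -ComputerName SERVER01
# An empty RegisteredSpns with both HOST/ entries listed in MissingHostSpns is
# the situation described above; run the SuggestedFix with an account that may
# write the servicePrincipalName attribute, then retry the logon.
```

Running this from a scheduled job against your server list is a cheap way to catch accounts whose SPNs were wiped (for example by a badly done rejoin) before users hit the trust-relationship error.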


Windows 2008 automatic user profile hive cleanup


After the upgrade of HP RDP to version 6.0 (cf. the other post), we seemed to have a lot of scripts failing with weird errors. Because these scripts ran fine in the past, I blamed the RDP upgrade. What we were seeing was that whenever one of the VBScripts tried to execute a command like netsh, bcdedit or diskpart, it would fail with the following error code: -2147023741

Google didn't come up with much, just that it would mean something like "Windows doesn't know the file extension used". (The number is HRESULT 0x80070483, i.e. Win32 error 1155, ERROR_NO_ASSOCIATION: "No application is associated with the specified file for this operation", which is where that hint comes from.) Huh? So we started looking in the scripts for errors in the path, or quotes, but all in vain.

Then we noticed that the same scripts wouldn't always fail at the same point, and very soon after that we noticed the following errors in the eventlog:

Event ID 1530 (warning, Application log on server.domain.tld), the User Profile Service hive-unload warning:

Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

1 user registry handles leaked from \Registry\User\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxx-1106: Process 3616 (\Device\HarddiskVolume1\Windows\System32\cmd.exe) has opened key \REGISTRY\USER\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxx-1106

Bottom line, some kind of race condition was occurring: the profile of our user account was being forced to unload while the script was still running, causing all kinds of weird, unexplainable behaviour. It seemed like we were doing too many, or too fast, logons with the scripts running in the context of a domain user.
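Two helpers for the diagnosis above, as an added example and not part of the original post: the first decodes the signed number that VBScript's Err.Number reports into its HRESULT and, for FACILITY_WIN32 values, the Win32 error text, so the "-2147023741" is readable at once; the second pulls the User Profile Service warnings (event ID 1530) from the Application log and lists which process held which hive open. It assumes PowerShell 2.0 or later for Get-WinEvent and that the event provider is named 'Microsoft-Windows-User Profiles Service'.

```powershell
# Added example, not part of the original post. Assumptions: PowerShell 2.0+
# (Get-WinEvent), a readable Application log, and the provider name
# 'Microsoft-Windows-User Profiles Service' for event ID 1530.
function Convert-ScriptError {
    param([Parameter(Mandatory=$true)][long]$ErrNumber)

    # Err.Number is the HRESULT viewed as a signed 32-bit integer; mask back to 32 bits.
    $hresult  = [uint32]($ErrNumber -band 0xFFFFFFFF)      # -2147023741 -> 0x80070483
    $facility = [int](($hresult -band 0x07FF0000) / 0x10000)
    $code     = [int]($hresult -band 0xFFFF)

    $win32 = $null; $text = $null
    if ($facility -eq 7) {                                  # FACILITY_WIN32
        $win32 = $code                                      # 0x0483 = 1155 = ERROR_NO_ASSOCIATION
        $text  = (New-Object ComponentModel.Win32Exception $win32).Message
    }
    New-Object PSObject -Property @{
        ErrNumber = $ErrNumber
        HResult   = ('0x{0:X8}' -f $hresult)
        Win32Code = $win32
        Message   = $text
    }
}

function Get-ProfileHandleLeaks {
    param([int]$MaxEvents = 50)

    $events = Get-WinEvent -FilterHashtable @{
                  LogName      = 'Application'
                  ProviderName = 'Microsoft-Windows-User Profiles Service'
                  Id           = 1530
              } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Message as logged: "<n> user registry handles leaked from \Registry\User\<SID>:
        # Process <pid> (<image>) has opened key <key>", one Process clause per leaked handle.
        $sid   = [regex]::Match($e.Message, 'leaked from \\Registry\\User\\(?<sid>S-[0-9-]+)').Groups['sid'].Value
        $procs = [regex]::Matches($e.Message, 'Process (?<pid>\d+) \((?<image>[^)]+)\) has opened key (?<key>\S+)')
        foreach ($p in $procs) {
            New-Object PSObject -Property @{
                Time      = $e.TimeCreated
                Sid       = $sid
                ProcessId = [int]$p.Groups['pid'].Value
                Image     = $p.Groups['image'].Value
                Key       = $p.Groups['key'].Value
            }
        }
    }
}

# Usage:
#   Convert-ScriptError -ErrNumber (-2147023741)
#     -> HResult 0x80070483, Win32Code 1155,
#        "No application is associated with the specified file for this operation"
#   Get-ProfileHandleLeaks | Format-Table Time, ProcessId, Image, Sid -AutoSize
```

Correlating the Time and ProcessId columns with the start time of the deployment job is what shows the race: the cmd.exe running your script is the process whose hive was yanked away.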

Some possible workarounds exist:
  • Run the scripts under "Local System"
  • Use the following workaround: remkoweijnen blogpost
  • Insert a sleep inside the HP RDP job. This is the part where you configure which script will be executed; that content gets copied to a file called rxscript.bat and executed. Note: for the sleep command, download the Windows 2003 Resource Kit Tools.
We chose the first option as that seemed the cleanest one. Because a script running as Local System reaches the network as the computer account, we had to grant "Domain Computers" access to the shares containing the packages and logs.

Oh, almost forgot: this behaviour is "by design", see http://support.microsoft.com/kb/947238. Nevertheless I think it's a nice feature for the Terminal Server boys.


HP RDP 3.80 NIC teaming issue solved!


A year ago I encountered issues when deploying Windows 2008-based servers on HP ProLiant blades and servers. Everything went fine, but once the NICs were configured as a team, the deployment agent lost its connection to the deployment server. Oddly enough, we only had this issue on Windows 2008 servers; Windows 2003 servers were fine.

On the ITRC forums other people were complaining as well. HP RDP 3.81 and 3.82 didn't solve the issue. About HP RDP 3.83 I don't know, but what I do know is that HP RDP 6.0 actually does solve it.

Using the remote install feature to deploy the new agents to the disconnected systems saved us some time as well.


Explaining UAC related behavior

Published on Saturday, November 21, 2009

Some days ago I had some fun with UAC and wrote up an email with some examples for some colleagues. Today I stumbled upon the following: http://thoughtsonopsmgr.blogspot.com/2009/11/srs-uac-ie-esc-to-name-few.html
To be honest, I'm not against enabling or disabling UAC. What I do dislike is the way it alters expected output: commands simply behave differently instead of just telling you "hey, you need to run me elevated". At the end of this post I'll give some examples.
As an answer to the behaviour of the reporting website:
Suppose you have SRS (the SQL Reporting Services server) and OS (some other server).
If you start IE on SRS, it runs with the filtered (non-elevated) token: your membership of the built-in groups SRS\Administrators, SRS\Backup Operators, SRS\Power Users and SRS\Network Configuration Operators is kept in the token but marked "used for deny only".
So, IF the Reporting Services website requires local administrator rights (membership of SRS\Administrators), things go wrong, because that group is deny-only in your token and you are effectively accessing the website as a member of SRS\Users only.
However, IF you visit the website remotely from the server OS, it is OS\Administrators that is deny-only (UAC is enabled there too), while SRS\Administrators is present and effective in the network-logon token that SRS builds for you. Hence you have enough rights to see the required items. (This holds for domain accounts; a local account of SRS used over the network gets a filtered token as well, unless LocalAccountTokenFilterPolicy is set to 1 on SRS.)
If you execute "whoami /groups" in both a normal and an elevated prompt, you can see exactly which groups are denied.
Without elevation:

With elevation:

Other examples of UAC behaviour:
repadmin /showrepl (on a domain controller):

With elevation:

slmgr -dlv (show license information, e.g. which KMS server activated your server):

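The functions below are an added example (not the original post's own material, and not from the thoughtsonopsmgr post) that put the whoami observations above into script form: Get-TokenState reports whether the current token is elevated and which groups UAC has marked deny-only, Assert-Elevated gives a script the clear "run me elevated" failure the post wishes tools gave instead of silently degraded output, and Test-RemoteAdminShare checks the remote case from the SRS/OS explanation by opening the ADMIN$ share on another server. It assumes whoami.exe is on the path and, for the remote test, a domain account and a reachable server name; the server name used in the usage comment is hypothetical.

```powershell
# Added example, not part of the original post. Assumptions: whoami.exe is
# available (Vista/2008 and later), the account is a domain account, and the
# server name in the usage note is made up.
function Get-TokenState {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $identity
    # IsInRole ignores deny-only SIDs, so this is $false in a filtered admin token.
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami /groups exposes the SID attributes; groups UAC has filtered carry
    # "Group used for deny only": they are listed but grant nothing.
    $groups   = whoami /groups /fo csv | ConvertFrom-Csv
    $denyOnly = @($groups | Where-Object { $_.Attributes -match 'deny only' } |
                  ForEach-Object { $_.'Group Name' })

    # Administrators present but deny-only = admin account running with the filtered token.
    $filteredAdmin = (-not $elevated) -and ($denyOnly -contains 'BUILTIN\Administrators')

    New-Object PSObject -Property @{
        User            = $identity.Name
        IsElevated      = $elevated
        DenyOnlyGroups  = $denyOnly
        IsFilteredAdmin = $filteredAdmin
    }
}

function Assert-Elevated {
    param([string]$Command = 'This command')
    $state = Get-TokenState
    if ($state.IsElevated) { return }
    if ($state.IsFilteredAdmin) {
        throw "$Command needs an elevated prompt: your Administrators membership is present but marked 'deny only' by UAC. Re-run as administrator."
    }
    throw "$Command needs administrative rights; $($state.User) is not an administrator on this machine."
}

function Test-RemoteAdminShare {
    param([Parameter(Mandatory=$true)][string]$Server)
    # ADMIN$ is only readable by administrators of $Server. The network logon that
    # $Server builds for a domain account is not UAC-filtered, so this succeeds from a
    # non-elevated prompt on another machine when the account is an admin on $Server.
    Test-Path "\\$Server\ADMIN$"
}

# Usage:
#   Get-TokenState | Format-List              # compare in a normal and an elevated prompt
#   Assert-Elevated 'repadmin /showrepl'       # fails loudly instead of showing partial output
#   Test-RemoteAdminShare -Server SRS01        # hypothetical name; $true from OS, not via the filtered local token
```

Put Assert-Elevated at the top of any script that wraps repadmin, slmgr or similar tools; the point is to turn UAC's silent change in output into an explicit error at the start.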
More on UAC: http://technet.microsoft.com/en-us/library/cc512679.aspx