Friday, November 18, 2011

Disabling Auto Restart After Windows 7 Update

I have recently choose Windows 7 as the Operating System for my home NAS. After testing FreeNAS, Ubuntu, Linux Mint, Windows XP and Windows 2003 Server, I must say that there are many reasons that pushed me to this difficult choice and there are a lot of advantages to use Windows 7 as a File Server.

However I am not going to talk about this right now.

What I wanted to talk about is NAS availability: if there is one thing I expect from my NAS, it is it to be on and ready to serve all the time. Not a minute less.

Unfortunately this Microsoft OS is too often trying and sometimes succeeding in rebooting my home server in the middle of the night, when I less expect it. And this is something I don't like at all, not even to apply critical security patches that clever people at Big Brother Microsoft have crafted for me.

That's why I want to share a not-so-secret hint on how to stop Windows update from restarting your system once and for all. It is a easy painless method which, as usual under Windows, consists of adding a registry key.

Tuesday, November 15, 2011

Windows 2008 R2 folder security issue and UAC

It is incredible how many Windows system administrators have been impacted by the introduction of UAC in Windows 2008 R2. These days I have been asked how to solve general security issues with folder security in 2008 R2. These issues weren't present in previous Windows versions such as Windows 200/2003, that's why many of us were surprised by new unknown behaviors.

In particular people were facing a situation in which on some folders or drives, when opening the Properties window as a member of the local Administrators group and selecting the Security tab, they had to click on 'Continue' before they could see the folder NTFS permissions.

The particular message shown was: 

"To continue, you must be an administrative user with permission to view this object's security properties. Do you want to continue?" 

and they were supposed to click the 'Continue' button.

If they explicitly granted the very same user account Full Control access to the folder, the NTFS permissions showed up without any further hassle.

In the same context, they got an 'Access Denied' error on the same folders even if they were members of the local Administrators group. Enabling Auditing on these folders showed up many 4656 events telling that their access was not granted.

If you have this problem also, the solution is simple: lower UAC to 0, following the procedure I have posted here:

How to disable UAC

How to disable UAC for System Administrators only

UAC is a major change (or 'improvement' if you wish..) in Windows 2008 R2, but it can be a real obstacle to everyday sysadmin tasks. So getting rid of it can sometimes be the only possible solution.

Do not hesitate to comment if you find this post useful or if you wan to share your point of view on UAC.

Tuesday, November 8, 2011

Disabling automatic KMS to DNS publishing

If for some reasons you want to stop your Windows 2008 R2 KMS server from publishing everyday its Resource Record (RR) to the DNS, you have to use the built-in Software Licensing Management Tool (slmgr.vbs).

To do so, open  an elevated command prompt on the KMS server and run:

slmgr /cdns

A pop-up will appear telling to you to reboot the KMS Service:



From the same elevated command prompt, run the following command to restart the KMS Service:

Net Stop sppsvc && Net Start sppsvc

If you are running your KMS service on a older Windows version (not R2), run the following command instead (the service executable has been renamed in Windows 2008 R2... don't know why...):

Net stop slsvc && Net start slsvc

Now there are two ways to check that your KMS server has stopped trying to register its Resource Record in the DNS.

The first one is to open the Registry and see that the DisableDnsPublishing DWORD key has been added under :

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform

The value of this key has also been set to 1.

The second way to check that KMS publishing to DNS is off is with the command:

slmgr.vbs dlv
 
 

I hope this solution helped you. If you have any question or any comment do not hesitate to post.

Friday, November 4, 2011

Cluster Validation Error due to duplicate NIC GUIDs

If you are running a Windows 2008 R2 Failover Cluster, you may see the following error when running the Failover Cluster Validation tests:

 It tells:

Validate Windows Firewall Configuration
Validate that the Windows Firewall is properly configured to allow failover cluster network communication.
Validating that Windows Firewall is properly configured to allow failover cluster network communication.
An error occurred while executing the test.
There was an error verifying the firewall configuration.
An item with the same key has already been added.

The last line is telling us that two elements have the same value. These elements are the Network adapters and the offending value are the adapter GUIDs. These GUIDs should be unique but if you have cloned your servers or if your Cluster servers are cloned VMWare Virtual Machines, this error might occur.

To solve this issue, start by running a Powershell session, then run the following command on every Cluster node and compare the GUID of your Network adapters:
 
Get-WmiObject Win32_NetworkAdapter | format-list Name,GUID

You should see that the Network adapters have the same GUID on different servers.

If this is your case, uninstall all of your Network adapters from Device Manager from all the Cluster members except one (but first note your IP address configuration!). Reboot them, re-run the Powershell command and you should find that your Network adapters are back with brand new GUIDs (thanks Plug and Play!).

Re-run the Cluster Validation Report and everything should be OK.

Please leave a comment if this post helped you!

Wednesday, November 2, 2011

Setting DisableStrictNameChecking in Windows 2008 R2

I recently faced a problem whereby I had to install a Windows 2008 R2 Failover Cluster Server and make a CNAME alias point to it but I was unable to get to the CNAME network share from remote clients.

Fortunately this wasn't a difficult problem to solve as I was aware of the existence of the DisableStrictNameChecking registry key under previous Windows versions. This key tells the server to allow inbound connections which are not explicitly directed to its main hostname, so it is a protective feature, not a bug.

So, to loosen security a bit allowing proper network access to a Windows server using a DNS alias, fire an elevated command prompt, type regedit and move to the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters


Right-click Parameters, click New, and then click DWORD (32-bit) Value.

Type DisableStrictNameChecking and press ENTER.

Double-click the DisableStrictNameChecking registry value and type 1 in the Value data box, click OK and close the Registry Editor.

This should solve your issue with accessing a Windows 2008 R2 server with a CNAME.

Related Posts Plugin for WordPress, Blogger...