Oct 27, 2014

Preparing for the End of Windows Server 2003

It’s a little embarrassing, or maybe I should say lucky, that somehow I hadn’t the need to review the changes to the dynamic port range assignments. I say it that way because the range wasn’t something that recently changed. By recent, let’s call it 2012. No, in fact, it goes back to 2008. Microsoft changed the dynamic port range to comply with IANA recommendations effectively moving the range:

 

From

To

Old

1025

5000

New

49152

65535

 

SYMPTOMS

The troubles you’ll find with this kind of change usually won’t present itself until you try to restrict it somehow. This issue was noticed when domain controllers were upgraded to 2012. The version previous was 2003. :-|

The kinds of issues witnessed appeared all over the place, compounded with confusion since the issues weren’t well captured or documented during troubleshooting. Here’s what was seen along with the corresponding error messages:

  • Failure to connect to a share
    • Windows cannot access <share>
    • The trust relationship between this workstation and the primary domain failed
  • Failure to test secure channel
    • Access Denied
  • Failure to join a domain
    • The join operation was not successful. This could be because an existing computer account having name <myComputer> was previously created using a different set of credentials. Use a different computer name, or contact your administrator to remove any stale conflicting account. The error was: Access is denied.

Notably, netlogon.log would also show errors suggesting problems during the domain join such as:

10/03/2014 02:00:52:695 SamOpenUser on 564842 failed with 0xc0000022
10/03/2014 02:00:52:695 NetpManageMachineAccountWithSid: status of attempting to set password on <myDomainController> for <myComputer>: 0x5
10/03/2014 02:00:52:695 NetpJoinDomain: status of creating account: 0x5
10/03/2014 02:00:52:695 NetpJoinDomain: initiaing a rollback due to earlier errors

 

DIAGNOSTICS

Sometimes the quickest way to resolution is what some people assume to be the hardest. It’s important to get trace packets from both hosts at the same time. After that, the other trick is to read it. :o)

In this dump, you’ll see where EPM (endpoint mapper) negotiates to port 50445. After that, all hell breaks loose. Just kidding. In reality, you simply won’t see any of those packets reaching the destination port since the environment was configured to respect the old dynamic port range. (Never mind the IPs. I’m protecting the innocent.)

4846    4:12:03 AM 10/3/2014    62.5715595      svchost.exe     192.168.94.34   <myDomainController>  EPM     EPM:Request: ept_map: NDR, DRSR(DRSR) {E3514235-4B06-11D1-AB04-00C04FC2DCD2} v4.0, RPC v5, 0.0.0.0:135 (0x87) [DCE endpoint resolution(135)]    {MSRPC:857, TCP:856, IPv4:130}
4847    4:12:03 AM 10/3/2014    62.5721299      svchost.exe     <myDomainController>  192.168.94.34   EPM     EPM:Response: ept_map: NDR, DRSR(DRSR) {E3514235-4B06-11D1-AB04-00C04FC2DCD2} v4.0, RPC v5, 192.168.11.34:50445 (0xC50D) [50445]  {MSRPC:857, TCP:856, IPv4:130}
4848    4:12:03 AM 10/3/2014    62.5944302      svchost.exe     192.168.94.34   <myDomainController>  TCP     TCP:Flags=......S., SrcPort=65207, DstPort=50445, PayloadLen=0, Seq=3334272165, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:858, IPv4:130}
5010    4:12:06 AM 10/3/2014    65.5937718      svchost.exe     192.168.94.34   <myDomainController>  TCP     TCP:[SynReTransmit #4848]Flags=......S., SrcPort=65207, DstPort=50445, PayloadLen=0, Seq=3334272165, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192    {TCP:858, IPv4:130}
5380    4:12:12 AM 10/3/2014    71.5937519      svchost.exe     192.168.94.34   <myDomainController>  TCP     TCP:[SynReTransmit #4848]Flags=......S., SrcPort=65207, DstPort=50445, PayloadLen=0, Seq=3334272165, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192    {TCP:858, IPv4:130}

A quick, client-side port query would confirm that in fact, it cannot do anything over that port.

 

SUMMARY

In short, prepare for your transition away from 2003. I know many of you (myself included) still have things running on 2003. This is one you should look for and remediate wherever possible. Here’s a link to the article describing the default dynamic port range changes:

The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008

By the way, did you know you can run a packet trace from netsh? Oh yes, you can. Here’s a link to my blog post: Using netsh to Capture Packets

Oct 14, 2014

boosting the powershell ise with ise steroids

Ever since the PowerShell ISE was released, I slowly moved away from using some of the other things I was pretty fond of like PowerShellPlus and PrimalScript. It’s mostly because it’s super convenient.

Along came ISE Steroids. I can’t really speak to 1.0 since I just started on 2.0 and just started very recently, actually. So far, I’m pretty impressed. The best part of using it, is it doesn’t force the convenience factor to change at all. Installing it is as simple as unzipping the files to your module path ($env:PSModulePath -split ';'). After that, you launch it with Start-Steroids. That gives me the convenience of using the plain ol’ ISE or switching into a hyper-capable ISE.

I’ve only begun scratching the surface of its capabilities though here are some things I’ve been using so far:

VERTICAL ADD-ON TOOLS PANE

Help. I love this feature. Anything I click on in a script, the help add-on will attempt to look up and present relevant information.

image

Variables. This is another feature I love. Having a variables window makes debugging so much easier.

image

REFACTORING

Is there someone on your team that codes in a manner that only their mother could love? If so, you might benefit from using the Refactor process. It’s basically a series of scripts that will comb the hair and wash behind the ears of your PowerShell script. It’s not perfect, but it performs admirably. It’s also configurable if you need to tune things down from default. Here’s an example:

Bad

foreach ($item in $smsobjects){
#write-host $item.name
$machinesfromSMS = $machinesfromSMS + $item.name}

foreach ($item in $sms2012objects){
#write-host $item.name
$machinesfromSMS = $machinesfromSMS + $item.name}

Better

foreach ($item in $smsobjects)
{
    #write-host $item.name
    $machinesfromsms = $machinesfromsms + $item.name
}

foreach ($item in $sms2012objects)
{
    #write-host $item.name
    $machinesfromsms = $machinesfromsms + $item.name
}

Which would you rather read and interpret?

ROOM FOR IMPROVEMENT

I would love to see the context sensitive help add-on retrieve things from the console or at least a search box to look up information manually. At this time, I have an empty script where I type in the command to make it show me help information.

SUMMARY

ISE Steroids isn’t a new shell, a giant development environment, or anything that fancy. It’s a lot of little things that tunes out the default PowerShell ISE into a highly functional shell and scripting environment. It’s extensible with other add-ons and supports launching applications from the ISE. (ILSpy and WinMerge come loaded.)

It’s my new favorite. I’m hooked. If you like the PowerShell ISE environment, you should check it out. There are many more features I haven’t brought up (signing, version control, wizards, etc.)

Oct 8, 2014

using netsh to capture packets

Outages. Aside from the massive pressure of having to restore service, they can be pretty useful to learn new things. One recent discovery that was news to me is that you can use netsh to capture network traces. WHAT?! Yeah1.

It appears on modern-ish operating systems (Windows 7/Windows 2008 R2 and above) you no longer need to install your favorite packet tracing application to capture packets. Who doesn’t like to cuddle up with a nice packet trace, eh? Obviously if you’re on a desktop OS, you should just load packet capturing utility of choice (and it had better be Network Monitor if you intend to open the .ETL trace) -- unless you like to read it in some other way. That would mean your skillz are simply amazing and are wasting your time here!

 

RUNNING A TRACE

The most basic way to start and stop a trace is by performing the following commands:

As you can see, netsh displays the trace configuration as well. It’s not the full configuration of defaults though.

netsh trace start capture=yes

Trace configuration:
-------------------------------------------------------------------
Status:             Running
Trace File:         C:\Users\me\AppData\Local\Temp\NetTraces\NetTrace.etl
Append:             Off
Circular:           On
Max Size:           250 MB
Report:             Off

netsh trace stop
 

KNOWING THE DEFAULTS

Pulling the help file (trace start help) will provide the list of defaults if you run the command as indicated above. I have them illustrated here for reference.

capture=no (specifies whether packet capture is enabled in addition to trace events)
report=no (specifies whether a complementing report will be generated along with the trace file)
persistent=no (specifies whether the tracing session continues across reboots, and is on until netsh trace stop is issued)
maxSize=250 MB (specifies the maximum trace file size, 0=no maximum)
fileMode=circular
overwrite=yes (specifies whether an existing trace output file will be overwritten)
correlation=yes (specifies whether related events will be correlated and grouped together)
traceFile=%LOCALAPPDATA%\Temp\NetTraces\NetTrace.etl (specifies location of the output file)

I have highlighted the defaults which do not show up in the trace file output.

 

VIEWING THE RESULTS

Message Analyzer. You can open the file in Message Analyzer quite simply. (It’s also a brilliant tool.) By simply, I mean, just open the file once you have it running. This is my favorite way.

image

Network Monitor. You can expect the same results in Network Monitor but will need to do one additional step. Even without doing it, you’ll be able to read the frame details. The frame summary won’t make much sense though.

  1. Go to Tools | Options | Parser Profiles.
  2. Choose Windows and select Set As Active.

Wireshark. You are pretty much on your own. There are ways2 to convert .ETL to .CAP or whatever if you really need to stick that much to your guns.

 

I’m not really sure why I used this photo. Maybe it’s because it looks like a tangled mess of grapevines when in reality, it’s stacked. It’s a matter of perspective, I suppose. Right, LouisG?

1 Probably as strange as just realizing I wrote this blog post with capitalization.

 

REFERENCES

http://technet.microsoft.com/en-us/library/jj129382.aspx#bkmk_TraceUsingTrace

http://blogs.msdn.com/b/canberrapfe/archive/2012/03/31/capture-a-network-trace-without-installing-anything-works-for-shutdown-and-restart-too.aspx

2 http://blogs.technet.com/b/yongrhee/archive/2013/08/16/so-you-want-to-use-wireshark-to-read-the-netsh-trace-output-etl.aspx

Oct 1, 2014

Microsoft Most Valuable Professional (MVP) 2015

Hello everyone. I received the news today that my MVP award has been renewed. I feel privileged to receive such a distinguished honor in company with some of the brightest minds in technology. Congratulations to all of my fellow MVPs who were also renewed today.

imageIt is with great pride we announce that Marcus Oh has been awarded as a Microsoft® Most Valuable Professional (MVP) for 10/1/2014 - 10/1/2015. The Microsoft MVP Award is an annual award that recognizes exceptional technology community leaders worldwide who actively share their high quality, real world expertise with users and Microsoft. All of us at Microsoft recognize and appreciate Marcus’s extraordinary contributions and want to take this opportunity to share our appreciation with you.

With fewer than 4,000 awardees worldwide, Microsoft MVPs represent a highly select group of experts. MVPs share a deep commitment to community and a willingness to help others. They represent the diversity of today’s technical communities. MVPs are present in over 90 countries, spanning more than 30 languages, and over 70 Microsoft technologies. MVPs share a passion for technology, a willingness to help others, and a commitment to community. These are the qualities that make MVPs exceptional community leaders. MVPs’ efforts enhance people’s lives and contribute to our industry’s success in many ways. By sharing their knowledge and experiences, and providing objective feedback, they help people solve problems and discover new capabilities every day. MVPs are technology’s best and brightest, and we are honored to welcome Marcus as one of them.

To recognize the contributions they make, MVPs from around the world have the opportunity to meet Microsoft executives, network with peers, and position themselves as technical community leaders. This is accomplished through speaking engagements, one on one customer event participation and technical content development. MVPs also receive early access to technology through a variety of programs offered by Microsoft, which keeps them on the cutting edge of the software and hardware industry.

As a recipient of this year’s Microsoft MVP award, Marcus joins an exceptional group of individuals from around the world who have demonstrated a willingness to reach out, share their technical expertise with others and help individuals maximize their use of technology.

Sincerely,
Rich Kaplan
Corporate Vice President
Customer and Partner Advocacy
Microsoft Corporation

 

If interested, this is my MVP profile: http://mvp.microsoft.com/en-us/mvp/Marcus%20C.%20Oh-10604

Sep 26, 2014

atlanta systems management user group 10.03.14

I cannot honestly believe it’s already time for our user group meeting. It’s one week from now. It’s kind of crazy how fast time goes by. It’s also a lot more effort to put these together than you would expect.

So for that, I am grateful to all of the folks that help keep this going, all of the sponsors that help keep us eating, our perpetual sponsors that give us lots of great giveaways and benefits, all of the speakers that bring great content, and all of the people, like you, that come share your knowledge.

At our last user group meeting, we took an opportunity to use the space in the MTC side of the Microsoft office. What we discovered was the interaction was entirely different than the classroom spaces. It provided a better environment for interaction which is ultimately what we’ve always strived for -- networking, meeting your peers in the industry, and sharing knowledge. That’s the benefit of tying into a user community. You grow your access to knowledge exponentially.

Shavlik is our sponsor this quarter. Their product addresses the big hole of patch management where Windows patching ends -- third party. Here’s a little blurb:

Today, it's not Windows that represents the most vulnerabilities, but instead it's the applications that run on Windows that expose businesses to holes in computing security. The National Vulnerability Database reports that 86% of reported vulnerabilities come from third party applications. With Shavlik Patch for Microsoft System Center, administrators have the ability to automate the patching of third party applications within the System Center Configuration Manager console, providing confidence that third party application vulnerabilities are covered.

Here’s the rest of the schedule:

image

We have three seats left by last count. The drawback to using the MTC space is we lose some room so we’ll be running a tight ship trying to maximize all the seating available. If you haven’t registered yet, there’s still time! Get all the details here, including the registration link: http://www.atlsmug.org/events/atlanta-systems-management-user-group-100314

See you there!