Altiris inventory solution not logging all exes

February 13th, 2009 by Geoff Kendal No Comments

When creating some system inventory groups in Altiris, I noticed that it didn’t seem to be collecting information for certain exes that had been deployed onto the system.

After a bit of reading, I found out that the software audit scan can run in two modes: package and file mode. In package mode, it only reports on a single exe from each package, which makes reporting faster and keeps your Altiris database much smaller. This is what runs from a vanilla installation. The second type of scan is file scan, where every exe is audited. You can set this by editing ‘AeXInvSolnAdm2.ini’ in the NSCap folder to run the following:

AeXAuditPls.exe /file /hidden /output xml

You’ll have to wait a day or two for all your systems to re-run the inventory, but afterwards you should be able to report on a lot more!

fixup on cisco firewalls

January 27th, 2009 by Geoff Kendal No Comments

During migration to one of our new firewalls, I became aware that our outbound mail was not getting out and the queue was just growing. After a bit of digging around I found that our internal mail server could establish an SMTP connection to the server it was trying to send to; the message just wasn’t going down the connection.

I telnet’ed to the SMTP server that we were trying to deliver to, to try and manually send a message by issuing SMTP commands, the conversation went something like the following:

RECV>  220 ****2************************************
SEND> HELO mail.squiggle.org
RECV> 500 5.5.1 Command unrecognized: “XXXX”

Every command that I issued came back as not recognised, with each letter substituted by X’s. After a bit more investigation (netcat listening on port 25 to see what was really being sent), it became apparent that something was altering the SMTP commands, and also the server header on the initial 220 by the looks of it.

After looking into what could be making these alterations, I found out that the likely culprit was our newly configured Cisco PIX firewall. Cisco fixup can run on a firewall and inspect the data in an SMTP session to try and secure it more by restricting it to a certain command set; ours just looked to be restricting the whole lot! Disabling the fixup for SMTP with the following command fixed the issue:

> no fixup protocol smtp 25 

As soon as this rule was added, mail started flowing again!
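The two symptoms described in this post (a 220 banner masked with asterisks and commands arriving as X’s) can be checked for automatically. The following is an added example, not code from the original post; the sample transcript is constructed from the conversation above, and the host name and the 0.8 threshold are assumptions.

```python
import re

BANNER_RE = re.compile(r"^220[ -](.*)$")
# Rejection that quotes back the command the server actually received.
REJECT_RE = re.compile(r'^5\d\d .*unrecognized: ["“](.*?)["”]', re.I)

# Constructed sample, modelled on the conversation shown in the post.
SAMPLE = [
    "RECV> 220 ****2************************************",
    "SEND> HELO mail.example.org",
    "RECV> 500 5.5.1 Command unrecognized: “XXXX”",
]

def masked_ratio(text):
    """Fraction of the non-space characters in text that are '*'."""
    chars = [c for c in text if not c.isspace()]
    return sum(c == "*" for c in chars) / len(chars) if chars else 0.0

def inspect_transcript(lines):
    """Return the signs of in-path rewriting seen in a client-side transcript."""
    findings = []
    for line in lines:
        direction, _, payload = line.partition(">")
        payload = payload.strip()
        if direction.strip() != "RECV":
            continue
        banner = BANNER_RE.match(payload)
        # 0.8 is an assumed threshold: a normal banner has no asterisks at all.
        if banner and masked_ratio(banner.group(1)) > 0.8:
            findings.append("banner masked with asterisks")
        reject = REJECT_RE.match(payload)
        if reject and set(reject.group(1).upper()) == {"X"}:
            findings.append("command reached the server as X characters")
    return findings

def rewritten_in_transit(sent, received):
    """Pair what the client sent with what a listener on the far side
    captured; return the lines that arrived with characters replaced by X."""
    altered = []
    for s, r in zip(sent, received):
        if s != r and len(s) == len(r):
            changed = {rc for sc, rc in zip(s, r) if sc != rc}
            if changed == {"X"}:
                altered.append(s)
    return altered

if __name__ == "__main__":
    print(inspect_transcript(SAMPLE))
```

`rewritten_in_transit` corresponds to the netcat check in the post: feed it the lines typed at the client and the lines the listener on port 25 recorded.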

Vista program files weirdness

January 27th, 2009 by Geoff Kendal No Comments

I came across a peculiar issue today with Lotus Notes 7 running on my newish Vista system. I was doing some C# development with the Notes COM objects, but was having some trouble, and needed to edit my notes.ini file to try and fix something.

The peculiar part was that in my program files directory, there was a notes.ini file – but with no real config in it, only a few lines – this file’s usually full of stuff! I also couldn’t see my ID file in the notes data directory when using explorer, but Notes could see it and access it fine!

After a bit of Googling, it turned out it was Vista redirecting application write access to the program files folder to “C:\Users\%USERNAME%\AppData\Local\VirtualStore”. When the app reads from the program files folder it sees a merged version of the real program files folder and the user’s VirtualStore, so in essence it forces apps to support multiple users, by the looks of it.
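To see which copy of a file an application is really using, compare the real folder with its VirtualStore counterpart. The following is an added example, not code from the original post; it assumes the VirtualStore copy takes precedence on read, and the folder layout and file names in `demo()` are constructed.

```python
import ntpath
import os
import tempfile

def virtual_store_path(real_path, local_appdata):
    """Map a path under Program Files to its per-user VirtualStore location."""
    _drive, tail = ntpath.splitdrive(real_path)
    return ntpath.join(local_appdata, "VirtualStore", tail.lstrip("\\"))

def list_files(root):
    """Relative paths (forward slashes) of every file below root."""
    found = set()
    for base, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(base, name), root)
            found.add(rel.replace(os.sep, "/"))
    return found

def merged_view(real_dir, virtual_dir):
    """Which copy a virtualized app reads for each file; the VirtualStore
    copy wins when both exist (assumption stated in the lead-in)."""
    view = {p: "real" for p in list_files(real_dir)}
    view.update({p: "virtualstore" for p in list_files(virtual_dir)})
    return view

def demo():
    """Build a constructed Notes-like layout in a temp dir and compare it."""
    with tempfile.TemporaryDirectory() as tmp:
        real = os.path.join(tmp, "Program Files", "notes")
        virt = os.path.join(tmp, "VirtualStore", "Program Files", "notes")
        for path in (os.path.join(real, "notes.ini"),
                     os.path.join(real, "nnotes.dll"),
                     os.path.join(virt, "notes.ini"),
                     os.path.join(virt, "data", "user.id")):
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        view = merged_view(real, virt)
        # Files present in both places: Explorer shows the stale real copy.
        shadowed = sorted(list_files(real) & list_files(virt))
        # Files only in VirtualStore: invisible when browsing Program Files.
        hidden = sorted(list_files(virt) - list_files(real))
        return view, shadowed, hidden

if __name__ == "__main__":
    print(demo())
```

In the constructed layout, notes.ini is shadowed (the app reads the VirtualStore copy) and the ID file exists only in VirtualStore, which matches the two symptoms described above.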

Rejoin computer to domain remotely

January 9th, 2009 by Geoff Kendal 2 Comments

From time to time you’ll come across the problem where a system’s machine account in Active Directory has either become out of sync (usually due to multiple systems with the same name) or has just been deleted somehow! Telltale signs of this are errors about domains being unavailable, and trust relationships failing whenever the system tries to perform any authentication. In these situations you can usually log in as a local administrator, unjoin/rejoin the domain, then reboot and the problem is sorted.

However, this isn’t so easy if you aren’t in front of the system (which is often the case), although it is possible to do:

First you need to locate the IP address of the system (names will be unreliable if you’ve got multiple systems with the same name!). The best way to find the IP is probably from looking at DHCP leases on your DHCP server. Once you have the IP address, run regedit.exe on another system, then from the file menu select ‘Connect remote registry’. In the following box, connect to \\<IPaddress>. You should then be able to log on to the system as the local admin user (SYSTEMNAME\Administrator), and then navigate to:

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server

In this key, look for the ‘fDenyTSConnections’ value, and set this to 0. This should enable remote desktop if it isn’t already. You’ll need to reboot in order to enable this:

shutdown -m \\<IPAddress> -r

Once the system has rebooted, you should be able to remote desktop to it, log in as the local admin user, and rejoin as if you were in front of it. Although if it was a case of multiple systems with the same name, don’t forget to give it a unique name!

I should also point out that if it was a deleted computer account, you could always restore the object in AD, but that’s another story…

You’ll sometimes have a server that has loads of scheduled tasks that need to run as a specific user account, and sometimes you might need to update the account they run as, or reset the password.

I recently had to change loads of these on our Altiris server, and didn’t really fancy doing it by hand! The following script will update the runas user/password for all scheduled tasks on your system…

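@echo off
rem Update the run-as account and password on every scheduled task (.job file)

set Password=password
set Username=DOMAIN\username

cd /d "%SystemRoot%\tasks"
for %%a in (*.job) do call :ChangePW %%a
goto :eof

:ChangePW
rem The task name is the .job file name without its extension
set TaskName=%*
set TaskName=%TaskName:~0,-4%
SCHTASKS /Change /RU "%Username%" /RP "%Password%" /TN "%TaskName%"
goto :eof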

I was faced with a problem the other day, where a user wanted to use an application from one of our remote offices. This particular application requires internet access in order to authenticate the license. Due to our setup, we do not allow users internet access locally from the office.  I first tried to edit the proxy.pac to allow the application to go direct, which didn’t work. I then realised that a hole had to be made in the firewall in order to allow the application to go directly through the firewall.

So if you want to do this with a Cisco PIX, then it can be done easily via the command line (as an example, I will use the Google Earth app as the external hosts are well documented):

Step 1: Create a new object group:
object-group network GoogleEarth

Step 2: Add a description onto the object group:
description Google Earth Hosts

Step 3: Create a network object for each destination IP that your application needs to go direct:
network-object 64.233.183.190 255.255.255.255
network-object 64.233.183.93 255.255.255.255
network-object 64.233.183.91 255.255.255.255
network-object 64.233.183.136 255.255.255.255
network-object 65.87.18.132 255.255.255.255
network-object 65.87.18.134 255.255.255.255

Step 4: Create an ACL so that the PIX knows what to do when the object is fired:
access-list inside_access_in remark Unrestricted outbound access to Google Earth
access-list inside_access_in permit tcp any object-group GoogleEarth

Step 5: Create pdm’s for each IP Address listed in Step 3, whilst stating what Interface the IP is on:
pdm location 64.233.183.190 255.255.255.255 outside
pdm location 64.233.183.93 255.255.255.255 outside
pdm location 64.233.183.91 255.255.255.255 outside
pdm location 64.233.183.136 255.255.255.255 outside
pdm location 65.87.18.132 255.255.255.255 outside
pdm location 65.87.18.134 255.255.255.255 outside
pdm group GoogleEarth outside

Don’t forget, if you use a proxy.pac, to set the following Google Earth external hosts to go direct:

http://kh.google.com/

http://geo.keyhole.com/

http://auth.keyhole.com/

There isn’t much documentation on configuring the Cisco PIX, so I hope this helps someone!
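A quick way to review what a rule like the one in Step 4 opens up is to expand the object group and list the ports each permit entry covers. The following is an added example, not code from the original post; it handles only the `any object-group <name>` form used above, and the final `eq 443` line in the sample is a constructed variant for comparison.

```python
import ipaddress

# Configuration lines from Steps 1 to 4 above, plus one constructed
# variant (last line) that limits the rule to a single port.
CONFIG = """\
object-group network GoogleEarth
 description Google Earth Hosts
 network-object 64.233.183.190 255.255.255.255
 network-object 64.233.183.93 255.255.255.255
 network-object 64.233.183.91 255.255.255.255
 network-object 64.233.183.136 255.255.255.255
 network-object 65.87.18.132 255.255.255.255
 network-object 65.87.18.134 255.255.255.255
access-list inside_access_in remark Unrestricted outbound access to Google Earth
access-list inside_access_in permit tcp any object-group GoogleEarth
access-list inside_access_in permit tcp any object-group GoogleEarth eq 443
"""

def parse_groups(config):
    """Map each network object-group name to its list of networks."""
    groups, current = {}, None
    for raw in config.splitlines():
        tok = raw.split()
        if tok[:2] == ["object-group", "network"] and len(tok) > 2:
            current = groups.setdefault(tok[2], [])
        elif tok[:1] == ["network-object"] and current is not None and len(tok) == 3:
            # Accept both '<ip> <mask>' and 'host <ip>'.
            mask = "255.255.255.255" if tok[1] == "host" else tok[2]
            addr = tok[2] if tok[1] == "host" else tok[1]
            current.append(ipaddress.ip_network(f"{addr}/{mask}"))
        elif tok[:1] != ["description"]:
            current = None  # left object-group sub-mode
    return groups

def audit_acl(config):
    """List permit entries whose destination is a network object-group."""
    groups, findings = parse_groups(config), []
    for raw in config.splitlines():
        tok = raw.split()
        if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "permit":
            continue
        if tok[4] != "any" or tok[5] != "object-group":
            continue  # only the 'any object-group <name>' form is handled
        findings.append({
            "acl": tok[1], "protocol": tok[3], "group": tok[6],
            "hosts": [str(n) for n in groups.get(tok[6], [])],
            "ports": " ".join(tok[7:]) or "all",  # no qualifier = every port
        })
    return findings
```

For the rule from Step 4 the result shows `ports` as `all`: every TCP port on the six hosts is reachable from any inside address.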

Create your own custom Admin Tools snap-in

October 24th, 2008 by Mitch King No Comments

Ever get tired of having separate windows for Active Directory, DHCP, Group Policy etc etc???

Sick of trawling through Administrative Tools & browsing to your Company website/intranet???

This post details how to create your own custom Admin Toolbar complete with snap-ins that will manage a wide array of your day to day IT administrative duties. You can even embed frequently visited URLs such as your Spam filter.

Step 1:

Go to Start>Run>mmc.exe

This opens a blank Windows management console that is ready to be customized.

Step 2:

Click File>Add/Remove Snap-in

You can now add items to view on your toolbar. I tend to add my frequently accessed stuff rather than everything from Admin Tools, as this defeats the point.

Step 3:

Click File>Save As MyAdminPack.msc

I tend to add the file into my Startup folder so it launches first thing in the morning, and leave it open throughout the day. Then there is no need to go trawling through menus each time you want to use Active Directory or check your Spam filter.

You will find that this tool saves a lot of time through the day – why not email your Admin Pack to the rest of your IT department so you can all use it?!

Enjoy

Altiris computer collections failing to update

October 24th, 2008 by Geoff Kendal No Comments

If you’re having a problem where collections on your Altiris server are not updating, despite them being set to Membership update: automatic, and the options in ‘Configuration > Server Settings > Notification Server Settings > Automatic Collection updating’ are correctly set…. Take a look at the scheduled tasks on the server… Ours weren’t updating; it turned out it was due to the scheduled tasks trying to run with invalid credentials.

After bringing a Windows 2003 cluster back online after an unexpected outage today, we had a problem where the file cluster service group wasn’t coming back online. In particular the disk resource (a separate volume on a SAN) was just stuck in the ‘Online Pending’ state, as were all of its dependent resources, and as it was in the pending state you couldn’t take it offline or move it to another cluster node (not that it would have helped!).

The event log wasn’t too helpful about what the issue might have been, until I came across an entry advising that the volume on the SAN should have ‘chkdsk /f’ run against it. Wondering how you can perform a chkdsk on a volume that the system is having problems mounting, I turned to Google and found the following KB article: How to run the “chkdsk /f” command on a shared cluster disk. The article starts to explain how the chkdsk can be performed, but mentions the following interesting point:

“If the dirty bit was previously set, Chkdsk may automatically run and the Physical Disk resource may take awhile to come online. In Windows NT 4.0, you will see a Command Prompt window with Chkdsk running. In Windows 2000, if you open Task Manager you will see Chkdsk running as a process.”

A quick look in task manager did indeed reveal the chkdsk process running! And the output was being dumped into a file in c:\windows\cluster\chkdsk……. – although not brilliant to read, ‘type c:\windows\cluster\chkdsk…’ at the command line made it a bit better to look at! Once the chkdsk had completed (after around 3hrs on our 1.7TB volume!) it came straight online again!

I believe that the chkdsk process could have been killed to quickly bring the volume back online again, but as the dirty bit was set, it’s most probable that the same thing will happen next time the disk resource moves nodes.

Symantec Antivirus – Uninstall Password

September 10th, 2008 by Geoff Kendal No Comments

Sometimes when trying to uninstall a foobar’d installation of the Symantec antivirus client, the uninstall password isn’t accepted, despite entering the correct one… The default is usually ‘symantec’.

A little workaround is to disable the uninstall password by altering a registry key:
HKLM\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\AdministratorOnly\Security
Then set ‘UseVPUninstallPassword’ to 0.