Information, tips and techniques.

Automatic Update icon not showing up in Windows

In my WSUS deployment story, I came across a little problem: the AU icon no longer shows up in the task bar, even though the log seems to indicate that some updates are available to install, or that they are installed and the computer needs to reboot.

I don’t really know why this is happening. The affected systems run Windows 2003 R2 SP1, and previously those servers retrieved all the updates without trouble.

Well, it seems that during the installation of SP2 of Windows 2003, the Automatic Update service was stopped (even though it is set to Automatic).

So here is what I did:

In a DOS prompt:

regsvr32 wuapi.dll
regsvr32 wuaueng.dll
regsvr32 wuaueng1.dll
regsvr32 wucltui.dll
regsvr32 wups.dll
regsvr32 wups2.dll
regsvr32 wuweb.dll

Then go to the Services console and start the Automatic Update service. Wait a little and the icon should appear.

Update

Just a note for those who are using a Terminal Server. When you log on to a remote session, you will be notified by the Automatic Update icon in the task bar, BUT if you log on a second time (maybe you closed an old session instead of logging off), you will not be notified. Just check in Terminal Service that you don’t have any zombie sessions.

Filed under: WSUS

Give your bash scripts some colors

I am pretty sure that everyone who manages Linux or Unix systems has to deal with bash to create some scripts.

I am currently creating one that retrieves some information on different *NIX platforms, like Sun’s Solaris and Unix.

The goal of this post is not to explain how to deal with bash but to add some fun to your bash scripts. Adding colors to a script can be cool when you have to display important messages, errors or information. Adding colors to those messages makes the user more aware of what’s happening and adds some eye candy to your script.

We use the echo command with the -e parameter. Here is a small example:

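# ANSI escape prefix; echo -e turns \x1b into the ESC character.
# The quotes are required, otherwise the shell drops the backslash.
ESC_SEQ="\x1b["
COL_RESET="${ESC_SEQ}39;49;00m"
COL_RED="${ESC_SEQ}31;01m"
COL_GREEN="${ESC_SEQ}32;01m"
COL_YELLOW="${ESC_SEQ}33;01m"
COL_BLUE="${ESC_SEQ}34;01m"
COL_MAGENTA="${ESC_SEQ}35;01m"
COL_CYAN="${ESC_SEQ}36;01m"

# Braces keep the variable name separate from the text that follows it
echo -e "${COL_BLUE}INFO: ${COL_RESET}This is an info message"
echo -e "${COL_RED}An error has occurred${COL_RESET}"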

ref : http://www.bioinspired.com/users/ajg112/software/bashTips.shtml

Filed under: Bash

EventID 1202: Security policies are propagated with warning. 0x4b8 : An extended error has occurred.

Issue:
Security policies are propagated with warning. 0x4b8 : An extended error has occurred.

This happens on a Windows 2000 server not connected to a domain.

I have tried several things to solve this issue:

  • Tried to repair the database, which could be corrupted, using
    esentutl /g %Windir%\security\Database\Secedit.sdb
    But the database does not seem to be corrupted
  • Tried to delete the logs, then the logs and the database, with no success
  • Some sites pointed out that a renamed administrator account could cause this issue, which is my case.
    I tried to add a fake ‘Administrator’ account and disable it, but that did not solve the issue.
  • I tried to open the security policy (secpol.msc) to modify a behaviour (rename administrator account) but I can’t connect to/open the Account Policies folder (Windows cannot open the local policy database. An unknown error occurred when attempting to open the database.) Ref: http://support.microsoft.com/kb/816109
  • Tried to delete the database and the logs and then execute
    secedit /refreshpolicy machine_policy /enforce
    with no luck (Ref: http://3dgpu.com/forums/lofiversion/index.php?t3321.html)
  • Then the only thing that worked for me was to copy a valid database from a working Windows installation (same OS version) that is also not connected to a domain, replace the database and then execute
    secedit /refreshpolicy machine_policy /enforce

Tada! Problem solved.

Filed under: Uncategorized

EventID 1015 : The timeout waiting for the performance data collection function “PerfOS” in the “C:\WINNT\system32\perfos.dll”

In Windows Event viewer :
The timeout waiting for the performance data collection function “PerfOS” in the “C:\WINNT\system32\perfos.dll” Library to finish has expired. There may be a problem with  this extensible counter or the service it is collecting data from or the  system may have been very busy when this call was attempted. 

I found on the http://www.eventid.net/display.asp?eventid=1015&eventno=773&source=Perflib&phase=1 web site that running:

  • winmgmt /resyncperf

can solve the problem. In my case, that worked.

Filed under: Uncategorized

The Open procedure for service Service in .dll DllPath failed.

This error message sometimes appears on some Windows 2000 or 2003 servers. How to fix this stuff?

Well, in my case, I located in the registry the name of the service whose performance DLL seems to have an issue registering.

  • Open regedit, navigate to HKLM\System\CurrentControlSet\Services and try to find the name of the service (in my case, I had some trouble with IAS and the DLL iasperf.dll; the service name here is IAS)
  • Next, go to C:\Windows\system32 (or winnt if you are on Windows 2000)
  • unlodctr IAS
    (unlodctr <name of the service>)
  • findstr drivername *.ini
    Which lists all files that have the string ‘drivername’ in them
  • Locate the ini file for your service
  • lodctr <name of the ini file>.ini
    in my case it was iasperf.ini

And the error message should disappear.

Thanks to : http://support.microsoft.com/?id=299059

There is also a more complex procedure which involves rebuilding the performance counters. You can find the procedure here: http://support.microsoft.com/kb/300956/en-us

I had to use this procedure because of the same issue with performance counters and the .NET Framework. Note that sometimes the ini files are not located in %systemroot%\system32 but in the folder where the application is installed (like C:\windows\Framework\<the version>\). Then use the lodctr program with the ini file, like aspnet_perf.ini, or sometimes directly with the DLL aspnet_perf.dll.

Filed under: Uncategorized

WSUS Installation with SSL

I would like to share with you some stuff that could help you with a new installation of WSUS (Windows Server Update Service 3).

In fact the setup itself is quite straightforward; the only things that you have to care about are:

  • If possible, put the WSUS server in an Active Directory domain, because that way it will be simpler to administer the computers, groups and the certificate if you use SSL
  • Put the WSUS database and the downloaded files on a big disk and, if possible, on a different drive than the one where the OS and SQLServer will be installed
  • If you have SQLServer 2005, you can use it instead of the embedded version shipped with this tool, but in any case do not use the SQLServer 2005 Express edition, simply because that edition has some limitations that the embedded version (Windows Internal Database, as Windows reports it) does not have, such as the amount of memory you can give to the server, the number of CPUs that SQLServer can use and the database size. (Ref: http://blogs.codes-sources.com/christian/archive/2007/04/19/sql-server-2005-sql-server-embedded-edition-windows-internal-database.aspx)
  • Well, maybe this embedded version is cool, but what if you want to manage it a little more? You have the option to install and use SQLServer Management Studio Express and, as a parameter of the connection, use:
    \\.\pipe\mssql$microsoft##ssee\sql\query
  • For the backup now. Well, in my case I use a simple script that:
    • Creates the backup of the WSUS database using NTBACKUP from the command line
    • Then uses 7-zip to compress the resulting file (NTBackup does not …)
      Here is the listing:
      REM Date1 now holds the date in yyyymmdd format
      for /f "tokens=1-3 delims=/ " %%a in ('date/t') do set Date1=%%c%%a%%b
      REM Delete the old bkf file; the leading echo y auto-confirms the prompt
      echo y|del D:\*.bkf
      ntbackup backup D:\Databases\WSUS\UpdateServicesDbFiles\  /J "WSUS Databases backup" /FU /V:yes /HC:on /L:f /F "D:\WSUS_DB_BCK_%Date1%.bkf"
      cd "C:\Program Files\7-Zip"
      7z.exe a -tzip d:\WSUS_DB_BCK_%Date1%.bkf.zip "d:\WSUS_DB_BCK_%Date1%.bkf"
      echo y|del D:\WSUS_DB_BCK_%Date1%.bkf

Those are the basics. I will not go into configuring the entire system because you are big boys and some configurations may differ depending on how your setup is.

Anyway, for the SSL part now.

Just remember that when WSUS is configured to use SSL, SSL will in fact not be used to encrypt the transfer of the patches or updates. This part is done by the BITS system (I really don’t know if the file transfer is encrypted or not). SSL will be used to secure communications for:

  • The remote console with the server itself (which is accessible using IIS)
  • Communication between client (computers and servers) and the WSUS server when they request about new updates or send status reports
  • Communication between an upstream server and a downstream server

That’s all.

Now let’s see what the process to use SSL will be.

  • Install Certificate Service for Windows (this is good when you don’t want to pay for a certificate and when you only want to update internal systems)
  • Generate the certificate for the web server
  • Configure IIS to use SSL
  • Configure the console to connect using SSL
  • Deploy the certificate on the client machines and on other remote WSUS administration consoles

You want details now? Here they are:

 Install ‘Certificate Service’

  • Control Panel / Add Remove programs / Add remove windows components  and select ‘Certificate Service’
  • Confirm (Yes), Next
  • Choose what ‘kind’ of CA you want to install (in my case Stand Alone Root CA)
  • Choose a common name (the name of the server) WSUSSRV
  • Distinguished name suffix dc=yourdomain,dc=com
  • Validity period 5 years
  • Next. A message may pop up if you have already installed and then uninstalled Certificate Service: ‘The private key “WSUSSRV” already exists. Do you want to overwrite this key with a new one?’, confirm with ‘Yes’
    Certificate Service setup will generate a new key
  • Options Certificate database C:\WINDOWS\system32\CertLog
  • Certificate database log C:\WINDOWS\system32\CertLog
  • Shared folder C:\CAConfig
  • Next. A message will popup saying that IIS will be restarted, confirm ‘Yes’
    Certificate Service setup will then install and copy some files (the Windows CD may be required)
  • Finish 

Certificate request for the WSUS web site

  • In IIS, right click on the WSUS web site and then Properties\Directory Security\Secured Communications
  • Click on ‘Server certificate’, Next 
  • Create new certificate
  • Choose Prepare request now but send it later, Next
  • Name : WSUSSRV WSUS SSL
  • Bit length  1024
  • Do not check the option ‘Select cryptographic service provider (CSP) for this certificate’ , Next
  • Organization : your organization
  • Organizational unit : again, you know your company better than me
  • Next
  • Common name WSUSSRV
  • Next
  • Country/Region : CA (Canada) (at least for me, you know where you live)
  • State/Province : Québec
  • City/Locality : Montréal
  • Next
  • Give the path and the file name for the certificate request file :
    c:\certreq.txt
  • Next, Next, Finish

 Installation and Approval of the certificate request

  • Programs /Administrative Tools / Certification Authority 
  • Right click on the name of the server then, All tasks / Submit new request
  • Give the path of the certificate request you created earlier
    c:\certreq.txt
  • Click in the folder ‘Pending Requests’
  • Select the certificate in the right pane (Ex : Request id 2)
  • Right click / All tasks / Issue 
  • Go to the folder ‘Issued Certificates’
  • Select in the right pane the certificate that we have just issued
  • Double click on the certificate (Ex : Request id 2)
  • In the Detail tab click on ‘Copy to file’, Next
  • Select the format (Base-64 encoded x509 (DER)), Next
  • Give the path and the name of the file
    C:\cert_wsus
  • Save, Next, Finish
  • A message should be displayed ‘The export was successful’
  • In IIS, right click on the WSUS web site, then Properties / Directory Security / Secured Communications
  • Click on ‘Server certificate’, Next
  • Select ‘Process the pending request and install the certificate’, Next
  • Select the certificate file 
    C:\cert_wsus.cer
  • Next
  • Select the SSL port (default : 443)
  • Next, Next, Finish, OK
  • Now, for the folders :
    • ApiRemoting30,
    • ClientWebService,
    • DssAuthWebService,
    • ServerSyncWebService,
    • SimpleAuthWebService
  • Right click on the folder, Properties / Directory Security / Secured Communications and then ‘Edit’
  • Check the option ‘Require Secure Channel (SSL)’
  • OK, Apply, OK 
  • Open a DOS prompt and type iisreset to restart the web service
  • Run the DOS commands
    cd c:\program files\update services\tools
    wsusutil configuressl WSUSSRV
    (Note: be careful with uppercase and lowercase. In my case, I first used lowercase for the server name, which made the server appear twice in the WSUS console)
  • Open the WSUS console
  • Check that you can connect and see the server. Or, delete the server and add it again, checking the option to use SSL this time

 Configuration

  • Now, on the domain controller, or in the registry for the servers that are not in Active Directory and are managed by script, change the URL of the WSUS server to http://WSUSSERVER. Note that on your domain controller, this setting is managed by a GPO.
  • On the client computer, open a DOS prompt and type
    gpupdate
    to refresh the policy settings
  • Download and install the WSUS client diagnostic tool ‘clientdiag.exe’ and then execute it to check if all is correct (ref : http://technet.microsoft.com/en-us/wsus/bb466192.aspx)

Checking the certificate installation

  • Start / Run / mmc and select the snap-in ‘Certificate’ for Local Machine
  • Check that in the ‘Personal’ folder, the 2 certificates (root and wsus) are present
  • Check that the root certificate is also listed in the ‘Trusted Root Certification Authorities’ (you can do a copy and paste if it is not)
  • Open the root certificate by double click on it
  • In the Detail tab, click on ‘Copy to file’, Next
  • Select the format (Base-64 encoded x509 (DER)), Next
  • Select the name and path
    C:\cert_root_wsussrv.cer
  • Save
  • Next, Finish. The message ‘The export was successful’ should appear
  • Close the console

 Certificate installation on the client side

You can use a setting in AD Users and Computers to automatically push a certificate to your client computers, AND only if you have configured your Certificate Service to be an Enterprise Root CA (so it will be integrated into Active Directory). I will not cover this part now. I will assume that the certificate installation on the client computer will be done by hand. Of course, if you have hundreds of PCs, doing it using AD Users and Computers is more than recommended.

Do the following operations on every computer that will contact the WSUS server and on every server or computer where the WSUS console is installed. I will assume that you have copied the certificates to the C drive of each computer, but you can put those files on a share in your network.

  • Start / Run / mmc, Select the snap in ‘Certificate’ for the local machine
  • In the Personal / Certificate folder, right click / All tasks / Import
  • Next
  • Select the file 
    C:\cert_root_wsussrv.cer
  • Next
  • Select ‘Place all certificate in the following store’ [Personal]
  • Next, Next, Finish, OK
  • Do exactly the same process for the web certificate cert_wsus_wsussrv.cer
  • In the Trusted Root Certification Authorities / Certificate folder,  right click and All tasks / Import
  • Next
  • Select the file 
    C:\cert_root_wsussrv.cer
  • Select ‘Place all certificate in the following store’ [Trusted Root Certification Authorities]
  • Next, Next, Finish, OK
  • Close the console
  • Open the WSUS console to check if you can connect (in the case where this console is on another computer than the one where the WSUS server is installed, like your desktop for example)

To check if your newly configured client can contact the server, remember to use in DOS:

wuauclt /detectnow

And then locate and open the file in C:\Windows\WindowsUpdate.log to see if all is correct.
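
The same client-side check as a batch script, added here as an example and not part of the original post. It assumes the WSUS location reaches the client through the standard Windows Update policy values (WUServer, WUStatusServer and AU\UseWUServer) and that an SSL-enabled server is addressed with an https:// URL.

```batch
@echo off
setlocal
REM Added example: confirm a WSUS client is pointed at the server over HTTPS
REM before forcing a detection cycle. The policy key and value names are the
REM standard Windows Update client policy settings (assumed to be in use).
set KEY=HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
set RC=0

call :check_url WUServer
call :check_url WUStatusServer

REM UseWUServer must be 1, otherwise the client ignores WUServer entirely
set USE=
for /f "tokens=3" %%A in ('reg query "%KEY%\AU" /v UseWUServer 2^>nul ^| find "REG_DWORD"') do set USE=%%A
if not "%USE%"=="0x1" (
    echo [FAIL] UseWUServer is not set to 1
    set RC=1
)

if "%RC%"=="0" (
    echo [OK] Policy points at an HTTPS WSUS server, starting detection
    wuauclt /detectnow
    echo Review %SystemRoot%\WindowsUpdate.log for the result
)
exit /b %RC%

:check_url
REM First argument is the value name. The second token of the reg output
REM is the type, everything after it is the data.
set VAL=
for /f "tokens=2,*" %%A in ('reg query "%KEY%" /v %1 2^>nul ^| find "REG_SZ"') do set VAL=%%B
if not defined VAL (
    echo [FAIL] %1 is not configured
    set RC=1
    goto :eof
)
REM A plain http:// value means status reports and update metadata
REM would not be sent over SSL.
echo %VAL%| findstr /i /b /c:"https://" >nul
if errorlevel 1 (
    echo [FAIL] %1 = %VAL% is not an https:// URL
    set RC=1
) else (
    echo [OK]   %1 = %VAL%
)
goto :eof
```

The script returns a non-zero exit code when any check fails, so it can be called from a logon or deployment script.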

Filed under: Uncategorized

WSUS 3

Ok, first post.

I will talk soon about WSUS (Windows Server Update Service 3) from MS. I will especially cover the SSL aspect and some info that could be useful for you guys.

Stay tuned.

Filed under: Uncategorized

Hello world!

This is a great day today: I finally decided to blog! Tada!

Why blogging?

You can read more in the about section, but to make it short: I have spent hours and days on the Internet, searching Google to find answers to some issues that I had on some projects (Linux, Windows, Vista, hardware, etc.), and I thought to myself: “OK, I think that it is time now to share with the world some of my knowledge in IT, some stuff, tips and techniques that I use to solve some issues, and maybe help other admin guys around a little, like others also helped me in the past.”

And this is how the story of this blog begins.

Filed under: Uncategorized