/home


Information, tips and techniques.

2012 in review

The WordPress.com stats helper monkeys prepared a 2012 annual report for this blog.

Here’s an excerpt:

4,329 films were submitted to the 2012 Cannes Film Festival. This blog had 17,000 views in 2012. If each view were a film, this blog would power 4 Film Festivals

Click here to see the complete report.

Filed under: Uncategorized

Dell XPS and the loading DRMK infinite loop

This weekend, I was thinking that it was time to see if there were some updates on the Dell web site. I saw 3 or 4 of them, including a firmware update for a Seagate hard drive. I have to confess right now that I have checked my hard drive model but as soon as I downloaded the software I was thinking that, worst case, the firmware update would detect that there is no drive to update and finish there.
After downloading all the updates, I started installing them. For the hard drive update, it asked me to reboot to complete the update. After the POST (Dell logo), the software launched, ran its detection and found no drive. Cool, that was expected. So reboot and then… the loading DRMK fires and the Dell diagnostic software appears with only 3 options (memory, system and exit). Whatever you choose, exit will reboot the system and go back to this utility.
This is because of the Dell diagnostic software installed as a partition.
I will post how I solved this soon; just as a reminder, here are the important links:

ref : http://www.goodells.net/dellutility/recreate.shtml (see “Using Other Tools to Build a Utility Partition”)
ref: http://windows-seven-support.blogspot.com/2010/04/how-to-change-active-partition-in.html

I have been able to fix my laptop and recover my Windows 7 system by simply making my Windows 7 partition active again and recovering the boot loader. Be sure I will post the how-to soon.

Filed under: Uncategorized

Checking imap/exchange connectivity

Sometimes, you want to troubleshoot network connectivity and access to an imap server, like Exchange or other ones. Of course you can use telnet, like:

  • telnet <your exchange server> <port>

The TCP port could be 143, or 993 if the server has been configured to only accept secure connections (SSL).

In some cases telnet does not work even though there is no connectivity problem, for example when the server only accepts SSL connections, which telnet cannot negotiate. In this case, you can use openssl to test your connection to your IMAP server. Note that you can install openssl even on Windows, just go here. On Linux, openssl should be available.

So, use this string to connect to your imap server over a secure channel:

  • openssl s_client -connect <server>:<port> -crlf

The port could be 993. Just don’t forget the option -crlf. Without this, you will not be able to use Return after entering a command at the prompt.

Then, when the connection is made, you can use these commands:

  • ? LOGIN username password
  • ? SELECT Inbox
  • ? LOGOUT

Use ‘? <command>’ (the ? sign, a space, and the command) or this will not work: the ? is the tag that IMAP requires in front of every command. The username is the username you have on your domain/exchange/imap server (the @domainname should not be needed here).
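The same check as a script, as an added example that is not part of the original post: it sends the three tagged commands over TLS, ending each with CRLF as -crlf does, and reads the tagged OK/NO/BAD line that completes each one. Unlike a default s_client session, ssl.create_default_context() refuses an untrusted or mismatched certificate. The function names and the sample reply are constructed for illustration.

```python
import socket
import ssl

TAG = "?"  # the tag used on this page; any short token works as an IMAP tag

# Constructed sample of what a server sends back after "? SELECT Inbox".
SAMPLE_REPLY = ["* 3 EXISTS\r\n", "* OK [UIDVALIDITY 1] UIDs valid\r\n",
                "? OK [READ-WRITE] SELECT completed\r\n"]


def tagged_status(lines, tag=TAG):
    """Return (status, text) from the completion line carrying our tag.

    Untagged lines start with "*". The reply that ends a command starts with
    the tag we sent, then OK, NO or BAD. (None, "") means no completion yet.
    """
    for line in lines:
        parts = line.rstrip("\r\n").split(" ", 2)
        if len(parts) >= 2 and parts[0] == tag and parts[1].upper() in ("OK", "NO", "BAD"):
            return parts[1].upper(), parts[2] if len(parts) > 2 else ""
    return None, ""


def quote(value):
    """IMAP quoted string, so spaces or quotes in a password do not split the command."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def run_command(stream, command, tag=TAG):
    """Send "<tag> <command>" ending in CRLF, then read up to its completion line."""
    stream.write(f"{tag} {command}\r\n".encode("utf-8"))
    stream.flush()
    while True:
        raw = stream.readline()
        if not raw:  # server closed the connection
            return None, ""
        status = tagged_status([raw.decode("utf-8", "replace")], tag)
        if status[0]:
            return status


def check_imaps(server, port, username, password, timeout=10):
    """TLS connect with certificate and host name verification, then LOGIN, SELECT, LOGOUT."""
    results = {}
    context = ssl.create_default_context()
    with socket.create_connection((server, port), timeout=timeout) as plain:
        with context.wrap_socket(plain, server_hostname=server) as tls:
            stream = tls.makefile("rwb")
            results["greeting"] = stream.readline().decode("utf-8", "replace").strip()
            steps = (("login", f"LOGIN {quote(username)} {quote(password)}"),
                     ("select", "SELECT Inbox"), ("logout", "LOGOUT"))
            for name, command in steps:
                results[name] = run_command(stream, command)
                if results[name][0] != "OK":
                    break
    return results
```

check_imaps("mail.example.com", 993, "user", "password") returns the greeting plus one (status, text) pair per command; the host name here is a placeholder.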

Ref : link1, link2, link3

Filed under: Uncategorized

Happy New Year 2008!

Dear visitor,

I wish you, your friends and family a great year 2008, with plenty of success in your professional and personal life, happiness and of course health. May this year 2008 be the year of the accomplishment of all your dreams and hopes.

May this year also give us at last working drivers for Linux and Windows, for those having trouble like me making them work correctly. 😉

Happy new year 2008!

Filed under: Uncategorized

Merry Christmas!

Just a word to wish every visitor of this blog a Merry Christmas and a very happy Christmas time! I hope that you will enjoy these great and magic moments with family and friends. I hope of course for everybody some very nice presents (if you have been nice during this year of course). If you have to travel by car, don’t drink and be cautious. Take care everybody!

Merry Christmas!

Filed under: Uncategorized

Building a community around an open source project

I am pretty sure that you may have some projects that you want to share with the world and that need help from the developer or user community. I have several projects in mind too, and I found this article, which is very interesting and may be useful for you too.

http://www.redhatmagazine.com/2007/09/21/building-a-community-around-your-open-source-project/

Filed under: Uncategorized

EventID 1202: Security policies are propagated with warning. 0x4b8 : An extended error has occurred.

Issue:
Security policies are propagated with warning. 0x4b8 : An extended error has occurred.

This happens on a Windows 2000 server not connected to a domain.

I have tried several things to solve this issue:

  • Tried to repair the database that could be corrupted using
    esentutl /g %Windir%\security\Database\Secedit.sdb
    But the database does not seem to be corrupted
  • Tried to delete the logs, then the logs and database, with no success
  • Some sites pointed out that a renamed administrator account could cause this issue, which is my case.
    I have tried to add an ‘Administrator’ fake account and disable it but that did not solve the issue.
  • I tried to open the security policy (secpol.msc) to modify a behaviour (rename administrator account) but I can’t connect/open the folder Account Policies (Windows cannot open the local policy database. An unknown error occured when attempting to open the database.) Ref : http://support.microsoft.com/kb/816109
  • Tried to delete the database and the logs and then execute
    secedit /refreshpolicy machine_policy /enforce
    with no luck (Ref : http://3dgpu.com/forums/lofiversion/index.php?t3321.html)
  • Then the only thing that worked for me was to copy a valid database from a working Windows (same OS version) that is also not connected to a domain, replace the database and then execute
    secedit /refreshpolicy machine_policy /enforce

Tada! Problem solved.

Filed under: Uncategorized

EventID 1015 : The timeout waiting for the performance data collection function “PerfOS” in the “C:\WINNT\system32\perfos.dll”

In Windows Event viewer :
The timeout waiting for the performance data collection function “PerfOS” in the “C:\WINNT\system32\perfos.dll” Library to finish has expired. There may be a problem with this extensible counter or the service it is collecting data from or the system may have been very busy when this call was attempted.

I have found on the http://www.eventid.net/display.asp?eventid=1015&eventno=773&source=Perflib&phase=1 web site that doing :

  • winmgmt /resyncperf

Can solve the problem. In my case, that worked.

Filed under: Uncategorized

The Open procedure for service Service in .dll DllPath failed.

This error message appears sometimes on some Windows 2000 or 2003 servers. How to fix this stuff?

Well, in my case, I located in the registry the name of the service whose performance DLL seems to have some issue registering.

  • Open regedit and navigate in HKLM\System\CurrentControlSet\Services and try to find the name of the service. (in my case, I have some troubles with IAS and the DLL iasperf.dll, the service name here is IAS)
  • Next, go in C:\Windows\system32 (or winnt if you are with Windows 2000)
  • unlodctr IAS
    (unlodctr <name of the service>)
  • findstr drivername *.ini
    Which lists all the files that have the string ‘drivername’ in them
  • Locate the ini file for your service
  • lodctr <name of the ini file>.ini
    in my case it was iasperf.ini

And the error message should disappear.

Thanks to : http://support.microsoft.com/?id=299059

There is also a more complex procedure which involves rebuilding the performance counters. You can find the procedure here : http://support.microsoft.com/kb/300956/en-us

I had to use this procedure because of the same issue with performance counters and .NET Framework. Note that sometimes the ini files are not located in %systemroot%\system32 but in the folder where the application is installed (like C:\windows\Framework\<the version>\). Then use the lodctr program with the ini file, like aspnet_perf.ini, or sometimes directly with the dll aspnet_perf.dll.

Filed under: Uncategorized

WSUS Installation with SSL

I would like to share with you some things that could help you with a new installation of WSUS (Windows Server Update Service 3).

In fact the setup itself is quite straightforward; the only things that you have to care about are:

  • If possible, put the WSUS server in an Active Directory domain, because that way it will be simpler to administer the computers, groups and the certificate if you use SSL
  • Put the database of WSUS and the downloaded files on a big disk and if possible on a different drive than the one where the OS and SQLServer will be installed
  • If you have SQLServer 2005 you can use it instead of the embedded version shipped with this tool, but in any case do not use the SQLServer 2005 Express edition, simply because that version has some limitations that the embedded version (Windows Internal Database, as Windows reports it) does not have, like the amount of memory you can give to the server, the number of CPUs that SQLServer can use and the database size. (ref : http://blogs.codes-sources.com/christian/archive/2007/04/19/sql-server-2005-sql-server-embedded-edition-windows-internal-database.aspx)
  • Well, maybe this embedded version is cool, but what if you want to manage it a little more? You have the option to install and use the SQLServer Management Studio Express and, as a parameter of the connection, use :
    \\.\pipe\mssql$microsoft##ssee\sql\query
  • For the backup now. Well, in my case I use a simple script that :
    • Creates the backup of the WSUS database using NTBACKUP from the command line
    • Then uses 7-zip to compress the resulting file (NTBackup does not …)
      Here is the listing :
      REM Date1 now holds the date in yyyymmdd format
      REM (assumes that date/t prints mm/dd/yyyy; this depends on the regional settings)
      for /f "tokens=1-3 delims=/ " %%a in ('date/t') do set Date1=%%c%%a%%b
      REM Delete the old bkf file; "echo y|" auto-confirms the prompt
      echo y|del D:\*.bkf
      REM Back up the WSUS database folder to a dated bkf file
      ntbackup backup D:\Databases\WSUS\UpdateServicesDbFiles\ /J "WSUS Databases backup" /FU /V:yes /HC:on /L:f /F "D:\WSUS_DB_BCK_%Date1%.bkf"
      REM Compress the bkf file with 7-Zip, then delete the uncompressed copy
      cd /d "C:\Program Files\7-Zip"
      7z.exe a -tzip d:\WSUS_DB_BCK_%Date1%.bkf.zip "d:\WSUS_DB_BCK_%Date1%.bkf"
      echo y|del D:\WSUS_DB_BCK_%Date1%.bkf

Those are the basics. I will not go into configuring the entire system because you are big boys and some configurations may differ depending on how your setup is.

Anyway, for the SSL part now.

Just remember that when WSUS is configured to use SSL, SSL will in fact not be used to encrypt the transfer of the patches or updates. This part is done by the BITS system (I really don’t know if the file transfer is encrypted or not). SSL will be used to secure communications for :

  • The remote console with the server itself (which is accessible using IIS)
  • Communication between clients (computers and servers) and the WSUS server when they request new updates or send status reports
  • Communication between an upstream server and a downstream server

That’s all.

Now let's see the process to use SSL.

  • Install Certificate Service for Windows (this is good when you don’t want to pay for a certificate and when you only want to update internal systems)
  • Generate the certificate for the web server
  • Configure IIS to use SSL
  • Configure the console to connect using SSL
  • Deploy the certificate on the client machines and on other remote WSUS administration consoles

You want details now? Here they are :

Install ‘Certificate Service’

  • Control Panel / Add Remove programs / Add remove windows components and select ‘Certificate Service’
  • Confirm (Yes), Next
  • Choose what 'kind' of CA you want to install (in my case Stand Alone Root CA)
  • Choose a common name (the name of the server): WSUSSRV
  • Distinguished name suffix: dc=yourdomain,dc=com
  • Validity period: 5 years
  • Next. A message may pop up if you have already installed and then uninstalled Certificate Service : 'The private key “WSUSSRV” already exists. Do you want to overwrite this key with a new one?', confirm by ‘Yes’
    Certificate Service setup will generate a new key
  • Options: Certificate database: C:\WINDOWS\system32\CertLog
  • Certificate database log: C:\WINDOWS\system32\CertLog
  • Shared folder: C:\CAConfig
  • Next. A message will pop up saying that IIS will be restarted, confirm ‘Yes’
    Certificate Service setup will then install and copy some files (the Windows CD may be required)
  • Finish

Certificate request for the WSUS web site

  • In IIS, right click on the WSUS web site and then Properties\Directory Security\Secured Communications
  • Click on 'Server certificate', Next
  • Create new certificate
  • Choose Prepare request now but send it later, Next
  • Name : WSUSSRV WSUS SSL
  • Bit length: 1024
  • Do not check the option ‘Select cryptographic service provider (CSP) for this certificate’, Next
  • Organization : your organization
  • Organizational unit : again, you know your company better than me
  • Next
  • Common name: WSUSSRV
  • Next
  • Country/Region : CA (Canada) (at least for me, you know where you live)
  • State/Province : Québec
  • City/Locality : Montréal
  • Next
  • Give the path and the file name for the certificate request file :
    c:\certreq.txt
  • Next, Next, Finish

Installation and Approval of the certificate request

  • Programs / Administrative Tools / Certification Authority
  • Right click on the name of the server, then All tasks / Submit new request
  • Give the path of the certificate request you have just created earlier
    c:\certreq.txt
  • Click on the folder 'Pending Requests'
  • Select the certificate in the right pane (Ex : Request id 2)
  • Right click / All tasks / Issue
  • Go to the folder 'Issued Certificates'
  • Select in the right pane the certificate that we have just issued
  • Double click on the certificate (Ex : Request id 2)
  • In the Detail tab click on 'Copy to file', Next
  • Select the format (Base-64 encoded x509 (DER)), Next
  • Give the path and the name of the file
    C:\cert_wsus
  • Save, Next, Finish
  • A message should be displayed 'The export was successful'
  • In IIS, right click on the WSUS web site, then Properties / Directory Security / Secured Communications
  • Click on 'Server certificate', Next
  • Select 'Process the pending request and install the certificate', Next
  • Select the certificate file
    C:\cert_wsus.cer
  • Next
  • Select the SSL port (default : 443)
  • Next, Next, Finish, OK
  • Now, for the folders :
    • ApiRemoting30,
    • ClientWebService,
    • DssAuthWebService,
    • ServerSyncWebService,
    • SimpleAuthWebService
  • Right click on the folder, Properties / Directory Security / Secured Communications and then 'Edit'
  • Check the option 'Require Secure Channel (SSL)'
  • OK, Apply, OK
  • Open a dos prompt and type iisreset to restart the web service
  • Run the dos command
    Cd c:\program files\update services\tools
    wsusutil configuressl WSUSSRV
    (Note : be careful with uppercase and lowercase. In my case, I first used lowercase for the server name, which made the server appear twice in the WSUS console)
  • Open the WSUS console
  • Check that you can connect and see the server. Or, delete the server and add it again, checking the option to use SSL this time

Configuration

  • Now, in the domain controller or the registry for the servers that are not in the Active Directory and are managed by script, change the url of the WSUS server to http://WSUSSERVER. Note that on your domain controller, this setting is managed by a GPO.
  • On the client computer, open a dos prompt and type
    gpupdate
    To refresh the policy settings
  • Download and install the WSUS client diagnostic tool 'clientdiag.exe' and then execute it to check if all is correct (ref : http://technet.microsoft.com/en-us/wsus/bb466192.aspx)

Checking the certificate installation

  • Start / Run / mmc and select the snap-in ‘Certificate’ for Local Machine
  • Check that in the ‘Personal’ folder, the 2 certificates (root and wsus) are present
  • Check that the root certificate is also listed in the 'Trusted Root Certification Authorities' folder (you can do a copy paste if it is not)
  • Open the root certificate by double clicking on it
  • In the Detail tab, click on 'Copy to file', Next
  • Select the format (Base-64 encoded x509 (DER)), Next
  • Select the name and path
    C:\cert_root_wsussrv.cer
  • Save
  • Next, Finish. The message 'The export was successful' should appear
  • Close the console

Certificate installation on the client side

You can use a setting in AD Users and Computers to automatically push a certificate to your client computers, if you have configured your Certificate Service to be an Enterprise Root CA (so it will be integrated into the Active Directory). I will not cover this part now. I will assume that the certificate installation on the client computer will be done by hand. Of course, if you have hundreds of PCs, doing it using AD Users and Computers is more than recommended.

Do the following operations on every computer that will contact the WSUS server and on every server or computer where the WSUS console is installed. I will assume that you have copied the certificates to the C drive of each computer, but you can put those files on a share in your network.

  • Start / Run / mmc, select the snap-in ‘Certificate’ for the local machine
  • In the Personal / Certificate folder, right click / All tasks / Import
  • Next
  • Select the file
    C:\cert_root_wsussrv.cer
  • Next
  • Select 'Place all certificates in the following store' [Personal]
  • Next, Next, Finish, OK
  • Do exactly the same process for the web certificate cert_wsus_wsussrv.cer
  • In the Trusted Root Certification Authorities / Certificate folder, right click and All tasks / Import
  • Next
  • Select the file
    C:\cert_root_wsussrv.cer
  • Select 'Place all certificates in the following store' [Trusted Root Certification Authorities]
  • Next, Next, Finish, OK
  • Close the console
  • Open the WSUS console to check if you can connect (in the case where this console is on another computer than the one where the WSUS server is installed, like your desktop for example)

To check if your newly configured client can contact the server, remember to use in DOS:

wuauclt /detectnow

Then locate and open the file C:\Windows\WindowsUpdate.log to see if all is correct.

Filed under: Uncategorized