Wednesday, March 2, 2016

Operating system deployment slowness at remote sites.



Up until last week Task Sequence was taking approximately 9 hours to finish the image at remote sites; now it’s taking a little less than 2 hours. Below is the detailed explanation of the issue and the fix.

While checking the SMSTS.log and DataTransferService.log logs on TEST001 (testing machine; this one took 9 hours to finish), I found out that the packages and applications were getting downloaded from one of the primary sites (PRI01). We wanted all the packages and applications to be downloaded from the remote distribution point (RDP01), as this server is local on the remote network (RN01) and has all the required packages/applications. I looked at the boundaries on the PRI02 site (RDP01 belongs to PRI02) and everything was correct. I tried to redistribute packages, and to delete and re-add the boundary and boundary group for the remote office, but none of these fixed the issue. After struggling for a bit, I decided to check the boundary on the PRI01 site.

When I connected to PRI01 site, I realized that there was a typo for boundary IN CRP - 1. Below is the snapshot of the IN CRP - 1 boundary that I found.











As you can see here, the starting IP is 10.193.8.1 and ending IP is 19.193.11.254. This includes all the IP addresses between these two IP addresses, which includes all of our remote sites as they have IP addresses like 10.202/204/205/210 etc. Because of this conflict, the client was thinking that although it belongs to the PRI02 site, it's currently roaming in the PRI01 site, and hence was using the PRI01 distribution point. After I changed the ending IP address to 10.192.11.254, the client in RN01 started downloading packages/applications from RDP01 and TS execution time went down from 9 hours to just under 2 hours.

So going forward, please pay special attention to details like this; any misconfiguration can lead to issues at some other office location.
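
A typo like this can be caught before clients start roaming by auditing the IP range boundaries for oversized ranges and for overlaps between sites. The script below is an added example, not part of the original post: the function names, the 65536-address threshold and the PRI02 row are assumptions, and only the 'IN CRP - 1' start and end values are taken from the text above.

```powershell
# Added example. The PRI02 boundary is constructed sample data.
function ConvertTo-IPNumber {
    param([Parameter(Mandatory)][string]$Address)
    $o = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    # [long] arithmetic so a high first octet cannot overflow a 32-bit int
    ([long]$o[0] * 16777216) + ([long]$o[1] * 65536) + ([long]$o[2] * 256) + [long]$o[3]
}

function Get-BoundaryFinding {
    param([Parameter(Mandatory)][object[]]$Boundary, [long]$MaxAddresses = 65536)
    $rows = @(foreach ($item in $Boundary) {
        [pscustomobject]@{
            Site = $item.Site; Name = $item.Name
            Lo   = (ConvertTo-IPNumber $item.First)
            Hi   = (ConvertTo-IPNumber $item.Last)
        }
    })
    # Per-boundary sanity checks: reversed range, or far larger than one office
    foreach ($r in $rows) {
        $size = $r.Hi - $r.Lo + 1
        if ($r.Hi -lt $r.Lo) {
            [pscustomobject]@{ Boundary = $r.Name; Issue = 'end address is lower than start address' }
        } elseif ($size -gt $MaxAddresses) {
            [pscustomobject]@{ Boundary = $r.Name; Issue = "range covers $size addresses" }
        }
    }
    # Pairwise overlap between boundaries that belong to different sites
    for ($i = 0; $i -lt $rows.Count; $i++) {
        for ($j = $i + 1; $j -lt $rows.Count; $j++) {
            $x = $rows[$i]; $y = $rows[$j]
            if ($x.Site -ne $y.Site -and $x.Lo -le $y.Hi -and $y.Lo -le $x.Hi) {
                [pscustomobject]@{
                    Boundary = "$($x.Name) <-> $($y.Name)"
                    Issue    = "overlap between sites $($x.Site) and $($y.Site)"
                }
            }
        }
    }
}

$boundaries = @(
    [pscustomobject]@{ Site = 'PRI01'; Name = 'IN CRP - 1'; First = '10.193.8.1'; Last = '19.193.11.254' }
    [pscustomobject]@{ Site = 'PRI02'; Name = 'RN01 (constructed)'; First = '10.202.0.1'; Last = '10.202.3.254' }
)
Get-BoundaryFinding -Boundary $boundaries | Format-Table -AutoSize -Wrap
```

With the range as it was mistyped, the script reports both an oversized 'IN CRP - 1' range and an overlap between PRI01 and PRI02.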



Creating Chrome extension package in SCCM 2012


Last month I was asked to create an SCCM package for a Chrome extension, 'RingDNA' (intelligent dialer for Salesforce). Well, at first it looks stupid, creating a package for a Chrome extension which is just one click away from installing from the Chrome Web Store; anyway, I still gave it a try.

Steps:-
1. First of all, I downloaded the .crx file using this Chrome Extension downloader - http://chrome-extension-downloader.com/

2. In the Registry, I created a new key under the Extensions key with the same name as the ID of your extension. If you don't know the ID, follow these steps to note the ID:
            a) Install the required extension manually.
            b) Open Settings from the Chrome menu bar > click on Extensions > enable developer mode from the top right corner; this will show the IDs for all installed extensions.
            c) Alternatively, open C:\Users\<currentuser>\AppData\Local\Google\Chrome\User Data\Default\Extensions; it will contain a folder with the same name as the ID of your extension.

3. I created a .reg file with following keys.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\Extensions]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\coeeccnnaonnljjhoonkmmoihpibgane]
"update_url"="https://clients2.google.com/service/update2/crx"

Now, you'll be wondering why I had to create the 'Extensions' key in the first line: it wasn't created by default in the registry (ideally it should be created automatically at the time of Chrome installation), so I had to create this key first, followed by a new key under the Extensions key with the same name as the ID of 'RingDNA'. In that key I then created a property, "update_url"="https://clients2.google.com/service/update2/crx" (this points to your extension's crx in the Chrome Web Store).
4. Now create a package in SCCM using the above .reg file.
5. Click Install, then click Yes; it'll install in the background.
6. After a while, re-open Chrome.
7. A pop-up will appear in the upper right corner and will stay there for a while; click on Enable extension before it fades away.
8. The extension icon should display in the upper right corner, which confirms that the extension has been added successfully.
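
Because any key under this Extensions path makes Chrome offer that extension to every user of the machine, it is worth checking after deployment that only the intended ID is registered and that it points at the Web Store. The script below is an added example, not part of the original post: the function name and the approved-ID list are assumptions, while the registry path, extension ID and update URL are the ones from the .reg file above.

```powershell
# Added example. Reads the machine-wide Chrome external-extension registrations
# and flags anything that is not on the approved list or not served by the Web Store.
function Get-ChromeExternalExtension {
    param(
        [string]$Root = 'HKLM:\SOFTWARE\Wow6432Node\Google\Chrome\Extensions',
        [string[]]$ApprovedId = @('coeeccnnaonnljjhoonkmmoihpibgane'),
        [string]$StoreUrl = 'https://clients2.google.com/service/update2/crx'
    )
    if (-not (Test-Path -LiteralPath $Root)) {
        Write-Warning "Key not found: $Root"
        return
    }
    foreach ($key in Get-ChildItem -LiteralPath $Root) {
        $id  = $key.PSChildName
        $url = [string]$key.GetValue('update_url')
        $issues = @()
        # Chrome extension IDs are 32 characters from the range a-p
        if ($id -cnotmatch '^[a-p]{32}$') { $issues += 'malformed ID' }
        if ($ApprovedId -notcontains $id) { $issues += 'ID not on approved list' }
        if (-not $url)                    { $issues += 'update_url missing' }
        elseif ($url -ne $StoreUrl)       { $issues += 'update_url is not the Web Store' }
        $status = 'OK'
        if ($issues.Count -gt 0) { $status = $issues -join '; ' }
        [pscustomobject]@{
            ExtensionId = $id
            UpdateUrl   = $url
            Status      = $status
        }
    }
}

Get-ChromeExternalExtension | Format-Table -AutoSize -Wrap
```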


Monday, January 18, 2016

How Symantec disabled Corporate Wifi on some of the machines.

Issue - Today, some laptop users started reporting that they were unable to connect to corporate wireless after the System Center Endpoint Protection (SCEP) installation took place. I found that most of the laptop users were having this issue.
Troubleshooting done - I immediately uninstalled SCEP but that didn’t help; I tried removing Wi-Fi profiles under the path ‘C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\Interface’ but that didn’t help either.

Error - When checking Event Viewer, the only error that showed up is as follows, 5 times in a row.
         “Error skipping EAP method DLL path name validation failed. Error: typeId=25, authorId=0,vendorId=0,vendorType=0”. This error indicates a registry issue or a missing or corrupt file.

EAPHost is a Microsoft Windows networking component that provides an Extensible Authentication Protocol (EAP) infrastructure for authentication protocols such as 802.1X and Point-to-Point Protocol (PPP).

Cause - Symantec didn’t uninstall properly, which caused this issue.

Resolution – After checking the Group Policy ‘Wireless Network (IEEE 802.11) Policy’ offering all Wi-Fi profiles, none of the profiles were listed, as shown in the figure below.
While checking Event Viewer I found the above error, which led me to think that it's a registry issue. I immediately checked the registry path under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP and found that Symantec .dll files were registered. I exported the EAP registry files from a working machine and imported them into the affected machines, rebooted the system, and it connected back to WiFi successfully.





Error message when you try to install SQL Server 2008/2008 R2 SP3: “The NT service 'MSSQLSERVER' could not be started”

Issue - We encountered an issue while working on a SQL 2008 R2 SP3 installation. While running the SP3 setup files, a window suddenly popped up with a message.

Error Message – “SQL Server has encountered the following error: The NT Service: MSSQLSERVER could not be started, error code 0x884B20001”




Troubleshooting done –
1.     Some blogs were suggesting that it’s a permission issue, so we immediately logged in to the server with a different admin account and tried to install SP3, but it threw the same error.
2.     When we checked “Installed Updates” under “Programs and Features”, we found that SP3 had been installed. We tried to remove the installed components of Service Pack 3, but again it gave an “Access Denied” error.
3.     We tried to repair the SQL instance, but again we came across the “Access Denied” error.
4.     We checked summary.txt (C:\Program Files\Microsoft SQL Server\100\Setup Bootstrap\Log) and observed the following logs:

Final result:  The patch installer has failed to update the following instance:. To determine the reason for failure, review the log files.
Exit code (Decimal):   -2068709375
Exit facility code:        1202
Exit error code:          1
Exit message:            The NT service 'MSSQL' could not be started.
Requested action:       Patch

Additionally, we observed the error message below in the Details log located at C:\Program Files\Microsoft SQL Server\100\Setup Bootstrap\Log\Instancenamefolder\Details.txt

Slp: The following NT service was in a stopped state prior to patch action: SQLServer
Slp: Sco: Attempting to open SC Manager
Slp: Attempting to run patch request for instance: Instancename
Slp: Error: Failed to run patch request for instance: SQLinstance (exit code: -2068709375)

The above logs clearly say that while patching, the installer was not able to start and stop the NT services, which seems to be an issue with the permissions of the account running the upgrade. While checking the permissions and googling, we found that the account used for patching should have administrative rights on SQL and the Windows server, including the permissions in local policies listed below.

Backup files and directories (SeBackupPrivilege)
Debug Programs (SeDebugPrivilege)
Manage auditing and security log (SeSecurityPrivilege)

Local policies can be accessed from the path below:
Control Panel --> Administrative Tools --> Local Security --> Settings --> Local Policies --> User Rights Assignment

Resolution - Immediately, we checked the Group Policies being applied on this server and found that our patching account did not have rights on the above policies, which was causing issues with NT service start/stop.

To resolve this we moved the affected server into the proper OU, where administrators are added to the above group policies; we rebooted the server and re-initiated the installation, and it completed successfully this time.
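
The three user rights can be checked before setup is started, rather than after it fails. The script below is an added example, not part of the original post: the function name is an assumption and the sample rows are constructed. It reads the output of whoami /priv, so it must be run from an elevated prompt as the patching account, because a non-elevated token does not list these privileges.

```powershell
# Added example. Checks the current logon token for the three user rights
# that the patching account needs according to the text above.
function Test-PatchAccountPrivilege {
    param(
        # CSV lines in the format produced by: whoami /priv /fo csv /nh
        [string[]]$PrivilegeCsv = (whoami /priv /fo csv /nh),
        [string[]]$Required = @('SeBackupPrivilege', 'SeDebugPrivilege', 'SeSecurityPrivilege')
    )
    $held = @($PrivilegeCsv | ConvertFrom-Csv -Header Name, Description, State)
    foreach ($priv in $Required) {
        $row = $held | Where-Object { $_.Name -eq $priv } | Select-Object -First 1
        # A privilege shown as "Disabled" is still assigned to the account;
        # only a privilege that is absent from the list is missing.
        $state = 'not assigned'
        if ($row) { $state = $row.State }
        [pscustomobject]@{
            Privilege = $priv
            Assigned  = [bool]$row
            State     = $state
        }
    }
}

# Constructed sample input: a token that holds only one of the three rights
$sample = @(
    '"SeBackupPrivilege","Back up files and directories","Disabled"'
    '"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"'
)
Test-PatchAccountPrivilege -PrivilegeCsv $sample | Format-Table -AutoSize

# Live check of the current (elevated) session
$missing = Test-PatchAccountPrivilege | Where-Object { -not $_.Assigned }
if ($missing) {
    Write-Warning ("Missing user rights: " + ($missing.Privilege -join ', '))
}
```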

Monday, December 21, 2015

Troubleshooting Frequent Account lockout

Most user accounts get locked out from local desktops and mobile devices, or from idle sessions left on a server / workstation. We need to start account lockout troubleshooting in the order below.
  1. Client side troubleshooting
  2. Mobile devices
  3. Server side  troubleshooting
Client side
Perform the steps below on the client side (local desktop / laptop)
  • Clear temporary files
  • Delete Cookies -> Temp Files -> History -> Saved passwords -> Forms from all the browsers.
  • Start –> Run –> Temp –> Delete all temp files.
  • Start –> Run –> Prefetch –> Delete all Prefetch files.
  • Remove mapped drives from My Computer.  My Computer –> right click on the shared drive –> click on Disconnect
  • If Adobe Reader is installed, it will be trying to check for the latest update in the background. Delete the Adobe updater file from the path below: delete the AdobeUpdater.dll file in the folder C:\Program Files\Adobe\Reader version \Reader
  • Remove stored passwords from Control Panel
  • Start –> Run –> type Control UserPasswords2, click on Advanced, manage passwords, and delete all the passwords
  • Remove unwanted applications from startup (Run -> msconfig –> Startup –> uncheck unwanted software)
  • Scan the entire HDD and update the antivirus agent
  • Check the third-party software installed on the client side; if it’s not required, uninstall it.
  • Open the Task Scheduler (Run --> Tasks) and delete the unwanted tasks. Most of the time, Automatic backup / Google Update / Apple Updates will be installed by default; remove all.
  • Uninstall auto-update software in Control Panel (you can update this software manually)
  • If the user’s account acts as a service account, update the latest password in the service.
  • Check whether the user’s account is used as an IIS application pool identity.

Mobile Devices

Perform the steps below on mobile devices / smartphones (BYOD)
 If the user recently changed the password and forgot to update it on mobile devices, that sometimes causes the account lockout for the user ID. Does the user involved have a smartphone or some kind of mobile device using AD credentials for connecting (like Exchange)? If it fails to connect 5 times (depending on your GPOs), it locks the account. Have a look at everything that uses the user account automatically, especially the mobile (90% of the time guilty).
  • Go to account settings on the mobile device and update the latest password.
  • Reboot the device if required.
  • If the issue persists, delete and reconfigure the device.
  • If you found that the account is getting locked from the mobile device and you are unable to fix it by performing the above steps, take the necessary backup, wipe the device completely and reconfigure the device.

Server / Active Directory

Use the tools below to find out the source of the account lockout - on the server
  1. Account Lockout and Management Tool. http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=18465

Tuesday, December 15, 2015

Unable to connect to Wireless profile being pushed using GPO

Today, some laptop users started reporting that they were unable to connect to the ‘Wireless profile’ after the SCEP installation had taken place. I found that most of the laptop users were having this issue. I immediately uninstalled SCEP but that didn’t help; I tried removing Wi-Fi profiles under the path ‘C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\Interface’ but that didn’t help either.

Error - When checking Event Viewer, the only error that showed up is as follows, 5 times in a row.
         “Error skipping EAP method DLL path name validation failed. Error: typeId=25, authorId=0,vendorId=0,vendorType=0”. This error indicates a registry issue or a missing or corrupt file.

EAPHost is a Microsoft Windows networking component that provides an Extensible Authentication Protocol (EAP) infrastructure for authentication protocols such as 802.1X and Point-to-Point Protocol (PPP).

Cause - Symantec didn’t uninstall properly, which caused this issue.

Resolution – After checking the Group Policy ‘Wireless Network (IEEE 802.11) Policy’ offering all CRP Wi-Fi profiles, none of the profiles were listed, as shown in the figure.
While checking Event Viewer I found the above error, which led me to think that it's a registry issue. I immediately checked the registry path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP and found that Symantec .dll files were registered. I exported the EAP registry files from a working machine and imported them into the affected machines, rebooted the system, and it connected back to INCRP successfully.

Lesson learned – We have to rethink our strategy of deploying SCEP (specifically on laptops) using client settings which uninstall the ‘Symantec Client’ automatically, because this method does not remove the ‘Symantec Client’ completely and leaves behind some registry entries tied to Symantec. We need to have a package created in SCCM that uninstalls the ‘Symantec Client’ completely, and deploy it to laptop machines before we push the SCEP client settings that install SCEP.
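
For this post and the January 18, 2016 post on the same issue, leftover EAP registrations can be found before users lose Wi-Fi by checking every DLL registered under the EAP key. The script below is an added example, not part of the original posts: the function name is an assumption, and so is the rule that any value whose name ends in 'Path' holds a DLL path. Run it in 64-bit PowerShell so that System32 paths are not redirected.

```powershell
# Added example. Lists each EAP method registered under RasMan\PPP\EAP and
# reports DLL paths that do not exist or that are not Microsoft binaries.
function Test-EapMethodDll {
    param(
        [string]$EapRoot = 'HKLM:\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP'
    )
    foreach ($method in Get-ChildItem -LiteralPath $EapRoot) {
        # Assumption: values named *Path point at the DLLs EAPHost validates
        $pathValues = @($method.GetValueNames() | Where-Object { $_ -like '*Path' })
        foreach ($name in $pathValues) {
            # GetValue() expands %SystemRoot% in REG_EXPAND_SZ data
            $path    = [string]$method.GetValue($name)
            $exists  = [bool]($path -and (Test-Path -LiteralPath $path -PathType Leaf))
            $company = $null
            if ($exists) {
                $company = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
            }
            [pscustomobject]@{
                TypeId  = $method.PSChildName   # subkey name, e.g. 25 as in the event text
                Value   = $name
                Path    = $path
                Exists  = $exists
                Company = $company
            }
        }
    }
}

# Entries worth reviewing: missing files and third-party DLLs
Test-EapMethodDll |
    Where-Object { -not $_.Exists -or $_.Company -notlike 'Microsoft*' } |
    Format-Table -AutoSize -Wrap
```

An empty result means every registered EAP DLL exists and is a Microsoft binary; a third-party row is not necessarily a fault, but a row with Exists = False matches the condition described in the event text.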
