
Archive for January, 2009

Yesterday I blogged about some of the confusion that Windows Server 2008 User Account Control can cause.  Continuing on the same theme, here is another example – this time using slmgr.vbs to query the licence activation status of a Windows Server 2008 machine.

This is what you see when you run the command line from a command window that was opened without elevated privileges.

cscript %windir%\system32\slmgr.vbs -dli

Name: Windows Server(R), ServerStandard edition
Description: Windows Operating System – Windows Server(R), VOLUME_KMSCLIENT channel
Partial Product Key: BFGM2
License Status: Licensed
Volume activation expiration: 250200 minute(s) (173 day(s))

Key Management Service client information
    Client Machine ID (CMID): 3af05e3c-b291-47ad-bbf9-cc6278b3c923
    DNS auto-discovery: KMS name not available
    KMS machine extended PID: 55032-00152-339-003838-03-5129-6001.0000-0062009
    Activation interval: 120 minutes
    Renewal interval: 10080 minutes

As you can see, the name of the Key Management Server (KMS) is unavailable, which is not very helpful if you are trying to troubleshoot a KMS issue. 

But now look at what happens when you run the same command as Administrator (i.e. with elevated privileges).

Name: Windows Server(R), ServerStandard edition
Description: Windows Operating System – Windows Server(R), VOLUME_KMSCLIENT channel
Partial Product Key: BFGM2
License Status: Licensed
Volume activation expiration: 250200 minute(s) (173 day(s))

Key Management Service client information
    Client Machine ID (CMID): 3af07e3c-b291-47ad-bbf9-cc6278b3c923
    KMS machine name from DNS: kms1.contoso.com:1688
    KMS machine extended PID: 55032-00152-339-003838-03-5129-6001.0000-0062009
    Activation interval: 120 minutes
    Renewal interval: 10080 minutes

In this case the name of the KMS server is shown correctly.

I think it would be more helpful if, in the first example above, the whole command were to fail with an error indicating that elevated privileges are required to successfully complete the command.  The fact that the command partially completes only causes confusion.

I’ve been working with both Vista and Windows Server 2008 for quite a while now, but I still manage to fall foul of User Account Control, especially when working from the command prompt.  As you will no doubt be aware, there are certain tasks that need elevated privileges and these require you to open the command window as Administrator (you do this by right-clicking the command prompt icon and selecting “Run As Administrator”).

If you try to run tasks that require elevated privilege in a normal (i.e. unprivileged) command window, one of two things will happen.  Either the command that you are attempting to run will tell you that it requires elevated privileges, or it will fail with an (often obscure and unhelpful) error message.  Here’s an example.

The other day I wanted to run the Active Directory Schema MMC snap-in (schmmgmt.msc) on a DC.  To access the snap-in you first need to register a DLL named schmmgmt.dll.  The command to do this is:

regsvr32 schmmgmt.dll

On a Windows Server 2008 machine this activity requires elevated privileges, so you need to run the command as Administrator.  If you don’t, you will see the error below.

The module “schmmgmt.dll” was loaded but the call to DllRegisterServer failed with the error code 0x80040201

[Screenshot: uac1.JPG]

It took me a good few minutes to work out what I had done wrong. Doh!  Hopefully I’ll eventually get the hang of User Account Control.
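Both the slmgr.vbs post above and the regsvr32 one share the same failure mode: an admin-only command run from an unelevated prompt either half-completes or fails obscurely. The following PowerShell, an added example and not a script from the post, does what the author wishes the tools did: it checks for elevation up front and refuses with a clear error, then parses the slmgr output so the "KMS name not available" case is flagged explicitly. It uses only built-in .NET identity classes; the function names are my own.

```powershell
# Added example, not from the post: fail loudly when an admin-only command is run
# from an unelevated prompt, instead of the partial (slmgr) or obscure (regsvr32)
# behaviour described above. Requires nothing beyond Windows PowerShell and .NET.
function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Runs a native command only if this session is elevated; otherwise throws the
# explicit "you need to Run as Administrator" error the tools themselves omit.
function Invoke-ElevatedCommand {
    param([Parameter(Mandatory = $true)][string]$FilePath,
          [string[]]$ArgumentList = @())
    if (-not (Test-IsElevated)) {
        throw "'$FilePath' needs an elevated prompt (right-click, Run as Administrator); refusing to run it unelevated."
    }
    & $FilePath @ArgumentList
    if ($LASTEXITCODE -ne 0) { throw "$FilePath exited with code $LASTEXITCODE" }
}

# Parses 'slmgr.vbs -dli' into a hashtable keyed by the labels shown in the post
# (e.g. 'License Status', 'KMS machine name from DNS') and flags missing discovery.
function Get-KmsClientInfo {
    $lines = Invoke-ElevatedCommand 'cscript.exe' @('//nologo', "$env:windir\system32\slmgr.vbs", '-dli')
    $info = @{}
    foreach ($line in $lines) {
        # First colon splits label from value; the value may itself contain ':' (host:port).
        if ($line -match '^\s*([^:]+?):\s*(.*)$') { $info[$Matches[1]] = $Matches[2] }
    }
    if ($info['DNS auto-discovery'] -eq 'KMS name not available') {
        # We know we ran elevated, so UAC is ruled out and the problem is genuinely discovery.
        Write-Warning 'KMS name not available even when elevated: look at DNS auto-discovery, not UAC.'
    }
    return $info
}

# Usage: (Get-KmsClientInfo)['KMS machine name from DNS']
#        Invoke-ElevatedCommand 'regsvr32.exe' @('/s', 'schmmgmt.dll')
```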

Most people are (quite rightly) terrified of seeing a whole bunch of errors in the DS event log following a schema update.   This happened to me in a lab environment at a customer recently and I thought I would share the information here.

I ran Windows Server 2008 adprep /forestprep on a Windows Server 2003 SP1 DC.  All seemed to go well and the schema update completed successfully.  Before moving on I checked the Directory Service event log and found a large number of 1136 error events.  There were effectively two events that were recurring, as shown below.

Event Type: Error
Event Source: NTDS General
Event Category: DS Schema
Event ID: 1136
Date:  23/01/2009
Time:  1:02:38 p.m.
User:  NT AUTHORITY\ANONYMOUS LOGON
Computer: DC1
Description:
Active Directory failed to create an index for the following attribute.

Attribute identifier:
591789
Attribute name:
msFVE-RecoveryGuid

A schema cache update will occur 5 minutes after the logging of this event and will attempt to create an index for the attribute.

Additional Data
Error value:
-1403 JET_errIndexDuplicate, Index is already defined

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: NTDS General
Event Category: DS Schema
Event ID: 1136
Date:  23/01/2009
Time:  1:01:53 p.m.
User:  NT AUTHORITY\ANONYMOUS LOGON
Computer: DC1
Description:
Active Directory failed to create an index for the following attribute.

Attribute identifier:
591822
Attribute name:
msFVE-VolumeGuid

A schema cache update will occur 5 minutes after the logging of this event and will attempt to create an index for the attribute.

Additional Data
Error value:
-1403 JET_errIndexDuplicate, Index is already defined

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp

Some Googling revealed that the problem is caused by a combination of the BitLocker Drive Encryption schema updates that are included as part of the Windows Server 2008 schema extensions and certain language locales (New Zealand English in my case).

The resolution of the issue involves removing the CONTAINER_INDEX setting from the searchFlags attribute value of the msFVE-VolumeGuid and msFVE-RecoveryGuid attribute schema objects.  To do this you can use ADSIEdit to modify the value for both attributes from 27 to 25, as shown in the screenshot below (the two values differ only in the 0x2 bit, which is CONTAINER_INDEX).

[Screenshot: ms-fve-recoveryguid.jpg]

Once the modifications have been made, the errors no longer recur.

Interestingly, I could not reproduce the problem when running Windows Server 2008 forestprep on a Windows Server 2003 R2 SP2 DC with the same language locale.

For more information see the Microsoft KB article below.

Error messages after you install the BitLocker Drive Encryption schema updates in a Windows Server 2003 domain
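The ADSIEdit change above can be scripted, which is useful when you want to preview it first or apply it to both attributes without clicking through the schema. The following PowerShell is an added example, not a script from the post or the KB article: it lists the attributes the Directory Service log is complaining about (Event ID 1136 with JET_errIndexDuplicate) and clears the 0x2 CONTAINER_INDEX bit from searchFlags, which is the 27 to 25 change the post makes by hand. It assumes you run it as a Schema Admin against the schema master; the function names are my own.

```powershell
# Added example (not the post's own script). Clears the CONTAINER_INDEX bit (0x2) from
# searchFlags on the two BitLocker attributes, the change the post makes in ADSIEdit
# (27 -> 25), and lists which attributes the DS event log says are affected.
# Assumes: run as a member of Schema Admins against the schema master; plain ADSI only.
$CONTAINER_INDEX = 0x2   # the searchFlags bit that ADSIEdit labels CONTAINER_INDEX

# Distinct attribute names taken from Event ID 1136 / JET_errIndexDuplicate events.
function Get-IndexDuplicateAttribute {
    Get-EventLog -LogName 'Directory Service' -EntryType Error |
        Where-Object { $_.EventID -eq 1136 -and $_.Message -match 'JET_errIndexDuplicate' } |
        ForEach-Object { if ($_.Message -match 'Attribute name:\s*(\S+)') { $Matches[1] } } |
        Sort-Object -Unique
}

function Clear-ContainerIndex {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string[]]$LdapDisplayName = @('msFVE-VolumeGuid', 'msFVE-RecoveryGuid'))

    $schemaNc = ([ADSI]'LDAP://RootDSE').schemaNamingContext
    $schema   = [ADSI]"LDAP://$schemaNc"
    foreach ($name in $LdapDisplayName) {
        # Look the attributeSchema object up by lDAPDisplayName rather than assuming its CN.
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($schema)
        $searcher.Filter = "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))"
        $searcher.PropertiesToLoad.AddRange([string[]]@('searchFlags', 'distinguishedName'))
        $hit = $searcher.FindOne()
        if ($null -eq $hit) { Write-Warning "$name not found in schema (extension not applied?)"; continue }

        $dn      = [string]$hit.Properties['distinguishedname'][0]
        $current = [int]$hit.Properties['searchflags'][0]
        $desired = $current -band (-bnot $CONTAINER_INDEX)   # 27 -> 25 in the post's case
        if ($current -eq $desired) { Write-Host "$name : searchFlags=$current, nothing to do"; continue }

        # -WhatIf reports the intended change without touching the schema.
        if ($PSCmdlet.ShouldProcess($dn, "searchFlags $current -> $desired")) {
            $attr = [ADSI]"LDAP://$dn"
            $attr.Put('searchFlags', $desired)
            $attr.SetInfo()
            Write-Host "$name : searchFlags $current -> $desired"
        }
    }
}

# Example run: see what is complaining, preview the fix, then apply it.
Get-IndexDuplicateAttribute
Clear-ContainerIndex -WhatIf
Clear-ContainerIndex
```

The script only touches the two attributes the post names; pass -LdapDisplayName if the event log reports others.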

It’s been a while, but Joe Richards has released a new version of his most excellent (and free!) command line tool, ADFIND.  This latest version is V01.39.00 and incorporates a number of new features, switches and shortcuts.  Check it out here.