Saturday, March 21, 2009

Unable to Ping or Be Pinged

In some situations this can be caused by a corrupted IPNAT.sys file, and you would either need to expand it from the I386 dump or get an updated version from Microsoft.

In this case, however, the issue occurred after McAfee was updated. It is caused by the McAfee Firewall driver located in the System32\Drivers directory (filename: Mpfp.sys).

Uninstall the McAfee software and reboot the machine. If this does not resolve your issue, do the following:

Move the Mpfp.sys file to any desired folder, then locate the following key in the registry.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MPFP

Back up the registry key, then delete it. The key will look something like the export below.

Once you have done this, reboot the machine and your issue is resolved.

The exported key is below:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MPFP]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"Tag"=dword:0000000a
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
72,00,69,00,76,00,65,00,72,00,73,00,5c,00,4d,00,70,00,66,00,70,00,2e,00,73,\
00,79,00,73,00,00,00
"DisplayName"="MPFP"
"Group"="PNP_TDI"
"DependOnService"=hex(7):54,00,63,00,70,00,49,00,70,00,00,00,00,00
"DependOnGroup"=hex(7):00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MPFP\Security]
"Security"=hex:01,00,14,80,b8,00,00,00,c4,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,88,00,06,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,04,00,00,00,00,\
00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,06,00,00,00,00,00,14,00,00,01,\
00,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,00,18,00,fd,01,02,00,01,02,00,\
00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,\
01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MPFP\Enum]
"0"="Root\\LEGACY_MPFP\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
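
Added example (not from the original post): a Python script that decodes the hex(2)/hex(7) values in a .reg export like the one above, so you can confirm from your backup which driver file and dependencies the key actually points at before you delete it. REG_EXPORT is the MPFP key from the post, trimmed to the values the script decodes.

```python
import re

# Constructed sample: the MPFP key from the post, trimmed to the values decoded here.
REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MPFP]
"Start"=dword:00000001
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
72,00,69,00,76,00,65,00,72,00,73,00,5c,00,4d,00,70,00,66,00,70,00,2e,00,73,\
00,79,00,73,00,00,00
"DisplayName"="MPFP"
"DependOnService"=hex(7):54,00,63,00,70,00,49,00,70,00,00,00,00,00
'''

def _join_continuations(text):
    """Regedit wraps long hex values with a trailing backslash; re-join the pieces."""
    return re.sub(r',\\\r?\n\s*', ',', text)

def decode_value(raw):
    """Decode one regedit value literal: dword:, "string", hex(n): or bare hex:."""
    if raw.startswith('dword:'):
        return int(raw[6:], 16)
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\')    # regedit escapes backslashes
    m = re.match(r'hex(?:\((\d+)\))?:(.*)$', raw)
    if not m:
        return raw
    kind = int(m.group(1) or 3)                   # bare "hex:" is REG_BINARY (3)
    data = bytes(int(b, 16) for b in m.group(2).split(',') if b)
    if kind not in (1, 2, 7):                     # REG_SZ / REG_EXPAND_SZ / REG_MULTI_SZ
        return data
    text = data.decode('utf-16-le')
    if kind == 7:                                 # NUL-separated, double-NUL terminated
        return [s for s in text.split('\x00') if s]
    return text.rstrip('\x00')

def parse_reg(text):
    """Return {key_path: {value_name: decoded_value}} for a .reg export."""
    keys, current = {}, None
    for line in _join_continuations(text).splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif line.startswith('"') and current is not None:
            name, _, raw = line.partition('=')
            keys[current][name.strip('"')] = decode_value(raw)
    return keys

MPFP_KEY = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MPFP'
```

Running parse_reg over the full export above shows ImagePath resolving to System32\Drivers\Mpfp.sys and the driver depending on TcpIp, which is why the box loses IP connectivity when that driver misbehaves.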

Sunday, March 8, 2009

AD Integrated DNS Zone(s) missing.

One fine day you come to work and your users are complaining that they cannot resolve any name...
You very calmly say, "Alrighty, I'll look into the issue right away."
You walk over to the server room.
Log in and then open the DNS Management Console (dnsmgmt.msc), and your jaw just drops.
You grab your head and tug on your hair, thinking to yourself "Last night when I left for home I had 4 zones, now I have none. What the #!@% is happening!!"
You follow the basic steps: restart DNS, check Event Viewer, Google the error. Then you think, let's just recreate the zones.
You try to create your zone only to realize that you can't!! "NOW what!!"

Well, I'd say just "Relax brother!! It's just a small command to fix the issue."

The Event IDs generated are:

Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 4000
Date: 3/8/2009
Time: 12:50:56 AM
User: N/A
Computer: dc2-pnq-2k3
Description:
The DNS server was unable to open Active Directory. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2d 23 00 00 -#..

Event Type: Warning
Event Source: DNS
Event Category: None
Event ID: 4013
Date: 3/8/2009
Time: 12:50:56 AM
User: N/A
Computer: dc2-pnq-2k3
Description:
The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2d 23 00 00 -#..

Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 4004
Date: 3/6/2009
Time: 4:25:39 AM
User: N/A
Computer: dc2-pnq-2k3
Description:
The DNS server was unable to complete directory service enumeration of zone .. This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2a 23 00 00 *#..

Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 4015
Date: 3/6/2009
Time: 4:25:39 AM
User: N/A
Computer: dc2-pnq-2k3
Description:
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 51 00 00 00 Q...
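
Added example (not from the original post): each event above says "the event data is the error code", and the Data: line is that code as a little-endian DWORD. This Python helper turns the four hex bytes into a number and labels the values quoted in the post with their names from winerror.h (9xxx DNS errors) and winldap.h (0x51). The 0x51 label fits the "critical error from the Active Directory" text of event 4015, but treat it as a hint, not a diagnosis.

```python
import struct

# Constructed from the "Data:" lines quoted in the post above.
EVENT_DATA = {
    4000: '0000: 2d 23 00 00 -#..',
    4013: '0000: 2d 23 00 00 -#..',
    4004: '0000: 2a 23 00 00 *#..',
    4015: '0000: 51 00 00 00 Q...',
}

# Names from winerror.h (DNS_ERROR_* are 9000-9999) and winldap.h (LDAP_* codes).
KNOWN_CODES = {
    9002: 'DNS_ERROR_RCODE_SERVER_FAILURE',
    9005: 'DNS_ERROR_RCODE_REFUSED',
    0x51: 'LDAP_SERVER_DOWN',
}

def decode_event_data(dump_line):
    """Turn 'offset: b0 b1 b2 b3 <ascii>' into the little-endian DWORD it encodes."""
    _, _, rest = dump_line.partition(':')
    raw = bytes(int(b, 16) for b in rest.split()[:4])   # first four tokens = DWORD
    return struct.unpack('<I', raw)[0]

def describe(event_id, dump_line):
    """One readable line for an event's data field."""
    code = decode_event_data(dump_line)
    name = KNOWN_CODES.get(code, 'not in table')
    return f'Event {event_id}: data 0x{code:08x} = {code} ({name})'

def decode_all(events=EVENT_DATA):
    """Decode every sample event; returns {event_id: error_code}."""
    return {eid: decode_event_data(line) for eid, line in events.items()}

if __name__ == '__main__':
    for eid, line in EVENT_DATA.items():
        print(describe(eid, line))
```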

Download the Support Tools from http://download.microsoft.com/ for your version of Windows Server (x86 or x64).
After installing, open a command prompt and run netdiag. In the output you should see the following error, or something close to it:

Trust relationship test. . . . . . : Failed
[FATAL] Secure channel to domain 'psytrix.local' is broken. [ERROR_NO_TRUST_SAM_ACCOUNT]

Here psytrix.local is your domain name.
This error message indicates that the secure channel between that machine and the domain is broken.

To fix this, just run the command below:

netdom resetpwd /server:dc1-pnq-2k3 /userd:psytrix\Administrator /passwordd:*

NOTE: dc1-pnq-2k3 is the PDC; you could also use its IP address.
At the prompt below, enter the password for the Administrator user account.
NOTE: you cannot see what is being typed, so just enter the password and hit Enter.

Type the password associated with the domain user:

The output should be:

The machine account password for the local machine has been successfully reset.

The command completed successfully.

Then restart the DNS Server service (net stop dns & net start dns).
Refresh or re-open the DNS Management Console (dnsmgmt.msc) and you will see the difference.

Friday, March 6, 2009

DHCP Custom Scope Options

Ever come across a situation where your boss or customer says, "I want to configure my Windows 2003 Server as a DHCP server that serves my IPLC (IP phones)"?

Hmmmm!! Well, this should be easy, you think. Honestly it is, but only if you know where to look and what to configure.

Here is a heads up!!
  • Open DHCP Manager (dhcpmgmt.msc).
  • Right-click the DHCP server and select Pre-Defined Options.
  • Click Add.
  • Set Name to IP Phone Boot Server (actually, whatever you want to name it is fine).
  • Set Data Type to String.
  • Set Code to 156.
  • Add a Description, if you want to.
  • Navigate to the Scope Options and add Option 156.
  • Each option value should be entered with a comma as the separating character.

The following is just an example of how you would normally set up your scope:

  • Management server - 172.16.5.2
  • Country - INDIA
  • Language - English
  • VLAN Tagging - Turned Off
  • VLAN ID - 127

Example: ftpserver=172.16.5.2,country=91,language=1,layer2tagging=n,vlanid=127
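
Added example (not from the original post): a Python helper that builds the comma-separated option 156 string from the fields shown above and sanity-checks one before it goes into the scope. The checks (ftpserver is an IPv4 address, layer2tagging is y/n, vlanid is in the 802.1Q range 1-4094, the whole option fits in the 255 bytes a DHCP option can carry) are my assumptions about a sane phone boot option, not rules from the post.

```python
import ipaddress

SEP = ','   # the separating character the post calls for

def build_option156(**fields):
    """Join key=value pairs with commas; a value may not contain the separator."""
    for key, value in fields.items():
        if SEP in str(value) or '=' in str(value):
            raise ValueError(f'{key}: value may not contain "," or "="')
    return SEP.join(f'{k}={v}' for k, v in fields.items())

def parse_option156(text):
    """Split an option 156 string back into a dict, rejecting malformed pairs."""
    result = {}
    for pair in text.split(SEP):
        key, eq, value = pair.partition('=')
        if not key or not eq:
            raise ValueError(f'malformed pair: {pair!r}')
        result[key] = value
    return result

def validate_option156(text):
    """Return the problems found; an empty list means the string looks sane."""
    problems = []
    if len(text.encode()) > 255:              # a DHCP option carries at most 255 bytes
        problems.append('option longer than 255 bytes')
    fields = parse_option156(text)
    if 'ftpserver' in fields:
        try:
            ipaddress.IPv4Address(fields['ftpserver'])
        except ValueError:
            problems.append('ftpserver is not an IPv4 address')
    if fields.get('layer2tagging', 'n') not in ('y', 'n'):
        problems.append('layer2tagging must be y or n')
    vlan = fields.get('vlanid', '1')
    if not vlan.isdigit() or not 1 <= int(vlan) <= 4094:
        problems.append('vlanid must be 1-4094')   # assumed 802.1Q VLAN ID range
    return problems

# The scope from the post, built from its fields.
SCOPE_EXAMPLE = build_option156(ftpserver='172.16.5.2', country=91, language=1,
                                layer2tagging='n', vlanid=127)
```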

Thursday, March 5, 2009

DNS Server Event ID 407, 408.

The DNS server refuses to start at times, or Event IDs 404, 407 and 408 are generated.

Details of the Event IDs are given below:

Log Name: DNS Server
Source: Microsoft-Windows-DNS-Server-Service
Date: 3/5/2009 12:03:00 PM
Event ID: 408
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: DC1-NY-2K8.psytrix.local
Description:
The DNS server could not open socket for address 127.0.0.1.
Verify that this is a valid IP address for the server computer. If it is NOT valid use the Interfaces dialog under Server Properties in the DNS Manager to remove it from the list of IP interfaces. Then stop and restart the DNS server. (If this was the only IP interface on this machine and the DNS server may not have started as a result of this error. In that case remove the DNS\Parameters\ ListenAddress value in the services section of the registry and restart.)
If this is a valid IP address for this machine, make sure that no other application (e.g. another DNS server) is running that would attempt to use the DNS port.
For more information, see "DNS server log reference" in the online Help.

Log Name: DNS Server
Source: Microsoft-Windows-DNS-Server-Service
Date: 3/5/2009 12:03:00 PM
Event ID: 407
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: DC1-NY-2K8.psytrix.local
Description:
The DNS server could not bind a User Datagram Protocol (UDP) socket to 127.0.0.1. The event data is the error code. Restart the DNS server or reboot your computer.

Log Name: DNS Server
Source: Microsoft-Windows-DNS-Server-Service
Date: 3/5/2009 12:03:00 PM
Event ID: 408
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: DC1-NY-2K8.psytrix.local
Description:
The DNS server could not open socket for address 192.168.1.151.
Verify that this is a valid IP address for the server computer. If it is NOT valid use the Interfaces dialog under Server Properties in the DNS Manager to remove it from the list of IP interfaces. Then stop and restart the DNS server. (If this was the only IP interface on this machine and the DNS server may not have started as a result of this error. In that case remove the DNS\Parameters\ ListenAddress value in the services section of the registry and restart.)
If this is a valid IP address for this machine, make sure that no other application (e.g. another DNS server) is running that would attempt to use the DNS port.
For more information, see "DNS server log reference" in the online Help.

Log Name: DNS Server
Source: Microsoft-Windows-DNS-Server-Service
Date: 3/5/2009 12:03:00 PM
Event ID: 407
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: DC1-NY-2K8.psytrix.local
Description:
The DNS server could not bind a User Datagram Protocol (UDP) socket to 192.168.1.151. The event data is the error code. Restart the DNS server or reboot your computer.

Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 404
Date: 3/5/2009
Time: 1:08:24 PM
User: N/A
Computer: DC1-NY-2K8.psytrix.local
Description:
The DNS server could not bind a Transmission Control Protocol (TCP) socket to address 127.0.0.1. The event data is the error code. An IP address of 0.0.0.0 can indicate a valid "any address" configuration in which all configured IP addresses on the computer are available for use.
Restart the DNS server or reboot the computer.

Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 404
Date: 3/5/2009
Time: 1:08:24 PM
User: N/A
Computer: DC1-NY-2K8.psytrix.local
Description:
The DNS server could not bind a Transmission Control Protocol (TCP) socket to address 192.168.1.151. The event data is the error code. An IP address of 0.0.0.0 can indicate a valid "any address" configuration in which all configured IP addresses on the computer are available for use.
Restart the DNS server or reboot the computer.

This is caused by another process using port 53 (TCP / UDP). To verify this, do the following:

net stop DNS (if it is not already stopped)

netstat -ano | find ":53"

The output should be something like:

TCP 127.0.0.1:53 0.0.0.0:0 LISTENING 2752
TCP 192.168.1.151:53 0.0.0.0:0 LISTENING 2752
TCP [::1]:53 [::]:0 LISTENING 2752
UDP 127.0.0.1:53 *:* 2752
UDP 192.168.1.151:53 *:* 2752
UDP [::1]:53 *:* 2752

In the output the last column is the PID of the process using the port. Open up Task Manager and add the PID (Process Identifier) column to the Processes tab (how: go to View > Select Columns).

Once you have located the PID, finding which service/process is using ports TCP 53 / UDP 53 should be a breeze.

Then just stop the respective process and restart the DNS Server service, and the Event IDs will go away.

NOTE: If only UDP 53 is in use by another process but TCP 53 is not, DNS will start but will still log the same Event ID. However, if both TCP 53 and UDP 53 are in use, DNS will sometimes not start at all.
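
Added example (not from the original post): a Python script that parses netstat -ano output, collects the PIDs holding TCP and UDP port 53, and applies the note above to tell the "only UDP in use" case from the "both in use" case. NETSTAT_OUTPUT is constructed from the sample lines in the post, with the usual netstat header and one unrelated listener added.

```python
# Constructed sample: the netstat lines from the post plus headers and an unrelated port.
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:53           0.0.0.0:0              LISTENING       2752
  TCP    192.168.1.151:53       0.0.0.0:0              LISTENING       2752
  TCP    [::1]:53               [::]:0                 LISTENING       2752
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  UDP    127.0.0.1:53           *:*                                    2752
  UDP    192.168.1.151:53       *:*                                    2752
  UDP    [::1]:53               *:*                                    2752
"""

def local_port(endpoint):
    """Port of 'addr:port' or '[v6addr]:port' as an int."""
    return int(endpoint.rsplit(':', 1)[1])

def listeners_on_port(output, port=53):
    """Map 'TCP'/'UDP' to the set of PIDs bound to `port` in netstat -ano output."""
    found = {'TCP': set(), 'UDP': set()}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in found:
            continue                      # header lines and anything else
        if fields[0] == 'TCP' and fields[3] != 'LISTENING':
            continue                      # connected sockets are not the conflict
        if local_port(fields[1]) == port:
            found[fields[0]].add(int(fields[-1]))   # PID is the last column
    return found

def dns_port_conflict(output, dns_pid=None):
    """Apply the note above: which protocols does some *other* process hold on 53?"""
    held = listeners_on_port(output)
    tcp = held['TCP'] - {dns_pid}         # ignore the DNS service's own PID if known
    udp = held['UDP'] - {dns_pid}
    if tcp and udp:
        return 'both TCP and UDP 53 in use: DNS may not start at all'
    if udp:
        return 'only UDP 53 in use: DNS starts but keeps logging the event'
    if tcp:
        return 'only TCP 53 in use'
    return 'port 53 free'
```

Pass the PID of dns.exe as dns_pid once the service is running, so that its own sockets are not reported as a conflict.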

Wednesday, March 4, 2009

IAS Server Crashes Randomly

The IAS server crashes when a user tries to authenticate to the network, irrespective of whether the authentication is for 802.1x wired/wireless or VPN.
The following Event ID can be found in the System Log:

Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date: 2/27/2009
Time: 2:19:05 PM
User: N/A
Computer: SERVER
Description:
Faulting application svchost.exe, version 5.2.3790.3959, faulting module iassam.dll, version 5.2.3790.4242, fault address 0x0000ec89.

Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 73 76 63 ure svc
0018: 68 6f 73 74 2e 65 78 65 host.exe
0020: 20 35 2e 32 2e 33 37 39 5.2.379
0028: 30 2e 33 39 35 39 20 69 0.3959 i
0030: 6e 20 69 61 73 73 61 6d n iassam
0038: 2e 64 6c 6c 20 35 2e 32 .dll 5.2
0040: 2e 33 37 39 30 2e 34 32 .3790.42
0048: 34 32 20 61 74 20 6f 66 42 at of
0050: 66 73 65 74 20 30 30 30 fset 000
0058: 30 65 63 38 39 0ec89
Resolution:
This is generally caused by a corrupt IAS database. The best thing is to try and re-create the IAS database. However, if the service starts and stops immediately, then deleting the old policies and re-creating them is going to be tough.
So what I suggest is that we replace the files involved. Here is how we go about it.
Get a copy of the CD for your OS or an I386 dump. Either one will serve the purpose well.
Then use the 'expand' command to decompress the files from the CD/I386 distro into System32. Just to be on the safe side, make sure to back up the old files first.
Backing up the old files (ren takes only a new file name as its second argument, not a path, so the renamed copies stay in the same folder):
C:\> ren %windir%\system32\ias\dnary.mdb dnary.mdb.old
C:\> ren %windir%\system32\ias\ias.mdb ias.mdb.old
C:\> ren %windir%\system32\iassam.dll iassam.dll.old

Now to expand the files. In a command prompt, navigate to the I386 folder of your OS's CD or the distro. (For example, my I386 folder is on the 'D' drive.)

D:\I386> expand dnary.md_ %windir%\system32\ias\dnary.mdb
D:\I386> expand ias.md_ %windir%\system32\ias\ias.mdb
D:\I386> expand iassam.dl_ %windir%\system32\iassam.dll

Then register iassam.dll using regsvr32 (regsvr32 iassam.dll /s).

Start the IAS service using Services.msc or 'net start ias'.

Oops!!! Almost forgot to add... Don't forget to register IAS in AD.

This should solve your issue. Now have your users try to authenticate. They should be able to log in just fine.