Troubleshooting

Today I was presented with a Windows 7 Home Premium laptop that, until a couple of days ago, had working sound and LAN connectivity.

The sound worked when the hardware diagnostics were run, but not once Windows 7 had loaded, so I knew the hardware was not defective.

The solution, which was relatively easy to implement, took a while to discover; I will update this post at a later date with the troubleshooting steps.

The solution was to add the NetworkService and LocalService accounts to the local Administrators group.

This can be done by running these two commands from an elevated command prompt:

net localgroup Administrators /add networkservice

net localgroup Administrators /add localservice

Once these two commands have run, restart the laptop. If your issue was the same as mine, sound (and LAN) should now be working.
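The following script is an added example and is not part of the original post. It verifies the change described above: it lists the members of the local Administrators group by SID (so the check does not depend on localised display names), reports whether the two service accounts are present, and shows the state and logon account of the services involved. The service names Audiosrv (Windows Audio) and Dhcp (DHCP Client) are this example's assumption for "sound" and "LAN"; the post does not name them. It uses the WinNT ADSI provider and WMI so that it also runs on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example, not from the original post: confirm which well-known service
# accounts are in the local Administrators group and check the related services.

# Well-known SIDs of the two accounts the post adds to Administrators.
$ServiceAccountSids = @{
    'S-1-5-19' = 'NT AUTHORITY\LOCAL SERVICE'
    'S-1-5-20' = 'NT AUTHORITY\NETWORK SERVICE'
}

# Enumerate a local group through the WinNT provider and return name + SID per member.
function Get-LocalGroupMemberSid {
    param([string]$GroupName = 'Administrators')
    $group = [ADSI]"WinNT://./$GroupName,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $bytes = $member.GetType().InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
        $name  = $member.GetType().InvokeMember('Name', 'GetProperty', $null, $member, $null)
        $sid   = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $bytes, 0
        New-Object PSObject -Property @{ Name = $name; Sid = $sid.Value }
    }
}

# True/false per service account: is it currently a local administrator?
function Test-ServiceAccountsInAdministrators {
    $present = @(Get-LocalGroupMemberSid | ForEach-Object { $_.Sid })
    foreach ($sid in $ServiceAccountSids.Keys) {
        New-Object PSObject -Property @{
            Account              = $ServiceAccountSids[$sid]
            Sid                  = $sid
            IsLocalAdministrator = ($present -contains $sid)
        }
    }
}

# State, start mode and logon account of the services (names are assumed, see above).
function Get-ServiceRunState {
    param([string[]]$ServiceName = @('Audiosrv', 'Dhcp'))
    foreach ($name in $ServiceName) {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if ($svc) {
            New-Object PSObject -Property @{
                Service = $svc.Name; State = $svc.State; StartMode = $svc.StartMode; LogonAs = $svc.StartName
            }
        }
    }
}

Test-ServiceAccountsInAdministrators | Format-Table Account, Sid, IsLocalAdministrator -AutoSize
Get-ServiceRunState | Format-Table Service, State, StartMode, LogonAs -AutoSize
```

Run it once before the two `net localgroup` commands and once after the restart; the first table shows the membership change took effect and the second shows the services now start under their usual accounts.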

When troubleshooting Active Directory, the first place most people look is the Windows Server event logs. The event logs can provide a wealth of information about the state of Active Directory, but by default the recorded information is limited to critical and error events.

To enable more detailed diagnostic logging there is a set of registry values under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics which, when set to one of the defined levels, cause the corresponding information to be written to the event logs.

The defined values are:

Level          Description
0 (None)       Only critical events and error events are logged. (Default)
1 (Minimal)    Very high-level events are recorded in the event log.
2 (Basic)      Events with a logging level of 2 or lower are logged.
3 (Extensive)  Events with a logging level of 3 or lower are logged.
4 (Verbose)    Events with a logging level of 4 or lower are logged.
5 (Internal)   All events are logged, including debug strings and configuration changes received.

Any logging above level 3 can generate a lot of additional logged information and should be used with caution.

These levels can be set on one or more of the following 24 values, all of which live under the key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics

1 Knowledge Consistency Checker

The KCC derives its input configuration from objects in the directory (for example, sites, servers and site links) and reports if these objects are incorrect or missing. This category records events occurring during a run of the KCC.

Messages fall into the following categories:

KCC runtime errors, such as inconsistencies, resource errors or directory access problems.

KCC output configuration problems: the new configuration cannot be built or is incomplete in some way, perhaps because too many servers are down to build a complete topology at this time.

2 Security Events

Events related to security such as a user who tries to read or write an attribute with insufficient permissions, a user binding through MAPI, or a domain that has been changed to native mode.

3 ExDS Interface Events

Events related to communication between Active Directory and Exchange clients.

4 MAPI Interface Events

Events related to communication between Active Directory and Exchange clients.

5 Replication Events

Events related to outbound replication, where changed objects are found, and inbound replication, where these changes are applied to a local database. “Normal” errors during the course of replication, such as a domain controller being down, are not logged. They are kept as status and are available through the replication tools. The errors logged during replication are generally critical inconsistencies that require user intervention, such as database errors. The other kind of events logged by the replication category are information about which objects and attributes were updated and why. Note that many attributes are updated each time replication occurs, so logging detail about attributes can generate a great many messages very quickly.

A level of 1 is safe and might be informative as to the general types of operations occurring for replication. A level higher than level 2 can result in filling up the log file and performance degradation.

6 Garbage Collection

Events generated when objects marked for deletion are actually deleted.

7 Internal Configuration

Interpretation and display of the internal directory service operations.

8 Directory Access

Reads and writes of directory objects from all sources.

9 Internal Processing

Events related to the internal operation of Active Directory code such as processing security descriptor propagation. Error events in this category might be an indicator of serious problems in Active Directory. When the directory returns the status of “internal error,” this category can be used to identify the problem for Microsoft support. Set this category to 1 on all computers involved (client and server) and reproduce the problem. Note the point in the code where the internal error was raised.

10 Performance Counters

Events related to loading and unloading the NTDS performance object and performance counters.

11 Initialization/Termination

Events related to starting and stopping Active Directory.

12 Service Control

Processes Active Directory service events.

13 Name Resolution

Resolution of addresses and Active Directory names.

14 Backup

Events related to the backup of Active Directory. Specifically, errors occurring when ESE database records are read or written for backup purposes. Generally only logged when a backup operation is underway.

15 Field Engineering

Internal debugging trace.

16 LDAP Interface Events

Events related to LDAP. Examples of logged events include: the LDAP server closed a socket to a client, unable to initialize LDAP Simple Bind Authentication, and LDAP over SSL is now available.

17 Setup

Events related to running the Active Directory Installation Wizard.

18 Global Catalog

Events related to the Global Catalog. For example: “Promotion of this server to a Global Catalog will be delayed for %1 minutes. This delay is necessary so that the required partitions can be made ready before the GC is advertised.

The operations that occur during this time include the KCC being run to generate the new topology, all read-only partitions in the enterprise being added to this server, and the contents of these partitions being replicated into this system. If you want to promote the GC immediately without enforcing this precondition, set the registry variable HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\GlobalCatalogDelayAdvertisement (sec) to a DWORD value of 0. The GC will be promoted on the next attempt to check preconditions. This value can also be set to the maximum number of seconds that the DSA will wait before promoting to a GC.”

19 Inter-site Messaging

These messages are logged by the “Intersite Message” service, which is a separate service from the directory itself. Two kinds of messages are generated in this category:

The ISM service is responsible for transporting replication messages between sites.

The ISM service is also responsible for calculating site routes for the KCC to use.

Note that the messages in this category are either fatal configuration errors or informational messages about the amount of traffic being carried.

20 Group Caching

Events related to Universal Group Membership Caching on a domain controller in a site where this feature is enabled. The value is set to an integer from 0 (no logging) through 5 (most verbose logging). Significant events are reported at logging level 2, with many additional events reported at logging level 5.

21 Linked-Value Replication

Events related to Linked-Value Replication.

22 DS RPC Client

Controls the logging of events related to communication with the Directory Service as an RPC client. Examples of logged events include remote procedure call (RPC) errors, cancelled calls, and service principal name (SPN)-related operations.

Real world example: only up to 10 DNS failures are shown for any given 12-hour period, even if more than 10 failures occur. To log every individual failure event, set this diagnostics registry value to 1.

23 DS RPC Server

Controls the logging of events related to the RPC server service, for example during outbound replication and replication setup operations.

24 DS Schema

Events related to the Active Directory schema.

An example of a logged event is a successful Active Directory schema update, which is recorded with Event ID 1582.
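As an added example (not part of the original post), the script below reads and sets the 24 NTDS diagnostics values described above, using the value names exactly as they appear under the Diagnostics key and the level meanings from the table. It refuses levels above 3 unless forced, in line with the caution given earlier, and includes a reset so the extra logging can be switched off again once the investigation is over. Run it from an elevated prompt on the domain controller whose logging you want to change; the Directory Service event log is the log these categories write to.

```powershell
# Added example, not from the original post: query, set and reset the NTDS
# diagnostics levels. Run elevated on the domain controller being investigated.

$DiagnosticsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

# The 24 value names as they appear under the key (number, space, category name).
$Categories = @(
    '1 Knowledge Consistency Checker', '2 Security Events', '3 ExDS Interface Events',
    '4 MAPI Interface Events', '5 Replication Events', '6 Garbage Collection',
    '7 Internal Configuration', '8 Directory Access', '9 Internal Processing',
    '10 Performance Counters', '11 Initialization/Termination', '12 Service Control',
    '13 Name Resolution', '14 Backup', '15 Field Engineering', '16 LDAP Interface Events',
    '17 Setup', '18 Global Catalog', '19 Inter-site Messaging', '20 Group Caching',
    '21 Linked-Value Replication', '22 DS RPC Client', '23 DS RPC Server', '24 DS Schema'
)

# Meaning of each level, from the table above.
$LevelNames = @{ 0 = 'None'; 1 = 'Minimal'; 2 = 'Basic'; 3 = 'Extensive'; 4 = 'Verbose'; 5 = 'Internal' }

# Current level of every category, so a raised level is easy to spot and revert.
function Get-NtdsDiagnosticsLevel {
    $values = Get-ItemProperty -Path $DiagnosticsKey
    foreach ($name in $Categories) {
        $level = [int]$values.$name
        New-Object PSObject -Property @{ Category = $name; Level = $level; Meaning = $LevelNames[$level] }
    }
}

# Set one category. Levels above 3 generate a great deal of output, so they are
# refused unless -Force is given.
function Set-NtdsDiagnosticsLevel {
    param(
        [Parameter(Mandatory = $true)][string]$Category,
        [Parameter(Mandatory = $true)][ValidateRange(0, 5)][int]$Level,
        [switch]$Force
    )
    if ($Categories -notcontains $Category) { throw "Unknown diagnostics category '$Category'." }
    if ($Level -gt 3 -and -not $Force) {
        throw "Level $Level ($($LevelNames[$Level])) is above 3; re-run with -Force if that is intended."
    }
    Set-ItemProperty -Path $DiagnosticsKey -Name $Category -Value $Level -Type DWord
}

# Put every category back to the default of 0.
function Reset-NtdsDiagnosticsLevel {
    foreach ($name in $Categories) {
        Set-ItemProperty -Path $DiagnosticsKey -Name $name -Value 0 -Type DWord
    }
}

# Usage: raise replication logging to the level the text calls safe, show which
# categories are no longer at the default, then read what arrives in the
# Directory Service event log.
Set-NtdsDiagnosticsLevel -Category '5 Replication Events' -Level 1
Get-NtdsDiagnosticsLevel | Where-Object { $_.Level -gt 0 } | Format-Table Category, Level, Meaning -AutoSize
Get-EventLog -LogName 'Directory Service' -Newest 20 | Format-Table TimeGenerated, EventID, Source, Message -AutoSize
```

Call `Reset-NtdsDiagnosticsLevel` when finished; leaving categories raised is the usual cause of a Directory Service log that fills and wraps faster than expected.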

Although Active Directory has been available for over ten years, one question that comes up time and time again at customer sites is “What do the Forest and Domain Functional Levels do, and should I set them?” After validating their Active Directory my answer is usually yes, but what do these levels actually enable within Active Directory?

Domain functional levels

The functional level for a domain enables features that affect only that domain. There are six domain functional levels:

Windows 2000 mixed (the default in Windows Server 2003)   DFL 0
Windows 2000 native                                        DFL 0
Windows Server 2003 interim                                DFL 1
Windows Server 2003                                        DFL 2
Windows Server 2008                                        DFL 3
Windows Server 2008 R2                                     DFL 4
Windows Server 2012                                        DFL 5
Windows Server 2012 R2                                     DFL 6

Forest functional levels

The functional level for a forest enables features in all domains within the forest. There are five forest functional levels:

Windows 2000 (the default in Windows Server 2003 and Windows Server 2008)   FFL 0
Windows Server 2003 interim                                                 FFL 1
Windows Server 2003 (the default in Windows Server 2008 R2)                 FFL 2
Windows Server 2008                                                         FFL 3
Windows Server 2008 R2                                                      FFL 4
Windows Server 2012                                                         FFL 5
Windows Server 2012 R2                                                      FFL 6
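The script below is an added example and is not part of the original post. It reads the domain and forest functional levels from the msDS-Behavior-Version attribute (on the domain naming context and on the Partitions container respectively), decodes them with the DFL/FFL numbers in the two tables above, and then lists every domain controller's operatingSystem to show the highest level the current DCs could support, using the "Supported Domain Controllers" lists that follow. It uses ADSI only, so it does not need the ActiveDirectory module, and it runs as an ordinary domain user on a domain-joined machine. The level-to-name mapping and the OS-to-level mapping are taken from this page's tables; the function names are this example's own.

```powershell
# Added example, not from the original post: decode the functional levels and
# check them against the operating systems of the domain controllers.

# msDS-Behavior-Version values, from the DFL/FFL tables above.
$LevelNames = @{
    0 = 'Windows 2000'
    1 = 'Windows Server 2003 interim'
    2 = 'Windows Server 2003'
    3 = 'Windows Server 2008'
    4 = 'Windows Server 2008 R2'
    5 = 'Windows Server 2012'
    6 = 'Windows Server 2012 R2'
}

function Get-FunctionalLevel {
    $rootDse    = [ADSI]'LDAP://RootDSE'
    $domainDn   = [string]$rootDse.Properties['defaultNamingContext'].Value
    $configDn   = [string]$rootDse.Properties['configurationNamingContext'].Value
    $domain     = [ADSI]"LDAP://$domainDn"
    $partitions = [ADSI]"LDAP://CN=Partitions,$configDn"

    $dfl = [int]$domain.Properties['msDS-Behavior-Version'].Value
    $ffl = [int]$partitions.Properties['msDS-Behavior-Version'].Value

    # DFL 0 covers both Windows 2000 mixed and native; ntMixedDomain tells them apart.
    $dflName = $LevelNames[$dfl]
    if ($dfl -eq 0) {
        if ([int]$domain.Properties['ntMixedDomain'].Value -eq 1) { $dflName += ' mixed' } else { $dflName += ' native' }
    }
    New-Object PSObject -Property @{
        Domain = $domainDn; DFL = $dfl; DomainFunctionalLevel = $dflName
        FFL = $ffl; ForestFunctionalLevel = $LevelNames[$ffl]
    }
}

# Highest functional level a DC running the given OS can be a member of, per the
# "Supported Domain Controllers" lists below. -1 means the OS is not covered there.
function Get-MaxLevelForOs {
    param([string]$OperatingSystem)
    switch -Regex ($OperatingSystem) {
        '2012 R2' { return 6 }
        '2012'    { return 5 }
        '2008 R2' { return 4 }
        '2008'    { return 3 }
        '2003'    { return 2 }
        '2000'    { return 0 }
    }
    return -1
}

# One row per DC plus the ceiling: the highest DFL every DC with a known OS supports.
function Get-DomainControllerLevelCeiling {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDn = [string]$rootDse.Properties['defaultNamingContext'].Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://OU=Domain Controllers,$domainDn"
    $searcher.Filter = '(objectClass=computer)'
    [void]$searcher.PropertiesToLoad.Add('name')
    [void]$searcher.PropertiesToLoad.Add('operatingSystem')

    $ceiling = 6
    foreach ($result in $searcher.FindAll()) {
        $os  = [string]$result.Properties['operatingsystem'][0]
        $max = Get-MaxLevelForOs $os
        if ($max -ge 0 -and $max -lt $ceiling) { $ceiling = $max }
        New-Object PSObject -Property @{
            DomainController = [string]$result.Properties['name'][0]; OperatingSystem = $os; MaxLevel = $max
        }
    }
    Write-Host "Highest DFL every listed domain controller supports: $ceiling ($($LevelNames[$ceiling]))"
}

Get-FunctionalLevel | Format-List
Get-DomainControllerLevelCeiling | Format-Table DomainController, OperatingSystem, MaxLevel -AutoSize
```

If the reported DFL is below the ceiling, the domain is running with fewer features than its domain controllers can support, which is the situation the question above is usually about.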

Domain Functional Level

Windows 2000 native

All default Active Directory features and the following features:

Universal groups are enabled for both distribution groups and security groups.

Group nesting.

Group conversion is enabled, which makes conversion possible between security groups and distribution groups.

Security Identifier (SID) history

Supported Domain Controllers

Windows 2000 Server
Windows Server 2003
Windows Server 2008
Windows Server 2008 R2

Windows Server 2003

All default Active Directory features, all features from the Windows 2000 native domain functional level, plus the following features:

The availability of the domain management tool, Netdom.exe, to prepare for domain controller rename.

Update of the logon time stamp. The lastLogonTimestamp attribute is updated with the last logon time of the user or computer. This attribute is replicated within the domain.

The ability to set the userPassword attribute as the effective password on the inetOrgPerson object and user objects.

The ability to redirect Users and Computers containers. By default, two well-known containers are provided for housing computer and user/group accounts: cn=Computers,<domain root> and cn=Users,<domain root>. This feature makes it possible to define a new well-known location for these accounts.

Authorization Manager can store its authorization policies in AD DS.

Constrained delegation is included, which makes it possible for applications to take advantage of the secure delegation of user credentials by means of the Kerberos authentication protocol. You can configure delegation to be allowed only to specific destination services.

Selective authentication is supported, which makes it possible to specify the users and groups from a trusted forest who are allowed to authenticate to resource servers in a trusting forest.

Supported Domain Controllers

Windows Server 2003
Windows Server 2008
Windows Server 2008 R2

Windows Server 2008

All default Active Directory features, all features from the Windows Server 2003 domain functional level, plus the following features:

Distributed File System Replication support for SYSVOL, which provides more robust and detailed replication of SYSVOL contents.

Advanced Encryption Services (AES 128 and 256) support for the Kerberos authentication protocol.

Last Interactive Logon Information, which displays the time of the last successful interactive logon for a user, from what workstation, and the number of failed logon attempts since the last logon.

Fine-grained password policies, which make it possible for password policies and account lockout policies to be specified for users and global security groups in a domain.

Supported Domain Controllers

Windows Server 2008
Windows Server 2008 R2

Windows Server 2008 R2

All default Active Directory features, all features from the Windows Server 2008 domain functional level, plus the following features:

Authentication mechanism assurance, which packages information about the type of logon method (smart card or user name/password) that is used to authenticate domain users inside each user’s Kerberos token. When this feature is enabled in a network environment that has deployed a federated identity management infrastructure, such as Active Directory Federation Services (AD FS), the information in the token can then be extracted whenever a user attempts to access any claims-aware application that has been developed to determine authorization based on a user’s logon method.

Supported Domain Controllers

Windows Server 2008 R2

Windows Server 2012

All default Active Directory features, all features from the Windows Server 2008 R2 domain functional level, plus the following features:

The KDC support for claims, compound authentication, and Kerberos armoring.

Supported Domain Controllers

Windows Server 2012
Windows Server 2012 R2

Windows Server 2012 R2

All default Active Directory features, all features from the Windows Server 2012 domain functional level, plus the following features:

DC-side protections for Protected Users. Protected Users authenticating to a Windows Server 2012 R2 domain can no longer:

  • Authenticate with NTLM authentication
  • Use DES or RC4 cipher suites in Kerberos pre-authentication
  • Be delegated with unconstrained or constrained delegation
  • Renew user tickets (TGTs) beyond the initial 4-hour lifetime

Authentication Policies

New forest-based Active Directory policies which can be applied to accounts in Windows Server 2012 R2 domains to control which hosts an account can sign-on from and apply access control conditions for authentication to services running as an account.

Authentication Policy Silos

New forest-based Active Directory object which can create a relationship between user, managed service and computer accounts, to be used to classify accounts for authentication policies or for authentication isolation.

 

Supported Domain Controllers

Windows Server 2012 R2

Forest Functional Level

Windows 2000 Server

All default Active Directory features.

Supported Domain Controllers

Windows NT 4.0
Windows 2000
Windows Server 2003
Windows Server 2008
Windows Server 2008 R2

Windows Server 2003

All default Active Directory features, plus the following features:

Forest trust

Domain rename

Linked-value replication (Changes in group membership store and replicate values for individual members instead of replicating the entire membership as a single unit.) This results in lower network bandwidth and processor usage during replication and eliminates the possibility of lost updates when different members are added or removed concurrently at different domain controllers.

The ability to deploy a read-only domain controller (RODC) that runs Windows Server 2008.

Improved Knowledge Consistency Checker (KCC) algorithms and scalability. The intersite topology generator (ISTG) uses improved algorithms that scale to support forests with a greater number of sites than can be supported at the Windows 2000 forest functional level.

The ability to create instances of the dynamic auxiliary class called dynamicObject in a domain directory partition.

The ability to convert an inetOrgPerson object instance into a User object instance, and the reverse.

The ability to create instances of the new group types, called application basic groups and Lightweight Directory Access Protocol (LDAP) query groups, to support role-based authorization.

Deactivation and redefinition of attributes and classes in the schema.

Supported Domain Controllers

Windows Server 2003
Windows Server 2008
Windows Server 2008 R2

Windows Server 2008

This functional level provides all of the features that are available at the Windows Server 2003 forest functional level, but no additional features.

Supported Domain Controllers

Windows Server 2008
Windows Server 2008 R2

Windows Server 2008 R2

All of the features that are available at the Windows Server 2008 forest functional level, plus the following features:

Active Directory Recycle Bin, which provides the ability to restore deleted objects in their entirety while AD DS is running.

Supported Domain Controllers

Windows Server 2008 R2

Windows Server 2012

All of the features that are available at the Windows Server 2008 R2 forest functional level, but no additional features.

All domains that are subsequently added to the forest will operate at the Windows Server 2012 domain functional level by default.

Supported Domain Controllers

Windows Server 2012
Windows Server 2012 R2

Windows Server 2012 R2

All of the features that are available at the Windows Server 2012 forest functional level, but no additional features.

All domains that are subsequently added to the forest will operate at the Windows Server 2012 R2 domain functional level by default.

Supported Domain Controllers

Windows Server 2012 R2



This handy Excel spreadsheet (all 19785 lines of it) provides a Windows 7 Application Compatibility List for IT Professionals. It details software applications that have met Windows 7 Logo Program testing requirements for compatibility with 32-bit and 64-bit Windows 7; in the spreadsheet these products are identified with the compatibility status “Compatible Windows 7 Logo.”

In addition this list includes applications with the following compatibility statuses:

Compatible
Free Update Required
Paid Update Required
Future Compatibility
Not Compatible

These statuses are based upon the software publishers’ statements of compatibility (not Microsoft’s). These products have not met the Windows 7 Logo Program testing requirements.

I would also recommend visiting the Windows 7 Compatibility Center for the latest compatibility information.

Office 2010 has been available since April this year and Microsoft has made available a series of updates to improve the Office 2010 experience.

Although the updates are all grouped under “Office 2010 Cumulative Update for June 2010 (KB 2259686)”, they are in fact a series of individual updates targeted at specific products that are part of the Office 2010 family.

Quick Links

Product Knowledge Base article number
Project http://support.microsoft.com/kb/2075992
Access http://support.microsoft.com/kb/2075994
FilterPack 2.0 http://support.microsoft.com/kb/2124512
Publisher http://support.microsoft.com/kb/2204025
Word http://support.microsoft.com/kb/2204026
Excel http://support.microsoft.com/kb/2204028


Summary detail

Product / Knowledge Base article number / Issue that this hotfix package fixes

Project http://support.microsoft.com/kb/2075992 When you use the Visual Reports feature in Project 2010, you receive an error message that states that you do not have access to the .mdb file.

Some Visual Basic for Applications (VBA) methods, such as FileOpen, FileOpenEx, and OutlineIndent, do not raise error messages when they should.

You copy formatted cells from an Excel workbook and then paste them into the Task Name column in Project 2010. When you click to select the Match Destination Formatting option from the Paste Options list, Project 2010 may crash.

Note: If you use the option button directly, this issue does not occur.

You insert many tasks into a project that is connected to a server. When you save, close, and then reopen the project, all null (empty) tasks in the file are moved.

When you print or preview a project that has a dependency to a task and that task ends up as the last task on the page, the link line goes off the left side of the page toward infinity.

When you click Replace All, Project 2010 crashes. For example, Project 2010 crashes when you click Replace All to replace TaskName to TaskName2.

If a subproject task on the timeline is deleted from the subproject, the timeline data becomes corrupted, and tasks cannot be added to the Timeline view.

When you save a project as an XML file, the values in that XML file do not use a period as the XML decimal symbol. Instead, they use the decimal symbol determined by the regional settings. Cost values, for example, are affected.

Access http://support.microsoft.com/kb/2075994 Consider the following scenario in Microsoft Access 2010. You use a BeforeChange event or an AfterInsert event to update data. In a subform, you select a record and then create a new record in Connected mode. Then, you edit the form data. In this scenario, when you select the subform, the form data is committed and the event causes an update that displays the wrong subform data.

FilterPack 2.0 http://support.microsoft.com/kb/2124512 Article is currently not posted.

Publisher http://support.microsoft.com/kb/2204025 Consider the following scenario: You create a merged publication in Microsoft Publisher 2010.
You close the merged publication.
You change the data source of the merged publication.
You reopen the merged publication.
You print or publish the merged publication.

In this scenario, Publisher 2010 crashes.

You use a non-English version of Publisher 2010. When you click Share in the Share with Template Community section, you are always directed to the English logon page.

Word http://support.microsoft.com/kb/2204026 When you print from Word 2010 by using the scaling function of the print driver, you receive the following warning message: The margins of section 1 are set outside the printable area of the page. Do you want to continue?

After you click Yes, the scaling is incorrect and some text is cut when the document is printed. This problem occurs when the document size differs from the default paper size.

Excel http://support.microsoft.com/kb/2204028 Consider the following scenario: You have form controls in an Excel 2010 document.
You adjust the scale of the document.
You print the document.

In this scenario, the form controls are printed by using the actual size of the controls.

As per normal Microsoft policy: only apply hotfix packages to systems that are experiencing the specific problems documented.

Microsoft have released version 1.4 of the Sysinternals tool “Active Directory Explorer”. AD Explorer is an advanced Active Directory (AD) viewer and editor. You can use AD Explorer to easily navigate an AD database, define favourite locations, view object properties and attributes without having to open dialog boxes, edit permissions, view an object’s schema, and execute sophisticated searches that you can save and re-execute.

http://technet.microsoft.com/en-gb/sysinternals/bb963907.aspx

Recently I had a couple of issues with Resultant Set of Policy (RSOP) and enabling it to work for IT teams who were not Administrators.

One issue I had was that every time Resultant Set of Policy was run for users with delegated permissions (and, on further testing, for “Domain Admins” too) they all received an error message stating “provider not loaded”.

This transpired to be a relatively simple fix and was nothing to do with delegated permissions.

The Resultant Set of Policy service had been disabled on all domain controllers and to resolve this issue I enabled the Resultant Set of Policy service on all the domain controllers.

The other issue I had was “Access Denied” when selecting the Domain Controller to run the Resultant Set of Policy against, when in planning mode for users with delegated RSOP rights – Administrators functioned correctly.

After some research I discovered Resultant Set of Policy in Planning mode needs some additional DCOM permissions set in order for it to work remotely when not an Administrator.

To enable delegated groups to run Resultant Set of Policy in Planning mode remotely, the DCOM permissions on all Domain Controllers need to be amended. This is done by configuring the following group policy setting and applying it to all domain controllers:

DCOM: Machine launch restrictions in Security Descriptor Definition Language (SDDL) syntax

By default the Everyone group only had permission to launch and activate DCOM locally, whereas Domain Admins had local and remote launch and activation permissions.

Adding the group that held the delegated RSOP permissions, and granting it the “Remote Activation” right on top of its default permissions, resolved the issue. Resultant Set of Policy (Planning Mode) now functions remotely for the teams that need it but are not administrators.
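As an added example (not part of the original post), the script below decodes a DCOM machine launch restriction descriptor, either in the SDDL form that the group policy setting above takes or as the REG_BINARY value MachineLaunchRestriction under HKLM\SOFTWARE\Microsoft\Ole, into the launch and activation rights each principal holds, and then builds the amended descriptor that grants a delegated group Remote Activation. The sample SDDL is constructed to match the default the post describes, with BA (Builtin Administrators) standing in for the Domain Admins entry; the delegated group SID is a placeholder; and the exact rights given to the new ACE are this example's choice. It also looks up the service the first fix above enables, by display name.

```powershell
# Added example, not from the original post: decode and amend DCOM machine launch
# restrictions. Runs on any Windows machine; no domain membership is needed for
# the sample descriptor.

# COM_RIGHTS_* access-mask bits from the Windows SDK. In SDDL text these bits are
# printed as the generic rights CC, DC, LC, SW and RP respectively, which is why a
# DCOM descriptor looks like a directory-service ACL.
$ComRights = @(
    @{ Bit = 1;  Name = 'Execute' },
    @{ Bit = 2;  Name = 'Local Launch' },
    @{ Bit = 4;  Name = 'Remote Launch' },
    @{ Bit = 8;  Name = 'Local Activation' },
    @{ Bit = 16; Name = 'Remote Activation' }
)

function ConvertTo-RawDescriptor {
    param($Descriptor)   # SDDL string, or the byte[] read from the registry
    if ($Descriptor -is [byte[]]) {
        return New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Descriptor, 0
    }
    return New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList ([string]$Descriptor)
}

# One row per ACE: who, allow/deny, and which DCOM rights the mask grants.
function Get-DcomLaunchRight {
    param($Descriptor)
    $sd = ConvertTo-RawDescriptor $Descriptor
    foreach ($ace in $sd.DiscretionaryAcl) {
        $names = @()
        foreach ($right in $ComRights) { if ($ace.AccessMask -band $right.Bit) { $names += $right.Name } }
        $account = $ace.SecurityIdentifier.Value
        try { $account = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        New-Object PSObject -Property @{
            Principal = $account; Type = [string]$ace.AceQualifier; Rights = ($names -join ', ')
        }
    }
}

# Append an allow ACE for the delegated group: the local rights Everyone already
# has plus Remote Activation (mask chosen for this example, not taken from the post).
function Add-DcomRemoteActivation {
    param([Parameter(Mandatory = $true)]$Descriptor, [Parameter(Mandatory = $true)][string]$GroupSid)
    $sd   = ConvertTo-RawDescriptor $Descriptor
    $sid  = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $GroupSid
    $mask = 1 -bor 2 -bor 8 -bor 16
    $ace  = New-Object System.Security.AccessControl.CommonAce -ArgumentList `
        ([System.Security.AccessControl.AceFlags]::None), ([System.Security.AccessControl.AceQualifier]::AccessAllowed), $mask, $sid, $false, $null
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
    return $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

# Constructed sample matching the default the post describes: administrators get
# everything, Everyone gets local launch and local activation only.
$DefaultSddl       = 'O:BAG:BAD:(A;;CCDCLCSWRP;;;BA)(A;;CCDCSW;;;WD)'
$DelegatedGroupSid = 'S-1-5-21-0-0-0-1234'   # placeholder; use the SID of the delegated RSOP group

Get-DcomLaunchRight $DefaultSddl | Format-Table Principal, Type, Rights -AutoSize
$Amended = Add-DcomRemoteActivation -Descriptor $DefaultSddl -GroupSid $DelegatedGroupSid
$Amended
Get-DcomLaunchRight $Amended | Format-Table Principal, Type, Rights -AutoSize

# The service behind the first "provider not loaded" fix, looked up by display name.
Get-WmiObject -Class Win32_Service -Filter "DisplayName LIKE 'Resultant Set of Policy%'" |
    Format-Table Name, State, StartMode -AutoSize

# To inspect a live machine's current default instead of the sample:
# Get-DcomLaunchRight (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole').MachineLaunchRestriction
```

The string returned by `Add-DcomRemoteActivation` is what goes into the “DCOM: Machine launch restrictions in Security Descriptor Definition Language (SDDL) syntax” policy setting; decoding it first, as the second table does, confirms the new entry carries only the rights intended before it is applied to every domain controller.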