Wednesday, July 1, 2009

Group Policy and the Registry

Interesting - this job really keeps you on your toes. I thought GPOs weren't applying correctly - turns out I had the wrong definition of 'correctly'. I changed this:

Policies\Administrative Templates: Policy Definitions\Windows Components\Terminal Services\Remote Desktop Connection Client\Do not allow LPT port redirection

and expected that policy to set this:

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\fDisableLPT

But it didn't. It changed this:

HKLM\SOFTWARE\POLICIES\MICROSOFT\Windows NT\Terminal Services\fDisableLPT

which disagreed with the first one. Very confusing. Also, I noticed that the only GPOs not taking effect were under Policies\Administrative Templates. But, according to page 524 of the GPO guide (which a very smart client admin friend of mine pointed me towards), Administrative Template policies are written to only a handful of registry paths. On the machine side they are:

HKLM\SOFTWARE\Policies
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies

(and the same two paths under HKCU for user settings).

Values under those keys are POLICIES, and a policy-aware component checks them before it looks at its own configuration. Anything written elsewhere, including what an admin sets directly on the machine (here, the value under WinStations\RDP-Tcp), is a PREFERENCE, and a policy takes priority over it.

The sum of all this is that a GPO does not overwrite the existing value. It writes a second copy under the Policies key, and that copy is what Terminal Services honors, so the two values can legitimately disagree and the machine is still behaving "correctly".

Additional important notes:
1. GPResult and gpotool are cool tools. Both work on 2008; gpresult.exe is built into Windows, and gpotool comes with the 2003 resource kit.
2. If you go to the Local Group Policy Editor MMC (gpedit.msc), you will find that your domain GPOs are not represented there. This is because gpedit edits the local GPO only; it does not dig into the registry to check what is currently in effect. A GPO is a mask that is applied to the computer, not a view of the computer's state. To see the resulting set of policy that actually applied, use gpresult or rsop.msc. Interesting, eh?





Thursday, June 25, 2009

VM NIC Issue

One more thing - Had a 2008 VM that I created and installed the OS on, but for some reason it wouldn't connect to anything. Device Manager showed the Ethernet Controller as unrecognized and said that it needed drivers. There were no connections showing in the connection manager. Installing VMware Tools did not solve it.

I shut down the server, downloaded the .vmx file to my laptop, edited it in wordpad, added this line:

ethernet0.virtualDev = "e1000"

above the other references to ethernet0.

Saved another copy of the old .vmx to be safe, uploaded the new copy, and everything was golden. My resource was this: http://communities.vmware.com/message/1078349
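The same .vmx edit, scripted instead of done in WordPad. This is an added example and not part of the original post: it keeps a backup copy of the file, then sets ethernet0.virtualDev = "e1000", inserting the line above the other ethernet0.* lines when it is missing or rewriting it when some other device type (vlance, vmxnet) is already there. The sample .vmx content is constructed for the demo; the function itself is meant to be run on a downloaded copy of the real file while the VM is powered off, exactly as the post does by hand.

```powershell
# Added example (not from the original post): set ethernet0.virtualDev to e1000
# in a .vmx file, with a backup, idempotently. The demo .vmx below is constructed.

function Set-VmxNicE1000 {
    param([Parameter(Mandatory)] [string] $Path)

    Copy-Item -Path $Path -Destination "$Path.bak" -Force    # keep the original
    $lines   = @(Get-Content -Path $Path)
    $newLine = 'ethernet0.virtualDev = "e1000"'

    if ($lines -match '^ethernet0\.virtualDev\s*=') {
        # Some virtualDev is already set (vlance, vmxnet, ...): rewrite that line.
        $out = @($lines | ForEach-Object {
            if ($_ -match '^ethernet0\.virtualDev\s*=') { $newLine } else { $_ }
        })
    } else {
        # Not set: insert exactly once, just above the first ethernet0.* line.
        $inserted = $false
        $out = @(foreach ($l in $lines) {
            if (-not $inserted -and $l -match '^ethernet0\.') { $newLine; $inserted = $true }
            $l
        })
        if (-not $inserted) { $out += $newLine }    # no ethernet0 lines at all: append
    }

    # .vmx files are plain text; write ASCII so no byte-order mark sneaks in.
    Set-Content -Path $Path -Value $out -Encoding Ascii
}

function Get-VmxNicType {
    # Returns the configured ethernet0 device type, or 'unset' if there is none.
    param([Parameter(Mandatory)] [string] $Path)
    $hit = Select-String -Path $Path -Pattern '^ethernet0\.virtualDev\s*=\s*"([^"]*)"' |
           Select-Object -First 1
    if ($hit) { $hit.Matches[0].Groups[1].Value } else { 'unset' }
}

# Demo on a constructed file that mirrors the lines a template VM would have.
$demo = Join-Path $env:TEMP 'demo-e1000.vmx'
@'
.encoding = "UTF-8"
config.version = "8"
displayName = "w2k8-research"
ethernet0.present = "TRUE"
ethernet0.networkName = "VM Network"
ethernet0.addressType = "generated"
'@ | Set-Content -Path $demo -Encoding Ascii

Get-VmxNicType -Path $demo      # before the edit: no device type configured
Set-VmxNicE1000 -Path $demo
Get-VmxNicType -Path $demo      # after the edit
Get-Content -Path $demo         # virtualDev now sits above ethernet0.present
```

Running the function a second time is harmless: it finds the existing virtualDev line and rewrites it rather than adding a duplicate, which matters if you script this across several templates.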

Time for jiu jitsu.

Carry on!

ESX Server Craziness

Had two Server 2008 research VMs (which were deployed from a template) that wouldn't power on. After the initial attempt to power on, they both would not allow any other changes to be performed on them, because there was already a "task in progress," "fault null" or something to that end. Couldn't remove from inventory, couldn't delete, was able to migrate sometimes, couldn't power on.

Now, does VMware 2.5 support server 2008 templates? Nope. I knew that going into this. But somehow, I've gotten away with it before on other test servers, so it was worth a shot. Research suggested a solution would be to kill the process on the esx server that is hung trying to reboot the server. I tried all sorts of things, including stuff like

ps -ef | grep <vm_name>
kill -9 <pid>
rm -rf <vm_directory>

etc. What it came down to was that our vmware virtual center thought a task was being performed on these screwed up VMs, although the breakdown could have been with either the communication between the vcenter and the esx server, or the esx server with the guest OS.

Anyway, this was resolved not by leet Linux commands, but by a good old restart, which was what I had been trying to avoid the whole time. First I tried a "service mgmt-vmware restart," which made all the guest OSes appear offline in vCenter. I have since learned that you should accompany this command with a "service vmware-vpxa restart."

The two services are tied together in some way - I didn't have a chance to research this today. When the servers did not come back online after 10+ minutes, I did a restart of the entire machine using

/sbin/reboot

You should preferably put the esx server in maintenance mode before doing this.
vimsh -n -e /hostsvc/maintenance_mode_enter
vimsh -n -e /hostsvc/maintenance_mode_exit

I satisfied my engineering curiosity of "what if" by just bouncing it :-) Not to worry, it only hosts research vms, so this was as risk-free as you get. There are two esx servers in this cluster, and I rebooted B. Interestingly, A eventually went down (red mark on the esx server in vcenter). Then came back up. Then went down again. B stayed down. After 10+ minutes, both esx servers came up in very close chronological proximity, happy and refreshed.

And I was able to remove those two VM's from inventory, delete them, and free up space to continue my GPO testing :-D

Speaking of which, found today two issues with my GPO ADMX testing.
1. "Policy Definitions" is not the same thing as "PolicyDefinitions" in the SYSVOL. Only the second will be recognized by the DC.
2. You need SOME ADML files to support the ADMX files. ADMLs are only optional after you implement the first set. Otherwise you'll get swarmed with errors when you open GPMC.
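A script for both of those gotchas, added here as an example and not part of the original post. New-CentralStore builds the central store from the local ADMX/ADML set that a Vista or 2008 box ships in %SystemRoot%\PolicyDefinitions; Test-CentralStore then checks that the folder under SYSVOL\<domain>\Policies is named exactly PolicyDefinitions and that every .admx has a same-named .adml in the language subfolder GPMC will look in (en-US here). The domain and language defaults are assumptions for the example.

```powershell
# Added example (not from the original post): build and sanity-check the
# Group Policy central store. Domain and language defaults are assumptions.

function New-CentralStore {
    param(
        [string] $Domain    = $env:USERDNSDOMAIN,
        [string] $Language  = 'en-US',
        # A Vista / Server 2008 machine carries a full local ADMX/ADML set here.
        [string] $SourceDir = (Join-Path $env:SystemRoot 'PolicyDefinitions')
    )
    # Note the exact folder name: "PolicyDefinitions", no space.
    $store = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
    New-Item -Path (Join-Path $store $Language) -ItemType Directory -Force | Out-Null
    Copy-Item -Path (Join-Path $SourceDir '*.admx') -Destination $store -Force
    Copy-Item -Path (Join-Path $SourceDir "$Language\*.adml") `
              -Destination (Join-Path $store $Language) -Force
    return $store
}

function Test-CentralStore {
    # Returns one string per problem found; nothing means the store looks sane.
    param(
        [string] $Domain   = $env:USERDNSDOMAIN,
        [string] $Language = 'en-US'
    )
    $policies = "\\$Domain\SYSVOL\$Domain\Policies"
    $store    = Join-Path $policies 'PolicyDefinitions'
    $problems = @()

    # 1. Folder name. A near miss such as "Policy Definitions" is silently ignored
    #    and GPMC falls back to the local %SystemRoot%\PolicyDefinitions instead.
    $dirs = Get-ChildItem -Path $policies -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer }
    foreach ($dir in $dirs) {
        if ($dir.Name -ne 'PolicyDefinitions' -and (($dir.Name -replace '\s', '') -ieq 'PolicyDefinitions')) {
            $problems += "Folder '$($dir.Name)' will be ignored; rename it to PolicyDefinitions"
        }
    }
    if (-not (Test-Path -Path $store)) {
        $problems += "No central store at $store"
        return $problems
    }

    # 2. ADMX/ADML pairing: each .admx needs <store>\<Language>\<same name>.adml
    #    or GPMC throws an error for it when the store is loaded.
    $admlDir = Join-Path $store $Language
    foreach ($admx in Get-ChildItem -Path $store -Filter *.admx) {
        $adml = Join-Path $admlDir ($admx.BaseName + '.adml')
        if (-not (Test-Path -Path $adml)) {
            $problems += "$($admx.Name) has no $Language\$($admx.BaseName).adml"
        }
    }
    return $problems
}

# Typical use on a DC or an admin workstation with write access to SYSVOL:
#   New-CentralStore | Out-Null
Test-CentralStore | ForEach-Object { Write-Warning $_ }
```

Run Test-CentralStore again after dropping in any third-party ADMX files; a vendor that ships the .admx without its .adml is the usual way the second problem comes back.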

There's one of the problems I solved today.

Carry on!

Friday, June 19, 2009

CSE's, Windows Server 2008, Vista, and Craziness

There is a lot of confusion here that I sorted out in the last couple days. Let's look at some terms:

1. Group Policy - Umbrella concept of configuring settings on more than one machine, using AD (sites, domains, OUs) to organize and target everything.
2. Policies: Settings written to the Policies registry keys and enforced on every refresh. The user cannot change them (the corresponding UI is typically greyed out).
3. Preferences: These are applied to the normal configuration location, but the user's ability to change the setting back is not impeded.
4. Group Policy Preferences - An umbrella term for the set of CSEs (Drive Maps, Registry, Local Users and Groups, and so on) that write to normal, non-policy locations. In effect they are just preferences delivered through Group Policy, and there's practically no difference between these and regular preferences.
5. Client Side Extensions - The DLLs on the client that process each category of settings in a Group Policy Object. The Group Policy Preferences CSEs are an add-on install on XP, 2003 and Vista that allows more settings to be configured in a GPO, including arbitrary registry values.
6. AGPM (Advanced Group Policy Management) - Acronym that means "basically worthless."

A quick look at this site:
http://support.microsoft.com/kb/943729

Will confuse the crap out of you for the following reasons:
1. It never mentions that Windows Server 2008 has the CSEs installed out of the box.
2. It gives you install files for Vista that won't work on Vista SP2. Why won't they work? Because, as several other people have noted, MS meant to include the CSEs packaged in SP2, but forgot. So every SP2 Vista machine thinks that it already has that update applied, even though it doesn't. Workaround here:
http://blog.tiensivu.com/aaron/archives/1505-Generic-way-of-brute-force-installing-a-.MSU-package-in-Vista-or-Server-2008.html

Disabling Windows Update in Windows Server 2008 and Vista

This will come in handy for those of us who don't want MS installing patches at will on our clusters: I spent a long time looking for a MS-validated solution and came up empty-handed. Sysinternals' Process Monitor came through FTW:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\AUOptions
Values (REG_DWORD) are as follows:
1 = Don't check ever. (Disabled)
2 = Check for updates but let me choose whether to download or install.
3 = Download, but let me choose when to install.
4 = Download and install automatically.

Note that the Group Policy side of this lives under a different key, HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU, following the policy-vs-preference split described above. The native setting is Computer Configuration\Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates: Enabled with option 2, 3 or 4 writes AUOptions under that key, and Disabled writes NoAutoUpdate = 1, which is the GPO way of reaching state 1. If you would rather push the value above directly, a Group Policy Preferences Registry item can create and enforce it, but any policy value under the AU key will win over it.
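The following script, added here as an example and not part of either original post, applies the policy-vs-preference rule to both settings discussed on this page: the Terminal Services fDisableLPT flag from the July 1 post and the Automatic Updates mode from this one. It reads the value under HKLM\SOFTWARE\Policies and the value in the component's own location, reports which one the component will honor, and flags the case where the two disagree. It also handles the Automatic Updates wrinkle that, under the policy key, "disabled" is expressed as NoAutoUpdate = 1 rather than AUOptions = 1. All registry paths are the ones named on this page; the function names and the report layout are this example's own.

```powershell
# Added example (not from the original posts): show which registry copy of a
# setting is in effect, the GPO policy value or the machine's own preference.

function Get-RegValue {
    param([string] $Key, [string] $Name)
    # $null when either the key or the value is missing
    (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Resolve-Effective {
    # Policy wins when present; otherwise the preference; otherwise the component default.
    param($Policy, $Preference)
    if ($null -ne $Policy)     { return @{ Value = $Policy;     Source = 'Policy (GPO)' } }
    if ($null -ne $Preference) { return @{ Value = $Preference; Source = 'Preference (set on the box)' } }
    return @{ Value = $null; Source = 'Not configured (component default)' }
}

function New-Report {
    param([string] $Setting, $Policy, $Preference, [string] $Meaning)
    $r = Resolve-Effective $Policy $Preference
    [pscustomobject]@{
        Setting    = $Setting
        Policy     = $Policy
        Preference = $Preference
        Effective  = $r.Value
        Source     = $r.Source
        Meaning    = $Meaning
        # True is exactly the "disagreed with the first one" situation from the July 1 post.
        Conflict   = ($null -ne $Policy -and $null -ne $Preference -and $Policy -ne $Preference)
    }
}

function Get-LptRedirectionState {
    $policy = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 'fDisableLPT'
    $pref   = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' 'fDisableLPT'
    New-Report 'Do not allow LPT port redirection (fDisableLPT)' $policy $pref ''
}

$AuStates = @{
    1 = 'Never check for updates (disabled)'
    2 = 'Check for updates, but let me choose whether to download or install'
    3 = 'Download, but let me choose when to install'
    4 = 'Download and install automatically'
}

function Get-AutoUpdateState {
    $auPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $auPref   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    # Policy side: "Configure Automatic Updates" Enabled writes AUOptions 2-4,
    # Disabled writes NoAutoUpdate = 1. Fold both onto the same 1-4 scale as the preference.
    $policy = Get-RegValue $auPolicy 'AUOptions'
    if ((Get-RegValue $auPolicy 'NoAutoUpdate') -eq 1) { $policy = 1 }
    $pref = Get-RegValue $auPref 'AUOptions'
    $effective = (Resolve-Effective $policy $pref).Value
    $meaning   = if ($null -ne $effective) { $AuStates[[int]$effective] } else { 'Windows default' }
    New-Report 'Automatic Updates (AUOptions)' $policy $pref $meaning
}

Get-LptRedirectionState | Format-List
Get-AutoUpdateState     | Format-List

# Cross-check against what the Group Policy engine reports it applied:
#   gpresult /scope computer /v | findstr /i "fDisableLPT NoAutoUpdate AUOptions"
```

Conflict = True with Source = Policy (GPO) is the healthy outcome after a GPO lands: the old preference value is still there and still reads the opposite, but it is no longer what the component uses. Conflict = True with an unexpected Effective value is the case worth investigating, because it means someone has set the policy key directly on the machine rather than through a GPO.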