How to implement Web Proxy Auto-Discovery Protocol

April 8th, 2014

Web Proxy Auto-Discovery Protocol, known as WPAD, is a protocol used by web browsers to locate the URL of a proxy configuration file using DHCP or DNS.

How does it work?

The computer running the web browser must be configured to detect settings automatically. In Internet Explorer it can be turned on here:

When the browser starts it tries to detect the WPAD URL. If the browser supports DHCP discovery it will send a DHCPINFORM query on the network asking for the WPAD option. If the client doesn't get a DHCP answer it will try DNS queries. Let's assume we have the local domain expo.domain.local. The client will try the following URLs:

  • http://wpad.expo.domain.local/wpad.dat
  • http://wpad.domain.local/wpad.dat

When these DNS lookups are not successful the browser will try the URL with the NetBIOS name, http://wpad/wpad.dat.

This behaviour depends on the WPAD implementation in the browser. Some browsers don't use DHCP detection. Some will also try the URL http://wpad.local/wpad.dat. I will write only about Internet Explorer behaviour.

Finally, when the browser gets the wpad.dat file from the WPAD URL it will parse this file and apply the proxy settings described in it.

How to make it work?

Let's assume we have DHCP and DNS services running on Windows Server. We also need IIS installed on the server. First of all we need to create a new IIS website:

We will bind this website to port 80 and set the Host name to wpad.domain.local. We will create a new directory C:\inetpub\wpad where the website will point. Second, we need to define a new MIME type in IIS. Click on the IIS server name in the IIS console, then click on MIME Types:

On the right side click on the action Add... and define the new MIME type (.dat - application/x-ns-proxy-autoconfig):

In the directory C:\inetpub\wpad create a new file called wpad.dat with the following content:


function FindProxyForURL(url, host) {
    // Proxy exceptions: intranet and the local AD domain go direct
    if (shExpMatch(url, "*intranet/*")) { return "DIRECT"; }
    if (shExpMatch(url, "*.domain.local/*")) { return "DIRECT"; }
    // Private address ranges go direct; the IP patterns are tested against host,
    // because url starts with the scheme ("http://10.0...") and would never match
    if (shExpMatch(host, "10.0.*")) { return "DIRECT"; }
    if (shExpMatch(host, "192.168.*")) { return "DIRECT"; }
    // DEFAULT RULE: All other traffic, use below proxies, in fail-over order.
    return "PROXY 10.0.0.100:8080";
}

This file is in the Proxy auto-config (PAC) format and it is self-explanatory. It's a kind of function which says that if the URL is "*intranet/*", "*.domain.local/*", … the browser will go directly to that URL. Those are the proxy exceptions. All other traffic will be sent to the proxy server 10.0.0.100 on port 8080. This script can be more advanced. Be aware, if you make some mistake some stupid browsers (including Internet Explorer) will skip the whole script and not use it :-)
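As an added example (not part of the original post), here is a small Node.js harness that loads the PAC text and reports what each sample URL resolves to before the file is published at the WPAD URL. shExpMatch is normally supplied by the browser and is reimplemented here; the PAC text, function names and URLs are constructed for the test.

```javascript
// Added example, not from the original post: an offline harness that loads a
// PAC file and reports what each sample URL resolves to before the file is
// published at the WPAD URL. shExpMatch is normally supplied by the browser
// and is reimplemented here; PAC text and URLs are constructed for the test.

const PAC_SOURCE = `
function FindProxyForURL(url, host) {
  if (shExpMatch(url, "*intranet/*"))      { return "DIRECT"; }
  if (shExpMatch(url, "*.domain.local/*")) { return "DIRECT"; }
  if (shExpMatch(host, "10.0.*"))          { return "DIRECT"; }
  if (shExpMatch(host, "192.168.*"))       { return "DIRECT"; }
  return "PROXY 10.0.0.100:8080";
}`;

// PAC helper: shell-style glob where * matches any run of characters and ?
// matches one character; everything else is literal.
function shExpMatch(str, shexp) {
  const re = shexp
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// Browsers pass the full URL plus the bare host (no scheme, port or path),
// which is why address patterns must be matched against host, not url.
function hostOf(url) {
  return new URL(url).hostname;
}

// Compile the PAC text in a scope that exposes only shExpMatch, the way a
// browser exposes its PAC helpers. A syntax error throws here instead of
// being silently ignored by the browser.
function loadPac(source) {
  return new Function("shExpMatch", source + "\nreturn FindProxyForURL;")(shExpMatch);
}

// Decision the browser would take for one URL.
function resolveProxy(findProxyForURL, url) {
  return findProxyForURL(url, hostOf(url));
}

// Run every sample URL through the PAC and collect the decisions.
function checkPac(source, urls) {
  const find = loadPac(source);
  return urls.map((u) => ({ url: u, result: resolveProxy(find, u) }));
}

const SAMPLE_URLS = [
  "http://intranet/home",
  "http://files.domain.local/share",
  "http://10.0.0.22/wpad.dat",
  "http://192.168.1.5/",
  "https://www.example.com/",
];

if (typeof require !== "undefined" && require.main === module) {
  for (const r of checkPac(PAC_SOURCE, SAMPLE_URLS)) {
    console.log(r.result.padEnd(22), r.url);
  }
}
```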

Now that we have our wpad.dat file ready we can check whether we are able to download it using a browser. Just try if you can download the file http://wpad.domain.local/wpad.dat.

If everything works, let's inform the browsers that we have published the autoconfiguration file.

Publish in DHCP

We need to create the new DHCP option 252 first:

  • Open the DHCP console
  • Right-click on the DHCP server, select Set Predefined Options and then click Add
  • In Name type wpad, as Data type select String and as Code type 252
  • Click OK
  • Enter the value http://wpad.domain.local/wpad.dat in the Value String field
  • Click OK
  • Right-click on Scope Options in the DHCP scope where you want to add option 252 and select Configure Options…
  • Scroll all the way down, select option 252 and click OK

This is all for the DHCP setup. Let's look at the DNS setup.

Publish in DNS

You need to create a DNS A record wpad.domain.local and point it to the IP where the WPAD website runs. Windows DNS servers will not answer queries for the A record "wpad" by default. This is for security reasons: "wpad" is on the DNS global query block list. By default the block list contains two names: wpad and isatap. To enable wpad we need to leave only isatap in the block list. You can do it with the command dnscmd /config /globalqueryblocklist isatap.

Remember

  • If the browser has DHCP discovery and gets a DHCP option 252, it will not do DNS discovery
  • Some browsers don't support DHCP discovery. Only Internet Explorer and Konqueror support both the DHCP and DNS discovery functions

That’s all folks for today :-)

Remote Powershell in domain environment

March 21st, 2014

Sometimes you need to run some command on a remote computer. If you don't want to bother the user using Remote Assistance, or the user is not at the computer, you can try Remote PowerShell. PowerShell was a new feature when Windows Vista and Windows Server 2008 came out. So we can divide operating systems into three categories. Each category has its own requirements.

Windows 7 / Windows Server 2008 R2 and higher

  • Ports need to be opened in the firewall (if your firewall is not already open all the way)
  • WinRM needs to be enabled and configured
  • The WinRM service needs to be configured to run

Windows Vista / Windows Server 2008

  • Everything from the first group
  • PowerShell 2.0 needs to be installed

Windows XP / Windows Server 2003

  • Everything from the second group
  • .NET Framework needs to be installed

Your environment will probably be a mix of all three types of operating systems. So let's look at how to configure it. I will use GPOs everywhere they can be used.

Enable Remote PowerShell for Windows Vista and Windows Server 2008

Create a GPO and set the following:

Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service > Allow automatic configuration of listeners (Allow Remote Server management through WinRM):

Firewall exceptions

Firewall exceptions for Windows 7 / Windows Server 2008 and higher

If you have the Microsoft firewall closed you need to make an exception using a GPO in Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile > Windows Firewall: Define inbound port exceptions:

Firewall exceptions for Windows XP / Windows Server 2003

You have to define a new firewall rule under Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security > Inbound Rules and create a new inbound rule with the predefined type "Windows Remote Management":

Configure Service

To enable Remote PowerShell we need to configure the service. The WinRM service has to start automatically. Create a new setting in the GPO under Computer Configuration > Policies > Windows Settings > Security Settings > System Services. Set up the service Windows Remote Management (WS-Management) the following way:

Let's change the startup for this service using GPO settings under Computer Configuration > Preferences > Control Panel Settings > Services. Create a new Service setting with the following settings:

Windows XP / Windows 2003 specifics

To make PowerShell work remotely on the older operating systems you need to make sure they have two hotfixes installed: KB968930 and KB951847. These hotfixes are distributed via Windows Update, so if you use WSUS these updates are already on your older operating systems.

To enable PowerShell for remote connections on these systems you need to enable it using a startup script. So you need to create a new GPO which will run only on the older OS. You can use the following WMI filter to make this GPO apply only to the older OS:

You can use the following script as a startup script to enable PowerShell remoting for Windows XP.

To test it you can run the following command:

Enter-PSSession -ComputerName COMPUTER_NAME

Active Directory Users and Computers Implementation

To make it nicer you can implement the connection to a computer from Active Directory Users and Computers.

In the location \\domain.local\NETLOGON create a new file Powershell.vbs:

'
' Script to run Remote PowerShell on a domain computer
'
' ADUC passes the ADsPath of the selected computer object as the first argument
Set wshArguments = WScript.Arguments
Set objComputer = GetObject(wshArguments(0))

'
' Check if PowerShell is installed
'
Set fso = CreateObject("Scripting.FileSystemObject")
If (fso.FileExists("C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe")) Then
    ' Is installed: start PowerShell and pass the computer's DNS host name to the script
    ' (note the space before the host name, otherwise the path and the name run together)
    Set objShell = WScript.CreateObject("WScript.Shell")
    Return = objShell.Run("C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -File \\domain.local\NETLOGON\Remote_Session.ps1 " & objComputer.dNsHostName, 1, False)
Else
    ' Is not installed, error.
    WScript.Echo "Microsoft Remote PowerShell is not enabled on this machine."
End If

In the location \\domain.local\NETLOGON create a new file Remote_Session.ps1:

[CmdletBinding()]
Param(
    # DNS host name of the computer, passed by Powershell.vbs
    [Parameter(Mandatory=$True, Position=1)]
    [string]$ComputerName
)

Enter-PSSession -ComputerName $ComputerName

When the files are ready, you need to create a new record in Active Directory using adsiedit.msc. Connect to the Configuration partition of your domain:

Go to Configuration > CN=Configuration,DC… > CN=DisplaySpecifiers > CN=409 > CN=computer-Display and edit property called adminContextMenu.

Add another record to the existing list of records. I used the following record:

3, &PowerShell Remote,\\domain.local\NETLOGON\Powershell.vbs

which means:

3 – the order of the record in the list of records (if you have only one existing record, your number will be 2)

&PowerShell Remote – the name of the item in the context menu

\\domain.local\NETLOGON\Powershell.vbs – the path to the VBS script you created

Here is how it looks in one of the environments:

When all is done, your Active Directory Users and Computers console has to be reopened and you will find the new record under the computer account:

When you click on this new item in the context menu a new PowerShell window opens. This PowerShell window is a remote PowerShell session on the remote computer.

I hope people start using powershell more often,

Broken ForestPrep

March 19th, 2014

A friend of mine tried to promote a Windows Server 2012 in a Windows Server 2003 SBS environment. He had installed Windows Server 2012. He also installed the Active Directory Domain Services role. When he tried to promote the newly installed Windows Server 2012 into the existing SBS domain he received the following error:

The error was generated while Windows Server 2012 tried to prepare the AD forest. So I tried to do it using the command line:

So, the same error (Adprep could not retrieve data from the server through Windows Management Instrumentation WMI). Some problem with WMI on the existing domain controller. I tried to rebuild WMI from scratch using this article. No luck. The message saying "Access is denied" was not true, because the account used to run setup.exe /forestprep was Enterprise, Domain and Schema Admin. When I read this article I found out that DCOM has to be enabled and accessible when doing a domain controller promotion. So I looked into the configuration of the old domain controller the following way:

Run the command dcomcnfg.exe

Browse down to Component Services -> Computers -> My Computer. Right-click and select Properties. I found that DCOM was disabled:

So I enabled it with the following settings:

…and I was able to promote Windows Server 2012 as a new domain controller. No more access or WMI errors.

This was a really hard one to find out :-)

DNS netmask ordering

March 19th, 2014

One customer has two physical locations. Here are the IP settings for both locations:

Location 1 – IP range 10.0.0.0/23 and wpad server is 10.0.0.22

Location 2 – IP range 10.0.2.0/24 and wpad server is 10.0.2.22

When you create two identical A records in DNS you get two IP addresses in a DNS answer. The order of the DNS records changes, because we have Round Robin enabled on our DNS servers. This is the default behaviour. Here is some testing with nslookup:

The results were the same in both locations. What we wanted to achieve was for the DNS servers to return the IP address 10.0.0.22 in first place in Location 1 and the IP address 10.0.2.22 in first place in Location 2. To make it work we need to look at the DNS server feature called netmask ordering. You can read more here.

Let's convert the IP ranges of each location into binary:

10.0.0.0/23

00001010.00000000.00000000.00000000 — 00001010.00000000.00000001.11111111

10.0.2.0/24

00001010.00000000.00000010.00000000 — 00001010.00000000.00000010.11111111

The networks in both locations are the same for the first 22 bits; the first different bit is the 23rd. So we need to change the netmask ordering on the DNS server to compare the first 23 bits when returning results to a client. It means our netmask ordering has to be set to:

00000000.00000000.00000001.11111111 — 0x000001FF
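As an added example (not from the original post), the following Node.js code carries the binary comparison above through in general: it finds the longest common prefix of the subnets that host duplicate A records, derives the netmask-ordering value in the inverted form Windows uses (0x000001FF for /23), and shows how the server orders the two answers for a client in each location, including why the default /24 comparison does not help a client in 10.0.1.x. Function names and sample addresses are constructed; applying the value with dnscmd /Config /LocalNetPriorityNetMask is an assumption, since the post only shows a screenshot.

```javascript
// Added example, not from the original post: generalise the post's
// by-hand comparison of 10.0.0.0/23 and 10.0.2.0/24. Function names and
// sample addresses are constructed for this example.

// Dotted-quad string -> unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => (acc << 8) | Number(o), 0) >>> 0;
}

// Unsigned 32-bit integer -> dotted binary, written the way the post does.
function toBinaryQuad(n) {
  return [24, 16, 8, 0]
    .map((s) => ((n >>> s) & 0xff).toString(2).padStart(8, "0"))
    .join(".");
}

// Number of leading bits shared by every network address in the list.
function commonPrefixLength(networks) {
  const ints = networks.map(ipToInt);
  for (let bit = 0; bit < 32; bit++) {
    const ref = (ints[0] >>> (31 - bit)) & 1;
    if (ints.some((n) => ((n >>> (31 - bit)) & 1) !== ref)) return bit;
  }
  return 32;
}

// Netmask ordering must compare one bit past the shared prefix to tell the
// locations apart: 22 shared bits -> compare the first 23 bits.
function orderingPrefix(networks) {
  return Math.min(commonPrefixLength(networks) + 1, 32);
}

// Windows stores the value inverted: ones mark the host bits that are
// ignored when matching a client's address. /23 -> 9 host bits -> 0x000001FF.
function orderingMask(prefix) {
  return prefix === 0 ? 0xffffffff : ((1 << (32 - prefix)) - 1) >>> 0;
}

function maskHex(mask) {
  return "0x" + mask.toString(16).toUpperCase().padStart(8, "0");
}

// How the DNS server orders answers under the mask: records in the client's
// network come first, the rest keep their round-robin order.
function orderAnswers(clientIp, answers, mask) {
  const net = (ip) => (ipToInt(ip) & ~mask) >>> 0;
  return answers
    .filter((a) => net(a) === net(clientIp))
    .concat(answers.filter((a) => net(a) !== net(clientIp)));
}

// Constructed input: the two locations and the two wpad A records from the post.
const LOCATIONS = ["10.0.0.0", "10.0.2.0"];
const WPAD_RECORDS = ["10.0.2.22", "10.0.0.22"];

if (typeof require !== "undefined" && require.main === module) {
  const prefix = orderingPrefix(LOCATIONS);
  const mask = orderingMask(prefix);
  console.log(`shared bits ${commonPrefixLength(LOCATIONS)}, compare /${prefix}`);
  console.log(`mask ${toBinaryQuad(mask)} = ${maskHex(mask)}`);
  // Assumed to be applied with: dnscmd /Config /LocalNetPriorityNetMask <mask>
  console.log("client 10.0.1.50 gets", orderAnswers("10.0.1.50", WPAD_RECORDS, mask));
}
```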

We need to set it on all DNS servers and restart the DNS service:

Once we do this on the servers we can see the following result in Location 1:

and the following result in Location 2:

So now it’s all set and ready to go.

Have a great day,

Quickie: Tail in Powershell

February 28th, 2014

There are lots of great tools in Linux which are needed in a Windows environment. One of the great tools from Linux is "tail". You can use it the following way:

tail -f /var/log/mail.log

You get the end of the file and you see all content added to the file on screen. You can watch log files without needing to reopen them. In Windows I use the utility Trace32.exe. I was looking for a more native way to do it in Windows. There is a cmdlet Get-Content in PowerShell which you can use the following way:

Get-Content C:\Windows\WindowsUpdate.log -Wait -Tail 10

This shows only the last 10 lines of the file and "waits" for newly added lines. The "Tail" switch is available only in PowerShell 3 and higher.

Powershell is getting there,

RemoteApp Name problem

February 26th, 2014

At one customer I implemented RemoteApp on Windows Server 2012 R2. The clients connecting to RemoteApp were Windows 7. Everything worked fine except for one computer. When I launched a RemoteApp from the applications provided automatically through the Control Panel, I received the following error (This RDP file is corrupted. The remote connection cannot be started.):

When I tried to run the application using the web portal everything worked fine.

The names of the RemoteApps contained diacritics and the name was displayed in a broken form:

So I removed all diacritics from the RemoteApp names and everything started to work as it should.

Weird things are:

  • There are no limits for RemoteApp names defined on the web
  • There are no errors logged anywhere saying anything about a "bad name" in RemoteApp

So remember not to have any other characters in RemoteApp names besides classic English ones.

Have a nice day,


My first attempt at a presentation at ShowIT 2013

February 12th, 2014

Here you go: LINK.


My talks for ShowIT 2014

February 12th, 2014

At ShowIT this year I got room for two talks:

Deep dive into Group Policy plus what's new in Windows 2012 R2

Storage and data deduplication in Windows 2012 R2 with VDI support

Videos will follow in time :-)


Quickie: Exchange database migration over 24 hours

December 9th, 2013

Over the weekend I was setting up Exchange 2010 database copies using a DAG. Those databases were huge (3.5 TB in total). The line between the primary and the backup datacenter was 100 Mbps. This migration ran over 24 hours for a couple of databases. When I checked the status I saw the job had been running for 23 hours and 20 minutes:

When I checked the status again about an hour and a half later I saw an interesting time:

This happened on all databases which ran over 24 hours :-) So it looks like the Microsoft engineers haven't thought about a job running more than 24 hours :-)

That’s all from weekend,

AVMA key in Hyper-V

November 26th, 2013

When you buy the Windows Server 2012 R2 Datacenter edition you don't have to activate every Windows Server 2012 virtual machine separately (Windows Server 2012 R2 Datacenter, Windows Server 2012 R2 Standard or Windows Server 2012 R2 Essentials). There is a new kind of license key for Windows called Automatic Virtual Machine Activation (AVMA). You have to activate the Hyper-V host operating system. Then you use one of the following AVMA keys for the VMs on your Hyper-V hosts:

Datacenter Y4TGP-NPTV9-HTC2H-7MGQ3-DV4TW
Standard DBGBW-NPF86-BJVTX-K3WKJ-MTB6V
Essentials K2XGM-NMBT3-2R6Q8-WF2FK-P36R2

You enter these keys from an elevated command prompt on the VM:

slmgr /ipk <AVMA_key>

When you do all of these steps all your Windows Server 2012 VMs will be automatically activated, even without Internet access from the VM.

I hope something similar will be deployed on VMWare virtualization.

More official information from Microsoft here.

Quickie: Nice utility to check DNS in AD

November 19th, 2013

Where there is a problem with AD replication, most of the time there is a problem with DNS: bad DNS records or missing DNS records. There is a cool utility from Microsoft to check this, DNSLint.exe. It is designed to do all the manual checks I do when trying to solve AD replication problems.

You can download it from here and also read more about it.

It's a pity it's not included in the operating system by default.

Quickie: Delete all Offline files on Windows XP

November 19th, 2013

A couple of days ago I migrated a file server. We moved the redirected My Documents for users to another server. We also hid these shares behind a DFS namespace to make it more manageable in the future. But we found a problem with this setup - offline files. Windows XP kept offline copies of both the old and the new redirected files. We had to clean this offline files database. I set up a startup script:

@ECHO OFF
IF EXIST C:\OfflineFilesClean.txt (
  REM Marker file exists, the offline files database was already reset
) ELSE (
  reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\NetCache" /v FormatDatabase /t REG_DWORD /d 1 /f
  echo Vymazane > C:\OfflineFilesClean.txt
)

This script was dedicated just to Windows XP, so I had to apply the GPO using a WMI filter:

SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.1%" AND ProductType = "1"

This script would also work on Windows 7 and Windows 8, but those OSes didn't have the problem.

That’s all for today,

Quickie: When you disable Data Deduplication you will lose Shadow Copies data

October 22nd, 2013

We had some problems with a backup system backing up Windows Server 2012 volumes with Data Deduplication enabled. We decided to disable Data Deduplication on the volume. After the volume was converted back into "non data deduplication mode", we found out that all Shadow Copies metadata was lost. It means all "Previous Versions" were lost. I really don't see any reason to act like that, but there probably is some. It would be great if Windows warned you before you make the change. But it doesn't :-)

Have a nice day,

Internet Explorer 10.0 doesn't get Proxy settings from Preferences

October 17th, 2013

I had a weird problem today. A customer called that the GPO I had created to set the proxy server for Internet Explorer didn't work anymore on Windows 7. He was right. Internet Explorer 10 was installed on Windows 7. The proxy configuration was made by Internet Explorer Maintenance:

This was not applied on Windows 7 with Internet Explorer 10, even though the event log said it should be applied. Then I set these settings using GPO Preferences. I could create settings just for IE 5, 6, 7 and 8:

I decided to create the settings using Internet Explorer 8. I set all the settings I wanted and saved the GPO:

Nothing happened. It's because these settings are limited to Internet Explorer 8.0. So we need to dig into the XML file which handles these settings. The file InternetSettings.xml is located at \\DOMAIN\SYSVOL\DOMAIN\Policies\{76C1E5D1-9CA6-4682-AD41-FD038DDED1E9}\User\Preferences\InternetSettings. When you open this file you can see an XML file with all the settings. There is one attribute called MAX which defines up to which version these settings are applied. I changed it to the value "10.50.0.0" and now everything works:

What a stupid work around :-)

Powershell script to change User Principal Name to Primary SMTP Address

October 2nd, 2013

When you install Exchange in an environment you want to allow users to log into their mail using their e-mail address. If your domain name is different from your e-mail domain, you have to add the UPN suffix first. More about it HERE. Then you need to change the User Principal Name to the Primary SMTP Address. I wrote a little script to do so:

# -ResultSize Unlimited: without it Get-Mailbox stops after the first 1000 mailboxes
Get-Mailbox -ResultSize Unlimited |
  ForEach-Object {
    Write-Host "For: $($_.SamAccountName)"
    Write-Host "   - change UPN from: $($_.UserPrincipalName) to: $($_.PrimarySmtpAddress)"
    Set-ADUser -Identity $_.DistinguishedName -UserPrincipalName $_.PrimarySmtpAddress.ToString()
  }

Have a nice day,


News in DHCP client since Windows 7

September 26th, 2013

Imagine you have a DHCP server on the network and all clients are Windows XP or older. When the DHCP server was not accessible on the network during the client's startup, the client computer couldn't get an IP address and it assigned itself an APIPA address. This was a problem. So let's look at what's new since Windows 7.

I prepared the following scenario:

  • One DHCP server Windows Server 2012 – 192.168.0.10
  • One DHCP server Windows Server 2012 acting as default gateway – 192.168.0.11
  • One Windows 8 client – DHCP assigned
  • One Windows 7 client – DHCP assigned

When a client wants to get TCP/IP settings from the DHCP server, there are four DHCP packets (DISCOVER, OFFER, REQUEST and ACK) going over the network. Network dump on the DHCP server:

This is normal behaviour even in old clients. Now I shut down the client and stopped the DHCP server. When I started the client computer I found out that the client computer had the IP address it received from the DHCP server before the reboot.

So let's restart the client again and see what happens. The client computer has the same TCP/IP settings it had before the reboot (TCP/IP settings received from the DHCP server before I stopped it). The client computer keeps asking the DHCP server to renew the TCP/IP settings (using DHCP REQUEST):

So how does the client computer know whether it may keep the cached TCP/IP settings after the DHCP server stopped responding? I assume it depends on the gateway and its IP or MAC address. So let's disconnect the gateway from the network and reboot the client computer. Now the client has APIPA TCP/IP settings and it looks for a DHCP server with DHCP DISCOVER: