If you have a forest trust with selective authentication, you may get the following error when trying to authenticate with users or groups between the forest domains:
Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.
Error Code: 1935
Either you switch to domain-wide authentication in your trust settings (only recommended when the two forests belong to the same company...), or you have to explicitly allow the specific user or group to authenticate against the computer in the other forest.
To resolve the issue, open Active Directory Users and Computers --> enable Advanced Features on the View tab --> select the computer object --> Properties --> Security --> add the user or group you want to authenticate and check Allowed to Authenticate
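To review which principals already hold Allowed to Authenticate on a computer object before or after granting it, the ACL can be read with PowerShell. This is an added example, not part of the original post; it assumes the ActiveDirectory RSAT module, and SERVER01 is a hypothetical computer name.

```powershell
# Added example: list who holds "Allowed to Authenticate" on a computer object.
# Assumes the ActiveDirectory module (RSAT); SERVER01 is a hypothetical name.
Import-Module ActiveDirectory

function Get-AllowedToAuthenticate {
    param([Parameter(Mandatory)][string]$ComputerName)

    # Look up the extended right's GUID in the forest instead of hard-coding it.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
        -LDAPFilter '(cn=Allowed-To-Authenticate)' -Properties rightsGuid
    $rightGuid = [guid]$right.rightsGuid

    $computer = Get-ADComputer -Identity $ComputerName
    $acl = Get-Acl -Path "AD:\$($computer.DistinguishedName)"

    $extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $acl.Access | Where-Object {
        # Keep ACEs for this specific right, and ACEs that cover all
        # extended rights (empty ObjectType), which include it.
        $_.ActiveDirectoryRights.HasFlag($extended) -and
        ($_.ObjectType -eq $rightGuid -or $_.ObjectType -eq [guid]::Empty)
    } | Select-Object IdentityReference, AccessControlType, IsInherited, ObjectType
}

Get-AllowedToAuthenticate -ComputerName 'SERVER01' | Format-Table -AutoSize
```

Entries with IsInherited set to True come from a parent container rather than from the computer object itself.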
8/31/2009
8/13/2009
Failed to run ADAM setup 0x80074e46
If you install ISA Server 2006 EE (no SP) with Configuration Storage Server (CSS) on Windows Server 2003 SP2, you may get the following error:
Failed to run ADAM setup Error Code: 0x80074e46
You may be able to solve the problem by configuring a DNS server on your interface that points to Active Directory.
6/05/2009
Certificates for internet-based site systems in SCCM
Internet-based site systems in SCCM need certificates with the server authentication purpose, e.g. a web server certificate. What matters for these certificates is that the FQDN of the server (or the defined DNS alias) appears in either the certificate subject name field or the subject alternative name (SAN) field.
For Example: MYSCCM01.MYDOMAIN.LOCAL or SCCM.MYDOMAIN.COM
BUT!!! It gets difficult if you want to use one certificate for both intranet and Internet usage. In this case both FQDNs must be included in the certificate, but only one certificate subject name can be configured. By default a Windows PKI also issues certificates with only one SAN name, but this can be changed!
Execute the following command to extend the CA with the SAN2 extension, so that certificates are issued with these fields:
certutil.exe -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTNAME2
After this, stop and start the CA service:
net stop certsvc && net start certsvc
Now you can issue certificates with more than one SAN name.
To request the certificate with several SAN names, go to your computer certificates MMC, request a new certificate, choose your server authentication template and go to the properties page by clicking the details arrow.
Under alternative name select type 'DNS' and type in your FQDN names.
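With EDITF_ATTRIBUTESUBJECTNAME2 set, the CA accepts SAN values supplied with the request on every template it issues from, not only this one, so it is worth checking the flag state on the CA and the names on the certificate that was issued. The following PowerShell is an added example, not part of the original post; the two FQDNs are the sample names used above.

```powershell
# Added example: audit the CA flag and confirm the issued certificate's names.
# The two FQDNs are the sample names used in the post.
$requiredNames = 'MYSCCM01.MYDOMAIN.LOCAL', 'SCCM.MYDOMAIN.COM'
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

# 1) On the CA: report whether EDITF_ATTRIBUTESUBJECTNAME2 is currently set.
#    certutil lists only the flags that are enabled.
function Test-San2Flag {
    $out = & certutil.exe -getreg policy\EditFlags
    [bool]($out -match 'EDITF_ATTRIBUTESUBJECTNAME2')
}

# 2) On the site system: find valid server-auth certificates carrying every name.
function Get-MatchingServerCert {
    param([string[]]$Names)
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $cert = $_
        $hasEku = $cert.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid
        $dns = $cert.DnsNameList.Unicode
        $missing = $Names | Where-Object { $dns -notcontains $_ }
        $hasEku -and -not $missing -and $cert.NotAfter -gt (Get-Date)
    } | Select-Object Thumbprint, Subject, NotAfter
}

if (Test-San2Flag) {
    Write-Warning 'EDITF_ATTRIBUTESUBJECTNAME2 is set on this CA.'
    # To clear it again once the certificate has been issued:
    #   certutil.exe -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTNAME2
    # followed by a restart of the certsvc service.
}
Get-MatchingServerCert -Names $requiredNames | Format-List
```

Run the first function on the CA and the second on the SCCM site system; an empty result from the second means no installed certificate covers both names.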
6/03/2009
Assign Windows PE Boot Image to Client
Windows Deployment Services (WDS) ships a command-line tool named wdsutil.exe, which can be used to prestage computers in Active Directory. I was personally interested in having a Windows PE boot image chosen automatically for a client in the Windows Boot Manager.
One use case, for example, is having different Windows PE images for different processor architectures (x86, x64).
The parameter /BootImagePath defines the boot image that the client starts after the countdown.
Example x86
WDSUTIL /Add-Device /Device:ComputerName /ID:MACAddress /ReferralServer:WDSServerName /BootProgram:boot\x86\pxeboot.com /BootImagePath:boot\x86\images\bootx86.wim
Example x64
WDSUTIL /Add-Device /Device:ComputerName /ID:MACAddress /ReferralServer:WDSServerName /BootProgram:boot\x64\pxeboot.com /BootImagePath:boot\x64\images\bootx64.wim
After executing the command, a computer account that stores the configured options is created in Active Directory. When a client now boots from the network, it gets all the information needed to choose the assigned boot image.
Note: Scripting the "WDSUTIL /Add-Device" command is a comfortable way to create multiple prestaged computer objects.
Furthermore, you can configure your WDS server to answer only known clients, which gives more control over the deployment.
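A sketch of the scripting mentioned in the note, as an added example that is not part of the original post: it validates each entry and prints the WDSUTIL /Add-Device command with the same parameters as the two examples above. The device names, MAC addresses and the server name WDS01 are constructed sample values.

```powershell
# Added example: build WDSUTIL /Add-Device commands for a batch of clients.
# Device names, MACs and WDS01 are constructed sample values.
$devices = @'
Name,Mac,Arch
PC-0001,00-B0-56-88-2F-DC,x86
PC-0002,00:b0:56:88:2f:dd,x64
PC-0003,00B05688ZZZZ,x64
'@ | ConvertFrom-Csv

function New-PrestageCommand {
    param($Device, [string]$WdsServer)
    # Accept dashes or colons, then require exactly 12 hex digits.
    $mac = ($Device.Mac -replace '[-:]', '').ToUpper()
    if ($mac -notmatch '^[0-9A-F]{12}$') { throw "Bad MAC for $($Device.Name): $($Device.Mac)" }
    if ($Device.Arch -notin 'x86', 'x64') { throw "Unknown architecture: $($Device.Arch)" }
    if ($Device.Name -notmatch '^[A-Za-z0-9-]{1,15}$') { throw "Bad computer name: $($Device.Name)" }
    $a = $Device.Arch
    # Same parameters as the two examples in the post, one array element each.
    @('/Add-Device', "/Device:$($Device.Name)", "/ID:$mac",
      "/ReferralServer:$WdsServer",
      "/BootProgram:boot\$a\pxeboot.com",
      "/BootImagePath:boot\$a\images\boot$a.wim")
}

foreach ($d in $devices) {
    try {
        $wdsArgs = New-PrestageCommand -Device $d -WdsServer 'WDS01'
        Write-Host "WDSUTIL $($wdsArgs -join ' ')"
        # Remove the comment to actually create the prestaged account:
        # & WDSUTIL.exe @wdsArgs
    } catch {
        # Invalid rows (PC-0003 in the sample) are reported and skipped.
        Write-Warning $_.Exception.Message
    }
}
# Restricting the server to prestaged clients:
#   WDSUTIL /Set-Server /AnswerClients:Known
```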
3/06/2009
SQL SCCM Query to return Advertisements, Programs and Main Users of all Computers
This SCCM SQL query returns each computer, its advertisements and programs, and the main user.
-- Main user = console user with the highest TotalUserConsoleMinutes0 per computer
-- (Table1.Anmeldezeit holds that maximum logon time)
SELECT v_Advertisement.AdvertisementName,
       v_Advertisement.ProgramName,
       Netbios_Name0 AS Computername,
       v_GS_SYSTEM_CONSOLE_USER.SystemConsoleUser0 AS MainUsername
FROM (SELECT ResourceID, MAX(TotalUserConsoleMinutes0) AS Anmeldezeit
      FROM v_GS_SYSTEM_CONSOLE_USER
      GROUP BY ResourceID) AS Table1,
     v_GS_SYSTEM_CONSOLE_USER,
     v_R_System_Valid,
     v_ClientAdvertisementStatus,
     v_Advertisement
WHERE Table1.ResourceID = v_GS_SYSTEM_CONSOLE_USER.ResourceID
  AND Table1.Anmeldezeit = v_GS_SYSTEM_CONSOLE_USER.TotalUserConsoleMinutes0
  AND Table1.ResourceID = v_R_System_Valid.ResourceID
  AND Table1.ResourceID = v_ClientAdvertisementStatus.ResourceID
  AND v_ClientAdvertisementStatus.AdvertisementID = v_Advertisement.AdvertisementID
1/28/2009
vbScript to validate SMS/SCCM Sourcepaths
This script checks whether the source path of each package in SMS or SCCM is valid.
' Ask for the site server and site code to connect to
Siteserver = InputBox("Please enter the name of the SMS/SCCM Site Server")
Sitecode = InputBox("Please enter the Site Code of the SMS/SCCM Site")
Dim objFSO : Set objFSO = CreateObject("Scripting.FileSystemObject")
' Results are written to a log file in the current directory
Dim objFile : Set objFile = objFSO.CreateTextFile("ValidatePkgSourcePath.log")
Dim objSWbemLocator : Set objSWbemLocator = CreateObject("WbemScripting.SWbemLocator")
Dim objSWbemServices : Set objSWbemServices = objSWbemLocator.ConnectServer(Siteserver, "root\sms\site_" & Sitecode)
Set colPackages = objSWbemServices.ExecQuery("SELECT * FROM SMS_Package")
For Each objPackage In colPackages
    strPackageName = objPackage.Manufacturer & " " & objPackage.Name & " " & objPackage.Version & " " & objPackage.Language
    ' Appending "" turns a Null source path into an empty string
    strSourcePath = objPackage.PkgSourcePath & ""
    If strSourcePath = "" Then
        objFile.WriteLine strPackageName & " - Sourcepath is empty"
    ElseIf Not objFSO.FolderExists(strSourcePath) Then
        ' Only non-empty paths are tested, so each package is logged at most once
        objFile.WriteLine strPackageName & " - Sourcepath is not valid (" & strSourcePath & ")"
    End If
Next
objFile.Close
WScript.Echo "Finished"
9/04/2008
Retrieving "exit strings" from vbScript
Retrieving exit codes from a VBScript is not very tricky, but there is no method to retrieve "exit strings" from a script.
Below is a little workaround to keep strings in the "computer's mind" after a script has finished, without using temp files, registry keys or environment variables as a data store.
Step by Step:
- ShowResult.vbs calls the script AskUser.vbs
- AskUser.vbs captures some user input
- AskUser.vbs writes the user input into the Windows clipboard
- AskUser.vbs ends
- ShowResult.vbs queries the clipboard for the written text
- ShowResult.vbs shows the result
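ShowResult.vbs
Dim objShell : Set objShell = CreateObject("Wscript.Shell")
Dim objIE : Set objIE = CreateObject("InternetExplorer.Application")
' Run AskUser.vbs and wait until it has finished (path as given in the post)
objShell.Run "\AskUser.vbs", 1, True
objIE.Navigate("about:blank")
' Wait for the blank page so that the document object is available
Do While objIE.Busy : WScript.Sleep 100 : Loop
WScript.Echo objIE.document.parentwindow.clipboardData.GetData("text")
objIE.Quit ' close the hidden Internet Explorer instance
AskUser.vbs
Dim objIE : Set objIE = CreateObject("InternetExplorer.Application")
If MsgBox("Please press YES or NO", vbYesNo) = vbYes Then
    YourText = "YES was pressed"
Else
    YourText = "NO was pressed"
End If
' Write to clipboard. The clipboard is readable by every process in the
' user's session, so it is not a place for passwords or other secrets.
objIE.Navigate("about:blank")
' Wait for the blank page so that the document object is available
Do While objIE.Busy : WScript.Sleep 100 : Loop
objIE.document.parentwindow.clipboardData.SetData "text", YourText
objIE.Quit ' close the hidden Internet Explorer instance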