Network drives were dropping out

Network drives were dropping out. We were also seeing 15+ minutes slow logon times at some remote sites.

We’d mostly see the slow logon times with Windows 7.  We’d see the “network drives dropping out” issue with Windows 8.

Looking at the Offline Files event log we saw several 1004 events logged. The details of each event read like this:
Path \\Noddyland\CorpData$ transitioned to slow link with latency = 140 and bandwidth = 202123

Why was it happening?  The following table might help:

Operating system    Slow bandwidth limit     Slow latency threshold
Windows XP          64Kbps                   n/a
Windows Vista       <nil> (opt-in policy)    n/a
Windows 7           64Kbps                   80ms
Windows 8           64Kbps                   35ms

From the event above, “transitioned to slow link with latency = 140 and bandwidth = 202123”, you can see we had plenty of bandwidth, but our network latency of 140ms was above the threshold (80ms on Windows 7, 35ms on Windows 8). That is what triggered the network share (\\Noddyland\CorpData$) to go Offline.

We fixed the issue by setting Latency=200 for \\Noddyland\CorpData$, in Group Policy Computer Configuration\Administrative Templates\Network\Offline Files\Configure slow-link mode.
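As an added example (not part of the original post), the following PowerShell reads the Offline Files 1004 events, pulls the latency and bandwidth figures out of the message text, and says which of the default thresholds from the table above was tripped. The operational log name is assumed to be the standard Offline Files log, and the event is assumed to report bandwidth in bits per second.

```powershell
# Added example, not the original post's code. Assumptions: the log name below
# is the Offline Files operational log, and "bandwidth" in the event is in bps.
$LogName = 'Microsoft-Windows-OfflineFiles/Operational'

# Default thresholds from the table in the post (bandwidth in bps, latency in ms).
$Thresholds = @{
    'Windows 7' = @{ BandwidthBps = 64000; LatencyMs = 80 }
    'Windows 8' = @{ BandwidthBps = 64000; LatencyMs = 35 }
}

function Get-SlowLinkTransitions {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 50
    )
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = $LogName; Id = 1004
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Message text looks like:
        # Path \\server\share transitioned to slow link with latency = 140 and bandwidth = 202123
        if ($e.Message -match 'Path (?<path>\S+) transitioned to slow link with latency = (?<lat>\d+) and bandwidth = (?<bw>\d+)') {
            [pscustomobject]@{
                TimeCreated  = $e.TimeCreated
                Path         = $Matches.path
                LatencyMs    = [int]$Matches.lat
                BandwidthBps = [int64]$Matches.bw
            }
        }
    }
}

function Test-SlowLinkCause {
    param(
        [Parameter(ValueFromPipeline)] $Transition,
        [string]$OS = 'Windows 7'
    )
    process {
        $t = $Thresholds[$OS]
        $cause = @()
        if ($Transition.LatencyMs -gt $t.LatencyMs) {
            $cause += "latency $($Transition.LatencyMs)ms > $($t.LatencyMs)ms"
        }
        if ($Transition.BandwidthBps -lt $t.BandwidthBps) {
            $cause += "bandwidth $($Transition.BandwidthBps)bps < $($t.BandwidthBps)bps"
        }
        if (-not $cause) {
            # Neither default was exceeded, so a Configure slow-link mode policy value is in play.
            $cause = @('no default threshold exceeded; check the Configure slow-link mode policy')
        }
        $Transition | Add-Member -NotePropertyName Cause -NotePropertyValue ($cause -join '; ') -PassThru
    }
}

# Usage: list the transitions on this PC and explain each one against the Windows 7 defaults.
Get-SlowLinkTransitions | Test-SlowLinkCause -OS 'Windows 7' | Format-Table -AutoSize
```

Run it against a Windows 8 machine with -OS 'Windows 8' to see how much more often the 35ms threshold bites; a share that shows up with a Cause of only latency is the one to give a Latency= value in the policy.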

References:
“Configure slow-link mode” policy on Vista for Offline Files
Configuring New Offline Files Features for Windows 7 Computers Step-by-Step Guide
Slow-Link with Windows 7 and DFS Namespaces
The “Configure slow-link mode” Policy is not taking effect

Getting a list of printers published in an Active Directory domain

So I need to get a list of print servers and printers in the domain.

Using Powershell.

Looking around the interwebs, I found a PowerShell commandline here which formed the basis of this commandline:
Get-ADObject -LDAPFilter "(objectCategory=printQueue)" -Properties cn, drivername, location, printername, portname, servername | select portname, cn, drivername, location, printername, servername | Format-Table -Property * -AutoSize | Out-String -Width 4096 | Out-File C:\wisefaq\printerlist.txt

Which outputs to a text file, like this:
portname cn drivername location printername servername
-------- -- ---------- -------- ----------- ----------
{101.112.138.188} PRT001-APPLELWR001 APPLE LASERWRITER II US/UT/Boort/10 Anytown St APPLELWR001 PRT001.noddyland.com
{112.142.229.22} PRT001-LZR960-2 Dataproducts LZR 960 PS US/UT/Boort/99 Anytown St LZR960-2 PRT001.noddyland.com
{101.192.107.56} PRT001-LZR960-1 Dataproducts LZR 960 PS US/UT/Boort/99 Anytown St LZR960-1 PRT001.noddyland.com
{101.192.107.56} PRT001-LZR960-3 Dataproducts LZR 960 PCL US/UT/Boort/99 Anytown St LZR960-3 PRT001.noddyland.com
{101.46.14.220} PRT001-LZR960-4 Dataproducts LZR 960 PS US/UT/Boort/99 Anytown St LZR960-4 PRT001.noddyland.com
{101.46.14.220} PRT001-LZR960-5 Dataproducts LZR 960 PCL US/UT/Boort/99 Anytown St LZR960-5 PRT001.noddyland.com

So why did I use Out-File instead of Export-CSV?
Export-CSV is refusing to output the {ip.addresses}. I don’t know why, and I’ve wasted an hour trying to work around the issue.

Update: December 2015
Adrian suggests that I could use Powershell Custom Objects to fix the issue of ip.addresses not outputting.
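As an added example (not the original post's command, and not Adrian's code), here is the same printQueue query rebuilt with PowerShell custom objects so that Export-Csv writes the port addresses. portName is a multi-valued attribute; Export-Csv calls ToString() on the value collection rather than expanding it, which is why the {ip.addresses} column was lost. Joining the values into one string before export avoids that. The output path is a placeholder.

```powershell
# Added example, not the original post's code. Output path is a placeholder.
Import-Module ActiveDirectory

function Get-PublishedPrinterInventory {
    param(
        [string]$SearchBase = $null,   # optional OU or domain DN to scope the search
        [string]$Separator  = ';'      # how multi-valued attributes are flattened
    )
    $params = @{
        LDAPFilter = '(objectCategory=printQueue)'
        Properties = 'cn', 'driverName', 'location', 'printerName', 'portName', 'serverName'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    Get-ADObject @params | ForEach-Object {
        # A PSCustomObject with plain string properties exports cleanly with Export-Csv.
        [pscustomobject]@{
            PortName    = (@($_.portName) -join $Separator)   # multi-valued -> single string
            CN          = $_.cn
            DriverName  = $_.driverName
            Location    = $_.location
            PrinterName = $_.printerName
            ServerName  = $_.serverName
        }
    }
}

# Usage: a CSV with the real port addresses, plus a per-server count as a sanity check.
$inventory = Get-PublishedPrinterInventory
$inventory | Export-Csv -Path 'C:\wisefaq\printerlist.csv' -NoTypeInformation
$inventory | Group-Object ServerName | Select-Object Name, Count | Sort-Object Count -Descending
```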

References:
PowerShell Quick Tip: Creating wide tables with PowerShell

Searching for Specific Printers in a Domain (Attributes for the printQueue Object)

Print-Queue class

PowerShell print server inventory script (looks very useful, but you need admin access to each of the printers)

Disabling Windows Update via Group Policy

You can do this via Group Policy via Computer Configuration –> Administrative Templates –> Windows Components –> Windows Update –> Configure Automatic Updates.

BUT

It seems that Windows Update will still deliver updates if it was previously configured to do so.  In other words, this policy only seems to work with freshly built PCs.

My current workaround is to stop the Windows Update service via Group Policy Preferences.
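As an added example (not from the original post), this PowerShell reports whether the Configure Automatic Updates policy has actually landed on a PC and whether the Windows Update service is stopped, so you can pick out the machines that keep delivering updates despite the policy. The registry key is the standard policy location for that setting; the value NoAutoUpdate is 1 when the policy is set to Disabled.

```powershell
# Added example, not the original post's code. Checks the policy key and the service state locally.
$AUKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

function Get-WindowsUpdateState {
    $au  = Get-ItemProperty -Path $AUKey -ErrorAction SilentlyContinue
    # Win32_Service gives State and StartMode on every Windows/PowerShell version in the post.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='wuauserv'"

    $policyDisabled = ($au -ne $null) -and ($au.NoAutoUpdate -eq 1)
    $serviceStopped = ($svc -ne $null) -and ($svc.State -eq 'Stopped')

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        PolicyPresent  = ($au -ne $null)
        NoAutoUpdate   = if ($au) { $au.NoAutoUpdate } else { $null }   # 1 = updates disabled by policy
        AUOptions      = if ($au) { $au.AUOptions }    else { $null }
        ServiceState   = if ($svc) { $svc.State }      else { 'not found' }
        ServiceStart   = if ($svc) { $svc.StartMode }  else { 'not found' }
        # "Effective" only when both the policy and the GPP service workaround are in place.
        Effective      = $policyDisabled -and $serviceStopped
    }
}

Get-WindowsUpdateState | Format-List
```

A machine showing PolicyPresent true but ServiceState Running is exactly the "previously configured" case the post describes, and the one the Group Policy Preferences workaround is there to catch.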

Saturday Link Roundup

Mirror_Dinghy_on_Combs_ReservoirGroup Policy Search – powered by Windows Azure.

How to bring harmony to your mixed wired and wireless networks
The article discusses several different ways to cause your WiFi enabled Windows PCs to switch to a wired connection when it is available.  The one which impresses me is the use of DHCP Default Router Metric Base property.

Sandy Mackinnon’s unlikely voyage through the canals of Europe
In a Mirror Dinghy no less.

Getting a list of users in an AD Group, using VBScript

I much prefer using Quest to do this (see this post), but I needed to use Vbscript as I had to output the results into an Excel spreadsheet.

If you look around the internet, you’ll find plenty of examples of how to do that.

But when I ran the following code on my system, it failed:
' objGroup is bound to the group beforehand; the DN below is a placeholder.
Set objGroup = GetObject("LDAP://CN=<GroupName>,OU=<OU>,DC=<domain>,DC=<tld>")
For Each objUser in objGroup.Members
    Wscript.Echo "Name: " & objUser.DisplayName
    Wscript.Echo "Department: " & objUser.department
    Wscript.Echo "Street address: " & objUser.streetAddress
    Wscript.Echo "Title: " & objUser.title
    Wscript.Echo "Description: " & objUser.description
    Wscript.Echo "Account Disabled?: " & objUser.AccountDisabled
    Wscript.Echo
Next

After much head scratching, I realised that another AD Group was a member of the current group, AND AD Groups do not have an AccountDisabled attribute.

The solution was to check the class attribute to see if the group member was a “user” or something else.
' objGroup is bound to the group beforehand; the DN below is a placeholder.
Set objGroup = GetObject("LDAP://CN=<GroupName>,OU=<OU>,DC=<domain>,DC=<tld>")
For Each objUser in objGroup.Members
    Wscript.Echo "Name: " & objUser.DisplayName
    Wscript.Echo "Department: " & objUser.department
    Wscript.Echo "Street address: " & objUser.streetAddress
    Wscript.Echo "Title: " & objUser.title
    Wscript.Echo "Description: " & objUser.description
    ' Only user objects carry AccountDisabled; nested groups do not.
    If LCase(objUser.Class) = "user" Then
        Wscript.Echo "Account Disabled?: " & objUser.AccountDisabled
    Else
        Wscript.Echo "I am an AD Group."
    End If
    Wscript.Echo
Next
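As an added example (not from the original post), the same report done with the ActiveDirectory PowerShell module. Get-ADGroupMember returns users, groups and computers alike, so objectClass is checked before asking for user-only attributes, and nested groups can be flattened with -Recursive instead of being reported as a group. The group name and output path are placeholders.

```powershell
# Added example, not the original post's code. Group name and CSV path are placeholders.
Import-Module ActiveDirectory

function Get-GroupMemberReport {
    param(
        [Parameter(Mandatory)] [string]$GroupName,
        [switch]$Recursive      # expand nested groups down to their user members
    )
    foreach ($m in (Get-ADGroupMember -Identity $GroupName -Recursive:$Recursive)) {
        # One row per member; the user-only columns stay empty for groups and computers.
        $row = [ordered]@{
            Name = $m.name; Type = $m.objectClass; Department = $null; StreetAddress = $null
            Title = $null; Description = $null; AccountDisabled = $null
        }
        if ($m.objectClass -eq 'user') {
            $u = Get-ADUser -Identity $m.distinguishedName -Properties DisplayName, Department, StreetAddress, Title, Description
            $row.Name            = $u.DisplayName
            $row.Department      = $u.Department
            $row.StreetAddress   = $u.StreetAddress
            $row.Title           = $u.Title
            $row.Description     = $u.Description
            $row.AccountDisabled = -not $u.Enabled     # same question the VBScript asked
        } elseif ($m.objectClass -eq 'group') {
            $row.Description = 'nested AD group (use -Recursive to expand)'
        }
        [pscustomobject]$row
    }
}

# Usage: direct members as in the VBScript, then the flattened list for the spreadsheet.
Get-GroupMemberReport -GroupName 'Some Group' | Format-Table -AutoSize
Get-GroupMemberReport -GroupName 'Some Group' -Recursive | Export-Csv -Path 'C:\wisefaq\members.csv' -NoTypeInformation
```

Export-Csv opens straight into Excel, which covers the reason the post needed VBScript in the first place.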

References:
How Can I Return Information For Each Member in a Group? (Hey Scripting Guy! Blog)
User Attributes – Inside Active Directory by Sakari Kouti
Active Directory Explorer by Sysinternals

Configuring DNS Suffix Search List via Group Policy

It seemed like a good idea at the time, configure the DNS Suffix Search List centrally so everyone gets the same thing.

The wheels fell off when I went to configure the 15th domain suffix.  The DNS Suffix Search List Group Policy accepted the value, but the desktop client wasn’t reading it.

The reason I needed to add another suffix was that an off-site internal website, http://Noddyhome, was not resolving. It was working if the customer typed in the fully qualified domain name, http://Noddyhome.othergroup.internal.beatfeet.com

After much head scratching, it looks as if there is a 200 character limit to that policy. “othergroup.internal.beatfeet.com” just wouldn’t fit.

The fix?  We used the GlobalNames Zone feature of Windows 2008.
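As an added example (not from the original post), this PowerShell checks a proposed suffix list against the 200 character limit the post ran into. The policy delivers the list as one comma-separated string, so the length that matters is the joined string, and anything past the cut-off is silently lost. It also reads back what the policy actually pushed to the local machine; the registry location is assumed to be the DNS client policy key, and the 15 suffixes are constructed for the example.

```powershell
# Added example, not the original post's code. Assumption: the policy writes its
# list to the SearchList value under the key below.
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$PolicyValue = 'SearchList'
$LimitChars  = 200   # limit observed in the post

function Test-DnsSuffixSearchList {
    param([string[]]$Suffixes, [int]$Limit = $LimitChars)
    $joined  = $Suffixes -join ','
    $fits    = @()
    $running = 0
    # Walk the list in order: the joined string is what gets cut, so once one
    # suffix pushes the total over the limit, it and everything after it is lost.
    foreach ($s in $Suffixes) {
        $next = if ($fits.Count -eq 0) { $s.Length } else { $running + 1 + $s.Length }
        if ($next -gt $Limit) { break }
        $fits += $s
        $running = $next
    }
    [pscustomobject]@{
        Count           = $Suffixes.Count
        TotalLength     = $joined.Length
        Limit           = $Limit
        WithinLimit     = ($joined.Length -le $Limit)
        SuffixesThatFit = $fits
        SuffixesDropped = @($Suffixes | Where-Object { $fits -notcontains $_ })
    }
}

function Get-DeployedDnsSuffixSearchList {
    # What policy actually delivered to this machine (empty if the policy is not applied).
    $v = Get-ItemProperty -Path $PolicyKey -Name $PolicyValue -ErrorAction SilentlyContinue
    if ($v) { $v.$PolicyValue -split ',' } else { @() }
}

# Usage with a constructed list of 15 suffixes (made up for the example).
$proposed = @(1..14 | ForEach-Object { "site$_.internal.beatfeet.com" }) + 'othergroup.internal.beatfeet.com'
Test-DnsSuffixSearchList -Suffixes $proposed | Format-List
Get-DeployedDnsSuffixSearchList
```

SuffixesDropped tells you which names will stop resolving by short name, which is the symptom the post started with.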

References:
Setting DNS Suffix Search List via GPO (Ryan Adams Blog)

Bypassing Internet Explorer Group Policy lockdowns.

We lock down Internet Explorer, to prevent our non IT-savvy staff from changing settings which will break their internet access.  We apply those same settings to ourselves, which isn’t as bad as it sounds.  It ensures that when we make a Group Policy change, we’re impacted in the same way if it goes wrong.

But there are times when we need to bypass those settings.  One way we do that is by deleting the Group Policy Registry keys which control Internet Explorer.  We put the following in a .reg file and execute it:

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer]

[-HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer]

[-HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]

It works quite well.

What happens if my Windows Domain time clock is fast …

… and I want to change it back?

It depends on the operating system.

The latest documentation from Microsoft states

MaxAllowedPhaseOffset

Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config

Version
Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2

This entry specifies the maximum offset (in seconds) for which W32Time attempts to adjust the computer clock by using the clock rate. When the offset exceeds this rate, W32Time sets the computer clock directly. The default value for domain members is 300. The default value for stand-alone clients and servers is 1. …

The article goes on to show you, with a formula, how to calculate what will happen if you change your time clock.

How Windows 2000 did it
Slow startup and/or logon times with Windows 7?

Our users were complaining of slow startup and logon performance with our Windows 7 fleet.  We got Microsoft in.  One of the things they recommended was deploying two hotfixes:

An update that improves the startup performance of Windows 7 and of Windows Server 2008 R2 is available
Svchost.exe holds a lock on a service when the libraries for the service are loaded. This behavior prevents other services in the same Svchost.exe instance from starting until the call to the LoadLibrary function is returned.

and

You experience a long domain logon time in Windows 7 or in Windows Server 2008 R2 after you deploy Group Policy preferences to the computer
Issue 1
Assume that you have a client computer that is running Windows 7 or Windows Server 2008 R2 in a domain environment. You deploy Group Policy preferences (GPP) to the client computer by using item-level targeting using security groups. In this situation, a user of the client computer experiences a long domain logon time. This issue becomes more noticeable if the domain controller is only reachable over a slow link.
Issue 2
When you apply GPP by using item level targeting for security groups, local ports are leaked in an OPEN_WAIT state. After some time, the nonpaged pool is depleted and the computer stops responding.

They both worked very well in our environment.

400 Bad Request and Internet Explorer.

The customer reported that they were unable to access our company intranet site. They were getting a "400 Bad Request" error from Internet Explorer.

So what did I do?  I picked up the phone and asked our "Web Admin" chap,
"What have you done to our poor customer".

‘Nothing Wisefaq, but here’s the answer to the problem:
The customer is a member of 140+ Active Directory Groups, and this is causing the Kerberos token to be far too long for our Apache Web Server to authenticate.’

Once I knew that, I was able to find lots of answers to the problem.  Here are some of them:

  1. 400 Bad Request (Header Field Too Long) when using Kerberos authentication
  2. Apache Bad Request “Size of a request header field exceeds server limit” with Kerberos SSO
  3. New resolution for problems with Kerberos authentication when users belong to many groups

Number 3 was the crux of the problem, “when users belong to many groups”. We took the easy way out, and reduced the number of AD Groups the customer was a member of.

Bonus information
Not only was Internet Explorer broken, but any system which used Kerberos, such as our email and document management system.
The 140+ Active Directory Groups were direct memberships. I suspect there are some additional nested group memberships in there too.
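As an added example (not from the original post), this PowerShell counts a user's direct group memberships (memberOf) and their transitive memberships, with nested groups expanded through the LDAP_MATCHING_RULE_IN_CHAIN filter. The transitive set is what ends up in the Kerberos ticket and makes the header grow, so it answers the "nested group" suspicion in the bonus information and finds the other users who will hit the same limit. The user name and warning threshold are placeholders.

```powershell
# Added example, not the original post's code. User name and threshold are placeholders.
Import-Module ActiveDirectory

function Get-UserGroupCount {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string]$SamAccountName,
        [int]$WarnAt = 120    # constructed threshold; the post's user had 140+ direct groups
    )
    process {
        $u = Get-ADUser -Identity $SamAccountName -Properties memberOf
        $direct = @($u.memberOf).Count

        # Transitive: every group whose member chain contains the user, at any depth.
        # (Neither count includes the primary group, usually Domain Users.)
        $dn = $u.DistinguishedName
        $chain = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)"
        $transitive = @($chain).Count

        [pscustomobject]@{
            User       = $u.SamAccountName
            Direct     = $direct
            Transitive = $transitive            # includes the direct ones
            NestedOnly = $transitive - $direct
            AtRisk     = ($transitive -ge $WarnAt)
        }
    }
}

# Usage: one user, then everyone enabled who is over the threshold, worst first.
Get-UserGroupCount -SamAccountName 'jsmith'
Get-ADUser -Filter 'Enabled -eq $true' |
    Select-Object -ExpandProperty SamAccountName |
    Get-UserGroupCount |
    Where-Object AtRisk |
    Sort-Object Transitive -Descending
```

The chain filter is one LDAP query per user and can be slow on a large forest, so run the second form against an OU at a time if the domain is big; the NestedOnly column is the part the VBScript-style direct count would have missed.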