Tuesday, January 28, 2014

Computers not registering with WSUS

I'm not like some of these bloggers who live to post, it takes time and that's something I don't have a lot of.  Still, I really need to make an effort to post fixes when I find them.

For example I just fixed an issue that has been plaguing us for weeks.  We are teetering between using Windows WSUS and a 3rd party product for patch management.  For now we will use WSUS.  I set up a global policy in our domain to assign each system to one of our two WSUS servers according to AD site.  We're not using client side targeting (yet) so the GPO setup is fairly straightforward.

Initially about 2/3 of our systems registered with one or the other of the WSUS servers but the rest would not.  We tried everything but nothing would get these things to register.  The OS type ranged from XP to Server 2012 and everything in between.

Finally One of the guys here hit on a Technet article that cinched it. https://social.technet.microsoft.com/Forums/en-US/f983bb7b-cbb1-4acf-9665-638be4cc6a60/client-computers-not-registering-on-wsus-server?forum=winserverwsus

This article described the same issues another user had.  The person answering it hit the issue on the mark.

Seems there is a unique SID used for registering with WSUS located at
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINDOWSUPDATE\SUSCLIENTID
When you use cloned virtual systems this SID doesn't get changed.  When two or more systems have the same SID, the first registers with WSUS.  The second tries to register but since the SID is known WSUS says "you already registered and I told you what to do".  The result is the first system gets patched and all others with duplicate SID don't and they never register themselves with WSUS.

To fix this I first ran a PowerShell script to extract the SIDs.


clear-host
$ErrorActionPreference = "SilentlyContinue"

$TargetKey = "SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINDOWSUPDATE"
$TargetValueName = "SUSCLIENTID" 

Function GetString ($ValueName, $ValueData){
  $ReadBack = ""
  $ReadBack = $SubKey.getValue($ValueName)
  Write-Host $ReadBack
}
  $Computers = Get-ADComputer -Filter {OperatingSystem -Like "*"} -Property * | ForEach-Object {$_.Name}

ForEach ($Target in $Computers){
  $Target = $Target.ToUpper()

  If(Test-Connection -ComputerName $Target -count 1 -ea 0) {
    $BaseKey = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey("LocalMachine", $Target)
    $SubKey = $BaseKey.OpenSubKey($TargetKey, $True)
    GetString $TargetValueName $TargetValueData
  }Else{
    Write-host "Failed to connect to $Target..."
  }
}
Write-host "--- Run Completed ---"


The script is quick and dirty and just prints the SIDs to the screen.  I copied them into Excel, sorted and filtered it down to the list of just duplicates.

Once I had the list of duplicate SIDs I needed to detect them, clear them out, and get the affected system to register.  For this I created a variation of the script.  This script also has a debug mode that allows you to target a single system.  That way you can test it without affecting the entire domain.


clear-host
$Debug = $true
$DebugTarget = "testbox"
$ErrorActionPreference = "SilentlyContinue"

$TargetKey = "SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINDOWSUPDATE"
$TargetValueName = "SUSCLIENTID" 

Function SetString ($ValueName, $ValueData){
  $ReadBack = ""
  $ReadBack = $SubKey.getValue($ValueName)

  foreach ($GUID in $GUIDArray){

  if ($GUID -eq $ReadBack){
  Write-Host $target
  Write-Host "deleting key"
  $SubKey.DeleteValue("SusClientID", [Microsoft.Win32.RegistryValueKind]::String)

  Write-Host "running fix"
  Invoke-Command -ComputerName $Target -ScriptBlock { Start-Process "\\dc01\netlogon\wsusfix.bat" }

  Write-Host "restarting service"
  Restart-Service -InputObject $(Get-Service -Computer $Target -Name "wuauserv");
  }
}
}

$GUIDArray = @("07b0b81c-80c6-4755-9d60-361b922a029e")
$GUIDArray += "1180369a-0b69-4542-86f3-a2437ef593dd"
$GUIDArray += "2be0adc5-b137-4fd0-a28d-cd470de2fe09"
$GUIDArray += "2f29bacf-5385-445e-ad4f-26e6c6a2b2eb"
$GUIDArray += "3dd11e2a-a8ad-4eb0-bde5-7f3ee07da9c9"
$GUIDArray += "56f220f0-01ea-4df7-af3e-9cba3be8b957"

If ($Debug){
  Write-host "===================== DEBUG MODE ENABLED ============================="
  $Computers = $DebugTarget
}Else{
  $Computers = Get-ADComputer -Filter {OperatingSystem -Like "*"} -Property * | ForEach-Object {$_.Name}
}

ForEach ($Target in $Computers){
  $Target = $Target.ToUpper()
  $IP = [System.Net.Dns]::GetHostAddresses($Target)

  Write-host "----------------------------------------------------------------------"

  If(Test-Connection -ComputerName $Target -count 1 -ea 0) {
    $BaseKey = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey("LocalMachine", $Target)
    $SubKey = $BaseKey.OpenSubKey($TargetKey, $True)
    SetString $TargetValueName $TargetValueData
  }Else{
    Write-host "Failed to connect to $Target..."
  }
}
Write-host "--- Run Completed ---"


This script required an external batch file in a common location (the netlogon share on a DC).  I tried all sorts of ways to reliably get the register command to run, this was the most reliable.

The batch file contains one line of text "wuauclt /resetauthorization /detectnow".

When run, the script detects all systems in the domain, and checks the registry key for one of the listed SIDs.  If found it removes the key, generates a new SID and restarts the Windows Update service.  Within about 10 to 15 seconds , if you are watching the registry, you'll see the key regenerate with a new SID. 

I recommend letting things sit over night.  The next day you should see all your missing systems in the WSUS server.

Friday, May 24, 2013

Force PowerShell scripts to run from C:\scripts

Here is a little tidbit I came up with because I like to be picky about how my scripts run.  It forces a script to relocate itself and run from the C:\Scripts folder.  I usually prefer to place the comments that describe a line on the end of that line.  In this case I had to go below the line.


$ErrorActionPreference = "SilentlyContinue"
$rand = New-Object System.Random

#--------------------[ Create and relocate to C:\scripts ]----------------------
if (!(Test-Path -pathtype Container "C:\Scripts")){
   new-item C:\Scripts -itemType Directory -Force  #--[ Create local scripts folder.
}

$TargetPath = "C:\Scripts"                              #--[ Where the script "should" live
$ScriptFullName = ($MyInvocation.MyCommand).Name        #--[ EX: script.ps1
$ScriptFullPath = ($MyInvocation.MyCommand).Path        #--[ EX: C:\Scripts\script.ps1
$ScriptHomeDir = split-path -parent $ScriptFullPath     #--[ EX: C:\Scripts, where the script resides
$ScriptWorkingDir = $pwd.path                           #--[ EX: C:\Scripts or C:\temp, where the script executes from
$ScriptShortName = [system.io.path]::GetFilenameWithoutExtension($ScriptFullPath)     #--[ EX: script (no extention)
$ErrorDetected = $False
$osv = [environment]::osversion.VersionString           #--[ Get Windows version, not required, just for convenience
$windir = [System.Environment]::ExpandEnvironmentVariables("%WINDIR%")     #--[ Get %windir% environment variable
#$windir = $env:windir                                  #--[ Alternate format
$ThisComputer1 = [System.Net.Dns]::GetHostName()        #--[ NOTE: No reason for both forms, just because.
$ThisComputer2 = $env:COMPUTERNAME
$eMailDomain = "gmail.com"                              #--[ Domain where emails will be sent
$ErrorDetected = $false

#--------------------[ Assure things run from C:\scripts ]----------------------
if (!($ScriptHomeDir -eq $TargetPath)){                 #--[ Paths are NOT same ]--
   if (!(Test-Path -path $TargetPath)){                 #--[ Does target path exist?  If not, create it ]--
      New-Item $TargetPath -type directory
   }
   if (!(Test-Path "$TargetPath\ThisScriptName")){      #--[ Is the script there?  If not, copy it there ]--
      Copy-Item $ScriptFullPath $TargetPath\$ScriptFullName
   }
   $WshShell = New-Object -comObject WScript.Shell      #--[ Place a shortcut on the desktop of current user to call the script
   $Shortcut = $WshShell.CreateShortcut("$Home\Desktop\MyScript.lnk")
   $Shortcut.TargetPath = 'powershell.exe'
   $Shortcut.Arguments = "-WindowStyle Hidden –Noninteractive -NoLogo -Command `"$TargetPath\$ScriptFullName`""
   $Shortcut.Arguments =
   $Shortcut.Save()

   #iex (.{Join-Path $TargetPath \$ScriptFullName})
      #--[ re-invoke the script from the new location ]--
   #EXIT    
      #--[ Force termination ]--
}Else{        
      #--[ Paths ARE good, script exists, OK to execute ]--
   #if (!(Test-Path "$ScriptPath\ThisScriptName"))        
      #--[ an optional additional check ]--
}
 

Tuesday, May 14, 2013

Mommy my desktop icons keep disappearing...

Well it's been a while.  I've since gotten a great new job and am back on my feet.  Busy as all get-out but that's a good thing.

I thought I'd post this since even though it was easy to find I had never heard of it before and I expect others will be looking for info on it as well.


I've been investigating a bizarre issue with desktop icons that's been plaguing users here at the new job. Here is what I found as well as an associated fix.


This is the response to a question posed about desktop shortcuts mysteriously disappearing:
This is a well-known problem, which as it turns out is actually a kind of twisted "feature" of Windows 7. 

Basically, there's a script that Windows 7 runs that regularly checks your desktop shortcuts and if it finds more than 4 of them "broken" (i.e., pointing to something that's not available at the moment), it removes all the "broken" ones!

I guess Microsoft feels somehow responsible for helping you keep your desktop clean. Perhaps this is a Good Thing for the non-technical people in their commercials who think up things in the back of a taxi.
This is the script that governs this activity:
C:\Windows\Diagnostics\Scheduled\Maintenance\TS_BrokenShortcuts.ps1

If you look in it, not too far from the end is a statement that compares the length of the list of broken shortcuts to 4. It's the only occurrence of the numeral 4 in the entire script.  If you replace the 4 with a very large number, your problem should be solved.

There is also a Support Article and hot-fix from Microsoft that claims to fix the issue here: https://support.microsoft.com/kb/2642357
Here are scenarios that will trigger this:
  • You create five or more shortcuts on the desktop of a computer that is running Windows 7.
  • These shortcuts are pointed to an external location. For example, the shortcuts are pointed to network resources or to removable storage devices.
  • The computer is disconnected from the network where the network resources reside. Or, the removable devices are disconnected from the computer.
  • You run the System Maintenance troubleshooter on the computer. (this also runs on a schedule)
The third item means ANY disconnect. That means network congestion, server overload, IPSEC issues, firewall issues, issues with the local PC that cause it to pause (CPU over loaded or RAM overloaded).  If you see the dreaded red X on your mapped drive that would indicate a disconnect.

The easiest way to fix this problem is go to Control Panel; Action Center; Troubleshooting; click Change Settings on the left hand side; then turn Computer Maintenance off.

I found out that to edit the file (which is protected) you first need to take ownership of it (or the folder), then reset the permissions of the user/group you just gave ownership to to "full control".  Once that's done you can COPY the file and paste a new copy, then delete the original and rename the copy using the old name.  At this point you can edit it.  I set the offending count to 499 and (so far) so good. 

Sunday, December 23, 2012

WRT54 firmware woes

I've been running DD-WRT on my LinkSys WRT54G routers for years.  It's always served me well.  I recently found out that if you want to make the new Windows 7 homegroups work you MUST have IPv6 connectivity on your LAN.  That does not work out of the box with DD-WRT.  It doesn't help that there hasn't been a new build of DD-WRT for a few years.  DD-WRT has IPv6 options but they are clunky and require additional scripting to work properly.

So, I started looking for alternatives.  I had heard of Tomato firmware before but never tried it.  Seems the "Shibby" version has most of the features I wanted so I grabbed a copy.  I must say I am truly impressed.  This firmware has so many sweet features it almost blew me away.  Go to the site and check the list.  The really nice thing is that IPv6 support just works out of the box.

The one issue I had was in flashing to the new firmware.  I would up bricking my WRT54GS v3.  Normally that's not an issue and I can recover it pretty easy.  This time the boot loader crashed hard and it was looking like I was headed to a JTAG cable to clear it.  I found this nice guide "The WRT54G Revival Guide"  that allows you to bypass the JTAG option.  By using the methods here I was able to reset the flash on the router and it cam back running the Shibby Tomato firmware I had loaded.

One gotcha with Tomato when upgrading from DD-WRT:

  • The GUI username is "admin" or "root" (username is required), ssh and telnet username is always "root", and the default password is "admin".
  • By default, the SES (aka AOSS, EZ-Setup) button is programmed to start a password-less telnet daemon at port 233 if held for 20+ seconds. If you run into a problem of not being able to login, you can use this to view or reset the password ("nvram get http_passwd" and "nvram set http_passwd=newpassword"). You can disable this behavior in Admin/Buttons.

This is from the Tomato read me file.

So everything is good.....for now.  Now I just need to get the remote units upgraded and the homegroup should start working.

 

Wednesday, December 12, 2012

Life is full of wayward wrenches...

and sometimes you get in ones way...

Just last week I was happily working on servers, decommissioning old equipment, writing scripts, and doing those things that a system admin does.  Then, wham, I get laid off.  The company is being reorganized and has to eliminate  1/3 of the staff.  A bit cliche I must say, to be laid off just before Christmas, but it is what it is.  So, here I am sending out resumes.  Oh well, life goes on.