Syed Jahanzaib Personal Blog to Share Knowledge !

April 27, 2012

Windows Deployment Services (WDS) / Short Reference Notes


Following are short reference notes. I worked on WDS a long time ago and was recently assigned to deploy WDS in my company.
It took some time to recall old memories, and I did waste some time googling, so this time I took short notes on how I managed to do some advanced configuration of WDS by integrating Acronis / Winternals ERD Commander 2007 / Win 7 / WinXP and injecting drivers into XP/Win7 images.

# DHCP SERVER SETTINGS

If the WDS and DHCP servers are NOT on the same machine, use the following setting to tell clients which server to boot from.

# TFTP ERROR:

After configuring WDS, you may get the following error while trying to boot from the network.

Solution: You have to configure the boot program in the WDS console to tell the client which boot ROM file to use.

Note: the startrom.com & pxeboot.com boot ROM files can be found at this location

\\WDS_SERVER\RemoteInstall\Boot\x86

# startrom.com is suitable if you have only legacy images on your WDS server.
# pxeboot.com is suitable if you have both legacy WinXP/ERD/Acronis and Windows 7 images configured on your WDS server.

TIP: You can also use startrom.n12 & pxeboot.n12 if you want to boot directly into WDS, skipping the F12 prompt.

Howto Add Drivers in XP Image (Legacy)

First create the following folder structure

$OEM$\$1\Drivers

in your Windows XP RIS image location, e.g.:

\\wds_server\RemoteInstall\Setup\English\Images\WINDOWS-XP-SP3\i386\$OEM$\$1\Drivers\

Copy your network card driver here (in the Drivers folder). Note that the OemPnpDriversPath value below is relative to $OEM$\$1, so with OemPnpDriversPath=Drivers\Nic the driver files must sit in Drivers\Nic, not in Drivers itself.

Now open the unattended file, such as winnt.sif or ristndrd.sif, in Notepad
(depending on your deployment structure), e.g.:

\\WDS_SERVER\RemoteInstall\Setup\English\Images\WINDOWS-XP-SP3\i386\templates\

Add the following lines to the [Unattended] section

[Unattended]
DriverSigningPolicy=Ignore
OemPreinstall=yes
OemPnpDriversPath=Drivers\Nic

Make sure there are no duplicate entries.
Restart the WDS service.

Adding ERD COMMANDER 2007 in WDS

Simply add Windows 2003 Standard Edition from the WDS legacy console.
Now copy the I386 folder from the ERD folder to the WDS Windows 2003 image folder. If it asks to overwrite, select Yes.
Now add the /minint switch in this file

\\wds_server\RemoteInstall\Setup\English\Images\ERD\i386\templates\ristndrd.sif

[SetupData]
OsLoadOptions = "/noguiboot /fastdetect /minint"

To add a driver to ERD Commander, copy your network driver into the folders below.
(I don't know the exact path, so I copied it into all possible folders; someone please point out exactly where these files should be pasted. I guess only system32 is enough.)

\\wds_Server\RemoteInstall\Setup\English\Images\ERD\i386
\\wds_Server\RemoteInstall\Setup\English\Images\ERD\i386\system32
\\wds_Server\RemoteInstall\Setup\English\Images\ERD\i386\system32\drivers

Add Win7 Boot Image:

Following is an excellent guide on how to add a Windows 7 boot image to WDS
http://www.windows-noob.com/forums/index.php?/topic/261-how-can-i-capture-an-image-using-wds/

Add Drivers in Windows 7 Boot Image:

First copy boot.wim from the Windows 7 CD to your desktop.
Now we have to mount this image in a temporary directory,
then add the drivers and commit the changes,
then dismount the image,
then copy it to any folder on the WDS server,
and from the WDS console, replace the current boot image with this new image. The traditional way is to use the DISM tool provided with your Win7/Vista, but the easiest way is to use a 3rd-party GUI tool (free edition).

Download the DISM GUI tool from

Mr Jinje DISM Tool™
http://www.msfn.org/board/topic/138804-mr-jinje-dism-tool/

Now first copy boot.wim from the WDS server, or from the \sources\ folder of the Windows 7 DVD.
Now open the Jinje DISM Tool, click MOUNT WIM, select boot.wim, and mount it in any temp folder, e.g. c:\wds_temp_mount_dir
Now click ADD DRIVERS and point it to the folder where your Windows 7 drivers are located. It will automatically add them to boot.wim.
Now click COMMIT WIM; it will write the changes to this boot.wim.
Now click DIS-MOUNT WIM.

Copy this updated boot.wim to a temporary directory on the WDS server.
From the WDS console, replace the current boot image with the newly updated image you copied to the temp folder on WDS.

Final ~ Screenshots 🙂 <WDS running in Mixed Mode>

Boot image disappears from the menu / list after adding a network driver [26th February 2013]

Recently (26th Feb 2013) we received a new range of HP ProBook 4540s series laptops. When I tried to inject drivers into the boot WIM and replace the previous WDS boot image with this new one, it disappeared after a refresh and didn't show up in the PXE boot menu. I tried several ways and different driver sets, including x86 and 64-bit, but to no use.
Finally I made it work. When adding drivers via DISM, I selected INDEX 2 while mounting the WIM image, because most drivers get deposited in the 2nd index.

Side notes for WDS:

Some client PCs are unable to receive an IP from the DHCP server:

Some clients / LAN cards are unable to get IPs from the DHCP server; a timeout occurs.
Possible causes:

1#) If you are using managed switches, you probably have STP (Spanning Tree Protocol) enabled. This causes a small delay in the WDS/RIS handshaking process. If you find that you have STP enabled, do the following to make RIS respond.

When you see the screen

CLIENT MAC ADDRESS: XX XX XX XX XX XX
DHCP ....

press the 'Pause/Break' key, wait about 10-15 seconds and then press ENTER. Your client will then be able to get an IP from the DHCP server.

2#) If you have WDS running on a Domain Controller with DHCP also running, there is a workaround which Microsoft provides in detail.
http://support.microsoft.com/?kbid=842608

I suffered this issue and was really exhausted with it 🙂 then Google came to rescue me 🙂
Syed Jahanzaib

====================================================
How can I CAPTURE an Image using WDS image capture
http://www.windows-noob.com/forums/index.php?/topic/261-how-can-i-capture-an-image-using-wds/
====================================================
WIN_PE Related
If you get the x0x0x03fb error,
change the WAIK version.
====================================================
http://www.edugeek.net/forums/windows-server-2000-2003/30233-solved-wds-error-injecting-drivers.html
http://www.microsoft.com/downloads/details.aspx?FamilyID=94BB6E34-D890-4932-81A5-5B50C657DE08&displaylang=en

(The right version of WAIK that worked :D for me was  6001.18000.080118-1840-kb3aikl_en.iso )
====================================================

WDS deploying Vista: if you are testing it in VMware, you will receive an error that wdsclient is unable to find matching drivers. Please read the following link.
http://www.msfn.org/board/topic/81802-winpe-20-networking-in-vmware/

VMWARE DRIVER Location:
http://rapidshare.com/files/6595029/VMware_Drivers_5.5.3.rar.html

===============================================
WDS: error running WDS in legacy mode.
Use this command.

wdsutil.exe /Uninitialize
===============================================

Problem encountered with the Dell Optiplex GX280 NIC in RIS
http://en.community.dell.com/support-forums/network-internet-wireless/f/3324/p/17218793/17341779.aspx#17341779
===============================================

Regards
SYED JAHANZAIB

April 23, 2012

IBM Lotus Notes : Howto Change/Recover ID password


Recently I forgot my Lotus user password. There was no copy of the 'ID' file available in backup, so I was frustrated trying to get my mail account back. I searched all over the internet but couldn't find any solution that worked for me.
Finally I applied the following method and was able to get a working ID password by creating a new ID while keeping the old mail file.

The logic is that you must register the user again with the same name. That way a new user ID will be issued, and this new ID will give access to the mail file.

1# Open the Lotus Domino Admin Client, go to People & Groups, then People.
Now search for the user whose ID password you want to change and double-click on it.
Note down all the info like email / user name / short name. After making a note, close it.

As shown in the image below . . .


2# Now register a new ID by right-clicking on People and selecting Register Person.
Register with exactly the same first name, middle name and last name.
Make sure you set Mail System to NONE.
THIS IS IMPORTANT, otherwise the previous mail file will be overwritten with a new file and all emails will be lost.
As shown in the image below . . .


Now go to ID Info.
In Set ID File, select the destination where you want to save the new ID file. This file will contain the new password and will be used by the user.
As shown in the image below . . .


Now register it, and you will see the following warning:

An entry with the specified person name 'test1 test1/xxx' is already in the Domino Directory. Update the entry?

Click YES to continue.
As shown in the image below . . .


3# Now open the user properties again; in the Mail tab you will see something like the image below.

As shown in the image below . . .

Select Notes in Mail System.
Now define the path to the user's mail file, for example mail\ttest1

Save & Close.

Provide this newly created ID file to the user: either replace the previous file in C:\Program Files\IBM\Lotus\Notes\Data with it, or the user can manually change the ID by selecting the Other option in the user name field when Lotus Notes prompts for the password.

As shown in the image below . . .

Regards
Syed Jahanzaib

April 16, 2012

April 14, 2012

Howto Exempt any User / Website from Mikrotik PCC

Filed under: Mikrotik Related — Syed Jahanzaib / Pinochio~:) @ 11:32 AM

I recently deployed a dual-WAN PCC configuration at a local cable network. The scenario is something like below . . .

USERS >> MIKROTIK PPPOE SERVER >>> MIKROTIK RB750 PCC with 2 DSL links >>> INTERNET

The problem they were facing was with one particular banking web site, bankalhabib.com. The best method to resolve such PCC issues is to use src-address as the classifier; this way a user's WAN IP won't change and they will stick to one WAN for their session. But in the above scenario I can't use src-address, as users are not directly hitting the PCC router. So I made a workaround and exempted the user, and in one case the destination web site, from being processed by PCC.

The simple theory is to make an address list with the user IP or the destination web site's IP address, then create a rule in mangle to exempt it from PCC, then create a new default route with your desired WAN selected for the traffic which is exempted from PCC.

Important: Move this rule above the other PCC rules, so it accepts the traffic before PCC catches it.

=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x

To exempt any user IP from the PCC rules,

/ip firewall address-list
add list=user-exempted-from-pcc address=172.16.0.2/32

Now create a mangle rule to accept traffic from the above list. PCC will then not process this user's IP address, and Mikrotik will use the default route for this user's traffic (we will add it later).

Example:

/ip firewall mangle
add action=accept chain=prerouting disabled=no src-address-list=user-exempted-from-pcc

To exempt any web site from PCC, first find its IP address (or pool), then add it to the exempt list.

/ip firewall address-list
add list=site-exempted-from-pcc address=108.59.160.167/32

(108.59.160.167/32 is mywanip.com for test purpose)

Now create its mangle rule

/ip firewall mangle
add action=accept chain=prerouting disabled=no dst-address-list=site-exempted-from-pcc


Adding a Route for Unmarked Traffic

You have to add a default ROUTE to tell Mikrotik to use this route for all other UNMARKED traffic not processed / marked by PCC. With this route you bind the exempted traffic so that it always goes through one specific link only.

/ip route
add comment="Default Route For Un-Marked Traffic" disabled=no distance=3 dst-address=0.0.0.0/0 gateway=101.11.11.36 scope=30 target-scope=10

(Change the IP address as per your network configuration)


=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x


			

April 11, 2012

Howto Manage Active Directory using Webmin/Linux Customized Panel


Article by
~!~ Syed Jahanzaib ~!~

Dedicated to ALL Pakistani soldiers who gave their lives in SIACHEN
Z@iB

Following is one of the simplest ways to manage your Active Directory using a WEBMIN-based customized panel. I always prefer to create my own in-house solutions for daily routine tasks.

Using this method you can customize the options you want to expose. For example, access to this panel can be granted to support personnel or help-desk staff, so they will be limited to the features / options you provide them with.

For example, support personnel can access your panel using their browser at
http://yourlinuxbox

and after entering their credentials, they will be redirected to the command panel; only those commands which you have granted access to will appear here.

A very basic example is shown in the image below . . . But you can create more advanced, sophisticated functions with beautification using this panel to control every aspect of your network, whether it is Microsoft, Linux, Mikrotik or any compatible device.

To create this panel, you will need following components

1) Linux box with WEBMIN installed,

2) sshpass Utility on Linux box,

3) freeSSHD application installed on Windows AD Server .

4) Testing ssh connection to A.D from your Linux BOX

5) Create Scripts on Linux and Link them to WEBMIN

6) Create User in Webmin and Grant Custom Commands Rights

We will discuss the above six topics in minimal detail as follows . . .

1) INSTALL WEBMIN ON YOUR LINUX BOX:

I assume that you have installed and configured your Linux box (preferably Ubuntu, but any flavor can do the job; this is the main quality of the Linux OS :)~
To install Webmin, first add its repositories to sources.list. To do this, first open sources.list

nano /etc/apt/sources.list

Now paste the following lines in the end of this file.

deb http://download.webmin.com/download/repository sarge contrib
deb http://webmin.mirror.somersettechsolutions.co.uk/repository sarge contrib
deb http://archive.canonical.com/ lucid partner

Save & Exit.

Now update apt-get and install webmin using

apt-get update
apt-get install webmin

It will take some time to install Webmin depending on your internet connection (usually less than 10 minutes); afterwards you can access it using

https://yourlinuxboxip:10000

(TIP: you can change the Webmin port by editing /etc/webmin/miniserv.conf and changing the port number to any port you like, for example 443 or 1234)

Now moving ahead . . .

2) INSTALL 'SSHPASS' ON YOUR LINUX BOX

The sshpass utility is required so that you can ssh to your Windows box with the password supplied non-interactively; otherwise a normal ssh will stop and ask for the password, which you can't provide in an automated way while using the Webmin script, so the script will stall at the password prompt and will not perform as desired.
[However, the best approach is to generate SSH keys and use them, but I am not going into that detail; just Google for it.]

To install sshpass , use the below command . . .

sudo apt-get install sshpass

Done.

3) INSTALL freeSSHD SERVER ON THE WINDOWS Active Directory SERVER

First download the freeSSHD server and install it. The installation procedure of this app is very simple, just clicking a few Next buttons :p You can download it from

http://www.freesshd.com/freeSSHd.exe

At the end of the installation, it will ask you to run freeSSHD as a service. Select YES, so that it runs automatically as a Windows service when Windows starts.

After finishing setup, you will see its icon in your taskbar area. Right-click on it and select SETTINGS.
Go to the Users tab and add your users. (You can add local users in it, or you can select NT Authentication for the domain.
For domain authentication you won't have to enter a password; the choice is yours.)
As shown in the image below . . .

4) TESTING THE SSH CONNECTION FROM THE LINUX BOX TO THE WINDOWS A.D SERVER

Now it's time to test whether your freeSSHD box is working. From your Linux box you can use the following command to test the connection.

sshpass -p 'freesshd_password' ssh userid@10.0.0.1

If successful, you will see the Windows command prompt.
As shown in the image below . . .

If you are testing from Windows, you can use any SSH client tool, like PuTTY: enter your freeSSHD box IP and try to connect. If all goes OK, you will be prompted for the user id. Enter the id and password you added in freeSSHD, and you will see the Windows command prompt.

5) Create Scripts on Linux and Link them to WEBMIN

Now that we have finished configuring the base requirements, it is time to create various scripts to perform our desired functions and link them to the Webmin GUI user interface (Usermin?) 😀

On your Linux box, create a folder

mkdir /scripts
cd /scripts

Now create the first script, which will ssh to the A.D server and fetch the DISABLED USERS list.

touch viewdisabledusers.sh
chmod +x viewdisabledusers.sh
nano viewdisabledusers.sh

and paste the following line

sshpass -p '123' ssh zaib@10.0.0.1 'dsquery user -disabled'

Now save & exit. You can test it by executing ./viewdisabledusers.sh and you will see its result on your screen.

Now it's time to link it with the Webmin GUI interface.

Login to Webmin.
Go to OTHERS / CUSTOM COMMANDS and click on Create a new custom command.
As shown in the image below . . .

After entering the command details as shown in the image above, click on SAVE.
Now you will see your newly created command box on the Custom Commands menu; click on it and you will see the result 🙂

# VIEW USER INFO SCRIPT

I will show you how to create a custom command for specific user info with an input box.

Create a new custom command,
As shown in the image below . . .

After entering all details, click on SAVE.

Now you will see the View User Info box on the Custom Commands menu. Enter any valid user id (which exists in AD Users) and click on the View User Info button.
As shown in the image below . . .

Result . . .
As shown in the image below . . .



6) CREATE USER IN WEBMIN USERS & Grant Custom Command Rights

Now we will create a support staff user account and grant it Custom Commands rights only, so when the support staff log in to Webmin they see only the Custom Commands box (not full Webmin access).

Go to Webmin / Webmin Users
Click on Create a new Webmin user
As shown in the image below . . .

In User name, type your user name.
In the Password field, select SET TO and enter the password in the box.
In the Available Webmin modules section, select Custom Commands.
Click SAVE to finish.

As shown in the image below . . .

Now log out of Webmin and log in again with the new user id you just created in the above step.

After successfully logging in . . .

The user will see only the Custom Commands menu . . .

TIP: You can replace the WEBMIN default logo with your company logo; the default image location is /usr/share/webmin/images/webmin-blue.png

To change the Webmin default port 10000

To change the Webmin default port, which is 10000, you have to edit miniserv.conf; following is an example. Open it and change the port (usually in the 1st line) to the one required.

sudo nano -w /etc/webmin/miniserv.conf

SCRIPTS EXAMPLES

root@linux:/scripts# cat viewpcname.sh
# list all computer objects, sorted, then strip the DN wrapping to leave bare names
sshpass -p 'freesshd_password' ssh zaib@10.0.0.1 dsquery computer -limit 1000 | sort > /scripts/temp.txt
sed -e 's/"CN=//g' -e 's/,CN=Computers,DC=YOURDOMAINNAME"//g' -e 's/,OU=WSUS,DC=agp1"//g' /scripts/temp.txt

root@linux:/scripts# cat alluserinfo.sh
# dump every user with DN, disabled flag, display name, email, department and title
sshpass -p 'freesshd_password' ssh zaib@10.0.0.1 'cmd /c dsquery user -limit 0 | dsget user -dn -disabled -display -email -dept -title' > /scripts/temp.txt
cat /scripts/temp.txt

root@linux:/scripts# cat disableuser.sh
# $UID is assumed to be the value typed into the Webmin input box (parameter named UID).
# Note: bash treats UID as a read-only built-in, so run this with sh or rename the parameter.
sshpass -p 'freesshd_password' ssh zaib@10.0.0.1 Net user $UID /DOMAIN /active:NO

root@linux:/scripts# cat inactiveusers.sh
# users with no logon for 2 weeks, sorted
sshpass -p 'freesshd_password' ssh zaib@10.0.0.1 'cmd /c dsquery user "dc=YOURDOMAINNAME" -inactive 2 | dsget user -display -email -dept -title' > /scripts/temp.txt
sort /scripts/temp.txt -o /scripts/temp.txt
cat /scripts/temp.txt

root@linux:/scripts# cat viewdisabledusers.sh
# all disabled accounts with display name, email, department and title
sshpass -p 'freesshd_password' ssh zaib@10.0.0.1 'cmd /c dsquery user -disabled | dsget user -display -email -dept -title' > /scripts/temp.txt
cat /scripts/temp.txt

root@linux:/scripts# cat enableuser.sh
# same UID parameter and caveat as disableuser.sh
sshpass -p 'freesshd_password' ssh zaib@10.0.0.1 Net user $UID /DOMAIN /active:YES

root@linux:/scripts# cat userinfo.sh
# same UID parameter and caveat as disableuser.sh
sshpass -p 'freesshd_password' ssh zaib@10.0.0.1 Net user $UID /domain
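A hardened version of the enableuser.sh / disableuser.sh wrappers above, added here as an example and not code from the original post: it validates the account name before it can reach the remote command line (the scripts above pass the Webmin input straight to cmd.exe), reads the freeSSHD password from a root-only file with sshpass -f instead of placing it on the command line, and names the parameter ADUSER because bash reserves UID. The remote account, host, password-file path and the REMOTE_USER variable are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post: a hardened replacement for the
# disableuser.sh / enableuser.sh wrappers shown above.
# Assumed (hypothetical) names: the Webmin custom-command parameter arrives
# as ADUSER (bash reserves UID, so that name is avoided), the freeSSHD
# account is zaib@10.0.0.1, and its password lives in a root-only file that
# sshpass -f reads instead of the password appearing on the command line.
REMOTE='zaib@10.0.0.1'
PASSFILE='/etc/webmin-ad/freesshd.pass'    # chmod 600, owned by root

# Accept only a plain sAMAccountName: letters, digits, dot, dash, underscore,
# 1 to 20 characters.  Spaces, quotes, ;, |, &, newlines and anything else
# are rejected before they can reach the remote cmd.exe command line.
valid_sam_name() {
    [ -n "$1" ] && [ "${#1}" -le 20 ] || return 1
    case "$1" in
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Build the exact remote command so it can be logged, reviewed and tested
# without touching the AD server.  Prints the command; returns 1 on bad input.
build_net_user_cmd() {
    user="$1"
    action="$2"
    if ! valid_sam_name "$user"; then
        echo "rejected account name" >&2
        return 1
    fi
    case "$action" in
        enable)  flag='YES' ;;
        disable) flag='NO' ;;
        *) echo "unknown action: $action" >&2; return 1 ;;
    esac
    printf 'net user %s /DOMAIN /active:%s\n' "$user" "$flag"
}

# Run one command on the AD server.  The command is passed as a single
# argument; because valid_sam_name already rejected shell metacharacters,
# nothing inside it is re-interpreted by the remote side.
run_remote() {
    if [ ! -r "$PASSFILE" ]; then
        echo "password file $PASSFILE is not readable" >&2
        return 1
    fi
    sshpass -f "$PASSFILE" ssh "$REMOTE" "$1"
}

# Usage: ./aduser.sh enable|disable [account]
# The account may also come from the ADUSER variable that Webmin exports.
main() {
    cmd=$(build_net_user_cmd "${2:-${ADUSER:-}}" "$1") || return 1
    # audit trail in syslog: REMOTE_USER is assumed to be set by Webmin
    logger -t ad-webmin "by=${REMOTE_USER:-unknown} cmd=$cmd"
    run_remote "$cmd"
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```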

More commands references are available here.

https://aacable.wordpress.com/2013/01/16/active-directory-dsquery-miscellenous-commands-with-syntax/

Regards

SYED JAHANZAIB
aacable [at] hotmail . com

April 9, 2012

Lotus iNotes DWA: Unable to Open Some Mails with Attachments [SOLVED]


For the past month we were having an issue with Lotus iNotes (Domino Web Access): some mails with attachments were not opening and displayed multiple errors when viewed using web access; on the other hand, they opened properly via the Notes client. We have Symantec Endpoint Protection Manager Server installed and all of our users have the Symantec client installed [Managed].

This issue was referred to IBM, and their engineers found out that a set of fields was being added to the emails. Those fields,

LastScannedVersion,
LastScannedVersionOID,
LastScanOID,
LastScanOIDCheck,

contained garbage that caused the emails to fail to open with messages indicating that they

failed due to an unterminated string.

The fields only appear on some emails with attachments.

The fun part is :> The affected emails open without any error in the Notes client.

After considerable searching I found out that Symantec Antivirus is the culprit. A feature was added to Notes (SEP) Auto-Protect to cache scanning results on attachments, so that emails with unaltered attachments could be sent without redundant scanning. The fields create no problems in the Notes client, but some (not all) emails with these fields cannot be read in DWA (webmail iNotes).

I confirmed it by sending the affected mail twice, with and without Notes Auto-Protect enabled. The 4 affected fields were only found on the message where Auto-Protect was enabled.

I solved it by disabling the 'NOTES Auto-Protect' feature on SEPM or the client; so far I haven't seen this issue reproduce again.

Reply From Symantec Support:

Subject: Fixed in the next maintenance build
We are fixing this issue in the upcoming SEP 11 ru7 mp2 build.
Our apology for the inconvenience caused.
Feedback response number WEBB8Q78WM created by Symantec Symantec on 01/04/2012

# REPAIR AFFECTED MAIL USING A NOTES CLIENT AGENT

You can create an agent to run on all mail files to repair the documents. To create the agent, follow the procedure below.
(But you must have IBM LOTUS DOMINO DESIGNER installed. You can download it from the following link.
http://www.ibm.com/developerworks/downloads/ls/dominodesigner/ )

# Open your Notes client

# Click on CREATE > AGENT
As shown in the image below . . .

# Now type the agent name, and in the RUN drop-down menu select FORMULA
As shown in the image below . . .

Now paste the following code in the empty box.

FIELD LastScanOID := @DeleteField;
FIELD LastScanOIDCheck := @DeleteField;
FIELD LastScannedVersion := @DeleteField;
FIELD LastScannedVersionCheck := @DeleteField;

As shown in the image below . . .

Save it by going to the FILE menu and selecting SAVE.

On your Notes client, select the affected mail message which is not opening in webmail. (You can also select ALL by pressing CTRL + A)

Open the Actions menu, and here you will see your newly created AGENT name; click on it to execute it. Upon execution it will repair your mail file by removing the four SEP fields from it, and then this mail will open in webmail without any error.

As shown in the image below . . .

# DISABLING NOTES AUTO PROTECT FROM THE SEPM SERVER

You can also disable Notes Auto-Protect from the Symantec Endpoint Protection Manager server.
As shown in the image below . . .

More information can be obtained here.

www-10.lotus.com/ldd/nd85forum.nsf/DateAllFlatWeb/7579bdbad9ac26d1852578fd006314b9?OpenDocument

Regards
Syed Jahanzaib

April 5, 2012

Blog at WordPress.com.
