As a Premier Field Engineer, I am constantly doing presentations and delivering workshops to large groups of people, usually about PowerShell. One of my favorite tools to use is ZoomIt which is part of the SysInternals suite. I may not use ZoomIt for its “break” feature since I have my display-countdown script, but it’s a really great tool. It can however be difficult to remember all of the shortcut keys if you haven’t used it before (and even to someone who uses it all of the time). A while back I created a little printable card of all of the shortcut keys that are built in so I could tape it to the presentation screen and never fumble through it. I decided to redo the card using a metro inspired design and am now sharing it with you!
The image is set up for 300 dpi and will print the same size as a business card. Be sure to print it with the best options set on your printer and maybe you can even laminate it, if you want, and keep it in your gear bag.
Download the high-res version: Printable ZoomIt Shortcut Card.
I was excited about the Windows 8 developer preview that was released earlier tonight, so I fired up Virtual PC to start playing around with it. I ended up with an error when it was loading, so I thought maybe I had a bad copy of the ISO and figured, "I know, I'll do a checksum test." Unfortunately, I don't have a tool to take a checksum on my current machine, so naturally I wrote a simple function in PowerShell to do the checksum test for me.
It has only two simple parameters: file and algorithm. "File" is the actual file you want to checksum. "Algorithm" is either "sha1" or "md5", so you can get either an MD5 or a SHA1 checksum of the specified file.
Update: If you came here looking for the SHA1/MD5 hashes for the Windows 8 CTP ISOs, here you go.
Windows Developer Preview with developer tools English, 64-bit (x64)
Windows Developer Preview English, 64-bit (x64)
Windows Developer Preview English, 32-bit (x86)
You can download the full script after the jump.
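A function along the lines described above, written here as an added example; it is not the author's script. The name Get-FileChecksum and the -Expected parameter are assumptions, and it assumes PowerShell 3.0 or later.

```powershell
# Added example, not the author's script. Get-FileChecksum and -Expected are hypothetical names.
function Get-FileChecksum {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $File,
        [ValidateSet('sha1', 'md5')] [string] $Algorithm = 'sha1',
        [string] $Expected   # optional published hash to compare against
    )
    $path = (Resolve-Path -LiteralPath $File).ProviderPath
    $hasher = if ($Algorithm -eq 'md5') {
        [System.Security.Cryptography.MD5]::Create()
    } else {
        [System.Security.Cryptography.SHA1]::Create()
    }
    $stream = [System.IO.File]::OpenRead($path)
    try {
        # ComputeHash(Stream) reads in chunks, so a multi-gigabyte ISO is never held in memory
        $hex = [System.BitConverter]::ToString($hasher.ComputeHash($stream)) -replace '-', ''
    } finally {
        $stream.Dispose()
        $hasher.Dispose()
    }
    $result = [pscustomobject]@{ File = $path; Algorithm = $Algorithm; Hash = $hex; Match = $null }
    if ($Expected) {
        # Published hashes are often grouped with spaces or dashes and vary in case
        $clean = $Expected -replace '[\s-]', ''
        $result.Match = [string]::Equals($hex, $clean, [System.StringComparison]::OrdinalIgnoreCase)
    }
    $result
}

# Constructed input: a temp file holding the ASCII bytes "abc", checked against its SHA1 test vector.
$tmp = [System.IO.Path]::GetTempFileName()
[System.IO.File]::WriteAllBytes($tmp, [System.Text.Encoding]::ASCII.GetBytes('abc'))
Get-FileChecksum -File $tmp -Algorithm sha1 -Expected 'A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D'
Remove-Item -LiteralPath $tmp
```

Match stays empty when no -Expected value is supplied, so a missing comparison is never mistaken for a passed one.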
A reader sent me a message asking how to modify the original CA monitoring script I wrote back in November so that instead of monitoring the pending requests, it would send a message based on expiring certificates. The answer is just a modification to the certutil command that was used in the original script. The new script also allows you to specify the number of days of advance notification you want; the default is 30 days. Just keep in mind that if you run this script once a day, you will receive a notification every day until the certificate is either revoked/superseded or the certificate is past the time period specified. Of course, this is all irrelevant if you have the money to spend on SCOM, which can do this with one of the released management packs.
The modified certutil command looks a bit like this:
certutil -view -restrict "NotAfter>=8/9/2010,NotAfter<=9/9/2010" -out "Request ID, Request Submission Date, Request Common Name, Requester Name, Request Email Address, Request Distinguished Name, CertificateTemplate, NotAfter" -config "<CA_SERVER_NAME>\<CA_NAME>"
This will return all of the certificates that are scheduled to expire between today (August 9th, 2010) and 30 days from now (September 9th, 2010).
You can download the new script here: Download monitor_ca_expiry.ps1
Update: Thanks to Aaron (from New Mexico? the original reader) who noticed I forgot one really useful bit of information from the status report that displays when you run the command: the date of expiration for the certificate. I have updated the script and the sample above to reflect the change.
Rolling out a certificate authority in Windows 2003 and Windows 2008 is a relatively trivial task if you are deploying a stand-alone CA. Enterprise CAs are a bit more complex, but that’s a post for another day. The web interface (http://server.domain.local/certsrv/) is pretty limited and doesn’t provide the greatest interface for manually requesting certificates; it even relies on cookies for managing requests. It would be really nice to see Microsoft build this into a truly useful application like what you get with the Thawte Certificate Center.
One thing that is a bit frustrating is that even when you have the logging options fully enabled for the CA, events aren’t logged for new certificate requests so you have to manually check the server on a regular basis for outstanding requests. Usually this is a low priority kind of service in your enterprise and can get neglected, which has happened in my case a few times.
This neglect prompted me to write the following PowerShell script, which very simply uses certutil to check if there are any pending requests and then fires off an email to a list of users if there are. This script could also be easily modified to check for revoked certificates or to generate a weekly report on existing certificates to monitor expiration dates, among a bunch of other things; however, I really only needed this for requests, so that’s all it does for right now. If anyone has any interest in something else, let me know and I’ll see about updating the script to include additional features.
To use this script, all you need to do is ensure you have a copy of certutil on the machine running this, update the configurable pieces of the script, then create a scheduled task to run it every hour or so, or whatever time-frame is appropriate for you and your organization.
More information and a download link is after the break…
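The expiry check built on the modified certutil command and the pending-request check described above can share one parser. This is an added example, not the author's scripts: the function names and the sample output are constructed, and it assumes English-language certutil output and PowerShell 3.0 or later.

```powershell
# Added example, not the author's script; all function names are hypothetical.
function Get-ExpiryRestriction {
    param([int] $Days = 30, [datetime] $From = (Get-Date))
    $inv = [cultureinfo]::InvariantCulture
    # M/d/yyyy as in the command above; certutil reads dates in the CA host's locale.
    # Disposition=20 (issued) keeps revoked certificates out of the report.
    'NotAfter>={0},NotAfter<={1},Disposition=20' -f $From.ToString('M/d/yyyy', $inv),
        $From.AddDays($Days).ToString('M/d/yyyy', $inv)
}

function ConvertFrom-CertutilView {
    param([string[]] $Lines)
    $rows = New-Object 'System.Collections.Generic.List[object]'
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^Row \d+:') {
            $current = [ordered]@{}
            $rows.Add($current)
        } elseif ($null -ne $current -and $line -match '^\s+([^:]+):\s*(.*)$') {
            # Indented "Name: value" lines belong to the record opened by "Row N:"
            $current[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    foreach ($r in $rows) { [pscustomobject]$r }
}

function Get-CaRow {
    param([string] $Config, [string] $Restrict,
          [string] $Out = 'Request ID, Request Common Name, Requester Name, NotAfter')
    $text = & certutil.exe -view -restrict $Restrict -out $Out -config $Config
    if ($LASTEXITCODE -ne 0) { throw "certutil exited with code $LASTEXITCODE" }
    ConvertFrom-CertutilView $text
}

# Constructed sample of English-language certutil output, so the parser runs offline.
$sample = @'
Row 1:
  Request ID: 0x1f (31)
  Request Common Name: "web01.example.local"
  Requester Name: "EXAMPLE\svc-web"
  Certificate Expiration Date: 9/1/2010 10:42 AM

Maximum Row Index: 1
'@ -split "`r?`n"
$rows = @(ConvertFrom-CertutilView $sample)
"{0} row(s) for {1}" -f $rows.Count, (Get-ExpiryRestriction -Days 30)
$rows | Format-List
# Live: $rows = @(Get-CaRow -Config '<CA_SERVER_NAME>\<CA_NAME>' -Restrict (Get-ExpiryRestriction))
# Use -Restrict 'Disposition=9' for pending requests; mail only when $rows.Count -gt 0.
```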
Update 2010-03-03: Keep in mind that this was fixed in vSphere 4 Update 1. Although if you can’t move to Update 1 for some reason, this will still work.
Update 2009-09-08: I just updated the script because I received a report from wohali (Joan) over at VMware communities that they had a problem when the vSphere client was installed on a different drive and I have now fixed that problem. I also added in support for making the host update utility work as well. Lastly, I added a few output messages so you can see what’s going on and know what is getting done.
The past few months I have been enjoying Windows 7 quite a bit (both the RC and now the RTM), but at the office we use VMware for many of our clients and the vSphere Client unfortunately has an issue with Windows 7 due to an incompatibility with a .NET 2.0 library DLL that comes installed on Windows 7. When you install the vSphere client, you will usually be able to get through the install without an issue (if you have J# already installed you may encounter issues installing the vSphere client), but once you try to connect to your vSphere server you get an error stating “Error parsing <server> clients.xml file Login will continue contact your system administrator” followed immediately by another error “The type initializer for “VirtualInfrastrcture.Utils.HttpWebRequestProxy” threw an exception” which then brings you back to the login screen and you are unable to connect.
Due to a security update to SMB that fixes a remote code execution vulnerability, you may experience 401.1 or 401.2 errors in certain situations while performing a WebRequest to one of your servers. This is because part of the security update institutes a loopback check on the authentication requests to prevent replay attacks. The Microsoft KB article refers to a few different scenarios where you can see authentication problems after applying this patch, but the one I’m most interested in is when you start getting 401 errors after an HttpWebRequest on an ASP.NET page.
The issues I experienced were while creating a page to display the general status of one of my company's SharePoint servers. The main issue, which is the meat of this article, came up when I switched the authentication over to use NTLM instead of Digest, which broke my script. Everything I had in place should have worked, but the previously mentioned security update slipped under the radar and it took a while to figure out what was going on. You can do a basic web request on a server with Basic authentication by doing the following:
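' File-level imports required by the snippet
Imports System.IO
Imports System.Net

Dim _response As String
Dim _auth As String = "Basic"
Dim _uri As Uri = New Uri("http://my.domain.local/my-page.aspx")
Dim _req As HttpWebRequest = WebRequest.Create(_uri)
Dim _cc As CredentialCache = New CredentialCache()
Dim _res As HttpWebResponse
Dim _sr As StreamReader
' Register the credential for this URI and authentication scheme
_cc.Add(_uri, _auth, New NetworkCredential("username", "password", "domain"))
' Send the Authorization header up front instead of waiting for a 401 challenge
_req.PreAuthenticate = True
_req.Credentials = _cc.GetCredential(_uri, _auth)
' Issue the request and read the whole response body
_res = _req.GetResponse
_sr = New StreamReader(_res.GetResponseStream)
_response = _sr.ReadToEnd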
Have you ever had a login screen show up in Windows where everything is black except for the logo like the image below? This happens sometimes when the system drive on a server fills up, and a bug in Windows causes all of the color settings to default to black. It is a pretty common problem; however, for some reason Microsoft has not released a KB article about this even though I have seen this happen numerous times.
Black Login Screen With Logo in Windows 2003
While browsing Newegg looking for some hardware, I came across an issue where the images on their site were not loading. I couldn’t figure out exactly what was going on since it wasn’t a browser cache issue, and it didn’t seem to be a DNS issue, at least not on my workstation anyway. After doing a little digging, I tried clearing the DNS cache on our DNS server and everything came up and the images started loading again fine.
Over the course of the last three months this happened a few times, not only for Newegg but for other sites as well, mostly in the .co.uk TLD though. This happening once was easy enough to dismiss, even happening a second time, ok, but after a third time, there had to be some other underlying issue. Fortunately, Microsoft released a KB article that explains what is going on and how to get around the problem. You can read all about it here: http://support.microsoft.com/kb/968372
What is happening is basically that root hints are not updating on the DNS server and SERVFAIL is getting returned to the client requesting the DNS lookup. This can cause pages to not load on certain domains, including but not limited to .co.uk, .cn, and .br, as well as certain .com’s that I have seen. Fortunately the fix is easy enough; you can either configure forwarders or simply tweak the TTL of the root hints on your server. I’m not going to get into the debate of which is better, root hints or forwarders; but for those of you using forwarders this problem will not affect you, and for those of you using root hints, below is a very easy set of commands you can run to fix the problem.
Launch an elevated command prompt and execute the following commands. This will stop your DNS server, add the Microsoft recommended registry value, and start DNS back up again.
NET STOP DNS
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v MaxCacheTTL /t REG_DWORD /d 0x0002a300
NET START DNS
One of my least favorite, and recurring, issues with Windows is one that pops up all the time where you try to reboot a server while you are in a remote desktop session; the RDP session will end but the server never reboots. In my experience this only happens when you reboot within a normal RDP session, but if you are logged in with the /console or /admin switch it will work fine. This fix is relatively old, but it is one that is not talked about very frequently. This can also happen if you are logged into a regular RDP session and are trying to run Windows Updates.
This problem is a result of deadlocks occurring between the NTFS shutdown process and disk resource access. Usually, your server will remain online responding to ping when this happens, and you can even get into computer management, remote registry, and other things remotely. Getting back into the server through RDP however does not work because terminal services is already shutting down. You can read more about this at the link below for the KB article.
Without this fix your options for bringing the server down gracefully are limited; in fact, many people would just do a hard reset from the power button to finish the reboot. You can, however, issue a remote shutdown command from the command line. Simply run “shutdown /r /t 5 /m \\computer_name” without the quotes to reboot the machine in question. Make sure you don’t forget the /m switch, otherwise you will end up rebooting your own machine. /t is the time to wait before shutting down, and you can use 0 if you like to shut down immediately, but this doesn’t give you a chance to send an abort (/a) if you enter the wrong server accidentally. You can also issue “shutdown /i” without the quotes to get the interactive dialog, which will let you enter a list of servers to reboot and a few other options.
The Microsoft patch for this can be acquired from the following page: http://support.microsoft.com/kb/930045
Note: This does not solve the problem every single time. I have seen the issue occur even after applying this patch, but it seems to fix the problem for the vast majority.