Disclaimer: All postings are provided "AS IS" with no warranties, and confer no rights. This weblog does not represent the thoughts, intentions, plans or strategies of Microsoft. Because a weblog is intended to provide a semi-permanent point-in-time snapshot, you should not consider out of date posts to reflect current thoughts and opinions.
Here are the latest networking-related Knowledge Base articles to report this week. Next week, there will be no update due to the upcoming holiday. I will publish an update the week after next that will encompass anything published between now and then. If you get to have a holiday next week, I hope you enjoy it!
976759 WFP drivers may cause a failure to disconnect the RDP connection to a multiprocessor computer that is running Windows Vista or Windows Server 2008
976484 Some IIS clients cannot connect to the Remote Desktop Gateway (RD Gateway) that is hosted on a computer that is running Windows Server 2008 R2
- Mike Platts
We have just one newly-published KB article to share this week:
974126 Network policies on a computer that is running Windows Server 2008 do not work when a format that uses commas as the decimal separator is specified in Regional and Language Options
A few months ago, I wrote a post on how to migrate a DHCP Server database from Windows 2000 to Windows Server 2008. As Windows Server 2008 R2 has since been released, I wanted to update the information on this subject. The process has not changed in any way from my original post. I am publishing this to confirm that the original steps will work whether the target server is running Windows Server 2008 or Windows Server 2008 R2.
These steps describe how to move a Dynamic Host Configuration Protocol (DHCP) database from a computer that is running Microsoft Windows NT Server 4.0 or Microsoft Windows 2000 to a computer that is running Windows Server 2008 or Windows Server 2008 R2.
Note These steps should not be used to migrate to or from a clustered DHCP server. There is no direct migration path from a Windows 2000 cluster to Windows Server 2008 or Windows Server 2008 R2. A Windows 2000 cluster must be upgraded to Windows Server 2003 before DHCP can be migrated to Windows Server 2008 or Windows Server 2008 R2. For more information on migrating DHCP from a cluster on Windows Server 2003 or Windows Server 2008 to Windows Server 2008 R2, please see the following TechNet article here.
Note You can use the Microsoft Windows backup utility (ntbackup.exe) to back up and restore the DHCP database on a single server. Do not use the backup utility to migrate or to move a DHCP database from one DHCP server to another.
1. Stop the DHCP Server service on the server:
   a. Log on to the source DHCP server by using an account that is a member of the local Administrators group.
   b. Click Start, click Run, type cmd in the Open box, and then click OK.
   c. At the command prompt, type net stop dhcpserver, and then press ENTER. You receive a "The Microsoft DHCP Server service is stopping. The Microsoft DHCP Server service was stopped successfully" message.
   d. Type exit, and then press ENTER.
2. Compact the DHCP database by using the JetPack utility:
   a. At the command prompt, type cd %systemroot%\system32\dhcp, and then press ENTER.
   b. Type jetpack dhcp.mdb temp.mdb, and then press ENTER.
   c. After the database is compacted successfully, type exit, and then press ENTER.
3. Export the DHCP database by using the DHCP Export Import utility (Dhcpexim.exe). You can obtain this utility from the Windows 2000 Resource Kit Supplement 1. You can also visit the following Microsoft Web site to obtain Dhcpexim.exe:
   http://support.microsoft.com/kb/927229
   To export the database:
   a. Install the Dhcpexim.exe utility, and then start the Dhcpexim.exe utility.
   b. At the Welcome to DHCP Export Import tool screen, click Export configuration of the local service to a file, and then click Ok.
   c. In the File name box, type the file name for the exported file, and then click Save. For example, type dhcpdatabase.txt.
   d. Click the scope or scopes that you want to export, click to select the Disable the selected scopes on local machine before export check box, and then click Export.
   e. Click OK.
4. Disable the DHCP Server service on the server. Disabling the DHCP Server service prevents the service from starting after the database has been transferred. To disable the DHCP Server service:
   a. Click Start, point to Settings, click Control Panel, and then double-click Services.
   b. In the Service list, click Microsoft DHCP Server, click Startup, click Disabled, and then click OK.
   c. If the service is started, click Stop, and then click Yes to confirm the stopping of the service.
   d. Click Close to close the Services dialog box.
Important Dhcpexim.exe is required to move the database successfully from a server that is running Windows 2000 to a server that is running Windows Server 2008 or Windows Server 2008 R2. Netsh commands for DHCP are not available in Windows NT 4.0.
Note If only the configuration (not the database) is required, use the following command (instead of Dhcpexim.exe) on the Windows 2000-based server that you want to export from. (Do not use Dhcpexim.exe.)
netsh dhcp dump > C:\dhcp.txt
where C:\dhcp.txt is the name and path of the export file that you want to use.
Note The export option does not exist in the netsh command on Windows 2000 Server. The netsh dhcp server dump and netsh dhcp server import commands are not compatible. If you try to import the data that is created by netsh dhcp server dump > C:\dhcp.txt by using netsh DHCP server import > C:\dhcp.txt, you receive the following error message on the Windows Server 2008 or Windows Server 2008 R2-based computer:
The request is not supported.
You can migrate the exported configuration file to the new Windows Server 2008/R2 server by using the following command:
netsh exec c:\dhcp.txt
1. To install the DHCP Server service on an existing Windows Server 2008/R2-based computer:
   a. Click Start, point to All Programs, point to Administrative Tools, and then click Server Manager.
   b. In the console tree of Server Manager, right-click Roles, and then click Add Roles.
   c. In the Add Roles Wizard, click Next.
   d. On the Select Server Roles page, click to select the DHCP Server check box, and then click Next.
   e. Review the information on the Introduction to DHCP Server page, and then click Next.
   f. Follow the instructions in the Add Roles Wizard to complete the installation.
   Note You may receive an "access denied" message during this procedure if you are not a member of the Backup Operators group. If you receive an "Unable to determine the DHCP server version for server" error message, make sure that the DHCP Server service is running on the server and that the user who is logged on is a member of the local Administrators group.
   Important Do not use Dhcpexim.exe to import a DHCP database in Windows Server 2008 or Windows Server 2008 R2. Additionally, if the target Windows Server 2008 / Windows Server 2008 R2 server is a member server, and if you plan to promote it to a domain controller, we suggest that you perform the DHCP database migration before promoting it to a domain controller. Although you can migrate the DHCP database to a Windows 2008/R2 domain controller, the migration to a member server will be easier because of the existence of the local administrator account.
2. Log on as a user who is an explicit member of the local Administrators group. A user account in a group that is a member of the local Administrators group will not work. If a local Administrators account does not exist for the domain controller, restart the computer in Directory Services Restore Mode, and use the administrator account to import the database as described later in this section.
3. Copy the exported DHCP database file to the local hard disk of the Windows Server 2008/R2-based computer.
4. Verify that the DHCP service is started on the Windows Server 2008/R2-based computer.
5. At the command prompt, type netsh dhcp server import c:\dhcpdatabase.txt all, and then press ENTER, where c:\dhcpdatabase.txt is the full path and file name of the database file that you copied to the server.
   Note When you try to export a DHCP database from a Windows 2000 domain controller to a Windows Server 2008/R2 member server of the domain, you may receive the following error message:
   Error initializing and reading the service configuration - Access Denied
   Note You must have local administrator permissions to import the data.
6. To resolve this issue, add the Windows Server 2008/R2 DHCP server computer to the DHCP Admins group at the Enterprise level.
7. If the "access is denied" error message occurs after you add the Windows Server 2008/R2 DHCP server computer to the DHCP Admins group at the Enterprise level that is mentioned in step 4, verify that the user account that is currently used to import belongs to the local Administrators group. If the account does not belong to this group, add the account to that group, or log on as a local administrator to complete the import.
8. After you receive the message that the command completed successfully, quit the command prompt.
9. Click Start, point to All Programs, point to Administrative Tools, and then click DHCP.
   Note You must be logged on to the server by using an account that is a member of the Administrators group. In an Active Directory domain, you must be logged on to the server by using an account that is a member of the Enterprise Administrators group.
10. In the console tree of the DHCP snap-in, expand the new DHCP server. If there is a red arrow in the lower-right corner of the server object, the server has not yet been authorized.
11. Right-click the server object, and then click Authorize.
12. After several moments, right-click the server again, and then click Refresh. A green arrow indicates that the DHCP server is authorized.
Here are the most recently published networking-related Knowledge Base articles:
975830 The memory usage of the Dns.exe process keeps increasing after you install hotfix 941672 on a computer that is running Windows Server 2003 SP2 and that has the DNS server role installed
975792 Numeric host names cannot be resolved on a computer that is running Windows Vista or Windows Server 2008
972887 Error message when multiple network adapters are configured to use static IP addresses on a computer that is running Windows Server 2008 SP2 or Windows Vista SP2: "0x000000D1 DRIVER_IRQL_NOT_LESS_OR_EQUAL"
976973 ICMP ping requests cannot wake a Windows 7-based computer from sleep
Here is the list of the most recently published networking-related Knowledge Base articles:
976723 IPv6 network address seems case-sensitive at address assignment for multiple network adapters installed on a Windows 7 and Windows Server 2008 R2-based computer
954373 The Network Access Protection Agent service may not start after you restart a Windows Vista Service Pack 1-based computer
976160 Converting an active lease to a reservation causes the lease to become inactive on Windows Server 2008
975815 File corruption occurs under a stress situation when the CopyFileEx function is used to copy a file between two computers that are running Windows Server 2008 or Windows Vista
974759 Stop error message on a computer that is running Windows Server 2008 or Windows Vista: "0x00000027 RDR_FILE_SYSTEM"
974924 You cannot make a VPN connection successfully by entering a correct PIN after an incorrect PIN is entered when the connection uses a smart card and PEAP authentication on a computer that is running Windows Server 2008 or Windows Vista
975512 Some SMB clients cannot access cluster file shares but they can access non-cluster file shares that are located on a computer that is running Windows Server 2008
974909 The network connection of a running Hyper-V virtual machine is lost under heavy outgoing network traffic on a Windows Server 2008 R2-based computer
Here are the latest networking-related Knowledge Base articles:
973509 The advanced security settings for Windows Firewall that you deploy by using a Group Policy object (GPO) are not displayed in Windows Vista or in Windows 2008
975212 When you use a VPN connection that uses Smart Card authentication on a client computer that is running Windows Vista or Windows Server 2008, the computer stops responding
974178 Error code 1450 after you transfer data by using the named pipes protocol between a client computer and a server that are running Windows Vista or Windows Server 2008
975598 The Nslookup.exe utility does not use all the suffixes in the DNS suffix search list if the total length of the DNS suffix search list is longer than 255 characters on a computer that is running Windows Server 2008 or Windows Vista
975698 A computer that is running Windows Server 2008 or Windows Vista receives various stop codes that cause the system to automatically restart after you enable the NetDMA feature on the new "Crystal Beach" (DMA) chip from Intel
975808 All IP addresses are registered on the DNS servers when the IP addresses are assigned to one network adapter on a computer that is running Windows Server 2008 SP2 or Windows Vista SP2
If you are unable to access shares on Windows Server 2003 or Windows XP, are being prompted for credentials, or are having authentication issues, the cause might be an incorrect installation of the hotfix described in KB 968389. Check whether KB 968389 is installed and whether you see any of the symptoms below:
If you capture network traces while trying to access shared folders, you may see a response of Error, Code = (13) STATUS_INVALID_PARAMETER from the server for the session setup:
192.168.0.2 192.168.0.1 SMB:C; Session Setup Andx, NTLM AUTHENTICATE MESSAGE, Workstation: WRK001
192.168.0.1 192.168.0.2 SMB:R; Session Setup Andx - NT Status: System - Error, Code = (13) STATUS_INVALID_PARAMETER
This error code means that there is an issue with NTLM authentication. The update in KB 968389 introduces a new feature that enhances protection and handling of credentials when authenticating network connections by using Integrated Windows Authentication.
This behavior can occur if the update discussed in KB 968389 did not install properly. To correct the issue, uninstall the update completely and then restart the server. After the restart, the symptoms should no longer occur. Reinstall the update from KB 968389 and restart the server again. The issue should not recur, and you should be able to access all shares successfully, both locally and remotely.
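As an added illustration (not code from the original post), the following Python scans Netmon-style summary lines like the two shown above, pairs each NTLM Session Setup AndX request with the server's reply, and reports the replies that carry STATUS_INVALID_PARAMETER, so the servers on which the KB 968389 installation should be checked fall out of a trace export. The trace text, the line format assumed for the regex, and the host addresses are all constructed for the example.

```python
import re
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple

# Netmon-style summary lines as shown in the post: "<src> <dst> SMB:<C|R>; <description>".
# The trace below is constructed for this example, not a real capture.
SAMPLE_TRACE = """\
192.168.0.2 192.168.0.1 SMB:C; Session Setup Andx, NTLM AUTHENTICATE MESSAGE, Workstation: WRK001
192.168.0.1 192.168.0.2 SMB:R; Session Setup Andx - NT Status: System - Error, Code = (13) STATUS_INVALID_PARAMETER
192.168.0.3 192.168.0.1 SMB:C; Session Setup Andx, NTLM AUTHENTICATE MESSAGE, Workstation: WRK002
192.168.0.1 192.168.0.3 SMB:R; Session Setup Andx - NT Status: System - Success, Code = (0) STATUS_SUCCESS
192.168.0.3 192.168.0.1 SMB:C; Tree Connect Andx, Path: \\\\SRV01\\IPC$
192.168.0.2 192.168.0.9 SMB:C; Session Setup Andx, NTLM AUTHENTICATE MESSAGE, Workstation: WRK001
192.168.0.9 192.168.0.2 SMB:R; Session Setup Andx - NT Status: System - Error, Code = (13) STATUS_INVALID_PARAMETER
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+SMB:([CR]);\s*(.*)$")
STATUS_RE = re.compile(r"NT Status:.*?Code = \((\d+)\)\s+(\S+)")
WORKSTATION_RE = re.compile(r"Workstation:\s*(\S+)")


class FailedSessionSetup(NamedTuple):
    client: str
    server: str
    workstation: Optional[str]
    status: str


def find_failed_ntlm_session_setups(lines: Iterable[str]) -> List[FailedSessionSetup]:
    """Pair each NTLM Session Setup AndX request with the server's reply and report the
    ones answered with STATUS_INVALID_PARAMETER, the symptom the post attributes to a
    broken KB 968389 installation."""
    pending: Dict[Tuple[str, str], Optional[str]] = {}  # (client, server) -> workstation
    failures: List[FailedSessionSetup] = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if m is None:
            continue  # not an SMB summary line
        src, dst, direction, desc = m.groups()
        if "Session Setup Andx" not in desc:
            continue
        if direction == "C":
            if "NTLM AUTHENTICATE" in desc:
                ws = WORKSTATION_RE.search(desc)
                pending[(src, dst)] = ws.group(1) if ws else None
            continue
        # Response line: the server is src and the client is dst.
        key = (dst, src)
        if key not in pending:
            continue
        workstation = pending.pop(key)
        st = STATUS_RE.search(desc)
        if st and st.group(2) == "STATUS_INVALID_PARAMETER":
            failures.append(FailedSessionSetup(dst, src, workstation, st.group(2)))
    return failures


def servers_to_check(lines: Iterable[str]) -> Dict[str, int]:
    """Servers that returned the symptom, with a count of failed session setups each;
    these are the hosts on which the KB 968389 installation should be verified."""
    counts: Dict[str, int] = {}
    for f in find_failed_ntlm_session_setups(lines):
        counts[f.server] = counts.get(f.server, 0) + 1
    return counts


if __name__ == "__main__":
    for f in find_failed_ntlm_session_setups(SAMPLE_TRACE.splitlines()):
        print(f"{f.client} -> {f.server} ({f.workstation}): {f.status}")
    print(servers_to_check(SAMPLE_TRACE.splitlines()))
```

Feed it the summary lines from a Netmon text export (or a Netmon filter limited to SMB Session Setup frames); a server that shows up repeatedly in servers_to_check is a candidate for the uninstall/reinstall procedure described above.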
- Shabana Vali
This post covers recently published Networking-related KB articles for the week of September 27th through October 3rd as well as October 4th through October 10th:
973097 Error message when the Smb.sys driver unloads on a computer that is running Windows Server 2003: "Stop 0x00000019"
973780 Some TCP connections between an NLB server that is running Windows Server 2008 and its clients are broken after the Port Scalability feature is enabled on the NLB server
976159 BITS jobs are lost when you downgrade from BITS 4.0
973245 On a computer that is running Windows Server 2008 or Windows Vista, you cannot add one or more servers to the securelist of a DNS service instance that is hosted on a server that is running Windows 2000 or Windows Server 2003
973246 Write error when you upload files into a shared folder that is hosted on a computer that is running Windows Vista or Windows Server 2008
972907 Stop error message on a computer that is running Windows Vista or Windows Server 2008: "STOP: 0x0000007F"
There is only 1 new KB article related to our networking technologies this time:
975497 Microsoft Security Advisory: Vulnerabilities in SMB could allow remote code execution
975608 When a user, belonging to Network Configuration Operators group, installs a networking component, bindings that involve filter drivers may not be created.
973155 The getpeername function may return an incorrect IP address when the AcceptEx function accepts a new Winsock connection through an I/O completion port on a computer that is running Windows Server 2008 or Windows Vista
Passive-mode FTP is sometimes referred to as "server-managed", because after the client issues a PASV command, the server responds to that PASV instruction with one of its ephemeral ports that will be used as the server-side port of the data connection. With that information, the client then makes a new connection to that port on the server and starts the data transfer.
Example: Frames seen in a network trace
Note: Client and server are on the same subnet in this example.
Client's request for passive mode:
Source    Dstn      Protocol  Desc
10.0.0.5  10.0.0.1  FTP       Request: PASV
Server's response to PASV Request:
Source    Dstn      Protocol  Desc
10.0.0.1  10.0.0.5  FTP       Response: 227 Entering Passive Mode (10,0,0,1,8,7).
FTP Header: File Transfer Protocol (FTP)
  227, Entering Passive Mode <h1,h2,h3,h4,p1,p2>
  227 Entering Passive Mode (10,0,0,1,8,7).\r\n
  Response code: Entering Passive Mode (227)
  Response arg: Entering Passive Mode (10,0,0,1,8,7).
  Passive IP address: 10.0.0.1 (10.0.0.1)
  Passive port: 2055
Client opens a new connection with the server on port 2055 as requested by the server:
Source    Dstn      Protocol  Desc
10.0.0.5  10.0.0.1  TCP       1122 > 2055 [SYN] Seq=0 Win=8192 Len=0 MSS=1460
TCP Header: Transmission Control Protocol, Src Port: 1122, Dst Port: 2055, Seq: 0, Len: 0
However, you are likely to encounter problems when you use FTP over the Internet to an FTP server that is behind a Network Boundary Securing Device (NBSD) such as a proxy, firewall, or Network Address Translation (NAT) device. In most cases, the NBSD allows the control connection to be established over TCP 21 (that is, the user can successfully log on to the FTP server). However, when the user attempts a data transfer such as DIR, LS, GET, or PUT, the FTP client appears to stop responding, because the server's PASV response (the Passive IP address field) contains the internal IP address of the FTP server. The client's existing control connection is to the NATed IP address of the FTP server, an address the server itself is not aware of.
The client will not attempt to open a data connection if the IP address in the "Passive IP address" field is not the same as the IP address to which the client is connected for the control connection. It simply starts the process all over again, connects to the NATed IP address of the server on port 21, and so on.
When the client receives a PASV response command from the server, it tries to open a new connection for the data channel, and the firewall should create a dynamic temporary rule to allow that new connection on the port that was specified in the PASV response command.
In other words, the firewall probes the application layer of the control channel data and reads the requests and responses to determine what TCP ports the server is using for data connections.
As seen in the example above, when a client requests a passive FTP connection by sending the PASV Request command, the FTP server responds positively with a string like "227 Entering Passive Mode h1,h2,h3,h4,p1,p2", instructing the client to initiate a TCP connection to IP address h1,h2,h3,h4 on port p1,p2. The firewall monitors this string and creates a dynamic rule allowing an inbound TCP connection from the client to the server on the specified port. Once the data transfer is over, the firewall will erase the temporary rule that it created for the data channel.
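As an added example (not code from the original post), the Python below models the three behaviours described in this section: decoding the 227 reply (h1.h2.h3.h4 is the address and the port is p1*256 + p2, which is how (8,7) becomes 2055 in the trace above), the client's refusal to open a data connection when the advertised address differs from its control-connection peer, and a firewall that reads the control channel and adds a temporary inbound rule for the negotiated data port. The PasvAwareFirewall class is a simplified model assumed for the example, not a description of any real product, and the 203.0.113.10 public address is made up.

```python
import re
from typing import NamedTuple, Optional, Set, Tuple

# Matches "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" with or without the parentheses.
PASV_RE = re.compile(r"^227\D*(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


class PasvTarget(NamedTuple):
    ip: str
    port: int


def parse_pasv_response(line: str) -> PasvTarget:
    """Decode a 227 reply: h1.h2.h3.h4 is the data-connection IP, port = p1*256 + p2."""
    m = PASV_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a 227 Entering Passive Mode reply: {line!r}")
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError(f"field out of range in PASV reply: {line!r}")
    return PasvTarget(f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def client_data_target(control_peer_ip: str, reply: str) -> Optional[PasvTarget]:
    """The client behaviour described in the post: the data connection is attempted only
    when the advertised passive IP equals the address the control connection already uses.
    Returns None for the NAT case, where the server advertises its internal address."""
    target = parse_pasv_response(reply)
    if target.ip != control_peer_ip:
        return None
    return target


class PasvAwareFirewall:
    """Hypothetical, simplified model of a firewall that inspects the FTP control channel
    (an assumption for this example). Each rule is (client_ip, server_ip, server_port)
    and exists only for the lifetime of one data transfer."""

    def __init__(self) -> None:
        self.dynamic_rules: Set[Tuple[str, str, int]] = set()

    def observe_control_reply(self, client_ip: str, server_ip: str, reply: str) -> Optional[int]:
        """Called with each server-to-client line seen on the TCP 21 control connection."""
        try:
            target = parse_pasv_response(reply)
        except ValueError:
            return None  # not a PASV reply, nothing to do
        # Only open a hole to the server that sent the reply; a reply naming some other
        # host must not create a rule for that host.
        if target.ip != server_ip:
            return None
        self.dynamic_rules.add((client_ip, server_ip, target.port))
        return target.port

    def allow_inbound(self, client_ip: str, server_ip: str, port: int) -> bool:
        """Decision for the client's inbound SYN to the data port."""
        return (client_ip, server_ip, port) in self.dynamic_rules

    def data_connection_closed(self, client_ip: str, server_ip: str, port: int) -> None:
        """Remove the temporary rule once the transfer is over."""
        self.dynamic_rules.discard((client_ip, server_ip, port))


# Constructed sample values taken from the trace above; the public address is made up.
SAMPLE_REPLY = "227 Entering Passive Mode (10,0,0,1,8,7).\r\n"
SERVER_INTERNAL_IP = "10.0.0.1"
SERVER_PUBLIC_IP = "203.0.113.10"  # assumed NATed address of the FTP server


def walk_through() -> dict:
    """Run the same-subnet case and the NAT case side by side."""
    fw = PasvAwareFirewall()
    opened = fw.observe_control_reply("10.0.0.5", SERVER_INTERNAL_IP, SAMPLE_REPLY)
    permitted = fw.allow_inbound("10.0.0.5", SERVER_INTERNAL_IP, 2055)
    fw.data_connection_closed("10.0.0.5", SERVER_INTERNAL_IP, 2055)
    return {
        "parsed": parse_pasv_response(SAMPLE_REPLY),
        "same_subnet": client_data_target(SERVER_INTERNAL_IP, SAMPLE_REPLY),
        "behind_nat": client_data_target(SERVER_PUBLIC_IP, SAMPLE_REPLY),
        "rule_port": opened,
        "syn_permitted": permitted,
        "rules_after_close": len(fw.dynamic_rules),
    }


if __name__ == "__main__":
    for key, value in walk_through().items():
        print(f"{key}: {value}")
```

The behind_nat entry is the stall described above: the client was talking to 203.0.113.10 but was told to connect to 10.0.0.1, so it never opens the data connection. The firewall model also shows why the dynamic rule is narrow (one client, one server, one port) and why it disappears when the transfer ends.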
Make sure your Firewall is capable of the following:
IIS 7.0 for Windows Server 2008 has a new feature that allows you to configure it with information about the firewall the server is behind. Check out http://www.iis.net to learn about IIS 7.0.
For information on configuring the FTP passive port range in IIS 5.0 or 6.0, please see KB 555022. It is also discussed on the following Windows Server 2003 TechCenter page: Configuring FTP Site Properties (IIS 6.0).
- Arun Kumar (P)
972840 The SNMP service does not respond to all SNMP requests on a computer that is running Windows Server 2003 after the Group Policy settings are refreshed
972071 Applications that use the UDP protocol may encounter poor performance on a computer that is running Windows Server 2003
960670 IPv6 network adapters are reinstalled when network connectivity is restored on a computer that is running Windows Vista or Windows Server 2008
973196 Stop error 0xD1 may occur on a computer that is running Windows Vista or Windows Server 2008
973482 Stop error 0xD1, Stop error 0x0A, or Stop error 0x7E may occur on a computer that is running Windows Vista or Windows Server 2008
What is the purpose of this alert?
This alert is to notify you that Microsoft has released Security Advisory 975497, "Vulnerabilities in SMB Could Allow Remote Code Execution", on September 08, 2009.
Microsoft is investigating new public reports of a possible vulnerability in Microsoft Server Message Block (SMB) Protocol. We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time.
We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.
Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.
Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.
Review Microsoft Security Advisory 975497 for an overview of the issue, details on affected components, mitigating factors, suggested actions, frequently asked questions (FAQs), and links to additional resources.
Customers who believe they are affected can contact Customer Service and Support (CSS) in North America for help with security update issues or viruses at no charge using the PC Safety line (866) PCSAFETY. International customers can contact Customer Service and Support by using any method found at http://www.microsoft.com/protect/worldwide/default.mspx.
Thank you,
Microsoft CSS Security Team
"I wish there was a way to run a Netmon capture for an extended time and to have it stop when a certain event is recorded in the event logs. I don't have the hard drive space for large captures that are many gigs in size. I only want to see the Netmon traffic at the time a particular event is logged. If there was only a way to do this......."
The good news is that there is a way to do this by using NM3EventCap.exe as per the steps below.
Prerequisites: Network Monitor 3.2 or later, NM3EventCap 1.0, and Visual C++ 2005
Download Links:
  Network Monitor 3.3
  NM3EventCap 1.0
  Visual C++ 2005 SP1 x86
  Visual C++ 2005 SP1 x64
Goal: To take a continuous network trace and for it to stop once a particular Event ID is written in an event log. This will enable us to look at what took place on the wire up until the time the event was triggered. The frames of interest will be the last part of the capture. This is useful for sporadic intermittent issues that record entries in the Event Log when they happen.
Instructions:
1.) Download and install Network Monitor. Once it is installed, launch Netmon and make sure the parsers load the first time. This takes a few seconds. Make sure that the correct NIC is selected with a checkbox, as in the example below. Exit Network Monitor.
2.) Download and install Visual C++ 2005 (or Visual C++ 2008).
3.) Download NM3EventCap.exe and save it to a folder on the desktop or where ever you have available space. Make sure that there is at least 100MB of available space for the default size of the capture.
4.) Open a command prompt and change directories to the location where you saved NM3EventCap.exe. If you type in “nm3eventcap.exe” you will see the available switches as below:
NM3EventCap.exe /?
Usage: NM3EventCap.exe Capture EventNumber [m_LogFile] [-options]
  Capture     - Name of capture file to use. use -o to overwrite if capture already exists.
  EventNumber - numeric event error message to stop on.
  LogFile     - For example, Application, Security, System. Default searches all logs.
Options:
  -b #  - Buffer size in Mbytes for capture. Default is 100MB.
  -c    - Use chain capture instead of the default of circular.
  -f    - Filter to use for capturing traffic.
  -o    - Overwrite capture if it exists.
  -d    - Disable Conversations. Warning, you could shoot yourself in the foot.
  -n #  - Number of adapter to capture on. Use Nmcap /displaynetworks to get list
  -v    - Be verbose. Show NPL compilation messages.
Example: At the command prompt, type:
nm3eventcap FailedCapture 7036
You should see the output below. This shows NM3EventCap listening and waiting for an Event ID 7036 to appear in the event logs.
Once the event is logged, you should see:
What have we done? We setup NM3EventCap to take a network capture and listen for Event ID 7036. Once that event is recorded, it stops the capture and saves it with the name of “FailedCapture”. It will be saved with a .cap extension in the same directory in which NM3EventCap is being run. A breakdown of the command we used:
NM3EventCap = initializes the executable.
FailedCapture= name of the capture.
7036= the event ID to look for. Once it is recorded, this triggers NM3EventCap to stop the capture.
Note: Event ID 7036 is logged by Service Control Manager when many services enter a stopped state. Any Event ID can be used.
By default, NM3EventCap will watch all event logs. To have NM3EventCap search only the System Event Log, for example, the command would be:
Nm3eventcap FailedCapture 7036 system
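As an added example that is not part of the post and not the tool's own code, the Python below models what NM3EventCap does with its two buffer modes: a circular buffer (the default) keeps only the newest frames, so when the trigger event is written the tail of the capture holds what was on the wire just before it, while chain mode (the -c option) discards nothing. The timeline of frames and event-log writes is constructed, the buffer is sized in frames rather than the tool's megabytes (a simplification), and the event text is made up.

```python
from collections import deque
from typing import Iterable, List, Optional, Tuple

# A merged timeline of what happens on the box: captured frames interleaved with event-log
# writes. Items are ("frame", "<summary>") or ("event", (log_name, event_id, message)).
# Everything here is constructed for the example.
Item = Tuple[str, object]


def make_timeline(frames_before: int, frames_after: int, log: str = "System",
                  event_id: int = 7036) -> List[Item]:
    """Some traffic, then the trigger event, then more traffic that arrives after it."""
    items: List[Item] = [("frame", f"frame-{i}") for i in range(1, frames_before + 1)]
    items.append(("event", (log, event_id, "A service entered the stopped state.")))  # constructed
    items += [("frame", f"frame-{i}")
              for i in range(frames_before + 1, frames_before + frames_after + 1)]
    return items


def capture_until_event(timeline: Iterable[Item], event_id: int, log_name: Optional[str] = None,
                        buffer_frames: int = 100, circular: bool = True) -> List[str]:
    """Keep capturing until event_id is written to log_name (any log when None).
    circular=True mirrors the tool's default: a fixed-size ring keeps only the newest frames,
    so the end of the returned capture is the traffic immediately before the event.
    circular=False mirrors the -c chain option: nothing is discarded.
    The ring is sized in frames here rather than the tool's megabytes (simplification)."""
    kept = deque(maxlen=buffer_frames) if circular else deque()
    for kind, payload in timeline:
        if kind == "frame":
            kept.append(payload)
        elif kind == "event":
            log, eid, _message = payload
            if eid == event_id and (log_name is None or log.lower() == log_name.lower()):
                break  # trigger seen: stop the capture; frames after this are not recorded
    return list(kept)


if __name__ == "__main__":
    tl = make_timeline(frames_before=250, frames_after=10)
    ring = capture_until_event(tl, 7036, buffer_frames=100)
    chain = capture_until_event(tl, 7036, buffer_frames=100, circular=False)
    print(len(ring), ring[0], ring[-1])  # 100 frame-151 frame-250
    print(len(chain), chain[-1])         # 250 frame-250
```

Passing log_name mirrors the optional LogFile argument: an event of the right ID written to a different log does not stop the capture, and the ring keeps rolling over the traffic that follows, which is why narrowing the log is useful when the same event ID is noisy elsewhere.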
Other syntax examples:
1.) "Nm3eventcap FailedCapture 7036 -o"
This initiates NM3EventCap to listen for Event ID 7036 in all the event logs and save a capture with the name FailedCapture; if a capture with that name already exists, it is overwritten, as specified by the "-o" switch.
2.) "Nm3eventcap FailedCapture 7036 -o -n #5"
This initiates NM3EventCap to watch for Event ID 7036 in all the event logs and save a capture with the name FailedCapture, and if a capture with that name already exists, overwrite it. The "-n #" switch is used to specify which interface to capture on if this is a multihomed machine. At a command prompt in the same directory you can type nmcap /displaynetworks, which will give you a list like in the example below:
- Shane Brasher