Windows 2008: Difference between revisions

== Memory Counters ==
Memory management in any OS can be a complex and confusing business, especially as meanings change with time, and the same counter can be called different things in different OSes from the same family.
The first thing to appreciate is that Windows 2008 likes to fill its memory up, in order to improve system performance (Unix likes to do this too).  For example, it will try to prefetch drivers etc. into memory before they're actually required, and cache files that are being accessed.
In the virtual world this can cause concern for Virtual Infrastructure admins, as they see lots of machines, using lots of memory, even when they're not doing anything.  But this isn't a problem.  The VMs are merely trying to make as good a use of the available system resources as possible.  If your ESX becomes congested, then it'll instruct VMTools to start inflating balloon drivers.  The first thing that the OS will dump from memory is the unnecessary stuff that's been optimistically loaded into memory but isn't actually providing any worth.  This is good, efficient system operation.
=== Total ===
Total physical memory available to the OS
=== Cached ===
This is data that has been cached into memory to improve IO times.  For example, open files that are being read or written to.
Cached memory pages are broadly speaking either...
* [[#Standby|Standby]] - loaded into memory ready for use, and can be immediately dropped if required
* [[#Modified|Modified]] - loaded into memory and since modified, and can be flushed to disk if required
Data in the cache can be written to disk (or dropped) if the memory space is required for something else.  Data in the cache does ''not'' get paged out to disk; it's only in memory in the first place to improve access times, therefore if there's no space for it in physical memory, there's no point writing it to virtual memory.
=== Available ===
Physical memory that is immediately available for use.  Equal to [[#Free|Free]] plus [[#Standby|Standby Cached]].
This is memory that can be immediately written to if required.  It may currently contain cache data, but this data can be dropped and overwritten (it does not need to be written to disk first).
If your system has available memory (more than 100MB or so - but really dependent on the workload it's sustaining) then it's not experiencing physical memory constraints.
=== Free ===
Physical memory space that is completely free; it's not been populated with data.
=== In Use ===
''Found in Resource Monitor''
Memory that is populated and can't be immediately used for something else.  Equal to [[#Total|Total]] - [[#Standby|Standby]]
=== Modified ===
''Found in Resource Monitor''
[[#Cached|Cached]] memory that has been modified since it was originally loaded in.  It can be freed up on demand, but will need to be written to disk before it can be re-used
=== Standby ===
''Found in Resource Monitor''
[[#Cached|Cached]] memory that has not been modified and can be dropped.  It can be immediately freed up on demand.
=== Commit ===
Memory that the OS has committed to providing to an application, normally shown as <code> committed / total </code>.  Total includes both physical and virtual memory.
An application can request an allocation of memory from the OS, for its own use, which the OS will set aside/reserve for it.  When that allocation has been completed, that amount of memory has been ''committed''.
Committed memory needn't actually be populated with data, so needn't contribute to the amount in use.  If you have no physical memory available, an application can still start and request an allocation.  But that allocation will effectively be provided for by virtual memory.
Just because an application requests a large commit, and then doesn't populate it with data, doesn't mean it's misbehaving.  Certain OS API calls will cause large commits (eg [http://msdn.microsoft.com/en-us/library/windows/desktop/aa366761%28v=vs.85%29.aspx MapViewOfFile]), which means that having a decent amount of page file free is useful to ensure your system keeps running.  I'd only consider reducing your page file to a small size on locked-down servers on which only certain thoroughly tested applications run.
Sources...
* http://blogs.technet.com/b/markrussinovich/archive/2008/11/17/3155406.aspx
* http://brandonlive.com/2010/02/21/measuring-memory-usage-in-windows-7/
* http://communities.vmware.com/thread/278778
* http://msdn.microsoft.com/en-us/library/windows/desktop/aa965225%28v=vs.85%29.aspx



Latest revision as of 11:52, 7 May 2019

Build

Best practice for VMware VMs (take with a pinch of salt, one man's best practice can be another man's gotcha)

Disable ASLR

Address space layout randomisation is a feature which involves randomly arranging the positions of key data areas, in order to mitigate memory snapshot image vulnerabilities (which is generally not a problem). There are suggestions that this can reduce VMware's page sharing between VMs, increasing overall physical memory usage. However, it's probably true that whilst memory page locations will be randomised, the VMkernel will still be able to match up identical pages between different OS instances.

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\"MoveImages"=dword:00000000
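Because this value switches off an exploit mitigation for the whole machine, it is worth being able to list which servers carry it. The script below is an added example, not part of the original page; the host names are placeholders, and the reading of values other than 0 (absent means the Windows default, 0xFFFFFFFF means always relocate) is an assumption based on commonly documented behaviour rather than on this page.

```powershell
# Added example: report the MoveImages setting on one or more servers.
# Remote hosts need the Remote Registry service running and admin rights.
$SubKey = 'SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function ConvertTo-AslrState {
    param($Value)   # $null when the registry value does not exist
    if ($null -eq $Value) { return 'Default (value not set)' }
    switch ([int64]$Value) {
        0          { return 'Disabled (images are not relocated)' }
        -1         { return 'Forced (assumed: all images relocated)' }   # 0xFFFFFFFF read as Int32
        4294967295 { return 'Forced (assumed: all images relocated)' }   # 0xFFFFFFFF read unsigned
        default    { return "Default (unrecognised value $Value)" }
    }
}

function Get-AslrSetting {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))
    foreach ($computer in $ComputerName) {
        $raw = $null
        try {
            $hklm  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
            $key   = $hklm.OpenSubKey($SubKey)
            $raw   = $key.GetValue('MoveImages', $null)
            $state = ConvertTo-AslrState $raw
            $key.Close()
            $hklm.Close()
        } catch {
            # Host offline, access denied, or key missing
            $state = "Not read: $($_.Exception.Message)"
        }
        New-Object PSObject -Property @{
            Computer   = $computer
            MoveImages = $raw
            State      = $state
        }
    }
}

# SERVER01 and SERVER02 are placeholder names
Get-AslrSetting -ComputerName $env:COMPUTERNAME, 'SERVER01', 'SERVER02' |
    Format-Table Computer, MoveImages, State -AutoSize
```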

Procedures

Sysprep

  1. Start sysprep from C:\Windows\System32\sysprep\sysprep.exe
  2. Leave action as Enter System Out-of-Box Experience (OOBE) and tick the poorly spelt Generalize tick-box, then hit OK
  3. Sysprep will run and reboot the OS
    • You'll need to provide a new password, and any hostname and IP details will need updating

NTP Client

Machines that are part of a domain will synchronise their time with the domain controllers, but standalone machines (or domain controllers) need to be configured to behave as NTP clients.

The server's NTP config in the registry hive HKLM\SYSTEM\CurrentControlSet\Services\W32Time needs to be updated as follows to enable the server's system clock to update via NTP. Restart the NTP service to apply.

{|class="vwikitable"
|-
! Key !! Name !! Value !! Notes
|-
| Parameters || Type || NTP ||
|-
| Parameters || NtpServer || 192.168.206.25,0x1 192.168.206.26,0x1 || Space separated list, each name/IP must have ,0x1 appended to the end
|-
| TimeProviders \ NtpServer || Enabled || 1 || Only required if you wish other servers to be able to poll your server for time
|-
| TimeProviders \ NtpClient || SpecialPollInterval || 1800 || Secs. Interval between successive NTP polls
|-
| Config || AnnounceFlags || 5 ||
|-
| Config || MaxAllowedPhaseOffset || 30 || Secs. If the clock is off by more, it's abruptly set rather than incremented
|-
| Config || MaxPosPhaseCorrection || 5400 || Secs. Maximum positive phase correction allowed (if greater, no change occurs)
|-
| Config || MaxNegPhaseCorrection || 5400 || Secs. Maximum negative phase correction allowed (if greater, no change occurs)
|}

Once completed, restart the Win32 Time service

  • net stop w32time
  • net start w32time

To locate suitable NTP servers to use, see http://www.pool.ntp.org/

See http://support.microsoft.com/kb/816042 for further info on setting the above parameters
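The registry changes above can be scripted so that every standalone server gets the same settings. This is an added example, not part of the original page; it uses the addresses and values from the table, and the read-back check and the final <code>w32tm</code> query are additions for verification.

```powershell
# Added example: apply the W32Time values from the table, restart the service, verify.
# Run from an elevated PowerShell prompt.
$Base       = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
$NtpServers = '192.168.206.25', '192.168.206.26'   # addresses from the table; use your own

# Space separated list, each entry with ,0x1 appended
$NtpServerValue = ($NtpServers | ForEach-Object { "$_,0x1" }) -join ' '

# Strings are written as REG_SZ, integers as REG_DWORD
$Settings = @(
    @{ Key = 'Parameters';              Name = 'Type';                  Value = 'NTP' },
    @{ Key = 'Parameters';              Name = 'NtpServer';             Value = $NtpServerValue },
    @{ Key = 'TimeProviders\NtpClient'; Name = 'SpecialPollInterval';   Value = 1800 },
    @{ Key = 'Config';                  Name = 'AnnounceFlags';         Value = 5 },
    @{ Key = 'Config';                  Name = 'MaxAllowedPhaseOffset'; Value = 30 },
    @{ Key = 'Config';                  Name = 'MaxPosPhaseCorrection'; Value = 5400 },
    @{ Key = 'Config';                  Name = 'MaxNegPhaseCorrection'; Value = 5400 }
)

# Only needed if other servers should be able to poll this one for time:
# $Settings += @{ Key = 'TimeProviders\NtpServer'; Name = 'Enabled'; Value = 1 }

foreach ($s in $Settings) {
    Set-ItemProperty -Path (Join-Path $Base $s.Key) -Name $s.Name -Value $s.Value
}

# Same effect as net stop w32time / net start w32time
Restart-Service -Name w32time

# Read each value back and flag anything that did not take
foreach ($s in $Settings) {
    $actual = (Get-ItemProperty -Path (Join-Path $Base $s.Key)).($s.Name)
    New-Object PSObject -Property @{
        Setting = "$($s.Key)\$($s.Name)"
        Actual  = $actual
        Match   = ($actual -eq $s.Value)
    }
}

# Shows the time source the service is actually using
w32tm /query /status
```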

Network Connectivity Status Indicator (NCSI)

NCSI is the feature that causes the "No Internet Access" alert pop-up that can appear over your network connection. It performs the following checks...

  • An HTTP request for http://www.msftncsi.com/ncsi.txt
    • Which returns a single line Microsoft NCSI
  • A DNS request for dns.msftncsi.com
    • Which is expected to resolve to 131.107.255.255

To disable NCSI checks

  1. Start the relevant Group Policy editor (gpmc.msc or GPEdit.msc)
  2. Browse through to Internet Communication settings
    • Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet Communication settings
  3. Set Turn off Windows Network Connectivity Status Indicator active tests to Enabled
  4. Run gpupdate to apply

To disable the "No Internet Access" pop-up

  1. Start the relevant Group Policy editor (gpmc.msc or GPEdit.msc)
  2. Browse through to Network Connections
    • Computer Configuration > Administrative Templates > Network > Network Connections
  3. Set Do not show the “local access only” network icon to Enabled
  4. Run gpupdate to apply

The underlying settings that govern how NCSI operates can be found in the following registry key

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet
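When the pop-up appears on a server that should have internet access, repeating the two checks by hand shows which one is failing. The script below is an added example, not part of the original page; the registry value names it reads (<code>ActiveWebProbeHost</code>, <code>ActiveWebProbePath</code>, <code>ActiveWebProbeContent</code>, <code>ActiveDnsProbeHost</code>, <code>ActiveDnsProbeContent</code>) are an assumption about the contents of the key above, and the defaults are the values described on this page.

```powershell
# Added example: run the NCSI HTTP and DNS checks manually and compare the answers.
$NcsiKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet'

# Defaults as described on this page
$Probe = @{
    WebUrl     = 'http://www.msftncsi.com/ncsi.txt'
    WebContent = 'Microsoft NCSI'
    DnsHost    = 'dns.msftncsi.com'
    DnsContent = '131.107.255.255'
}

# Assumed value names; if present they override the defaults above
$reg = Get-ItemProperty -Path $NcsiKey -ErrorAction SilentlyContinue
if ($reg) {
    if ($reg.ActiveWebProbeHost -and $reg.ActiveWebProbePath) {
        $Probe.WebUrl = "http://$($reg.ActiveWebProbeHost)/$($reg.ActiveWebProbePath)"
    }
    if ($reg.ActiveWebProbeContent) { $Probe.WebContent = $reg.ActiveWebProbeContent }
    if ($reg.ActiveDnsProbeHost)    { $Probe.DnsHost    = $reg.ActiveDnsProbeHost }
    if ($reg.ActiveDnsProbeContent) { $Probe.DnsContent = $reg.ActiveDnsProbeContent }
}

function Test-NcsiWebProbe {
    param([string]$Url, [string]$Expected)
    try {
        # WebClient uses the system proxy settings of the account running the script
        $body = (New-Object System.Net.WebClient).DownloadString($Url)
        return ($body.Trim() -eq $Expected)
    } catch {
        return $false   # blocked, timed out, or name not resolved
    }
}

function Test-NcsiDnsProbe {
    param([string]$HostName, [string]$Expected)
    try {
        $addresses = [System.Net.Dns]::GetHostAddresses($HostName) |
            ForEach-Object { $_.IPAddressToString }
        return ($addresses -contains $Expected)
    } catch {
        return $false   # lookup failed
    }
}

New-Object PSObject -Property @{
    WebProbe = $Probe.WebUrl
    WebOk    = Test-NcsiWebProbe -Url $Probe.WebUrl -Expected $Probe.WebContent
    DnsProbe = $Probe.DnsHost
    DnsOk    = Test-NcsiDnsProbe -HostName $Probe.DnsHost -Expected $Probe.DnsContent
} | Format-List WebProbe, WebOk, DnsProbe, DnsOk
```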

Further reading...

  • http://technet.microsoft.com/en-us/library/ee126135%28WS.10%29.aspx
  • http://defaultreasoning.wordpress.com/2010/05/14/disable-%E2%80%9Cno-internet-access%E2%80%9D-notification-on-windows-server-2008-r2/

Troubleshooting

Default Gateway Loss

A known bug in Windows 2008 SP2 causes the default gateway of a machine to disappear on reboot. It is resolved by resetting the IP stack and re-entering the IP config.

  1. Record IP details
    • ipconfig/all > C:\ipconfig.txt
  2. Reset the IP stack
    • netsh int ip reset
  3. Restart server
  4. Re-enter IP config
  5. Reboot to confirm it's held

There's a bugfix available from http://support.microsoft.com/kb/973243

Scheduled Tasks

More common scheduled task error codes...

{|class="vwikitable"
|-
! Code !! Constant !! Cause / meaning
|-
| 0x0 || || Success / no error
|-
| 0x1 || || Incorrect function called or unknown function called.  Can also be caused by file permission problems.
|-
| 0x2 || || File not found
|-
| 0xa || || The environment is incorrect
|-
| 0x41300 || SCHED_S_TASK_READY || Task is ready to run at its next scheduled time
|-
| 0x41301 || SCHED_S_TASK_RUNNING || Task is currently running
|-
| 0x41302 || SCHED_S_TASK_DISABLED || Task is disabled
|-
| 0x41303 || SCHED_S_TASK_HAS_NOT_RUN || Task has not yet run
|-
| 0x41304 || SCHED_S_TASK_NO_MORE_RUNS || No more scheduled runs for the task
|-
| 0x41305 || SCHED_S_TASK_NOT_SCHEDULED || One or more of the config properties needed to run the task on a schedule have not been set
|-
| 0x41306 || SCHED_S_TASK_TERMINATED || Task was terminated by user
|-
| 0x41307 || SCHED_S_TASK_NO_VALID_TRIGGERS || Task either has no triggers or the existing triggers are disabled or not set
|-
| 0x41308 || SCHED_S_EVENT_TRIGGER || Event triggers do not have set run times
|-
| 0x4131B || SCHED_S_SOME_TRIGGERS_FAILED || Task is registered, but not all specified triggers will start the task
|-
| 0x4131C || SCHED_S_BATCH_LOGON_PROBLEM || Task is registered, but may fail to start. Batch logon privilege needs to be enabled for the task principal.
|-
| 0x41325 || SCHED_S_TASK_QUEUED || Task Scheduler service has asked the task to run
|-
| 0x80041309 || SCHED_E_TRIGGER_NOT_FOUND || Task's trigger is not found
|-
| 0x8004130A || SCHED_E_TASK_NOT_READY || One or more of the properties required to run this task have not been set
|-
| 0x8004130B || SCHED_E_TASK_NOT_RUNNING || There is no running instance of the task
|-
| 0x8004130C || SCHED_E_SERVICE_NOT_INSTALLED || Task Scheduler service is not installed
|-
| 0x8004130D || SCHED_E_CANNOT_OPEN_TASK || Task object could not be opened
|-
| 0x8004130E || SCHED_E_INVALID_TASK || The object is either an invalid task object or is not a task object
|-
| 0x8004130F || SCHED_E_ACCOUNT_INFORMATION_NOT_SET || No account information could be found in the Task Scheduler security database for the task
|-
| 0x80041310 || SCHED_E_ACCOUNT_NAME_NOT_FOUND || Unable to establish existence of the account specified
|-
| 0x80041311 || SCHED_E_ACCOUNT_DBASE_CORRUPT || Task Scheduler security database has been reset due to detected corruption
|-
| 0x80041312 || SCHED_E_NO_SECURITY_SERVICES || Task Scheduler security services are available only on Windows NT
|-
| 0x80041313 || SCHED_E_UNKNOWN_OBJECT_VERSION || Task object version is unsupported or invalid
|-
| 0x80041314 || SCHED_E_UNSUPPORTED_ACCOUNT_OPTION || Task has unsupported/conflicting combination of account settings and run time options
|-
| 0x80041315 || SCHED_E_SERVICE_NOT_RUNNING || Task Scheduler Service is not running
|-
| 0x80041316 || SCHED_E_UNEXPECTEDNODE || Task's XML contains an unexpected node (corruption?)
|-
| 0x80041317 || SCHED_E_NAMESPACE || Task's XML contains an element or attribute from an unexpected namespace
|-
| 0x80041318 || SCHED_E_INVALIDVALUE || Task's XML contains a value which is incorrectly formatted or out of range
|-
| 0x80041319 || SCHED_E_MISSINGNODE || Task's XML is missing a required element or attribute
|-
| 0x8004131A || SCHED_E_MALFORMEDXML || Task's XML is malformed
|-
| 0x8004131D || SCHED_E_TOO_MANY_NODES || Task's XML contains too many nodes of the same type
|-
| 0x8004131E || SCHED_E_PAST_END_BOUNDARY || Task cannot be started after the trigger end boundary
|-
| 0x8004131F || SCHED_E_ALREADY_RUNNING || An instance of this task is already running
|-
| 0x80041320 || SCHED_E_USER_NOT_LOGGED_ON || Task will not run because the user is not logged on
|-
| 0x80041321 || SCHED_E_INVALID_TASK_HASH || Task image is corrupt or has been tampered with
|-
| 0x80041322 || SCHED_E_SERVICE_NOT_AVAILABLE || Task Scheduler service is not available
|-
| 0x80041323 || SCHED_E_SERVICE_TOO_BUSY || Task Scheduler service is too busy to handle request
|-
| 0x80041324 || SCHED_E_TASK_ATTEMPTED || Task Scheduler service attempted to run the task, but it did not run due to one of the constraints in the task definition
|-
| 0x80041326 || SCHED_E_TASK_DISABLED || Task is disabled
|-
| 0x80041327 || SCHED_E_TASK_NOT_V1_COMPAT || Task has properties that are not compatible with earlier versions of Windows
|-
| 0x80041328 || SCHED_E_START_ON_DEMAND || Task's settings do not allow the task to start on demand
|-
| 0x8007010B || || The ''start in'' folder path is invalid.  Note that quotation marks around paths with spaces in are not required, and will cause this error if used.
|-
| 0x800704DD || || The service is not available (is ''Run only when an user is logged on'' checked?)
|-
| 0xC000013A || || The task was terminated, user pressed Ctrl+C
|-
| 0xC06D007E || || Unknown software exception
|}

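The above was sourced from...

  • http://msdn.microsoft.com/en-us/library/aa383604
  • http://ict.ken.be/scheduled-task-exit-result-and-error-codes.aspx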

Other scheduler errors...

  • Error 2147943712
    • You're trying to save a task that wants to save credentials (maybe because you want the task to run even when the user is logged off), but credential saving has been disabled by a GPO.
  • Error 2147943785
    • Logon failure: the user has not been granted the requested logon type at this computer. Grant the user log on as a batch job rights in Local Security Policy, User Rights Assignment
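The decimal numbers in these pop-ups and the hex codes in the table are the same kind of 32-bit result value in different notation, so one routine can decode both. The function below is an added example, not part of the original page; it splits a result into its failure bit, facility and code using the standard HRESULT layout, and asks Windows for the message text when the code is a Win32 error.

```powershell
# Added example: decode a scheduled task result given as decimal or 0x-prefixed hex.
function Resolve-TaskResult {
    param([Parameter(Mandatory = $true)][string]$Result)

    # Normalise to an unsigned 32-bit value held in an Int64
    if ($Result -match '^0x([0-9a-fA-F]{1,8})$') {
        $value = [Convert]::ToInt64($Matches[1], 16)
    } else {
        $value = [int64]$Result
        if ($value -lt 0) { $value += 4294967296 }   # result shown as a negative Int32
    }

    # HRESULT layout: bit 31 = failure, bits 16-26 = facility, bits 0-15 = code.
    # Plain arithmetic is used so this also runs on PowerShell 2.0.
    $failure  = $value -ge 2147483648
    $facility = [int]([math]::Floor($value / 65536) % 2048)
    $code     = [int]($value % 65536)

    if ($facility -eq 7 -or ($facility -eq 0 -and -not $failure)) {
        # Facility 7 wraps a Win32 error; small plain values are Win32/exit codes
        $meaning = (New-Object System.ComponentModel.Win32Exception -ArgumentList $code).Message
    } elseif ($facility -eq 4) {
        $meaning = 'Task Scheduler code, look up the hex value in the SCHED_ table'
    } else {
        $meaning = 'Not a Win32 or Task Scheduler code, look up the hex value'
    }

    New-Object PSObject -Property @{
        Input    = $Result
        Hex      = '0x{0:X8}' -f $value
        Failure  = $failure
        Facility = $facility
        Code     = $code
        Meaning  = $meaning
    }
}

# Values taken from this page: 2147943712 is 0x80070520 and 2147943785 is 0x80070569
'2147943712', '2147943785', '0x8007010B', '0x800704DD', '0x80041326', '0x41301', '0x2' |
    ForEach-Object { Resolve-TaskResult $_ } |
    Format-Table Input, Hex, Failure, Facility, Code, Meaning -AutoSize
```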

Extend Partition Fails

Disk looks to have extended in disk manager, but file manager/windows explorer still show the old size

  1. Start diskpart from a command line
  2. List the volumes, then select the appropriate one
    • list volume
    • select volume 2
  3. Extend the volume
    • extend filesystem
  4. If this fails, select the partition and extend
    • list partition
    • select partition 1
    • extend filesystem
  5. This can sometimes throw up disk errors, in which case you'll need to run a check disk on the affected partition (if there are open file handles you'll either need to stop the applications or schedule it for after a reboot, and reboot)
    • EG chkdsk d: /f
  6. Then re-attempt the partition extension

Re-Add Server to Domain

Sometimes the domain membership of a server becomes broken, needing the server to be re-added to the domain. In order to perform this you need...

  • A domain administrator account
    • Or at least a domain account with permissions to add/remove machines from the domain
  • A local administrator account
    • Or a domain account that has recently logged into the server, that has admin rights over it

If you don't have any account that can be a local administrator of the server, you'll need to break into your server. There are utilities on the web that let you boot to a recovery CD/ISO, and overwrite the admin password. I haven't used any of these since NT4 days, so can't comment how capable they are today.

  1. Log into the server as a local admin
    • If you don't have the password, but have logged on previously with a domain account that has admin rights over the server
      1. Disconnect the server from the network
      2. Login with the domain account that has admin rights (this forces the server to use locally cached credentials, rather than validating with the domain)
      3. Reconnect to network
      4. Change the local admin password to something you'll remember (you must do this otherwise you'll lose access once the machine is off the domain!)
  2. Go to System Properties and record the name of the current domain
  3. Then change the domain membership to Workgroup (provide a dummy workgroup name, WORKGROUP is the default for new machines)
  4. Provide a domain account that has rights to remove a server from the domain
  5. If successful you should get a pop-up stating Welcome to the WORKGROUP workgroup, and then a prompt to restart
  6. Go back into System Properties and change the domain membership to Domain, supplying the original domain name
  7. Provide a domain account that has rights to add a server to the domain
  8. If successful you should get a pop-up stating Welcome to the <domain> domain, and then a prompt to restart