Get-WmiObject Win32_OperatingSystem -ComputerName <computer> | fl LastBootUpTime
Command Prompt/ WMI:
wmic /node:"<computer>" OS get LastBootUpTime
Double quotes are important for the WMI method.
This isn’t going to be a coherent post really (unlike my usual posts which are more coherent, I hope!). I came across a bunch of new stuff as I was troubleshooting this WMI issue and thought I should put them all somewhere.
The issue is that we are trying to get Solarwinds to monitor one of our DMZ servers via WMI but it keeps failing.
Other servers in the DMZ work, it’s just this one that fails. WMI ports aren’t fixed like I had mentioned earlier but I don’t think that matters coz they aren’t fixed for the other servers either. Firewall configuration is the same between both servers.
I thought of running Microsoft Network Monitor but realized that it’s been replaced with Microsoft Message Analyzer. That looks nice and seems to do a lot more than just network monitoring – I must explore it sometime. For now I ran it on the DMZ server and applied a filter to see traffic from our Solarwinds server to it. The results showed that access was being denied, so it may not be a port issue after all.
Reading up more on this pointed me to a couple of suggestions. None of them helped but I’d like to mention them here for future reference.
First up is the command
If all is well with WMI you should get no error.
Now try the same from the Solarwinds server, but this time try connecting to the DMZ server and enter credentials if any.
That worked with the local administrator account but failed with the account I was using from Solarwinds to monitor the server.
So now I know the issue is one of permissions and not ports.
Another tool that can be used is WmiMgmt. Just type
Problem with WmiMgmt is that unlike
In my case the Administrators group members had full permissions as expected. The account I was using from the Solarwinds server was a member of this group too yet had access denied.
Another place to look at is Component Services > Computers > My Computer > DCOM Config > “Windows Management and Instrumentation” – right click and “Properties”.
Make sure “Authentication Level” is “Default”. Then go to the “Security” tab and make sure the account/ group you want has permissions.
Also right click on “My Computer” and go to “Properties”.
Under the “COM Security” tab go to the “Edit Limits” of both access & launch and activation permissions and ensure the permissions are correct. My understanding is that the limits you specify here override everything else.
In my case none of the above helped as they were all identical between both servers and at the correct setting. What finally helped was this Serverfault post.
Being DMZ servers these were on a workgroup and the Solarwinds server was connecting via a local account. Turns out that:
That is a good link to refer to. It is about Remote UAC and WMI. The solution is to go to the following registry key –
Remote UAC. Ah! Am surprised I didn’t think of that in the beginning itself. If the
Hope this helps someone. :)
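As an added example (not the post’s own commands), here is the diagnostic sequence the post walks through, scripted: first check that the RPC endpoint mapper on TCP 135 is reachable, then run a real WMI query as the monitoring account, and on the target itself read the Remote UAC policy value. The host and account names are placeholders; Test-NetConnection assumes Windows 8/Server 2012 or later.

```powershell
# Probe remote WMI the way the post does by hand: ports first, then permissions.
function Test-RemoteWmiAccess {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [System.Management.Automation.PSCredential] $Credential   # local account on a workgroup host
    )
    $result = [ordered]@{ Computer = $ComputerName; RpcReachable = $false; WmiAccess = $false; Error = $null }

    # Step 1: is the RPC endpoint mapper (TCP 135) reachable at all?
    # If not, the problem is network/firewall, not permissions.
    $result.RpcReachable = Test-NetConnection -ComputerName $ComputerName -Port 135 -InformationLevel Quiet
    if (-not $result.RpcReachable) {
        $result.Error = 'TCP 135 unreachable'
        return [pscustomobject]$result
    }

    # Step 2: a real WMI query as the given account. "Access is denied" here
    # means permissions (DCOM/WMI namespace/Remote UAC), not ports.
    try {
        $params = @{ Class = 'Win32_OperatingSystem'; ComputerName = $ComputerName; ErrorAction = 'Stop' }
        if ($Credential) { $params.Credential = $Credential }
        $os = Get-WmiObject @params
        $result.WmiAccess = $true
        $result.LastBootUpTime = $os.ConvertToDateTime($os.LastBootUpTime)
    } catch {
        $result.Error = $_.Exception.Message
    }
    [pscustomobject]$result
}

# Run this ON the target. LocalAccountTokenFilterPolicy = 1 gives remote local
# accounts a full admin token; 0 or absent means Remote UAC filters the token,
# which is what the post found was blocking the monitoring account.
function Get-RemoteUacState {
    $path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $value = (Get-ItemProperty -Path $path -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
    [pscustomobject]@{
        LocalAccountTokenFilterPolicy = $value
        RemoteUacFiltering            = ($value -ne 1)
    }
}

# Usage (placeholders for the DMZ server and the monitoring account):
# $cred = Get-Credential 'dmzserver\monitor'
# Test-RemoteWmiAccess -ComputerName 'dmzserver' -Credential $cred
# ...and on dmzserver itself:  Get-RemoteUacState
```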
Trying to set up monitoring for some of our Windows DMZ servers via SolarWinds and came across a few interesting links. At the same time I noticed that my carefully organized bookmarks folders seem to be corrupt. Many folders are empty. This happened a few days ago too, but that time it was just one folder (well, one folder that I knew of, could be more who knows) and so I was able to view an older copy of my bookmarks via Xmarks and add the missing entries back.
But this time it’s a whole bunch of folders and the only option Xmarks has is to either export the older copy or overwrite your current copy with this older set. I don’t want the latter as that would mean losing all my newer bookmarks. Wish there was some way of merging the current and older copies! Anyhow, what’s happened has happened; I think I’ll stick to using this blog for bookmarks. I keep referring to this blog over my bookmarks anyway, so this is a sign to stop with the unnecessary filing.
To start off, this is a must read on WMI ports and how to allow firewall exceptions for WMI. Gist of the matter is that WMI uses dynamic ports via the RPC Portmapper. When the Solarwinds server (for example) wants to talk to WMI on a target server, it contacts the RPC Portmapper service on the target server on port 135 (which is the standard port for the Portmapper service) and gets a dynamic port to use for WMI. This port can be anywhere between 1024 – 65535.
The fix for this is to give the Portmapper service a specific set of ports to use. One method is to use the registry (see the previous link or this KB article). Add a key called
Although I haven’t tried it, I think a similar effect as the above can be achieved via Component Services (type
Another method is to use Group Policies.
Yet another method seems to be to get WMI to not use the RPC Portmapper for dynamic ports. By default WMI runs as a shared service, which is why it uses the RPC Portmapper. It is possible to make it run as a standalone service so it doesn’t use the Portmapper and instead defaults to port 24158. (This port number too can be changed via
These two links didn’t make much sense to me, but I know they are of use so linking them here as a reference to myself for later:
IP routing involves metrics. This is the cost of each route. If there are multiple routes to a destination then the route with lowest metric/ cost is chosen.
In the context of Windows OS there are two metrics that come into play.
One is the metric of the interface/ NIC itself (that’s the “Automatic metric” checkbox above). By default it’s set to automatic, and this determines the cost of using that interface itself. For example if both your wireless and wired connection can access the Internet, which one should the machine choose? The interface metric is used to make this decision. You can assign a value to this metric if you want to force a decision.
Each interface can have multiple gateways to various networks it knows of. Could be that it has more than one gateway to the same network – say, your wired connection can connect to the Internet from two different routers on your network, which one should it choose? Here’s where the gateway metric comes into play (circled in the screenshot above). By default when you add a gateway its metric is set to automatic, but here too you can assign a value.
So far so good. Now how does all this come into play together?
The first thing to know is that gateway metrics have a value of 256 by default (when set to “Automatic metric”). So if you have more than one gateway to a particular destination, and the metric is set to automatic, then by default both gateways have a metric value of 256 and hence equal preference. Remember that.
The next thing to know is that interface metrics have a value ranging from 5 to 50 (when set to “Automatic metric”) based on the speed of the interface. Lower numbers are better than higher numbers. See this KB article for the numbers, here’s a screenshot from that article.
So if you have two wired connections for instance, one of speed 1 GB and the other of speed 10 GB, then the 1 GB interface has a metric of 10 and the 10 GB interface has a metric of 5 – thus making the latter preferred.
To view the interface & gateway metrics assigned to your interfaces use the
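An added example, not from the post, that goes one step beyond it: Windows ranks routes by the sum of the interface metric and the gateway (route) metric, so the function below computes that effective metric for each default gateway, both from the live routing table (Get-NetRoute, Windows 8/Server 2012 or later) and from a constructed set of routes modelling the post’s 10 GB vs 1 GB scenario.

```powershell
# Effective metric = interface metric + route (gateway) metric; lowest wins.
function Get-EffectiveRoute {
    param([Parameter(Mandatory)] [object[]] $Routes)
    $Routes |
        Select-Object InterfaceAlias, NextHop, InterfaceMetric, RouteMetric,
            @{ n = 'EffectiveMetric'; e = { $_.InterfaceMetric + $_.RouteMetric } } |
        Sort-Object EffectiveMetric
}

# Live view: every IPv4 default gateway on this machine, best first.
function Get-DefaultGatewayRanking {
    $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4
    Get-EffectiveRoute -Routes $routes
}

# Constructed sample (not real output): a 10 GbE NIC with automatic interface
# metric 5 and a 1 GbE NIC with metric 10, each with a gateway left at the
# automatic gateway metric of 256, plus a second gateway on the 1 GbE NIC whose
# metric an admin set explicitly to 1.
$sample = @(
    [pscustomobject]@{ InterfaceAlias = 'Ethernet 10G'; NextHop = '10.0.0.1'; InterfaceMetric = 5;  RouteMetric = 256 }
    [pscustomobject]@{ InterfaceAlias = 'Ethernet 1G';  NextHop = '10.0.0.2'; InterfaceMetric = 10; RouteMetric = 256 }
    [pscustomobject]@{ InterfaceAlias = 'Ethernet 1G';  NextHop = '10.0.0.3'; InterfaceMetric = 10; RouteMetric = 1   }
)
Get-EffectiveRoute -Routes $sample | Format-Table -AutoSize
```

With both gateway metrics left automatic the faster NIC wins on interface metric alone (5 + 256 against 10 + 256); the explicit gateway metric of 1 on the slower NIC overrides that, which is the lever the post describes.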
Yes, just copy paste from other places so I can quickly refer to this post later than all those other posts. I don’t know much about .NET but had to read a bit about it today, so figured I might as well put some snippets here.
.NET Framework has two components:
The CLR is like the foundation/ core of the .NET Framework. It “manages memory, thread execution, code execution, code safety verification, compilation, and other system services. These features are intrinsic to the managed code that runs on the common language runtime. Code that targets the runtime is known as managed code, while code that does not target the runtime is known as unmanaged code. The managed environment of the runtime eliminates many common software issues. For example, the runtime automatically handles object layout and manages references to objects, releasing them when they are no longer being used. This automatic memory management resolves the two most common application errors, memory leaks and invalid memory references. The runtime also accelerates developer productivity. For example, programmers can write applications in their development language of choice, yet take full advantage of the runtime, the class library, and components written in other languages by other developers. Any compiler vendor who chooses to target the runtime can do so. Language compilers that target the .NET Framework make the features of the .NET Framework available to existing code written in that language, greatly easing the migration process for existing applications.” (source)
The .NET Framework Class Library is “a collection of reusable types that tightly integrate with the common language runtime. The class library is object oriented, providing types from which your own managed code can derive functionality. For example, the .NET Framework collection classes implement a set of interfaces that you can use to develop your own collection classes. Your collection classes will blend seamlessly with the classes in the .NET Framework.” (source)
“Each version of the .NET Framework contains the common language runtime (CLR), the base class libraries, and other managed libraries. Each new version of the .NET Framework retains features from the previous versions and adds new features. The CLR is identified by its own version number. The .NET Framework version number is incremented at each release, although the CLR version is not always incremented. For example, the .NET Framework 4, 4.5, and later releases include CLR 4, but the .NET Framework 2.0, 3.0, and 3.5 include CLR 2.0. (There was no version 3 of the CLR.)” (source)
“In general, you should not uninstall any versions of the .NET Framework that are installed on your computer, because an application you use may depend on a specific version and may break if that version is removed. You can load multiple versions of the .NET Framework on a single computer at the same time. This means that you can install the .NET Framework without having to uninstall previous versions.” (source)
“The .NET Framework 4.5 is an in-place update that replaces the .NET Framework 4 on your computer, and similarly, the .NET Framework 4.5.1, 4.5.2, 4.6, 4.6.1, and 4.6.2 are in-place updates to the .NET Framework 4.5, which means that they use the same runtime version, but the assembly versions are updated and include new types and members. After you install one of these updates, your .NET Framework 4, .NET Framework 4.5, or .NET Framework 4.6 apps should continue to run without requiring recompilation. However, the reverse is not true. We do not recommend running apps that target a later version of the .NET Framework on an earlier version of the .NET Framework. For example, we do not recommend that you run an app that targets the .NET Framework 4.6 on the .NET Framework 4.5.” (source)
How to determine which .NET Framework versions are installed – see here. Basically, check the
If you have .NET 4.5 and above installed there will be an additional key
In the screenshot above
Lastly, what is the .NET Multi-Targeting Pack? It was to learn more about it that I started reading about .NET today. Found this post about it but it mostly went over my head. :) Best I could understand is that it is used as part of compiling programs and installed as part of Visual Studio so doesn’t matter much from a Sys Admin point of view.
Was brushing up about DFS referrals today as I had a doubt about something at work. Thought I’d put a shout out to this interesting link that I came across.
A DFS namespace (e.g.
Apart from these three possibilities, there’s also a fail back (which is hidden behind the drop down in the screen shot above).
So if a server has no targets to offer a client, it will fail back to whatever targets are set as preferred for a link. I’ll show what preferred targets are in a bit.
The above settings can be defined on the namespace itself or on each DFS link.
Now on to preferred targets. If you go to the
By default there are no preferred targets.
The cool thing I learnt from that post is that if the referral order is set to in-site (i.e. exclude targets from outside the client site) and fail back to preferred targets is enabled (the default) and a target outside the site is set as preferred, then it too will be returned in the list of targets along with the ones in site. This way you can limit referrals to be in-site but have a few selected targets out of site as a fail-back.
One thing to keep in mind though is that since you want the out of site target to be set to lower priority than the in-site one, you must specify its priority as “Last among all targets”. Because if it were set as “First among all targets” then it will take precedence over the in-site target too – which is not what we want. Lastly, there’s no point setting the priority to “First among targets of equal cost” (or “Last”) in the case of in-site referrals as it will have no effect (because the cost of the in-site target and the external targets are different so it doesn’t apply).
I had to set folder & file permissions (basically, take ownership and enable inheritance) for a bunch of Windows folders the other day. Thing is the folders had levels and levels of sub-folders so Windows Explorer kept failing when applying permissions. I tried to use
One workaround I had in mind was use
Anyhoo, long story short, I came across this Server Fault thread from where I learnt the following –
See this MSDN page too.
So what I needed was a tool that made use of the Unicode versions of the Windows API functions. A quick Google search bought me to SetACL – an amazing command-line tool that is able to set ACLs without the path limitations and that also has a nice syntax (I don’t know why, but
The only gotcha I encountered was that I got the following error message after a while with the above command:
Thankfully a forum post from the SetACL forums sorted that out for me. Trick is to do the take ownership first, and then the permission inheritance – apparently doing both together causes the above error.
So I did this first:
Followed by this:
SetACL is free but command-line oriented. If you want a GUI version there’s SetACL Studio. That’s a paid product with a 30-day trial. I haven’t tried it yet. There is a SetACL t-shirt I might buy coz I was quite pleased with this tool yesterday. :)
To get a list of OUs and the status of GPO inheritance:
To get a list of OUs that have GPO inheritance blocked:
To get a list of OUs that have GPO inheritance blocked and don’t have a particular GPO applied to them directly:
There’s probably a better way to do this, but this is the best I could come up with …
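An added example (not the post’s own commands) covering the three queries above with the ActiveDirectory and GroupPolicy RSAT modules. The third one matters for security baselines: an OU that blocks inheritance silently drops every policy linked above it, so a GPO meant to reach all machines has to be linked there directly, and this finds the OUs where it is not. The GPO name is a placeholder.

```powershell
Import-Module ActiveDirectory
Import-Module GroupPolicy

# 1. Every OU with its inheritance status and the GPOs linked directly to it.
function Get-OuInheritanceReport {
    Get-ADOrganizationalUnit -Filter * | ForEach-Object {
        $inh = Get-GPInheritance -Target $_.DistinguishedName
        [pscustomobject]@{
            OU                 = $_.DistinguishedName
            InheritanceBlocked = $inh.GpoInheritanceBlocked
            DirectLinks        = ($inh.GpoLinks | ForEach-Object DisplayName) -join '; '
        }
    }
}

# 2. Only the OUs where inheritance is blocked.
function Get-OuWithBlockedInheritance {
    Get-OuInheritanceReport | Where-Object InheritanceBlocked
}

# 3. Blocked OUs that do NOT have the named GPO linked directly (the gaps).
function Get-BlockedOuMissingGpo {
    param([Parameter(Mandatory)] [string] $GpoName)
    Get-ADOrganizationalUnit -Filter * | ForEach-Object {
        $inh = Get-GPInheritance -Target $_.DistinguishedName
        if ($inh.GpoInheritanceBlocked -and -not ($inh.GpoLinks.DisplayName -contains $GpoName)) {
            $_.DistinguishedName
        }
    }
}

Get-BlockedOuMissingGpo -GpoName 'Baseline Security Policy'   # placeholder GPO name
```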
I need to enable/ disable the Windows Firewall on a Server 2008R2 core box but didn’t know what the Windows Firewall service name was for use with the
Also, as a reminder to myself the
But the following won’t –
Here’s what happens when you do a
In my case the Windows Remote Management (WS-Management) service was already running, so its startup type was merely changed to “Automatic (Delayed)”, but if it wasn’t already running then it would have been started too.
So what all happens here?
Thus, to undo the effect of
1. Disabling the service
Either go via the Services MMC console and (1) stop the service and (2) change its type to disabled; or use PowerShell (running as administrator of course):
2. Delete the listener
You can see the listener thus:
And delete it thus:
The command has no output, so enumerate the listeners again if you want to confirm.
3. Delete the firewall exceptions
Either go via the GUI and disable the highlighted rule:
Or use PowerShell:
4. Disable Remote UAC
Either open the Registry Editor and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, then set the value of LocalAccountTokenFilterPolicy to 0 (zero).
Or via PowerShell:
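As an added example (not the post’s own script), the four undo steps above combined into one function. The order differs from the numbering: the listeners are removed while the WinRM service is still running, because the WSMan: drive cannot enumerate them once the service is stopped. Assumes Windows 8/Server 2012 or later for the NetSecurity cmdlets; run elevated, and use -WhatIf first to see what would change.

```powershell
function Undo-WinRmQuickConfig {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Step 2 first: remove every WS-Management listener (quickconfig created an HTTP one).
    Get-ChildItem -Path WSMan:\localhost\Listener | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.Name, 'Remove WinRM listener')) {
            Remove-Item -Path $_.PSPath -Recurse
        }
    }

    # Step 3: disable the firewall rules quickconfig enabled (the WinRM rule group).
    Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.DisplayName, 'Disable firewall rule')) {
            Disable-NetFirewallRule -Name $_.Name
        }
    }

    # Step 4: set the Remote UAC policy value back to 0, as the post describes.
    $regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    if ($PSCmdlet.ShouldProcess('LocalAccountTokenFilterPolicy', 'Set to 0')) {
        Set-ItemProperty -Path $regPath -Name LocalAccountTokenFilterPolicy -Value 0 -Type DWord
    }

    # Step 1 last: stop the service and set its startup type to Disabled.
    if ($PSCmdlet.ShouldProcess('WinRM service', 'Stop and disable')) {
        Stop-Service -Name WinRM -Force
        Set-Service -Name WinRM -StartupType Disabled
    }
}

Undo-WinRmQuickConfig -WhatIf    # dry run; drop -WhatIf to apply
```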
My laptop’s running Windows 10, desktop’s running Windows 8.1. Since both have client Hyper-V I thought it would be cool to install Hyper-V manager on the laptop and use it to manage Hyper-V running on the desktop. Did that and came across the following error –
DOGBERT is the Windows 8.1 desktop. The error is from my Windows 10 laptop.
First I followed the steps in this blog post. Actually, I didn’t have to do much as the account I was using on the desktop was already in the local Administrators group and so I didn’t have to do anything in terms of COM (step 3) & WMI (step 4) permissions. But I did enable the firewall rules for the
Additionally, I noticed that the
Then I had to enable the
Probably a good idea to see what your existing trusted hosts are before you run this command (so you can append to the list instead of removing existing entries). You can do that thus:
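As an added example (not the post’s command), a small function that reads the current TrustedHosts list and appends one host to it rather than replacing the list. DOGBERT is the desktop name from the post.

```powershell
# Append a host to the WinRM client's TrustedHosts without losing existing entries.
function Add-TrustedHost {
    param([Parameter(Mandatory)] [string] $HostName)
    $current = (Get-Item -Path WSMan:\localhost\Client\TrustedHosts).Value
    $entries = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($entries -contains '*')       { return $entries }   # wildcard already trusts everything
    if ($entries -contains $HostName) { return $entries }   # already present, nothing to do
    $entries += $HostName
    # -Force skips the confirmation prompt. (Set-Item also has a -Concatenate switch that appends.)
    Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value ($entries -join ',') -Force
    $entries
}

Add-TrustedHost -HostName 'DOGBERT'
```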
After this Hyper-V manager from the laptop was able to connect to the desktop, but in the Virtual Machines section I had the following error:
The solution for that (thanks to this blog post) is to open “Component Services” on the laptop. Alternatively open a run window/ command prompt and type
In the windows that opens expand to
That’s it! After this Hyper-V on my laptop was able to talk to the desktop.
Just some notes to myself so I am clear about it while reading about it. In the context of this VMware KB article – Microsoft NLB not working properly in Unicast mode.
Before I get to the article I better talk about a regular scenario. Say you have a switch and it’s got a couple of devices connected to it. A switch is a layer 2 device – meaning, it has no knowledge of IP addresses and networks etc. All devices connected to a switch are in the same network. The devices on a switch use MAC addresses to communicate with each other. Yes, the devices have IPv4 (or IPv6) addresses but how they communicate to each other is via MAC addresses.
Say Server A (IPv4 address 10.136.21.12) wants to communicate with Server B (IPv4 address 10.136.21.22). Both are connected to the same switch, hence on the same LAN. Communication between them happens in layer 2. Here the machines identify each other via MAC addresses, so first Server A checks whether it knows the MAC address of Server B. If it knows (usually coz Server A has communicated with Server B recently and the MAC address is cached in its ARP table) then there’s nothing to do; but if it does not, then Server A finds the MAC address via something called ARP (Address Resolution Protocol). The way this works is that Server A broadcasts to the whole network that it wants the MAC address of the machine with IPv4 address 10.136.21.22 (the address of Server B). This message goes to the switch, the switch sends it to all the devices connected to it, Server B replies with its MAC address and that is sent to Server A. The two now communicate – I’ll come to that in a moment.
When it’s communication from devices in a different network to Server A or Server B, the idea is similar except that you have a router connected to the switch. The router receives traffic for a device on this network – it knows the IPv4 address – so it finds the MAC address similar to above and passes it to that device. Simple.
Now, how does the switch know which port a particular device is connected to? Say the switch gets traffic addressed to MAC address 00:eb:24:b2:05:ac – how does the switch know which port that is on? Here’s how that happens –
Now let’s talk about NLB (Network Load Balancing).
Consider two machines – 10.136.21.11 with MAC address 00:eb:24:b2:05:ac and 10.136.21.12 with MAC address 00:eb:24:b2:05:ad. NLB is a form of load balancing wherein you create a Virtual IP (VIP) such as 10.136.21.10 such that any traffic to 10.136.21.10 is sent to either of 10.136.21.11 or 10.136.21.12. Thus you have the traffic being load balanced between the two machines; and not only that if any one of the machines go down, nothing is affected because the other machine can continue handling the traffic.
But now we have a problem. If we want a VIP 10.136.21.10 that should send traffic to either host, how will this work when it comes to MAC addresses? That depends on the type of NLB. There’s two sorts – Unicast and Multicast.
In Unicast mode the NIC that is used for clustering on each server has its MAC address changed to a new Unicast MAC address that’s the same for all hosts. Thus for example, the NICs that hold the NLB IP address 10.136.21.10 in the scenario above will have their MAC addresses changed from 00:eb:24:b2:05:ac and 00:eb:24:b2:05:ad respectively to (say) 00:eb:24:b2:05:af. Note that this is a Unicast MAC (which basically means the MAC address looks like a regular MAC address, such as one assigned to a single machine). Since a Unicast MAC address by definition can only be assigned to one machine/ switch port, the NLB driver on each machine cheats a bit and changes the source MAC address to whatever the original NIC MAC address was. That is to say –
Why does this happen? This is because –
In the context of VMware what this means is that (a) the port group to which the NLB NICs connect must allow MAC address changes and forged transmits; and (b) by default the port group notifies the physical switch of a VM’s MAC address when the VM is powered on, and since that would expose the cluster MAC address to the switch, this notification too must be disabled. Without these changes NLB will not work in Unicast mode with VMware.
(This is a good post to read more about NLB).
Apart from Unicast NLB there’s also Multicast NLB. In this form the NLB NIC’s MAC address is not changed. Instead, a new Multicast MAC address is assigned to the NLB NIC. This is in addition to the regular MAC address of the NIC. The advantage of this method is that since each host retains its existing MAC address the communication between hosts is unaffected. However, since the new MAC address is a Multicast MAC address – and switches by default are set to ignore such addresses – some changes need to be made on the switch side to get Multicast NLB working.
One thing to keep in mind is that it’s important to add a default gateway address to your NLB NIC. At work, for instance, the NLB IPv4 address was reachable within the network but from across networks it wasn’t. Turns out that’s coz Windows 2008 onwards have a strong host behavior – traffic coming in via one NIC does not go out via a different NIC, even if both are in the same subnet and the second NIC has a default gateway set. In our case I added the same default gateway to the NLB NIC too and it was then reachable across networks.
Consider the following multiple A records for a DNS record proxy.mydomain.com:
These records are defined on a DNS server. When a client queries the DNS server for the address to proxy.mydomain.com, the DNS server returns all the addresses above. However, the order of answers returned keeps varying. The first client asking for answers could get them in the following order for instance:
The second client could get them in the following order:
The third client could get:
This is called round-robin. Basically it rotates between the various IP addresses. All IP addresses are offered as answers, but the order is rotated so that as long as clients choose the first answer in the list every client chooses a different IP address.
Notice I said clients choose the first answer in the list. This needn’t always be the case though. When I said clients above, I meant the client computer that is querying the DNS server for an answer. But that’s not really who’s querying the server. Instead, an application on the client (e.g. Chrome, Internet Explorer) or the client OS itself is the one looking for an answer. These ask the DNS resolver which is usually a part of the OS for an answer, and it’s the resolver that actually queries the server and gets the list of answers above.
The DNS resolver can then return the list as it is to the requesting application, or it can apply a re-ordering of its own. For instance, if the client is from the 192.168.10.0 network, the resolver may re-order the answers such that the 192.168.10.5 answer is always first. This is called Subnet prioritization. Basically, the resolver prioritizes answers that are from the same subnet as the client. The idea being that client applications would prefer reaching out to a server in their same subnet (it’s closer to them, no need to go over the WAN link for instance) than one on a different subnet.
Subnet prioritization can be disabled on the resolver side by adding a registry key
Subnet prioritization can also be set on the server side so it orders the responses based on the client network. This is controlled by the registry key
By default the server also does round-robin for the results it returns. This can be turned off via the DNS Management tool (under server properties > advanced tab). If round-robin is off the server returns records in the order they were added.
More on subnet prioritization at this link.
That’s not the end though. :)
Consider a server who has round-robin and subnet prioritization enabled. Now consider the DNS records from above:
The first and last records are from class C networks. The other three are from class A networks. In reality though, thanks to CIDR, these are all /24 (class C sized) networks.
Now say there’s a client with IP address 10.136.50.2/24 asking the server for answers. On the face of it the client network does not match any of the answer record networks so the server will simply return answers as per round-robin, without any re-ordering. But in reality though the client 10.136.50.2/24 is in the same network as 10.136.52.5/24 and both are part of a larger 10.136.48.0/20 network that’s simply been broken into multiple /24 networks (to denote clients, servers, etc). What can we do so the server correctly identifies the proxy record for this client?
This is where the
A netmask can be written as xxx.xxx.xxx.xxx – four octets. The
For example: you want a /8 netmask. That is 255.0.0.0. Subtracting this from 255.255.255.255 leaves you with 0.255.255.255. What’s that in hex? 00ffffff. So
So in the example above I want a /20 netmask. That is, I am telling the server to assume the clients and the record IPs it has to be in a /20 network, so subnet prioritize accordingly. A /20 netmask is 255.255.240.0. Subtract from 255.255.255.255 to get 0.0.15.255. Which in hex is 00000fff (15 decimal is F hex). So all I have to do is put this value as
Update: Some more links as I did some more reading on this topic later.
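An added example, not code from the post. It does two things: generalizes the LocalNetPriorityNetMask arithmetic above to any prefix length, and simulates how a server doing subnet prioritization re-orders the answers for a given client. The record set is constructed: 192.168.10.5 and 10.136.52.5 are from the post, the other three are made up to fit its description (first and last in a 192.168.x network, three in 10.x).

```powershell
# 255.255.255.255 minus the netmask leaves exactly the host bits; emit them as 8 hex digits.
function Get-LocalNetPriorityNetMask {
    param([Parameter(Mandatory)] [ValidateRange(0, 32)] [int] $PrefixLength)
    $hostBits = (1L -shl (32 - $PrefixLength)) - 1
    '{0:x8}' -f $hostBits
}

# Dotted IPv4 string -> 32-bit number (kept as [long] so bitwise ops stay unsigned).
function ConvertTo-IpNumber {
    param([Parameter(Mandatory)] [string] $Ip)
    $bytes = ([ipaddress]$Ip).GetAddressBytes()   # network (big-endian) order
    [array]::Reverse($bytes)
    [long][BitConverter]::ToUInt32($bytes, 0)
}

# Model of server-side subnet prioritization: answers whose network (under the
# given prefix length) matches the client's come first, the rest keep their order.
function Get-PrioritizedAnswers {
    param(
        [Parameter(Mandatory)] [string]   $ClientIp,
        [Parameter(Mandatory)] [string[]] $Records,
        [int] $PrefixLength = 24                     # the default; /20 models the post's setting
    )
    $hostBits  = (1L -shl (32 - $PrefixLength)) - 1
    $mask      = ((1L -shl 32) - 1) -bxor $hostBits
    $clientNet = (ConvertTo-IpNumber $ClientIp) -band $mask
    $local  = @($Records | Where-Object { ((ConvertTo-IpNumber $_) -band $mask) -eq $clientNet })
    $remote = @($Records | Where-Object { ((ConvertTo-IpNumber $_) -band $mask) -ne $clientNet })
    $local + $remote
}

# Constructed records (see lead-in) and the post's client, 10.136.50.2.
$records = '192.168.10.5', '10.136.20.5', '10.136.52.5', '10.200.1.5', '192.168.20.5'
Get-LocalNetPriorityNetMask -PrefixLength 20
Get-PrioritizedAnswers -ClientIp '10.136.50.2' -Records $records                   # server at its /24 default
Get-PrioritizedAnswers -ClientIp '10.136.50.2' -Records $records -PrefixLength 20  # with the post's /20 mask
```

Get-LocalNetPriorityNetMask reproduces the post’s hand calculation (00ffffff for /8, 00000fff for /20); under /24 no record shares the client’s network so nothing moves, while under /20 10.136.52.5 is promoted to the front.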
Had an interesting problem at work yesterday about which I wish I could write a long and interesting blog post, but truthfully it was such a simple thing once I identified the cause.
We use AppV for streaming applications. We have many branch offices so there’s a DFS share which points to targets in each office. AppV installations in each office point to this DFS share and thanks to the magic of DFS referrals correctly pick up the local Content folder. From the day before, however, one of our offices started getting errors with AppV apps (same as in this post), and when I checked the AppV server I found errors similar to this in the Event Logs:
The DFS share seemed to be working OK. I could open it via File Explorer and its contents seemed correct. I checked the number of files and the size of the share and they matched across offices. If I pointed the DFS share to use a different target (open the share in File Explorer, right click, Properties, go to the DFS tab and select a different location target) AppV works. So the problem definitely looked like something to do with the local target, but what was wrong?
I tried forcing a replication. And checked permissions and used tools like
I also used robocopy to compare the local target and another one and saw that they were identical.
Bummer. Looked like a dead end and I left it for a while.
Later, while sitting through a boring conference call I had a brainwave that maybe the AppV service runs in a different user context and that may not be seeing the DFS share? As in, maybe the error message above is literally what is happening. AppV is really seeing an empty content root and it’s not a case of a corrupt content root or just some missing files?
So I checked the AppV service and saw that it runs as
Awesome! Now we are getting somewhere.
I fired up the Local Security Policy console on the server hosting the DFS target (it’s under the Administrative Tools folder, or just type
Sure enough this was limited to a set of computers which didn’t include the AppV server. When I compared this with our DFS servers I saw that they were still on the default values (which includes “Everyone” as in the screenshot above) and that’s why those targets worked.
To dig further I used
Turns out the server was added to the group by error two days ago. Removed the server from this group, waited a while for the change across the domain, did a
Moral of the story: if one of your services is unable to access a shared folder, check what user account the service runs as.
Non domain joined computers (including servers) use SNTP.
Any Windows machine can be set up to sync time in one of four ways: (1) no syncing! (2) sync from specified NTP servers (3) sync via domain hierarchy (i.e. members sync from a DC in the domain; DCs sync from PDC of the parent domain/ forest root domain) (4) use either of the above (i.e. NTP and domain hierarchy). Default mechanism on domain joined computers is domain hierarchy (the setting is called
For machines that are off and on the domain – e.g. laptops – it is better to set their time sync mechanism as any. They needn’t always have contact with the DC to sync time.
When specifying NTP time servers you also specify flags. Check this post for an explanation of the flags. There are four possible flags: 0x01
p.s. To turn on w32tm debugging check out this link.
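An added example (not from the post) of the laptop case above: configure a machine to sync from both the domain hierarchy and a manual NTP peer (“ALL”), then read back the Type and NtpServer values from the W32Time registry key. The peer name is a placeholder; the flag value 0x9 combines 0x8 (client mode) and 0x1 (use SpecialPollInterval).

```powershell
# Reads the time-sync configuration straight from the registry plus the live source.
function Get-TimeSyncConfig {
    $p = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    $v = Get-ItemProperty -Path $p
    [pscustomobject]@{
        Type      = $v.Type          # NoSync | NTP | NT5DS (domain hierarchy) | AllSync
        NtpServer = $v.NtpServer     # "host,0xflags" pairs separated by spaces
        Source    = (& w32tm.exe /query /source)
    }
}

# Sets sync mode to ALL with one manual peer, forces a resync, returns the new config.
function Set-TimeSyncAll {
    param(
        [Parameter(Mandatory)] [string] $NtpServer,   # placeholder, e.g. an internal NTP host
        [int] $Flags = 0x9
    )
    $peer = '{0},0x{1:x}' -f $NtpServer, $Flags
    & w32tm.exe /config /syncfromflags:ALL /manualpeerlist:"$peer" /update | Out-Null
    & w32tm.exe /resync /nowait | Out-Null
    Get-TimeSyncConfig
}

Set-TimeSyncAll -NtpServer 'ntp.example.internal'   # placeholder peer
```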