Monthly Archives: March 2014

How-To Deploy Adobe Reader with GPO

Download, Customize, and Deployment method of Adobe Reader 11

1.

Preparations

Download the latest EXE package from:
http://www.adobe.com/products/reader/distribution.html
(Apply to distribute Reader – Fill fields – Accept and Submit)
You will find download link in the email.

Download and Install “Adobe Customisation Wizard XI”
http://www.adobe.com/support/downloads/detail.jsp?ftpID=5515

2.

Administrative Install Point

Run the following commands to extract the EXE file:
c:\AdbeRdr11004_en_US.exe -nos_ne -nos_o”C:\Extract”
(update filename to latest version)

msiexec /a C:\Extract\AcroRead.msi
(When the install dialogues prompt for a location, install to ‘C:\Install’)

msiexec /a C:\Install\AcroRead.msi /p C:\Extract\AdbeRdrUpd11004.msp
(When the install dialogues prompt for a location, install to ‘C:\Install’)

Copy ‘setup.ini’ from ‘C:\Extract’ to C:\Install’

3.

Customisation

Open “Adobe Customisation Wizard XI”
File – Open Package (C:\Install\AcroRead.msi)

Personalization tab:
EULA display – Suppress

Installation tab:
Installation – Silently (no interface), Reboot – Suppress

Online tab:
Disable: Updates, Help > Purchase, Help > Digital – Product Improvement, All Adobe online

Click File – Save Package

4.

GPO Deployment

Copy folder “C:\Install” to “\\%UserDomain%\NETLOGON\AcroRead”

Open “Group Policy Management MMC”
Open OU of testing computers – Right-Click and “Create GPO and Link it here”
(no need to upgrade existing package – installer will remove old version anyway)

Name it according to the version – “Deploy_AcroRead_11.0.04”
Edit GPO – Expand “Computer Configuration – Policies – Software Settings”

Right click “Software Installations” and select ‘New – Package’
Browse to “\\%UserDomain%\NETLOGON\AcroRead” and select the MSI

Select deployment method: Advanced
Under “Modifications” tab, press “Add” and select the MST file.
Press OK to save the installation package.

Side-note:
Right-Click the GPO and set “GPO Status” to “User Configuration Settings Disabled” (speed-up startup)

5.

Testing

Assign GPO to Test OU, Run “gpupdate /force” – restart on prompt

If install went OK, assign the GPO to Production OUs.

How-To Deploy Adobe Flash with GPO

Download, Customize, and Deployment method of Adobe Flash 12

1.

Preparations

Download the latest MSI from:
http://www.adobe.com/products/players/flash-player-distribution.html
(Apply to distribute Flash Player – Fill fields – Accept and Submit)
You will find download link in the email.

Download ORCA (MSI Editor)
http://www.technipages.com/wp-content/uploads/2007/11/orca.Msi

2.

Customize MSI

Open the MSI file in ORCA editor
Open Table “Property”
Change ISCHECKFORPRODUCTUPDATES from 1 to 0
Change RebootYesNo from Yes to No
Save and Close

3.

GPO Deployment

Copy MSI to “\\%UserDomain%\NETLOGON\Flash12”
Open Group Policy Management console

Create new GPO “Deploy_Flash12.X”
Expand “Computer Configuration – Policies – Software Settings”
Right click “Software Installations” and select ‘New – Package’
Browse to “\\%UserDomain%\NETLOGON\Flash12” and select the new MSI
Select deployment method: Assigned – Click OK

4.

Testing and Assigning

Assign GPO “Deploy_Flash12.X” to Test OU
Run “gpupdate /force” – restart on prompt

If install went OK, assign the GPO to Production OUs.

Download: ORCA MSI Editor

Orca MSI Editor allows you to edit the properties of any MSI file. With this tool, you can change the title and text within the installer an look at how and where the files are delivered.

Download the Orca MSI then install it. Once installed you can right-click any MSI and select “Open with Orca”.

This tool used to be a part of Microsoft Developer Tools but is now retired and no longer supported by the company. Use it at your own risk. If you’re going to link to the file from your website, please link to this page and not the file directly, otherwise I’ll have to remove it.

Sysprep on windows 2003 r2 sp 2

This is only a note to remind me how to sysprep a windows server 2003.

To sysprep a windows 2003 R2 image, follow the below action :

  • Insert CD1
  • go to  Support\Tools\Deploy.cab
  • select everything and extract them to c:\sysprep ( a folder that you have created it)
  • Double click sysprep.exe.

041613_0450_syspreponwi1

  • Keep the default settings (Options un-selected, shutdown mode: shutdown)
  • click on Reseal

041613_0450_syspreponwi2

  • And press Ok

041613_0450_syspreponwi3

Set the default Organisational Unit for new computers in Windows Server

Once you have your domain and group policies set up, it can become frustrating to constantly have to remember to move a new computer into the correct OU.

Luckily in Windows 2003 Server and above, you can set a default OU:

  1. <code>redircmp ou=ComputersOU,dc=mydomain,dc=com</code>

Remember to replace the path with your own domain’s OU path. Also, your domain has to be running in at least Windows Server 2003 native mode – otherwise you will receive an error:

Error, unable to modify the wellKnownObjects attribute. Verify that the domain functional level of the domain is at least Windows Server 2003:
Unwilling To Perform
Redirection was NOT successful.

To change this:

  • On the server go to Administrative Tools > Active Directory Domains and Trusts.
  • Right-click on your domain name, and click on Raise Domain Functional Level.
  • Set the domain level to at least 2003

Now you should be ready to go!

Sysprep your Windows OS for more than 3 times

If you attempt to sysprep a machine for acquisition of an Image and the machine crashes during the sysprep process it is likely that the image has been sysprepped more than 3 times.

Symptoms of this issue

run sysprep.exe with /generalize /oobe switches and the process is running for few seconds when then the sysprep window disappears. Opening the sysprep log file under \sysprep\Panther the logfile contains this line:

Date Time, Error [0x0f0073] SYSPRPRunExternalDlls:Not running DLLs; either the machine is in an invalid state orwe couldn’t update the recorded state, dwRet = 31

This error indicates that the image has been syspreped more than 3 times

First check if you can re-arm by running:

slmgr.vbs /dlv

and check the re-arm counter. if it set to zero you need to do the following: http://support.microsoft.com/kb/929828 (set the <SkipRearm>1</SkipRearm> like in the example, note: this option will make the product key window to appear in the setup process).
You can also try running : slmgr.vbs -rearm, to rearm Windows.

Reset the sysprep count to zero

1 – Change few keys in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\Setup\Status\SysprepStatus\GeneralizationState\CleanupState:2

HKEY_LOCAL_MACHINE\SYSTEM\Setup\Status\SysprepStatus\GeneralizationState\GeneralizationState:7

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\SkipRearm:1

2 – Reset MSDTC

Start -> Run : msdtc -uninstall (wait few seconds)

Start -> Run : msdtc -install (wait few seconds)

3 – Restart the machine
4 – You can now run:

sysprep.exe /generalize /oobe

 

VNC Deployment via Group Policy

I have had a few people ask how to deploy VNC via group policy. If you have a large network where you want to install VNC on a large amount of computers this would be an ideal solution.

For this guide i used TightVNC – the website is here: tightvnc.com

I decide to go for TightVNC becuase

  • Easy to use
  • Free
  • Ability to hide the icon in the system tray
  • Built in access control options
  • Very lightweight
  • Ability for the end user to approve connections
  • Fully compatible with Windows 7

I have tested this on the following systems

  • Windows XP x32
  • Windows 7 x32
  • Windows 7 x64
  • Windows 8 x32
  • Windows 8 x64
  • Windows 8.1 x32
  • Windows 8.1 x64
  • Windows Server 2008 R2

With the below guide, anything in red are paths you need to change to make it suitable for deployment in your network.
Once this script has installed VNC it is designed to automatically quit when you run it again.

Creating the installer files

  1. Create a network share on a server to store the script and installers. You will need to give the group “Domain Computers” the right to read and execute.
  2. Download TightVNC v2.0.2 and save it in the above share and install onto 1 computer.
  3. On the computer you installed TightVNC, configure to how you like it (eg set a password). Click Here for Documentation & Click Here for FAQ
  4. Once configured go to regedit and export the following folder. “HKEY_LOCAL_MACHINE\Software\TightVNC” & save it in the above share. To export right click the TightVNC folder and press export.
  5. Open NotePad and copy the below code. Please change the red areas to the path of your network share. The script will remove the VNC stuff from the program files to stop users from playing. If you do not want to do this remove the last line of the code.
    Code:
    if exist "C:\Program Files (x86)\TightVNC" goto :eof ELSE
    if exist "C:\Program Files\TightVNC" goto :eof ELSE
    "c:\vnc\tightvnc-2.0.2-setup.exe" /S
    regedit /S "c:\vnc\tightvnc.reg"
    net stop "TightVNC Server"
    net start "TightVNC Server"
    rmdir /s /q "C:\Documents and Settings\All Users\Start Menu\Programs\TightVNC\"
  6. Save the file in your shared folder. You need to save it as a .bat file. For example mine is called installvnc.bat

Adding to a group policy

  1. Open up an appropriate group policy that applied to your computers or create a new one.
  2. Navigate to: Computer Configuration > Policies > Windows Settings > Scripts > Startup
  3. Press add, then browse and find the .bat file we created before in the shared folder. Then press ok & ok again.
  4. Make sure the following group policy is enabled. Computer Configuration > Policies > Administrative Templates > System > Logon > Always wait for the network at computer startup & Logon

When your computer startup it should install VNC and be configured.

Enjoy!

Find Computer Name User is Logged Onto

To automatically log users that login to domain based computers:

  • Create a Share on a Server and give right NTFS and Share permissions
  • Create a Batch file in which you put this script: echo user: %username% computer: %computername% date: %date% >> \\Server\Share\info.txt
  • Use group policies to apply this Batch file as a logon script

At the end you will get in the text file info.txt:

  • The user name
  • The used computer
  • The date of logon

For instant discovery of what PC a user has logged into:

Right click My Computer – Click Manage – Expand Shared Folders – Click Sessions

This will provide the username and the IP of the PC they are logged into

You can then go to DHCP under Administrative Tools and view the leases to see the PC name

View from within Server 2008 R2:

425842

Windows Server – How to Re-Register an Active Directory Domain Controller DNS Records

An Active Directory domain controller (DC) registers quite a few resource records of different types in DNS. When troubleshooting a network, DNS, or Active Directory issue, it is sometimes necessary to manually re-register these records. This can be accomplished by following a few simple steps:

  1. Open an elevated command prompt.
  2. Type ipconfig /all and verify that the correct DNS servers are listed. A domain controller, like any other domain-joined machine, should use only DNS servers that are inside the domain.
    1376433217313.ipconfig-all
  3. Type ipconfig /flushdns to clear the DC’s resolver cache.
    1376433329486.flushdns
  4. Type ipconfig /registerdns to register the DC’s host and PTR records.
    1376433389628.registerdns
  5. To register the DC’s SRV records, type net stop netlogon and net start netlogon to restart the Net Logon service, which is responsible for registering those records.
    1376433459676.restart-netlogonAlternatively, open the Services console and restart the Net Logon service from there.
    1376433493363.restart-netlogon-gui
  6. Wait a few minutes, then check DNS to verify that the records have been registered.

For information on the DNS records registered by a DC, see DNS Records Registered by an Active Directory Domain Controller.

dig DNS query Tool for Windows

dig  for Windows  8, 7, Vista, XP, 2000  win98-logo windows vista-logo windows8

(dig is a powerful tool to investigate [digging into] the DNS system)

Source of the binary is from ftp.isc.org
Manual Page of dig, in the cryptic Unix style, for reference only.

(1) Download:
dig version 9.3.2
Create a folder   c:dig
Download dig-files3 and save it to c:dig
Use Open source 7-zip to extract all the files inside dig-files3.zip to c:dig

Note: If msvcr70.dll already exists in %systemroot%system32 , then you can delete c:digmsvcr70.dll

Note: Included in dig-files*.zip is a command line whois, version 4.7.30:
The canonical site of the whois source code is http://ftp.debian.org/debian/pool/main/w/whois/
The whois.exe file inside dig-files*.zip is compiled using cygwin’s gcc-mingw compiler.

(2) File integrity check (reason: some stupid anti-virus programs mis-identify certain dll files as virus and destroy them without giving warnings)
windows Windows XP and  win98-logo Windows 2000: Click Start.Run … type CMD
vista-logo Windows Vista and Windows 7: Click vista-logo … type CMD
cd   c:dig

sha1sum   *

You should see the SHA1 hashes (SHA1 hash is used as an integrity check, similar to the legacy checksum idea).
Compare your hashes with the following table.

C:dig>sha1sum *
489a8ca7c7851088ade58c404ddde1a926559003  cygwin1.dll
57487baeaa0eb2848557b7ca54ed9183eafc73fa  dig.exe
97dbd755d67a5829c138a4708be7a4f26ed0894c  host.exe
d22e4b8956e1831ff0f9d07620ec19bf171f0c29  libbind9.dll
81588f0be7d3c6b320edc314532d9f2d0a105594  libdns.dll
e0bd7187bbc01003abfe7472e64b68cd1bdb6bab  libeay32.dll
f445362e728a902796ec6871a79c6307054974e4  libisc.dll
b3255c0e4808a703f95c217a91ffcd6940e680c9  libisccfg.dll
dfbde4f9e25fd49a0846e97fd813d6876dc94067  liblwres.dll
61b8f573db448ae6351ae3475c2e7c482d81533c  msvcr70.dll
da39a3ee5e6b4b0d3255bfef95601890afd80709  resolv.conf
4a578ecd09a2d0c8431bdd8cf3d5c5f3ddcddfc9  sha1sum.exe
9d9ec0e2cf59e14d9db618d10b55b881bb7d195b  whois.exe

If your hashes are the same as the above table, then your files pass the integrity check.
Type exit to close the black screen.

(3) Installation and setup:

Windows Vista vista-logo Windows 7 windows_7
Install a Vista Powertoy utility:
File name: CmdHereAsAdmin (right click the link, choose save; then on your local copy, right click the .inf file, choose Install)
(Thanks to Aaron Spurlock of Ogden, UT, USA and Patryk Bratkowski for their contributions)
Click vista-logo …click Computer, click C:
right click on c:dig , choose Cmd Prompt Here As Administrator 
copy resolv.conf  %systemroot%system32driversetc

Windows XP windows Windows 2000 win98-logo
Click start…run… type  cmd 
cd c:dig
copy resolv.conf  %systemroot%system32driversetc

(4) Add path:
(thanks to Jason Partridge of Akento Technology Sourcing, Bloomington, IN, USA for his contribution)
Windows 7: Click vista-logo … type environment variables … choose “edit environment variables for your account
Windows Vista: 
Click vista-logo …click Control Panel, in the Search Box, type environment variables … choose “edit environment variables for your account
Windows XPwindows : Click..Start…click Control Panel …in Category “Performance and Maintenance“, SystemAdvancedEnvironment Variables.
Windows 2000win98-logo : right click My Computer icon, choose properties, Advanced, Environment Variables.

Look in the top half of the screen, “User variables” section.
If a PATH variable exists, double click the variable PATH to enter edit mode,
append  ;c:dig  to the Variable value.
If the PATH variable does not exist, click the New button,
Variable name:  PATH
Variable value:  c:dig


How to use dig to query the DNS system:

You can also use dig to help setting up your security camera system. First add a “A record” to your name server to point the “A record” of your chosen domain to an ip address. Make sure that the “A record” points to an ip address of your dvr recorder’s external ip address (or the D-Link/Linksys router that sits in front of your security device). If all is good and you have the necessary ports open or forwarded, you should be able to remotely access your security system over a network of Internet.

vista-logo  Windows Vista/Windows 7: Click vista-logo … type  cmd

windows Windows XP/Windows 2000 win98-logo : Click Start… Run… type  cmd

dig   –help will show you a “help screen” to intimidate and confuse you.
dig   -h will show you a even more intimidating “help screen”.
dig  ns . 
 will show you the 13 “root-level name servers”, these are the 13 Internet gods.


dig  com.  NS
shows you the (gTLD) top level domain name servers controlling the .com domain

dig  net. NS
shows you the (gTLD) top level name servers controlling the .net domain

dig  org.  NS
shows you the (gTLD) top level name servers controlling the .org domain

dig  gov. NS
shows you the (TLD) top level name servers controlling the .gov (US Government) restricted domain

dig  mil.  NS
shows you the (TLD) top level name servers controlling the .mil  (US military) restricted domain

dig  edu.  NS
shows you the (TLD) top level name servers controlling the .edu (US post secondary) restricted domain

dig  int. NS
shows you the (TLD) top level name servers controlling the .int (international treaties) restricted domain


Each country code has its authoritative name servers (below is some of the 244 ccTLD)

dig  ca. NS
shows you the top level name servers controlling the .ca (Canada ca ) domain

dig  us.  NS
shows you the top level name servers controlling the .us (US us ) domain

dig  uk. NS
shows you the top level name servers controlling the .uk (United Kingdom uk ) domain

dig  de. NS
shows you the top level name servers controlling the .de (Germany de ) domain

dig  au. NS
shows you the top level name servers controlling the .au (Australia au ) domain

dig  cn. NS
shows you the top level name servers controlling the .cn (China cn ) domain

dig  kr. NS
shows you the top level name servers controlling the .kr (Korea kr ) domain

dig  tw. NS
shows you the top level name servers controlling the .tw (Taiwan tw ) domain

dig  hk. NS
shows you the top level name servers controlling the .hk (Hong Kong hk ) domain

dig  gs. NS
shows you the top level name servers controlling the .gs (South Georgia and the South Sandwich Islands gs ) domain

dig  ws. NS
shows you the top level name servers controlling the .ws (Western Samoa ws ) domain,
some “domain registrars” confuse the public by inferring this domain as the “Website” top level domain.

dig  tv. NS
shows you the top level name servers controlling the .tv (Tuvalu tv ) domain,
some “domain registers” confuse the public by inferring this domain as the “Television” top level domain.

dig  ae. NS
shows you the top level name servers controlling the .ae (United Arab Emirates ae ) domain

dig  gr. NS
shows you the top level name servers controlling the .gr (Greece gr ) domain

dig  id.  NS
shows you the top level name servers controlling the .id (Indonesia id ) domain

dig  ru.  NS
shows you the top level name servers controlling the .ru (Russia ru ) domain


dig  aero. NS
shows you the (gTLD) top level name servers controlling the .aero domain (for aviation industry)

dig  biz. NS
shows you the (gTLD) top level name servers controlling the .biz domain (for businesses)

dig  coop. NS
shows you the (gTLD) top level name servers controlling the .coop domain  (for co-op associations)

dig  info. NS
shows you the (gTLD) top level name servers controlling the .info domain

dig  jobs. NS
shows you the (gTLD) top level name servers controlling the .jobs domain (for human resources)

dig  mobi. NS
shows you the (gTLD) top level name servers controlling the .mobi domain (for mobile products and services)

dig  museum. NS
shows you the (gTLD) top level name servers controlling the .museum domain (for museums)

dig  name. NS
shows you the (gTLD) top level name servers controlling the .name domain (for individuals)

dig  pro. NS
shows you the (gTLD) top level name servers controlling the .pro domain  (for credentialed professionals)

dig  travel. NS
shows you the (gTLD) top level name servers controlling the .travel domain  (for travel industry)

The Internet god approved these gTLD domains.

As of 2008, the Inernet god has changed its policy, anyone who can afford to pay lots of money each year can administer any name as a top level name.
In addition, non-Latin scripts are allowed.


More examples of how to use dig to query the DNS system:

dig  dell.com.  NS
shows you the Name Servers for “dell.com

dig  dell.com.  MX
shows you the mail servers for receiving email for the “dell.com” domain (geeky terminology: Mail eXchange ).
The mail server with the smallest number in front of it will be contacted first. If that mail server is down or busy,
the mail server with the larger number will be contacted next (for fault tolerant).

dig  www.dell.com. 
shows you the IP address of the computer www.dell.com (geeks call computer a “host)
(geeks also like to call www.dell.com a FQDN to intimidate others around them)

Sometimes you see the word CNAME in the answer section, CNAME is a geeky way of saying “an alias“.

dig  www.ibm.com.    @hub.ubc.ca
lookup the IP address of www.ibm.com by making a DNS query to the DNS server “hub.ubc.ca”

Most DNS name servers are recursive (friendly), they try to find an answer for you.
However, some “system administrators” suffering from extreme-paranoia configure their name servers to
refuse answering queries that are outside of their “comfort zones”.
These extreme-paranoia servers are called “non-recursive” (aka unfriendly) name servers.

dig   -x    216.21.128.22
will look up the “host name” from an IP address
(geeks call this a “reverse DNS lookup” to intimidate and impress others around them)
The equivalent human-friendly command is   
host  216.21.128.22

dig  www.ibm.com. +trace
will give you some DNS server performance data.


dig   vs   whois

The DNS system and the whois system are not the same, they are only loosely tied together.
If the whois system is broken, (while the DNS system is working) the whole Internet will work fine.
If the DNS system is broken (while the whois system is working), the whole Internet will die.

The whois system is supposed to display who owns the domain and their corresponding name servers,
however, due to usually defective software at whois servers at domain registrars,
(the amount of defects is proportional to the registrar’s domain registration fees),
the DNS name servers information obtained from the whois query is often wrong, out of date, and inaccurate.

Use whois to find out approximately who owns the domain.

Use dig to lookup the DNS name servers of that domain.

For example, to find out who owns the name ibm.com

whois   ibm.com

or

whois   ibm.com  |  more (hit space bar to scroll forward)