Archives for: January 2011

Error 8224 and 8202 when extending the Active Directory schema

01/20/11 | by Jannes Alink | Categories: System Center, ConfigMgr

In this post I want to share another issue from the field. I ran into this issue when I was preparing the customer's Active Directory for a fresh ConfigMgr R3 environment.

Part of the preparation is creating the System Management container, which all went well, and extending the schema.

I have done this many times, so I made sure I met all the prerequisites, like the required Schema Admin permissions, and that the Schema Master (FSMO role) was online and that I was able to reach it.

So when running the ExtADSch.exe tool, the familiar DOS prompt popped up but also closed immediately. It should be displayed for at least a couple of seconds, so that was a bad sign.

I always check the ExtADSch logfile, which is automatically created in the root when you launch the tool. If you don’t have a logfile, you probably run Windows Server 2008 with User Account Control, which prohibits the tool from creating it.

My logfile looked like this:

<01-19-2011 13:56:29> Modifying Active Directory Schema - with SMS extensions.
<01-19-2011 13:56:29> DS Root:CN=Schema,CN=Configuration,DC=services,DC=mdc
<01-19-2011 13:56:29> Failed to create attribute cn=MS-SMS-Site-Code. Error code = 8224.
<01-19-2011 13:56:29> Failed to create attribute cn=mS-SMS-Assignment-Site-Code. Error code = 8224.
<01-19-2011 13:56:29> Failed to create attribute cn=MS-SMS-Site-Boundaries. Error code = 8224.
<01-19-2011 13:56:29> Failed to create attribute cn=MS-SMS-Roaming-Boundaries. Error code = 8224.
<01-19-2011 13:56:29> Failed to create attribute cn=MS-SMS-Default-MP. Error code = 8224.
<01-19-2011 13:56:29> Failed to create attribute cn=mS-SMS-Device-Management-Point. Error code = 8224.
<01-19-2011 13:56:29> Failed to create attribute cn=MS-SMS-MP-Name. Error code = 8224.
<01-19-2011 13:56:29> Failed to create attribute cn=MS-SMS-MP-Address. Error code = 8224.
<01-19-2011 13:56:29> Failed to create attribute cn=mS-SMS-Health-State. Error code = 8224.
<01-19-2011 13:56:29> Failed to create attribute cn=mS-SMS-Source-Forest. Error code = 8224.
<01-19-2011 13:56:29> Failed to create attribute cn=MS-SMS-Ranged-IP-Low. Error code = 8224.
<01-19-2011 13:56:29> Failed to create attribute cn=MS-SMS-Ranged-IP-High. Error code = 8224.
<01-19-2011 13:56:29> Failed to create attribute cn=mS-SMS-Version. Error code = 8224.
<01-19-2011 13:56:29> Failed to create attribute cn=mS-SMS-Capabilities. Error code = 8224.
<01-19-2011 13:56:29> Failed to create class cn=MS-SMS-Management-Point. Error code = 8202.
<01-19-2011 13:56:29> Failed to create class cn=MS-SMS-Server-Locator-Point. Error code = 8202.
<01-19-2011 13:56:29> Failed to create class cn=MS-SMS-Site. Error code = 8202.
<01-19-2011 13:56:29> Failed to create class cn=MS-SMS-Roaming-Boundary-Range. Error code = 8202.
<01-19-2011 13:56:29> Failed to extend the Active Directory schema, please find details in "C:\ExtADSch.log".

Those errors are typically Active Directory Services errors. So I again checked my permissions and even logged on and off again.

Because extending the schema also has to do with replication, I checked for any replication errors. Here I found the issue, as there was a child domain but no domain controllers for that domain were online. It was a ‘sleeping’ domain for migration purposes.

By booting the domain controller for the child domain the replication errors were solved. I ran the ExtADSch.exe tool again and now the extensions were successfully applied.
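
Added example (not part of the original post): a PowerShell pre-flight check that refuses to go ahead with a schema extension while any replication link reports failures, which is the condition that caused the 8224/8202 errors above. The function name Get-ReplicationFailure, the DC and domain names, and the sample rows are constructed for illustration; the column layout is that of `repadmin /showrepl * /csv`.

```powershell
# Constructed sample in the column layout of "repadmin /showrepl * /csv".
# On a real domain controller, replace the sample with:
#   $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
$sampleCsv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Site-A,DC01,"CN=Schema,CN=Configuration,DC=example,DC=test",Site-A,DC02,RPC,0,0,2011-01-19 13:40:11,0
showrepl_INFO,Site-A,DC01,"CN=Schema,CN=Configuration,DC=example,DC=test",Site-B,CHILDDC01,RPC,37,2011-01-19 13:41:02,2010-12-01 08:15:44,1722
showrepl_INFO,Site-A,DC01,"DC=example,DC=test",Site-A,DC02,RPC,0,0,2011-01-19 13:42:30,0
'@
$rows = ($sampleCsv -split "`r?`n") | ConvertFrom-Csv

function Get-ReplicationFailure {
    # Hypothetical helper: returns every replication link that is unhealthy.
    param([object[]] $Rows)

    $Rows | Where-Object {
        # Rows flagged showrepl_ERROR mean the DC could not be queried at all.
        # An empty failure count casts to 0, so such rows are caught by the first test.
        $_.showrepl_COLUMNS -eq 'showrepl_ERROR' -or
        [int]$_.'Number of Failures' -gt 0
    }
}

$failures = @(Get-ReplicationFailure -Rows $rows)

if ($failures.Count -gt 0) {
    # Show which partner and which naming context is failing, and with what status.
    $failures |
        Format-Table 'Destination DSA', 'Source DSA', 'Naming Context',
                     'Number of Failures', 'Last Failure Status' -AutoSize
    Write-Warning "Replication failures found ($($failures.Count) link(s)). Resolve them before running ExtADSch.exe."
}
else {
    Write-Output 'No replication failures reported. Replication looks healthy for the schema extension.'
}
```

With the constructed sample, the link from CHILDDC01 is reported with 37 failures and status 1722 (RPC server unavailable), which is what a powered-off domain controller in a child domain looks like from a partner.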

Related information:
How to Extend the Active Directory Schema Using ExtADSch.exe
How to Extend the Active Directory Schema Using an LDIF File
How to Create the System Management Container in Active Directory Domain Services
How to Set Security on the System Management Container in Active Directory Domain Services


Remote Control issue from the field

01/09/11 | by Jannes Alink | Categories: System Center, ConfigMgr

In this post I want to share some experience from the field. At a previous project I ran into an issue where Remote Control was not working.

The environment was basic: a two-tier hierarchy all running on Windows Server 2008 R2; clients were running Windows XP with Service Pack 3.

When we initiated remote control, we ran into the problem that the starting screen was displayed but after that it was not responding and hanging on the line: Starting remote session. So no errors were displayed at all.
My first thought was the firewall, so we disabled that. No luck. We also checked the permissions that were set in the Remote Tools settings in ConfigMgr and whether those allowed users were published in the local group on the client. This was also the case.

Next was checking the RemoteControl.log logfile on the client. Here we saw that the session was received by the client, but terminated immediately. No further errors at all in the log.
In the event viewer we received the following event:

Event ID: 50
Source: TermDD
Type: Error
Description: The RDP protocol component "DATA ENCRYPTION" detected an error in the protocol stream and has disconnected the client.

So this one was my first clue that it had to do with some kind of encryption. We tested remote control to the other Windows Server 2008 R2 systems and this all worked fine. So the second clue was that it had to do with Windows XP.
In the end we disabled the desktop policies one by one and found that FIPS encryption on the RDP level was set on the servers.
So to sum up, the Windows Server 2008 R2 servers were expecting a FIPS answer from the Windows XP clients, which they cannot give.

As stated in http://support.microsoft.com/kb/811833 :

Windows XP clients that use the RDP 5.2 client program and later versions of RDP can connect to Windows Server 2003, Windows Vista, or Windows Server 2008 computers when you enable this option. However, remote desktop connections to Windows XP computers fail when you enable this option on either the client or the server.

Microsoft also confirmed this scenario is not going to work with Windows XP SP3.


Hi,

I'm Jannes Alink and welcome to my blog! I'm living in the Netherlands and working in the IT industry for more than 8 years. I work as freelance consultant at Alinja and deliver projects around the globe. Currently on a project in Abu Dhabi (UAE).

Posts are just my personal opinion.
