Thursday, September 10, 2009

Script to recreate SYSVOL (the FRS "DOMAIN SYSTEM VOLUME" replica set) on a domain controller


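' Recreate the SYSVOL FRS replica set on this domain controller.
'
' Flow: stop NTFRS; for every registered replica set that is not yet
' tombstoned and is named "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)", restart
' NTFRS and wait for FRS to mark it tombstoned, then stop NTFRS again;
' rewrite NtFrs\Parameters\SysVol\<domain> with "Replica Set Command" =
' "Create" and "Replica Set Primary" = 1; finally start NTFRS.
'
' WARNING (operational / security): "Replica Set Primary" = 1 flags this
' DC's copy as the primary source of the recreated set. In a domain with
' more than one DC that makes this machine's SYSVOL content (GPOs, logon
' scripts) win over every other DC's copy -- run it on ONE DC only, after
' backing up the SYSVOL tree. The account running it must be able to stop
' and start services and write HKLM\SYSTEM. "On Error Resume Next" hides
' every failure (registry reads and writes included), so read the echoed
' messages rather than assuming success.
'
' Repairs against the published listing: the For loops had lost their
' Next statements (the script could not parse), and both "wait until
' stopped" loops compared Win32_Service.Status with "ok" -- Status is
' "OK" for a healthy service whether it is running or stopped, so they
' never actually waited; they now test State = "stopped", mirroring the
' start loop's State = "running". The wait loops and the service-control
' calls are factored into the two Subs at the end of this block; the
' ReturnValue check now runs only when a method was really invoked.
Const HKEY_LOCAL_MACHINE = &H80000002
On Error Resume Next

Set objWMINameSpace = GetObject("winmgmts:{impersonationLevel=impersonate}//LOCALHOST/root/CIMV2")
Set WSHShell = CreateObject("WScript.Shell")

' Registry roots used below (the trailing backslash is intentional).
strReplicaSetsKey = "HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets\"
strSysvolKey = "HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\SysVol\"

WScript.Echo "Stopping the File Replication Service"
ControlNtfrs "running", "stopservice", "stop"
WaitForNtfrsState "stopped"

' Enumerate the replica sets FRS has registered on this machine.
Set objRegistry = GetObject("winmgmts:{impersonationLevel=impersonate}//LOCALHOST/root/default:StdRegProv")
Set objMethod = objRegistry.Methods_("ENUMKEY")
Set objInParam = objMethod.inParameters.SpawnInstance_()
objInParam.sSubKeyName = "SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets"
Set objOutParam = objRegistry.ExecMethod_("ENUMKEY", objInParam)
Set objSubKeys = objOutParam.Properties_("sNames")

For i = 0 To UBound(objSubKeys)
    ' Defaults mean "skip": if a RegRead fails (silently, under On Error
    ' Resume Next) the set presumably keeps intTomb = 1 and is left alone.
    intTomb = 1
    strSetName = ""
    intTomb = WSHShell.RegRead(strReplicaSetsKey & objSubKeys.Value(i) & "\Replica Set Tombstoned")
    strSetName = WSHShell.RegRead(strReplicaSetsKey & objSubKeys.Value(i) & "\Replica Set Name")
    If intTomb = 0 And strSetName = "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" Then
        ' NOTE(review): nothing in this listing removes the set's FRS
        ' objects from AD before FRS is restarted (DelADobj, defined later
        ' in the file, is never called), so this wait for
        ' "Replica Set Tombstoned" = 1 may simply run to its limit
        ' (60 polls with growing j*500 ms pauses).
        ControlNtfrs "stopped", "startservice", "start"
        WaitForNtfrsState "running"
        For j = 1 To 60
            If WSHShell.RegRead(strReplicaSetsKey & objSubKeys.Value(i) & "\Replica Set Tombstoned") = 1 Then Exit For
            wscript.sleep (j * 500)
        Next
        ControlNtfrs "running", "stopservice", "stop"
        WaitForNtfrsState "stopped"
    End If
Next

' Build the new replica-set definition for this domain.
Set ADInfo = CreateObject("AdSystemInfo")
strDNSDomain = ADInfo.DomainDNSName
' Netlogon's Sysvol value is the share path (...\SYSVOL\sysvol); dropping
' the trailing 7 characters ("\sysvol") leaves the SYSVOL tree root.
strSysvol = WshShell.RegRead("HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\Sysvol")
strSysvol = Left(strSysvol, Len(strSysvol)-7)
strSysvolRoot = strSysvol & "\domain"
strSysvolStage = strSysvol & "\staging\domain"
intPrimary = 1   ' 1 = this DC is the primary (source) member of the new set

WshShell.RegWrite strSysvolKey & strDNSDomain & "\Replica Set Command", "Create", "REG_SZ"
WshShell.RegWrite strSysvolKey & strDNSDomain & "\Replica Set Name", strDNSDomain, "REG_SZ"
WshShell.RegWrite strSysvolKey & strDNSDomain & "\Replica Set Type", "Domain", "REG_SZ"
WshShell.RegWrite strSysvolKey & strDNSDomain & "\Replica Set Primary", intPrimary, "REG_DWORD"
WshShell.RegWrite strSysvolKey & strDNSDomain & "\Replica Set Root", strSysvolRoot, "REG_SZ"
WshShell.RegWrite strSysvolKey & strDNSDomain & "\Replica Set Stage", strSysvolStage, "REG_SZ"

' Written last, after the per-domain values -- presumably so FRS never
' picks up a half-written definition (TODO confirm against FRS docs).
WshShell.RegWrite strSysvolKey & "SysVol Information is Committed", 1, "REG_DWORD"

wscript.echo "Starting FRS service"
ControlNtfrs "", "startservice", "start"
wscript.echo "Script has completed"

' Run WMI method strMethod ("stopservice" / "startservice") on the NTFRS
' service and echo a non-zero ReturnValue using verb strVerb ("stop" /
' "start"). When strOnlyIfState is non-empty the method is invoked only
' if Win32_Service.State currently equals it (lower-case compare); an
' empty strOnlyIfState invokes it unconditionally.
Sub ControlNtfrs(strOnlyIfState, strMethod, strVerb)
    Dim svc, outParam
    Set svc = objWMINameSpace.get("Win32_Service='NTFRS'")
    If strOnlyIfState = "" Or LCase(svc.state) = strOnlyIfState Then
        Set outParam = svc.ExecMethod_(strMethod)
        If outParam.ReturnValue <> 0 Then WScript.Echo "The NTFRS service failed to " & strVerb & " with a return value of: " & outParam.ReturnValue
    End If
End Sub

' Poll Win32_Service.State of NTFRS until it equals strWanted. Keeps the
' original back-off: pause k*100 ms after poll k, k = 1..150 (roughly
' 19 minutes in the worst case); gives up silently after the last poll.
Sub WaitForNtfrsState(strWanted)
    Dim k, svc
    For k = 1 To 150
        Set svc = objWMINameSpace.get("Win32_Service='NTFRS'")
        If LCase(svc.state) = strWanted Then Exit For
        wscript.sleep (k * 100)
    Next
End Sub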

' Delete the FRS nTFRSMember object for replica-set member strGUID (and
' the nTFRSSubscriber it references) from Active Directory via the local
' DC. ADSI GetObject("LDAP://LOCALHOST/...") binds with the credentials
' of the account running the script, so that account needs delete rights
' on the FRS objects; the deletion is not reversible without a backup.
'
' NOTE(review): this Sub is never called from the script above, and its
' body looks damaged by HTML extraction: both GetObject calls below carry
' no GUID or DN (the "Could not bind to GUID=" message suggests an ADSI
' "<GUID=...>" binding string that was swallowed as markup), the
' subscriber branch reports a failure when Err.Number = 0 rather than
' <> 0, and no DeleteObject call survives although the later messages
' report delete failures. Treat it as a fragment to be restored from the
' original source, not as working code.
Sub DelADobj(strGUID)
If Err.Number <> 0 Then Err.Clear
' Intended: bind to the nTFRSMember object by GUID (binding string lost).
Set objADRepSet = GetObject("LDAP://LOCALHOST/")
If Err.Number <> 0 Then
WScript.Echo "Could not bind to GUID=" & Left(strGUID,23) & "-" & Right(strGUID, 12)
WScript.Echo "Failed with error: " & Err.Number
WScript.Echo "Not deleting any AD Objects"
Exit Sub
End If
' Re-bind by distinguished name (as written this re-binds whatever the
' previous line returned).
Set objADRepSet = GetObject("LDAP://LOCALHOST/" & objADRepSet.distinguishedName)
If Err.Number <> 0 Then
WScript.Echo "Could not bind to nTFRSMember object with DN= " & objADRepSet.distinguishedName
WScript.Echo "Failed with error: " & Err.Number
WScript.Echo "Not deleting any AD Objects"
Exit Sub
End If
' fRSMemberReferenceBL is the back-link from the member to its subscriber.
If objADRepSet.fRSMemberReferenceBL <> "" Then
Set objADSubscriber = GetObject("LDAP://LOCALHOST/" & objADRepSet.fRSMemberReferenceBL)
' NOTE(review): condition is inverted (= 0 reports failure on success);
' the subscriber delete that presumably followed is missing.
If Err.Number = 0 Then
WScript.Echo "Could not bind to nTFRSSubscriber object with DN= " & objADSubscriber.distinguishedName
WScript.Echo "Failed with error: " & Err.Number
WScript.Echo "Not deleting nTFRSSubscriber object from AD"
End If
' NOTE(review): this message sits inside the "reference present" branch;
' it reads as if it belonged to an Else that was lost.
WScript.Echo "No member reference to nTFRSSubscriber object"
End If
' NOTE(review): the DeleteObject calls these two checks refer to are not
' present in this copy.
If Err.Number <> 0 Then
WScript.Echo "Failed to delete nTFRSSubscriber object with error: " & Err.Number
End If
IF Err.Number <> 0 Then
WScript.Echo "Failed to delete nTFRSMember object with error: " & Err.Number
End If

End Sub


Wednesday, June 3, 2009

IAS event ID 2: "A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider"

Client connection to the network over 802.1X fails with IAS event ID 2 (authentication EAP type = Smart Card or other certificate).

Setup: a Windows Server 2003 machine running IAS (RADIUS) for an 802.1X deployment covering the clients; the authentication method is EAP with certificates (EAP type "Smart Card or other certificate").
When a client is plugged into the switch port in question, network access is denied and the IAS server logs the following event.

Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 6/1/2009
Time: 11:15:02 AM
User: N/A
Computer: xxx-xxx
User host/ was denied access.
Fully-Qualified-User-Name = Domain\computername$
NAS-IP-Address =
NAS-Identifier =
Called-Station-Identifier = 00-17-5A-6A-7E-94
Calling-Station-Identifier = 00-11-43-4D-03-9E
Client-Friendly-Name = xx-xx-xx
Client-IP-Address =
NAS-Port-Type = Ethernet
NAS-Port = 50020
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name = 802.1x
Authentication-Type = EAP
EAP-Type = Smart Card or other certificate
Reason-Code = 295
Reason = A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.

For more information, see Help and Support Center at
0000: 12 01 0b 80 ...€

Since the event points at the CA chain, we first checked that the root CA certificate was present in the Trusted Root Certification Authorities store on both the client and the IAS server.
It was present in both locations.
We compared its serial number and thumbprint with the actual root CA certificate and they matched (the thumbprint is the check that matters; a serial number alone does not identify a certificate). So the chain itself was fine -- as the event says, the chain "processed correctly"; the problem was which CAs the policy provider (IAS) had been told to trust.

Using the Resultant Set of Policy (Start > Run > rsop.msc) we found that the certificate auto-enrollment policy was disabled on the IAS server.
We then checked the registry location on the IAS server where the enterprise certificate stores (NTAuth among them) are cached. (The exact path was lost from this copy of the post; it is the same location the KB step below refers to.)


It was empty -- no certificates at all.
On the client the same location did contain the root CA certificate, because the auto-enrollment policy was enabled for clients.
We found the Microsoft KB article on publishing a CA certificate to the Enterprise NTAuth store (the article number did not survive in this copy) and followed its Method 2.

Method 2: Import a certificate by using Certutil.exe

Certutil.exe is a command-line utility for managing a Windows CA. In Windows Server 2003, you can use Certutil.exe to publish certificates to Active Directory. Certutil.exe is installed with Windows Server 2003. It is also available as part of the Microsoft Windows Server 2003 Administration Tools Pack. To download this tools pack, visit the following Microsoft Web site:


To import a CA certificate into the Enterprise NTAuth store, follow these steps. Note that this is a directory-wide trust decision: the NTAuth store lives in the Active Directory configuration container, and a CA published there is accepted as an issuer for this kind of certificate-based authentication. Publish only CAs that are meant to issue such certificates, and verify the .cer file's thumbprint against the real CA certificate before running the command.
1. Export the certificate of the CA to a .cer file. The following file formats are supported:

o DER encoded binary X.509 (.cer)
o Base-64 encoded X.509 (.cer)

2. At a command prompt, type the following command, and then press ENTER:

certutil -dspublish -f filename NTAuthCA

The contents of the NTAuth store are cached in the following registry location (path missing from this copy of the post):
This registry key should be updated automatically to reflect the certificates published to the NTAuth store in the Active Directory configuration container. This happens when Group Policy settings are refreshed and when the client-side extension responsible for autoenrollment runs. In some scenarios -- Active Directory replication latency, or the "Do not enroll certificates automatically" policy setting being enabled -- the registry is not updated. In that case you can run the following command on the affected machine to insert the certificate into its local cache (this fixes only that one machine; the -dspublish step above is what changes Active Directory):

certutil -enterprise -addstore NTAuth CA_CertFilename.cer

After this the certificate appeared in the NTAuth registry location on the IAS server.
The other stores, however, were still empty.
So we enabled certificate auto-enrollment for the IAS server through Group Policy and ran gpupdate /force.
After a couple of policy refreshes the policy was applied on the IAS server.
We re-checked the registry location and all the stores were now populated.


We got certificates for following stores

CA, Disallowed, NTAuth, Root, Trust, Trusted Publisher

We tried the client connection again and this time access was granted.
On the IAS server the corresponding event now reads as follows:

Event Type: Information
Event Source: IAS
Event Category: None
Event ID: 1
Date: 6/2/2009
Time: 5:25:38 PM
User: N/A
Computer: computername
User host/ was granted access.
Fully-Qualified-User-Name = domain\computername$
NAS-IP-Address =
NAS-Identifier =
Client-Friendly-Name = xxx-xxx
Client-IP-Address =
Calling-Station-Identifier = 00-11-43-4D-03-9E
NAS-Port-Type = Ethernet
NAS-Port = 50020
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name = 802.1x
Authentication-Type = EAP
EAP-Type = Smart Card or other certificate

For more information, see Help and Support Center at
0000: 00 00 00 00 ....


Issue resolved.