The diskshadow command, a hidden gem

Good morning.  In case you haven’t guessed it already I typically write these posts in the morning.  As I write this now it is 6:30AM.  Today I wanted to share a command line utility I just recently discovered.  It has been part of Windows for quite some time though.  At least since Windows Server 2008.  The utility is called diskshadow.  This utility allows direct interaction with VSS (Volume Shadow Copy Service).  You can find the Microsoft technet article here.  In this article I will go over how I used it to troubleshoot a recent issue with VSS.

I was recently troubleshooting a VSS where the snapshot was failing on release.  As is typical, my customer was using a 3rd party backup software.  I wanted to test outside of the backup software, so we installed the Windows Server Backup feature and tried that.  Unfortunately the symptoms were identical.  After quite a bit of digging I ran across the diskshadow utility.  With that utility I received a different error which led me down the path of discovering the problem.  It turned out that the backup software’s filter driver was stepping on VSS and causing the failure.  After removing the backup software, VSS worked without issue.

So how is the diskshadow command used?  It can be used to create a snapshot, mount an existing snapshot, restore a snapshot and several other things.  Below I will cover the commands to take a VSS snapshot, as that is the functionality I find most useful.  To take a snapshot of the C: drive and test the majority of the VSS writers there are just 3 commands that need to be run.

  1. diskshadow (This starts the command and puts you at a diskshadow prompt.  This is similar to ntdsutil and nslookup.)
  2. add volume c: (This adds the C: drive to the snapshot.  You could substitute another drive letter if you want to test a specific writer.  The command can also be repeated with other drive letters to include them in the snapshot.)
  3. create (This starts the snapshot process with VSS.  It is important to note that the create command by itself will create a non-persistent snapshot.  That is the snapshot will be removed on exit from the diskshadow utility.  A persistent snapshot can be created with additional parameters.)

This utility is considerably faster when troubleshooting VSS, taking only about 1-2 minutes to take a snapshot or fail.  It also removes the requirement for a USB drive to temporarily store a backup.  For these reasons I will be using whenever troubleshooting VSS in the future.

I hope you found this article informative.  If you have anything to add or just want to leave a comment, please do so below.

 

Advertisements

The Network Location Awareness service

Good morning.  I wanted to share an issue I see on a regular basis.  This has to do with the NLA (Network Location Awareness) service.  For those that are not aware of this service it is responsible for determining the type and safety of the network(s) the computer is connected to.  There are 3 network classifications that are used.

  • Public – The NLA determines the computer is directly connected to the Internet or is on an unsafe network.  This is also the default profile assigned to a network adapter until one of the other profiles can be determined.
  • Private – The NLA determines the computer is isolated from the Internet by a NAT (Network Address Translation) device or router.
  • Domain – The NLA determines that the computer is connected to a domain.  It does this by attempting to contact a domain controller.  More specifically it performs a DNS (Domain Name System) query for a SRV (Service) record.  It will then make a connection to the domain controller.  If this is all successful, the domain profile is set.

So what is the purpose of the NLA and setting a network profile?  The primary purpose is for the Windows firewall.  Other applications and services can also access this data though.

Now that the NLA service is sufficiently explained, on to the common issue with it.  The NLA service by default is set to Automatic for its startup type.  Normally this works fine and the NLA properly detects the network.  There are some situations though where the service fails to set the profile correctly on startup.  I typically see this on domain controllers in a domain with just one domain controller.  This means that the network stack and DNS server service have to fully initialize and start before the NLA queries the network.  If they do not then the NLA is not able to contact a domain controller and assumes the computer is connected to a private or public network.

Regardless of the reason why the NLA is failing at startup the solution is fairly simple.  I have seen a 100% fix rate with simply setting the service startup type to Automatic (Delayed Start).  Doing this forces the NLA service to wait until all Automatic services have started, giving DNS enough time to start.  I have seen this little trick work with other services when they are having trouble at startup.

I hope you found this article informative.  If I missed anything or you just want to comment, please feel free to do so below.

How to re-deploy VPN in 2016 Essentials in legacy mode.

This is the third article in a series of articles covering VPN in Windows Essentials.  In the first article I covered an issue with VPN and DHCP.  In the second article I covered how to re-deploy VPN with PowerShell in 2016 Essentials.  In this article I will cover how to re-deploy VPN in legacy mode.

  1. First we must clear the configuration. Launch a PowerShell session as administrator.
  2. Run Uninstall-RemoteAccess.  Hit enter when prompted.
  3. Install the RRAS (Routing and Remote Access Service) console by running the following command: Install-WindowsFeature RSAT-RemoteAccess-Mgmt
  4. Run rrasmgmt.msc to launch the RRAS console.
  5. Right-click on the server name and choose “Configure and Enable Routing and Remote Access”
    RRAS 1
  6. Click Next.
  7. Ensure the Custom configuration radio button is selected and click Next.
    RRAS 2
  8. Check the box for VPN and click Next.
    RRAS 3
  9. Click Finish to complete the initial configuration.  You will get a popup indicating a policy was created.  Click OK to continue.
    RRAS 4
  10. When prompted to start the service, click Start service.
  11. RRAS is now running, but there are two more required steps to complete the configuration.  Right-click the server name and choose Properties.
    RRAS 5
  12. Click on the Security tab.  At the bottom of the screen, choose the correct certificate and click Apply.  Click Yes to restart RRAS.
    RRAS certificate
  13. Click the IPv4 tab.  Click the radio button for Static address pool and click the Add button.  Fill in the start IP address and end IP address and click OK twice.
    RRAS static pool
  14. Restart the RRAS service.

At this point RRAS should be configured properly.  Optionally you can disable the unused protocols in RRAS.  To do so right-click on Ports and click Properties.
RRAS ports

Only SSTP is used in Essentials by default, so the other protocols can be removed/minimized.  Highlight IKEv2 and click Configure.  Change the maximum ports to 0 (zero) and click OK.  Click Yes on the popup.  Repeat this with L2TP and GRE.  For PPTP you cannot reduce to zero, but you can reduce to 1 (one).  I also like to reduce the number of ports to match the number of IP addresses in the static pool.  This is to ensure that all connections get a valid IP address.  So I limited the ports to 20 for SSTP.  When complete it should look something like below.
RRAS ports limited

I hope you found this article informative.  If you have anything to add or just want to comment, please do so below.

How to re-deploy VPN in 2016 Essentials with PowerShell

In my previous article I discussed an issue I see commonly with VPN in Essentials.  In that article I gave the fix for all versions of Essentials except 2016.  In this article I will cover the fix for 2016 Essentials.

As stated previously, 2016 Essentials uses PowerShell to configure the VPN.  Here is what the default configuration looks like:

RemoteAccess Default

If you try to manage it in the RRAS (Routing and Remote Access Server) console, you will see this:

legacy mode

The message would imply that you could turn on legacy mode.   This is true, but to turn on legacy mode requires clearing the configuration from RRAS.  Clearing the configuration must be done with PowerShell.  Re-deploying the VPN can be done with both PowerShell and the RRAS console.  Below are the PowerShell commands.

  1. Launch a PowerShell session as administrator.
  2. Run Uninstall-RemoteAccess.  Hit enter when prompted
  3. Run Install-RemoteAccess -VpnType Vpn -IPAddressRange 192.168.16.100,192.168.16.120
    Change the ip addresses to match the range you want to use.  In the command above the start IP address is 192.168.16.100 and the end IP is 192.168.16.120.
  4. It may be necessary to modify the SSL certificate.  To check this run Get-RemoteAccess.  If the SSL certificate matches the one installed by the Essentials anywhere wizard, then you are done.  If not, please proceed to the next step.
  5. Run Set-Location Cert:\LocalMachine\My; Get-ChildItem | Subject,Thumbprint
    You should see output similar to the following:
    certificate 1
  6. Make note of the Thumbprint for the certificate that was created in the anywhere access wizard.
  7. Next assign the certificate to the VPN with the following command:
    Get-ChildItem | ? Thumbprint -eq “C39ED8D5ADC2F73A05A909BE9C4692B43B963FB2” | Set-RemoteAccess
  8. Finally verify the correct certificate is assigned to the VPN with the command:
    Get-RemoteAccess
    RemoteAccess fixed

Clients should be able to connect and access resources via the VPN now.

I hope you found this article informative.  If you have any suggestions or comments please leave them below.

An error has occurred 0x8007….

This article is for those that don’t know that 0x80070002 is “The system cannot find the file specified.” or that 0x80070020 is “The process cannot access the file because it is being used by another process”.  It seems impossible to memorize all the error codes in Windows and what they mean.  Thankfully there is no need to do this, as there is a utility built into Windows to decode them.

To find out what an error code means launch a command window and run this command slui 0x2a <error code>.  For instance slui 0x2a 0x80070002.  You will get a popup similar to the following:

slui 0x2a

You will need to Show details.  The description is the error code text.

I hope you found this article informative.  If you have anything to add please do so in the comments below.

The case of the missing domain controller…

I wanted to talk about an issue today that I see with a great deal of regularity.  Statically setting an external or public DNS (Domain Name System) server in the DNS client settings of a machine that is joined to an Active Directory domain.

external-dns-server

In the above picture we have the Active Directory domain controller as the Preferred DNS server.  However we also have one of the Google public DNS servers as the Alternate DNS server.  At first look, it appears this might be a good idea.  If the Active Directory domain controller goes down, this PC can still resolve names on the Internet. However there is a significant disadvantage to setting up the DNS client in this way.  To understand this disadvantage, we must first understand how the DNS name resolution process works in Windows.

When a Windows system, either client or server, needs to resolve a name it goes through the following process.*

  1. The client checks to see if the name queried is its own.
  2. The client queries the DNS client resolver cache.  Any entries from the hosts file are preloaded to the resolver cache.
  3. Domain Name System (DNS) servers are queried.
  4. If the name is still not resolved, the NetBIOS name resolution sequence is used.

*I have omitted WINS from the process as it is rarely used anymore.

Let’s dive a little deeper into bullet point two.  There are two important takeaways for the DNS client cache.  The first is the time limit a record or lack thereof is cached.  This is typically referred to as TTL (Time To Live).  A positive answer is cached for its TTL or 24 hours whichever is less.  A negative response, that is when the record does not exist or cannot be found, is cached for 5 minutes.  The second takeaway is that clearing the cache can only be achieved by restating the DNS client service, running ipconfig /flushdns or restarting the client.

Now on to bullet point three and our example above.  The Windows DNS client will use the Preferred DNS server first.  If that server fails to respond, even just for a second, the Windows DNS client will switch over to the Alternate DNS server.  The Windows DNS client will not switch back to the Preferred DNS server unless the alternate fails to respond.  In the case of a public DNS server this is unlikely to happen.  If the Windows DNS client does get “stuck” on the alternate server there are three ways to get it to switch back; restart the DNS client service, restart the computer, or modify the DNS client configuration.

So now we have a better understanding of how DNS name resolution and the Windows DNS client work.  Let’s go over why public DNS servers should not be used.  In most environments there will be DNS timeouts on occasion.  As we now understand a DNS timeout can cause the DNS client to switch to the next DNS server in the list.  If the DNS client switches to a public DNS server then queries for internal resources, such as domain controller service records, or other systems on the LAN (Local Area Network), will fail.  So the bottom line here is that using an external DNS server in the DNS client settings can and usually will cause unpredictable behavior.

One final thought.  The default configuration of the Microsoft DNS server will allow Internet names to be resolved.  This is accomplished using root hints.  If a public DNS server must be used for Internet queries, then a DNS forwarder can be added in the DNS server configuration.

I hope you found this article informative.  If you have anything to add or see something that needs a correction, please leave a comment below.

 

 

 

 

 

 

 

 

 

 

Why are my computers not showing up on the Network in Windows explorer?

I ran across an interesting issue this morning.  I had a customer who was not able to browse for computers on most of his workstations and servers.  The problem seemed to start within the last two weeks.

I checked the workstation, DNS client, network list, and network location awareness services.  They were all running.  The problem turned out to be the Function Discovery Resource Publication service.  This service was not started and was set to manual.  Without this service the computer will not advertise itself and will not be able to discover other computers on the network.

So if no computers are showing in Network in Windows Explorer check the Function Discovery Resource Publication service and verify it is running.  I would also recommend setting it to Automatic start so that everything works correctly after a reboot.

I hope this article has been informative.  If you have anything to add, please use the comments section below.