Fix for Accessing Windows Vista and Windows 7 Administrative Shares (C$, Admin$, etc) – Client Push

This post isn’t strictly a Configuration Manager client push fix, but it will help anyone who is trying to connect to an administrative share on a Windows Vista or Windows 7 machine and keeps getting “Access Denied” even though you know 100% for a fact that the account you’re using is the right one.

User Account Control Remote Restrictions

Starting with Vista, User Account Control introduced some remote restrictions of administrative accounts. You can click the previous link if you want to read up on it. Suffice it to say, to disable these remote UAC restrictions of accounts that are in the local administrators group, do the following:

  1. Click Start, click Run, type regedit, and then press ENTER.
  2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  3. If the LocalAccountTokenFilterPolicy registry entry does not exist, follow these steps:
    1. On the Edit menu, point to New, and then click DWORD Value.
    2. Type LocalAccountTokenFilterPolicy, and then press ENTER.
  4. Right-click LocalAccountTokenFilterPolicy, and then click Modify.
  5. In the Value data box, type 1, and then click OK.
  6. Exit Registry Editor.

HomeGroup

If the machine you’re trying to manage happens to be part of a HomeGroup (introduced in Windows 7), then you may run into some issues. To leave a HomeGroup:
  1. Click Start, Click Control Panel
  2. Click View by Small Icons
  3. Click HomeGroup
  4. Click Leave HomeGroup

Turn on File and Printer Sharing in the Windows Firewall

If you have the Windows Firewall enabled, you’ll need to make sure File and Printer Sharing is allowed in the firewall settings:
  1. Click Start 
  2. Click Control Panel
  3. Click Category and select Small Icons
  4. Click Windows Firewall
  5. Click Allow a Program or feature through Windows Firewall
  6. Find File and Printer Sharing and enable Home/Work and Public network
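As an added example (not code from the original post), the following PowerShell script reports on, and with -Apply sets, the registry value and the firewall rule group from the two procedures above. It assumes an elevated prompt on the Vista/Windows 7 target and the default rule name “File and Printer Sharing (SMB-In)”; it uses netsh rather than the NetSecurity cmdlets because those do not exist on Windows 7.

```powershell
# Added example, not the post's own code: check/apply the remote UAC token
# filter and the File and Printer Sharing firewall group. Run elevated on the
# target machine; without -Apply it only reports.
param([switch]$Apply)

$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$name = 'LocalAccountTokenFilterPolicy'

# 1. Remote UAC restrictions. Value 1 stops the filtered (non-admin) token
#    from being handed to remote logons by local Administrators members, which
#    is what makes C$ / Admin$ usable with a local account. It also widens the
#    machine's exposure, so scope it to the machines that need client push.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($current -eq 1) {
    "$name is already 1: remote UAC restrictions are disabled."
} elseif ($Apply) {
    # New-ItemProperty -Force creates the DWORD if it is missing or overwrites it.
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    "$name set to 1."
} else {
    "$name is missing or 0: local admin accounts will get Access Denied on admin shares."
}

# 2. File and Printer Sharing through Windows Firewall. Inspect one rule of
#    the group (assumed default name) and count the profiles it is enabled for.
$ruleName = 'File and Printer Sharing (SMB-In)'
$out = netsh advfirewall firewall show rule "name=$ruleName" | Out-String
$enabledProfiles = [regex]::Matches($out, 'Enabled:\s+Yes').Count
if ($enabledProfiles -gt 0) {
    "'$ruleName' is enabled for $enabledProfiles profile(s)."
} elseif ($Apply) {
    # Enables every rule in the group (inbound and outbound) for all profiles.
    netsh advfirewall firewall set rule "group=File and Printer Sharing" new enable=Yes | Out-Null
    "File and Printer Sharing group enabled."
} else {
    "'$ruleName' is disabled (or not found): client push to this host will fail at the admin share."
}
```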

By following the above tips, you should now be able to access any administrative shares that you have proper credentials for, and client push should start working on machines where you were getting access denied or invalid network path messages and/or “Failed to get token for current process (5)” messages in ccm.log.

Does your Windows 7 Hang at the Welcome Screen for a long time after logon? Potential Fix Here

I’ve had a major issue on my personal machine for some time now where on logon my machine would hang for minutes (15-30 minutes in some cases) before getting to the desktop. When resuming from sleep, this wasn’t an issue, however on cold boots or restarts this was a big issue.

The fix was http://support.microsoft.com/kb/2526870 which fixes a group policy deadlock condition.

Ports Required to Join a Windows Domain – Managing Windows Machines in a DMZ with SCCM

For those looking for the ports you need open, this is what I use for a Windows 7 and Windows 2008 R2 DC.

LDAP TCP in – 389
LDAP UDP in – 389
LDAP for Global Catalog TCP in – 3268
NetBIOS Name Resolution UDP in – 138
SAM/LSA TCP in – 445
SAM/LSA UDP in – 445
Secure LDAP TCP in – 636
Secure LDAP for Global Catalog TCP in – 3269
W32Time NTP UDP in – 123
RPC – RPC Dynamic
RPC Endpoint Mapper
DNS – TCP and UDP 53
Kerberos V5 UDP in – 88
NetBIOS Datagram UDP in – 137
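As an added example (not from the original post), this PowerShell script checks from the DMZ server that the firewall actually passes each TCP port in the list above to the domain controller before you attempt the join. The DC name is an assumed placeholder; TcpClient is used because Test-NetConnection is not available on Windows 7 / Server 2008 R2, and 135 is assumed as the well-known Endpoint Mapper port since the post lists the role without a number.

```powershell
# Added example, not from the original post: verify TCP reachability of the
# domain-join ports from the DMZ server to the DC. $Dc is an assumed name.
param([string]$Dc = 'dc01.corp.example')

$tcpPorts = @(
    @{ Name = 'DNS';                     Port = 53 }
    @{ Name = 'Kerberos (TCP fallback)'; Port = 88 }
    # the post names the role only; 135 is the Endpoint Mapper's well-known port
    @{ Name = 'RPC Endpoint Mapper';     Port = 135 }
    @{ Name = 'LDAP';                    Port = 389 }
    @{ Name = 'SMB / SAM / LSA';         Port = 445 }
    @{ Name = 'Secure LDAP';             Port = 636 }
    @{ Name = 'Global Catalog LDAP';     Port = 3268 }
    @{ Name = 'Global Catalog LDAPS';    Port = 3269 }
)
# UDP cannot be verified with a connect; these stay on the firewall checklist.
$udpPorts = @(53, 88, 123, 137, 138, 389)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    # Works on PowerShell 2.0 / Windows 7, where Test-NetConnection is absent.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # no answer within the timeout usually means the firewall drops the packet
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($handle)   # throws on an active refusal
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$blocked = @()
foreach ($entry in $tcpPorts) {
    $open  = Test-TcpPort -ComputerName $Dc -Port $entry.Port
    $state = if ($open) { 'open' } else { 'BLOCKED' }
    '{0,-24} TCP {1,5}  {2}' -f $entry.Name, $entry.Port, $state
    if (-not $open) { $blocked += $entry.Port }
}
"UDP ports not tested here (check the firewall rules): $($udpPorts -join ', ')"
# The endpoint mapper on 135 hands each RPC call a high port, so the dynamic
# range (49152-65535 on Vista / 2008 and later) must be open as well.
if ($blocked.Count -gt 0) { "Domain join will fail until TCP $($blocked -join ', ') is reachable on $Dc." }
```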

Now for the long story (note that the below solution is conceptual and hasn’t been tested in a lab yet. This is just me getting things written down. I’ll update more after we put this in place) –

When managing machines that are behind a firewall, you’ll need to open ports on the firewall to get them joined to a domain. I have an interesting situation coming up next week where we need to manage machines that are in my customer’s DMZ. In the current customer’s environment, the machines in their DMZ are workgroup machines that aren’t joined to a domain.

From an SCCM perspective, we can manage workgroup machines. However, we still need the ports opened through the firewall to manage these machines. In some cases, network administrators don’t want all of their DMZ machines to go through the firewall that separates the DMZ from the internal network. We haven’t determined if that’s a route we want to take, but I personally feel that the more machines you have that can route through the firewall, the more you increase your attack vector.

My proposed solution would be to build up a secondary SCCM server in the DMZ that can only communicate through the firewall. All of the other machines in the DMZ would communicate through that server. That server doesn’t even HAVE to be a secondary site, we could just build one box with an MP and DP (or whatever other site roles you need). The secondary will just allow us to throttle bandwidth if needed.

Below is a diagram that we use for Internet Based Client management, but for managing machines in the DMZ, the process would be the same.

[Diagram: Network Diagram for Internet-Based Servers - Scenario 3 with No SQL Server Replica]

So in our case, since there will be fewer than one hundred machines in the DMZ that need to be managed, we’ll probably put all site roles on one box. We’ll then need to open the ports I referenced above to allow the server to join the domain (note that all site system roles MUST be part of a domain. They don’t have to be part of the same domain as the site server, but they do need to be part of a domain.). Once the server is joined to the domain, we’ll need to open either port 80 or port 443 (for HTTPS) outbound to allow the Software Update Point to communicate through the firewall. The diagram says HTTPS, but we can use HTTP since we’ll be in a mixed mode environment. For native mode environments you’d need to use HTTPS. We’ll also need SMB 445 outbound open to allow the site server to communicate with the other site roles in the perimeter network. We’ll also need to create an inbound rule for SQL on port 1433 for the management point to communicate with the SQL DB.

Once we’ve done all that, we’ll need to set up the appropriate rights to allow for site system installation on our server.

Client Configuration (thanks to Chris Stauffer for these tips)

In our scenario, we will be able to map to the MP’s client share to install ccmsetup.exe. We can run ccmsetup.exe /MP:servername /logon SMSSITECODE=XYZ. We’ll likely also need to make some adjustments to the LMHOSTS and HOSTS files.

Note that these tips should work if you have the firewall rules enabled for your clients to communicate through the firewall which would be port 80 or any custom port you’ve allowed SCCM to use.

LMHOSTS file:

Add the SMS information to a LMHOSTS file, which you can copy to each client. Use the following as a guide (WS03DC01 is the SMS server name):

192.168.1.61 ws03dc01                        #PRE
192.168.1.61 "SMS_SLP        \0x1A" #PRE
192.168.1.61 "SMS_MP         \0x1A" #PRE
192.168.1.61 "SMS_NLB        \0x1A" #PRE
#            "12345678901234567890"
(note that there must be exactly 20 characters between the quote marks on each line: the NetBIOS name padded with spaces to 15 characters, followed by the 5-character \0x1A suffix that supplies the 16th byte. The last line is only a ruler to help with spacing and is not needed in the file. The quote marks must be plain straight quotes.)
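As an added example (not part of the original post), this PowerShell snippet generates the LMHOSTS lines above with the exact padding the format requires, so an entry is not silently ignored because of a miscounted space. The IP address, server names and output path are constructed sample values.

```powershell
# Added example, not the post's own code: build correctly padded LMHOSTS
# entries. IP, names and output path are constructed sample values.
function New-LmhostsEntry {
    param(
        [Parameter(Mandatory=$true)][string]$IPAddress,
        [Parameter(Mandatory=$true)][string]$Name,   # e.g. SMS_MP
        [string]$Suffix = '1A'                        # 16th byte of the NetBIOS name, hex
    )
    if ($Name.Length -gt 15) { throw "NetBIOS name '$Name' is longer than 15 characters" }
    # Name space-padded to 15 characters, then \0xNN for the 16th byte: exactly 20 characters.
    $padded = $Name.PadRight(15) + '\0x' + $Suffix
    if ($padded.Length -ne 20) { throw "'$padded' is $($padded.Length) characters, expected 20" }
    '{0} "{1}" #PRE' -f $IPAddress, $padded
}

$ip = '192.168.1.61'
$lines = @(
    ('{0} {1} #PRE' -f $ip, 'ws03dc01')      # plain host entry, no padding needed
    (New-LmhostsEntry -IPAddress $ip -Name 'SMS_SLP')
    (New-LmhostsEntry -IPAddress $ip -Name 'SMS_MP')
    (New-LmhostsEntry -IPAddress $ip -Name 'SMS_NLB')
)
$lines

# Write a sample file; the live file is %SystemRoot%\System32\drivers\etc\lmhosts
# (no extension) and 'nbtstat -R' reloads the NetBIOS name cache from it.
$sample = Join-Path $env:TEMP 'lmhosts.sample'
Set-Content -Path $sample -Value $lines -Encoding ASCII
"Sample written to $sample"
```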

HOSTS file:

Add the SMS information to a HOSTS file, which you can copy to each client. Use the following as a guide (WS03DC01 is the SMS server name):

192.168.1.61 ws03dc01.domain.lcl ws03dc01

Summary

Build a server in the DMZ
Open the following inbound ports on the firewall to allow the server in DMZ to join the domain

LDAP TCP in – 389
LDAP UDP in – 389
LDAP for Global Catalog TCP in – 3268
NetBIOS Name Resolution UDP in – 138
SAM/LSA TCP in – 445
SAM/LSA UDP in – 445
Secure LDAP TCP in – 636
Secure LDAP for Global Catalog TCP in – 3269
W32Time NTP UDP in – 123
RPC – RPC Dynamic
RPC Endpoint Mapper
DNS – TCP and UDP 53
Kerberos V5 UDP in – 88
NetBIOS Datagram UDP in – 137

Open the following outbound ports on the firewall to allow SMB and HTTP traffic

SMB TCP/UDP – 445
HTTP TCP – 80

Open the following inbound port on the firewall to allow SQL Traffic from the MP

SQL TCP – 1433

Give rights for the site server on the intranet to the site system server in the DMZ so the site systems can install on the server.

Set up Site Roles (DP, MP, SUP)

Set up a test client and make changes to the LMHOSTS and HOSTS files (if needed, not sure if necessary yet).

Install SCCM client with ccmsetup.exe /MP:servername /logon SMSSITECODE=XYZ

Some may say to use an FSP. I don’t know that it’s necessary. These client installs will be done manually, and I’d rather look at the client logs.

We’ll see how well this works this week. I’ll post an update by end of week.

Windows 7 System Image Recovery: How to Deal with error 0x80042412

So tonight my hard drive in my home theater PC decided it was a good time to crash during a movie the girlfriend and I were watching. I heard a whirr, some nasty scratching, and a few minutes later the screen just went blank. After taking the machine apart, the drive wouldn’t power up, it was clearly dead.

So like a good computer user, I have all of my systems backing up to a Windows 2008 R2 server (this previously was a WHS box, but I wasn’t too impressed with WHS and its streaming performance, especially when the drive extender was running and migrating data to the other drives). The drive in the HTPC was a 400GB Western Digital that was about 5 years old. I didn’t feel like going out and buying a drive, so I wanted to use an old 74GB Western Digital Raptor (probably a little overkill for an HTPC, and probably a little loud, but so what, it was available).

So the next step was to pop in my Windows 7 DVD and initiate the system recovery, which by the way if you’re using a 32 bit OS you must use a 32 bit DVD, and if you’re using a 64 bit OS, you must use a 64 bit DVD. When I did the recovery, I pointed it at my network backup and went through the wizard. Everything went well until it came time to lay the OS down on the drive. That was when I got an error, and a box that brought up some steps to try and had an error code of 0x80042412.

This error means the disk you’re recovering to is smaller than the original disk. If you have access to the VHD and another Windows 7 PC, you can use Disk Management to mount the VHD and shrink the volume. I was able to do this, to an extent, but unfortunately there was unmovable data in the VHD so I could only shrink it down to 200GB (down from 400 GB). I still needed this to be at 74 GB. Unfortunately, I didn’t want to waste the time screwing with it any longer, and since it’s just an HTPC there isn’t any data on the drive, just an install of Boxee and some codecs.
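As an added example (not from the original post), this PowerShell script drives diskpart on a working Windows 7 PC to attach the backup VHD and ask how far its volume can actually shrink before you try restoring to a smaller disk; “shrink querymax” reports the floor set by unmovable files, which is the 200 GB wall described above. The VHD path and volume number are constructed sample values, and it must run from an elevated prompt.

```powershell
# Added example, not the post's own code: attach a backup VHD and query the
# maximum shrink with diskpart. Paths and volume number are sample values.
param(
    [string]$VhdPath   = 'D:\WindowsImageBackup\HTPC\sample.vhd',
    [int]$VolumeNumber = -1,   # -1: attach and list volumes so you can pick one
    [int]$ShrinkMB     = 0     # 0: only query; otherwise shrink by this many MB
)

$commands = @("select vdisk file=`"$VhdPath`"")
if ($VolumeNumber -lt 0) {
    # First pass: attach the VHD and show its volumes; note the Volume ### of the OS volume.
    $commands += 'attach vdisk'
    $commands += 'list volume'
} else {
    # Second pass (VHD already attached): query, optionally shrink, then detach.
    $commands += "select volume $VolumeNumber"
    # querymax reports the most the volume can give up. Unmovable files (page
    # file, hibernation file, shadow copy storage) set that floor, which is why
    # a 400 GB volume may refuse to go below 200 GB.
    $commands += 'shrink querymax'
    if ($ShrinkMB -gt 0) { $commands += "shrink desired=$ShrinkMB" }
    $commands += 'detach vdisk'
}

# diskpart reads its commands from a script file passed with /s
$script = Join-Path $env:TEMP 'vhd-shrink.txt'
Set-Content -Path $script -Value $commands -Encoding ASCII
diskpart /s $script
```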
