Channel: Ask the Core Team

PS script for blog: Enumeration of the files failed


Here’s the script for the blog post: Reasons why the error “Enumeration of the files failed” may occur during System State backup

by Mike Rosado, posted June 18, 2010

 

Open Notepad.exe, copy & paste the script below and save it to a file named GetInvalidImagePathsV2.ps1 

###########################################################################
#
# NAME: GetInvalidImagePathsV2.ps1
#
# AUTHOR:      Suhas Rao
# REVISED BY:  Mark Stanfill
#
# COMMENT: This script was created to help minimize the time of parsing through the registry searching for invalid ImagePaths
#          under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services keys.
#
#          For more details, search for "Enumeration of the files failed" in a blog posted on:
#          http://blogs.technet.com/b/askcore/
#
#    Disclaimer:
#   
#    The sample scripts are not supported under any Microsoft standard support program or service.
#    The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including,
#    without limitation, any implied warranties of merchantability or of fitness for a particular purpose.
#    The entire risk arising out of the use or performance of the sample scripts and documentation remains with you.
#    In no event shall Microsoft, its authors, or anyone else involved in the creation, production,
#    or delivery of the scripts be liable for any damages whatsoever (including, without limitation,
#    damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss)
#    arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.
#
#
# VERSION HISTORY:
# 1.0 - Initial release
# 2.0 - Included searching for spaces in the path
#
###########################################################################

$Verbose = $false;

if (($ARGS.Count -gt 0) -and ($ARGS[0] -ieq "-verbose"))
{
    $Verbose = $true;
}

#
# The list of possible reasons for failure
#
$FailureReasons = @{
                    "INVALID_CHARS"      = "The service path contains invalid characters. " +
                                           "Characters < > : `" | ? cannot be used in a file path.";
                    "INVALID_FORMAT"     = "The service path does not have a proper path format. " +
                                           "Only paths beginning with [<Drive>]:\ format are supported.";
                    "DOUBLE_SLASH"       = "The service path contains double inverted slashes. " +
                                           "UNC Network paths or paths containing double inverted slashes are not supported.";
                    "RELATIVE_PATH"      = "The service path is relative. " +
                                           "Only absolute paths are supported.";
                    "FORWARD_SLASH"      = "The service path contains a forward slash. " +
                                           "Only paths containing an inverted slash are supported.";
                    "REPARSE_POINT"      = "The service path contains a reparse point. " +
                                           "Paths containing a reparse point are not supported.";
                    "UNRECOGNIZED_PATH"  = "Unable to check the path. " +
                                           "Expecting the ImagePath for the service to be a .dll or .exe";
                    "SPACE_IN_PATH"      = "The service path contains spaces; " +
                                           "the whole path needs to be enclosed in double quotes."
                   }

#
# The failure INVALID_CHARS can occur due to the following type of characters
# (wildcard pattern => reason code)
#
$InvalidChars   = @{
                    "*\\*"   = "DOUBLE_SLASH";
                    "*\..\*" = "RELATIVE_PATH";
                    "*\.\*"  = "RELATIVE_PATH";
                    "*/*"    = "FORWARD_SLASH"
                   }

#
# Display the service info
#
function PrintServiceInfo([System.Management.ManagementObject] $Service, [string] $Header,
                          [string] $Reason, [string] $Color)
{
    $Name    = $Service.Name
    $Caption = $Service.Caption
    $Path    = $Service.PathName
    $Info    = $FailureReasons.Item($Reason)

    if ($Color -eq "")
    {
        $Color = "White"
    }

    Write-Host "$Header`n" `
               "    Service Name    : $Name`n" `
               "    Service Caption : $Caption`n" `
               "    Registry key    : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\$Name\ImagePath`n" `
               "    Value           : $Path`n" `
               "    Reason          : $Info`n" `
               "`n" `
               -ForeGroundColor "$Color"
}

#
# For verbose mode, print extra info for every path
#
function PrintStatus([Boolean] $IsBadPath)
{
    if ($Verbose -eq $true)
    {
        if ($IsBadPath -eq $true)
        {
            Write-Host "ERROR" -ForeGroundColor Red;
        }
        else
        {
            Write-Host "OK" -ForeGroundColor Green;
        }
    }
}

#
# This is a core function that fetches the service path given the input from registry
# It expects the service path to be a .dll or .exe
#
function GetActualPathFromServiceImagePath([string] $ServiceImagePath)
{
    $ActualPathName = $null
    $IndexForPath   = $null

    $ExeIndex = $ServiceImagePath.ToLower().IndexOf(".exe");
    $DllIndex = $ServiceImagePath.ToLower().IndexOf(".dll");

    ##
    ## NOTE: Assumption is that the Service Path Always ends in dll or exe
    ##
    if(($ExeIndex -eq -1) -and ($DllIndex -eq -1))
    {
        return $null
    }

    ##
    ## If the path contains both Dll And Exe then we should use the One that Comes First
    ##
    if(($ExeIndex -ne -1) -and ($DllIndex -ne -1))
    {
        if($ExeIndex -gt $DllIndex)
        {
            $IndexForPath = $DllIndex +4;
        }
        else
        {
            $IndexForPath = $ExeIndex +4;
        }
    }
    else
    {
        if($ExeIndex -eq -1)
        {
            $IndexForPath = $DllIndex +4;
        }
        else
        {
            $IndexForPath = $ExeIndex +4;
        }
    }

    $ActualPathName = $ServiceImagePath.Substring(0,$IndexForPath)

    $Quote = "`""
    if($ActualPathName.StartsWith($Quote))
    {
        $ActualPathName = $ActualPathName.Remove(0,1);
    }

    if ($ActualPathName.StartsWith("\\?\") -or $ActualPathName.StartsWith("\\.\"))
    {
        $ActualPathName = $ActualPathName.Substring(4);
    }

    return $ActualPathName
}

##################################################################################
##                                  Main                                        ##
##################################################################################

$Services         = Get-WmiObject Win32_Service
$BadServices      = $null
$Reasons          = $null
$UnrecognizedPath = 0

for ($i = 0; $i -lt $Services.Count; $i++)
{
    ##
    ## Get the actual Exe Path
    ##
    $ActualPathName = GetActualPathFromServiceImagePath $Services[$i].PathName
    if($ActualPathName -eq $null)
    {
        $Path             = $Services[$i].PathName
        $Name             = $Services[$i].Name
        $UnrecognizedPath = 1;

        PrintServiceInfo $Services[$i] "WARNING:" "UNRECOGNIZED_PATH" "Yellow"
        continue;
    }

    ##
    ## Make sure all paths with spaces have double quotes around them:
    ## flag a PathName that does not start with a quote and has whitespace before .exe
    ##
    if (($Services[$i].PathName -match "^[^\x22].*\s.*\.exe.*") -eq $true)
    {
        $BadServices += ,$Services[$i];
        $Reasons     += ,"SPACE_IN_PATH";

        PrintStatus($true);
        continue;
    }

    if ($Verbose -eq $true)
    {
        Write-Host -nonewline "Analyzing path '$ActualPathName' ..."
    }

    ##
    ## Check for Attributes
    ##
    if((Test-Path -IsValid $ActualPathName) -eq $False)
    {
        $BadServices += ,$Services[$i] ;
        $Reasons     += ,"INVALID_CHARS";

        PrintStatus($true);
        continue;
    }

    ##
    ## Check for invalid chars
    ##
    foreach ($Key in $InvalidChars.Keys)
    {
        $Value = $InvalidChars.Item($Key);

        if ($ActualPathName -like $Key)
        {
            $temp = $Key.Replace("*","")

            $BadServices += ,$Services[$i]
            $Reasons     += ,$Value;
        }

    }

    ##
    ## The Start string must be in the below specified format
    ##
    if((($ActualPathName -match "^[a-z]:\\") -ne $true))
    {
        $BadServices += ,$Services[$i]
        $Reasons     += ,"INVALID_FORMAT";

        PrintStatus($true);
        continue;
    }

    ##
    ## Check for Reparse points
    ##
    $RootPath = [System.IO.Path]::GetPathRoot($ActualPathName)

    $Path = $ActualPathName
    $DoesPathExist = Test-Path -Path $ActualPathName
    while(($DoesPathExist -eq $true) -and ($Path -ne $RootPath))
    {

         $h = [System.IO.File]::GetAttributes($Path);

         ## Test the ReparsePoint flag itself; comparing the whole attribute value
         ## numerically would also flag files carrying unrelated higher-valued attributes
         if (($h -band [System.IO.FileAttributes]::ReparsePoint) -ne 0)
         {
            $BadServices += ,$Services[$i]
            $Reasons     += ,"REPARSE_POINT";

            PrintStatus($true);
            break;
         }

         if ($Path.Contains("\") -ne $true)
         {
             break;
         }

         $strPath = $Path.Substring(0,$Path.LastIndexOf("\"));
         $Path    = $strPath
    }

    PrintStatus($false);
}

if ($BadServices.Count -gt 0)
{
    echo ""
    echo "Following are the service(s) found to be reporting invalid paths."
    echo ""

    for ($i = 0; $i -lt $BadServices.Count; $i++)
    {
        $Count   = $i + 1
        PrintServiceInfo $BadServices[$i] "$Count." $Reasons[$i]
    }
}


Reasons why the error Enumeration of the files failed may occur during System State backup


 

In today’s blog submission, we would like to address some reasons and troubleshooting tips for resolving the error of “Enumeration of the files failed” that can occur during System State backup. This particular error can be experienced on various versions of operating systems. But for the purpose of this blog, we will focus on Windows Vista and Windows Server 2008.

The error is captured in the Application Event Log as follows:

Log Name: Application
Source: Microsoft-Windows-Backup
Date: date
Event ID: 517
Task Category: None
Level: Error
Keywords:
User: user name
Computer: computer name
Description:
Backup started at ' time ' failed with following error code '2155348237' (Enumeration of the files failed.). Please rerun backup once issue is resolved.

 

A closer inspection of the System Event Log may actually identify a service that is failing to start when the “Enumeration of the files failed” error is received, as follows:

Log Name: System
Source: Service Control Manager
Date: date
Event ID: 7000
Task Category: None
Level: Error
Keywords:
User: user name
Computer: computer name

Description:
The <servicename> service failed to start due to the following error: The system cannot find the path specified.

Another place where the error may appear is when using the Windows Server Backup tool from a command-line interface (elevated, running as Administrator), as follows:

     wbadmin start systemstatebackup -backuptarget:E:
     wbadmin 1.0 - Backup command-line tool
     (C) Copyright 2004 Microsoft Corp.

     Starting System State Backup [date time]
     Retrieving volume information...
     This would backup the system state from volume(s) Local Disk(C:) to E:.
     Do you want to start the backup operation?
     [Y] Yes [N] No y

     Creating the shadow copy of volumes requested for backup.
     Creating the shadow copy of volumes requested for backup.
     Identifying system state files to backup (This may take a few minutes)...
     Found (2862) files
     Found (6420) files
     Found (9828) files

     Summary of backup:
     ------------------
     Backup of system state failed [date time]

     Log of files successfully backed up
     'C:\Windows\Logs\WindowsServerBackup\SystemStateBackup date time.log'

     Log of files for which backup failed
     'C:\Windows\Logs\WindowsServerBackup\SystemStateBackup_Error date time.log'

     Enumeration of the files failed.
     The parameter is incorrect.

* OR *

     Enumeration of the files failed.
     The process cannot access the file because it is being used by another process.

* OR *

     Enumeration of the files failed.
     The file name, directory name, or volume label syntax is incorrect.......

Several causes can be attributed to this error condition of “Enumeration of the files failed”. In the majority of cases, these causes have a direct correlation to the ImagePath in the registry for a service that is installed. A few that we have discovered so far are:

1.  An invalid path.
2.  Invalid characters in the path.
3.  Syntax formatting of the path.
4.  A valid path on SAN drives of a Failover Cluster.

 

1.       An invalid path – This can be any of the following that have been seen:

         A path pointing to a location that no longer exists.

         An incomplete path (such as \myservice\myservice.exe).

         A UNC path, which the service does not know how to query for the folder (such as \\myservice\myservice.exe).

 

2.       Invalid characters in the path – This can be any of the following that have been seen:

         Dot segments in the path, which some application vendors use (such as C:\myservice\bin\..\myservice.exe).

 

3.       Syntax formatting of the path – This can be any of the following that have been seen:

·         A path that includes a space and is not enclosed in double quotes (such as C:\Program Files (x86)\ my service\bin\myservice.exe).

 

4.       A valid path on SAN drives of a Failover Cluster – This can be any of the following that have been seen:

·         Any service whose path is on the passive node of a Failover Cluster, pointing to a Physical Disk resource that is owned by another node at the time the error is experienced (such as Z:\folder\app\bin\myservice.exe).

 

TROUBLESHOOTING TIPS:

1.       Launch MSINFO32.EXE, then review and closely inspect each of the paths for all the services installed.  HINT: Click on the Start Mode column, so that all the Auto services are at the top. This will make it easier to closely inspect each of the paths for the services that are in a Stopped state.

 


2.       Another method to locate the paths in the registry would be to export the entire Services key and closely inspect the ImagePath values that point to either a local disk or a Physical Disk resource on the SAN owned by one of the nodes in the Failover Cluster.

 

To do this manually, use this command-line interface (elevated, running as Administrator) as such:

reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v ImagePath > regkeys.txt

Then use Notepad.exe to closely inspect each ImagePath.


3.       Most of the time, tracking down this kind of problem can be very time consuming. An easier way of tracking down these invalid ImagePaths is to use a PowerShell (PoSH) script. This PoSH script will locate potential paths in question that need to be corrected by displaying the following Reasons:

·         The service path contains invalid characters. Characters < > : `" | ? cannot be used in a file path.

·         The service path does not have a proper path format. Only paths beginning with [<Drive>]:\ format are supported.

·         The service path contains double inverted slashes. UNC Network paths or paths containing double inverted slashes are not supported.

·         The service path is relative. Only absolute paths are supported.

·         The service path contains a front slash. Only paths containing an inverted slash are supported.

·         The service path contains a reparse point. Paths containing a reparse point are not supported.

·         Unable to check the path. Expecting the ImagePath for the service to be a .dll or .exe

·         The service path contains spaces; the whole path needs to be enclosed in double quotes.

 

Download the following PoSH script, rename it to GetInvalidPathsv2.ps1 and run it from an elevated PoSH command prompt:

Get Invalid Paths 

If the following error is experienced, it is a syntax issue: the script name must be prefixed with (.\), such as .\GetInvalidPathsv2.ps1


If any of the following errors are experienced, it is because the ExecutionPolicy needs to be set to Unrestricted.

This error is experienced in PoSH v1:


This error is experienced in PoSH v2:


 

This command works with both PoSH v1 and v2; it needs to be executed in order to allow the script to run:

                                    Set-ExecutionPolicy unrestricted

When the change is made in the ExecutionPolicy, this will allow you to run the script to list the Reasons found as such:

 


Once .\GetInvalidPathsv2.ps1 completes running, the following command needs to be executed in order to avoid any potential security risks:

 

                        Set-ExecutionPolicy restricted

4.  Once all the paths have been identified, launch REGEDIT, drill down to Services and begin changing the ImagePath with a valid path. Some examples of valid paths would be: 

             \SystemRoot\system32\drivers\adpu160m.sys
             %SystemRoot%\system32\drivers\adpu160m.sys
             %WinDir%\system32\drivers\adpu160m.sys
             C:\Windows\system32\drivers\adpu160m.sys


 

 

5.       Now in the case where the path is valid on a SAN shared drive of a Windows Server 2008 Failover Cluster, then the hotfix and steps outlined in KB980794 would need to be followed as such:

980794  System state backup error in Windows Server 2008 and in Windows Vista: "Enumeration of the files failed"

Use one of the hotfixes in this package and create an ExcludedBinaryPaths registry key. To do this, follow these steps:

          1.  Click Start, type regedit in the Search programs and files box, and then press ENTER.

              NOTE: If you are prompted for an administrator password, type the password. If you are
              prompted for confirmation, provide confirmation.

          2.  Locate and then click the following registry subkey:

              HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemWriter

              NOTE: If this registry subkey does not exist, please create it manually.

          3.  On the Edit menu, point to New, and then click Multi-String Value.
          4.  Type ExcludedBinaryPaths, and then press ENTER.
          5.  Right-click ExcludedBinaryPaths, and then click Modify.
          6.  In the Value data box, type all binary paths that should be excluded from the system state
              backup operation, and then click OK.


Note: The binary paths should be absolute paths. They should not include environment variables (such as %windir%) and should not be enclosed in double or single quotation marks.

          7.  Exit Registry Editor.

NOTE:

·         If you use this method to exclude the service data from the system state backup scope, you have to back up the service data on the shared volume manually.

·         If you assign a drive letter to a shared volume that is excluded from the system state backup scope, you have to manually re-enter all the registry keys by using the new path, because the previously assigned drive letter does not function any longer.

·         If the issue “Enumeration of the files failed” is occurring during a System State backup of a shared SAN drive on a Windows Server 2008 R2 Failover Cluster, Microsoft acknowledges this is a problem in the operating system of this product. Microsoft is currently investigating the issue and working to provide a solution. Once a solution is ready for Windows Server 2008 R2, this blog will be updated.

Important: You have to exclude services carefully, because wrong entries can corrupt the system state.
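As an added example (not from KB980794 or the post), a small PowerShell helper that checks candidate ExcludedBinaryPaths entries against the rules in the note above (absolute paths, no environment variables, no quotation marks) before writing the value, since a wrong entry can corrupt the system state. The function names are made up for this illustration; it assumes the hotfix from the KB is already installed and that the shell is elevated.

```powershell
$SystemWriterKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SystemWriter'

function Test-ExcludedBinaryPathEntry {
    # Return $null when the entry satisfies the KB note, otherwise the rule it breaks.
    param([string] $Entry)
    if ($Entry -match '["'']')        { return 'must not be enclosed in quotation marks' }
    if ($Entry -match '%[^%]+%')      { return 'must not contain environment variables' }
    if ($Entry -notmatch '^[a-z]:\\') { return 'must be an absolute <Drive>:\ path' }
    if ($Entry -match '\\\.\.?\\')    { return 'must not contain . or .. segments' }
    return $null
}

function Set-ExcludedBinaryPaths {
    # Validate every entry first; only a fully valid list is written, in one
    # REG_MULTI_SZ update, because a single wrong entry can corrupt the system state.
    param([string[]] $Paths)

    $problems = @($Paths | ForEach-Object {
        $why = Test-ExcludedBinaryPathEntry $_
        if ($why) { "'$_' $why" }
    })
    if ($problems.Count -gt 0) {
        throw ("Refusing to write ExcludedBinaryPaths:`n" + ($problems -join "`n"))
    }
    if (-not (Test-Path -Path $SystemWriterKey)) {
        # The KB says to create the SystemWriter subkey manually if it is missing
        New-Item -Path $SystemWriterKey -Force | Out-Null
    }
    # -Force replaces an existing value with the new list
    New-ItemProperty -Path $SystemWriterKey -Name 'ExcludedBinaryPaths' `
        -PropertyType MultiString -Value $Paths -Force | Out-Null
}

# Constructed candidate entries: a plain absolute path, one using an environment
# variable and one wrapped in quotes, i.e. the two forms the KB note rules out
$candidates = 'Z:\folder\app\bin\myservice.exe',
              '%windir%\system32\myservice.exe',
              '"Z:\folder\app\bin\myservice.exe"'
foreach ($c in $candidates) {
    $why = Test-ExcludedBinaryPathEntry $c
    Write-Host ('{0,-40} {1}' -f $c, $(if ($why) { $why } else { 'accepted' }))
}
# Set-ExcludedBinaryPaths -Paths 'Z:\folder\app\bin\myservice.exe'   # performs the registry write
```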

 

Please feel free to post your comments. Thanks for your time and, as always, we hope the information here has been useful to you.

Author:

Mike Rosado
Senior Support Escalation Engineer
Microsoft Enterprise Platforms Support

Help us, help you.


Catchy title, huh. Perhaps not, but it is really what we want you to do. This will be a pretty short blog to get out some information that is important for you to know as it may help resolve a Hyper-V issue quickly, or, better yet, prevent one from happening at all. Inside Microsoft, we have what we call Supportability Program Managers (SPM). They help drive product quality by looking at the types of issues that come through our Customer Support organization. They also look at issues being reported in technology forum posts. They track trends so we can improve the product. In a conversation I had recently with the Hyper-V SPM, I was made aware of a number of issues that were resolved last quarter by simply installing a hotfix. So, here I am. Help us, help you by spending some time checking out these two online resources:

Hyper-V Update List for Windows Server 2008: http://technet.microsoft.com/en-us/library/dd430893(WS.10).aspx

Hyper-V Update List for Windows Server 2008 R2: http://technet.microsoft.com/en-us/library/ff394763(WS.10).aspx

While not updated on a daily basis, these resources should be the first stop when you run into an issue with Hyper-V. We cannot make every fix for the operating system and its components available via Windows Update. Some may require downloading using a link provided in a KB article.

As always, we hope this has been informative for you.

Chuck Timon
Senior Support Escalation Engineer
Microsoft Enterprise Platforms Support

Bitlocker Policies for Windows 7 on Windows Server 2003 or Windows Server 2008


Hello, my name is Manoj Sehgal. I am a Support Escalation Engineer in the Windows group, and today’s blog will cover “How to get the BitLocker policies for Windows 7 on Windows Server 2003 at domain functional level”.

If you open Group Policy Management Editor from a Windows Server 2008 Server you will only see policies for bitlocker for Windows Vista Only and not for Windows 7.


Microsoft included the bitlocker admx and adml files for Windows 7 in windows server 2008 R2.

Windows Server 2003 reads only adm files and not admx and adml files. So on Windows Server 2003, you cannot configure admx and adml files.

Resolution:

You will have to configure the bitlocker policies from Windows 7 Client machine.

1. First install the RSAT tools for Windows 7 on a Windows 7 client machine which is already joined to your domain.

http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en

2. Then open Group Policy Management Console and create a new policy for bitlocker.

3. Edit the bitlocker policy which will open group policy management editor.

4. Now you can see the Bitlocker Drive encryption Policies for Windows 7 Operating System.

NOTE: Windows 7 machine would need to be used to configure the bitlocker policies for Windows Vista and Windows 7 client machines.


5. Configure the bitlocker policies and now you can save recovery information in AD.

6. If you have Windows Server 2008 and you want to have Bitlocker policies for windows 7, then you need to copy the corresponding admx and adml file for bitlocker.

7. Go to c:\windows\policydefinition folder on Windows Server 2008 R2 machine and then copy the volumeencryption.admx file and corresponding volumeencryption.adml from c:\windows\policydefinition\en-US folder respectively.

8. Go to Windows Server 2008 and then Copy and Replace the existing volumeencryption.admx located at c:\windows\policydefinition folder and volumeencryption.adml located at c:\windows\policydefinition\en-US folder.

For more information on Group Policies for Bitlocker, see my blog below.
http://blogs.technet.com/askcore/archive/2010/02/16/cannot-save-recovery-information-for-Bitlocker-in-windows-7.aspx
Windows 7, Windows Server 2008 R2 and the Group Policy Central Store
http://blogs.technet.com/b/askds/archive/2009/12/09/windows-7-windows-server-2008-r2-and-the-group-policy-central-store.aspx

Manoj Sehgal
Support Escalation Engineer
Microsoft Enterprise Platforms Support

Are you opening up a .NET case with Microsoft?


My name is Joseph Conway and I am a Senior Escalation Engineer on the CORE team.  Today’s blog entry entails the steps that you as a customer can take when encountering issues with the .Net framework.

The .Net framework ships as both an inbox and standalone installer, depending on the version of the operating system and the version of the framework.  Internally, we support the .Net framework through several teams depending on the types of issues being encountered.  Occasionally, we will have issues that cross internal support team boundaries that may require multiple engineers running utilities to gain information about the system.  This blog attempts to let you, as a customer, know what we typically run for these issues ahead of time, to speed up the support process for you and the engineers working on your issue.

If you are having issues with .Net framework, we ask that you do the following:

1.       Run the Aaron Stebner .Net verification tool for the .Net framework version you are experiencing issues with.  The tool is located here: http://blogs.msdn.com/b/astebner/archive/2008/10/13/8999004.aspx .  When you run the tool, all you need to do is choose the appropriate framework version from the drop-down and choose Verify Now.  When the tool is complete, it will return a success or failure based on its results.  Figures of the tool before and after being run are below:



2.       If the verification of this tool fails, you will need to speak with someone on the developer support team to assist you with your issue.  This applies to all versions of the .Net framework that are shipped with standalone installers, or are out of box installations.  For information on determining the version of the .Net framework and how it may have been installed, please see: http://support.microsoft.com/kb/318785/en-us

3.       If the .Net framework that is failing is an inbox component, such as .Net 3.5.1 on Windows 2008 R2, then there are different steps we would ask for you to take.  When the component is an inbox component, we ask that you use Server Manager to remove the component and then re-add the component to the system as seen in the figure below:


4.       If the re-addition of the component fails, we ask that you run the following two utilities against your system.  These utilities can resolve common servicing issues on a system:

a.       At an elevated command prompt, run SFC /SCANNOW

b.      Run the CheckSUR utility located here: http://support.microsoft.com/kb/947821

5.       If the use of methods 2-3b above does not alleviate the issue, or if the inbox component is failing to install, please ask for assistance from the Windows CORE team when you call in.

Hope this helps….

Joseph Conway
Senior Support Escalation Engineer
Microsoft Enterprise Platforms Support


Customizing Default users profile using CopyProfile


Today’s blog is going to cover some issues around customizing default user profiles when deploying Windows. There are a number of resources available on the CopyProfile topic:

  • 973289 How to customize the default local user profile for Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2
  • The blog on the Deployment Guys website does a good job of describing the issues around the changes with this functionality.

I wanted to add some additional points around this topic to help with your deployments:

  • The Copy Profile button (Control Panel, System, Advanced system settings, Advanced, User Profiles, Settings) is greyed out for accounts. This was done to address issues found in the Shell when this legacy method, dating from the NT4 days, was used to overwrite the Default user profile: although the process appeared to work, there were issues in Windows that were traced back to it. It was not blocked in previous operating systems, but it was considered unsupported and was one of the reasons SP2 was modified to copy the administrator account customizations automatically instead of using the manual method of overwriting the default user profile.
  • Microsoft-Windows-Shell-Setup\CopyProfile setting in unattend.xml is the only supported method for customizing default user
  • With this change not all customizations persist even when using CopyProfile
  • Since there are so many settings in the Shell we do not have a list of what persists and what is reset.
  • In order to determine what will persist we recommend testing of your specific scenario and the settings you are configuring
  • When a new user logs in many different components in Windows must execute some first run actions to prepare the user account. These first run actions can sometimes reset the customizations that were set prior to running sysprep
  • For those settings that do not persist you can check group policy to see if there is setting to control it. The Group Policy Settings Reference is a good place to look.  There are some also some specific group policies for Start Menu and TaskBar here
  • If the CopyProfile process does not copy the setting then ultimately you must find some other method to configure the setting.
  • Many of the settings that are lost are related to the Start Menu and the Taskbar
    • At times Microsoft Customer Service and Support (CSS) is asked if there is a way to script changes to these, but as this blog outlines there is limited programmatic access to them. Additionally, CSS does not help with authoring scripts.
    • There are supported methods for adding additional icons using steps outlined in this blog but it is difficult to remove icons without some type of custom scripting
  • The CopyProfile code copies the profile based on modified time.
    • If you have multiple accounts on the computer it is possible that some account other than the one that was customized may be copied. So to ensure that the customizations are copied from the correct account we recommend that the computer only have the local administrator account and customizations be configured in this account
    • You cannot use a domain account either because the CopyProfile process occurs later in the specialize phase and by then Sysprep has unjoined the machine from the domain and the profile is deleted
    • To check to see if the CopyProfile worked and what account it copied you can review the Windows\Panther\UnattendGC\Setupact.log and search for CopyProfile
    • For more information on this see the following KB article: http://support.microsoft.com/kb/2101557
  • Use of CopyProfile in reference build
    • When installing the OS initially, do not specify CopyProfile=true in the autounattend.xml. Using it during the reference build can cause problems with themes, Aero, and other unknown issues.
    • It should only be specified in the answer file you supply to sysprep.exe when creating a custom image
  • Use of CopyProfile with ConfigMgr
    • Since ConfigMgr runs in the system context when building an image it is not possible to use it to copy customizations to default user
    • One option is to use Microsoft Deployment Toolkit 2010 to build your reference image and then deploy that image with ConfigMgr
  • Use of CopyProfile with Terminal Servers
    • We would recommend using group policy to lock down or configure desktops vs using CopyProfile to configure user profiles.

How you use CopyProfile depends on how the image is created and how it is deployed. Some of the common scenarios are listed below.

Manual build of image (not recommended)

If you are building the image manually you should follow these basic steps

  1. Install Windows. Note: Do not specify CopyProfile in unattend.xml
  2. Log in as administrator. Note: Make sure other accounts do not exist
  3. Customize your settings
  4. Create c:\windows\system32\sysprep\unattend.xml that contains at minimum the entry for Microsoft-Windows-Shell-Setup\CopyProfile and set it to true. Sysprep by default looks for unattend.xml in the sysprep folder
  5. Run %windir%\system32\sysprep\sysprep.exe /generalize /oobe /shutdown

If you use ConfigMgr to deploy this image you do not need to do anything special in ConfigMgr to deploy it to get CopyProfile to work. So you do not need to modify any unattend settings in the task sequence

Use MDT 2010 to build the image and to deploy the image

Note: I would recommend that if you are using MDT 2010 you upgrade to MDT 2010 Update 1, because there have been a number of fixes in the sysprep and capture task sequence. You must always re-create your sysprep and capture task sequence after installing Update 1 in order to get these fixes.

Because MDT runs setup.exe to apply an image (instead of just using imagex to apply it) the following outlines the steps required

  1. In MDT 2010 Update 1 create a task sequence "Deploy Windows" to install Windows
  2. In MDT 2010 Update 1 create a task sequence based on the Sysprep and Capture Task. For more information on this see this blog
  3. Boot the Lite Touch image and choose the "Deploy Windows" Task Sequence. If prompted by the Lite Touch wizard, say No to the prompt to capture the image
  4. After Windows is installed and you log in as administrator, make the changes to the shell you desire. Note: Microsoft would generally recommend that changes to the profile be done in an automated fashion and not manually. See http://blogs.technet.com/b/deploymentguys/archive/2009/10/29/configuring-default-user-settings-full-update-for-windows-7-and-windows-server-2008-r2.aspx for more information.
  5. Map network drive to the MDT 2010 Update 1 DeploymentShare$.
  6. Run Scripts\Litetouch.wsf
  7. Run the Sysprep and capture task sequence. Note: if you run into an issue with multiple connections, you are likely still running MDT 2010. See this blog. This issue is resolved in MDT 2010 Update 1
  8. Import the captured image from DeploymentShare$\captures\image.wim.
  9. Create a task sequence "Deploy customized Windows image" to deploy the custom image you just imported
  10. In properties of the task sequence choose OS info tab
  11. Click edit unattend.xml
  12. Modify Microsoft-Windows-Shell-Setup under the Specialize phase and change CopyProfile to true

  13. Click File, exit, and save changes
  14. Boot lite touch image and choose the "Deploy customized Windows image" task sequence
  15. To test, create a new user and log in as that user. Look for the changes you made. Note: not all changes are carried over in this process. If a setting is not carried over you must find alternative means to make the change. Use group policy, scripts, or other means

Note: If you use MDT 2010 to capture the image it does not capture the Windows\Panther folder so if you were to deploy it manually using imagex, WDS, or some other manner then CopyProfile would not execute. It would be better to manually capture the image using imagex if you are not going to deploy it with MDT

Use MDT 2010 to build the image and capture it then use ConfigMgr to deploy the image

  1. Follow steps 1-7 above to create and capture your image
  2. Create a CopyProfile.xml in Windows System Image Manager that contains at least the following

    <?xml version="1.0" encoding="utf-8"?>
    <unattend xmlns="urn:schemas-microsoft-com:unattend">
    <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <CopyProfile>true</CopyProfile>
    </component>
    </settings>
    <cpi:offlineImage cpi:source="catalog:c:\flat\install_windows 7 enterprise.clg" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
    </unattend>

    Note: I would not recommend copying/pasting the example since you need to account for different architectures.

  3. Create a package in ConfigMgr that contains the copyprofile.xml file created in Step 2.
  4. Import the image into ConfigMgr
  5. In the ConfigMgr console modify the “Use an unattended or sysprep answer file for custom installation” property in the Apply Operating system task. Specify the package created in Step 3 and the file created in Step 2.

If you use the ConfigMgr capture media to capture the image instead of MDT 2010 you should follow steps 2-5.

The benefit of specifying the unattend.xml in this manner is that the file is located outside the image and is easy to update or change.

Hopefully this helps to explain more around this issue and if a specific customization is not copied as part of the CopyProfile process I would encourage readers of this blog to post the exact setting that was lost. We would also need exact steps on how the setting was configured so we can evaluate the impact of this issue

Scott McArthur
Senior Support Escalation Engineer
Microsoft Enterprise Platforms Support


How to use Hash of TPM from AD to reset your TPM password

Hello, my name is Manoj Sehgal. I am a Support Escalation Engineer in the Windows group and today’s blog will cover “How to use Hash of TPM from AD to reset your TPM password”.

As per Best Practices for Bitlocker we configure a Group Policy for TPM to backup information in AD DS.

Note: See links at the end to configure the Group Policy for TPM and Bitlocker.

By design, we save a hash of the TPM owner password in AD, not the actual TPM owner password.

Consider the below scenarios:

Scenario 1:

  • Customer rolls out machines using SCCM. SCCM creates a random password for “TPM Owner Password” as part of enabling bitlocker (MDT does this also). 

Scenario 2:

  • If the user enabled Bitlocker and specified a “TPM Owner password”.  In this instance you could see a scenario where you fired that person and need to give the laptop to his replacement. If you do not have the TPM password, you will only be able to clear the TPM to factory defaults, and then when you restart your computer it will prompt you for the 48 digit bitlocker recovery key.
  • This password is saved in AD (msTPM-OwnerInformation) attribute as hash value.  By default only domain admins can read this attribute.

At some point the domain admin needs to make a change in TPM.MSC.  In order to do this you must supply the TPM “Owner password” otherwise the TPM chip is cleared so you would lose all data on the TPM chip. 

Backing up the TPM owner information for a computer allows administrators to locally and remotely configure the TPM security hardware on that computer. As an example, an administrator might want to reset the TPM to factory defaults when decommissioning or repurposing computers.

In order to reset the TPM Owner Password, follow the below steps:

Resolution:

1. Open notepad and copy the below information.

<?xml version="1.0" encoding="UTF-8"?>

<ownerAuth>JLi2ycvjzYgYaDq5zQ094U/FxAs=</ownerAuth>

2. Get the hash information from the msTPM-OwnerInformation attribute and replace the hash information between the <ownerAuth>……</ownerAuth> tags.

3. Save the file as whatevername.tpm.

4. Open TPM Administration Console (tpm.msc) and Click on Change Owner Password.

5. Select “I have the Owner Password File” and point it to the .tpm file you saved above.

6. Now you can successfully change the TPM password.
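
As an added example that is not part of Manoj's post, the following PowerShell function automates steps 1 to 3 above: it reads msTPM-OwnerInformation for a computer object and writes the .tpm file that tpm.msc expects. It assumes the Active Directory module (RSAT) is available, that the caller is allowed to read the attribute (Domain Admins by default), and that the file is written as UTF-8 without a byte-order mark; the computer name in the usage line is made up.

```powershell
function New-TpmOwnerPasswordFile {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [string]$OutFile = (Join-Path $env:TEMP "$ComputerName.tpm")
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # Only Domain Admins can read this attribute by default; anyone else sees an empty value.
    $computer = Get-ADComputer -Identity $ComputerName -Properties 'msTPM-OwnerInformation'
    $hash = [string]$computer.'msTPM-OwnerInformation'
    if ([string]::IsNullOrEmpty($hash)) {
        throw "No msTPM-OwnerInformation stored for $ComputerName; the TPM owner hash was never backed up to AD (check the TPM backup Group Policy)."
    }

    # The attribute holds a base64-encoded SHA-1 hash of the owner password (20 bytes), not the password itself.
    try { $raw = [Convert]::FromBase64String($hash) }
    catch { throw "msTPM-OwnerInformation for $ComputerName is not valid base64: $hash" }
    if ($raw.Length -ne 20) {
        Write-Warning "Unexpected hash length ($($raw.Length) bytes); expected a 20-byte SHA-1 value"
    }

    # Same two-line layout as the file built by hand in steps 1 and 2 above
    $content = "<?xml version=`"1.0`" encoding=`"UTF-8`"?>`r`n<ownerAuth>$hash</ownerAuth>`r`n"
    # Assumption: UTF-8 without a byte-order mark, matching the file's own encoding declaration
    [System.IO.File]::WriteAllText($OutFile, $content, (New-Object System.Text.UTF8Encoding($false)))
    Get-Item $OutFile
}

# Usage (constructed computer name); then in tpm.msc choose Change Owner Password,
# "I have the Owner Password File", and select the .tpm file that was written.
# New-TpmOwnerPasswordFile -ComputerName 'CONTOSO-LAPTOP01'
```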

For more information on Group Policies for Bitlocker, see my blog below.
http://blogs.technet.com/askcore/archive/2010/02/16/cannot-save-recovery-information-for-Bitlocker-in-windows-7.aspx

Bitlocker Policies for Windows 7 on Windows Server 2003 or Windows Server 2008

http://blogs.technet.com/b/askcore/archive/2010/07/02/bitlocker-policies-for-windows-7-on-windows-server-2003-or-windows-server-2008.aspx

Manoj Sehgal
Support Escalation Engineer
Microsoft Enterprise Platforms Support



Issues Resulting in Bitlocker Recovery Mode and Their Resolution

My name is Tanner Slayton and I am a Sr. Support Escalation Engineer for Microsoft on the Windows Core Team. I am writing today to shed some light on a common Bitlocker problem that we see.

* While you can accomplish most tasks via the Bitlocker Control Panel Applet, I am going to be using the manage-bde commands from an elevated command prompt.

Specific operations or actions will cause Bitlocker to go into Recovery Mode and ask you to enter the 48-digit Recovery Key. This can be caused by several things, and a complete list can be viewed here , but today I am going to go over the most common issues.

Scenario # 1:      When you are using a Laptop or Desktop computer and do not have the BIOS Boot order with the OS HDD listed as the first boot device. The reason for this is that the boot device makes up part of the system measurement used by Bitlocker, and this must remain consistent to validate the system status and unlock BitLocker. (i.e. if you have the DVD-ROM drive listed first and have bootable media inserted, this can cause the system measurement to change.) Some firmware will also treat PXE network boot as a change in boot order, even when the user does not choose network boot. Changing from a wireless to a wired network can trigger a recovery event. Putting the HDD first in boot order generally eliminates these issues.

Resolution:

o   Suspend Bitlocker drive encryption by typing "manage-bde -protectors -disable c:" from an elevated command prompt.

o   Go into the BIOS and change the Boot Order so the OS HDD is first in the list.

o    By default from most hardware vendors, the HDD is not the first boot device.

o    If you have a laptop with a docking station, make sure that it is plugged into the docking station, in order to make sure that the external devices presented by the docking station are present in BIOS.

o    Boot into the Operating System and run "manage-bde -protectors -enable c:"

Scenario # 2:      When you are either deploying a new system or encrypting the drive for the first time. You might pause the Bitlocker encryption process, in order to speed up the performance or while performing other tasks, so that encryption can run later or you need more than the 6 GB worth of free space to continue deploying the system.  When you run "manage-bde -pause c:" you are pausing the drive encryption of C:, but not the Bitlocker protectors on the system.

You might say to yourself, if I run "manage-bde -status c:" I see that the protection is off on that drive. The reason you see this is that the protection for the drive is not yet completed, but the clear text key still exists.

Volume C: []
[OS Volume]
    Size:                 37.17 GB
    BitLocker Version:    Windows 7
    Conversion Status:    Encryption Paused
    Percentage Encrypted: 3%
    Encryption Method:    AES 128 with Diffuser
    Protection Status:    Protection Off <--- Where it shows "Protection Off"
    Lock Status:          Unlocked
    Identification Field: None

Resolution:

o   When you need to pause the encryption, whether for performance or drive space reasons, you need to run "manage-bde -pause c:"

o   After encryption has been paused, you will want to run "manage-bde -protectors -disable c:"

o   Once you have completed your tasks and wish to start the encryption process again you can run "manage-bde -resume c:"

o   Once the encryption is complete, or if you have completed your tasks, you will then want to run "manage-bde -protectors -enable c:"

Scenario # 3:      The BIOS / TPM firmware are out of date on the systems.

Resolution:

o   Suspend Bitlocker drive encryption: "manage-bde -protectors -disable c:"

o   Update the BIOS on the system

o    If there is a TPM Firmware update, please follow the vendor installation instructions.

o   Reboot the Operating System and run "manage-bde -protectors -enable c:"

Scenario # 4:      When you are installing additional language packs onto the system, and selecting the option to apply the language settings to all users and system accounts. This causes a locale change in the BCD (Boot Configuration Database), which Bitlocker with TPM interprets as a boot attack.

Resolution:

o   Suspend Bitlocker drive encryption: "manage-bde -protectors -disable c:"

o   Add language packs to the system and make any language settings.

o   Resume Bitlocker drive encryption: "manage-bde -protectors -enable c:"

Scenario # 5:      When you create or modify any of the partitions that reside on the O/S drive.

Resolution:

o   Suspend Bitlocker drive encryption: "manage-bde -protectors -disable c:"

o   Shrink, expand, or create any partitions on the drive.

o   Resume Bitlocker drive encryption: "manage-bde -protectors -enable c:"
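
As an added example that is not part of Tanner's post, the PowerShell below parses the manage-bde -status layout shown in Scenario 2 so the "paused but clear-text key still present" state can be spotted programmatically, and wraps a maintenance task in the suspend / re-enable sequence that the scenarios share. It assumes an elevated PowerShell on Windows 7 or Server 2008 R2 with manage-bde.exe on the path; the diskpart script path in the usage comment is a placeholder.

```powershell
function Get-BdeStatus {
    param(
        [string]$Drive = 'C:',
        [string[]]$RawOutput   # captured text to parse offline; omit to query the live system
    )
    if (-not $RawOutput) { $RawOutput = & manage-bde.exe -status $Drive }
    $fields = @{}
    foreach ($line in $RawOutput) {
        # Lines look like "    Conversion Status:    Encryption Paused"
        if ($line -match '^\s*([^:]+?):\s+(.+?)\s*$') { $fields[$matches[1]] = $matches[2] }
    }
    $pct = 0
    if ($fields['Percentage Encrypted'] -match '(\d+)') { $pct = [int]$matches[1] }
    New-Object PSObject -Property @{
        Drive              = $Drive
        ConversionStatus   = $fields['Conversion Status']
        PercentEncrypted   = $pct
        ProtectionStatus   = $fields['Protection Status']
        # Scenario 2: "Protection Off" while conversion is merely paused means the clear-text
        # key is still on disk; the protectors still have to be disabled explicitly.
        PausedWithClearKey = (($fields['Conversion Status'] -eq 'Encryption Paused') -and
                              ($fields['Protection Status'] -like 'Protection Off*'))
    }
}

function Invoke-WithBitLockerSuspended {
    param(
        [Parameter(Mandatory=$true)][scriptblock]$MaintenanceTask,
        [string]$Drive = 'C:'
    )
    # Same first step as every scenario above: suspend the key protectors
    & manage-bde.exe -protectors -disable $Drive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not suspend protectors on $Drive (manage-bde exit code $LASTEXITCODE)" }
    try {
        & $MaintenanceTask
    } finally {
        # Re-arm even if the task failed, so the drive is never left with protection off
        & manage-bde.exe -protectors -enable $Drive | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "Re-enabling protectors on $Drive failed; run 'manage-bde -protectors -enable $Drive' by hand"
        }
    }
}

# Scenario 5 usage: resize a partition on the OS disk without triggering recovery
# (placeholder diskpart script path):
# Invoke-WithBitLockerSuspended -Drive 'C:' -MaintenanceTask { & diskpart.exe /s 'C:\maint\shrink.txt' }

# Offline parse of the listing shown in Scenario 2 (constructed sample)
$sample = @(
    'Volume C: []',
    '[OS Volume]',
    '    Size:                 37.17 GB',
    '    BitLocker Version:    Windows 7',
    '    Conversion Status:    Encryption Paused',
    '    Percentage Encrypted: 3%',
    '    Encryption Method:    AES 128 with Diffuser',
    '    Protection Status:    Protection Off',
    '    Lock Status:          Unlocked',
    '    Identification Field: None'
)
Get-BdeStatus -Drive 'C:' -RawOutput $sample | Format-List
```

The wrapper only fits changes that complete inside the running OS (Scenarios 4 and 5); for BIOS or TPM firmware updates that take effect across a reboot (Scenarios 1 and 3), suspend, reboot, and then re-enable the protectors as those scenarios describe.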

I want to thank you for your time today and hope that this information was helpful.

Tanner Slayton
Senior Support Escalation Engineer
Microsoft Enterprise Platforms Support

How to Prevent Local Administrator from Turning OFF bitlocker

Hello, my name is Manoj Sehgal. I am a Support Escalation Engineer in the Windows group and today’s blog will cover “How to Prevent Local Administrators from turning OFF bitlocker”.

In an organization, some users are part of the local Administrators group so that they can install applications. By default, members of the local Administrators group have rights to turn off or suspend BitLocker.

If we want to prevent local admins from turning off or suspending BitLocker, we can achieve this easily by implementing the two steps below.

  1. Configure a GPO to remove the Bitlocker Icon from Control Panel.
  2. Configure Application Control Policies (Applocker) to block manage-bde.exe.

Step 1: How to remove Bitlocker Icon from Control Panel

1. We will need to create a User Group Policy to disable bitlocker icon from Control Panel.

2. Open Group Policy Management Editor and expand User configuration.

3. Under Administrative Templates, click Control Panel.

4. Click on Hide Specified Control Panel items and Enable this policy (see below).

Figure 1: Group Policy Editor to configure the Policy

5. Click on Show “List of disallowed Control Panel Items”.

6. Add the Canonical Name for Bitlocker which is Microsoft.BitLockerDriveEncryption

See link below to get Canonical Names of Control Panel Items.

http://msdn.microsoft.com/en-us/library/ee330741(v=VS.85).aspx

Figure 2: Enable the “Hide Specified Control Panel Items” Policy.

Figure 3: Add Value as Microsoft.BitLockerDriveEncryption

7. After you have created the group policy, on the client machine, run gpupdate /force.

8. The above steps will remove Bitlocker Drive Encryption Icon from Control Panel.

Step 2: How to use Application Control Policies (Applocker) to block manage-bde

1. If we want to use Application Locker, we have to make sure that Application Identity Service is running on the client machine.

We can also use a Group Policy object (GPO) setting that configures the Application Identity service Startup type to Automatic. For information about using Group Policy, see Planning and Deploying Group Policy (http://go.microsoft.com/fwlink/?LinkId=143689).

2. Open Service control panel and start the Application Identity Service.

3. On the computer, open the local security policy (secpol.msc).

4. In the console tree, double-click Application Control Policies, and then double-click AppLocker.

5. Expand Application Control Policies and Right click on Executable rules.

6. Create a New Rule to Deny access to manage-bde.exe to all users.

Figure 4: Applocker rule to Deny Access to manage-bde

7. See Figures 6, 7 and 8 to create the rule and enforce it.

Figure 5: Deny Properties with the Path for manage-bde.

Figure 6: Path to manage-bde.exe

Figure 8: Enforcement of the policy.

8. Enforce the rules and then we are set with the policy.

9. On the client machine, run gpupdate /force.

10. Now if you open a command prompt and try to run manage-bde.exe you will get access denied and it will say that this policy is controlled by GPO.
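
As an added example that is not part of Manoj's post, the script below expresses the deny rule from Step 2 as an importable AppLocker policy and tests it before applying it. It assumes Windows 7 Enterprise/Ultimate or Server 2008 R2 with the AppLocker PowerShell module, an elevated prompt, and the default Allow rules; the rule GUIDs are generated on the fly and the LDAP path in the final comment is a placeholder.

```powershell
Import-Module AppLocker -ErrorAction Stop

# Rule IDs only need to be unique GUIDs, so they are generated here rather than copied from a console export
$denyId = [guid]::NewGuid(); $pfId = [guid]::NewGuid(); $winId = [guid]::NewGuid(); $admId = [guid]::NewGuid()

# Once an Exe rule collection contains any rule and is enforced, every executable that no Allow rule
# matches is blocked. A deny-only collection would therefore block everything, so the deny rule ships
# together with the three default Allow rules. Deny always wins over Allow, so the Administrators "*"
# rule does not let local admins run manage-bde.exe.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$denyId" Name="Deny manage-bde.exe for all users" Description="Prevents turning off or suspending BitLocker from the command line" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%SYSTEM32%\manage-bde.exe" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$pfId" Name="(Default Rule) All files located in the Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$winId" Name="(Default Rule) All files located in the Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$admId" Name="(Default Rule) All files" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'deny-manage-bde.xml'
[System.IO.File]::WriteAllText($policyPath, $policyXml)

# Dry run for Everyone: manage-bde should come back Denied while an unrelated system binary stays Allowed
Test-AppLockerPolicy -XmlPolicy $policyPath -User 'S-1-1-0' `
    -Path @("$env:SystemRoot\System32\manage-bde.exe", "$env:SystemRoot\System32\notepad.exe") |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Rules are only enforced while the Application Identity service runs (Step 2, item 1 above)
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Merge into the local policy; for a domain GPO pass -Ldap "LDAP://<dc>/CN={<gpo-guid>},CN=Policies,CN=System,DC=<domain>,DC=<tld>"
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

After gpupdate /force on the client, the "access denied / controlled by GPO" message from step 10 should appear for manage-bde.exe, while the Explorer context-menu entries discussed next are unaffected.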

If you open Windows Explorer, you can still Turn ON BitLocker or Manage BitLocker.

To remove these Explorer options as well, make the registry change below on the computer.

For Operating System Drives:

Open registry and browse to

[HKEY_CLASSES_ROOT\Drive\shell\encrypt-bde-elev]

Change the value to "AppliesTo"="None"

For USB drives and Fixed Data drives, do as mentioned below:

[HKEY_CLASSES_ROOT\Drive\shell\encrypt-bde]

"AppliesTo"="None"

For more information on Group Policies for Bitlocker, see my blogs below.

Cannot Save Recovery Information for Bitlocker in Windows 7
http://blogs.technet.com/askcore/archive/2010/02/16/cannot-save-recovery-information-for-Bitlocker-in-windows-7.aspx

Bitlocker Policies for Windows 7 on Windows Server 2003 or Windows Server 2008
http://blogs.technet.com/b/askcore/archive/2010/07/02/bitlocker-policies-for-windows-7-on-windows-server-2003-or-windows-server-2008.aspx

How to backup recovery information in AD after Bitlocker is turned ON in Windows 7
http://blogs.technet.com/b/askcore/archive/2010/04/06/how-to-backup-recovery-information-in-ad-after-bitlocker-is-turned-on-in-windows-7.aspx

Manoj Sehgal
Support Escalation Engineer
Microsoft Enterprise Platforms Support

Working with File Shares in Windows Server 2008 (R2) Failover Clusters

I know what you are thinking, “How hard can it be to work with cluster file shares?”. I would be willing to bet a lot of you have been working with File Server clusters since NT 4.0 days. If you are still working with them today in Windows Server 2008 R2, you know things have changed. In this blog, I hope to give you some insight into a piece of functionality both within Failover Cluster and Explorer that may alter the way you work with file shares in your organization. It may even help finally solve a mystery that has been plaguing some of you for a while now.

I will be working with a 2-Node Windows Server 2008 R2 Failover Cluster (Figure 1).

Figure 1

In the cluster, I created a highly available File Server (CONTOSO-FS1). I created a series of folders, using the Explorer interface, on the storage in the File Server resource group (Figure 2).

Figure 2

I use the folders to make shares highly available in the CONTOSO-FS1 File Server resource group.

There are three main ways to provision shares in a Failover Cluster using built-in GUI tools.

1. Failover Cluster Management snap-in

2. Share and Storage Manager snap-in

3. Explorer interface

In the Failover Cluster Management interface, the Add a shared folder function is available in the Actions pane (Figure 3).

Figure 3

In the Share and Storage Management interface, the Provision Share function is available in the Actions pane (Figure 4).

Figure 4

In Explorer, you simply Right-Click on the folder and Share with users (or nobody to stop sharing) (Figure 5).

Figure 5

The end result using any of these three methodologies is shared folders appearing in the Failover Cluster Manager snap-in in the CONTOSO-FS1 resource group (Figure 6).

Figure 6

A similar display can be seen in Share and Storage Manager (Figure 7).

Figure 7

Inspecting the cluster registry hive, we can see the shares defined under the appropriate File Server Resource (FileServer-(CONTOSO-FS1)(Contoso-FS1 (Disk)) (Figure 8).

Figure 8

At this point you may be thinking, “So what Chuck. This isn’t rocket science. We know all this stuff.” And, you may be right. Setting up the shares is the easy part, and we provide you with several methods with which to accomplish this, but what happens when you no longer want to share ‘stuff’ anymore? This is where it could get a little interesting.

If you do not want to share a folder anymore, there are correct ways to do this. In the Failover Cluster Management interface, Right-Click on the shared folder and select Stop Sharing (Figure 9).

Figure 9

In the Share and Storage Manager interface, Right-Click on the share and select Stop Sharing (Figure 10).

Figure 10

Finally, in the Explorer interface, Right-Click on the folder and select Share with Nobody (Figure 11).

Figure 11

The unexpected behavior occurs in the Explorer interface if instead of choosing to stop sharing by executing the process in Figure 11, the user chooses to Delete the folder (Figure 12). There could be unintended consequences for that action.

Figure 12

In Explorer, when the folder is selected for deletion, a pop-up Confirmation window is displayed. An example of one is shown in Figure 13.

Figure 13

If Yes is selected, the folder is deleted. In the Failover Cluster Management interface, however, the shared folder that was just deleted in Explorer is still displayed and appears to be Online (Figure 14).

Figure 14

Even the cluster registry hive will show the share present under the File Server resource (Figure 15).

Figure 15

Note: In previous versions of clustering, the cluster service maintained cluster file share information in the registry key HKLM\System\CurrentControlSet\Services\LanmanServer\Shares.

Here is the punch line – the next time the File Server Resource is cycled Offline and then back Online again (like during a Failover of the resource group to another node in the cluster), an Error (Event ID 1588) will be registered in the System Event Log (Figure 16). The error indicates that the share that cannot be found also cannot be brought Online by the File Server resource.

Figure 16

The cluster log reports a problem as well but it is only a Warning (Figure 17).

00000944.00000688::2010/08/07-18:05:31.183 WARN [RES] File Server <FileServer-(CONTOSO-FS1)(Contoso-FS1 (Disk))>: Failed in NetShareGetInfo(CONTOSO-FS1, Pictures), status 2310. Tolerating...

00000944.00000b04::2010/08/07-18:06:31.185 WARN [RES] File Server <FileServer-(CONTOSO-FS1)(Contoso-FS1 (Disk))>: Failed in NetShareGetInfo(CONTOSO-FS1, Pictures), status 2310. Tolerating...

00000944.00000590::2010/08/07-18:07:31.190 WARN [RES] File Server <FileServer-(CONTOSO-FS1)(Contoso-FS1 (Disk))>: Failed in NetShareGetInfo(CONTOSO-FS1, Pictures), status 2310. Tolerating...

00000944.00000830::2010/08/07-18:08:31.194 WARN [RES] File Server <FileServer-(CONTOSO-FS1)(Contoso-FS1 (Disk))>: Failed in NetShareGetInfo(CONTOSO-FS1, Pictures), status 2310. Tolerating...

00000944.00000b48::2010/08/07-18:09:31.197 WARN [RES] File Server <FileServer-(CONTOSO-FS1)(Contoso-FS1 (Disk))>: Failed in NetShareGetInfo(CONTOSO-FS1, Pictures), status 2310. Tolerating...

Figure 17

Decoding Status 2310 (Figure 18)

Figure 18

These errors in the System Event Log do not prevent the File Server resource from coming Online and bringing all the other valid shared folders Online (except if it were the last shared folder associated with the File Server resource. See the ‘bonus material’ at the end of the blog). However, I think you can quickly see that the process of deleting shared folders instead of just stopping them from being shared can, over time, accumulate orphaned entries in the cluster registry hive and the Event ID 1588 Error messages will continue to be registered for each of the ‘orphaned’ shares.

One way this behavior manifests itself is if a shared folder is created in Failover Cluster Manager or Share and Storage Manager, and is then deleted in Explorer. The Event ID 1588 is registered because the cluster registry hive is not ‘cleaned’ up properly. If the folder is shared in Explorer and then subsequently deleted in Explorer, a different pop-up Warning is displayed (Figure 19).

Figure 19

If folders are not deleted but instead are just stopped from being shared, then the cluster is cleaned up properly and the error should not be registered. If the pop-up in Figure 19 is displayed (as opposed to the pop-up shown in Figure 13), then the share will be properly removed from the Failover Cluster and the cluster registry hive will be properly cleaned up.

Another scenario where we could see an Event ID 1588 registered, but not be the result of the cluster registry hive not being cleaned up properly, would be where the System account had been removed from the default security setting for a folder that was shared in a Failover Cluster.
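
As an added example that is not part of Chuck's post, the PowerShell below turns the two symptoms described above into a check: it scans cluster log lines for the NetShareGetInfo status 2310 warnings shown in Figure 17 and reports each orphaned share once, and it pulls the Event ID 1588 entries from the System log. It assumes Windows Server 2008 R2 with the FailoverClusters module and that the clustering events come from the Microsoft-Windows-FailoverClustering provider; the sample log lines are constructed to match the Figure 17 format.

```powershell
function Get-OrphanedClusterShare {
    param([Parameter(Mandatory=$true)][string[]]$LogLines)
    # Status 2310 is NERR_NetNameNotFound ("This shared resource does not exist"): the File Server
    # resource still carries the share in the cluster hive, but the folder behind it is gone.
    $pattern = 'File Server <(?<Resource>[^>]+)>: Failed in NetShareGetInfo\((?<Server>[^,]+), (?<Share>[^)]+)\), status (?<Status>\d+)'
    $seen = @{}
    foreach ($line in $LogLines) {
        if (($line -match $pattern) -and ($matches['Status'] -eq '2310')) {
            # The warning repeats on every IsAlive pass (once a minute in Figure 17); report each share once
            $key = '{0}|{1}|{2}' -f $matches['Resource'], $matches['Server'], $matches['Share']
            if (-not $seen.ContainsKey($key)) {
                $seen[$key] = $true
                New-Object PSObject -Property @{
                    Resource = $matches['Resource']
                    Server   = $matches['Server']
                    Share    = $matches['Share']
                }
            }
        }
    }
}

function Find-OrphanedClusterShare {
    param([string]$Node = $env:COMPUTERNAME, [int]$TimeSpanMinutes = 60)
    Import-Module FailoverClusters -ErrorAction Stop
    # Generate cluster.log for the last hour on this node and scan it
    $logFiles = Get-ClusterLog -Node $Node -TimeSpan $TimeSpanMinutes -Destination $env:TEMP
    foreach ($file in $logFiles) {
        Get-OrphanedClusterShare -LogLines (Get-Content $file.FullName)
    }
}

function Get-ClusterShareOnlineFailure {
    # Event ID 1588 in the System log, the error that accumulates for every orphaned share
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-FailoverClustering'; Id = 1588 } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Constructed sample in the Figure 17 format: two repeats of one orphan plus an unrelated INFO line
$sample = @(
    '00000944.00000688::2010/08/07-18:05:31.183 WARN  [RES] File Server <FileServer-(CONTOSO-FS1)(Contoso-FS1 (Disk))>: Failed in NetShareGetInfo(CONTOSO-FS1, Pictures), status 2310. Tolerating...',
    '00000944.00000b04::2010/08/07-18:06:31.185 WARN  [RES] File Server <FileServer-(CONTOSO-FS1)(Contoso-FS1 (Disk))>: Failed in NetShareGetInfo(CONTOSO-FS1, Pictures), status 2310. Tolerating...',
    '00000944.00000590::2010/08/07-18:07:31.190 INFO  [RES] File Server <FileServer-(CONTOSO-FS1)(Contoso-FS1 (Disk))>: Shares are being scoped to virtual name CONTOSO-FS1'
)
Get-OrphanedClusterShare -LogLines $sample | Format-Table Resource, Server, Share -AutoSize

# Cleanup of anything reported stays a manual step: Stop Sharing the orphan in Failover Cluster
# Manager (Figure 9), which removes it from the cluster hive, rather than editing the hive by hand.
```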

Bonus Material:

What happens if the final shared folder that is associated with a File Server Resource is deleted? At the first LooksAlive\IsAlive check, the File Server resource will fail. A failover will be initiated, but in the end, the File Server Resource will remain in a Failed state. An Event ID 1587 (Figure 20) could be registered along with the customary Event ID 1069 reporting a cluster resource failure.

Figure 20

The cluster log entry will be different from the previous entry (Figure 17) as shown in the highlighted section below (Figure 21). This time it is not a Warning but an Error ([ERR]) that is seen in the cluster log.

00000720.00000a70::2010/08/10-22:25:13.616 INFO [RES] File Server <FileServer-(CONTOSO-FS1)(Contoso-FS1 (Disk))>: Shares 'are being scoped to virtual name CONTOSO-FS1

00000720.00000a70::2010/08/10-22:25:13.616 DBG [RHS] Resource FileServer-(CONTOSO-FS1)(Contoso-FS1 (Disk)) called SetResourceStatus: checkpoint 2. Old state OnlinePending, new state OnlinePending

00000720.00000a70::2010/08/10-22:25:13.616 WARN [RES] File Server <FileServer-(CONTOSO-FS1)(Contoso-FS1 (Disk))>: Failed to open path e:\Documents. Error: 2. Maybe a reparse point...

00000720.00000a70::2010/08/10-22:25:13.616 ERR [RES] File Server <FileServer-(CONTOSO-FS1)(Contoso-FS1 (Disk))>: Failed to open path e:\Documents with reparse flag. Error: 2.

00000720.00000a70::2010/08/10-22:25:13.616 ERR [RES] File Server <FileServer-(CONTOSO-FS1)(Contoso-FS1 (Disk))>: Failed to online a single share among 1 shares.

00000720.00000a70::2010/08/10-22:25:13.616 DBG [RHS] Resource FileServer-(CONTOSO-FS1)(Contoso-FS1 (Disk)) called SetResourceStatus: checkpoint 2. Old state OnlinePending, new state Failed

00000720.00000a70::2010/08/10-22:25:13.616 ERR [RHS] Online for resource FileServer-(CONTOSO-FS1)(Contoso-FS1 (Disk)) failed.

I hope this information has been helpful and perhaps solved a few mysteries out there.

Thanks for your attention and come back.

Chuck Timon
Senior Support Escalation Engineer
Microsoft Enterprise Platforms Support


Using Multiple Client Access Points (CAP) in a Windows Server 2008 (R2) Failover Cluster

Quite a while back I wrote a blog on a new functionality in Windows Server 2008 Failover Clusters called ‘file share scoping’ (http://blogs.technet.com/b/askcore/archive/2009/01/09/file-share-scoping-in-windows-server-2008-failover-clusters.aspx). I was informed recently that our Networking Support Team refers to this blog frequently when working with customers who are migrating to Windows Server 2008 Failover Clusters and discover that CNAME (Canonical Names) records in DNS, that had been in-place to support their Windows Server 2003 File Server clusters, no longer work with Windows Server 2008 Failover Clusters. Users keep asking if there is a way to disable this functionality or if it can be changed by adding a registry key or something. At this time, there is no disabling this behavior and our Product Team has been made aware of the feedback we have been receiving on this. No official plans have been announced with respect to making any changes in future releases of the Operating System.

While we wait and see what the future holds, I have been asked to write a short blog on how users can better work within the constraints of this functionality. In a File Server Resource Group you typically have a Client Access Point (CAP), a File Server Resource, a Physical Disk resource and some Shared Folders (Figure 1).

Figure 1

Suppose, in a Windows Server 2003 cluster environment, there were several CNAME records created in DNS that pointed to the same File Server Cluster so users from various organizations within a company could access their data files. For example, suppose we had CNAME records for OPS-FS1, Academics-FS1 and Executive-FS1. After completing a migration to a Windows Server 2008 R2 File Server cluster, these CNAME records no longer work and end users can no longer access their data. How can we fix that?

To remedy the situation, create additional CAPs in the File Server Resource group that contains the shared folders that contain the data the users need to access. To do this will require stepping outside of the normal wizard-based process that was used to create the original highly available File Server resource group and instead use the procedures described in KB 947050.

Start by selecting the File Server resource group and in the Right-hand Actions pane select Add a resource (Figure 2).

Figure 2

From the list of available resources, select Client Access Point (Figure 3).

Figure 3

Provide the requested information and complete the wizard. Do this for all required Client Access Points. When completed, bring all the CAPs Online. Here is my result (Figure 4).

Figure 4

At this point, decide which shared folders need to be available to users when each Client Access Point connection is made. Then, create the shared folders in the correct context. Figure 5 shows the selections available when executing the Add shared folder action in the Actions pane.

Figure 5

As an example, in my 2-Node cluster, all folders shown in Figure 1 were shared in the context of CONTOSO-FS1. After adding the additional Client Access Points that were needed, a decision was made that the Academics share was needed in the Academics-FS1 context, the Executive and Archive folders were needed in the Executive-FS1 context and finally the Operations folder was needed in the OPS-FS1 context. When sharing folders in multiple contexts, the display can start getting a little cluttered (Figure 6).

Figure 6

When all File Server resources are Online, all shared folders associated with those resources are displayed. If multiple File Server resources are associated with the same shared folder, multiple entries are displayed (Figure 6). This is in addition to the administrative share for the associated physical disk resource.

To help clarify some of the confusion, modify the Description on the Sharing tab for the Property page of the shared folder to reflect its associated File Server resource (Figure 7).

Figure 7

This provides some organization to what can be a cluttered display (Figure 8).

Figure 8

Additional administrative overhead is incurred here as well because multiple Access Control List (ACL) entries must be maintained on the same set of folders. Depending on the tools used to migrate the data to a Windows Server 2008 Failover Cluster, that information could already be present on the storage and not be an issue.

I hope this helps provide a solution for your organization. See you next time.

Chuck Timon
Senior Support Escalation Engineer
Microsoft Enterprise Platforms Support


NTFS File Attributes


It is time once again to delve into the fascinating world of NTFS! So far I’ve outlined how files become more complex as they grow, the different metafiles found in the MFT, and the different parts of Windows storage that result in the infamous 2TB size limitation.

Today I want to list out most of the different attribute types that a file can have. Think of these as the building blocks for the file itself. No file will have every attribute type. In fact most just have a few.

$STANDARD_INFORMATION – General information about the file. Creationtime, LastModificationTime, LastChangeTime, and LastAccessTime are all stored here.

NOTE: Even if the updates to LastAccessTime are disabled, the old time will still be stored here.

FileAttributes are also stored here. Do not confuse FileAttributes with the file’s attribute types. FileAttributes are just flags and can mark the file as being...

  • Read-only
  • Hidden
  • System
  • Archive
  • Compressed
  • Encrypted

There are more flags but these are the really common ones.


So when you make changes to the file in this part of the UI, you are actually changing the FileAttributes flag of the $STANDARD_INFORMATION attribute type.

Also, this attribute holds a SecurityID. Do not confuse this with a security descriptor. Those are stored elsewhere. The SecurityID is used to help locate the correct security descriptor for the file in question.
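To make those fields concrete, here is an added Python example (not code from the blog) that decodes a resident $STANDARD_INFORMATION attribute: the four FILETIME stamps, the FileAttributes flag bits named above, and the SecurityId. The attribute record header, field offsets and flag values are the on-disk NTFS format; the record bytes themselves are constructed with build_sample_record(), not read from a real volume.

```python
import struct
from datetime import datetime, timedelta, timezone

# NTFS attribute type codes (0x40 and 0xC0 were $VOLUME_VERSION and $SYMBOLIC_LINK in NTFS 1.2)
ATTRIBUTE_TYPES = {
    0x10: "$STANDARD_INFORMATION", 0x20: "$ATTRIBUTE_LIST", 0x30: "$FILE_NAME",
    0x40: "$OBJECT_ID", 0x50: "$SECURITY_DESCRIPTOR", 0x60: "$VOLUME_NAME",
    0x70: "$VOLUME_INFORMATION", 0x80: "$DATA", 0x90: "$INDEX_ROOT",
    0xA0: "$INDEX_ALLOCATION", 0xB0: "$BITMAP", 0xC0: "$REPARSE_POINT",
}

# FileAttributes flag bits stored in $STANDARD_INFORMATION (the six the post lists)
FILE_ATTRIBUTE_FLAGS = {
    0x0001: "READONLY", 0x0002: "HIDDEN", 0x0004: "SYSTEM",
    0x0020: "ARCHIVE", 0x0800: "COMPRESSED", 0x4000: "ENCRYPTED",
}

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    # integer timedelta division keeps the value exact (float would not at this magnitude)
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_resident_attribute(record, offset=0):
    """Parse one resident attribute record header; return (type code, value bytes)."""
    (attr_type, _attr_len, non_resident, _name_len, _name_off, _flags, _attr_id,
     value_len, value_off) = struct.unpack_from("<IIBBHHHIH", record, offset)
    if non_resident:
        raise ValueError("only resident attributes are handled here")
    return attr_type, record[offset + value_off:offset + value_off + value_len]


def parse_standard_information(value):
    """Decode a $STANDARD_INFORMATION body (48 bytes on NTFS 1.2, 72 bytes on NTFS 3.0+)."""
    if len(value) < 0x30:
        raise ValueError("truncated $STANDARD_INFORMATION")
    ctime, mtime, chtime, atime, attrs = struct.unpack_from("<QQQQI", value, 0)
    info = {
        "CreationTime": filetime_to_datetime(ctime),
        "LastModificationTime": filetime_to_datetime(mtime),   # file data altered
        "LastChangeTime": filetime_to_datetime(chtime),        # MFT record altered
        "LastAccessTime": filetime_to_datetime(atime),
        "FileAttributes": [name for bit, name in FILE_ATTRIBUTE_FLAGS.items() if attrs & bit],
        "RawFileAttributes": attrs,
    }
    if len(value) >= 0x38:   # NTFS 3.0+ adds owner id and security id at 0x30/0x34
        info["OwnerId"], info["SecurityId"] = struct.unpack_from("<II", value, 0x30)
    return info


def decode_standard_information_record(record):
    attr_type, value = parse_resident_attribute(record)
    if attr_type != 0x10:
        raise ValueError("expected $STANDARD_INFORMATION, got "
                         + ATTRIBUTE_TYPES.get(attr_type, hex(attr_type)))
    return parse_standard_information(value)


def build_sample_record():
    """Constructed sample (not from a real disk): a resident $STANDARD_INFORMATION attribute."""
    ft = datetime_to_filetime(datetime(2010, 8, 25, 14, 30, 0, tzinfo=timezone.utc))
    minute = 60 * 10_000_000                      # 60 s in 100 ns ticks
    value = struct.pack("<QQQQIIIIIIQQ",
                        ft, ft + minute, ft + minute, ft,   # C, M, change, A times
                        0x0001 | 0x0020 | 0x0800,           # READONLY | ARCHIVE | COMPRESSED
                        0, 0, 0,                            # max versions, version, class id
                        0, 0x103,                           # owner id, security id (index into $Secure)
                        0, 0)                               # quota charged, USN
    header = struct.pack("<IIBBHHHIHBB", 0x10, 24 + len(value), 0, 0, 24, 0, 0,
                         len(value), 24, 0, 0)
    return header + value


if __name__ == "__main__":
    for key, val in decode_standard_information_record(build_sample_record()).items():
        print(f"{key}: {val}")
```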

$ATTRIBUTE_LIST – This attribute type keeps a list of all of the file’s attribute types. But it only exists if at least ONE of the attribute types is nonresident. So if you have a file with five attribute types and one is nonresident, an $ATTRIBUTE_LIST will be added to the file.

To get a good visual of how the $ATTRIBUTE_LIST is used, refer to my blog on file growth.

http://blogs.technet.com/askcore/archive/2009/10/16/the-four-stages-of-ntfs-file-growth.aspx

But basically, the $ATTRIBUTE_LIST will tell you at what FRS (file record segment) you will find each of the file’s attribute types. For attribute types that are resident, it will just point back to its own FRS.


$FILE_NAME - This is where we store the file name. No, really. In addition there are also fields for Creationtime, LastModificationTime, LastChangeTime, and LastAccessTime. These are not updated as often as their counterparts in the $STANDARD_INFORMATION attribute type.

This is also where we keep track of what directory the file belongs to. So if the parent directory incorrectly removes the still active file from its index, running CHKDSK will have enough information about where the file should live to be able to recover this ‘orphaned file’.

$VOLUME_VERSION – This attribute type contains volume information, or at least it used to. It hasn’t been used in a very long time. It only existed in early versions of Windows NT. I’m only including it in the list to be complete.

$OBJECT_ID – This is an attribute that holds an ID. This ID is used by the Distributed Link Tracking Service. An example of how it is used would be found in shortcuts. Make a shortcut on your desktop that points to a file. Then move that file. The shortcut will still function because it is using a way to track the source file other than just the path and file name.

Not all files will have an $OBJECT_ID attribute. In fact, it isn’t until an actual ID is to be assigned that the attribute is added to the file.

For more information about the Distributed Link Tracking Service please use the following MSDN link.

http://msdn.microsoft.com/en-us/library/aa363997%28VS.85%29.aspx

$SECURITY_DESCRIPTOR – This is where security information for the file used to be stored. In newer versions of NTFS, Microsoft moved to storing all security information in a single file called $SECURE. One of the main benefits of this was that files that had the same security on them didn’t need to store that information in each individual file.

$VOLUME_NAME – This attribute exists in only one file in each NTFS volume...the $Volume file. This is one of the metafiles I listed in my blog NTFS Metafiles.

http://blogs.technet.com/askcore/archive/2009/12/30/ntfs-metafiles.aspx

It is in this file, in this attribute, that the name or ‘label’ of the volume is found.

My volume here is called Dave. The default name of a volume is New Volume.

$VOLUME_INFORMATION – Also only found in the $Volume metafile, this attribute contains version information for NTFS and a field for volume flags such as the ‘dirty bit’.

$DATA – When we think of a file, we typically just think of the data that is in it. The $DATA attribute is where that data is located. This attribute is normally only found in files...not directories.

$INDEX_ROOT – A directory will have an index that contains information about the files associated with that directory. If there are only a few index entries, they will all be found in the $INDEX_ROOT attribute. Once there are too many entries, they are moved to an $INDEX_ALLOCATION attribute. These index entries form a ‘b-tree’.

The layout of indexes is somewhat complex and I will probably do a separate blog for them. For this list, I’m trying to keep it simple.

$INDEX_ALLOCATION – See $INDEX_ROOT

$BITMAP – The $BITMAP attribute is also part of the index structure. It keeps track of what parts of the index are allocated and which are free to be reused. It also provides a similar function to the $MFT file.

Do not confuse this attribute with the $BITMAP metafile.

$SYMBOLIC_LINK – Symbolic links, reparse points and hard links are commonly misunderstood. The $SYMBOLIC_LINK attribute is currently not in use. The MKLINK utility allows you to create symbolic links but it does so by creating a $REPARSE_POINT attribute.

$REPARSE_POINT – This attribute is used when a symbolic link or mount point is created. There will be a ReparseTag in the attribute that tells us what type of reparse point is being used.

There are other attribute types but for the most part they are obscure or obsolete. This list covers the ones people are likely to care about.

Robert Mitchell
Senior Support Escalation Engineer
Microsoft Enterprise Platforms Support
“Demystifying NTFS as much as I’m allowed”

How To Verify or Check your KMS/MAK Product Key


Hello, my name is Scott McArthur. I am a Senior Support Escalation Engineer in the Windows group and today’s blog will cover a common question we get involving product keys. Many times you may have a product key but you need to find out what type of key it is. We will use the VAMT 2.0 tool to accomplish this task. VAMT 2.0 can decode the following types of keys:

  • MAK keys
  • KMS keys
  • Retail keys
  • OEM keys

To determine what type of key you have do the following:

1. Download the Volume Activation Management Tool (VAMT) 2.0 and install it

2. Click Start, All Programs, VAMT 2.0, Volume Activation Management Tool 2.0

3. Click the Product Keys option


Figure 1. VAMT 2.0

4. Enter your Product Key then click Verify.

5. VAMT 2.0 will connect to the internet and verify what type of key you have. For example (I removed my product keys):

Figure 2. VAMT Product Key Output

The following describes the column headings:

  • Key Type: CSVLK, MAK, Retail, OemCoa, etc. Note: CSVLK is a KMS host key.
  • Edition: The editions (Standard, Enterprise, etc.) the key is valid for.
  • Description: More detailed description of the key.
  • Remaining Activations: This column is only valid for MAK keys.

Some Common Keys

Windows 7 Home Premium OEM Key
Key Type:  OemCoa
Edition:  HomePremium
Description:  Windows 7 Home Premium OEM:COA

Windows 7 Ultimate Retail Key
Key Type:  Retail
Edition:  Ultimate
Description:  Windows 7 Ultimate Retail

Windows 7 MAK key
Key Type:  Mak
Edition:  Enterprise;EnterpriseN;EnterpriseE;Professional;ProfessionalN;ProfessionalE
Description:  Windows 7 All Volume Editions Volume:MAK

Windows 7 KMS Host Key
Key Type:  Csvlk 
Edition:  Enterprise;EnterpriseN;EnterpriseE;Professional;ProfessionalN;ProfessionalE
Description:  Windows 7 All Volume Editions Volume:CSVLK

Windows Server 2008 R2 MAK_B
Key Type:  Mak
Edition:  ServerStandard;ServerEnterprise
Description:  Server 2008 R2 Std and Ent Volume:MAK (MAK_B)

Windows Server 2008 R2 KMS_C
Key Type:  Csvlk 
Edition:  ServerDatacenter;ServerEnterpriseIA64;ServerEnterprise;ServerStandard;ServerWeb;ServerHPC
Description:  Server 2008 R2 DC and IA64 Volume:CSVLK (KMS_C)

Windows Server 2008 R2 KMS_B
Key Type:  Csvlk
Edition:  ServerStandard;ServerEnterprise;ServerWeb;ServerHPC
Description:  Server 2008 R2 Std and Ent Volume:CSVLK (KMS_B)

Entering all your keys into VAMT 2.0 is a good way to save your product keys and be able to reference them easily. VAMT 2.0 is a powerful tool that you can use for many other activation functions. For more information on VAMT 2.0, click Help to see the included help file.

Scott McArthur
Senior Support Escalation Engineer
Microsoft Enterprise Platforms Support

Microsoft Professional Advisory Services


I am sure many of you are aware that Microsoft provides several options for our customers in terms of support services. The Support website provides information about our support offerings. We have Consumer support, Professional support and various levels of Premier Support. There are even several Self Support options available. These solutions are primarily focused on break-fix scenarios. What if you do not have something that is broken that needs fixing but instead would like some help implementing one of Microsoft’s technologies? We can help with that as well. This kind of help can be provided via Advisory type services.

If you are a small company, or even just an individual, and usually obtain support on a pay-per-incident basis, it is difficult to obtain advisory services. This is where Pro Advisory services can assist. Microsoft now offers Professional Advisory Services that are paid for on an hourly basis without having to have a Premier contract or having to work through Microsoft Consulting Services. The service is still in pilot, and only covers specific scenarios, but more are being added all the time. Each group has its own supported scenarios, and there are too many to list here. Here is a list of what the CORE Team has to offer at this point:

2276908 Windows Server 2008 R2 - RDWeb Access and RemoteApp Configuration (http://support.microsoft.com/kb/2276908)

2276905 Windows Server 2008 R2 - Microsoft VDI Configuration (http://support.microsoft.com/kb/2276905)

2276880 Windows 2008 Session Broker Load Balancing (http://support.microsoft.com/kb/2276880)

2276874 Windows Server 2008 R2 RD Web Single Sign On (http://support.microsoft.com/kb/2276874)

2275811 TS Web Access And RemoteApp Configuration (http://support.microsoft.com/kb/2275811)

2275629 Windows Server 2003 Server Print Queue Migration (http://support.microsoft.com/kb/2275629)

2253278 Windows Server 2008 R2 RD Connection Broker (http://support.microsoft.com/kb/2253278)

2253250 Windows Server 2008 R2 Hyper-V Installation (http://support.microsoft.com/kb/2253250)

982909 Windows Server 2003 Server Cluster Disaster Recovery Planning (http://support.microsoft.com/kb/982909)

982908 Windows Server 2008 or Windows Server 2008 R2 Failover Cluster Disaster Recovery Planning (http://support.microsoft.com/kb/982908)

982872 Windows Server 2008 R2 RD Web Single Sign On (http://support.microsoft.com/kb/982872)

980643 Windows 2008 R2 Cluster Installation with Hyper-V (http://support.microsoft.com/kb/980643)

980459 Windows 2008 R2 Cluster Installation (http://support.microsoft.com/kb/980459)

979130 Windows 7 Deployment Activation Guidance (http://support.microsoft.com/kb/979130)

979129 Demonstration of Microsoft Deployment Toolkit With Q&A (http://support.microsoft.com/kb/979129)

978867 Windows 7 Deployment Question and Answer (http://support.microsoft.com/kb/978867)

974386 Platform Application Compatibility (http://support.microsoft.com/kb/974386)

What can you expect from Microsoft Professional Advisory services? The process is pretty straightforward:

1. Expect to be contacted by a Support Engineer who specializes in the technology area you are interested in.

2. The Support Engineer will review the Professional Advisory Services offering with you as it applies to the scenario you selected to ensure you both understand the scope of the work involved before an official support incident is created and work can begin.

3. The Support Engineer will carefully track the time involved in providing the solution so you will not be overcharged.

4. Once the work has been completed, and both you and the Support Engineer agree the solution has been provided, a summary will be provided and the case will be closed.

If you are interested in seeing other technology offerings that are available, navigate to http://support.microsoft.com and search on the keyword ‘kbProAdvisory’ and you will be able to browse the current offerings.

Hope this helps.

Chuck Timon
Senior Support Escalation Engineer
Microsoft Enterprise Platforms Support

GPT in Windows


GUID Partition Table or GPT is a standard that’s been around for a while but is still not completely understood by the masses.  So I wanted to do a quick blog to address some of the common questions we  hear from day to day.

Previously in my blog entitled Understanding the 2 TB Limit in Windows Storage I briefly mentioned using GPT disks to bypass one of the common 2 TB limitations.  If you haven’t already read that blog, you might want to review it before continuing….I’ll wait.

Welcome back.  One of the things that tend to trip people up on this subject is terminology.  So let’s address that first. 

People will hear about GPT disks and think that it is just the next in a line of progression like this…

Basic disks >> Dynamic disks >> GPT disks

While this logic is understandable, it is incorrect as GPT disks can be either Basic or Dynamic. Let’s take a look at the Microsoft Windows storage stack (simplified).


The determination of whether a disk is Basic or Dynamic is made at the Volume Manager level, while the determination of whether a disk is MBR or GPT is made at the Partition Manager level.  So a disk can be any of the following combinations…

  • MBR and Basic
  • MBR and Dynamic
  • GPT and Basic
  • GPT and Dynamic

To understand this, you must first understand the subtle differentiation between partitions and volumes.  This can be difficult to visualize as they are often the same thing.  The way I keep it straight is I use the following rules…

  • If it is just a box – It is a partition
  • If it contains a single file system – It is a volume

As this would qualify as a completely different subject, I’ll cover that in a later blog.  For now, just understand that there is a difference between partitions and volumes.

For the sake of discussion I will display hard drives as a collection of sectors on a number line.  It will start with sector 0 and end with the last sector of the drive.  Using this logic, examples of MBR disks and GPT disks would look like this. 

MBR Style (basic)-


Sector zero will house the Master Boot Record (MBR), which contains the partition table.  The partition table will tell us where the partition will start and how big it is.  Once the partition is formatted a volume is created.  The volume starts at the first boot sector and ends at the last boot sector (aka backup boot sector).

GPT Style (basic)-


Sector zero will house the Protective MBR.  This structure is only present to identify the disk as GPT and protect the new partition array from legacy disk utilities that are not GPT-aware.

Instead of having a four line partition table, there is a 32 sector partition array.  This allows us to have more partitions as well as much larger partitions.  Also, there is a backup Partition Array out at the end of the drive.  This gives us partition information redundancy that MBR disks just don’t have.

The MS Reserved Partition marks off an area of the disk for Windows to use to store metadata that is not part of the file system.  Previously this metadata was stored in unprotected regions of the disk.

The volume is just like it was before.  It starts at the first boot sector and ends at the last. 

Keep in mind that in using GPT we are just changing how we define the box, not the contents of the box.  Assuming that you are using NTFS, the file system is the same in both examples.  I can’t stress this enough.  There is no difference in NTFS between MBR and GPT.  In fact if you create a GPT disk smaller than 2 TB in size, a clever person could change the box with a sector editor, turn it into an MBR disk, and never alter the volume itself.  NTFS is blissfully unaware of what type of box it lives in.

NOTE:  I recommend that you do NOT use a sector editor, ever.  Doing so without a full understanding of how on-disk structures function can cause data loss.
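As an added example (not the blog's code), the Python below walks the structures just described on a constructed in-memory image rather than a real disk: it checks the protective MBR's 0xEE entry in sector zero, verifies the CRC32 of the GPT header at LBA 1, reads the 32-sector partition array (128 entries of 128 bytes) and checks its CRC, then confirms that the backup header and backup array at the end of the drive describe the same disk. The partition type GUIDs are the standard Microsoft Reserved and Basic Data values; build_sample_disk() and its disk size are constructed for the example.

```python
import struct
import uuid
import zlib

SECTOR = 512
GPT_SIGNATURE = b"EFI PART"
HEADER_FMT = "<8sIIIIQQQQ16sQIII"          # the 92-byte GPT header
# Standard partition type GUIDs for the two partitions in the post's GPT (basic) layout
PARTITION_TYPES = {
    uuid.UUID("E3C9E316-0B5C-4DB8-817D-F92DF00215AE"): "Microsoft Reserved",
    uuid.UUID("EBD0A0A2-B9E5-4433-87C0-68B6B72699C7"): "Basic Data",
}
MSR_GUID, BASIC_DATA_GUID = list(PARTITION_TYPES)


def parse_protective_mbr(sector0):
    """Sector 0 of a GPT disk holds a protective MBR: boot signature plus one 0xEE entry."""
    if sector0[510:512] != b"\x55\xAA":
        raise ValueError("missing MBR boot signature")
    return any(sector0[446 + 16 * i + 4] == 0xEE for i in range(4))


def parse_gpt_header(sector):
    """Decode a GPT header and verify its CRC32 (computed with the CRC field zeroed)."""
    (sig, _rev, hdr_size, hdr_crc, _res, my_lba, alt_lba, first_usable, last_usable,
     disk_guid, part_lba, num_entries, entry_size, entries_crc) = struct.unpack_from(HEADER_FMT, sector)
    if sig != GPT_SIGNATURE:
        raise ValueError("not a GPT header")
    zeroed = bytearray(sector[:hdr_size])
    zeroed[16:20] = b"\0\0\0\0"
    if zlib.crc32(bytes(zeroed)) != hdr_crc:
        raise ValueError("GPT header CRC mismatch")
    return {"my_lba": my_lba, "alt_lba": alt_lba, "first_usable": first_usable,
            "last_usable": last_usable, "disk_guid": uuid.UUID(bytes_le=disk_guid),
            "part_lba": part_lba, "num_entries": num_entries, "entry_size": entry_size,
            "entries_crc": entries_crc}


def parse_partition_entries(img, hdr):
    """Read the partition array the header points at, check its CRC, return the used slots."""
    start = hdr["part_lba"] * SECTOR
    raw = img[start:start + hdr["num_entries"] * hdr["entry_size"]]
    if zlib.crc32(raw) != hdr["entries_crc"]:
        raise ValueError("partition array CRC mismatch")
    parts = []
    for i in range(hdr["num_entries"]):
        entry = raw[i * hdr["entry_size"]:(i + 1) * hdr["entry_size"]]
        type_guid = uuid.UUID(bytes_le=entry[0:16])    # GUIDs are stored mixed-endian
        if type_guid.int == 0:
            continue                                    # unused slot
        first, last = struct.unpack_from("<QQ", entry, 32)
        name = entry[56:128].decode("utf-16-le").rstrip("\0")
        parts.append({"type": PARTITION_TYPES.get(type_guid, str(type_guid)),
                      "first_lba": first, "last_lba": last, "name": name})
    return parts


def inspect_gpt_disk(img):
    """Protective MBR -> primary header -> array -> backup header, cross-checking each step."""
    if not parse_protective_mbr(img[:SECTOR]):
        raise ValueError("no protective MBR entry: not a GPT disk")
    primary = parse_gpt_header(img[SECTOR:2 * SECTOR])
    backup = parse_gpt_header(img[primary["alt_lba"] * SECTOR:(primary["alt_lba"] + 1) * SECTOR])
    if backup["disk_guid"] != primary["disk_guid"] or backup["alt_lba"] != primary["my_lba"]:
        raise ValueError("backup header does not describe the same disk")
    parts = parse_partition_entries(img, primary)
    return {"array_sectors": primary["num_entries"] * primary["entry_size"] // SECTOR,
            "partitions": parts,
            "backup_matches": parts == parse_partition_entries(img, backup)}


def _header(my_lba, alt_lba, part_lba, disk_guid, entries_crc, total):
    hdr = bytearray(struct.pack(HEADER_FMT, GPT_SIGNATURE, 0x00010000, 92, 0, 0, my_lba, alt_lba,
                                34, total - 34, disk_guid.bytes_le, part_lba, 128, 128, entries_crc))
    struct.pack_into("<I", hdr, 16, zlib.crc32(bytes(hdr)))
    return bytes(hdr).ljust(SECTOR, b"\0")


def _entry(type_guid, first, last, name):
    return struct.pack("<16s16sQQQ72s", type_guid.bytes_le, uuid.uuid4().bytes_le,
                       first, last, 0, name.encode("utf-16-le"))


def build_sample_disk(total=256):
    """Constructed image (not a real disk): protective MBR at LBA 0, header at LBA 1, a 32-sector
    array at LBA 2-33, MS Reserved + Basic Data partitions, backup array and header at the end."""
    entries = (_entry(MSR_GUID, 34, 65, "Microsoft reserved partition")
               + _entry(BASIC_DATA_GUID, 66, total - 34, "Basic data partition")).ljust(128 * 128, b"\0")
    guid = uuid.uuid4()
    mbr = bytearray(SECTOR)     # one 0xEE entry spanning LBA 1 to the last sector
    struct.pack_into("<B3sB3sII", mbr, 446, 0, b"\x00\x02\x00", 0xEE, b"\xff\xff\xff", 1, total - 1)
    mbr[510:512] = b"\x55\xAA"
    ecrc = zlib.crc32(entries)
    img = bytes(mbr) + _header(1, total - 1, 2, guid, ecrc, total) + entries
    img += bytes(SECTOR * (total - 33) - len(img))          # pad up to the backup array
    return img + entries + _header(total - 1, 1, total - 33, guid, ecrc, total)
```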

GPT Style (dynamic) -


The big change for a dynamic disk is the location of the LDM database.  This metadata was stored at the end of the drive on an MBR disk.  On a GPT disk, we carve out part of the MS Reserved Partition and store the LDM database there.  This puts it in a protected region and moves it into an area of the disk that is easier to get to.  Previously the LDM was stored after the disk’s geometric size boundary.

That’s the basics for how GPT disks work.  They bring us the following changes:

  • More partitions possible
  • Larger partitions possible
  • Partition data now has redundancy
  • Metadata now stored in a protected region

All this while not changing how the file system operates.

Robert Mitchell
Senior Support Escalation Engineer
Microsoft Enterprise Platforms Support

Want to know more about Microsoft storage?  Check out my other blogs...

http://blogs.technet.com/askcore/archive/2010/02/18/understanding-the-2-tb-limit-in-windows-storage.aspx

http://blogs.technet.com/askcore/archive/2009/10/16/the-four-stages-of-ntfs-file-growth.aspx

http://blogs.technet.com/askcore/archive/2009/12/30/ntfs-metafiles.aspx

http://blogs.technet.com/b/askcore/archive/2010/08/25/ntfs-file-attributes.aspx


How to use Bitlocker Data Recovery Agent to unlock Bitlocker Protected Drives

Hello, my name is Manoj Sehgal. I am a Senior Support Escalation Engineer in the Windows group and today’s blog will cover “How to use Bitlocker Data Recovery Agent (DRA) to unlock Bitlocker Protected Drives”.

In Windows 7, we have the option to unlock devices using a Bitlocker DRA if you have a PKI infrastructure in place.

What is a Data Recovery Agent?

Data recovery agents are individuals whose public key infrastructure (PKI) certificates have been used to create a BitLocker key protector, so those individuals can use their credentials to unlock BitLocker-protected drives. Data recovery agents can be used to recover BitLocker-protected operating system drives, fixed data drives, and removable data drives. However, when used to recover operating system drives, the operating system drive must be mounted on another computer as a data drive for the data recovery agent to be able to unlock the drive. Data recovery agents are added to the drive when it is encrypted and can be updated after encryption occurs.

When do we use Bitlocker DRA?

In Windows 7, we introduced the Bitlocker DRA feature, which can be used to unlock fixed data drives and removable data drives.

Generally when we encrypt the USB flash Drives or fixed data drive, we give a password to unlock the drive. By using a file based certificate we get an additional protector for the drive and we can use it to unlock the drive.

When you connect to a Windows 7 client machine and Open Control Panel –> Bitlocker Drive Encryption, you will see all your Data drives.

Open Certificate Manager on the client computer.

Expand Personal and click Certificates. Right Click on Certificates and Select All Tasks and then select Request New certificate.


Under the Certificate Templates, select Bitlocker DRA certificate template.

If you do not have the Bitlocker DRA template, you can copy the Key Recovery Agent template and then add Bitlocker Drive Encryption and Bitlocker Drive Recovery Agent from the application policies.

Install the certificate on the computer.


Export the Certificate.


Save the certificate to a location on your computer.


Now we can use a Group Policy to apply the certificate to all machines in the OU.

Open Group Policy Management Console and then add the Bitlocker DRA.

Expand Computer Configuration –> Windows Settings –> Security Settings –> Public Key Policies –> Bitlocker Drive Encryption.

Right click on Bitlocker Drive Encryption and then click Add Data Recovery Agent.

Note:

If a user wants to add additional Bitlocker DRA for his drive, he can add it by using the local security policies.

  1. Open Group Policy Management Editor (gpedit.msc) on Windows 7 client machine.
  2. Expand Computer Configuration –> Windows Settings –> Security Settings –> Public Key Policies –> Bitlocker Drive Encryption.
  3. Right click on Bitlocker Drive Encryption and then click Add Data Recovery Agent


Click Browse Folders and then select the exported certificate (.DER) file which we exported above.

After adding the DRA, go to the Windows 7 client machine.

After Adding the certificate, run ‘gpupdate /force’ on the client machine.

On Windows 7 client machine, open an elevated command prompt and use the following commands:

To get the protectors, run:

C:\>manage-bde -protectors -get f:
BitLocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.
Volume F: [New Volume]

All Key Protectors

    Numerical Password:
      ID: {FB4FF4B1-AAA3-4BB6-937E-80E7241CA2F2}
      Password:
        526108-505340-456258-529034-347050-022297-147796-530310
    Password:
      ID: {96C170CF-65AF-42A7-BEF8-0AD21667C02B}
    Smart Card (Certificate Based):
      ID: {7BBF31F5-DEBD-4C24-B76F-012855B4EF39}
      Certificate Thumbprint:
        09141e2c459016b5c51754503956c1d62efeee62
    Data Recovery Agent (Certificate Based):
      ID: {E1749014-6760-4501-9A48-58152A587279}
      Certificate Thumbprint:
        1e66a3476615d9a1e51f56aec49024bb34b8a688


To lock the drive, use:

C:>manage-bde -lock f:
BitLocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.
Volume F: is now locked

To unlock the device, using the certificate thumbprint, use:

C:\>manage-bde -unlock f: -cert -ct 1e66a3476615d9a1e51f56aec49024bb34b8a688
BitLocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.
The certificate successfully unlocked volume F:.
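Once the policy has applied, the practical check is that every data volume actually carries a Data Recovery Agent protector with the thumbprint of the certificate you exported. The Python below is an added example (not part of the post) that parses the output format of manage-bde -protectors -get shown above and confirms that; the sample output, IDs, password and thumbprint in it are constructed placeholders, not real values.

```python
import re

# Constructed manage-bde output in the same shape as the post's listing; every ID,
# the numerical password and the thumbprint are placeholders.
SAMPLE_OUTPUT = """\
BitLocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.
Volume F: [New Volume]

All Key Protectors

    Numerical Password:
      ID: {00000000-1111-2222-3333-444444444444}
      Password:
        000000-111111-222222-333333-444444-555555-666666-777777
    Password:
      ID: {55555555-6666-7777-8888-999999999999}
    Data Recovery Agent (Certificate Based):
      ID: {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}
      Certificate Thumbprint:
        0000000000000000000000000000000000000000
"""

# Thumbprint of the DRA certificate you exported and published via Group Policy (placeholder)
EXPECTED_DRA_THUMBPRINT = "0000000000000000000000000000000000000000"


def volume_name(output):
    """Drive letter from the 'Volume F: [New Volume]' line, or None."""
    m = re.search(r"^Volume ([A-Z]:)", output, re.MULTILINE)
    return m.group(1) if m else None


def parse_protectors(output):
    """Turn `manage-bde -protectors -get <drive>` output into a list of protector dicts.

    The listing is indentation based: protector types sit at 4 spaces, their fields at 6,
    and values that do not fit on the field line (password, thumbprint) at 8.
    """
    protectors, current, pending = [], None, None
    for raw in output.splitlines():
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if not line:
            continue
        if indent == 4 and line.endswith(":"):            # protector type header
            current = {"type": line[:-1]}
            protectors.append(current)
        elif indent == 6 and current is not None:        # "ID: {...}" or "Password:"
            key, _, value = line.partition(":")
            if value.strip():
                current[key.strip()] = value.strip()
            else:
                pending = key.strip()                    # value follows on the next line
        elif indent == 8 and current is not None and pending:
            current[pending] = line
            pending = None
    return protectors


def volume_has_dra(output, thumbprint):
    """True if a Data Recovery Agent protector with the expected certificate is present."""
    return any(p["type"].startswith("Data Recovery Agent")
               and p.get("Certificate Thumbprint", "").lower() == thumbprint.lower()
               for p in parse_protectors(output))


if __name__ == "__main__":
    status = "present" if volume_has_dra(SAMPLE_OUTPUT, EXPECTED_DRA_THUMBPRINT) else "MISSING"
    print(f"{volume_name(SAMPLE_OUTPUT)} DRA protector: {status}")
```

On a real client the output string would come from running manage-bde for each drive letter and comparing against the thumbprint in your policy.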

I hope the above information will be useful to everyone. Thanks for your time to read the above information.


More Information:

http://blogs.technet.com/b/bitlocker/


Manoj Sehgal
Senior Support Escalation Engineer
Microsoft Enterprise Platforms Support

Open File Security Warning Prompt during Deployment


Today’s blog is going to cover an issue we have seen a couple of times now with customers utilizing Microsoft Deployment Toolkit (MDT) to Deploy Windows although it can happen with any deployment tool out there.

Issue:

During deployment of Windows, or even after Windows is deployed, you see an Open File – Security Warning prompt when a .EXE runs.

Here is an example of the type of prompt you may see:

Figure 1. Open File – Security Warning

In one example a customer was getting prompts for multiple .EXEs that run in the notification area, or what many call the systray. The .EXEs included igfxtray.exe, apmsgfwd.exe, apntex.exe, apoint.exe, gfxui.exe, hidfind.exe, hkcmd.exe, igfxpers.exe.

Cause:

The issue is that when you download an .EXE, .ZIP, or .CAB Internet Explorer saves the Zone Identifier. This goes back to a feature that first appeared in Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1 and the feature works the same in later operating systems.

For more information see the following KB:

883260 Description of how the Attachment Manager works in Windows XP Service Pack 2

You can see this by running the following command on the .EXE (requires Vista and later):

dir /r setup.exe

For example:

11/03/2010 11:12 AM 948,760 Setup.exe

26 Setup.exe:Zone.Identifier:$DATA

You can see the Zone.Identifier NTFS stream in the file. This is what is causing the prompt to occur. You can also use the Streams tool to view the additional NTFS streams in a file.
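As an added example (not part of the post), the Python below shows what is actually inside that 26-byte stream and how to pick the marked files out of dir /r output. The Zone.Identifier stream is INI text with a [ZoneTransfer] section and a ZoneId line; the zone numbers are the URLMon security zones, and Attachment Manager reacts to files marked Internet (3) or Restricted Sites (4). The stream bytes and dir /r listing here are constructed, not captured from a real machine; 26 bytes is exactly "[ZoneTransfer]" plus CRLF plus "ZoneId=3" plus CRLF.

```python
import re

# URLMon security zone ids that a Zone.Identifier stream can carry
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}

# Matches the stream lines that `dir /r` prints under a file, e.g.
# "                                    26 Setup.exe:Zone.Identifier:$DATA"
DIR_STREAM_RE = re.compile(r"^\s*(\d[\d,]*)\s+(.+?):Zone\.Identifier:\$DATA\s*$")


def parse_zone_identifier(stream_bytes):
    """Parse the INI-style text inside a Zone.Identifier stream.

    Returns the zone id and name, any ReferrerUrl/HostUrl lines (newer Windows versions
    add them), and whether the file is marked as coming from an untrusted zone (3 or 4).
    """
    values, section = {}, None
    for line in stream_bytes.decode("utf-8", errors="replace").splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "ZoneTransfer" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    if "ZoneId" not in values:
        raise ValueError("no ZoneId in [ZoneTransfer] section")
    zone = int(values["ZoneId"])
    return {"zone_id": zone, "zone": ZONES.get(zone, "Unknown"),
            "referrer": values.get("ReferrerUrl"), "host": values.get("HostUrl"),
            "untrusted": zone >= 3}


def find_zone_marked_files(dir_r_output):
    """Return (file name, stream size) for every Zone.Identifier stream in `dir /r` output."""
    found = []
    for line in dir_r_output.splitlines():
        m = DIR_STREAM_RE.match(line)
        if m:
            found.append((m.group(2), int(m.group(1).replace(",", ""))))
    return found


# Constructed sample inputs (not captured from a real system)
SAMPLE_STREAM = b"[ZoneTransfer]\r\nZoneId=3\r\n"     # 26 bytes, same size as the post's Setup.exe stream
SAMPLE_DIR_R = """\
 Directory of C:\\DeploymentShare\\Out-of-Box Drivers\\Video

11/03/2010  11:12 AM           948,760 Setup.exe
                                    26 Setup.exe:Zone.Identifier:$DATA
11/03/2010  11:15 AM         1,204,224 igfxtray.exe
                                    26 igfxtray.exe:Zone.Identifier:$DATA
11/03/2010  11:16 AM            31,744 readme.txt
"""

if __name__ == "__main__":
    for name, size in find_zone_marked_files(SAMPLE_DIR_R):
        print(f"{name}: {size}-byte Zone.Identifier stream")
    print(parse_zone_identifier(SAMPLE_STREAM))
```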

Resolution:

There are a number of solutions to this issue. It is important that you locate ALL the .EXEs in question. Many times packages you download may include additional .ZIPs or .CABs inside of them.

Solution #1

Download an .MSI of the driver/application instead of a .ZIP or .EXE.

Solution #2

Right click the .EXE, click Properties, and then click the “Unblock” option.

Solution #3

Download the Streams utility and remove the Zone.Identifier NTFS data stream:

Streams /d setup.exe

Additional Information

In theory you could use the Streams tool to scan your entire C:\DeploymentShare\Out-of-Box Drivers directory to locate any files that contain streams. Quote the path, since it contains a space:

Streams.exe /s "C:\DeploymentShare\Out-of-Box Drivers"

Scott McArthur
Senior Support Escalation Engineer
Microsoft Enterprise Platforms Support

General activation concepts


Today’s blog posting is based on documentation written for our activation specialists to answer some of the most common questions for customers that are new to our current activation technologies.  Depending on the size of your organization and your familiarity with our current technologies, activation can be a very simple or complex discussion.  These are some common starting points that we wanted to share to help get you started.


Discussing Volume Activation in a Conversation (Introduction)


Q:  What is KMS?

A:  KMS stands for Key Management Service and is one of two types of volume license activation methods available for our current operating systems.  With this design, you will choose 1 or more machines to activate all of your other machines.  Once the chosen machine(s) activate with Microsoft’s licensing servers, they are automatically turned into KMS Hosts.  KMS is slightly different in that the KMS host always remains activated after it talks with the Microsoft licensing servers.  Once activated, the KMS host does not connect back to Microsoft again.  However, any machines that activate with the KMS host will only get 180 days at a time.  We refer to these machines as KMS clients.  But, don’t worry because all of the KMS clients will regularly contact the KMS host and ask for more time, so they won’t go into notification mode.


Q:  What is MAK?

A:  MAK stands for Multiple Activation Key and is the second of two types of volume license activation methods available for our current operating systems.  MAK allows you to use a single key on multiple machines.  Each of these machines activates with Microsoft’s licensing servers individually and are then licensed for the full lifecycle of the machine.

Note – Windows 7 Ultimate is not a volume licensed product, so you don’t want to confuse multiple activations for Ultimate with a MAK.

Q:  What do you consider your ‘current operating systems’?

A:  This term is loosely used to describe operating systems based on the same architecture.  In this case, we’re referring to Windows Vista, Windows Server 2008, Windows 7 and Windows 2008 R2.  These are the only operating systems that are capable of using MAK and KMS based activation at this time.


Q:  How do I know what I have available to me?

A:  MAK and KMS keys are issued based on your volume license agreement with Microsoft.  Depending on the SKUs (editions) of Windows that you have licenses for, you may have several keys available to you.  To see what keys have been issued, log into your account on Microsoft’s Volume Licensing website (http://www.microsoft.com/licensing/existing-customers/manage-my-agreements.aspx).  Once logged in, you will see a table of product keys available.  Make note of the column that shows if a particular key is MAK or KMS.

Note - If a key says KMS, it is a KMS host key and not a KMS client key.  This is not the key used to activate your KMS clients!!


Q:  I see both keys on the volume website, so I guess I have both options.  Now what?

A:  Now you need to get a count of the machines that you have available.  In order to use KMS, you must have at least 5 servers running a current operating system or a total of 25 servers and clients running current operating systems.  If you don’t have that many machines, the answer is pretty easy – use MAK.  If you do, then we need to talk about your environment some more.


Discussing Volume Activation in a Conversation – Common Questions (MAK)


Q:  I don’t have enough machines to use KMS, so I’ll use MAK.  What do I do now?

A:  Once you have installed your machines, they will automatically think they’re KMS clients.  This is because Microsoft has included KMS client keys by default in volume license media.  So, if you’re going to use your MAK, you need to type it in and activate the machine.  You can do this via the GUI or via a command line.  We also have tools to do this in bulk such as VAMT (Volume Activation Management Tool).  If you are deploying an image, you can include the key in the image as well, but now we’re starting to get away from the subject.


Q:  What is required to activate MAK?

A:  All you need is an internet connection and your MAK key.  From there, you can either use the GUI or command line to activate the machine.  You need to make sure you’re using the right MAK or it won’t work.  For example, your Windows Vista key won’t work with a Windows 7 machine.  If you get an error that the product key is invalid, check to make sure you’re running a compatible OS and then check your VLSC site to determine if you have the correct key.  You can go to start and type “winver” in the search to show what version you have.


To use the GUI, go to the control panel, click on ‘System and Security’ and then ‘System’.  This will open the system dialog box.  Look at the bottom and you’ll see “Windows activation”.  Click on the blue highlighted text “Change product key”.  This will open the Windows Activation wizard which will guide you through changing your key and activating over the internet:


If you want to use the command line, it’s just as easy.  Open an elevated command prompt and type these two commands.  Wait for confirmation in between running each command:


slmgr /ipk xxxxx-xxxxx-xxxxx-xxxxx-xxxxx

slmgr /ato


The first command is used to install the MAK onto the machine.  Once installed, the second command will tell the machine to connect to Microsoft’s servers and activate the machine.


If everything says successful, you’re done.  The machine is now fully activated.


Discussing Volume Activation in a Conversation – Common Questions (KMS)


Q:  I’d like to implement a KMS design.  What do I need to have?

A:  This can be a tricky question because KMS has default settings which will work for 99% of customers, but can also be customized for very specific purposes.  We’ll focus on the defaults in this section.  The first thing you need to implement KMS is a machine that will be designated the KMS host.  You’ll want to choose a machine that is readily accessible by all of your clients and has reasonably high uptime.  Most companies choose to use a domain controller or a management/reporting server for their KMS host.  KMS requires very few resources and generally has no noticeable impact on performance.

Once you’ve designated your KMS host, you’ll need to activate it with Microsoft.  The steps to activate the KMS host are the same as those for activating a MAK.  You can use the GUI or command line.  If necessary, you can also use phone based activation if you don’t have an internet connection.  As with MAK, your KMS key(s) will be listed on your VLSC web site.  You may notice that you have several keys to choose from depending on your sales agreement.

Once the KMS host activates successfully, it will create an SRV (service) record in your DNS server so that the KMS clients will know how to find it.  From there, the KMS host sits and waits until the KMS clients start to request activation.  You can force the KMS clients to activate manually or wait a few hours and it should start happening automatically.

During the time period where the first clients are communicating with the KMS host, you will receive a response from the KMS host saying “insufficient client count”.  This will occur until enough KMS clients have tried to activate.  If you’ll recall from above, you need at least 5 servers or a combination of 25 servers and clients before a KMS host will begin to activate KMS clients successfully.

Q:  How do I choose which KMS key I want to use?

A:  Don’t forget that we mentioned earlier that the KMS key on your VLSC site is only to be used on the KMS host.  You don’t use it for all of the other machines.  This is a common mistake, so you want to make sure only a few people have access to them.  Don’t share the KMS key with anyone other than the administrator that is in charge of the KMS host.  You only need 1 KMS key per KMS host at any time for Windows.

The way you choose the KMS key is by determining what versions of the OS you’re going to want to activate.  KMS keys are built on a hierarchy, meaning that some keys can activate a lot of different versions of the OS and others can only activate 1 or 2.  The primary point to remember here is that the higher level the key is, the more it can activate.  For example, a Windows 7 key can also activate Windows Vista.  In the same context, a Server Group key can activate a client and multiple SKUs of the server operating systems depending on its level.  The highest possible key at the time of this writing is a Windows Server 2008 R2 Server Group C key.  It will activate every edition of the OS we have.

Here’s a quick chart to help:

[Chart: KMS key hierarchy]

Discussing Volume Activation in a Conversation – Additional Topics

Q:  Does Microsoft monitor all activations?  i.e., is activation now the same as software metering?

A:  It depends on the type of activation you’re using.  With MAK activation, each machine contacts a Microsoft licensing server individually, so each time a new machine activates, we deduct 1 count from your MAK.  Each MAK that you own is tied to a specific count of machines based on what you purchased.  If you think there has been a problem where you activated too many machines, you need to contact Microsoft support and speak with a licensing specialist who can assist you with the process.

With KMS activation, Microsoft places the majority of the infrastructure in your hands.  Microsoft only keeps a count of the number of KMS hosts that you’ve activated, but does not gather information on the number of machines those KMS hosts have activated themselves.  Each KMS host that you configure also doesn’t keep a full history of the machines it’s activated; it keeps a maximum history of the last 50 KMS clients.  This means that you shouldn’t rely on your KMS host to keep track of all the machines you’ve activated for licensing purposes.  You also need to make sure that you take measures to prevent your KMS keys from accidentally getting into the wrong hands or exposing your KMS host to the internet.  Microsoft’s intention with providing a KMS solution is not to be a big brother, but instead to give you the ability to run your business without having to expend a significant amount of time on activation.  In general, KMS is a “set it, forget it” system once you’ve got it set up for your environment.  If you accidentally use your KMS key on multiple machines and need to get a new one or reset it, contact Microsoft support and speak with a licensing specialist who can assist you with the process.

To put it more simply, volume activation is not equivalent to software metering.  You are still responsible for making sure that you are compliant with your licenses.  Don’t rely on your MAK count or KMS server event logs to determine how many licenses you have used.

Q:  How does KMS know what machines to activate?  How do I make sure I don’t accidentally activate the wrong machines?

A:  KMS is purely a network based service.  Think of it more like DHCP than Active Directory.  It has no built in security boundary, so you must take precautions to prevent unknown machines from being able to find it.  By default, KMS clients will automatically seek out a KMS host.  They do this by querying their DNS server for a specific type of SRV record.  If they find that SRV record, they’ll go straight over to the KMS host and ask to be activated.  This means that you want to make sure that either you’ve secured your DNS server so that internal addresses cannot be resolved or that you’ve secured your network.  The most effective way to make sure that only machines you own can contact the KMS host is to implement IPSec (http://technet.microsoft.com/en-us/network/bb531150.aspx) in your environment.  By using IPSec to secure communications between all of the servers and clients in your network, unknown machines won’t be able to reach them even if you accidentally expose the record.

An alternative method is to prevent the KMS host from automatically creating its SRV record and then configure each of the KMS clients with static information on the KMS host location.  However, this would cause a great deal of overhead and doesn’t actually secure the KMS host.  It would still respond if someone were to know where it was.


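An audit of the SRV record that the KMS host registers and that the clients look up (the two answers above), as an added example that is not part of the original post: it lists every host your DNS advertises as a KMS host and flags any that is not on your list of designated hosts, which is how you notice a KMS key that was used on more machines than intended. The record name _vlmcs._tcp is the one KMS uses; the expected host name is a placeholder and the function names are mine. It shells out to nslookup because Resolve-DnsName does not exist on Windows 7 / Server 2008 R2, and it assumes English nslookup output.

```powershell
# Added example, not from the original post. PowerShell 2.0 syntax.
function Get-KmsSrvHosts {
    param([string] $Domain = $env:USERDNSDOMAIN)
    if (-not $Domain) { throw "No DNS domain given and this machine is not domain-joined." }

    # Each SRV answer from nslookup is a "SRV service location:" header followed
    # by indented priority / weight / port / svr hostname lines.
    $output  = & nslookup.exe -type=SRV "_vlmcs._tcp.$Domain" 2>$null
    $records = @()
    $current = $null
    foreach ($line in $output) {
        if ($line -match 'SRV service location') {
            $current  = New-Object PSObject -Property @{ Host = $null; Port = $null; Priority = $null }
            $records += $current      # PSObject is a reference; later edits land in the array
        }
        elseif ($current -and $line -match '^\s*priority\s*=\s*(\d+)')       { $current.Priority = [int]$Matches[1] }
        elseif ($current -and $line -match '^\s*port\s*=\s*(\d+)')           { $current.Port = [int]$Matches[1] }
        elseif ($current -and $line -match '^\s*svr hostname\s*=\s*(\S+)')   { $current.Host = $Matches[1].TrimEnd('.').ToLower() }
    }
    $records
}

function Test-KmsSrvRecords {
    param(
        [Parameter(Mandatory=$true)] [string[]] $ExpectedHosts,   # your designated KMS host(s)
        [string] $Domain = $env:USERDNSDOMAIN
    )
    $expected = $ExpectedHosts | ForEach-Object { $_.ToLower() }
    foreach ($r in (Get-KmsSrvHosts -Domain $Domain)) {
        $status = if ($expected -contains $r.Host) { 'expected' } else { 'UNEXPECTED' }
        New-Object PSObject -Property @{
            Host     = $r.Host
            Port     = $r.Port        # 1688 is the KMS default
            Priority = $r.Priority
            Status   = $status
        }
    }
}

# Placeholder host name; replace with the machine you designated as KMS host.
Test-KmsSrvRecords -ExpectedHosts @('kms01.corp.example.com') |
    Format-Table Host, Port, Priority, Status -AutoSize
```

An UNEXPECTED entry means a second machine registered itself as a KMS host, which is the situation the answer above describes (the KMS key used on a machine it was not meant for) and a reason to contact the licensing specialist; no entries at all means clients cannot find the host through DNS.
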
Kevin Ledman

Senior Support Escalation Engineer

Microsoft Enterprise Platforms Support

Troubleshooting ‘Redirected Access’ on a Cluster Shared Volume (CSV)


Cluster Shared Volumes (CSV) is a new feature implemented in Windows Server 2008 R2 to assist with new scale-up/scale-out scenarios.  CSV provides a scalable fault tolerant solution for clustered applications that require NTFS file system access from anywhere in the cluster.  In Windows Server 2008 R2, CSV is only supported for use by the Hyper-V role.

The purpose of this blog is to provide some basic troubleshooting steps that can be executed to address CSV volumes that show a Redirected Access status in Failover Cluster Manager.  It is not my intention to cover the Cluster Shared Volumes feature.  For more information on Cluster Shared Volumes consult TechNet.

Before diving into some troubleshooting techniques that can be used to resolve Redirected Access issues on Cluster Shared Volumes, let’s list some of the basic requirements for CSV as this may help resolve other issues not specifically related to Redirected Access.

  • Disks that will be used in the CSV namespace must be MBR or GPT with an NTFS partition. 
  • The drive letter for the system disk must be the same on all nodes in the cluster.
  • The NTLM protocol must be enabled on all nodes in the cluster.
  • Only the in-box cluster “Physical Disk” resource type can be added to the CSV namespace.  No third party storage resource types are supported.
  • Pass-through disk configurations cannot be used in the CSV namespace.
  • All networks enabled for cluster communications must have Client for Microsoft Networks and File and Printer Sharing for Microsoft Networks protocols enabled.
  • All nodes in the cluster must share the same IP subnets between them as CSV network traffic cannot be routed.  For multi-site clusters, this means stretched VLANs must be used.

Let’s start off by looking at the CSV namespace in a Failover Cluster when all things appear to be ‘normal.’  In Figure 1,  all CSV volumes show Online in the Failover Cluster Management interface.


Figure 1

Looking at a CSV volume from the perspective of a highly available Virtual Machine group (Figure 2), the Virtual Machine is Online on one node of the cluster (R2-NODE1), while the CSV volume hosting the Virtual Machine files is Online on another node (R2-NODE2) thus demonstrating how CSV completely disassociates the Virtual Machine resources (Virtual Machine; Virtual Machine Configuration) from the storage hosting them.

clip_image004

Figure 2

When all things are working normally (no backups in progress, etc…) in a Failover Cluster with respect to CSV, the vast majority of all storage I/O is Direct I/O meaning each node hosting a virtual machine(s) is writing directly (via Fibre Channel, iSCSI, or SAS connectivity) to the CSV volume supporting the files associated with the virtual machine(s).  A CSV volume showing a Redirected Access status indicates that all I/O to that volume, from the perspective of a particular node in the cluster, is being redirected over the CSV network to another node in the cluster which still has direct access to the storage supporting the CSV volume.  This is, for all intents and purposes, a ‘recovery’ mode.  This functionality prevents the loss of all connectivity to storage.  Instead, all storage related I/O is redirected over the CSV network.  This is very powerful technology as it prevents a total loss of connectivity thereby allowing virtual machine workloads to continue functioning.  This provides the cluster administrator an opportunity to evaluate the situation and live migrate workloads to other nodes in the cluster not experiencing connectivity issues. All this happens behind the scenes without users knowing what is going on.  The end result may be slower performance (depending on the speed of the network interconnect, for example, 10 GB vs. 1 GB) since we are no longer using direct, local, block level access to storage.  We are, instead, using remote file system access via the network using SMB.

There are basically four reasons a CSV volume may be in a Redirected Access mode. 

  1. The user intentionally places the CSV Volume in Redirected Access mode.
  2. There is a storage connectivity failure for a node, in which case all I/O is redirected over a cluster network designated for CSV traffic to another node.
  3. A backup of a CSV volume is in progress or failed.
  4. An incompatible filter driver is installed on the node.

Let’s take a look at a CSV volume in Redirected Access mode (Figure 3).


Figure 3

When a CSV volume is placed in Redirected Access mode, a Warning message (Event ID 5136) is registered in the System Event log (Figure 4).


Figure 4

For additional information on event messages that pertain specifically to Cluster Shared Volumes please consult TechNet.


Let’s look at each one of the four reasons I mentioned and propose some troubleshooting steps that can help resolve the issue.

1.  User intentionally places a CSV volume in Redirected Access mode:  Users are able to manually place a CSV volume in Redirected Access mode by simply selecting a CSV volume, Right-Click on the resource, select More Actions and then select Turn on redirected access for this Cluster shared volume (Figure 5).


Figure 5

Therefore, the first troubleshooting step should be to try turning off Redirected Access mode in the Failover Cluster Management interface.

2.  There is a storage connectivity issue:  When a node loses connectivity to attached storage that is supporting a CSV volume, the cluster implements a recovery mode by redirecting storage I/O to another node in the cluster over a network that CSV can use.  The status of the cluster Physical Disk resource associated with the CSV volume is Redirected Access and all storage I/O for the associated virtual machine(s) being hosted on that volume is redirected over the network to another node in the cluster that has direct access to the CSV volume.  This is by far the number one reason CSV volumes are placed in Redirected Access mode. Troubleshoot this as you would any other loss of storage connectivity on a server.  Involve the storage vendor as needed.  Since this is a cluster, the cluster validation process can also be used as part of the troubleshooting process to test storage connectivity.

3.  A backup of a CSV volume fails:  When a backup is initiated on a CSV volume, the volume is placed in Redirected Access mode.  The type of backup being executed determines how long a CSV volume stays in redirected mode. If a software backup is being executed, the CSV volume remains in redirected mode until the backup completes.  If hardware snapshots are being used as part of the backup process, the amount of time a CSV volume stays in redirected mode will be very short.  For a backup scenario, the CSV volume status is slightly modified.  The status actually shows as Backup in progress, Redirected Access  (Figure 6) to allow you to better understand why the volume was placed in Redirected Access mode. When the backup application completes the backup of the volume, the cluster must be properly notified so the volume can be brought out of redirected mode.


Figure 6

A couple of things can happen here.  Before proceeding down this road, ensure a backup is really not in progress. The first thing that needs to be considered is that the backup completes but the application did not properly notify the cluster that it completed so the volume can be brought out of redirected mode.  The proper call that needs to be made by the backup application is ClusterClearBackupStateForSharedVolume which is documented on MSDN.  If that is the case, you should be able to clear the Backup in progress, Redirected Access status by simulating a failure on the CSV volume using the cluster PowerShell cmdlet Test-ClusterResourceFailure.  Using the CSV volume shown in Figure 6, an example would be –

Test-ClusterResourceFailure "35 GB Disk"

If this clears the redirected status, then the backup application vendor needs to be notified so they can fix their application.

The second consideration concerns a backup that fails, but the application did not properly notify the cluster of the failure so the cluster still thinks the backup is in progress. If a backup fails, and the failure occurs before a snapshot of the volume being backed up is created, then the status of the CSV volume should be reset by itself after a 30 minute time delay.  If, however, during the backup, a software snapshot was actually created (assuming the application creates software snapshots as part of the backup process), then we need to use a slightly different approach.

To determine if any volume shadow copies exist on a CSV volume, use the vssadmin command line utility and run vssadmin list shadows (Figure 7).


Figure 7

Figure 7 shows there is a shadow copy that exists on the CSV volume that is in Redirected Access mode. Use the vssadmin utility to delete the shadow copy (Figure 8).  Once that completes, the CSV volume should come Online normally.  If not, change the Coordinator node by moving the volume to another node in the cluster and verify the volume comes Online.


Figure 8

4.  An incompatible filter driver is installed in the cluster:  The last item in the list has to do with filter drivers introduced by third party application(s) that may be running on a cluster node and are incompatible with CSV.  When these filter drivers are detected by the cluster, the CSV volume is placed in redirected mode to help prevent potential data corruption on a CSV volume.  When this occurs an Event ID 5125 Warning message is registered in the System Event Log.  Here is a sample message –

17416 06/23/2010 04:18:12 AM   Warning       <node_name>  5125    Microsoft-Windows-FailoverClusterin Cluster Shared Vol NT AUTHORITY\SYSTEM               Cluster Shared Volume 'Volume2' ('Cluster Disk 6') has identified one or more active filter drivers on this device stack that could interfere with CSV operations. I/O access will be redirected to the storage device over the network through another Cluster node. This may result in degraded performance. Please contact the filter driver vendor to verify interoperability with Cluster Shared Volumes.  Active filter drivers found: <filter_driver_1>,<filter_driver_2>,<filter_driver_3>

The cluster log will record warning messages similar to these –

7c8:088.06/10[06:26:07.394](000000) WARN  [DCM] filter <filter_name> found at unsafe altitude <altitude_numeric>
7c8:088.06/10[06:26:07.394](000000) WARN  [DCM] filter <filter_name>  found at unsafe altitude <altitude_numeric>
7c8:088.06/10[06:26:07.394](000000) WARN  [DCM] filter <filter_name>   found at unsafe altitude <altitude_numeric>

Event ID 5125 is specific to a file system filter driver.  If, instead, an incompatible volume filter driver were detected, an Event ID 5126 would be registered.  For more information on the difference between file and volume filter drivers, consult MSDN.

Note:  Specific filter driver names and altitudes have been intentionally left out.  The information can be decoded by downloading the ‘File System Minifilter Allocated Altitudes’ spreadsheet posted on the Windows Hardware Developer Central public website.

Additionally, the fltmc.exe command line utility can be run to enumerate filter drivers.  An example is shown in Figure 9.


Figure 9

Once the third-party filter driver has been identified, the application should be removed and/or the vendor contacted to report the problem.  Problems involving third-party filter drivers are rarely seen but still need to be considered.

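A collection script for the four causes walked through above, as an added example that is not part of the original post: from one node it reports each CSV’s redirected and maintenance state, pulls the 5136, 5125 and 5126 events from the System log, lists leftover shadow copies from vssadmin, and lists loaded filter drivers from fltmc, so the checks above can be run in order from one place. It assumes the FailoverClusters PowerShell module on Windows Server 2008 R2 and an elevated session; the SharedVolumeInfo property names (RedirectedAccess, MaintenanceMode, FriendlyVolumeName) are as I recall them from that module and are an assumption, and the function name is mine.

```powershell
# Added example, not from the original post. PowerShell 2.0 syntax; run
# elevated on a cluster node with the FailoverClusters module installed.
Import-Module FailoverClusters

function Get-CsvRedirectedReport {
    param([int] $HoursBack = 24)

    # Causes 1-3 show up as current CSV state. SharedVolumeInfo holds one
    # entry per partition; its RedirectedAccess / MaintenanceMode property
    # names are an assumption (see lead-in).
    $volumes = foreach ($csv in Get-ClusterSharedVolume) {
        foreach ($info in $csv.SharedVolumeInfo) {
            New-Object PSObject -Property @{
                Resource         = $csv.Name
                Volume           = $info.FriendlyVolumeName
                OwnerNode        = $csv.OwnerNode.Name
                State            = $csv.State
                RedirectedAccess = $info.RedirectedAccess
                MaintenanceMode  = $info.MaintenanceMode
            }
        }
    }

    # Events the post describes: 5136 redirected access, 5125 incompatible
    # file system filter, 5126 incompatible volume filter.
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-FailoverClustering'
        ID           = 5136, 5125, 5126
        StartTime    = (Get-Date).AddHours(-$HoursBack)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message

    # Cause 3: a backup that created a snapshot but never cleared its state
    # leaves a shadow copy behind (the post's "vssadmin list shadows" step).
    $shadows = vssadmin.exe list shadows |
        Where-Object { $_ -match 'Shadow Copy ID|Original Volume' }

    # Cause 4: loaded filter drivers. Match the names and altitudes against
    # the 5125/5126 event text and the cluster log "unsafe altitude" lines.
    $filters = fltmc.exe filters | Select-Object -Skip 2   # drop the two header lines

    New-Object PSObject -Property @{
        Volumes = $volumes; Events = $events; Shadows = $shadows; Filters = $filters
    }
}

$report = Get-CsvRedirectedReport
$report.Volumes | Format-Table Resource, Volume, OwnerNode, State, RedirectedAccess, MaintenanceMode -AutoSize
$report.Events  | Format-Table TimeCreated, Id, Message -AutoSize -Wrap
$report.Shadows
$report.Filters
```

A volume that reports RedirectedAccess with no 5125/5126 event and no leftover shadow copy points at cause 1 or 2; the Test-ClusterResourceFailure step above applies only when the status shows a backup in progress.
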
Hopefully, I have provided information here that will get you started down the right path to resolving issues that involve CSV volumes running in a Redirected Access mode.

Thanks!

Chuck Timon
Senior Support Escalation Engineer
Microsoft Enterprise Platforms Support


We want to hear from you.


Every once in a while, we reach out to the IT community to get an idea of what kinds of topics you’d like to see in our blog. AskCore covers a lot of stuff (setup, deployment, cluster, BitLocker, activation, Hyper-V, etc.). If there’s any content you think would be good material for us to put together for you, please leave feedback in the comments.

Thanks,

Jeff Hughes
Senior Support Escalation Engineer
Microsoft Enterprise Platforms Support
