Tuesday, June 26, 2007

The local policy of this system does not permit you to logon interactively on Citrix Metaframe Server after adding Windows 2003 DC to domain

Today we added our first Windows 2003 DC to a Windows 2000 domain. After AD replication completed successfully, users who used to log in to the domain via Citrix started receiving a message when logging on to the server:

The local policy of this system does not permit you to logon interactively

After digging through a lot of blog posts and MS Knowledge Base articles, everything pointed to the Local Security Settings of the Citrix machine not having the appropriate permissions. Apparently this was not a problem before in the Windows 2000 AD.

So I went into AD and put the Citrix server in its own OU, then created a new GPO. In the GPO settings,

go to
Computer Configuration => Windows Settings => Security Settings => Local Policies => User Rights Assignment

Under User Rights Assignment, look for the following setting:

If Using Win2k3 - Allow Login to Terminal Server
If Using Win2K - Log on Locally

Double-click the policy above and add the appropriate group.

After you have assigned the right, make sure that the group you assigned it to also has the Read and Apply Group Policy permissions on that GPO.

If you do the first and not the second the problem will still exist.

Also make sure to refresh Group Policy by opening a command prompt and running the following command:

If Win2K : secedit /refreshpolicy machine_policy /force
If Win2k3: gpupdate /force

Reboot the Terminal or Citrix Server.

This resolved the problem for me.
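To confirm that both halves of the fix took (the right is assigned in the GPO, and the GPO is actually applied to the group), here is an added PowerShell check, not from the original post: it exports the effective local security policy with secedit and lists who holds the logon right on this server. It assumes it is run on the Citrix server as an administrator with PowerShell 2.0 or later, and the group name is a placeholder.

```powershell
# Added check, not part of the original post. Assumed: run on the Citrix /
# Terminal Server itself as an administrator; PowerShell 2.0 or later.
# Windows 2003 right: SeRemoteInteractiveLogonRight (Allow log on through Terminal Services)
# Windows 2000 right: SeInteractiveLogonRight       (Log on locally)
$RightName = 'SeRemoteInteractiveLogonRight'
$GroupName = 'CONTOSO\Citrix Users'      # placeholder: your Citrix users group

function Get-UserRightHolders([string]$right) {
    # secedit writes the effective local policy, GPO-applied settings included,
    # as a Unicode .inf file; we only need the matching [Privilege Rights] line.
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    & secedit.exe /export /cfg $inf | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match "^$right\s*=" }
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }      # right not granted to anyone
    $holders = @()
    foreach ($entry in ($line -replace '^.*=\s*', '').Split(',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            # Entries are SIDs prefixed with '*'; translate to DOMAIN\name where possible.
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            try   { $holders += $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $holders += $entry.Substring(1) }   # orphaned SID, keep it raw
        } else { $holders += $entry }
    }
    return $holders
}

$holders = Get-UserRightHolders $RightName
"$RightName is held by: " + ($holders -join ', ')
if ($holders -contains $GroupName) {
    "OK: $GroupName holds $RightName on this server."
} else {
    "MISSING: $GroupName does not hold $RightName. Check the GPO link, the group's"
    "Read/Apply Group Policy permissions on the GPO, then run gpupdate /force and retry."
}
```

If the group shows up only after you fix the Read/Apply Group Policy permissions, that is the second condition described above at work.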

Monday, June 25, 2007

Windows 2003 SP2 throws printer offline

After I installed Windows 2003 SP2 on one of my client's Windows 2003 Servers, which was also a print server, the printer queue went offline.
I would restart the Print Spooler service on the server and the printer would stay online for only one job; it would go offline again immediately after that job.
After researching for over an hour I found out that apparently SP2 changed the way SNMP handles printer queues.
It now runs multiple SNMP threads for the printer queues instead of one round robin.
To resolve this, first check that your printer's SNMP is working properly.
As a workaround, in the Printers and Faxes folder:
File => Server Properties
Go to the Ports tab
Click the port that is going offline
Configure Port
Uncheck "SNMP Status Enable"

This will turn off SNMP querying and set the printer to always show as Online.

PS: This is a workaround only; once I have found a permanent fix for the situation I will post it here.
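Before clicking through every port, it helps to see which queues are offline and which ports still have SNMP status polling on. The PowerShell script below is an added example, not part of the original post; it reads the same "SNMP Status Enable" setting through WMI (Win32_TCPIPPrinterPort) and the queue's offline flag (Win32_Printer.WorkOffline), and assumes it is run on the Windows 2003 print server as an administrator with PowerShell 2.0 or later.

```powershell
# Added check, not part of the original post. Assumed: run on the Windows 2003
# print server as an administrator; PowerShell 2.0 or later with WMI available.
function Get-PrinterSnmpState {
    # Win32_TCPIPPrinterPort exposes the same "SNMP Status Enable" box as the
    # Configure Port dialog; Win32_Printer.WorkOffline is the queue's offline flag.
    $ports = Get-WmiObject -Class Win32_TCPIPPrinterPort
    foreach ($printer in Get-WmiObject -Class Win32_Printer) {
        $port = $ports | Where-Object { $_.Name -eq $printer.PortName }
        if ($port -eq $null) { continue }            # LPT/file/local ports have no SNMP
        New-Object PSObject -Property @{
            Printer     = $printer.Name
            Port        = $port.Name
            HostAddress = $port.HostAddress
            SnmpEnabled = $port.SNMPEnabled
            Community   = $port.SNMPCommunity       # must match the printer's community
            Offline     = $printer.WorkOffline
        }
    }
}

function Disable-PrinterPortSnmp([string]$portName) {
    # Programmatic equivalent of unchecking "SNMP Status Enable" on one port.
    $port = Get-WmiObject -Class Win32_TCPIPPrinterPort -Filter "Name='$portName'"
    if ($port -eq $null) { throw "Port $portName not found" }
    $port.SNMPEnabled = $false
    $port.Put() | Out-Null
}

# Queues that are offline while SNMP polling is still enabled are the SP2 suspects.
Get-PrinterSnmpState | Sort-Object Offline -Descending |
    Format-Table Printer, Port, HostAddress, SnmpEnabled, Community, Offline -AutoSize
```

A community string that does not match what the printer expects is the usual reason the author's "check that SNMP is working" step fails, and it shows up in the Community column before you resort to disabling SNMP.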

Saturday, June 23, 2007

How to shut down a remote server from DOS

Windows 2003 has a shutdown command that can be used to shut down a local or a remote computer. There are often times when a remote server cannot be reached via Terminal Services (Remote Desktop) and a restart has to be forced with another tool. The shutdown command built into Windows 2003 is a handy tool and has worked for me in those situations more than a few times.

For all parameters of the command, go to the command prompt and type:

Shutdown /?

If you want to give a remote computer/server a quick restart, type this command, replacing computername with the name of the computer you want to restart and seconds with the countdown before the restart:

shutdown /r /m \\computername /t seconds /f
(/f forces running applications to close without warning the user)

Monday, June 18, 2007

Event ID 7023 on Windows 2000 Server

Problem: I had a problem on a Windows 2000 Server that was a member server. Every time it booted there was a service/driver failure error.

In the application log the following error was being reported:

Event ID 7023
The Kerberos Key Distribution Center service terminated with the following error:
The security account manager (SAM) or local security authority (LSA) server was in the wrong state to perform the security operation.


The Kerberos Key Distribution Center is a service that should only be running on a DC. Since this machine is not a DC, Microsoft recommends that the startup type of this service be set to Disabled.

Please see this MS Knowledge Base article for more info.


Tuesday, June 12, 2007

Black Screen when connecting with Remote Desktop

When connecting to a terminal server behind a firewall, some of the users connecting over a DSL or cable connection would receive a black screen upon connection.

Usually the problem is with the MTU settings. One can adjust the setting using Dr. TCP, which is a free download from http://www.dslreports.com/drtcp. This lets you adjust the MTU setting on the network adapter of the PC that you are using to connect to the terminal server. Adjusting the MTU to 1400 did the trick for me.
But this became a nuisance, as we had several users connecting to the terminal server using Remote Desktop.
After much investigation I found out that I can change the MTU setting on the WAN interface of our firewall. In our case we were using a Watchguard Firebox.
To make the change on the Watchguard Firebox, follow these particular tweak settings to permanently adjust the MTU. The instructions (from Watchguard) are as follows.

!!! As a configuration hack, and not a GUI feature, we do not support this and will not be responsible for problems caused by this or an invalid configuration setting added manually. Keep in mind, changing MTU size may fix speed for the services that use the bigger size, but mess things up for other things that prefer 1500.

1) Save your Firebox config to a file and open it in a text editor

2) Find the following lines:

scripts.startup.00 here0

3) Insert the following between them:

ifconfig eth0 mtu XXXX
ifconfig eth1 mtu XXXX
ifconfig eth2 mtu XXXX

The ''XXXX'' will be the MTU size you want on that interface card. eth0 is external, 1 is trusted and 2 optional. So if you wanted a MTU size of 1500 for external but 4096 on the other interfaces you would do as follows:

ifconfig eth0 mtu 1500
ifconfig eth1 mtu 4096
ifconfig eth2 mtu 4096

The lines should now appear as:

scripts.startup.00 here0
ifconfig eth0 mtu 1500
ifconfig eth1 mtu 4096
ifconfig eth2 mtu 4096

Once this is done, save this text edited file and reopen it in Policy manager and save it to the Firebox.
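The post settles on 1400 by trial and error; the value can be measured from a client instead. The PowerShell function below is an added example, not part of the original post: it uses ping with the Don't Fragment flag to binary-search the largest payload that reaches the terminal server unfragmented and adds the 28 bytes of IP and ICMP headers to get the path MTU. It assumes a client PC with PowerShell 2.0 or later, English ping.exe output, ICMP echo allowed to the target, and a placeholder host name.

```powershell
# Added helper, not part of the original post. Assumed: run on the client PC,
# PowerShell 2.0 or later, English ping.exe output, ICMP echo allowed to $Target.
function Find-PathMtu {
    param([string]$Target, [int]$Low = 548, [int]$High = 1472)
    # ping -f sets Don't Fragment, -l sets the ICMP payload size in bytes.
    # Binary-search the largest payload that gets a reply without fragmentation;
    # $Low is assumed to fit (548 + 28 = 576, the classic IPv4 minimum).
    while ($Low -lt $High) {
        $mid = [int][math]::Ceiling(($Low + $High) / 2)
        $out = (& ping.exe -n 1 -f -l $mid $Target 2>&1) | Out-String
        if ($out -match 'needs to be fragmented') { $High = $mid - 1 }   # too big
        elseif ($out -match 'TTL=')               { $Low  = $mid }       # fits
        else { throw "No reply from $Target at payload $mid; is ICMP blocked?" }
    }
    # MTU = payload + 20-byte IP header + 8-byte ICMP header
    return $Low + 28
}

$mtu = Find-PathMtu -Target 'terminalserver.example.com'   # placeholder host name
"Largest unfragmented MTU to the terminal server: $mtu"
if ($mtu -lt 1500) {
    "Set the client adapter MTU (or the firewall WAN interface MTU) to $mtu or lower."
}
```

On a PPPoE DSL line this typically reports 1492; a value near 1400 matches the firewall or VPN overhead the post worked around.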

Monday, June 11, 2007

Redirection of Folders in Group Policy not working

We redirect users' My Documents folder from their workstation to a server location. Recently we moved the share from one server to another. After the files were moved, the redirection stopped working and errors showed up in the workstation event viewer.

The My Documents folder was not being redirected to the new server share. We checked the share security and NTFS permissions, and nothing gave a clue as to what was going on. After googling the problem, I could not come up with any specific solution.

One thing I noticed was that on the AD server running Group Policies, the server was running Windows 2000 Server SP3.
I upgraded the server to Windows 2000 SP4.

This resulted in resolution of the problem.

Apparently this is an issue in SP3 that is resolved in SP4.

owa 440 login timeout

Problems with OWA: when a user logs in to an OWA session or to the Remote Workplace website, there is an error message

"owa 440 login timeout"

I ran into this problem with one of my clients using an SBS 2K3 server for Exchange and SharePoint services.

It turned out that someone had changed the password of either the IUSR_ or the IWAM_ account in AD, and the old password was still being used by IIS. Basically you have to sync the passwords between AD and IIS for these two accounts. Before you follow the steps listed below, go into AD and check that these user accounts are not locked out, and also make sure the Password Never Expires and User Cannot Change Password checkboxes are checked.

To resolve this issue, follow these steps:

1) Open AD Users & Computers. Expand the Users OU, right-click on the IUSR_ account and select 'Reset password' Reset the password to anything you want (however, it can't be blank).

2) Open this User Account's properties and verify that the account is not locked out :^) Also, make sure that 'Password never expires' and 'User cannot change password' are selected.

3) Repeat steps 1 & 2 for the IWAM_ account. Close AD Users & Computers.

4) Open Internet Information Services (Start | Administrative Tools)

5) Expand | Web Sites

6) Right-click on 'Default Web Site' and select Properties.

7) Go to the 'Directory Security' tab and click the Edit button under 'Authentication & Access Control'

8) Enter the new password for the IUSR_ account and click OK.

9) Enter the password again to confirm and click OK.

10) Click OK.

11) Open a command prompt and enter iisreset

12) At the command prompt, enter the following commands:
cd c:\inetpub\adminscripts
adsutil SET w3svc/WAMUserPass <password> (where <password> is the password you entered for the IWAM_ account in AD Users & Computers)
c:\windows\system32\cscript.exe "c:\inetpub\adminscripts\synciwam.vbs" -v
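To see whether the accounts and passwords are actually in sync before (or after) running the steps above, here is an added PowerShell check, not part of the original post. It reads the anonymous and WAM identities the IIS 6 metabase holds (the same values adsutil reads and writes), looks the accounts up in AD for the flags the post asks you to verify, and makes one LDAP bind with the stored password to tell you whether IIS still has a stale one. It assumes it is run on the SBS 2003 server as a domain admin with PowerShell 2.0 or later.

```powershell
# Added check, not part of the original post. Assumed: run on the SBS 2003 server
# as a domain admin, PowerShell 2.0 or later, IIS 6 ADSI provider present.
$DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl bit for "Password never expires"

function Get-AdAccountState([string]$sam) {
    # Look the account up in the current domain and read the flags the post cares about.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher("(sAMAccountName=$sam)")
    $hit = $searcher.FindOne()
    if ($hit -eq $null) { return $null }
    $uac = [int]$hit.Properties['useraccountcontrol'][0]
    $lockoutTime = 0
    if ($hit.Properties['lockouttime'].Count -gt 0) { $lockoutTime = [int64]$hit.Properties['lockouttime'][0] }
    # "User cannot change password" is an ACE on the object, not a UAC bit, so it is
    # not reported here; verify it in AD Users & Computers as step 2 says.
    New-Object PSObject -Property @{
        Account              = $sam
        DistinguishedName    = $hit.Properties['distinguishedname'][0]
        PasswordNeverExpires = (($uac -band $DONT_EXPIRE_PASSWD) -ne 0)
        LockoutTimeSet       = ($lockoutTime -ne 0)
    }
}

function Test-AdBind([string]$user, [string]$password) {
    # One LDAP simple bind with the credentials IIS has stored. A wrong password
    # (or a locked/disabled account) throws: the "passwords out of sync" condition.
    try {
        $entry = New-Object System.DirectoryServices.DirectoryEntry('LDAP://rootDSE', $user, $password)
        $null = $entry.NativeObject
        return $true
    } catch { return $false }
}

# Identities and passwords as stored in the IIS metabase (what adsutil reads/writes).
$w3svc = [ADSI]'IIS://localhost/W3SVC'
$pairs = @(
    @{ User = [string]$w3svc.AnonymousUserName; Pass = [string]$w3svc.AnonymousUserPass },
    @{ User = [string]$w3svc.WAMUserName;       Pass = [string]$w3svc.WAMUserPass }
)
foreach ($p in $pairs) {
    $sam = $p.User.Split('\')[-1]               # metabase may store DOMAIN\user
    $state = Get-AdAccountState $sam
    if ($state -eq $null) { Write-Warning "$($p.User) is set in IIS but not found in AD"; continue }
    $state | Add-Member NoteProperty IisPasswordBinds (Test-AdBind $p.User $p.Pass) -PassThru |
        Format-List Account, DistinguishedName, PasswordNeverExpires, LockoutTimeSet, IisPasswordBinds
}
```

IisPasswordBinds = False for an account that is not locked out is the stale-password case the post describes; the script makes a single bind attempt per account so it does not itself trip the lockout threshold.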