VMware Converter ‘Unable to Connect to the Network Share’

KB ID 0001583

Problem

I don’t think, Ive ever run the VMware Standalone Converter, without at least one error message or popup complaining about something! Today I was trying to convert a clients old Windows Server 2003 document management server, when trying to deploy the agent this happened;

Unable to connect to the network share ‘{Sever-name-or-IP} \ADMIN$’.

Solution

It’s a pretty descriptive error, can you map a drive to this machine and open a network share manually? Is the ‘server service’ running? In my case the problem was easily diagnosed;

As I wasn’t about to start enabling SMBv1 on the clients Windows 2019 server! So I simply installed the VMware Standalone converter on one of their existing 2008 members servers instead, and ran it from there.

Related Articles, References, Credits, or External Links

SMB1 Is Dead? (Unfortunately Not Yet)

VMware Converter – Unable to Deploy Agent

SMB1 Is Dead? (Unfortunately Not Yet)

KB ID 0001461

Problem

I recently did a migration for an engineering company, about a week later I got an email from them to say, “We have a new Windows 10 PC, and it can’t connect to the ‘N’ Drive?” I asked them to send me a screenshot, the error was;

You can’t connect to the file share because it’s not secure. This share requires the obsolete SMB1 protocol, which is unsafe and could expose your system to attack.
Your system requires SMB2 or higher. For more info on resolving this issue, see: https://go.microsoft.com/fwlink/?linkid=852747

Some Googling told me that windows 10 (build 1803) had removed SMB1, and like most people who see this for the first time, I got thePowerShell to turn it on, client was happy end of problem right?

Well yes and no, ‘SMB1 is Bad‘, very bad in fact, enabling SMB1 is a bit like removing the windows from your house because your too hot, yes it solves the problem, but now anyone who wants to jump into your house can do so, at any time of the day!

OK What’s Changed?

With Windows 10 (Build 1803) SMB1 has been completely disabled. If you try and connect to a device/share that’s using it you will see the same error my client did.

However if you have an earlier build of Windows 10, and you simply let it update, (Including the 1803 July Security update), that will continue to work.

I tried to replicate this on my test network, like the client I had a 2008 R2 file server, and connected to it from a new Windows 10 and an old(er) updated Windows 10 machine. Everything worked? In fact to replicate the clients error, I had to manually disable SMB2 and force SMB1? That’s strange I thought, so I checked the clients server;

As you will discover (below) the DWORD highlighted disables SMB2 and forces the server to use SMB1. Now the server does not ship like this, and I doubt very much anyone did this manually, so where did it come from? Well as an educated guess, the software that runs on this server needs SMB1. (They have some older Linux machines and machinery that logs are collected from).

Solution

As Microsoft says;

Warning: We do not recommend that you disable SMBv2 or SMBv3. Disable SMBv2 or SMBv3 only as a temporary troubleshooting measure. Do not leave SMBv2 or SMBv3 disabled.

So the steps I outline below, are so you can actually do some troubleshooting, to see what’s wrong. The third law of engineering states ‘Just because you can do something, does not necessarily mean you should‘ That being said, I appreciate we operate in the real world. If your line of business software needs SMB1 you cant shut down production while the vendor fixes their ‘poorly written, and relying on 30 year old protocol‘ code. Or, what you are connecting to might not be a Windows machine at all! It might be an appliance tha’ts old, with no firmware to update it to SMB2/3, and there’s no budget to replace it.

Windows 10 Enable SMB1

Use the following PowerShell;

[box]

Get-WindowsOptionalFeature -Online –FeatureName smb1protocol
Enable-WindowsOptionalFeature -Online –FeatureName smb1protocol

[/box]

Again this is a temporary fix! As soon as possible disable it again.

[box]

Disable-WindowsOptionalFeature -Online –FeatureName smb1protocol

[/box]

Windows Server (Enabling/Disabling SMB1 & SMB2)

As with most things, SMB status is set in the registry (see above).

Enable or disable SMBv1 on the SMB server;

Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB1
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled (No registry key is created)

Enable or disable SMBv2 on the SMB server;

Registry subkey:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB2
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled (No registry key is created)

Note:  You must restart the computer after you make these changes.

But things are much easier done with PowerShell, to see the settings;

[box]Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | ForEach-Object {Get-ItemProperty $_.pspath}[/box]

Note: Above SMB1 is enabled SMB2 is Disabled.

WARNING: To test this properly, I’d suggest converting this server to a VM and testing on a copy, or cloning the server, (if it’s already virtualised), then you can try out some non-destructive testing, to make sure your applications still work. Ideally start by enabling SMB2 and disabling SMB1 to test.

[box]Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” SMB2 -Type DWORD -Value 1 –Force
Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” SMB1 -Type DWORD -Value 0 –Force[/box]

Remember to reboot!

 

If your application still works great, ‘you didn’t need SMB1 anyway‘, sit back, light your pipe, and admire your handiwork!

If not, try with both Protocols enabled. (To be fair, security-wise this is just as bad as having SMB1 only, as all the ‘good bits’ in SMB2 can still be bypassed by using SMB1!) But at least (from a user perspective) your new Windows machines will connect via SMB2.

Remember to reboot!

 

Related Articles, References, Credits, or External Links

NA

Deploying a Windows Server 2008 Domain Controller in a Windows 2003 Domain

KB ID 0000239

Problem

Before you can add a Windows Server 2008 Domain Controller to a Windows Server 2003 Domain you need to carry out some preparation, this can be done during working hours, as the process only has a slight performance hit no one will notice there is work going on.

Solution

Before you start, have a good look round your existing domain controllers, get the latest service packs and updates installed. Have a good look through the event logs on the domain controllers, and make sure you domain is happy and replicating, before introducing 2008.

1. First locate the server that holds the FSMO role “schema master”

Locate your FSMO Servers

netdom query /domain:YOURDOMAINNAME fsmo

Note: this is a test network, so all my roles are on the same server – yours will probably be spread out more efficiently.

Prepare the Forest for 2008

2. Go to the schema master server and put in the Server 2008 Install DVD (if it does not have a DVD drive then share then copy the contents of the “support” folder to the schema master).

3. Change to the directory that contains adprep, and issue an “adprep /forestprep” command. (or adrep32 /forestprep on an x32 bit server see below).

4. Read the warning! Make sure your domain controllers comply. Press C {enter} to continue.

Adprep32/ forestprep

5. It will run for a few minutes (Coffee!). When it’s finished it should say that it was successful.

Prepare the Domain for 2008

1. You need to locate the FSMO server that’s holding your Infrastructure Master Role. CLICK HERE.

2. Go to the Infrastructure master server and put in the Server 2008 Install DVD (if it does not have a DVD drive then share then copy the contents of the “support” folder to the schema master).

3. Change to the directory that contains adprep, and issue an “adprep /domainprep” command. (or adrep32 /domainprep on an x32 bit server see below).

Adprep32 /domainprep

Note: This will fail if the domain is not in “Native Mode”

Note: You may also want to run “adprep /domainprep /gpprep” when the above had completed successfully.

Prepare the environment for a 2008 RODC (Read Only Domain Controller)

1. Only really a problem if you want to deploy an RODC. You need to locate the FSMO server that’s holding your Infrastructure Master Role. CLICK HERE.

2. Go to the Infrastructure Master server and put in the Server 2008 Install DVD (if it does not have a DVD drive then share then copy the contents of the “support” folder to the schema master).

3. Change to the directory that contains adprep, and issue an “adprep /rodc” command. (or adrep32 /domainprep on an x32 bit server).

4. Skip to this step.

If you DONT Prepare for Server 2008 you will see the following errors

Seen when adding a 2008 domain controller to a domain with an earlier schema/domain version.

Error 1: To install a domain controller into this Active Directory forest you must first prepare the forest using “adprep /forestprep”. The Adprep utility is available on the Windows Server 2008 R2 installation media in the supportadprep folder.

Error 2: To install a domain controller into this Active Directory domain, you must first prepare the domain using “adprep /domainprep”. The Adprep utility is available on the Windows Server 2008 R2 installation media in the supportadprep folder.

Error 3: You will not be able to install a read-only domain controller in this domain because the “adprep /rodcprep” was not yet run.

Install the New Windows Server 2008 Domain Controller

I’m assuming you have a new server built with Windows Server 2008 / 2008 R2 installed on it, and that you have applied all the necessary service packs and updates to it. It should also be joined to the domain (as a member server) and preferably have a static IP address.

1. Whilst logged on with administrative access > Start > In the Search/Run > type dcpromo {enter}

2. Next.

3. Read the warnings > Next.

4. We are adding a new DC in an existing domain > Next.

5. Confirm the domain name is correct > Next.

6. Check again > Next.

7. If your domain has multiple sites > Then select the site that this DC will be deployed into > Next.

8. The first 2008 Domain controller, should be a global catalog server, and the promotion will install and configure DNS as well > Next.

9. If you have a flat single domain with AD integrated DNS zones this is OK > Simply click Yes > Next.

10. Accept the defaults, (unless you want to host these in a different location) > Next.

11. Enter a recovery mode password. NEVER FORGET, or lose this password, you will need it, if you ever need to restore active directory by booting to directory restore mode.

12. Review the settings > Next.

13. Active directory will install, you can tick the box to reboot when finished if that,s OK (It will need a reboot anyway).

14. When completed simply click finish.

15. If you did not select reboot above then you will be asked to do so now.

 

Related Articles, References, Credits, or External Links

NA

Cisco ASA – Allowing Domain Trusts, and Authentication

KB ID 0000973 

Problem

I cringed this morning when I was asked about this, last time I had to get a client to authenticate to a domain through a firewall, it was ‘entertaining’. The problem is Windows loves to use RPC, which likes to use random ports, so to make it work you either had to open TCP ports 49152 and 65535 (Yes I’m Serious). Or you had to registry hack all your domain controllers and specify individual ports for RPC as per MS KB 224196, then allow those ports. I have a client that’s got a separate domain in their DMZ and I need to setup a trust with their internal domain, so I started writing the firewall config. Then when I asked the ‘Do you want to open all these ports or simply lock RPC down on all the domain controllers?’ Question, my colleague found ‘dcerpc’ inspection.

Dcerpc has been available since at least ASA version 7.2, I had never heard of it! Cisco Says;

DCERPC is a protocol widely used by Microsoft distributed client and server applications that allows software clients to execute programs on a server remotely.

DCERPC inspection maps inspection for native TCP communication between a server called the Endpoint Mapper (EPM) and client on the well-known TCP port 135. Map and lookup operations of the EPM are supported for clients. Client and server can be located in any security zone. The embedded server IP address and port number are received from the applicable EPM response messages. Because a client can attempt multiple connections to the server port returned by EPM, creation of multiple pinholes is allowed

Heres how to do it with the following topology;

Note: Setting up a ‘Trust’ or allowing a client to ‘Authenticate’ requires the same configuration, but below I will use the IP of the Domain controller, rather than the IP of the client.

Solution

I’m assuming you ALREADY have access-lists from your internal network, and from your DMZ, you may need to replace the names of the ACL’s I use below with your own, ‘show run access-group’ will tell you.

1. There are a myriad of ports, (both TCP and UDP) that you are required to open, those being;

So connect to the ASA, Go to enable mode, then global configuration mode, and add the ACL’s to open the ports above. BE AWARE the last line enables ICMP/ping (just for testing you can remove it later and you will need to have ICMP inspection on for it to work).

[box]


Type help or '?' for a list of available commands.
PetesASA> enable
Password:**********
PetesASA# configure terminal
PetesASA(config)#access-list outbound permit tcp host 192.168.1.10 host 172.16.1.10 eq 135
PetesASA(config)#access-list outbound permit tcp host 192.168.1.10 host 172.16.1.10 eq 464
PetesASA(config)#access-list outbound permit udp host 192.168.1.10 host 172.16.1.10 eq 464
PetesASA(config)#access-list outbound permit tcp host 192.168.1.10 host 172.16.1.10 eq 389
PetesASA(config)#access-list outbound permit udp host 192.168.1.10 host 172.16.1.10 eq 389
PetesASA(config)#access-list outbound permit tcp host 192.168.1.10 host 172.16.1.10 eq 636
PetesASA(config)#access-list outbound permit tcp host 192.168.1.10 host 172.16.1.10 eq 3268
PetesASA(config)#access-list outbound permit tcp host 192.168.1.10 host 172.16.1.10 eq 3269
PetesASA(config)#access-list outbound permit tcp host 192.168.1.10 host 172.16.1.10 eq 53
PetesASA(config)#access-list outbound permit udp host 192.168.1.10 host 172.16.1.10 eq 53
PetesASA(config)#access-list outbound permit tcp host 192.168.1.10 host 172.16.1.10 eq 88
PetesASA(config)#access-list outbound permit udp host 192.168.1.10 host 172.16.1.10 eq 88
PetesASA(config)#access-list outbound permit tcp host 192.168.1.10 host 172.16.1.10 eq 445
PetesASA(config)#access-list outbound permit icmp host 192.168.1.10 host 172.16.1.10

[/box]

2. Then we need to allow the traffic from the other direction, again here my ACL is called ‘DMZ’, check and change yours accordingly.

[box]PetesASA(config)#access-list DMZ permit tcp host 172.16.1.10 host 192.168.1.10 eq 135
PetesASA(config)#access-list DMZ permit tcp host 172.16.1.10 host 192.168.1.10 eq 464
PetesASA(config)#access-list DMZ permit udp host 172.16.1.10 host 192.168.1.10 eq 464
PetesASA(config)#access-list DMZ permit tcp host 172.16.1.10 host 192.168.1.10 eq 389
PetesASA(config)#access-list DMZ permit udp host 172.16.1.10 host 192.168.1.10 eq 389
PetesASA(config)#access-list DMZ permit tcp host 172.16.1.10 host 192.168.1.10 eq 636
PetesASA(config)#access-list DMZ permit tcp host 172.16.1.10 host 192.168.1.10 eq 3268
PetesASA(config)#access-list DMZ permit tcp host 172.16.1.10 host 192.168.1.10 eq 3269
PetesASA(config)#access-list DMZ permit tcp host 172.16.1.10 host 192.168.1.10 eq 53
PetesASA(config)#access-list DMZ permit udp host 172.16.1.10 host 192.168.1.10 eq 53
PetesASA(config)#access-list DMZ permit tcp host 172.16.1.10 host 192.168.1.10 eq 88
PetesASA(config)#access-list DMZ permit udp host 172.16.1.10 host 192.168.1.10 eq 88
PetesASA(config)#access-list DMZ permit tcp host 172.16.1.10 host 192.168.1.10 eq 445
PetesASA(config)#access-list DMZ permit icmp host 172.16.1.10 host 192.168.1.10[/box]

3. Now create a class-map and set it to inspect TCP port 135.

[box]PetesASA(config)# class-map CM-DCERPC
PetesASA(config-cmap)# match port tcp eq 135[/box]

4. Then create a policy-map to use that class map to perform dcerpc inspection.

[box]PetesASA(config-cmap)# policy-map PM-DCERPC
PetesASA(config-pmap)# class CM-DCERPC
PetesASA(config-pmap-c)# inspect dcerpc
PetesASA(config-pmap-c)# exit [/box]

5. Finally apply the policy-map to the interfaces with a service-policy.

[box]PetesASA(config)# service-policy PM-DCERPC interface inside
PetesASA(config)# service-policy PM-DCERPC interface DMZ[/box]

6. Give it a test, make sure the machines can ping each other, and you may at this point want to remove the ICMP lines from the ACL. Once you are happy, save the changes.

[box]PetesASA# write mem
Building configuration…
Cryptochecksum: 4d7f7ccd 5c55a9e1 6ced12c4 46728bc7
[OK]
PetesASA#[/box]

 

Related Articles, References, Credits, or External Links

NA