<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Nico.Berlee.nl &#187; Network-/System Administration</title>
	<atom:link href="http://nico.berlee.nl/category/network-system-administration/feed/" rel="self" type="application/rss+xml" />
	<link>http://nico.berlee.nl</link>
	<description>a digital portfolio</description>
	<lastBuildDate>Sat, 21 Jan 2012 21:31:25 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Sharepoint using Kerberos on Windows 2008</title>
		<link>http://nico.berlee.nl/sharepoint-using-kerberos-on-windows-2008/</link>
		<comments>http://nico.berlee.nl/sharepoint-using-kerberos-on-windows-2008/#comments</comments>
		<pubDate>Sun, 05 Apr 2009 20:41:13 +0000</pubDate>
		<dc:creator>Nico</dc:creator>
				<category><![CDATA[Network-/System Administration]]></category>

		<guid isPermaLink="false">http://nico.berlee.nl/?p=57</guid>
		<description><![CDATA[SharePoint 2007 has two authentication protocols it can use internally: NTLM and Kerberos. By default it uses NTLM, since that is more or less plug and play. Kerberos is the more advanced authentication protocol, since it allows credentials to be delegated to other trusted servers or services. I&#8217;m not going to tell you to always use [...]]]></description>
			<content:encoded><![CDATA[<p>SharePoint 2007 has two authentication protocols it can use internally: NTLM and Kerberos. By default it uses NTLM, since that is more or less plug and play. Kerberos is the more advanced authentication protocol, since it allows credentials to be delegated to other trusted servers or services. I&#8217;m not going to tell you to always use Kerberos, but I am a big fan of the protocol, especially when delegating credentials through an ISA 2006 server. If you want more information about the NTLM limitations and why Kerberos is the better protocol, google for &#8220;double hop&#8221;.</p>
<p>So I configured my new SharePoint 2007 farm to use Kerberos following <a href="http://technet.microsoft.com/en-us/library/cc263449.aspx">Configure Kerberos authentication (Office SharePoint Server)</a>, and I ran into some undocumented problems. I got 401 errors when trying to access some SharePoint URLs on the internal network. This was because I had configured more than one URL binding on a single IIS website. Even though I had registered both SPNs on the service account running the SharePoint application pool, it did not work with IIS 7 and Kerberos: Kerberos only works for one URL in the binding list, whichever one you try to access first. To fix this you have to create a separate IIS website using the &#8220;extend web application&#8221; function in SharePoint Central Administration. I was not able to figure out whether this is an IIS 7 bug or &#8216;by design&#8217;. Registering multiple SPNs on one service account, however, is not a problem.</p>
<p>The second Kerberos problem took me more effort to track down. Kerberos constrained delegation from the ISA server to the SharePoint site was not working. I was a bit puzzled, because <a href="http://support.microsoft.com/kb/262177">Kerberos logging</a> did not give a clear answer: it reported a Kerberos pre-authentication error. As expected, ticking the box &#8216;Do not require Kerberos preauthentication&#8217; on the service account did not solve it.</p>
<p>The cause is a new IIS 7 feature called Kernel Mode Authentication. With kernel mode authentication the service ticket is decrypted with the computer account&#8217;s key, so the SPNs on the computer account are used, even if the application pool runs under a different service account. This is a problem when you run a SharePoint farm with more than one front-end web server, since an SPN can only be registered once (on one account), as you already know.<br />
So even if you run a SharePoint farm on a single server, consider it best practice to disable Kernel Mode Authentication on all SharePoint-related websites in IIS that have Kerberos authentication enabled, including Office Server Web Services. You can disable Kernel Mode Authentication in the IIS MMC: select the website, then Authentication -&gt; Windows Authentication -&gt; Advanced Settings.</p>
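<p>As an added check, not part of the original post: the SPN and IIS work described above, done from an elevated PowerShell prompt on each front-end server with the tools that ship with Windows Server 2008 (setspn.exe and appcmd.exe). The account name, host names and IIS site names are assumptions for the example; the useAppPoolCredentials alternative at the end is an IIS 7 setting the post does not mention.</p>

```powershell
# Added example, not from the original post. Checks and applies the Kerberos
# prerequisites the post describes on a SharePoint 2007 front-end (IIS 7).
# Assumed values (replace with yours): the application pool identity, the host
# names the farm answers on, and the IIS site names.
$AppPoolAccount = 'CONTOSO\svc-sharepoint'
$HostNames      = @('portal.contoso.com', 'portal')
$Sites          = @('SharePoint - 80', 'Office Server Web Services')
$appcmd         = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'

# 1. Every host name the site is reached by needs an HTTP/hostname SPN on the
#    application pool account. setspn -S refuses to add a duplicate SPN.
foreach ($h in $HostNames) {
    & setspn.exe -S "HTTP/$h" $AppPoolAccount
}
# 2. A duplicate SPN anywhere in the forest breaks Kerberos for that name; -X lists them.
& setspn.exe -X

# 3. Show the current setting. useKernelMode="true" is the IIS 7 default; with it IIS
#    decrypts the ticket with the computer account's key instead of the application
#    pool account's, which is the situation behind the post's pre-authentication error.
foreach ($s in $Sites) {
    & $appcmd list config "$s" /section:windowsAuthentication
}

# 4. The fix the post applies through the MMC: kernel mode authentication off on
#    every SharePoint site that uses Kerberos.
foreach ($s in $Sites) {
    & $appcmd set config "$s" /section:windowsAuthentication /useKernelMode:false /commit:apphost
}

# Alternative not covered by the post: keep kernel mode but decrypt with the
# application pool credentials (also an IIS 7 setting):
#   & $appcmd set config "$s" /section:windowsAuthentication /useKernelMode:true /useAppPoolCredentials:true /commit:apphost

# 5. Kerberos event logging as in the post's KB 262177 reference. Needs a restart
#    to take effect; set LogLevel back to 0 afterwards, it is noisy.
$krb = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
if (-not (Test-Path $krb)) { New-Item -Path $krb -Force | Out-Null }
Set-ItemProperty -Path $krb -Name LogLevel -Value 1 -Type DWord
```

<p>Run the list command before and after the change and compare the useKernelMode value. When retesting from a client, clear its ticket cache first (klist purge on Windows 7 / Server 2008 R2), otherwise a cached NTLM fallback can hide the result.</p>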
]]></content:encoded>
			<wfw:commentRss>http://nico.berlee.nl/sharepoint-using-kerberos-on-windows-2008/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Faster deployment of new PC&#8217;s using GSS 2</title>
		<link>http://nico.berlee.nl/faster-deployment-of-new-pcs-using-gss-2/</link>
		<comments>http://nico.berlee.nl/faster-deployment-of-new-pcs-using-gss-2/#comments</comments>
		<pubDate>Sun, 15 Apr 2007 14:55:26 +0000</pubDate>
		<dc:creator>Nico</dc:creator>
				<category><![CDATA[Network-/System Administration]]></category>
		<category><![CDATA[deploy]]></category>
		<category><![CDATA[Ghost]]></category>
		<category><![CDATA[pxe_boot]]></category>
		<category><![CDATA[Symantec]]></category>

		<guid isPermaLink="false">http://nico.berlee.nl/faster-deployment-of-new-pcs-using-gss-2/</guid>
		<description><![CDATA[When you have a fine Symantec Ghost Solution Suite deployment environment, deploying new computers can still be a pain. These are the steps you probably have to do: Boot with PXE boot Write down the last four digits of the MAC address Change the computer name in the Ghost Console configuration Clone the new PCs with [...]]]></description>
			<content:encoded><![CDATA[<p>When you have a fine Symantec Ghost Solution Suite deployment environment, deploying new computers can still be a pain. These are the steps you probably have to do:<br />
<span id="more-40"></span></p>
<ul>
<li>Boot with PXE boot</li>
<li>Write down the last four digits of the MAC address</li>
<li>Change the computer name in the Ghost Console configuration</li>
<li>Clone the new PCs with a configuration template (for domain membership etc.)</li>
</ul>
<p>Especially steps 2 and 3 are time consuming&#8230; This got me thinking about a solution. The easiest way would be to ask for a computer name during PXE boot and pass that name as a parameter to NGCTDOS.exe (the Ghost Console client for DOS). NGCTDOS would then deliver the computer name to the Ghost Console.</p>
<p>Nice huh? Except for one thing&#8230; there is no such parameter. I asked about this on the Symantec forum and Nigel Bree (a really great Principal Software Engineer for the Ghost Solution Suite) <a href="https://forums.symantec.com/syment/board/message?board.id=109&amp;message.id=3335">kindly replied</a> that it would be a fairly natural extension.</p>
<p>This got me thinking about other ways to get this done without pain. I came up with a solution involving ghconfig (which is part of the PXE boot image), change.com (a 19-year-old text replacing utility of 737 bytes!) and <a href="http://home.mnet-online.de/horst.muc/ui.htm">wbat</a>.exe (a dialog box utility by Horst Schaeffer).</p>
<p><img src="http://nico.berlee.nl/files/2007/04/new-pc-boot.gif" alt="Network boot, asking if it&#8217;s a new PC?" width="360" height="200" class="centered" /></p>
<p>The end result is a dialog box with mouse support, which asks for a computer name for 15 seconds. If no input is given during that period, or Cancel is pressed, the Ghost Console client behaves as a normal Ghost Console DOS client. If a computer name is entered, that computer name is set after the Ghost imaging process.</p>
<p>If you also want to speed up the deployment of your new PCs, follow these steps:</p>
<ol>
<li>Go to the Ghost Console and pick a machine configuration. <a href='http://nico.berlee.nl/files/2007/04/gss2-replacecompname.gif' title='Ghost Solution Suite 2 - Replace Computer name'><img src='http://nico.berlee.nl/files/2007/04/gss2-replacecompname.thumbnail.gif' alt='Ghost Solution Suite 2 - Replace Computer name' class='centered' /></a>Change the computer name to REPLACE (in capitals). Change the other settings to what you want on your new PCs.<br />
<a href='http://nico.berlee.nl/files/2007/04/gss2-exportcompconf.gif' title='Ghost Solution Suite 2 - Export Computer Configuration'><img src='http://nico.berlee.nl/files/2007/04/gss2-exportcompconf.thumbnail.gif' alt='Ghost Solution Suite 2 - Export Computer Configuration' class='centered' /></a><br />
Export the configuration and name the file ghregupd.reg</li>
<li>Download <a href="http://nico.berlee.nl/wp-content/uploads/ghost-console-new-pc.zip" title="Download files for in the PXE image">ghost-console-new-pc.zip</a> and unpack the zip file</li>
<li>Open the 3Com Boot Image Editor (which is part of the 3Com Boot services on the Ghost install CD)<br />
<a href='http://nico.berlee.nl/files/2007/04/3cbs-bie.gif' title='3Com Boot Image Editor'><img src='http://nico.berlee.nl/files/2007/04/3cbs-bie.thumbnail.gif' alt='3Com Boot Image Editor' class='centered' /></a><br />
Edit the .sys PXE file that was created by the Ghost Boot Wizard<br />
<a href='http://nico.berlee.nl/files/2007/04/3cbs-bie2.gif' title='Boot Image Editor'><img src='http://nico.berlee.nl/files/2007/04/3cbs-bie2.thumbnail.gif' alt='Boot Image Editor' class='centered' /></a><br />
Place the just-unpacked files (from the downloaded zip) in the root of the boot image, and put ghregupd.reg in the GHOST directory.</li>
</ol>
<p>You are done.</p>
<p>Please note that when you now deploy new PCs, they will initially appear in the New Computers folder on the Ghost Console with their MAC addresses. But after you run a successful task with the following steps:</p>
<ul>
<li>Clone</li>
<li>Execute Command in Ghost Boot Partition: ghconfig.exe /a</li>
<li>Configuration Refresh</li>
<li>(Optionally packages, but absolutely <b>not</b> Configuration!)</li>
</ul>
<p>The computer names will magically appear.</p>
<p>Please note that the Ghost Console is normally in charge of creating or resetting the computer&#8217;s domain account. This means that the new computers are probably not domain members yet. You can fix this by running a configuration task with a configuration template afterwards.</p>
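<p>An added example, not part of the original post or of the downloaded zip: the one step the boot-time dialog and change.com perform, putting the typed name into the exported ghregupd.reg in place of the REPLACE token, done in PowerShell with validation so that a typo at the PXE prompt cannot produce an invalid computer name. It assumes the template contains the literal token REPLACE as the post instructs; the function names, file paths and the sample .reg content are constructed for the example.</p>

```powershell
# Added example, not from the original post. Fills the exported ghregupd.reg
# template with a validated computer name. Assumes the template contains the
# literal token REPLACE (the post's step 1); paths and sample content are
# constructed for the example.

function Test-ComputerName {
    param([Parameter(Mandatory = $true)][string]$Name)
    # NetBIOS computer names: 1 to 15 characters. Letters, digits and hyphen are
    # the characters Windows recommends; a name made only of digits is rejected.
    if ($Name -cnotmatch '^[A-Za-z0-9-]{1,15}$') { return $false }
    if ($Name -match '^[0-9]+$')                   { return $false }
    return $true
}

function New-GhostRegFromTemplate {
    param(
        [Parameter(Mandatory = $true)][string]$TemplatePath,   # export containing REPLACE
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][string]$OutPath
    )
    if (-not (Test-ComputerName $ComputerName)) {
        throw "'$ComputerName' is not a valid computer name"
    }
    $template = [System.IO.File]::ReadAllText($TemplatePath)
    if ($template -cnotmatch 'REPLACE') {
        throw "template $TemplatePath does not contain the REPLACE token"
    }
    # Case-sensitive replacement of the token only; the name goes in upper case,
    # which is how the post has you type it into the Ghost Console.
    $upper  = $ComputerName.ToUpperInvariant()
    $filled = $template -creplace 'REPLACE', $upper
    # Registry export files are UTF-16LE; write the result the same way.
    [System.IO.File]::WriteAllText($OutPath, $filled, [System.Text.Encoding]::Unicode)
    return $OutPath
}

# Constructed sample template; the real one is the Ghost Console export.
$sample = @"
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName]
"ComputerName"="REPLACE"
"@
$templatePath = Join-Path $env:TEMP 'ghregupd.template.reg'
[System.IO.File]::WriteAllText($templatePath, $sample, [System.Text.Encoding]::Unicode)

New-GhostRegFromTemplate -TemplatePath $templatePath -ComputerName 'ws-0421' `
                         -OutPath (Join-Path $env:TEMP 'ghregupd.reg')
```

<p>The same two checks (length and character set, no all-digit names) are what you want in whatever replaces the token inside the DOS boot image, because the name entered in the dialog ends up in the registry and, after the configuration task, in the domain.</p>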
<p>Good luck!</p>
]]></content:encoded>
			<wfw:commentRss>http://nico.berlee.nl/faster-deployment-of-new-pcs-using-gss-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Force clients to choose the right Symantec Ghost Console</title>
		<link>http://nico.berlee.nl/force-clients-to-choose-the-right-symantec-ghost-console/</link>
		<comments>http://nico.berlee.nl/force-clients-to-choose-the-right-symantec-ghost-console/#comments</comments>
		<pubDate>Thu, 08 Feb 2007 21:00:13 +0000</pubDate>
		<dc:creator>Nico</dc:creator>
				<category><![CDATA[Network-/System Administration]]></category>

		<guid isPermaLink="false">http://nico.berlee.nl/force-clients-to-choose-the-right-symantec-ghost-console/</guid>
		<description><![CDATA[So, you have a great Symantec Ghost deployment solution to deploy your standardized sysprep image. At every physical (office) location you have a dedicated Ghost Console, because the Ghost Console isn&#8217;t built for concurrent multi-user access and a single Ghost Console would probably flood your backbone fiber. So here you are, [...]]]></description>
			<content:encoded><![CDATA[<p>So, you have a great Symantec Ghost deployment solution to deploy your standardized sysprep image. At every physical (office) location you have a dedicated Ghost Console, because the Ghost Console isn&#8217;t built for concurrent multi-user access and a single Ghost Console would probably flood your backbone fiber.</p>
<p><span id="more-33"></span>So here you are, faced with a problem. You only want to maintain one image, but that image contains a Ghost Console membership certificate, which means that if you deploy that image using other Ghost Consoles, clone tasks will fail, because all computers will contact the Ghost Console on which the image was created.</p>
<p>Luckily, Ghost clients can discover a console. According to the <a href="http://service1.symantec.com/SUPPORT/ghost.nsf/ppfdocs/2002101612025325">Symantec Knowledge Base</a> this works as follows:</p>
<blockquote><p>Ghost Clients find the Console using two methods. First, Method 1 is tried, and if that fails, Method 2 is attempted.</p>
<p><strong>Method 1: Multicast</strong><br />
The client sends a Multicast packet to an address and port number that the Console is expecting. All Consoles register their interest in this traffic by sending IGMP (Internet Group Management Protocol) messages. Properly configured routers and switches pass this traffic to the Console. Ensuring that the routers will pass Multicast traffic is usually all that is necessary to get this method working.</p>
<p><strong>Method 2: WINS</strong><br />
Details of this method are shown below for your interest. However, this method relies on a WINS infrastructure existing and working between the networks in question. Usually, if you can browse a computer in the remote site using My Network Places in Windows Explorer, then this method COULD work.</p></blockquote>
<p>This means that, if your routers only pass multicast traffic to the VLANs they are supposed to, it should work if you delete pubkey.crt during the Sysprep Mini-Setup of the new clients. You can do this by creating a <a href="http://support.microsoft.com/kb/238955" title="cmdlines.txt in sysprep setup">cmdlines.txt in the i386\$oem$ directory</a>. The content of cmdlines.txt could be something like this:</p>
<pre>[Commands]
"c:\windows\system32\wscript.exe c:\sysprep\InSysprep.vbs"</pre>
<p>In that same sysprep directory create a file called InSysprep.vbs with the following content:</p>
<pre>' Remove the console membership certificate, so the Ghost client
' has to discover a console again on its first boot
Set objFS = CreateObject("Scripting.FileSystemObject")
objFS.DeleteFile "C:\Program Files\Symantec\Ghost\pubkey.crt", True</pre>
<p>This deletes the membership with the console during the Sysprep Mini-Setup. Since the Ghost client service isn&#8217;t started while Mini-Setup runs, the Ghost client will search for a Ghost Console the first time Windows boots up successfully.<br />
In an ideal world this would be enough to encourage clients to pick the right console. But I assure you, when you are ghosting a lot of clients at the same time, some will fall back to the second method of server discovery&#8230; WINS&#8230;</p>
<p>So what can we do about that? Well, the answer is simple: use a firewall. If you have the luxury of layer 4 routers, use them to block <a href="http://service1.symantec.com/SUPPORT/ghost.nsf/ppfdocs/2002101612025325" title="Symantec Knowledge base">Ghost client traffic (NOTE: ports 1346 and 1347 are switched in stages 2 and 3)</a> between VLANs and the Ghost Consoles they should not reach.</p>
<p>If not, please don&#8217;t download the first personal firewall you can find! Use the tools built into Windows. IPsec has been built into Windows since Windows 2000. The interface is a bit over-complicated, so I will use ipseccmd to show you how to allow only Ghost clients that are on subnets you define. Ipseccmd is part of the Support Tools that can be downloaded from Microsoft:</p>
<ul>
<li><a href="http://www.microsoft.com/downloads/details.aspx?familyid=49AE8576-9BB9-4126-9761-BA8011FABF38&amp;displaylang=en">Windows XP SP2 Support Tools</a></li>
<li><a href="http://www.microsoft.com/downloads/details.aspx?familyid=6EC50B78-8BE1-4E81-B3BE-4E7AC4F0912D&amp;displaylang=en">Windows 2003 SP1 Support Tools</a></li>
<li><a href="http://www.microsoft.com/windows2000/downloads/servicepacks/sp4/supporttools.mspx">Windows 2000 Support Tools</a></li>
</ul>
<p>Run the following commands on your Ghost Consoles after you have installed the Support Tools (or extracted ipseccmd.exe from them):</p>
<pre>ipseccmd.exe -w REG -p "Ghost Console Clients" -r "Block all Ghost Clients on non defined subnets" -f *=0:1345:UDP -f *+0:1347:UDP -f *+0:1347:TCP -n BLOCK -lan
ipseccmd.exe -w REG -p "Ghost Console Clients" -r "Allowed Ghost Clients based on a subnet" -f 10.1.0.0/255.255.0.0=0:1345:UDP -f 10.1.0.0/255.255.0.0+0:1347:UDP -f 10.1.0.0/255.255.0.0+0:1347:TCP -n PASS -lan
ipseccmd.exe -w REG -p "Ghost Console Clients" -x</pre>
<p>The first ipseccmd line blocks all Ghost client traffic to the console. The second line needs to be repeated for every subnet you want to allow; in this example only clients in the subnet 10.1.0.0/255.255.0.0 are allowed to connect to that Ghost Console, so replace it with your own subnets. The last line tells IPsec to activate the policy. In the filter syntax, * is any address and 0 is the console&#8217;s own address; = creates a one-way (inbound) filter, while + creates a mirrored filter that also matches the reply direction. Because IPsec applies the most specific matching filter, the PASS rule for a subnet wins over the BLOCK rule for *.</p>
<p>If you screwed up, you can always run:</p>
<pre>ipseccmd.exe -w REG -p "Ghost Console Clients" -o -y</pre>
<p>To clear and disable the IPSec rules.</p>
<p>If clients on the same subnet as the console are also not supposed to connect to that Ghost Console, the first and second lines are different, because they also have to block multicast discovery (a mirrored filter on 1345/UDP instead of a one-way one):</p>
<pre>ipseccmd.exe -w REG -p "Ghost Console Clients" -r "Block all Ghost Clients on non defined subnets" -f *+0:1345:UDP -f *+0:1347:UDP -f *+0:1347:TCP -n BLOCK -lan
ipseccmd.exe -w REG -p "Ghost Console Clients" -r "Allowed Ghost Clients based on a subnet" -f 10.1.0.0/255.255.0.0+0:1345:UDP -f 10.1.0.0/255.255.0.0+0:1347:UDP -f 10.1.0.0/255.255.0.0+0:1347:TCP -n PASS -lan</pre>
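<p>An added example, not from the original post: the same subnet allow-list for a Ghost Console that runs on a Windows version with Windows Firewall with Advanced Security (Vista / Server 2008 and later), where ipseccmd.exe no longer exists. The ports are the ones the ipseccmd rules above use; the allowed subnets and the rule group name are placeholders.</p>

```powershell
# Added example, not from the original post. Subnet allow-list for the Ghost
# Console ports using the NetSecurity cmdlets (Windows 8 / Server 2012 and later
# PowerShell). Ports taken from the post's ipseccmd rules; subnets are placeholders.
$AllowedSubnets = @('10.1.0.0/16', '10.2.0.0/16')   # one entry per site this console serves
$Group          = 'Ghost Console Clients'

# IPsec policy filters pick the most specific match, which is why the post can pair
# BLOCK for * with PASS for a subnet. Windows Firewall is different: a Block rule
# always wins over an Allow rule, so that pair cannot be written as two rules. The
# equivalent is the profile's default inbound action Block plus scoped Allow rules.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# Remove rules from a previous run so the script is idempotent.
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

$ports = @(
    @{ Protocol = 'UDP'; Port = 1345 },   # the port the post mirrors to stop multicast discovery
    @{ Protocol = 'UDP'; Port = 1347 },
    @{ Protocol = 'TCP'; Port = 1347 }
)
foreach ($p in $ports) {
    New-NetFirewallRule -DisplayName "Ghost client $($p.Protocol)/$($p.Port) from allowed subnets" `
        -Group $Group -Direction Inbound -Action Allow -Profile Any `
        -Protocol $p.Protocol -LocalPort $p.Port -RemoteAddress $AllowedSubnets | Out-Null
}

# Check: each rule and the remote address scope it applies to.
Get-NetFirewallRule -Group $Group | ForEach-Object {
    $_.DisplayName
    ($_ | Get-NetFirewallAddressFilter).RemoteAddress
}
```

<p>Because the default inbound action drops everything not explicitly allowed, this already covers the post's second case: discovery packets from clients on the console's own subnet are dropped too unless that subnet is in the list. The default-block also applies to every other inbound service on the console, so add Allow rules for anything else it must serve before running this on a production box.</p>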
<p>Good luck!</p>
]]></content:encoded>
			<wfw:commentRss>http://nico.berlee.nl/force-clients-to-choose-the-right-symantec-ghost-console/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Symantec Ghost Console networkcard detection update</title>
		<link>http://nico.berlee.nl/symantec-ghost-console-networkcard-detection-update/</link>
		<comments>http://nico.berlee.nl/symantec-ghost-console-networkcard-detection-update/#comments</comments>
		<pubDate>Sun, 21 Jan 2007 22:21:39 +0000</pubDate>
		<dc:creator>Nico</dc:creator>
				<category><![CDATA[Network-/System Administration]]></category>
		<category><![CDATA[broadcom]]></category>
		<category><![CDATA[Ghost]]></category>
		<category><![CDATA[intel]]></category>
		<category><![CDATA[networkcard]]></category>
		<category><![CDATA[Symantec]]></category>
		<category><![CDATA[windows]]></category>

		<guid isPermaLink="false">http://nico.berlee.nl/symantec-ghost-console-networkcard-detection-update/</guid>
		<description><![CDATA[When you install new computers in your corporate network with Symantec Ghost, choosing the right DOS network card template can be a pain if you haven&#8217;t updated the drivers that Ghost uses for booting into DOS from the virtual partition. Major network chip vendors like Broadcom or Intel release a new chip model every 2 months [...]]]></description>
			<content:encoded><![CDATA[<p>When you install new computers in your corporate network with Symantec Ghost, choosing the right DOS network card template can be a pain if you haven&#8217;t updated the drivers that Ghost uses for booting into DOS from the virtual partition. Major network chip vendors like Broadcom or Intel release a new chip model, along with a driver update, every two months&#8230;<span id="more-32"></span></p>
<p>So you finally downloaded, unpacked and updated your <a href="http://www.broadcom.com/support/ethernet_nic/driver-sla.php?driver=570x-DOSNDIS2" title="Download DOS NDIS2 driver">Broadcom BCM57xx</a> or <a href="http://downloadfinder.intel.com/scripts-df-external/license_agr.aspx?url=/4239/eng/PRODOS.exe&amp;ProductID=62&amp;agr=Y&amp;sType=&amp;PrdMap=&amp;DwnldId=4239&amp;strOSs=All&amp;OSFullName=All+Operating+Systems&amp;lang=eng" title="Download DOS NDIS2 drivers">Intel Pro 100/1000</a> NDIS2 drivers using the <a href="http://service1.symantec.com/SUPPORT/ghost.nsf/docid/2000011211551725" title="Symantec Ghost Knowledge base on how to update/add/modify networkcard templates">Ghost Boot Wizard</a>, but Ghost doesn&#8217;t suggest / auto-select your freshly updated drivers like it does with the ones it ships with! What&#8217;s that all about?</p>
<p>In order to detect network cards, Symantec Ghost needs to know the PCI device IDs on a per-driver basis. PCI device IDs are normally stored in the .inf files packed with the drivers; those .inf files tell Windows which devices the drivers are for and how to install them. I have extracted the PCI device IDs from the .inf files and formatted them into the Ghost file format.</p>
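<p>An added example, not from the original post: a script that derives the PCI-TAG lines from a driver&#8217;s .inf file, the way the lists below were produced by hand, so the same can be done for the next driver release. The .inf fragment is constructed for the example in the usual Windows INF layout (a models section listing PCI\VEN_xxxx&amp;DEV_xxxx hardware IDs, display names in [Strings]); the function name is mine, and the real input is the .inf from the driver package you installed.</p>

```powershell
# Added example, not from the original post. Reads an .inf, collects every
# PCI\VEN_xxxx&DEV_xxxx hardware ID together with its resolved device name, and
# prints them in the PCI-TAG line format of mcassist.cfg shown in the post.

function Get-PciTagsFromInf {
    param([Parameter(Mandatory = $true)][string[]]$InfLines)

    $strings = @{}    # [Strings] token -> display name
    $tags    = @{}    # "vvvv DDDD"   -> name or %token%
    $section = ''
    foreach ($raw in $InfLines) {
        $line = ($raw -split ';', 2)[0].Trim()          # strip comments and blank lines
        if (-not $line) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -ieq 'Strings' -and $line -match '^([^=]+?)\s*=\s*"?(.*?)"?\s*$') {
            $strings[$Matches[1]] = $Matches[2]
            continue
        }
        # Model line: %DescToken% = InstallSection, PCI\VEN_8086&DEV_1029[&SUBSYS_...]
        if ($line -match '^%([^%]+)%\s*=\s*[^,]+,\s*PCI\\VEN_([0-9A-Fa-f]{4})&DEV_([0-9A-Fa-f]{4})') {
            # Vendor in lower case, device in upper case, as in the post's lists.
            $key = "$($Matches[2].ToLower()) $($Matches[3].ToUpper())"
            if (-not $tags.ContainsKey($key)) { $tags[$key] = $Matches[1] }   # first name wins
        }
    }
    # Resolve %token% names through [Strings] and emit one PCI-TAG line per device ID.
    $out = foreach ($k in ($tags.Keys | Sort-Object)) {
        $token = $tags[$k]
        $name  = if ($strings.ContainsKey($token)) { $strings[$token] } else { $token }
        "PCI-TAG = $k : $name`$"
    }
    return ,@($out)
}

# Constructed sample .inf with three IDs that also appear in the post's Intel list.
$sampleInf = @'
[Version]
Signature="$Windows NT$"

[Intel.Models]
%E1029NC.DeviceDesc% = E1029, PCI\VEN_8086&DEV_1029
%E1031NC.DeviceDesc% = E1031, PCI\VEN_8086&DEV_1031&SUBSYS_00000000
%E1229NC.DeviceDesc% = E1229, PCI\VEN_8086&DEV_1229   ; same ID again below, emitted once
%E1229NC.DeviceDesc% = E1229, PCI\VEN_8086&DEV_1229&SUBSYS_00011179

[Strings]
E1029NC.DeviceDesc = "Intel(R) PRO/100 M Mobile Connection"
E1031NC.DeviceDesc = "Intel(R) PRO/100 VE Network Connection"
E1229NC.DeviceDesc = "Intel(R) 82557 Based Adapter"
'@

Get-PciTagsFromInf -InfLines ($sampleInf -split "`r?`n")
# Real use: Get-PciTagsFromInf -InfLines (Get-Content 'C:\drivers\PRODOS\e100b.inf')
```

<p>Paste the output over the PCI-TAG block in the template&#8217;s mcassist.cfg. The script keeps the first name it sees for an ID that appears more than once, which is why the hand-made lists below contain a few near-duplicate entries that a generated list would not.</p>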
<p>If you updated the BCM57XX driver, go to the directory C:\Documents And Settings\All Users\Application Data\Symantec\Ghost\Template\BCM57XX (some directories might be hidden), or if you added a template, replace the last directory with the name of the template you added.</p>
<p>Edit mcassist.cfg and replace all the PCI-TAG lines with the following lines (these are based on the Broadcom BCM57XX 9.81 driver):</p>
<pre>PCI-TAG = 14e4 1600 : Broadcom BCM5750A1$
PCI-TAG = 14e4 1601 : Broadcom BCM5750A1M$
PCI-TAG = 14e4 1644 : Broadcom BCM5700$
PCI-TAG = 14e4 1645 : Broadcom BCM5701$
PCI-TAG = 14e4 1646 : Broadcom BCM5702$
PCI-TAG = 14e4 1647 : Broadcom BCM5703$
PCI-TAG = 14e4 1648 : Broadcom BCM5704$
PCI-TAG = 14e4 1653 : Broadcom BCM5705$
PCI-TAG = 14e4 1654 : Broadcom BCM5705A2$
PCI-TAG = 14e4 1658 : Broadcom BCM5750$
PCI-TAG = 14e4 1659 : Broadcom BCM5750A1$
PCI-TAG = 14e4 165D : Broadcom BCM5705M$
PCI-TAG = 14e4 165E : Broadcom BCM5705MA2$
PCI-TAG = 14e4 1668 : Broadcom BCM5714$
PCI-TAG = 14e4 1669 : Broadcom BCM5714S$
PCI-TAG = 14e4 166A : Broadcom BCM5780$
PCI-TAG = 14e4 166B : Broadcom BCM5714S$
PCI-TAG = 14e4 166e : Broadcom BCM5705F$
PCI-TAG = 14e4 1672 : Broadcom BCM5750A1M$
PCI-TAG = 14e4 1673 : Broadcom BCM5750A1DMOBILE$
PCI-TAG = 14e4 1676 : Broadcom BCM5750$
PCI-TAG = 14e4 1677 : Broadcom BCM5750A1$
PCI-TAG = 14e4 1677 : Broadcom BCM5750$
PCI-TAG = 14e4 1678 : Broadcom BCM5714$
PCI-TAG = 14e4 1679 : Broadcom BCM5714S$
PCI-TAG = 14e4 167A : Broadcom BCM5750A1$
PCI-TAG = 14e4 167B : Broadcom BCM5750A1$
PCI-TAG = 14e4 167C : Broadcom BCM5750A1$
PCI-TAG = 14e4 167D : Broadcom BCM5750$
PCI-TAG = 14e4 167E : Broadcom BCM5750A1F$
PCI-TAG = 14e4 167F : Broadcom BCM5750A1F$
PCI-TAG = 14e4 1693 : Broadcom BCM5750A1M$
PCI-TAG = 14e4 1696 : Broadcom BCM5705A2$
PCI-TAG = 14e4 169A : Broadcom BCM5750A1$
PCI-TAG = 14e4 169B : Broadcom BCM5750A1$
PCI-TAG = 14e4 169c : Broadcom BCM5788$
PCI-TAG = 14e4 169d : Broadcom BCM5789$
PCI-TAG = 14e4 16a6 : Broadcom BCM5702$
PCI-TAG = 14e4 16a7 : Broadcom BCM5703$
PCI-TAG = 14e4 16A8 : Broadcom BCM5704S$
PCI-TAG = 14e4 16C6 : Broadcom BCM5702$
PCI-TAG = 14e4 16C7 : Broadcom BCM5703$
PCI-TAG = 14e4 16DD : Broadcom BCM5789$
PCI-TAG = 14e4 16F7 : Broadcom BCM5750A1$
PCI-TAG = 14e4 16FD : Broadcom BCM5750A1M$
PCI-TAG = 14e4 16FF : Broadcom BCM5750B0M$
PCI-TAG = 14e4 170D : Broadcom BCM5901$
PCI-TAG = 14e4 170E : Broadcom BCM5901$</pre>
<p>If you updated the Intel Pro 100 driver, go to the directory C:\Documents And Settings\All Users\Application Data\Symantec\Ghost\Template\Intel Pro 100 (some directories might be hidden), or if you added a template, replace the last directory with the name of the template you added.</p>
<p>Edit mcassist.cfg and replace all the PCI-TAG lines with the following lines (these are based on the Intel Prodos 11.2 driver):</p>
<pre>PCI-TAG = 8086 1037 : Intel(R) PRO/100 Adapter$
PCI-TAG = 8086 103C : Intel(R) PRO/100 Adapter$
PCI-TAG = 8086 103D : Intel(R) PRO/100 Adapter$
PCI-TAG = 8086 103E : Intel(R) PRO/100 Adapter$
PCI-TAG = 8086 2459 : Intel(R) PRO/100 Adapter$
PCI-TAG = 8086 245D : Intel(R) PRO/100 Adapter$
PCI-TAG = 8086 1059 : Intel(R) PRO/100 Adapter$
PCI-TAG = 8086 1050 : Intel(R) PRO/100 Adapter$
PCI-TAG = 8086 1051 : Intel(R) PRO/100 Adapter$
PCI-TAG = 8086 1052 : Intel(R) PRO/100 Adapter$
PCI-TAG = 8086 1053 : Intel(R) PRO/100 Adapter$
PCI-TAG = 8086 1054 : Intel(R) PRO/100 Adapter$
PCI-TAG = 8086 1055 : Intel(R) PRO/100 Adapter$
PCI-TAG = 8086 1056 : Intel(R) PRO/100 Adapter$
PCI-TAG = 8086 1057 : Intel(R) PRO/100 Adapter$
PCI-TAG = 8086 1064 : Intel(R) PRO/100 Adapter$
PCI-TAG = 8086 1065 : Intel(R) PRO/100 Adapter$
PCI-TAG = 8086 1066 : Intel(R) PRO/100 Adapter$
PCI-TAG = 8086 1067 : Intel(R) PRO/100 Adapter$
PCI-TAG = 8086 1068 : Intel(R) PRO/100 Adapter$
PCI-TAG = 8086 1069 : Intel(R) PRO/100 Adapter$
PCI-TAG = 8086 106A : Intel(R) PRO/100 Adapter$
PCI-TAG = 8086 106B : Intel(R) PRO/100 Adapter$
PCI-TAG = 8086 27DC : Intel(R) PRO/100 Adapter$
PCI-TAG = 8086 1091 : Intel(R) PRO/100 Adapter$
PCI-TAG = 8086 1092 : Intel(R) PRO/100 Adapter$
PCI-TAG = 8086 1093 : Intel(R) PRO/100 Adapter$
PCI-TAG = 8086 1094 : Intel(R) PRO/100 Adapter$
PCI-TAG = 8086 1095 : Intel(R) PRO/100 Adapter$
PCI-TAG = 8086 1029 : Intel(R) PRO/100 M Mobile Connection$
PCI-TAG = 8086 1059 : Intel(R) PRO/100 M Mobile Connection$
PCI-TAG = 8086 1031 : Intel(R) PRO/100 VE Network Connection$
PCI-TAG = 8086 1032 : Intel(R) PRO/100 VE Network Connection$
PCI-TAG = 8086 1033 : Intel(R) PRO/100 VE Network Connection$
PCI-TAG = 8086 1034 : Intel(R) PRO/100 VE Network Connection$
PCI-TAG = 8086 1035 : Intel(R) PRO/100 VE Network Connection$
PCI-TAG = 8086 1036 : Intel(R) PRO/100 VE Network Connection$
PCI-TAG = 8086 1038 : Intel(R) PRO/100 VE Network Connection$
PCI-TAG = 8086 1039 : Intel(R) PRO/100 VE Network Connection$
PCI-TAG = 8086 103A : Intel(R) PRO/100 VE Network Connection$
PCI-TAG = 8086 103B : Intel(R) PRO/100 VM Network Connection$
PCI-TAG = 8086 1229 : Intel(R) 82557 Based Adapter$
PCI-TAG = 8086 2449 : Intel(R) PRO/100E Adapter$</pre>
<p>If you updated the Intel Pro 1000 driver, go to the directory C:\Documents And Settings\All Users\Application Data\Symantec\Ghost\Template\Intel Pro 1000 (some directories might be hidden), or if you added a template, replace the last directory with the name of the template you added.</p>
<p>Edit mcassist.cfg and replace all the PCI-TAG lines with the following lines (these are based on the Intel Prodos 11.2 driver):</p>
<pre>PCI-TAG = 8086 1000 : Intel Pro 1000$
PCI-TAG = 8086 1001 : Intel Pro 1000$
PCI-TAG = 8086 1004 : Intel Pro 1000$
PCI-TAG = 8086 1008 : Intel Pro 1000$
PCI-TAG = 8086 1009 : Intel Pro 1000$
PCI-TAG = 8086 100C : Intel Pro 1000$
PCI-TAG = 8086 100D : Intel Pro 1000$
PCI-TAG = 8086 100E : Intel Pro 1000$
PCI-TAG = 8086 100F : Intel Pro 1000$
PCI-TAG = 8086 1010 : Intel Pro 1000$
PCI-TAG = 8086 1011 : Intel Pro 1000$
PCI-TAG = 8086 1012 : Intel Pro 1000$
PCI-TAG = 8086 1013 : Intel Pro 1000$
PCI-TAG = 8086 1015 : Intel Pro 1000$
PCI-TAG = 8086 1016 : Intel Pro 1000$
PCI-TAG = 8086 1017 : Intel Pro 1000$
PCI-TAG = 8086 1018 : Intel Pro 1000$
PCI-TAG = 8086 1019 : Intel Pro 1000$
PCI-TAG = 8086 101D : Intel Pro 1000$
PCI-TAG = 8086 101E : Intel Pro 1000$
PCI-TAG = 8086 1026 : Intel Pro 1000$
PCI-TAG = 8086 1027 : Intel Pro 1000$
PCI-TAG = 8086 1028 : Intel Pro 1000$
PCI-TAG = 8086 1049 : Intel Pro 1000$
PCI-TAG = 8086 104A : Intel Pro 1000$
PCI-TAG = 8086 104B : Intel Pro 1000$
PCI-TAG = 8086 104C : Intel Pro 1000$
PCI-TAG = 8086 104D : Intel Pro 1000$
PCI-TAG = 8086 105E : Intel Pro 1000$
PCI-TAG = 8086 105F : Intel Pro 1000$
PCI-TAG = 8086 1060 : Intel Pro 1000$
PCI-TAG = 8086 1075 : Intel Pro 1000$
PCI-TAG = 8086 1076 : Intel Pro 1000$
PCI-TAG = 8086 1077 : Intel Pro 1000$
PCI-TAG = 8086 1078 : Intel Pro 1000$
PCI-TAG = 8086 1079 : Intel Pro 1000$
PCI-TAG = 8086 107A : Intel Pro 1000$
PCI-TAG = 8086 107B : Intel Pro 1000$
PCI-TAG = 8086 107C : Intel Pro 1000$
PCI-TAG = 8086 107D : Intel Pro 1000$
PCI-TAG = 8086 107E : Intel Pro 1000$
PCI-TAG = 8086 107F : Intel Pro 1000$
PCI-TAG = 8086 108A : Intel Pro 1000$
PCI-TAG = 8086 108B : Intel Pro 1000$
PCI-TAG = 8086 108C : Intel Pro 1000$
PCI-TAG = 8086 1097 : Intel Pro 1000$
PCI-TAG = 8086 1098 : Intel Pro 1000$
PCI-TAG = 8086 109A : Intel Pro 1000$
PCI-TAG = 8086 10A4 : Intel Pro 1000$
PCI-TAG = 8086 10B5 : Intel Pro 1000$
PCI-TAG = 8086 10B9 : Intel Pro 1000$
PCI-TAG = 8086 10BA : Intel Pro 1000$
PCI-TAG = 8086 10BB : Intel Pro 1000$
PCI-TAG = 8086 10BC : Intel Pro 1000$
PCI-TAG = 8086 10C4 : Intel Pro 1000$
PCI-TAG = 8086 10C5 : Intel Pro 1000$</pre>
<p>After you are done editing the files, restart the Ghost Console. Now your Intel or Broadcom chip-based network cards are recognized again!</p>
]]></content:encoded>
			<wfw:commentRss>http://nico.berlee.nl/symantec-ghost-console-networkcard-detection-update/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Using the Security Configuration Wizard to Harden the ISA Firewall without breaking VPN</title>
		<link>http://nico.berlee.nl/using-the-security-configuration-wizard-to-harden-the-isa-firewall-without-breaking-vpn/</link>
		<comments>http://nico.berlee.nl/using-the-security-configuration-wizard-to-harden-the-isa-firewall-without-breaking-vpn/#comments</comments>
		<pubDate>Wed, 14 Jun 2006 18:42:55 +0000</pubDate>
		<dc:creator>Nico</dc:creator>
				<category><![CDATA[Network-/System Administration]]></category>
		<category><![CDATA[authentication]]></category>
		<category><![CDATA[hardening-Windows]]></category>
		<category><![CDATA[ISA-Configuration]]></category>
		<category><![CDATA[ISA-Firewall]]></category>
		<category><![CDATA[Security-Configuration-Wizard]]></category>
		<category><![CDATA[VPN]]></category>
		<category><![CDATA[Windows-2003]]></category>
		<category><![CDATA[Windows-server]]></category>

		<guid isPermaLink="false">http://nico.berlee.nl/using-the-security-configuration-wizard-to-harden-the-isa-firewall-without-breakingvpn/</guid>
		<description><![CDATA[You may have already read Using the Windows Server 2003 Security Configuration Wizard to Harden the ISA Firewall and now your VPN is broken&#8230; I don&#8217;t want to criticize Dr. Shinder a lot, because isaserver.org is a great resource when you want to set up an ISA server and you are not so experienced in configuring [...]]]></description>
			<content:encoded><![CDATA[<p>You may have already read <a href="http://www.isaserver.org/tutorials/Windows-Server-2003-Security-Configuration-Wizard-Harden-ISA-Firewall.html">Using the Windows Server 2003 Security Configuration Wizard to Harden the ISA Firewall</a> and now your VPN is broken&#8230;<br />
I don&#8217;t want to criticize Dr. Shinder a lot, because isaserver.org is a great resource when you want to set up an ISA server and you are not so experienced in configuring firewalls&#8230; but this remark frankly stunned me. His article about hardening Windows 2003 on an ISA 2004 box with the Security Configuration Wizard is just full of errors.<span id="more-52"></span></p>
<p>Furthermore, this was Tom Shinder&#8217;s response when users had problems with VPN after applying the tutorial to their production environment:</p>
<blockquote><p>LOL!</p>
<p>Now you know why I usually don&#8217;t waste time &#8220;hardening&#8221; the ISA firewall. It really doesn&#8217;t need it if you correctly configure firewall and System Policy. But there is some kind of psychological mollification that takes place when people &#8220;harden&#8221; the box, so I let them knock themselves out going to town on their system hardening</p></blockquote>
<p>Ouch. Hardening is more than betting on <strong>one</strong> horse.</p>
<p>SCW is a great tool in addition to the other ways of hardening your ISA server, and any production ISA configuration can be made more secure with the Security Configuration Wizard, because:</p>
<ul>
<li>Disabling unneeded services saves resources (and fewer Windows updates will matter for the box)</li>
<li>You can define which authentication protocols Windows Server uses</li>
<li>Services that are not running cannot be attacked if the ISA services stop for any reason</li>
</ul>
<p>Please keep the following things in mind when running SCW on an ISA 2004 server with a VPN configuration:</p>
<p><a href="http://nico.berlee.nl/wp-content/uploads/scwisa/1.jpg"><img width="360" src="http://nico.berlee.nl/wp-content/uploads/scwisa/1.jpg" alt="screenshot" /></a><br />
Make sure that "Remote access/VPN server" is selected</p>
<p><a href="http://nico.berlee.nl/wp-content/uploads/scwisa/2.jpg"><img width="360" src="http://nico.berlee.nl/wp-content/uploads/scwisa/2.jpg" alt="screenshot" /></a><br />
If you authenticate users against Active Directory, I advise you to enable DNS Client, DNS Registration Client and Microsoft Network Client</p>
<p><a href="http://nico.berlee.nl/wp-content/uploads/scwisa/3.jpg"><img width="360" src="http://nico.berlee.nl/wp-content/uploads/scwisa/3.jpg" alt="screenshot" /></a><br />
If you are using L2TP, please enable the IPsec service! (This is NOT enabled by default by SCW.) When you are configuring authentication, please take the following into consideration…</p>
<p><a href="http://nico.berlee.nl/wp-content/uploads/scwisa/8.jpg"><img width="360" src="http://nico.berlee.nl/wp-content/uploads/scwisa/8.jpg" alt="screenshot" /></a><br />
Please select both if you value the security of your server <img src='http://nico.berlee.nl/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
<p><a href="http://nico.berlee.nl/wp-content/uploads/scwisa/9.jpg"><img width="360" src="http://nico.berlee.nl/wp-content/uploads/scwisa/9.jpg" alt="screenshot" /></a><br />
Although, for some reason, VPN will authenticate users against the domain even without this setting, it is safe to set it</p>
<p><a href="http://nico.berlee.nl/wp-content/uploads/scwisa/10.jpg"><img width="360" src="http://nico.berlee.nl/wp-content/uploads/scwisa/10.jpg" alt="screenshot" /></a><br />
Please select "clocks are synchronized", because this lets Kerberos work a bit better</p>
<p><a href="http://nico.berlee.nl/wp-content/uploads/scwisa/11.jpg"><img width="360" src="http://nico.berlee.nl/wp-content/uploads/scwisa/11.jpg" alt="screenshot" /></a><br />
In this screenshot I've disabled the use of LM hashes (which is a very good thing). Furthermore, I've set NTLMv2 as the default, and set NTLMv1 as the fallback if NTLMv2 cannot be used.</p>
<p>The authentication protocol used by RRAS is MS-CHAP (v2). Because MS-CHAP (v2) by design authenticates against Active Directory with NTLMv1, you cannot disable NTLMv1 here. The only way to do so is by applying the following hotfix: <a href="http://support.microsoft.com/default.aspx?scid=kb;en-us;893318" title="Microsoft knowledge base article">KB893318</a>. I haven't tested it, but with this hotfix you can uncheck the second checkbox as well.</p>
<p>I am sorry for the Dutch screenshots and the poor quality… But I hope you have a working VPN configuration after you have played with SCW.</p>
]]></content:encoded>
			<wfw:commentRss>http://nico.berlee.nl/using-the-security-configuration-wizard-to-harden-the-isa-firewall-without-breaking-vpn/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Sync User Folders 1.0 (with AD OUs / Groups)</title>
		<link>http://nico.berlee.nl/sync-user-folders-10-with-ad-ous-groups/</link>
		<comments>http://nico.berlee.nl/sync-user-folders-10-with-ad-ous-groups/#comments</comments>
		<pubDate>Mon, 08 May 2006 21:23:12 +0000</pubDate>
		<dc:creator>Nico</dc:creator>
				<category><![CDATA[Network-/System Administration]]></category>
		<category><![CDATA[VBScript]]></category>
		<category><![CDATA[Active-Directory]]></category>
		<category><![CDATA[cacls]]></category>
		<category><![CDATA[rights]]></category>
		<category><![CDATA[shares]]></category>
		<category><![CDATA[Windows-2003]]></category>
		<category><![CDATA[Windows-server]]></category>

		<guid isPermaLink="false">http://nico.berlee.nl/sync-user-folders-10-with-ad-ous-groups/</guid>
		<description><![CDATA[NOTE: 1.0 relies on MSXML6. I didn&#8217;t notice that because I install the Security Configuration Wizard by default on 2003 servers, which contains MSXML6. The dependency will be fixed in 1.1. SyncUserFolders can automatically create (new) user folders (sets rights, creates shares, and can execute a script on creation). Furthermore, SyncUserFolders can automatically archive user folders [...]]]></description>
			<content:encoded><![CDATA[<p>NOTE: 1.0 relies on <a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=993c0bcf-3bcf-4009-be21-27e85e1857b1&amp;DisplayLang=en">MSXML6</a>. I didn&#8217;t notice that because I install the Security Configuration Wizard by default on 2003 servers, which contains MSXML6.<br />
The dependency will be fixed in 1.1.</p>
<p>SyncUserFolders can automatically create (new) user folders (sets rights, creates shares, and can execute a script on creation). Furthermore, SyncUserFolders can automatically archive user folders when a user is deleted. All at lightning speed&#8230;<span id="more-51"></span><br />
Because SyncUserFolders is fully configurable through a single XML file, it only takes a few minutes to set it up, and you never have to worry again about creating user folders or archiving the folders of deleted users. Anyone with a little bit of IT knowledge only has to look at the examples and the comments in the XML files and adjust them to whatever fits their needs.</p>
<p>Please try it, I&#8217;ve spent a long time perfecting it and making it more and more robust.</p>
<p><a href="/wp-content/uploads/SyncUserFolders-1.0.zip">Download</a> (15kb)</p>
]]></content:encoded>
			<wfw:commentRss>http://nico.berlee.nl/sync-user-folders-10-with-ad-ous-groups/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Yet another LogonScript</title>
		<link>http://nico.berlee.nl/yet-another-logonscript/</link>
		<comments>http://nico.berlee.nl/yet-another-logonscript/#comments</comments>
		<pubDate>Mon, 05 Sep 2005 00:27:13 +0000</pubDate>
		<dc:creator>Nico</dc:creator>
				<category><![CDATA[Network-/System Administration]]></category>
		<category><![CDATA[VBScript]]></category>
		<category><![CDATA[JavaScript]]></category>
		<category><![CDATA[logon-script]]></category>
		<category><![CDATA[scripting]]></category>

		<guid isPermaLink="false">http://nico.berlee.nl/yet-anotherlogonscript/</guid>
		<description><![CDATA[Yet another LogonScript (YaLS) is a situation-independent logon script. Everything is possible without scripting. YaLS processes all the information from Active Directory related to the user and the logged-on computer. This saves the administrator some nasty scripting work and leaves the user with a nice skin and a fast and solid working login script. To [...]]]></description>
			<content:encoded><![CDATA[<p>Yet another LogonScript (YaLS) is a situation-independent logon script. Everything is possible without scripting. YaLS processes all the information from Active Directory related to the user and the logged-on computer. This saves the administrator some nasty scripting work and leaves the user with a nice skin and a fast and solid working login script. To see the possibilities of this logon script, look at: <a href="http://www.logonscript.org/features.php">http://www.logonscript.org/features</a></p>
]]></content:encoded>
			<wfw:commentRss>http://nico.berlee.nl/yet-another-logonscript/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Remove Novell Netware Client</title>
		<link>http://nico.berlee.nl/remove-novell-netware-client/</link>
		<comments>http://nico.berlee.nl/remove-novell-netware-client/#comments</comments>
		<pubDate>Sat, 26 Feb 2005 17:21:28 +0000</pubDate>
		<dc:creator>Nico</dc:creator>
				<category><![CDATA[Network-/System Administration]]></category>
		<category><![CDATA[VBScript]]></category>

		<guid isPermaLink="false">http://nico.berlee.nl/remove-novell-netwareclient/</guid>
		<description><![CDATA[When you migrate a Novell Netware client to an Active Directory domain it is always a difficult task to successfully uninstall an older Netware Client version. I did such a migration and I used this VBScript, which I found on a newsgroup. This VBScript uninstalls the Netware Client without any complaints. I modified the script [...]]]></description>
			<content:encoded><![CDATA[<p>When you migrate a Novell Netware client to an Active Directory domain it is always a difficult task to successfully uninstall an older Netware Client version.</p>
<p><span id="more-10"></span></p>
<p>I did such a migration and I used this VBScript, which I found on a newsgroup. This VBScript uninstalls the Netware Client without any complaints. I modified the script so it works on Windows 2000 and Windows XP, and it works well for versions 4.83 and 4.9 of the Novell Netware Client.</p>
<p>You can download the zip file <a href="http://nico.berlee.nl/wp-content/uploads/Remove%20Netware%20Client.zip">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://nico.berlee.nl/remove-novell-netware-client/feed/</wfw:commentRss>
		<slash:comments>14</slash:comments>
		</item>
	</channel>
</rss>

