Feb 08

FSRM Quotas aus ‘quota list’ auslesen und importieren

Scripts No Comments »

Untenstehendes Script baut aus einem quotalist.txt File ein bat File zusammen, welches danach auf einem 2003 oder 2008 Fileserver importiert, resp. ausgeführt werden kann. Es werden Templates, individuelle Quotas und Limits gesetzt. Weiter Anpassungen können entsprechend vorgenommen werden.

Als erstes muss das quotalist.txt File generiert werden. Dies erfolgt über dirquota

dirquota quota list > c:\qutalist.txt

Das vbs liest nun die entsprechenden Werte aus dem Textfile aus und baut ein entsprechendes bat File auf.

Set fs=CreateObject("Scripting.FileSystemObject")
Set f=fs.OpenTextFile("C:\quotalist.txt", 1)
set ft=fs.CreateTextFile("C\createQuotas.bat",true)
 
do while f.AtEndOfStream = false
   textline = f.ReadLine
   if InStr(textline,"Quota Path:") then
      QuotaPath = Split(textline)
   end if
   if inStr(textline, "Source Template:") then
      SourceTemplate = Split(textline)
   end if
   if inStr(textline, "Limit:") then
      Limit = Split(textline)
      splitLimit = split(Limit(18), ".")
      ft.WriteLine("dirquota quota add /Path:" & QuotaPath(14) & " /SourceTemplate:""" & sourceTemplate(9) & """ /Limit:" & splitLimit(0) + LCase(Limit(19)) & " /Type:Hard")
   end if
loop
 
f.Close
Set f=Nothing
Set fs=Nothing


Sep 21

IIS/FTP status code descriptions

Security, Windows 1 Comment »

Log File Locations


By default, IIS puts its log files in the following location:

%WINDIR%\System32\Logfiles

This directory contains separate directories for each World Wide Web (WWW) and FTP site. By default, logs are created in the directories daily and are named with the date (for example, exYYMMDD.log). For more information about how to set up logging, click the following article number to view the article in the Microsoft Knowledge Base:

HTTP

1xx – Informational

These status codes indicate a provisional response. The client should be prepared to receive one or more 1xx responses before receiving a regular response.

  • 100 – Continue.
  • 101 – Switching protocols.

2xx – Success

This class of status codes indicates that the server successfully accepted the client request.

  • 200 – OK. The client request has succeeded.
  • 201 – Created.
  • 202 – Accepted.
  • 203 – Non-authoritative information.
  • 204 – No content.
  • 205 – Reset content.
  • 206 – Partial content.
  • 207 – Multi-Status (WebDay).

3xx – Redirection

The client browser must take more action to fulfill the request. For example, the browser may have to request a different page on the server or repeat the request by using a proxy server.

  • 301 – Moved Permanently
  • 302 – Object moved.
  • 304 – Not modified.
  • 307 – Temporary redirect.

4xx – Client Error

An error occurs, and the client appears to be at fault. For example, the client may request a page that does not exist, or the client may not provide valid authentication information.

  • 400 – Bad request.
  • 401 – Access denied. IIS defines several different 401 errors that indicate a more specific cause of the error. These specific error codes are displayed in the browser but are not displayed in the IIS log:
    • 401.1 – Logon failed.
    • 401.2 – Logon failed due to server configuration.
    • 401.3 – Unauthorized due to ACL on resource.
    • 401.4 – Authorization failed by filter.
    • 401.5 – Authorization failed by ISAPI/CGI application.
    • 401.7 – Access denied by URL authorization policy on the Web server. This error code is specific to IIS 6.0.
  • 403 – Forbidden. IIS defines several different 403 errors that indicate a more specific cause of the error:
    • 403.1 – Execute access forbidden.
    • 403.2 – Read access forbidden.
    • 403.3 – Write access forbidden.
    • 403.4 – SSL required.
    • 403.5 – SSL 128 required.
    • 403.6 – IP address rejected.
    • 403.7 – Client certificate required.
    • 403.8 – Site access denied.
    • 403.9 – Too many users.
    • 403.10 – Invalid configuration.
    • 403.11 – Password change.
    • 403.12 – Mapper denied access.
    • 403.13 – Client certificate revoked.
    • 403.14 – Directory listing denied.
    • 403.15 – Client Access Licenses exceeded.
    • 403.16 – Client certificate is untrusted or invalid.
    • 403.17 – Client certificate has expired or is not yet valid.
    • 403.18 – Cannot execute requested URL in the current application pool. This error code is specific to IIS 6.0.
    • 403.19 – Cannot execute CGIs for the client in this application pool. This error code is specific to IIS 6.0.
    • 403.20 – Passport logon failed. This error code is specific to IIS 6.0.
  • 404 – Not found.
    • 404.0 – (None) – File or directory not found.
    • 404.1 – Web site not accessible on the requested port.
    • 404.2 – Web service extension lockdown policy prevents this request.
    • 404.3 – MIME map policy prevents this request.
  • 405 – HTTP verb used to access this page is not allowed (method not allowed.)
  • 406 – Client browser does not accept the MIME type of the requested page.
  • 407 – Proxy authentication required.
  • 412 – Precondition failed.
  • 413 – Request entity too large.
  • 414 – Request-URI too long.
  • 415 – Unsupported media type.
  • 416 – Requested range not satisfiable.
  • 417 – Execution failed.
  • 423 – Locked error.

5xx – Server Error

The server cannot complete the request because it encounters an error.

  • 500 – Internal server error.
    • 500.12 – Application is busy restarting on the Web server.
    • 500.13 – Web server is too busy.
    • 500.15 – Direct requests for Global.asa are not allowed.
    • 500.16 – UNC authorization credentials incorrect. This error code is specific to IIS 6.0.
    • 500.18 – URL authorization store cannot be opened. This error code is specific to IIS 6.0.
    • 500.19 – Data for this file is configured improperly in the metabase.
    • 500.100 – Internal ASP error.
  • 501 – Header values specify a configuration that is not implemented.
  • 502 – Web server received an invalid response while acting as a gateway or proxy.
    • 502.1 – CGI application timeout.
    • 502.2 – Error in CGI application.
  • 503 – Service unavailable. This error code is specific to IIS 6.0.
  • 504 – Gateway timeout.
  • 505 – HTTP version not supported.

IIS HTTP status codes and their causes

  • 200 – Success. This status code indicates that IIS has successfully processed the request.
  • 206 – Partial Content. This indicates that a file has been partially downloaded. It can enable resuming of interrupted downloads, or split a download into multiple concurrent streams.
  • 207 – Multi-Status (WebDAV). This comes before an XML message that can contain several separate response codes, depending on how many sub-requests were made.
  • 301 – Moved Permanently. This and all future requests should be directed to the given URI.
  • 302 – Found. This is frequently represented as “Object Moved” for forms based authentication. The requested resource resides temporarily under a different URI. Because the redirection might be altered occasionally, the client should continue to use the Request-URI for future requests. This response is only cacheable if indicated by a Cache-Control or Expires header field.
  • 304 – Not Modified. The client requests a document that is already in its cache and the document has not been modified since it was cached. The client uses the cached copy of the document, instead of downloading it from the server.
  • 401.1 and 401.2 – Logon failed. The logon attempt is unsuccessful because a user name or a password is not valid, or because there is a problem with the system configuration. For more information about how to resolve this problem, click the following article number to view the article in the Microsoft Knowledge Base:
    907273  (http://support.microsoft.com/kb/907273/ ) Troubleshooting HTTP 401 errors in IIS
  • 401.3 – Unauthorized due to ACL on resource. This indicates a problem with NTFS permissions. This error may occur even if the permissions are correct for the file that you are trying to access. For example, you see this error if the IUSR account does not have access to the C:\Winnt\System32\Inetsrv directory. For more information about how to resolve this problem, click the following article numbers to view the articles in the Microsoft Knowledge Base:
    271071  (http://support.microsoft.com/kb/271071/ ) How to set required NTFS permissions and user rights for an IIS 5.0 Web server
    812614  (http://support.microsoft.com/kb/812614/ ) Default permissions and user rights for IIS 6.0
  • 403 – Forbidden. You can receive this generic 403 status code if the Web site has no default document set, and the site is not set to allow Directory Browsing. For more information about how to resolve this problem, click the following article number to view the article in the Microsoft Knowledge Base:
    320051  (http://support.microsoft.com/kb/320051/ ) How to configure the default document in Internet Information Services
  • 403.1 – Execute access forbidden. The following are two common causes of this error message:
    • You do not have enough Execute permissions. For example, you may receive this error message if you try to access an ASP page in a directory where permissions are set to None, or you try to execute a CGI script in a directory with Scripts Only permissions. To modify the Execute permissions, right-click the directory in Microsoft Management Console (MMC), click Properties, click the Directory tab, and make sure that the Execute Permissions setting is appropriate for the content that you are trying to access.
    • The script mapping for the file type that you are trying to execute is not set up to recognize the verb that you are using (for example, GET or POST). To verify this, right-click the directory in Microsoft Management Console, click Properties, click the Directory tab, click Configuration, and verify that the script mapping for the appropriate file type is set up to allow the verb that you are using.
  • 403.2 – Read access forbidden. Verify that you have set up IIS to allow Read access to the directory. Also, if you are using a default document, verify that the document exists. For additional information about how to resolve this problem, click the article number below to view the article in the Microsoft Knowledge Base:
    247677  (http://support.microsoft.com/kb/247677/EN-US/ ) Error Message: 403.2 Forbidden: Read Access Forbidden
  • 403.3 – Write access forbidden. Verify that the IIS permissions and the NTFS permissions are set up to grant Write access to the directory.For additional information about how to resolve this problem, click the article number below to view the article in the Microsoft Knowledge Base:
    248072  (http://support.microsoft.com/kb/248072/EN-US/ ) Error Message: 403.3 Forbidden: Write Access Forbidden
  • 403.4 – SSL required. Disable the Require secure channel option, or use HTTPS instead of HTTP to access the page.
  • 403.5 – SSL 128 required. Disable the Require 128-bit encryption option, or use a browser that supports 128-bit encryption to view the page.
  • 403.6 – IP address rejected. You have configured the server to deny access to your current IP address. For additional information about how to resolve this problem, click the article number below to view the article in the Microsoft Knowledge Base:
    248043  (http://support.microsoft.com/kb/248043/EN-US/ ) Error Message: 403.6 – Forbidden: IP Address Rejected
  • 403.7 – Client certificate required. You have configured the server to require a certificate for client authentication, but you do not have a valid client certificate installed.
    186812  (http://support.microsoft.com/kb/186812/EN-US/ ) PRB: Error Message: 403.7 Forbidden: Client Certificate Required
  • 403.8 – Site access denied. You have set up a domain name restriction for the domain that you are using to access the server.For additional information about how to resolve this problem, click the article number below to view the article in the Microsoft Knowledge Base:
    248032  (http://support.microsoft.com/kb/248032/EN-US/ ) Error Message: Forbidden: Site Access Denied 403.8
  • 403.9 – Too many users. The number of users who are connected to the server exceeds the connection limit that you have set. For additional information about how to change this limit, click the article number below to view the article in the Microsoft Knowledge Base:
    248074  (http://support.microsoft.com/kb/248074/EN-US/ ) Error Message: Access Forbidden: Too Many Users Are Connected 403.9

    NOTE: Microsoft Windows 2000 Professional and Windows XP Professional automatically impose a 10-connection limit on IIS. You cannot change this limit.

  • 403.12 – Mapper denied access. The page that you want to access requires a client certificate. However, the user ID that is mapped to the client certificate has been denied access to the file. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
    248075  (http://support.microsoft.com/kb/248075/EN-US/ ) Error: HTTP 403.12 – Access Forbidden: Mapper Denied Access
  • 404 – Not found. This error may occur if the file that you are trying to access has been moved or deleted. It can also occur if you try to access a file that has a restricted file name extension after you install the URLScan tool. You will see “Rejected by URLScan” in the w3svc log files after you install the URLScan tool. In this case, you see “Rejected by URLScan” in the log file entry for that request. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
    248033  (http://support.microsoft.com/kb/248033/ ) How system administrators can troubleshoot an “HTTP 404 – File not found” error message on a server that is running IIS
    • 404.1 – Web Site not accessible on the requested port. This error indicates that the Web site you are trying to access has an IP address that does not accept requests for the port on which this request came. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
      248034  (http://support.microsoft.com/kb/248034/ ) IIS Error: 404.1 Web Site Not Found
    • 404.2 – Lockdown policy prevents this request. In IIS 6.0, this indicates that the request has been prohibited in the Web Service Extensions list. For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
      328419  (http://support.microsoft.com/kb/328419/ ) How to add and remove Web Service Extension files in IIS 6
      328505  (http://support.microsoft.com/kb/328505/ ) How to list Web Server Extensions and Extension files in IIS 6.0
      328360  (http://support.microsoft.com/kb/328360/ ) How to enable and disable ISAPI extensions and CGI applications in IIS 6.0
    • 404.3 – MIME Map policy prevents this request. This problem occurs if the following conditions are true:
      1. The handler mapping for the requested file name extension is not configured.
      2. The appropriate MIME type is not configured for the Web site or for the application.
  • 405 – Method not allowed. This error can occur when a client sends an HTTP request to the server that is running IIS, and the request contains an HTTP verb that the server does not recognize. To resolve the issue, make sure that the client’s request uses an HTTP verb that is compliant with the HTTP rfc. See the “References” section for information about the HTTP rfc.
  • 500 – Internal server error. You see this error message for many server-side errors. Your event viewer logs may contain more information about why this error occurs. Additionally, you can disable friendly HTTP error messages to receive a detailed description of the error. For more information about how to disable friendly HTTP error messages, click the following article number to view the article in the Microsoft Knowledge Base:
    294807  (http://support.microsoft.com/kb/294807/ ) HOW TO: Disable Internet Explorer 5 ‘Show Friendly HTTP Error Messages’ Feature on the Server Side
  • 500.12 – Application restarting. This indicates that you tried to load an ASP page while IIS was restarting the application. This message should disappear when you refresh the page. If you refresh the page and the message appears again, it may be caused by antivirus software that is scanning your Global.asa file. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
    248013  (http://support.microsoft.com/kb/248013/EN-US/ ) Err Msg: HTTP Error 500-12 Application Restarting
  • 500-100.ASP – ASP error. You receive this error message when you try to load an ASP page that has errors in the code. To obtain more specific information about the error, disable friendly HTTP error messages. By default, this error is only enabled on the default Web site. For more information about how to see this error on non-default Web sites, click the following article number to view the article in the Microsoft Knowledge Base:
    261200  (http://support.microsoft.com/kb/261200/ ) HTTP 500 error message displays instead of ASP error message from 500-100.asp
  • 502 – Bad gateway. You receive this error message when you try to run a CGI script that does not return a valid set of HTTP headers. To resolve the issue, you have to debug the CGI application to determine why it passed invalid HTTP information to IIS.
  • 503 – Service Unavailable. Beginning in IIS 6, the kernel-mode Http.sys component produces an HTTP 503 status. For more information about how to identify and troubleshoot HTTP 503 errors, click the following article number to view the article in the Microsoft Knowledge Base:
    820729  (http://support.microsoft.com/kb/820729/ ) Error logging in HTTP API
  • 500.19. You receive this error when the XML metabase contains invalid configuration information for the content type that you are trying to access. To resolve this issue, remove or correct the invalid configuration. This problem typically indicates a problem in the ScriptMap metabase key.

FTP

1xx – Positive Preliminary Reply

These status codes indicate that an action has started successfully, but the client expects another reply before it continues with a new command.

  • 110 Restart marker reply.
  • 120 Service ready in nnn minutes.
  • 125 Data connection already open; transfer starting.
  • 150 File status okay; about to open data connection.

2xx – Positive Completion Reply

An action has successfully completed. The client can execute a new command.

  • 200 Command okay.
  • 202 Command not implemented, superfluous at this site.
  • 211 System status, or system help reply.
  • 212 Directory status.
  • 213 File status.
  • 214 Help message.
  • 215 NAME system type, where NAME is an official system name from the list in the Assigned Numbers document.
  • 220 Service ready for new user.
  • 221 Service closing control connection. Logged out if appropriate.
  • 225 Data connection open; no transfer in progress.
  • 226 Closing data connection. Requested file action successful (for example, file transfer or file abort).
  • 227 Entering passive mode (h1,h2,h3,h4,p1,p2).
  • 230 User logged in, proceed.
  • 250 Requested file action okay, completed.
  • 257 “PATHNAME” created.

3xx – Positive Intermediate Reply

The command was successful, but the server needs additional information from the client to complete processing the request.

  • 331 User name okay, need password.
  • 332 Need account for login.
  • 350 Requested file action pending further information.

4xx – Transient Negative Completion Reply

The command was not successful, but the error is temporary. If the client retries the command, it may succeed.

  • 421 Service not available, closing control connection. This may be a reply to any command if the service knows it must shut down.
  • 425 Cannot open data connection.
  • 426 Connection closed; transfer aborted.
  • 450 Requested file action not taken. File unavailable (for example, file busy).
  • 451 Requested action aborted: Local error in processing.
  • 452 Requested action not taken. Insufficient storage space in system.

5xx – Permanent Negative Completion Reply

The command was not successful, and the error is permanent. If the client retries the command, it receives the same error.

  • 500 Syntax error, command unrecognized. This may include errors such as command line too long.
  • 501 Syntax error in parameters or arguments.
  • 502 Command not implemented.
  • 503 Bad sequence of commands.
  • 504 Command not implemented for that parameter.
  • 530 Not logged in.
  • 532 Need account for storing files.
  • 550 Requested action not taken. File unavailable (for example, file not found, no access).
  • 551 Requested action aborted: Page type unknown.
  • 552 Requested file action aborted. Exceeded storage allocation (for current directory or dataset).
  • 553 Requested action not taken. File name not allowed.

Common FTP Status Codes and Their Causes

  • 150 – FTP uses two ports: 21 for sending commands, and 20 for sending data. A status code of 150 indicates that the server is about to open a new connection on port 20 to send some data.
  • 226 – The command opens a data connection on port 20 to perform an action, such as transferring a file. This action successfully completes, and the data connection is closed.
  • 230 – This status code appears after the client sends the correct password. It indicates that the user has successfully logged on.
  • 331 – You see this status code after the client sends a user name. This same status code appears regardless of whether the user name that is provided is a valid account on the system.
  • 426 – The command opens a data connection to perform an action, but that action is canceled, and the data connection is closed.
  • 530 – This status code indicates that the user cannot log on because the user name and password combination is not valid. If you use a user account to log on, you may have mistyped the user name or password, or you may have chosen to allow only Anonymous access. If you log on with the Anonymous account, you may have configured IIS to deny Anonymous access.
  • 550 – The command is not executed because the specified file is not available. For example, this status code occurs when you try to GET a file that does not exist, or when you try to PUT a file in a directory for which you do not have Write access.

 

Link:

http://support.microsoft.com/default.aspx?scid=kb;en-us;318380



Jul 28

Global Catalog vs. Infrastructure Master

Active Directory, Windows 1 Comment »

Frage: Darf der Infrastruktur-Master auf einem Domänencontroller laufen, der auch Global Catalog Server ist?

Antwort: Eine übliche Antwort hierauf beruht auf einem falsch verstandenen Gerücht. Hiernach dürfe der Infrastruktur-Master (IM) nur dann auf einem Global Catalog Server (GC) laufen, wenn jeder Domänencontroller (DC) im gesamten Forest ein Global Catalog Server sei. Dieses Gerücht beruht allerdings auf missverständlichen Formulierungen.

Die Aufgabe des Infrastruktur-Masters besteht darin, Objekte der eigenen Domäne mit Objekten anderer Domänen im gleichen Forest zu vergleichen und mögliche Unterschiede (insbesondere domänenübergreifende Gruppenmitgliedschaften) zu korrigieren. Wenn nun der Server, der die IM-Rolle hält, gleichzeitig Globaler Katalog ist, wird er niemals einen Unterschied feststellen, weil er ja bereits eine Teilkopie jedes Objekts im ganzen Forest hat. Daher wird der IM in diesem Fall in seiner eigenen Domäne niemals eine Änderung an solchen Objekten durchführen. Wenn allerdings jeder DC innerhalb der Domäne auch GC ist, hat der IM schlicht nichts zu tun, denn jeder GC kennt ohnehin alle Objekte anderer Domänen. Wenn man sich nun also ansieht, was der IM zu tun hat, wird es klar, dass die IM-Rolle auf einem GC laufen darf, wenn es sich um ein Einzeldomänen-Netzwerk handelt (denn dann gibt es keine anderen Domänen, von denen Objekte repliziert werden). Ebenso klar ist, dass die IM-Rolle auf einem GC laufen darf, wenn der Forest aus mehreren Domänen besteht, aber jeder DC in der eigenen Domäne auch GC ist (kein Bedarf an Objektvergleichen, weil der GC sowieso “alles” weiss).

Domäne A

•A-DC1 (GC + IM)
•A-DC2 (GC)
•A-DC3 (muss GC sein!)

Domäne B

•B-DC1 (GC)
•B-DC2 (IM)
•B-DC3 bis B-DCx (GC oder nicht spielt hier keine Rolle)

In der ersten Domäne muss der IM keine Informationen aus anderen Domänen abrufen, weil der GC “alles” bereits kennt. Die andere Domäne hat den IM auf einem Nicht-GC, also ruft der IM Informationen aus den anderen Domänen ab und repliziert sie bei Bedarf auf die anderen DCs.

Um es also kurz zu machen:

Der Infrastruktur-Master darf nicht auf einem Global Catalog Server laufen, wenn alle folgenden Voraussetzungen gegeben sind:

•es gibt mehrere Domänen im Forest und
•es gibt Domänencontroller in derselben Domäne, die nicht Global Catalog Server sind.

Der Infrastruktur-Master darf auf einem Global Catalog Server laufen, wenn mindestens eine der folgenden Voraussetzungen gegeben ist:

•es gibt nur eine Domäne im Forest und/oder
•jeder Domänencontroller in derselben Domäne ist auch Global Catalog Server

Links:
http://support.microsoft.com/kb/223346/EN-US/
http://support.microsoft.com/?id=248047

Quelle: http://www.faq-o-matic.net

Jan 05

DFS – FQDN als Rückgabewert

Active Directory, Windows No Comments »

Standardmässig gibt DFS auf Anfragen nur NetBIOS Namen zurück. Dies funktioniert ganz ordentlich, solange man sich nicht in einem anderen Forest, Domain etc befindet….
Sobald von ausserhalb der Domaine ein Zugriff auf DFS Ressourcen erfolgt, landet man im Nirvana.

Als unschöner Workaraound könnten die DFS Server beim lokalen DNS eingetragen werden. Oder die DNS-Suffix aller Clients werden mit den Präfixen erweitert.

Das Ganze kann aber auch direkt im DFS umkonfiguriert werden. Folgender RegKey muss auf allen DFS Servern hinzugefügt werden, welche Namespaces hosten:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dfs
Value Name: DfsDnsConfig
Data Type: REG_DWORD
Value Data: 1

Sind nun schon Namespaces vorhanden, müssen diese inkl. den Targets komplett neu eingerichtet werden. Am einfachsten mit dfsutil.exe arbeiten, Targets exportieren, Export File mit FQDN Namen umschreiben und in die neu konfigurierten Namespaces wieder importieren.

Link:
http://support.microsoft.com/kb/244380/en-us

Dez 30

Explorer Maintenance Policies bei jedem Boot neu laden

GPO, Security, Windows No Comments »

Die Internet Explorer Maintenance Group wird von den Clients als Template angeschaut und somit nur beim ersten Login des User gezogen (und natürlich bei jeder Änderung von dem GPO)
Werden nun Änderungen von den Usern durchgeführt (Proxy, Trusted Sites, local Sites, Startpage, IE-Settings etc…), stimmen danach die Parameter nicht mehr und werden bis zu einer Änderung der Explorer Maintenance GPO auch nicht mehr gesetzt.

Dies kann mittels der Policy “Internet Explorer Maintenance Policy Processing” unter Computer Configuration\Administrative Templates\System\Group Policy umgangen werden, damit das Template bei jedem Boot neu geladen wird. Zusätzlich ist noch SlowLink Detection und Background Processing einstellbar.

Weitere Infos:
http://support.microsoft.com/kb/306915/en-us

Previous Entries