2012R2 RADIUS Authentication for Dell PowerConnect 8024f

I am not going to re-invent the wheel here. See these two blogs for info on initial setup on the PowerConnect and Radius server.

Daryl Hunter – Network Cowboy “Dell PowerConnect + RADIUS + Windows Server 2008 NPS”

vNetWise Virtual Blatherings and “2008R2 RADIUS Authentication for Dell PowerConnect 6248”

Both of these links do a great job explaining what you need to do on the PowerConnect and the Server. Make sure you at least do the following:

Set up a local admin account
Set up the RADIUS list
Set up the RADIUS servers – two servers worked for us, although vNetWise reported issues with that in their implementation
Configure Telnet, SSH and HTTP(S)
Configure the RADIUS clients on the Windows server
Create the NPS network policy

There are two things those posts do not mention, or mention only in visitor comments.

First, there is a 48 character limit for the RADIUS key on the switch. If the standard 64 characters generated by the server are used, you will get Event 6273, Error 16 “Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.”

Second, you have to set up a connection request policy or the Network Policy Server will refuse the connections with Event 6273, Error 49 “The RADIUS request did not match any configured connection request policy (CRP).”

These are the settings I used to create our connection request policy:


After both of these changes were implemented, we were able to successfully authenticate with radius.
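The following PowerShell is an added example, not code from the original post or from either of the linked blogs. It generates a shared secret that fits the switch's 48 character limit, registers the switch as a RADIUS client in NPS, and then summarises recent Event 6273 rejects by reason code so the two failures described above (16 and 49) are easy to spot. It assumes it runs on the NPS server as an administrator with the NPS PowerShell module available; the switch name and address are placeholders.

```powershell
# Added example, not code from the original post. Generates a shared secret that
# respects the PowerConnect's 48-character limit described above, registers the
# switch as a RADIUS client in NPS, and then summarises recent Event 6273 rejects
# by reason code (16 = credential mismatch, 49 = no matching connection request
# policy). Assumptions: run on the NPS server as an administrator with the NPS
# PowerShell module installed; the switch name and address are placeholders.

Import-Module NPS

$MaxSecretLength = 48   # limit of the switch's RADIUS key, per the post

function New-RadiusSharedSecret {
    param([int]$Length = $MaxSecretLength)
    # Letters and digits only, so the secret pastes cleanly into the switch CLI
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $chars = New-Object System.Collections.Generic.List[char]
    $buf = New-Object byte[] 1
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($buf)
        # Rejection sampling: 248 = 4 * 62, so every character is equally likely
        if ($buf[0] -lt 248) { $chars.Add($alphabet[$buf[0] % 62]) }
    }
    return (-join $chars)
}

function Register-SwitchRadiusClient {
    param([string]$Name, [string]$Address, [string]$SharedSecret)
    # Refuse a secret the switch would silently truncate, which is what produces Error 16
    if ($SharedSecret.Length -gt $MaxSecretLength) {
        throw "Shared secret is $($SharedSecret.Length) characters; the switch accepts at most $MaxSecretLength."
    }
    New-NpsRadiusClient -Name $Name -Address $Address -SharedSecret $SharedSecret
}

function Get-NpsRejectSummary {
    param([int]$Hours = 24)
    $hints = @{
        16 = 'credential mismatch (check the shared secret and its length)'
        49 = 'no matching connection request policy'
    }
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ForEach-Object { if ($_.Message -match 'Reason Code:\s+(\d+)') { [int]$Matches[1] } } |
        Group-Object |
        ForEach-Object {
            $code = [int]$_.Name
            [pscustomobject]@{
                ReasonCode = $code
                Count      = $_.Count
                Hint       = if ($hints.ContainsKey($code)) { $hints[$code] } else { 'see the event text' }
            }
        }
}

$secret = New-RadiusSharedSecret
Register-SwitchRadiusClient -Name 'PC8024F-CORE' -Address '192.0.2.10' -SharedSecret $secret
Write-Host "Enter this key on the switch: $secret"
Get-NpsRejectSummary | Format-Table -AutoSize
```

Run the reject summary again after the connection request policy is in place: reason code 49 should disappear, and any remaining 16s point at the key on one side not matching the other.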

Hopefully these steps help you in your quest to use RADIUS authentication on your Dell PowerConnect switch!

Remember, tips are always appreciated – BTC 17QJoiG7uWvumPjpvECXZgi5GqSPUbYf21


Disabling Deprecated SSL and TLS versions with Group Policy

While working on a client’s system today, I noticed that some newer sites were pointing to an error that went something like this:

This page can’t be displayed
Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to again. If this error persists, it is possible that this site uses an unsupported protocol. Please contact the site administrator.


This was on a site that should not have caused any issues, Southwest Airlines. A quick check showed that only SSL 3.0 and TLS 1.0 were enabled. Both are insecure, and SSLv3 is fully deprecated. A change was needed; however, the client required that the existing settings stay in place and that TLS 1.1 and TLS 1.2 be added, without causing issues for end users.


Enter Group Policy

There are two ways to go about this: Group Policy User Preferences or hardened Computer Policies. Both accomplish the same goal, but in different ways. If users must be able to disable or re-enable protocol versions and you simply want to set defaults, use User Preferences. If you want something more secure that users cannot change, use Computer Policies.

User Preferences

If your requirements point to User Preferences, open Group Policy Management and either create a new policy or edit an existing one. Make sure your policy is linked appropriately. Next, navigate to User Configuration -> Preferences -> Control Panel Settings -> Internet Settings and create or edit an Internet Explorer 10 setting.


Once opened, go to the Advanced tab and select the versions you wish to add or remove.


Apply the policy, run a Group Policy update on an endpoint and user covered by it, and verify that the settings have changed. You will notice that the settings have been updated, but remember that these are preferences, not enforced settings. An end user can still make adjustments after the setting is applied, and those changes cannot be fully controlled.


Computer Policies

If your requirements point to Computer Policy, open Group Policy Management and either create a new policy or edit an existing one. Make sure your policy is linked appropriately. Navigate to Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Advanced Page and find “Turn off encryption support.” While the name sounds scary, never fear: you are only turning off encryption support as you see fit and ensuring that only the protocols you deem necessary are enabled!


Enable the setting if it is not already enabled, then select the combination of security protocols you wish to use, in this case SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2.


Apply the policy, run a Group Policy update on an endpoint covered by it, and verify that the settings have changed.


You will notice that the settings have been updated and cannot be changed. This prevents users from selecting insecure or unneeded protocols.
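Whichever method you pick, it ends up as a bitmask in the SecureProtocols registry value: the user preference writes it under HKCU, the computer policy under the HKLM Policies key, where it overrides the user value. The PowerShell below is an added example, not code from the original post. It decodes that value from both locations after a gpupdate, flags the weak protocols, and can also build the mask for a given set of names; the combination the post enables (SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2) encodes to 2720. The bit values and registry paths are the documented Internet Settings ones; the weak-protocol list is my own choice and should be adjusted to your standard.

```powershell
# Added example, not code from the original post. Decodes the SecureProtocols
# registry value that both Group Policy methods above write, so you can confirm
# on an endpoint after gpupdate which protocol versions are enabled and from
# which source. Bit values and paths are the documented Internet Settings ones;
# the Policies path only exists once the Computer Policy method has applied.

$ProtocolBits = [ordered]@{
    'SSL 2.0' = 8
    'SSL 3.0' = 32
    'TLS 1.0' = 128
    'TLS 1.1' = 512
    'TLS 1.2' = 2048
    'TLS 1.3' = 8192
}
# Versions this check treats as weak (assumption: adjust to your own standard)
$WeakProtocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0'

function ConvertFrom-SecureProtocols {
    # Bitmask -> list of enabled protocol names
    param([int]$Value)
    $ProtocolBits.GetEnumerator() | Where-Object { ($Value -band $_.Value) -ne 0 } | ForEach-Object { $_.Key }
}

function ConvertTo-SecureProtocols {
    # List of protocol names -> bitmask, e.g. to set the value on a machine outside GPO
    param([string[]]$Names)
    $mask = 0
    foreach ($n in $Names) {
        if (-not $ProtocolBits.Contains($n)) { throw "Unknown protocol name: $n" }
        $mask = $mask -bor $ProtocolBits[$n]
    }
    return $mask
}

function Get-EffectiveSecureProtocols {
    $sources = [ordered]@{
        'Computer Policy (enforced)' = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
        'User Preference / default'  = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
    }
    foreach ($s in $sources.GetEnumerator()) {
        $v = (Get-ItemProperty -Path $s.Value -Name SecureProtocols -ErrorAction SilentlyContinue).SecureProtocols
        $names = if ($null -ne $v) { @(ConvertFrom-SecureProtocols $v) } else { @() }
        [pscustomobject]@{
            Source    = $s.Key
            Value     = $v
            Protocols = if ($names) { $names -join ', ' } else { '(not set)' }
            Weak      = ($names | Where-Object { $_ -in $WeakProtocols }) -join ', '
        }
    }
}

# The combination the post enables, and a hardened variant for comparison
ConvertTo-SecureProtocols 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
ConvertTo-SecureProtocols 'TLS 1.1', 'TLS 1.2'
Get-EffectiveSecureProtocols | Format-Table -AutoSize
```

If the Computer Policy row shows a value, that is what Internet Explorer honours regardless of what the user has ticked in Internet Options; an empty row there with a populated User Preference row means you are still on the preference method and the user can change it back.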

Hopefully you are able to use these settings to help enforce security across your organization.

Remember, tips are always appreciated – BTC 17QJoiG7uWvumPjpvECXZgi5GqSPUbYf21


Java Silent Update Part 4 – The Deployment with Script

Last week, I described how to deploy Java via Group Policy. When this isn’t an option, you will be turning to a deployment program / service or scripting. In this post, I will go into the details of how to script this deployment from a location that is accessible on your network. Please take this advice, make it your own and fit it to your design needs.

After deciding what works best for your environment, you will be able to put everything together. We created a file called INSTALL.CMD and used it for the task. We then combined the commands from previous posts into this file in the following configuration:

@echo off
REM Close browsers and Java helper processes that would keep Java files in use
taskkill /F /IM iexplore.exe
taskkill /F /IM firefox.exe
taskkill /F /IM chrome.exe
taskkill /F /IM javaw.exe
taskkill /F /IM jqs.exe
taskkill /F /IM jusched.exe

REM Uninstall Java (%% is the escaped percent sign inside a batch file)
wmic product where "name like 'java%% 6%%'" call uninstall /nointeractive
wmic product where "name like 'java%% 7%%'" call uninstall /nointeractive
wmic product where "name like 'java%% 8%%'" call uninstall /nointeractive

REM Install JRE x86
msiexec.exe /QN /i "\\server\share\Java\jre1_8_0_65\x86\jre1.8.0_65.msi" TRANSFORMS="\\server\share\Java\jre1_8_0_65\x86\KD_Custom.mst" REBOOT=ReallySuppress
set EXIT_CODE=%errorlevel%
REM 0 = success, 3010 = success but a reboot is pending; anything else is a failure
if %EXIT_CODE% neq 0 if %EXIT_CODE% neq 3010 goto failed

REM Install JRE x64
msiexec.exe /QN /i "\\server\share\Java\jre1_8_0_65\x64\jre1.8.0_65.msi" TRANSFORMS="\\server\share\Java\jre1_8_0_65\x64\KD_Custom.mst" REBOOT=ReallySuppress
set EXIT_CODE=%errorlevel%
if %EXIT_CODE% neq 0 if %EXIT_CODE% neq 3010 goto failed

REM Return the exit code to the deployment software
exit /B %EXIT_CODE%

:failed
REM Record the failure on the share, then return the msiexec error code
echo %computername% errored on %date% at %time%>>"\\server\Share\Java\failedinstalls.txt"
exit /B %EXIT_CODE%

Stepping through the script:

Kill tasks that use Java
Uninstall previous versions
Install the current versions
Send the exit code back to the deployment software

For all of this, you need to make sure that your method of deployment has access to the shared location. You will also want to make sure that the correct files are all living next to each other just as mentioned in previous posts.

Once tested in your environment, you should be able to use your favorite method of deployment to successfully upgrade to the newest version of Java. Please share and comment if you were able to use this information in a successful deployment!

Tips are also appreciated – BTC 1zALFY18ky39ne63Q9SMNFhzJZS6CARFH


DNS EnableLogFileRollover Update via Regedit instead of Powershell

Today we had a remote site report that two computers had limited or no connectivity. The issue led to the site’s DHCP/DNS server: DHCP was no longer authorized and the DNS server would not come up. After DHCP was re-authorized, DNS still had issues. The server happened to be a Server Core install, which added a further wrinkle to troubleshooting.

Once firewall rules were in order, we were able to gather two errors:

Event 2204, DNS-Server_Service - The registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\EnableLogFileRollover contains an invalid value or could not be read. The DNS server cannot start. You must change this value to valid data or delete it and then attempt to restart the DNS service.


Event 3152, DNS-Server_Service - The DNS server was unable to open file c:\windows\system32\logfiles\dns\dns.log for write.  Most likely the file is a zone file that is already open.  Close the zone file and re-initiate zone write.

Research into the issue pointed to making the change with PowerShell. This site describes fixing the same issue with PowerShell.


However, the PowerShell cmdlets did not work. A quick check with Microsoft showed the command should have been working.




To enable the rollover function and allow the service to start successfully, set the following value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters (the key named in Event 2204):

DWORD (32-bit) - EnableLogFileRollover
Value - 1


In our case, the entry did not exist. Adding the entry allowed DNS to load successfully and resolved all of our issues.
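On Server Core, where regedit is the less convenient option, the same repair can be done from the console. The script below is an added example, not code from the original post. It checks whether EnableLogFileRollover exists, is a DWORD and holds 0 or 1 (anything else is what Event 2204 reports as invalid or unreadable), recreates it as REG_DWORD 1 when it does not, and restarts the DNS service. It assumes an elevated session on the DNS server.

```powershell
# Added example, not code from the original post. Validates the DNS server's
# EnableLogFileRollover registry value, creates or repairs it as REG_DWORD = 1
# (the setting the post used), and restarts the DNS service.
# Assumption: run in an elevated PowerShell session on the DNS server.

$DnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'EnableLogFileRollover'

function Test-LogFileRolloverValue {
    # $true only when the value exists, is a DWORD and holds 0 or 1; anything
    # else is what Event 2204 calls 'an invalid value or could not be read'
    $key = Get-Item -Path $DnsParams -ErrorAction Stop
    if ($key.GetValueNames() -notcontains $ValueName) { return $false }
    $kind = $key.GetValueKind($ValueName)
    $data = $key.GetValue($ValueName)
    return ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord) -and ($data -in 0, 1)
}

function Repair-LogFileRolloverValue {
    if (Test-LogFileRolloverValue) {
        $current = (Get-ItemProperty -Path $DnsParams -Name $ValueName).$ValueName
        Write-Host "$ValueName is already valid (value $current); nothing to change."
        return
    }
    # Drop a malformed value (wrong type, bad data) before recreating it as a DWORD
    Remove-ItemProperty -Path $DnsParams -Name $ValueName -ErrorAction SilentlyContinue
    New-ItemProperty -Path $DnsParams -Name $ValueName -PropertyType DWord -Value 1 | Out-Null
    Write-Host "$ValueName created as REG_DWORD with value 1."
}

Repair-LogFileRolloverValue
Restart-Service -Name DNS
Get-Service -Name DNS

# Confirm the service came up without logging a fresh 2204
Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; Id = 2204 } -MaxEvents 1 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

If the last command still returns a 2204 newer than the restart, the value is being read from somewhere else or the key permissions are wrong; the check above only covers the data itself.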

Hopefully this information is helpful for those that are looking to resolve a similar issue.

Tips are appreciated – BTC 16hAUEAYn5reugvNcWBXLbp7za89hTx9jA


Java Silent Update Part 3 – The Deployment with GPO

Last week, I described how to prepare for deployment of Java to an organization. With those pieces, we were able to deploy the software silently in several different ways. In this post, I will go into the details of how we deployed the software with Group Policy.

The first stop is to upload the files to a location. We deployed to a smaller organization and simply used \\TheDomain\NETLOGON, creating a folder for Java with a folder under it for each version and, under that, folders for x86 and x64. This may be overkill for your needs, but it helps with separation and troubleshooting in the future. It also gives you the ability to add another version before removing a previous one, which is discussed at the end of this post.

Example Folder Layout


Once the folders are created, upload the .MSI, .MST, and .CFG files for each installation to the appropriate locations.

Example File Layout


Once uploaded, navigate to Control Panel –> System and Security –> Administrative Tools –> Group Policy Management and go to a test Organizational Unit. Right click on the OU and select “Create a GPO in this domain, and Link it here…”

Create GPO


Name the new GPO and leave Source Starter GPO as none.

Name GPO

Once created, right click on the GPO and select “Edit”.

Java GPO Edit

Next, navigate to Computer Configuration –> Policies –> Software Settings –> Software installation. Once there, right click in the right pane and select New –> Package…

Package Creation

A window will appear and you will be able to select the MSI package for Java.

Select Java MSI


At Deploy Software, select Advanced and push OK.

Deploy Software


There will be a short pause while the MSI info is read into the system. A properties box will appear with much of the needed info already filled in. The settings to edit are on the Deployment and Modifications tabs. First, on the Deployment tab, check “Uninstall this application when it falls out of the scope of management.”

Deployment Tab Options


Next, go to the Modifications tab and click Add. Navigate to the MST file and click OK to open.

Select MST


Select OK one more time and you have selected this version of Java.

Now that you have done this for one architecture, do the same for the other (x86 or x64).

Once completed for both architectures, wait for or force replication between all sites. Once replicated, a forced test can be done by running the following from a computer within the test OU:

gpupdate /force

Once run, a reboot will be required. If everything was successful, the software should install before users are allowed to log in. Once successfully tested, apply this GPO to other OUs by right clicking on the OU within Group Policy Management and selecting “Link an Existing GPO…”

Link Existing GPO


A popup gives you an option to select the newly created Java GPO.

Select GPO to Link

Now that you have deployed the software, what happens next week when either Java releases a new version or you are ready to move to the next supported version?

To start, leave the original GPO in place until you are ready to replace that version in production. This prevents the software from being “upgraded”, which can cause issues. It also ensures that you don’t push the next version directly to production when it should be tested first.

Assuming you have tested and deployed a new version, we can now go back to the old version. We did not upgrade any elements, so there should be no dependencies to cause issues. You are also protected if the computer moves to a different OU that has a different version: it will uninstall because we selected “Uninstall this application when it falls out of the scope of management.” To uninstall, right click and edit the desired version’s GPO. Navigate to the software to be uninstalled by going to Computer Configuration –> Policies –> Software Settings –> Software installation. From there, right click and choose All Tasks –> Remove.

Software to uninstall


A pop-up is displayed; select “Immediately uninstall the software from users and computers”.

Immediately Uninstall


Once the policy has replicated to all sites, force a Group Policy update on the endpoint again and restart. The software should uninstall before login.

A few words of advice and caution.

First, this will work if you are using a DirectAccess VPN, a computer-authenticated wireless LAN or a wired LAN. DirectAccess works best with Windows 8.1 or later.

Second, deploying through GPO can cause slowness at startup for users. This is hardly noticed on a modern LAN but can be significant on older WLANs or on slower DirectAccess VPN connections.

Third, try to avoid upgrading from version to version within the same GPO.  I discovered that the version that was upgraded from did not uninstall.

Fourth, this deployment style works well, but it does not provide easily accessible reporting or a way to remove all previous versions. You can use WMIC commands to remove software, BUT you are not able to easily remove and deploy all in one place.
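The reporting gap above, and the "uninstall every previous version" step that the INSTALL.CMD script in Part 4 performs with three wmic product lines, can both be covered by one inventory routine. The PowerShell below is an added example, not code from either post. It lists installed Java runtimes by reading the MSI Uninstall keys in both the 64-bit and 32-bit hives, which is faster than wmic product (that class enumerates every MSI product on the machine and can trigger consistency repairs as it goes), and then removes each one by product code with msiexec, returning a deployment-friendly exit code. It assumes an elevated session; the version pattern to keep is a placeholder.

```powershell
# Added example, not code from the original posts. Inventories installed Java
# runtimes from the MSI Uninstall keys (64-bit and 32-bit hives) rather than
# 'wmic product', then optionally removes each one with msiexec and returns a
# single exit code for the deployment tool. Assumptions: run elevated; the
# -KeepVersionLike pattern is a placeholder for the version being deployed.

$UninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-InstalledJava {
    # One object per Java MSI product: name, version, architecture, product code
    foreach ($root in $UninstallRoots) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            if ($p.DisplayName -like 'Java*' -and $p.UninstallString -match '\{[0-9A-F-]{36}\}') {
                [pscustomobject]@{
                    DisplayName    = $p.DisplayName
                    DisplayVersion = $p.DisplayVersion
                    Architecture   = if ($root -like '*WOW6432Node*') { 'x86' } else { 'x64' }
                    ProductCode    = $Matches[0]
                }
            }
        }
    }
}

function Remove-InstalledJava {
    # Removes every Java product except those matching -KeepVersionLike (if given).
    # Returns 0, or the last non-success msiexec exit code, for the deployment tool.
    param([string]$KeepVersionLike)   # placeholder pattern, e.g. the version you just deployed
    $exit = 0
    foreach ($java in Get-InstalledJava) {
        if ($KeepVersionLike -and $java.DisplayVersion -like $KeepVersionLike) { continue }
        Write-Host "Removing $($java.DisplayName) ($($java.Architecture)) $($java.ProductCode)"
        $proc = Start-Process -FilePath msiexec.exe `
            -ArgumentList "/x $($java.ProductCode) /qn REBOOT=ReallySuppress" -Wait -PassThru
        # 0 = success, 3010 = success with a reboot pending; anything else is a failure
        if ($proc.ExitCode -notin 0, 3010) { $exit = $proc.ExitCode }
    }
    return $exit
}

# Report first (this is the per-machine view the GPO method does not give you),
# then remove everything that is not the version being kept.
Get-InstalledJava | Format-Table -AutoSize
$code = Remove-InstalledJava -KeepVersionLike '8.0.650*'
exit $code
```

For a pure report, run only Get-InstalledJava from your deployment tool and collect the output; for the Part 4 script's behaviour of clearing everything before installing, call Remove-InstalledJava with no -KeepVersionLike and run the msiexec installs afterwards.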

Lastly, I can’t stress enough how important testing is before large scale deployments. Testing will help prevent end user complaints as well as extra time for IT staff.

Thanks for viewing, and stay tuned for a scripted version that can remove ALL previous versions before installing the new version. Please comment if you have questions, comments or requests!

Tips are appreciated – BTC 1NTuVYMcGUMSYZ6tkhg7qMEr7XP2fcQJjL
