Monthly Archives: April 2012

2008 R2 SP1 kills Remote Desktop Services

Ran into this problem this morning when installing 2008 R2 SP1. Service Pack installs successfully, but cannot login via remote desktop services. Checked the eventlog remotely. found the following in the application log. Event ID 7034 reports which doesn’t help a lot.  Also Event ID: 1000 reports an application error.

Faulting application name: svchost.exe_TermService, version: 6.1.7600.16385, time stamp: 0x4a5bc3c1
Faulting module name: rdpcorekmts.dll, version: 6.1.7600.16952, time stamp: 0x4f1f9e66
Exception code: 0xc0000005
Fault offset: 0x000000000000a793
Faulting process id: 0xf80
Faulting application start time: 0x01cd1e4172e7da89
Faulting application path: C:WindowsSystem32svchost.exe
Faulting module path: C:Windowssystem32rdpcorekmts.dll
Report Id: eec16b12-8a34-11e1-8e8c-0050568ac72d

after a quick google I found the following thread

And the following fix.

You need to run this with a user that is an admin on the target system.
Copy psexec and rdpcorekmts.dll (the new version) to a folder.
Create a file named servernames.txt and add the name of the server(s) you want to fi
Create a start.cmd file edit it and add the following:

@echo off
Echo ****************************************************
echo * This process will update and change the file rdpcorekmts. *
echo * If you don’t want to do that, ‘X’ out now                 *
echo ***************************************************

:stop remote desktop services for /f %%i in (servernames.txt) do psexec \%%i net stop “Remote Desktop Services” /y

:Take Ownership for /f %%i in (servernames.txt) do psexec \%%i takeown /F c:windowssystem32rdpcorekmts.dll

:Change permissions to full for /f %%i in (servernames.txt) do psexec \%%i icacls c:windowssystem32rdpcorekmts.dll /grant administrators:F

:Copy in newer version for /f %%i in (servernames.txt) do copy rdpcorekmts.dll \%%ic$windowssystem32

:Change permissions back to read-only for /f %%i in (servernames.txt) do psexec \%%i icacls c:windowssystem32rdpcorekmts.dll /grant administrators:R

:start the service back up for /f %%i in (servernames.txt) do psexec \%%i net start “Remote Desktop Services” /y

echo * Remove the names of the affected servers in the file Servernames *

Echo *Should be all done now. *
echo **************************

pause exit

Doubleclick start.cmd

You should now be able to login to your server.


Sysprep 2008 / 2008 R2

I was looking to sysprep a 2008 server today and I went to the installation DVD and couldn’t find sysprep. A quick google later and a bit of poking around revealed that sysprep is now installed by default on Windwos Server 2008. You can find it at:


The experience is also streamlined considerably. Simply run sysprep.exe above and you are presented with:

Check the “Generalize” checkbox (regenerates system SID), change the Shutdown Options to “Shutdown”, and click OK. The system will go through the sysprep process and shut itself down.

Moving MYOB EXO to a new Server

Make a copy of the existing payroll directory and past it onto the new server and required install location.

Please download the application for the following location – only install payroll from the selection menu. Install it over the top of the folder copied from the old server.

Ensure a share with full read, write privileges is placed over the payroll folder

  1. From the existing workstations re-map the existing setup to the new server payroll directory
  2. From within the mapped drive run the network.exe – this will ensure the linkage and all components are correct
  3. Test the application by launching from the desktop icon created.

Confirm all workstations point to the correct share. You shouldn’t need to reinstall the workstation clients.


Moving or Reinstalling National Online (NAB Online)

To move the National Online software, you will require the following:

  1. National Online installation CD.  If installing to Windows 2003 Server ensure you have Version 8.11+. for 2008 you will need Version 9.2+
  2. Some form of backup medium such as USB Memory Stick, zip disk, blank or network access.

Files to save:

  • C:Program FilesNational Online BankingNATIONAL-ONLINE.GDB – This is the most IMPORTANT file (as it contains your data).
  • C:Program FilesNational Online BankingUPGRADE – back up this folder and all of its contents.
  • C:Program FilesNational Online BankingARCHIVE – back up this folder and all of its contents.
  • C:Program FilesNational Online BankingBackup – back up this folder and all of its contents.

Summary of Steps required to move National Online Software

  1. Save the above files from the existing directory on your computer.
  2. Install National Online on your new computer, using your installation CD.
  3. Once setup is complete click Finish to launch National Online you will then be prompted for your registration ID and password. DO NOTenter reg ID or password.  Press Cancel
  4. Copy all the saved files and folders from earlier to the following location:
    C:Program FilesNational Online Banking (When prompted that the files already exist, select ‘Yes to all’ to replace existing files.).
  5. Launch National Online from the shortcut now on your desktop.
    On launching National Online NAB online should upgrade to the latest version that was installed.

Should you have any problems during the installation, or on completion you do not get to your ‘Login and Password’, call theNational Online Helpdesk on 1300 652 565. they are very helpful.

Installing HP Universal Driver on Terminal Services and Citrix.

The HP Universal driver when installed using the GUI can be very clunky, the notifications are a pain, and you probably just want to install the driver and not a printer.

Install the driver from the command line to avoid the notifications

start /wait install.exe /q /h /dm /npf

and to delete the printer with powershell use:

gwmi win32_printer | where {$ -like “HP Universal*”} | % {$_.delete()}


determining what is chewing your bandwidth

ip cef
interface dialer1
ip route-cache flow

show ip cache flow

ip flow-top-talkers
top 10
sort by bytes
cache-timeout 10000

show ip flow top-talkers

slappa#show ip flow top-talkers

SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Vi2 BV1 06 01BB CBBF 6362
BV1 Di0* 11 E644 FF29 703
Vi2 BV1 06 01BB CB37 310
Vi2 BV1 11 FF29 E644 302
BV1 Di0* 06 CBC7 60F9 280
BV1 Di0* 11 E644 C8D5 270
BV1 Di0* 11 E644 60F9 222
BV1 Di0* 11 E644 B70D 222
BV1 Di0* 11 E644 DCE1 222
BV1 Di0* 11 E644 A1BD 222
10 of 10 top talkers shown. 40 flows processed.


How IPSEC Works

How IPSec Works


IPSec involves many component technologies and encryption methods. Yet IPSec’s operation can be broken down into five main steps. The five steps are summarized as follows:

Step 1 Interesting traffic initiates the IPSec process—Traffic is deemed interesting when the IPSec security policy configured in the IPSec peers starts the IKE process.
Step 2 IKE phase one—IKE authenticates IPSec peers and negotiates IKE SAs during this phase, setting up a secure channel for negotiating IPSec SAs in phase two.
Step 3 IKE phase two—IKE negotiates IPSec SA parameters and sets up matching IPSec SAs in the peers.
Step 4 Data transfer—Data is transferred between IPSec peers based on the IPSec parameters and keys stored in the SA database.
Step 5 IPSec tunnel termination—IPSec SAs terminate through deletion or by timing out.

This five-step process is shown in Figure 1-15.

Figure 1-15 The Five Steps of IPSec

Step 1: Defining Interesting Traffic

Determining what type of traffic is deemed interesting is part of formulating a security policy for use of a VPN. The policy is then implemented in the configuration interface for each particular IPSec peer. For example, in Cisco routers and PIX Firewalls, access lists are used to determine the traffic to encrypt. The access lists are assigned to a crypto policy such that permit statements indicate that the selected traffic must be encrypted, and deny statements can be used to indicate that the selected traffic must be sent unencrypted. With the Cisco Secure VPN Client, you use menu windows to select connections to be secured by IPSec. When interesting traffic is generated or transits the IPSec client, the client initiates the next step in the process, negotiating an IKE phase one exchange.

Step 1 is shown in Figure 1-16.

Figure 1-16 Defining Interesting Traffic

Step 2: IKE Phase One

The basic purpose of IKE phase one is to authenticate the IPSec peers and to set up a secure channel between the peers to enable IKE exchanges. IKE phase one performs the following functions:

  • Authenticates and protects the identities of the IPSec peers
  • Negotiates a matching IKE SA policy between peers to protect the IKE exchange
  • Performs an authenticated Diffie-Hellman exchange with the end result of having matching shared secret keys
  • Sets up a secure tunnel to negotiate IKE phase two parameters

IKE phase one occurs in two modes:

  • Main mode
  • Aggressive mode

Main Mode

Main mode has three two-way exchanges between the initiator and receiver.

  • First exchange—The algorithms and hashes used to secure the IKE communications are agreed upon in matching IKE SAs in each peer.
  • Second exchange—This exchange uses a Diffie-Hellman exchange to generate shared secret keying material used to generate shared secret keys and to pass nonces, which are random numbers sent to the other party, signed, and returned to prove their identity.
  • Third exchange—This exchange verifies the other side’s identity. The identity value is the IPSec peer’s IP address in encrypted form. The main outcome of main mode is matching IKE SAs between peers to provide a protected pipe for subsequent protected ISAKMP exchanges between the IKE peers. The IKE SA specifies values for the IKE exchange: the authentication method used, the encryption and hash algorithms, the Diffie-Hellman group used, the lifetime of the IKE SA in seconds or kilobytes, and the shared secret key values for the encryption algorithms. The IKE SA in each peer is bidirectional.

Aggressive Mode

In the aggressive mode, fewer exchanges are done and with fewer packets. In the first exchange, almost everything is squeezed into the proposed IKE SA values, the Diffie-Hellman public key, a nonce that the other party signs, and an identity packet, which can be used to verify the initiator’s identity through a third party. The receiver sends everything back that is needed to complete the exchange. The only thing left is for the initiator to confirm the exchange. The weakness of using the aggressive mode is that both sides have exchanged information before there is a secure channel. Therefore, it is possible to sniff the wire and discover who formed the new SA. However, aggressive mode is faster than main mode.

Step 2 is shown in Figure 1-17.

Figure 1-17 IKE Phase One

Step 3: IKE Phase Two

The purpose of IKE phase two is to negotiate IPSec SAs to set up the IPSec tunnel. IKE phase two performs the following functions:

  • Negotiates IPSec SA parameters protected by an existing IKE SA
  • Establishes IPSec security associations
  • Periodically renegotiates IPSec SAs to ensure security
  • Optionally performs an additional Diffie-Hellman exchange

IKE phase 2 has one mode, called quick mode. Quick mode occurs after IKE has established the secure tunnel in phase one. It negotiates a shared IPSec policy, derives shared secret keying material used for the IPSec security algorithms, and establishes IPSec SAs. Quick mode exchanges nonces that provide replay protection. The nonces are used to generate new shared secret key material and prevent replay attacks from generating bogus SAs.

Quick mode is also used to renegotiate a new IPSec SA when the IPSec SA lifetime expires. Base quick mode is used to refresh the keying material used to create the shared secret key based on the keying material derived from the Diffie-Hellman exchange in phase one.

Perfect Forward Secrecy

If perfect forward secrecy (PFS) is specified in the IPSec policy, a new Diffie-Hellman exchange is performed with each quick mode, providing keying material that has greater entropy (key material life) and thereby greater resistance to cryptographic attacks. Each Diffie-Hellman exchange requires large exponentiations, thereby increasing CPU use and exacting a performance cost.

Step 4: IPSec Encrypted Tunnel

After IKE phase two is complete and quick mode has established IPSec SAs, information is exchanged by an IPSec tunnel. Packets are encrypted and decrypted using the encryption specified in the IPSec SA. This IPSec encrypted tunnel can be seen in Figure 1-18.

Figure 1-18 IPSec Encrypted Tunnel

Step 5: Tunnel Termination

IPSec SAs terminate through deletion or by timing out. An SA can time out when a specified number of seconds have elapsed or when a specified number of bytes have passed through the tunnel. When the SAs terminate, the keys are also discarded. When subsequent IPSec SAs are needed for a flow, IKE performs a new phase two and, if necessary, a new phase one negotiation. A successful negotiation results in new SAs and new keys. New SAs can be established before the existing SAs expire so that a given flow can continue uninterrupted. This can be seen in Figure 1-19.

Figure 1-19 Tunnel Termination

Cisco License Activation

This new system will start becoming a bother when upgrading from IP Base to another feature license. This will require the following steps:

  1. The order of a Product Authorization Key (PAK) from Cisco
  2. The Unique Device Identifier (UDI) from the Router/Switch
  3. Entered this information into the Cisco Licensing Portal
  4. Taking the information from the Portal and installing the license onto the Switch/Router

The installation of the license file can be done using the *.lic file that you receive from the Portal using the Command line interface or the Cisco License Manager software. Using the command line:

Switch#license install tftp://x.x.x.x/license.lic

Alternatively one can use the call-home feature and the PAK Number, this however would mean that you have an internet connection to the Router/Switch and you feel comfortable that you won’t have the *.lic file when things go wrong as the Switch/Router installs this directly from the License Portal:

Switch#license call-home install PAK PAK-NUMBER
CCO Username: abcdef
CCO Password:
Follow the prompts to install the license

Configure Netflow's on Cisco Routers

To configure a Cisco Router to send netflows enter the following commands

ip flow-export source vlan1

ip flow-export version 5

ip flow-export destination 2055

Now Set the interface you want to receive net-flows for

interface dialer1

ip flow egress

ip flow ingress

ip route-cache flow

You can use solarwinds netflow analyser to collect the netflow data.