Windows Server eventlog ID 5152 Filtering Platform Packet Drop

After some online searching around Event ID 5152, which had started littering my DC’s event logs after I enabled some additional auditing, I discovered how to silence these events in the Security event log while leaving them in place in the firewall log:


auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable

The 5152 event:

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: XXXX
Event ID: 5152
Task Category: Filtering Platform Packet Drop
Level: Information
Keywords: Audit Failure
User: N/A
Computer: XXXX
Description:
The Windows Filtering Platform has blocked a packet.

Application Information:
Process ID: 0
Application Name: –

Network Information:
Direction: Inbound
Source Address: XXXX
Source Port: 54915
Destination Address: XXXX
Destination Port: 54915
Protocol: 17

Filter Information:
Filter Run-Time ID: 85817
Layer Name: Transport
Layer Run-Time ID: 13
Event Xml (the tags were lost in the copy; the values are listed here in the order they appear in the XML):

System: EventID 5152, Version 0, Level 0, Task 12809, Opcode 0, Keywords 0x8010000000000000, EventRecordID 437620320, Channel Security, Computer XXXX
EventData: ProcessId 0, Application –, Direction %%14592 (Inbound), SourceAddress XXX, SourcePort 54915, DestAddress XXXX, DestPort 54915, Protocol 17, FilterRTID 85817, LayerName %%14597 (Transport), LayerRTID 13
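Before switching the subcategory off entirely it is worth knowing whether the noise is one flow or many. The script below is an added example written for this page (not something from the original post): it parses the "Key: Value" text of 5152 event descriptions and tallies them by direction, protocol, destination port and filter run-time ID, so a single dominating key points at one talker rather than a general audit problem. The sample events are constructed from the one shown above with documentation-range placeholder addresses; the function names are my own.

```python
import re
from collections import Counter

# Constructed sample data: the event shown on the page with placeholder addresses,
# a second drop of the same flow from another source, and one unrelated TCP drop.
_EVENT_TEMPLATE = """The Windows Filtering Platform has blocked a packet.

Application Information:
Process ID: 0
Application Name: -

Network Information:
Direction: Inbound
Source Address: {src}
Source Port: {sport}
Destination Address: 192.0.2.10
Destination Port: {dport}
Protocol: {proto}

Filter Information:
Filter Run-Time ID: {filter_id}
Layer Name: Transport
Layer Run-Time ID: 13
"""

SAMPLE_EVENTS = [
    _EVENT_TEMPLATE.format(src="192.0.2.55", sport=54915, dport=54915, proto=17, filter_id=85817),
    _EVENT_TEMPLATE.format(src="192.0.2.56", sport=54915, dport=54915, proto=17, filter_id=85817),
    _EVENT_TEMPLATE.format(src="198.51.100.7", sport=40001, dport=8080, proto=6, filter_id=90210),
]

# IANA protocol numbers for the values 5152 reports in its Protocol field.
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_5152(description):
    """Turn the 'Key: Value' lines of a 5152 description into a dict.

    Section headers such as 'Network Information:' carry no value and are skipped,
    so the result is a flat mapping of field name to string value."""
    fields = {}
    for line in description.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z /-]*?):\s*(.*)$", line)
        if m and m.group(2).strip():
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def summarize_drops(events):
    """Tally drops by (direction, protocol name, destination port, filter run-time ID).

    One key accounting for most of the count means a single flow is producing the
    noise; that is the case where fixing the source or the filter beats disabling
    the audit subcategory for everything."""
    tally = Counter()
    for event in events:
        fields = parse_5152(event)
        proto = int(fields.get("Protocol", -1))
        key = (
            fields.get("Direction"),
            PROTOCOL_NAMES.get(proto, str(proto)),
            fields.get("Destination Port"),
            fields.get("Filter Run-Time ID"),
        )
        tally[key] += 1
    return tally


def top_drop(events):
    """Return the most frequent (key, count) pair, or None when there are no events."""
    tally = summarize_drops(events)
    return tally.most_common(1)[0] if tally else None


if __name__ == "__main__":
    for (direction, proto, dport, filter_id), count in summarize_drops(SAMPLE_EVENTS).most_common():
        print(f"{count:4d}  {direction:8s} {proto:5s} dport={dport:6s} filter={filter_id}")
```

Feed it the Description text of exported events (for example from `Get-WinEvent` output) and the top line of the tally is the flow to look at first.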

Plex Media Server Ubuntu Sources

Thanks to https://www.itzgeek.com/how-tos/linux/ubuntu-how-tos/how-to-install-plex-media-server-on-ubuntu-18-04-ubuntu-16-04-linux-mint-19.html

Using Plex Repository

Import the Plex repository’s GPG key using the curl command.

curl https://downloads.plex.tv/plex-keys/PlexSign.key | sudo apt-key add -

Add the Plex repository to your system using the command below:

echo "deb https://downloads.plex.tv/repo/deb public main" | sudo tee /etc/apt/sources.list.d/plexmediaserver.list

Now, update the apt index and install the latest version of the Plex Media Server.

sudo apt update
sudo apt install -y plexmediaserver

The Plex Media Server package places its own repository configuration in the /etc/apt/sources.list.d directory. Since we already created plexmediaserver.list there, the installer may ask the question below. Type Y and press Enter.

Configuration file '/etc/apt/sources.list.d/plexmediaserver.list'
 ==> File on system created by you or by a script.
 ==> File also in package provided by package maintainer.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** plexmediaserver.list (Y/I/N/O/D/Z) [default=N] ? Y
Installing new version of config file /etc/apt/sources.list.d/plexmediaserver.list ...

IPv4 Subnet Calculating

Calculating the Netmask Length (also called a prefix):

https://networkengineering.stackexchange.com/questions/7106/how-do-you-calculate-the-prefix-network-subnet-and-host-numbers

Convert the dotted-decimal representation of the netmask to binary. Then, count the number of contiguous 1 bits, starting at the most significant bit in the first octet (i.e. the left-hand-side of the binary number).

255.255.248.0   in binary: 11111111 11111111 11111000 00000000
                           -----------------------------------
                           I counted twenty-one 1s             -------> /21

The prefix of 128.42.5.4 with a 255.255.248.0 netmask is /21.

Calculating the Network Address:

The network address is the logical AND of the respective bits in the binary representation of the IP address and network mask. Align the bits in both addresses, and perform a logical AND on each pair of the respective bits. Then convert the individual octets of the result back to decimal.

Logical AND truth table:

A  B  A AND B
0  0     0
0  1     0
1  0     0
1  1     1

128.42.5.4      in binary: 10000000 00101010 00000101 00000100
255.255.248.0   in binary: 11111111 11111111 11111000 00000000
                           ----------------------------------- [Logical AND]
                           10000000 00101010 00000000 00000000 ------> 128.42.0.0

As you can see, the network address of 128.42.5.4/21 is 128.42.0.0

Calculating the Broadcast Address:

The broadcast address converts all host bits to 1s…

Remember that our IP address in decimal is:

128.42.5.4      in binary: 10000000 00101010 00000101 00000100

The network mask is:

255.255.248.0   in binary: 11111111 11111111 11111000 00000000

This means our host bits are the last 11 bits of the IP address, because we find the host mask by inverting the network mask:

Host bit mask            : 00000000 00000000 00000hhh hhhhhhhh

To calculate the broadcast address, we force all host bits to be 1s:

128.42.5.4      in binary: 10000000 00101010 00000101 00000100
Host bit mask            : 00000000 00000000 00000hhh hhhhhhhh
                           ----------------------------------- [Force host bits]
                           10000000 00101010 00000111 11111111 ----> 128.42.7.255

Calculating subnets:

You haven’t given enough information to calculate subnets for this network; as a general rule you build subnets by reallocating some of the host bits as network bits for each subnet. Many times there isn’t one right way to subnet a block… depending on your constraints, there could be several valid ways to subnet a block of addresses.

Let’s assume we will break 128.42.0.0/21 into 4 subnets that must hold at least 100 hosts each…

(Image: subnetting, the four /24 subnets carved from 128.42.0.0/21)

In this example, we know that you need at least a /25 prefix to contain 100 hosts; I chose a /24 because it falls on an octet boundary. Notice that the network address for each subnet borrows host bits from the parent network block.

Finding the required subnet masklength or netmask:

How did I know that I need at least a /25 masklength for 100 hosts? Calculate the prefix by backing into the number of host bits required to contain 100 hosts. One needs 7 host bits to contain 100 hosts. Officially this is calculated with:

Host bits = Log2(Number-of-hosts) = Log2(100) = 6.643

Since IPv4 addresses are 32 bits wide, and we are using the host bits (i.e. least significant bits), simply subtract 7 from 32 to calculate the minimum subnet prefix for each subnet… 32 – 7 = 25.

The lazy way to break 128.42.0.0/21 into four equal subnets:

Since we only want four subnets from the whole 128.42.0.0/21 block, we could use /23 subnets. I chose /23 because we need 4 subnets… i.e. an extra two bits added to the netmask.

This is an equally-valid answer to the constraint, using /23 subnets of 128.42.0.0/21…

(Image: subnetting, 2nd option, the four /23 subnets carved from 128.42.0.0/21)

Calculating the host number:

This is what we’ve already done above… just reuse the host mask from the work we did when we calculated the broadcast address of 128.42.5.4/21… This time I’ll use 1s instead of h, because we need to perform a logical AND on the network address again.

128.42.5.4      in binary: 10000000 00101010 00000101 00000100
Host bit mask            : 00000000 00000000 00000111 11111111
                           ----------------------------------- [Logical AND]
                           00000000 00000000 00000101 00000100 -----> 0.0.5.4

Calculating the maximum possible number of hosts in a subnet:

To find the maximum number of hosts, look at the number of binary bits in the host number above. The easiest way to do this is to subtract the netmask length from 32 (number of bits in an IPv4 address). This gives you the number of host bits in the address. At that point…

Maximum Number of hosts = 2**(32 – netmask_length) – 2

The reason we subtract 2 above is because the all-ones and all-zeros host numbers are reserved. The all-zeros host number is the network number; the all-ones host number is the broadcast address.

Using the example subnet of 128.42.0.0/21 above, the number of hosts is…

Maximum Number of hosts = 2**(32 – 21) – 2 = 2048 – 2 = 2046

Finding the maximum netmask (minimum hostmask) which contains two IP addresses:

Suppose someone gives us two IP addresses and expects us to find the longest netmask which contains both of them; for example, what if we had:

  • 128.42.5.17
  • 128.42.5.67

The easiest thing to do is to convert both to binary and look for the longest string of network-bits from the left-hand side of the address.

128.42.5.17     in binary: 10000000 00101010 00000101 00010001
128.42.5.67     in binary: 10000000 00101010 00000101 01000011
                           ^                           ^     ^
                           |                           |     |
                           +--------- Network ---------+Host-+
                             (All bits are the same)    Bits

In this case the maximum netmask (minimum hostmask) would be /25

NOTE: If you try starting from the right-hand side, don’t get tricked just because you find one matching column of bits; there could be unmatched bits beyond those matching bits. Honestly, the safest thing to do is to start from the left-hand side.
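The steps above as one runnable piece. This is an added example written for this page, not part of the quoted StackExchange answer: plain-integer subnet arithmetic covering the prefix length of a netmask, network and broadcast address, host number, maximum hosts, the minimum prefix for a host count, splitting a block into equal subnets, and the longest netmask containing two addresses. It goes slightly beyond the text by rejecting non-contiguous masks and non-power-of-two subnet counts, and its host-count function allows for the two reserved addresses. The function names are my own.

```python
# Added example: the walkthrough's subnet arithmetic done bit by bit on integers,
# so each step (count the mask's 1s, AND for the network, OR for the broadcast)
# is visible in code rather than only in the hand-drawn binary rows.

def ip_to_int(dotted):
    """'128.42.5.4' -> 0x802A0504; anything but four octets in 0..255 is rejected."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-decimal IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_bin(n):
    """32-bit value as four space-separated octets, the layout used in the walkthrough."""
    return " ".join(f"{(n >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def mask_from_prefix(length):
    if not 0 <= length <= 32:
        raise ValueError(f"prefix length out of range: {length}")
    return (0xFFFFFFFF << (32 - length)) & 0xFFFFFFFF


def prefix_length(netmask):
    """Count contiguous 1 bits from the most significant end.

    A mask such as 255.0.255.0, where a 0 is followed by a 1, is not a valid netmask
    and is rejected instead of being silently truncated."""
    m = ip_to_int(netmask)
    length = 0
    while length < 32 and m & (1 << (31 - length)):
        length += 1
    if m != mask_from_prefix(length):
        raise ValueError(f"non-contiguous netmask: {netmask}")
    return length


def host_mask(length):
    """Invert the network mask: the 'hhh hhhhhhhh' bits from the walkthrough."""
    return ~mask_from_prefix(length) & 0xFFFFFFFF


def network_address(ip, length):
    return int_to_ip(ip_to_int(ip) & mask_from_prefix(length))


def broadcast_address(ip, length):
    return int_to_ip(ip_to_int(ip) | host_mask(length))


def host_number(ip, length):
    return int_to_ip(ip_to_int(ip) & host_mask(length))


def max_hosts(length):
    """2**(32 - length) - 2 as in the text; /31 and /32 fall outside that formula."""
    if not 0 <= length <= 30:
        raise ValueError("formula assumes a network and a broadcast address")
    return 2 ** (32 - length) - 2


def min_prefix_for_hosts(hosts):
    """Smallest prefix whose subnet has at least `hosts` usable addresses."""
    if not 1 <= hosts <= max_hosts(0):
        raise ValueError(f"host count out of range: {hosts}")
    host_bits = 2
    while max_hosts(32 - host_bits) < hosts:
        host_bits += 1
    return 32 - host_bits


def split_subnets(network, length, count):
    """Borrow host bits to cut a block into `count` equal subnets (count a power of two)."""
    extra_bits = (count - 1).bit_length()
    if count < 1 or 2 ** extra_bits != count:
        raise ValueError(f"count must be a power of two, got {count}")
    new_length = length + extra_bits
    if new_length > 32:
        raise ValueError("not enough host bits to borrow")
    base = ip_to_int(network) & mask_from_prefix(length)
    size = 2 ** (32 - new_length)
    return [f"{int_to_ip(base + i * size)}/{new_length}" for i in range(count)]


def longest_common_prefix(ip_a, ip_b):
    """Longest netmask containing both: every bit left of the first differing bit is shared."""
    differing = ip_to_int(ip_a) ^ ip_to_int(ip_b)
    return 32 - differing.bit_length()


if __name__ == "__main__":
    ip, mask = "128.42.5.4", "255.255.248.0"
    length = prefix_length(mask)
    print(f"{ip:15s} in binary: {to_bin(ip_to_int(ip))}")
    print(f"{mask:15s} in binary: {to_bin(ip_to_int(mask))}  -> /{length}")
    print("network  :", network_address(ip, length))
    print("broadcast:", broadcast_address(ip, length))
    print("host part:", host_number(ip, length))
    print("max hosts:", max_hosts(length))
    print("4 subnets:", split_subnets(network_address(ip, length), length, 4))
    print("prefix for 100 hosts: /", min_prefix_for_hosts(100))
    print("128.42.5.17 and 128.42.5.67 share a /", longest_common_prefix("128.42.5.17", "128.42.5.67"))
```

Running it reproduces the figures from the text: /21, 128.42.0.0, 128.42.7.255, 0.0.5.4, 2046 hosts, the four /23 subnets, /25 for 100 hosts and /25 as the longest mask covering the two example addresses.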

Powershell : Useful Commands

Get members of a group:

get-adgroupmember -identity <GROUPNAME>

Get a list of users whose PasswordLastSet date is later than 31/01/2000, along with their usernames and email addresses:

get-aduser -filter * -Properties PasswordLastSet | where {$_.passwordLastSet -ge [DateTime] "01/31/2000 00:01 AM"} | Select-Object Name, PasswordLastSet, SamAccountName, EmailAddress

Compare two CSV files for differences:

$refCSV = import-csv .\Source.csv
$compCSV = import-csv .\Reference.csv
compare-object -referenceobject $refCSV -DifferenceObject $compCSV | foreach { $_.InputObject }

Iterate over a text file of usernames (one per line), query AD for some values, print the user account’s containing OU in an easily readable form and write the output to results.csv:

$usersaffected = "c:\tmp\listofusernames.txt"
$output = foreach ($line in get-content $usersaffected) {get-aduser $line -Properties * | Select @{l='OU';e={$_.DistinguishedName.split(',')[1].split('=')[1]}},"whenCreated", "emailaddress", "passwordLastSet", "distinguishedName"}
$output | export-csv -path c:\tmp\results.csv

Remote Desktop CredSSP Failure

Temporary reprieve for affected clients:

REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2

Revert via this command once all remote connections are patched:

REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 1

PowerShell : Editing File Properties

Whilst writing a script which included a recycler section to ensure files older than 14 days were removed from a directory I needed a way to test the code. I then came across the set-itemproperty cmdlet which was just what I needed.

First I explored the cmdlet via:

get-help get-itemproperty

and

get-help get-itemproperty -examples

This then led me to run the commands

$folder = "C:\tmp\test"
get-itemproperty $folder | format-list -property *
PSPath : Microsoft.PowerShell.Core\FileSystem::C:\tmp\test
PSParentPath : Microsoft.PowerShell.Core\FileSystem::C:\tmp
PSChildName : test
PSDrive : C
PSProvider : Microsoft.PowerShell.Core\FileSystem
Mode : d-----
BaseName : test
Target : {}
LinkType :
Name : test
FullName : C:\tmp\test
Parent : tmp
Exists : True
Root : C:\
Extension :
CreationTime : 6/21/2018 11:30:13 AM
CreationTimeUtc : 6/21/2018 10:30:13 AM
LastAccessTime : 6/21/2018 11:30:13 AM
LastAccessTimeUtc : 6/21/2018 10:30:13 AM
LastWriteTime : 6/21/2018 11:30:13 AM
LastWriteTimeUtc : 6/21/2018 10:30:13 AM
Attributes : Directory

I wanted to set the creation and modified dates back in time to test my recycler one-liner. I achieved this by first setting a variable to a datetime object in the past (US date format, so this is the 31st January 2018):

$olddate = [datetime]"1/31/2018"

I then assigned this datetime value to the properties of the folder I wanted via the commands:

Set-ItemProperty $folder -Name CreationTime -Value $olddate
Set-ItemProperty $folder -Name LastWriteTime -Value $olddate

This worked a treat. I could then use this command to delete the folder and its contents if it was older than 14 days (credit to https://www.thomasmaurer.ch/2010/12/powershell-delete-files-older-than/ for this one):

$Daysback = -14
$CurrentDate = Get-Date
$DatetoDelete = $CurrentDate.AddDays($Daysback)
Get-ChildItem C:\tmp | Where-Object { $_.LastWriteTime -lt $DatetoDelete } | Remove-Item -Recurse -Force

SCCM DP Package Transfer Errors

The Problem

After a DNS change on one of our Distribution Points within SCCM 2012 R2 I decided to remove the old DP entry and recreate it. Removing the DP was easy enough: drop the roles, delete the server from Administration > Servers and Site System Roles, then wait 24 hours for synchronisation to remove the content from the DP.

I then created a new DP in SCCM under the new DNS name and monitored the package transfer via Monitoring > Distribution Point Group Status > All Site Distribution Points. The results looked bad, every package was failing to transfer.

The Investigation

I then reviewed the PkgXferMgr.log file at \\<SCCM PRI SITE>\SMS_ES1\Logs\, which contained the errors:

Failed to get object class $$<SMS_PACKAGE_TRANSFER_MANAGER><06-14-2018 06:26:25.828-60><thread=9112 (0x2398)>
~ExecStaticMethod failed (80041002) SMS_DistributionPoint, AddFile $$<SMS_PACKAGE_TRANSFER_MANAGER><06-14-2018 06:26:25.828-60><thread=9112 (0x2398)>
CSendFileAction::AddFile failed; 0x80041002 $$<SMS_PACKAGE_TRANSFER_MANAGER><06-14-2018 06:26:25.828-60><thread=9112 (0x2398)>
Failed to add the file bcmnfcscr7-x64.cat in content 01C39B5C-4DA1-4A0E-A328-3FD2AC9F500F. Error 0x80041002 $$<SMS_PACKAGE_TRANSFER_MANAGER><06-14-2018 06:26:25.828-60><thread=9112 (0x2398)>
CSendFileAction::AddFileMetaData failed; 0x80041002 $$<SMS_PACKAGE_TRANSFER_MANAGER><06-14-2018 06:26:25.828-60><thread=9112 (0x2398)>
CSendFileAction::SendFiles failed; 0x80041002 $$<SMS_PACKAGE_TRANSFER_MANAGER><06-14-2018 06:26:25.828-60><thread=9112 (0x2398)>
CSendFileAction::SendContent failed; 0x80041002 $$<SMS_PACKAGE_TRANSFER_MANAGER><06-14-2018 06:26:25.828-60><thread=9112 (0x2398)>
~ Sending failed. Failure count = 24, Restart time = 14/06/2018 06:56:25 GMT Daylight Time $$<SMS_PACKAGE_TRANSFER_MANAGER><06-14-2018 06:26:25.828-60><thread=9112 (0x2398)>
Failed to get object class $$<SMS_PACKAGE_TRANSFER_MANAGER><06-14-2018 06:26:25.812-60><thread=5008 (0x1390)>
~ExecStaticMethod failed (80041002) SMS_DistributionPoint, AddFile $$<SMS_PACKAGE_TRANSFER_MANAGER><06-14-2018 06:26:25.859-60><thread=5008 (0x1390)>
CSendFileAction::AddFile failed; 0x80041002 $$<SMS_PACKAGE_TRANSFER_MANAGER><06-14-2018 06:26:25.859-60><thread=5008 (0x1390)>
Failed to add the file dptf_cpu.cat in content 08D125AE-8841-4C08-90AA-0D6B091B5C39. Error 0x80041002 $$<SMS_PACKAGE_TRANSFER_MANAGER><06-14-2018 06:26:25.859-60><thread=5008 (0x1390)>
CSendFileAction::AddFileMetaData failed; 0x80041002 $$<SMS_PACKAGE_TRANSFER_MANAGER><06-14-2018 06:26:25.859-60><thread=5008 (0x1390)>
CSendFileAction::SendFiles failed; 0x80041002 $$<SMS_PACKAGE_TRANSFER_MANAGER><06-14-2018 06:26:25.859-60><thread=5008 (0x1390)>
CSendFileAction::SendContent failed; 0x80041002 $$<SMS_PACKAGE_TRANSFER_MANAGER><06-14-2018 06:26:25.859-60><thread=5008 (0x1390)>
~ Sending failed. Failure count = 24, Restart time = 14/06/2018 06:56:25 GMT Daylight Time $$<SMS_PACKAGE_TRANSFER_MANAGER><06-14-2018 06:26:25.859-60><thread=5008 (0x1390)>

Inspecting the D:\ drive on the DP suggested the packages were actually being copied: there was plenty of free capacity on the target disk D:\ and its used storage was increasing as the sync progressed.

I did some searching online and came across a blog which described the error I received exactly:

http://www.christopherkibble.com/sccm-2012-dp-errors-sendfiles-failed

Following this blog restored my DP’s synchronisation functionality! What follows is a copy and paste job for reference.

The Solution

On the affected distribution point:

  1. Back up the registry
  2. From an elevated command prompt:
    cd c:\windows\system32\wbem
    for %F in (*.dll) do regsvr32 /s %F
    mofcomp -check AuditRsop.mof
  3. Review the output of the mofcomp command; if it looks like it’ll compile, continue, else address any issues:
    mofcomp AuditRsop.mof
  4. Locate the SMS_DP$ share directory:
    cd SMS_DP$\sms\bin
    for %F in (*.dll) do regsvr32 /s %F
    mofcomp -check smsdpprov.mof
  5. Review the output of the mofcomp command; if it looks like it’ll compile, continue, else address any issues:
    mofcomp smsdpprov.mof
  6. Reboot the DP
  7. Monitor the distribution status from the SCCM console (Monitoring > Distribution Point Group Status > All Site Distribution Points)

Windows Commands : Safeboot

Safe Mode:

bcdedit /set {default} safeboot minimal

Safe Mode with Networking:

bcdedit /set {default} safeboot network

Safe Mode with Command Prompt:

bcdedit /set {default} safeboot minimal
bcdedit /set {default} safebootalternateshell yes

To remove, either use msconfig to return to a normal boot or:

bcdedit /deletevalue {default} safeboot

Powershell Get-ADComputer

The following PowerShell command uses the Get-ADComputer cmdlet to query AD and return a CSV with the headers “OU”, “Name” and “OperatingSystem”.
It was designed to return this information to marry up with GPO controlled policies against the OUs so I could plan servicing schedules.

Note the “-Properties *” to ensure the OperatingSystem value is available, and the “-NoTypeInformation” to drop the #TYPE line that Export-Csv otherwise writes first, so that the column headers become the first row of the CSV file.

Get-ADComputer -Filter * -property * -SearchBase "OU=XXX, DC=XXX, DC=XXX, DC=XXX, DC=XXX" | Select @{l='OU';e={$_.DistinguishedName.split(',')[1].split('=')[1]}},"Name", "OperatingSystem" | export-csv -Path C:\SomeDir\SomeFile.csv -NoTypeInformation