Wednesday, January 29, 2014

Books I read: (A lot)

It's been a good month for books.  We went to McKays and I cleaned out a shelf of the discount fiction.  :D

I read: State of Fear (Michael Crichton)
I enjoyed the storyline to this book.  It's a unique idea, and I love fiction books that teach.  A lot of this book is dedicated to Ayn Rand style monologues (ok, Rand-ian is an unfair comparison.. they aren’t 50 pages long. That book was --slow-- omg.) ..ahem, monologues about the science behind Global Warming. In terms of an approachable way to present an opinion about Global Warming, it's fantastic. I'm not qualified to judge the science, so I won't take a position on it either way.

More importantly, a Bing search for "DIY Hypersonic Cavitator" came up empty. That's too bad; those sound like fun pieces of kit.

So then I read: Empire and Honor (W.E.B. Griffin)
I found the preponderance of characters in this book confusing. The action parts of the book were okay, but I just got lost about who was who. This is quite likely a function of my face/people blindness, not any failure on the part of the author.

The good things are it got me to pull out a map and take a look at Argentina, and I wiki'd the Storch. That's a cool little plane.

So then I read: Shadows of Steel (Dale Brown)

I think this is my first Dale Brown novel.  I was sequestered in an airport and it moved along well enough to keep me distracted.  It's funny how inconceivably future fiction from 1996 is practically fact today.

So then I read: Rogue Warrior Blood Lies (Richard Marcinko et al.)
This was a fun quick read.  He wasn't as vulgar or as anti-authoritarian as his previous novels.  Unfortunately he wasn't as funny either.  That's too bad.  I'll still keep reading him, maybe this was an off year?

So then I read: Deep Fire Rising (Du Brul, Jack)
Of all these books, this is the author I'm excited about.  Quasi-educational geology action fiction seems to be a niche that works for me. :D


I wrote a .net App!

I wrote my first .Net application today, and I'm silly proud of myself.

It's a screensaver for shared PCs that automatically logs the user out after a configurable period of inactivity.  Yeah!

I'm not publishing the app publicly yet, as I don't know what I don't know about this sort of thing.  Let me play around with it some more and I'll hang the source up on GitHub.  If you need this sort of thing, leave a comment with your email address or some way to get in touch.

I hope everyone is having a nice winter.

Thursday, January 23, 2014

Fixed: "Could not replicate the directory partition" when promoting the first RODC in an Active Directory Forest.

I was working with a customer today to install their first RODC.  Fun.

Then the DcPromo bombed out with a  Replication Failed error.  That's no fun.

I did some digging and found the cause.  On occasion, the AdPrep /RodcPrep does not set the proper permissions for all of the Directory Service Contexts (partitions). 

To find the actual error, I looked in C:\Windows\System32\Debug\DcPromo.log.  Here is the relevant bit.

01/24/2014 00:06:40 [INFO] Error - Active Directory Domain Services could not replicate the directory partition DC=contoso,DC=com from the remote Active Directory Domain Controller (8453)
01/24/2014 00:06:40 [INFO] EVENTLOG (Error): NTDS General / Internal Processing : 1168
Internal error: An Active Directory Domain Services error has occurred.

Additional Data

Error value (decimal):

Error value (hex):

Internal ID:

The log indicates that my error is for the DC=Contoso,DC=Com Naming context.  I also read one report of this affecting the Schema Partition, so check the log!

To Fix it, fire up ADSIEdit.msc.  I used an Enterprise Admin account, but you might get by with a Domain Admin account if you only need to change a specific domain.

Open Action -> Connect To

For me, I'll connect to the "Default naming Context".  That is my domain partition since I'm on the domain.

 ... and click OK to connect. 
Now click on "Default Naming Context" in the left pane.  In the right pane, Right Click DC=Contoso,DC=Com and select Properties

On the Security Tab of the properties window, scroll through the list of permissions and look for "Enterprise Read-Only Domain Controllers".  This group should be granted the "Replicating Directory Changes" permission.  In my domain this permission was missing.

To Add this permission, click the Add Button.  Type Enterprise Read-Only Domain Controllers in the Object names box and click OK.

Now uncheck all of the default permission boxes for this group and check only the Allow box for "Replicating Directory Changes".  Then click Ok.

Note:  Those "Replicating Directory Changes All" and "Replicating Directory Changes in Filtered Set" boxes look really tempting.  Don't do it!  Resist!  I spun up a shiny new Windows 2008 R2 Forest to verify that the OS default setting is only to allow "Replicating Directory Changes" for this group.

Now the RODC DcPromo is successful.  Fantastic!
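
The same check as the ADSIEdit steps above, as an added PowerShell example that is not part of the original post: it reports whether the Enterprise Read-only Domain Controllers group holds "Replicating Directory Changes" on a partition and flags the two rights the note says to leave unchecked. The function name and the sample ACEs are constructed for illustration; the GUIDs and RID 498 are the well-known Active Directory values.

```powershell
# Added example, not from the original post.
# Control access right GUIDs for directory replication (well-known values).
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    # "All" also covers secret attributes such as password hashes, which an
    # RODC is specifically meant not to pull wholesale.
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'Replicating Directory Changes In Filtered Set'
}
$AllObjectTypes = '00000000-0000-0000-0000-000000000000'
$Required       = 'Replicating Directory Changes'

function Test-RodcReplicationAcl {
    # $Rules: access rules read from a partition head, identities as SIDs.
    param([Parameter(Mandatory)] [object[]] $Rules)

    $held = @(foreach ($ace in $Rules) {
        # Only Allow ACEs for Enterprise RODCs (root-domain SID + RID 498).
        if ("$($ace.AccessControlType)" -ne 'Allow') { continue }
        if ("$($ace.IdentityReference)" -notmatch '^S-1-5-21-[\d-]+-498$') { continue }

        $rights = "$($ace.ActiveDirectoryRights)"
        $guid   = "$($ace.ObjectType)".ToLower()
        if ($rights -match 'GenericAll' -or
            ($rights -match 'ExtendedRight' -and $guid -eq $AllObjectTypes)) {
            # Full control, or an extended-right ACE with no object type,
            # implies every replication right.
            $ReplicationRights.Values
        }
        elseif ($rights -match 'ExtendedRight' -and $ReplicationRights.ContainsKey($guid)) {
            $ReplicationRights[$guid]
        }
    })
    $held = @($held | Sort-Object -Unique)

    [pscustomobject]@{
        HasRequiredRight = $held -contains $Required
        ExcessRights     = @($held | Where-Object { $_ -ne $Required })
    }
}

# Constructed sample: the RODC group has the needed right plus the "All"
# right; the third ACE belongs to a different group (RID 516) and is ignored.
$rodc   = 'S-1-5-21-1111111111-2222222222-3333333333-498'
$sample = @(
    [pscustomobject]@{ IdentityReference = $rodc; AccessControlType = 'Allow'
                       ActiveDirectoryRights = 'ExtendedRight'
                       ObjectType = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' }
    [pscustomobject]@{ IdentityReference = $rodc; AccessControlType = 'Allow'
                       ActiveDirectoryRights = 'ExtendedRight'
                       ObjectType = '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' }
    [pscustomobject]@{ IdentityReference = 'S-1-5-21-1111111111-2222222222-3333333333-516'
                       AccessControlType = 'Allow'
                       ActiveDirectoryRights = 'ExtendedRight'
                       ObjectType = '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' }
)
Test-RodcReplicationAcl -Rules $sample

# Live, read-only use on a domain-joined machine. The post notes the Schema
# partition can be affected too, so every naming context is checked:
# foreach ($nc in ([ADSI]'LDAP://RootDSE').namingContexts) {
#     $rules = ([ADSI]"LDAP://$nc").psbase.ObjectSecurity.GetAccessRules(
#         $true, $true, [System.Security.Principal.SecurityIdentifier])
#     Test-RodcReplicationAcl -Rules $rules | Add-Member NamingContext "$nc" -PassThru
# }
```

For the constructed sample, HasRequiredRight is True and ExcessRights lists "Replicating Directory Changes All", the over-grant the note above warns against.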

This is the part where I say "Back to the salt mines", but that's not quite right.  I'd love to visit a salt mine or any kind of mine thus rendering the spirit of the quip null and void.

"Back to the PowerShell"

Sunday, January 19, 2014

Place I Went: American Science and Surplus (Milwaukee, Wisconsin)

American Science & Surplus
This place is AWESOME!  I had to get to the airport and was time compressed, but OH WOW!  I got a Diffraction Grating and a Prism and a Lab Stand and Litmus paper and a dropper bottle and a cork borer.  They had a (not for sale) canon sight I got to look through too.  The selection of Lab supplies was fantastic!  I could have spent hours; there was so much stuff!  I really wanted to get some other things, but there was no way a Sep Funnel or Burette was going to live through the trip back home in my tiny suitcase, even if I checked it.

I'm excited about the diffraction grating.  This was an awesome place and I'd love to go again.  I'm going to do a science demonstration with the kids where we take light apart and see what the sun is made of (spectroscopy).  I hope they like it.

In the "I almost bought it but I didn't" category, they had some big 1" steel balls, 3.5" thrust bearings, Lab Coats, a wooden TREBUCHET, electronics, a bunch of motors and gears, gas masks, parachutes, Insects mounted in resin.  So much cool stuff!  DID I MENTION THE TREBUCHET?

I picked up a business card for the Milwaukee MakerSpace.  If I get a long term gig in Milwaukee I'll have to check them out.  Hanging out in hotels every night gets a little old.

This was a fantastic trip.  Definitely worth weathering the Wisconsin winter.

Wednesday, January 15, 2014

Fixed: ScanState.Exe is not a valid Win32 application on Windows Xp Sp3 x86

I'm working on a project now to forklift upgrade a couple of thousand desktops from Windows XP to Windows 7.  We're using the User State Migration Toolkit (USMT) to grab the user profiles from the old machines and apply them to the new machines.

Problem: When I run the USMT scanstate.exe executable on my shiny new Windows XP SP3 Lab machine, I get the following error

Scanstate.exe is not a valid Win32 application.
That's not good.

The procedure I used to get this copy of the USMT is to download the Windows Assessment and Deployment Kit (Windows ADK) for Windows 8.1, run it, and select only the USMT components.  This creates two folders inside
C:\Program Files (x86)\Windows Kits\8.1\Assessment and Deployment Kit\User State Migration Tool
One is for x86, one is for x64.

My Xp machine is x86 (32-bit), and it doesn't work. 

The solution is to remove the Windows 8.1 ADK and pull down the Windows 8 ADK.  It installs exactly the same way as the 8.0 one, but these binaries work.
You'll find the functioning files in
C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\User State Migration Tool\x86

I asked about this and was told that the Win8.1 ADK does not support XP.  That explains it.

Let's file that under "Information that would have been relevant yesterday."

Tuesday, January 14, 2014

How to lose 176 Pounds (Part 2 of ?):

This week I started a food diary.  It's available here for anyone that is interested.

This meets a few of the heuristics I've defined for this project.

1. Log what you eat. (subtask of eat mindfully)
2. Commit publicly to doing it.
3. Be accountable for your results.

As of Sunday I was at 349 and change.

( I'll spare you the long emo rant on hopelessness I was going to put here. :) )

I'm up in Wisconsin this week.  It's snowing.  It's beautiful. 

I've never seen this much snow.  At home we only ever get an inch or two that melts by noon.


Monday, January 13, 2014

Quickie: Fixed: External Monitor not working with Lenovo W520 on Windows 8

I tried to hook up to a projector on my Lenovo W520 Thinkpad and it didn't work.  That's quite odd, as I've used the external monitor connection in the past.  I asked the Internet and found a solution.

Here's the fix:
  • Reboot and drop into the Bios setup with the blue "ThinkVantage" button.
  • Select Config > Display options
    • Change Graphics Device to "Discrete Graphics".
  • Select Security > Virtualization
    • Change Intel (R) VT-d Feature to "Disabled"
  • Save and Exit. 

When Windows starts it auto-detects the change and installs the correct driver.  Voilà! The external monitor now works.  I use Hyper-V on this box, and can confirm that my VMs still work with VT-d disabled.

Special thanks to this guy!


Windows 8 Pin Logon for Domain Joined Machines

Windows 8 Pin Logon is a new feature in Windows 8 that lets you log on and unlock a Windows PC with a PIN, the same way you unlock a phone.

It's enabled by default for workgroup machines, but disabled by default for domain joined machines.  You can use group policy or edit the registry to re-enable this feature.

Enabling Windows 8 Pin Logon on a domain joined PC via Group Policy

Note:  This is a Computer setting and the GPO will need to be applied to the OU containing the Computer Account.

Note: If you don't have this setting in your group policy editor, you may need to install newer versions of the .ADMX Administrative Templates.

The setting is located under Computer Configuration\Administrative Templates\System\Logon > "Turn on Pin Sign-In"


Enabling Windows 8 Pin Logon on a domain joined PC via the Registry

To enable this via the registry create the following value.
 Value Type: REG_DWORD
 Value Name: AllowDomainPINLogon
 Value Data: 1

A restart is required for the settings to take effect.  Unfortunately, I have not found a knob that lets you control the minimum complexity or length of the PIN.  Yet.

To configure the PIN login, open the start menu and search for "Create or Change a PIN" under the settings menu.


Wednesday, January 8, 2014

Learning System Center 2012 R2

My apologies for the radio silence.  I'm currently heads-down and slogging through Microsoft System Center.  This is an interesting beast.  The key to learning it seems to be that you have to dive right into the middle of it.  There is no logical starting point.  It is a multi-headed Hydra like Office with more than a half-dozen moving parts inside it.

So far I'm touching
  • SC Operations Manager (monitoring) 
  • SC Configuration manager (Deployment and Maintenance)  
  • SC Orchestrator (Automation)
  • SC Service Desk (Change Management & Ticketing)

This is no small task to learn.

I read the MS Press Introducing Microsoft System Center 2012 R2 Technical Overview book and it wasn't a lot of help.  It has a big cloud emphasis, but not a lot of "To do X, you need Y".  The ebook is free at O'Reilly Publishing.

Back to the salt mines

Tuesday, January 7, 2014

Bitcoin Phishing Attack

This morning I stumbled across a particularly good bitcoin related phishing attack. 

Hello David…

I just did what you advised me to do but the problem remains the same : importing the private key is not working…. drives me nuts!
Last time I checked ( [link removed] ) there was still 30.28020001 BTC ! But no way my bitcoinqt client loads the key so I am stuck with those BTCs.

Thanks for offering your help with this. Here is my wallet.dat with the password [link removed]. If you need anything else let me know.
If you can load the key please send the BTCs to [address removed]

This would help me so much. Thanks David!


I'm going to wager that either the wallet or one of the links drops some wallet-grabbing malware on your PC.  Very sneaky Mr. Phisher, very sneaky. 


Saturday, January 4, 2014

Fixing the Front convenience lights on a 2002 Dodge Grand Caravan.

Front convenience lights in a 2002 Dodge Grand Caravan.

These are the Driver and Passenger lights for the people in the front seats.  Changing the bulbs is non-intuitive.  You have to pry on the front edge of the clear lens to get the lens off.  It's tight, and when it pops off you'll swear you broke it.  Once the lens is off the bulb is in a plastic holder that unscrews counter-clockwise.  For my love's van the problem was that the plastic of the bulb holder had melted.  That's bad.

I trimmed the plastic with a needle file to get it working, and I'll grab a spare next time I get up to Pull-a-Part.

It works.  This makes wife happy.

Crap, it's going to be -14 in Wisconsin tomorrow.  Nothing in my entire experience living in Tennessee has prepared me for that low a temperature.  Frack.


Changing the Idle air control valve on a 1999 Audi A8 Quattro.

Ebay Part, $40.  3 bolts (11mm wrench) 1 electrical connector.  Right on top of the engine, in front of the blower behind the intake manifold.  After installing I cleared the codes, but my error code came back almost immediately.  That's an annoyance.  I found another cracked hose.  Fixed, and cleared the codes.  Voilà, no more check engine light.  Sweet.

Lesson Learned:  This car is CRAZY sensitive to vacuum leaks and reports them as the P1509 code.  Quintuple-check for leaks before dropping money on a new part.

Changing Rear Shocks on a 2002 Grand Caravan

I PROMISE the auto repair spurt is almost over.  _Promise!_

This morning I finished the suspension work on my sweetie's van by changing the rear shocks.  The old ones were OEM and rusting to absolute nothingness.

I backed the van up on ramps, and access was pretty good.  I was able to use an impact wrench for the bottom bolts and a breaker bar on the top one.  You don't have to remove the wheels to do this project, but you do need ramps or jack stands so you can move around underneath the car.  Each shock is mounted at the top with one bolt to the chassis of the van.  The other end is held with a nut and bolt to the front of the rear axle.  An 18mm wrench fits both bolts, and you also need another 18mm wrench or socket to hold the nut.

The hardest part of installing the new shocks is compressing them to the correct length.  A tapered punch helps to line up the bolt hole if it's being fidgety.

With all the suspension work done, I took the van off to Firestone for an alignment.  It drives a lot better now.  I'm slightly annoyed because the Camber?  The

Thursday, January 2, 2014

Changing DNS suffix search order from the command line

Quickie: To change the dns suffix search order from the command line, run the following
reg add HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters /v SearchList /t REG_SZ /f /d,

ipconfig /registerdns

If you have to change it on 37 machines, make a list of machines in machines.txt and run this...

for /F %i in (machines.txt) do reg add \\%i\HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters /v SearchList /t REG_SZ /f /d,

for /F %i in (machines.txt) do psexec \\%i c:\windows\system32\ipconfig.exe /registerdns

Options for Automating per-location printer deployment

I had an interesting chat with a customer last week.  They have a large number (400+) of stores with Windows XP and Windows 7 workstations.  These workstations are all joined to Active Directory, but the users have historically logged in with shared local accounts.  That's kind of a fiddly configuration, but hey.. it works for them.

Anyway, they are switching all their users to login with AD accounts.  Yeah!  Unfortunately they are getting a lot of helpdesk calls from the users because their network printers aren't being mapped automatically.  Booh!

So we talked through a few solutions.

The "Right" ® ™ solution is to push the printers through group policy from AD.  I did not particularly relish the thought of creating 400 discrete group policies





Another solution would be to User State Migration Tool the printer over.  Well, that would be a solution if the USMT supported network printers on WinXp.  So that's a "no."

A third solution is a logon script, and I think that's what he's leaning towards doing.  Their OU structure is what really makes this work.  It starts with the domain at the top, then "Locations", then the 4 digit store numbers, then an OU for workstations where the Computer accounts live.  What is great about this solution is that one logon script can look at the OU information to determine which store the machine is in, and then map the per-user printer settings accordingly.  Nice!  One script vs. 400+ GPOs?  That isn't a hard question.

Here is the sample script I cooked up for him.

' This code is provided as a sample, and not guaranteed
' or supported in any way.
' This determines the OU of a workstation, and maps one
' or more network printers based on the OU information.

Set objSysInfo = CreateObject("ADSystemInfo")
strComputer = objSysInfo.ComputerName

Set objComputer = GetObject("LDAP://" & strComputer)

arrOUs = Split(objComputer.Parent, ",")

' Uncommenting this command will print the full
' workstation OU path
' wscript.Echo "Machine path is " + objComputer.Parent

' arrOUs is an array created from the LDAP path split up
' by commas. i.e. on a machine in Location A001 it may contain
' arrOUs(0) = LDAP://OU=Workstations
' arrOUs(1) = OU=A001    < This is the one you care about
' arrOUs(2) = OU=Locations
' arrOUs(3) = DC=YourDomain
' arrOUs(4) = DC=com

' This command chooses which array element is the
' OU containing the Location name
strOUName = arrOUs(1)

' Uncommenting this command will print the OU name
' wscript.Echo "The OU Name is " + strOUName

' This takes the OU= part off and puts it in a new variable
arrMainOU = Split(strOUName, "=")
strLocationName = arrMainOU(1)

' Uncommenting this command will print the Location name
' wscript.Echo "The Location Name is " + strLocationName

' Now a large case statement executes to create the
' printers based on the Location name.
' A Location with no matching Case gets no printer mapped.

Set WshNetwork = CreateObject("WScript.Network")

Select Case strLocationName

    Case "A001"
        PrinterPath = "\\Server\Printer1"
        PrinterDriver = "PrinterDriver"
        ' See note in regarding the PrinterDriver attribute.
        WshNetwork.AddWindowsPrinterConnection PrinterPath, PrinterDriver
        WshNetwork.SetDefaultPrinter "\\Server\Printer1"
    Case "A002"
        PrinterPath = "\\Server\Printer2"
        PrinterDriver = "PrinterDriver"
        WshNetwork.AddWindowsPrinterConnection PrinterPath, PrinterDriver
        WshNetwork.SetDefaultPrinter "\\Server\Printer2"
    Case "A003"
        PrinterPath = "\\Server\Printer3"
        PrinterDriver = "PrinterDriver"
        WshNetwork.AddWindowsPrinterConnection PrinterPath, PrinterDriver
        WshNetwork.SetDefaultPrinter "\\Server\Printer3"
End Select

Full Disclosure: this contains code shamelessly stolen from:
Hey Scripting Guy - "Identifying a Workstation’s OU (wscript)" from
Mapping a network printer via logon script.

Hope this helps someone.

If you have questions like this, Post a comment!  I like fun challenges like this.


Wednesday, January 1, 2014

Impulse Kickstarter Purchase: Tikker

I bought an awesome watch today.  It's called the Tikker.  The Tikker tells time and includes a multi-year countdown timer.  You calculate your expected lifetime from actuary tables and program the tikker.  It gives you the current date and time, and your remaining projected lifespan.

I know it seems kind of morbid, but how awesome is this?  What else could remind you of the value of your time like this?

This pleases me.


Awesome resource: Free Auto Repair Manuals

I have a box of Haynes manuals. I've bought one for every car I've ever owned, except the Audi.  I'd buy that one too if they'd write one.  I've even bought a couple for my friends and family's cars.  I love these books.

Unfortunately I have _no idea_ where that box is.  I misplaced it in the move last year and can't find it.  Crap.

I found an alternative resource, and I like it almost as much as the Haynes manuals.  There is a company that publishes the "Auto Repair Reference Center" online.  This is a subscription service that a huge number of Libraries provide to their patrons.  I found a forum post where a chap was kind enough to share his link to it and a working library card number (pl249412345678).

I dug a little further and my library has access to a different service by Chilton.  Fantastic!

These are fantastic for those one-off jobs for friends so I don't have to buy a book.

Thanks Internet!

Surprise Project: How to replace the alternator on a 2004 Hummer H2

This morning I put new struts in the minivan.  While I was out test driving it I stopped for gas at my local shell station.  There was a Hummer H2 there with the hood open, and a very forlorn looking chap sitting next to it.  The car was stuffed with presents, dogs, and kids so I asked if they needed any help.

As it turns out they were coming home from Christmas Vacation in Georgia, on the way to Kentucky.  They'd broken down, and were desperately calling around to find a shop that could tow and fix the car.  It's relevant to mention here that this was at 4:45 in the afternoon on New Year's day in a very small town that doesn't have a red light, much less an auto repair shop.

We talked about what it was doing and it sounded like it was probably the alternator.  The chap's wife said they had found someone to tow it for $500, but that was just the TOW, not to fix it.  Ouch.

I offered to pull the alternator and take the fellow to get it tested.  They were ecstatic.

Tools required:  3/8" drive socket set, 5/8" wrench, flathead screwdriver, prybar

The replacement was really easy.  Remove a battery cable.  Remove the vanity cover over the intake manifold (1 bolt)(Red Arrow).  Remove the plastic air intake (two worm clamps)(Green Arrows).  Remove the electrical connector and charging cable  on the Alternator.  (One bolt)(Blue Arrows).  Remove two bolts that hold the alternator in place.(Yellow Arrows)  Then pry the alternator up and out.

View from Driver's Side of Engine

Looking down at front of alternator

Passenger's side view of engine
Back side of idler pulley

The fiddly bit was getting to the idler pulley to loosen the serpentine belt.  To do that you had to remove the plastic air intake.  To do THAT you had to get to the two clamps that held it on and you couldn't reach the intake manifold end clamp until you got the plastic manifold cover off.  Annoying.
The MAF sensor insisted on coming out with the air intake too, so I had to undo that electrical connector.  Blarg.  Once you had that big plastic behemoth out of the way the job is easy.  Slip a 5/8" wrench on the big bolt on the front of the idler and lift up.  The belt will slip right off. 

Two more tips:  First, bring something to stand on.  This truck is high.  I'm over six feet and couldn't reach in easily.  Second, when you get the old alternator out you should tap/hammer/squeeze/pry/finagle the little metal sleeves under the alternator a little bit to make room for the new one to fit in.  The bolts squeeze these into place to hold the alternator tightly.  That makes getting the new one in very snug.

The job took less than an hour with another half hour for the run to the parts store.  I only got a few pictures, but the folks were ecstatic to be back on their way.  Hopefully this post will help someone else.  Sadly I neglected to get their names.  Good luck, whoever you guys were.