Finding the faulting Printer Driver

We have just had a case where our print spooler didn't recover properly after it crashed.

As we restarted the spooler, the spooler ran for a while and then crashed again.
We did this a couple of times.
As the Print Spooler was pending in our cluster we could see that the spoolsv.exe process
was jumping up and down in memory usage and that our E:\Spooler folder was getting fewer objects while at the same time receiving new ones.
After the second attempt to restart the spooler service we started to look for the oldest document.
Our FP00160.SHD and FP00160.SPL were clear candidates for inspection, as they were the oldest documents in the print queue.
Both files can be opened in Notepad for inspection.
In the SHD file the first line is filled with cryptic characters, but somewhere it will say something like this:
M Y P R I N T E R \ s 0 1 9 \ M Y P R I N T E R
This is the printer whose driver you should check for a fault, or maybe update.
But there is more information available in the SPL file.
From the top of the SPL file:
@PJL SET USERNAME = “username”
@PJL SET JOBNAME = “Microsoft Word – My Document”
Now you can check the spooler for the printer MYPRINTER, see which computer the document came from,
and cancel the document in the spooler if you want.
Hope this helps in troubleshooting and gets you closer to finding the faulty print driver.
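The same inspection can be scripted so you do not have to open the files in Notepad. This is an added example, not code from the original post: it picks the oldest .SHD in the spool folder, pulls the UTF-16 queue name out of it, and reads the PJL USERNAME/JOBNAME lines from the matching .SPL. The folder path is taken from the post and is an assumption for your environment.

```powershell
param([string]$SpoolDir = 'E:\Spooler')   # path from the post; adjust to your spooler folder

function Get-Utf16Strings {
    # Return printable UTF-16LE runs of at least $MinLength characters from a binary file.
    # Both byte alignments are decoded, since a string may start at an odd offset.
    param([string]$Path, [int]$MinLength = 6)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    foreach ($offset in 0, 1) {
        $text = [System.Text.Encoding]::Unicode.GetString($bytes, $offset, $bytes.Length - $offset)
        foreach ($m in [regex]::Matches($text, "[\x20-\x7E]{$MinLength,}")) { $m.Value }
    }
}

function Get-OldestSpoolJob {
    param([string]$Dir)
    $shd = Get-ChildItem -Path $Dir -Filter '*.SHD' -File |
           Sort-Object LastWriteTime | Select-Object -First 1
    if (-not $shd) { return $null }      # nothing waiting in the queue
    $spl = Join-Path $Dir ($shd.BaseName + '.SPL')

    # The SHD holds the queue name as text like "MYPRINTER\s019\MYPRINTER" (see the post).
    $printer = Get-Utf16Strings -Path $shd.FullName |
               Where-Object { $_ -match '\\' } | Select-Object -First 1

    # The SPL starts with PJL lines such as @PJL SET USERNAME = "user"; read only the header.
    $pjl = @{}
    if (Test-Path $spl) {
        Get-Content -Path $spl -TotalCount 40 -ErrorAction SilentlyContinue | ForEach-Object {
            if ($_ -match '^@PJL SET (\w+)\s*=\s*"?([^"]*)"?') { $pjl[$Matches[1]] = $Matches[2] }
        }
    }
    [pscustomobject]@{
        JobFile   = $shd.Name
        Submitted = $shd.LastWriteTime
        Printer   = $printer
        UserName  = $pjl['USERNAME']
        JobName   = $pjl['JOBNAME']
    }
}

Get-OldestSpoolJob -Dir $SpoolDir | Format-List
```

Run it while the spooler is stopped so the oldest job is not removed from under it; the Printer field is the queue whose driver to investigate.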

The case of high amount of Broadcast traffic

I was looking into a different kind of problem the other day when I had to do a network dump on one of our servers.

As I was watching the network dump scroll down my screen I kept noticing all the DHCP Requests that were flying by.
Something wasn't right.
I contacted our networking department and they already had a case on that subnet with high amounts of broadcasts.
I decided to take the first DHCP Request and see what was happening.
I filtered the requests on the Ethernet address and started looking for a pattern.
After studying the DHCP Requests I found that the requesting client didn't get any answers, and it kept sending requests pretty often.
Looking at the timestamps, it sends out a Request and then after 2 seconds sends a new one, doubling the number of seconds to time out each time.
It is sending in the following pattern: 0 – 2 – 4 – 8 and last 16 seconds before it starts the same procedure again.
Since the Ethernet address didn't get any address on our network (no DHCP in our server scopes),
I had to get our networking department to find the port the MAC was sitting on.
After they directed me to the correct network port I could log on to the attached server and check its hardware.
When I was studying our Windows 2008 R2 server I couldn't find that MAC address with the getmac command on the server.
What could it be?
After looking into the packet a bit more I saw that it had a VendorClassIdentifier called: brcmftsk.
Tried to google it but it didn't return too many good results.
In the middle of the lunch break, as I was discussing the matter with a colleague, he tipped me off with an article[1] regarding Broadcom and DHCP.
The author of the article had exactly the same problem as me, but he solved it years before I knew it was a problem 🙂
As it turns out, all our Windows servers were requesting an address for their iSCSI adapters on our network.
This was the default configuration on the iSCSI adapter and according to the article it had to be turned off manually.
Since we didn't use iSCSI or DHCP on the server segment we didn't notice any depletion of the IP scope or disruption of the iSCSI service.
But with 200+ servers in the same segment sending DHCP requests for both of their iSCSI adapters, the amount of broadcasts was questionable.
But how do you configure iSCSI on 200+ servers? Not manually, at least not that I know of.
The best way of doing it properly is to install the Broadcom Managed Applications Control Suite and configure it there.
But not all our servers have this suite installed, and that would require extra downtime and planning.
So our quick and dirty workaround for this issue was to disable the driver on our servers.
The driver service for the iSCSI adapter is named BXOIS in the registry and is a kernel-loaded driver.
We decided that we should just disable this service and then the driver would be disabled.[3]
As we have an Active Directory environment, we added this to the default configuration for all our Windows servers.
After we applied the Group Policy we could see that the registry had changed properly.
PS C:\> reg query  HKLM\System\CurrentControlSet\Services\BXOIS
    Start    REG_DWORD    0x4
After rebooting our server the iSCSI devices were listed like this in Devmgmt.msc:
(Screenshot: device driver disabled)
The warning sign on the driver says the following when you open it:
A driver (service) for this device has been disabled. An alternate driver may be providing this functionality. (Code 32).
After we deployed this to all our servers we saw that the broadcasts on our network dropped dramatically.
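To confirm that the Group Policy actually landed on every server before trusting the drop in broadcasts, the registry value can be audited remotely. This is an added example, not code from the original post; it assumes PowerShell remoting is enabled and that the server names are constructed placeholders you replace with your own list.

```powershell
param([string[]]$Servers = @('server01', 'server02'))   # constructed names; use your own list

# Service key from the post; Start = 4 means the kernel driver is disabled.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\BXOIS'

$results = Invoke-Command -ComputerName $Servers -ErrorAction SilentlyContinue -ScriptBlock {
    param($k)
    if (-not (Test-Path $k)) {
        # No BXOIS key at all: this host has no Broadcom iSCSI driver installed.
        return [pscustomobject]@{ Start = $null; State = 'NotInstalled' }
    }
    $start = (Get-ItemProperty -Path $k -Name Start).Start
    [pscustomobject]@{
        Start = $start
        State = if ($start -eq 4) { 'Disabled' } else { 'StillEnabled' }
    }
} -ArgumentList $key

# Invoke-Command tags each result with PSComputerName; hosts that could not be
# reached simply produce no result, so report them separately instead of silently.
$unreached = $Servers | Where-Object { $_ -notin $results.PSComputerName }

$results | Sort-Object State | Format-Table PSComputerName, Start, State -AutoSize
if ($unreached) { Write-Warning ('Unreachable: ' + ($unreached -join ', ')) }
```

Hosts reported as StillEnabled have either not refreshed Group Policy yet or have a conflicting policy; the value only takes effect after the reboot mentioned above.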

DHCP and Failing Dynamic DNS Update

The Case:

We were having an issue with some of our clients not getting updated properly in our DNS.
Our clients somehow had the wrong IP registered in our DNS server.
We knew that our clients were accessing an 802.1x network and spent some time getting authenticated.
Since this is a newly acquired network it had its own DHCP server, and that DHCP server was enabled to
do DDNS updates for our clients; we were only experiencing the issue when the clients were successfully
authenticated on 802.1x.

The investigation:

So where to start? Is it the new DHCP server that is overwriting the entries after the client successfully authenticates?
Is it the client that is not able to update its own records due to the DNS No-Refresh interval on the DNS server?
Is it our primary DNS server that is not able to update the records due to DNS No-Refresh?
Anyway, I started comparing our DHCP servers' DNS settings.
Both of them were configured identically for the DNS settings and were using the same DNS update credentials.

PS C:\> Get-DhcpServerv4DnsSetting -ComputerName dns01.contoso.com
  DynamicUpdates             : Always
  DeleteDnsRROnLeaseExpiry   : True
  UpdateDnsRRForOlderClients : True
  DnsSuffix                  :
  DisableDnsPtrRRUpdate      : False
  NameProtection             : False

After checking all the scopes on the server, we could see that all the scopes had the same settings as the primary settings on the DHCP server.
Here is a PowerShell script to list all the scopes in a table with their DNS settings (not perfect, but it gives you an overview):

$srv = "."
$scopelist = Get-DHCPServerv4Scope -computername $srv
foreach ($item in $scopelist) {
Write-host $item.Name , $item.ScopeId.IPAddressToString
Get-DHCPServerv4DNSsetting -ComputerName $srv -ScopeId $item.Scoped.IPAddressToString | Format-Table

Well, everything seemed to be as it should be... but why didn't our primary DNS server update the latest DHCP lease in DNS with the proper IP?
I decided to check out the DHCP logs and look for our client's name. After opening the log file I could see straight away a bunch of error messages
related to DNS updates.
The log file was filled up with ID 30 and ID 31 entries. They look something like this:
31,07/16/14,11:16:00,DNS Update Failed,,AP30f7.0d92.5ea1,,,0,6,,,
30,07/16/14,11:16:00,DNS Update Request,,AP30f7.0d92.5ea1,,,0,6,,,

After counting all the 31 events in Notepad++ we had far too many failed updates (approx. 60000 a day).
All kinds of clients failed to get updated, but all kinds of clients also succeeded. What could be doing this?

Discussing with Microsoft, we decided to increase the queue limit for DDNS updates on the DHCP server. [1]
Since we have Windows 2008 R2 DNS and DHCP servers we increased the DynamicDNSQueueLength to 65536 as described in the article[2].

This didn't actually help, as our queue was still too big. So I started to investigate which records were failing,
and I was a bit surprised: apparently we have a lot of units with “invalid FQDN hostnames” reporting to the DHCP server.
As our DHCP server is set to “DynamicUpdates : Always” and “UpdateDnsRRForOlderClients : True”, it will update any type of client
that reports its hostname to our DHCP server. The invalid FQDNs looked like this: AP30f7.0d92.5ea1.
It is two letters (AP) followed by the MAC address of our Cisco access points. One of the issues with this is the use of “.” in the hostname.
If we were to allow the update to happen, we would have to create the 0d92.5ea1 zone in our DNS server, and then the DHCP server would create
a record for AP30f7 inside that zone. But we would have to create a zone for every access point, because the last 9 characters are unique to every access point.
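Counting the ID 31 entries and spotting the dotted hostnames can be done in one pass over the DHCP audit log instead of in Notepad++. This is an added example, not code from the original post; the log lines in $sample are constructed in the format shown above, and the log path in the comment is the default DHCP audit log location, which is an assumption for your server.

```powershell
# Constructed sample lines in the DHCP audit log layout: ID,Date,Time,Description,IP,HostName,MAC,...
$sample = @'
30,07/16/14,11:16:00,DNS Update Request,,AP30f7.0d92.5ea1,,,0,6,,,
31,07/16/14,11:16:00,DNS Update Failed,,AP30f7.0d92.5ea1,,,0,6,,,
30,07/16/14,11:16:02,DNS Update Request,,WS-1234,,,0,6,,,
32,07/16/14,11:16:02,DNS Update Successful,,WS-1234,,,0,6,,,
31,07/16/14,11:16:05,DNS Update Failed,,AP30f7.0d92.5ea1,,,0,6,,,
'@ -split "`r?`n"

function Get-DhcpDnsUpdateFailures {
    param([string[]]$Lines)
    $rows = foreach ($line in $Lines) {
        # The real log starts with a text preamble; keep only record lines.
        if ($line -notmatch '^\d+,') { continue }
        $f = $line -split ','
        if ($f.Count -lt 6) { continue }
        [pscustomobject]@{
            Id       = [int]$f[0]
            Date     = $f[1]
            Time     = $f[2]
            Event    = $f[3]
            HostName = $f[5]
        }
    }
    $rows | Where-Object { $_.Id -eq 31 } |        # 31 = DNS Update Failed
        Group-Object HostName |
        ForEach-Object {
            [pscustomobject]@{
                HostName     = $_.Name
                Failures     = $_.Count
                # A dot inside a DHCP-supplied host name is not a single DNS label;
                # the server would need a zone per suffix, which is the failure above.
                InvalidLabel = $_.Name -match '\.'
            }
        } | Sort-Object Failures -Descending
}

# Run against the constructed sample; for a real server replace $sample with
# Get-Content C:\Windows\System32\dhcp\DhcpSrvLog-Wed.log (default audit log path).
Get-DhcpDnsUpdateFailures -Lines $sample | Format-Table -AutoSize
```

Sorting by Failures puts the noisiest offenders first; filtering on InvalidLabel separates the naming problem from genuine DNS permission or queue issues.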

So that is not an option. So how can we fix this or reduce the problem?
There are three ways of doing this:
1. Either we rename all our Access Points to a fitting standard
2. We adjust our settings for our DHCP Server globally
3. We adjust just the Scopes in question.

Our network admin wasn't too glad about renaming several thousand access points. So I decided to explore the other options.
If we are adjusting the DHCP DNS update settings, what settings should we have?
Should we just adjust the scope settings, or could we do it globally on the DHCP server?

To figure this out I had to read up [3][4] on the DHCP protocol and how clients send information to the DHCP server to do or not do DDNS.
In the article “Using DNS with DHCP” [4] there is a nice schema of how it looks when the client is communicating with the DHCP server:

(Figure: DHCP and DNS Update interaction)

This is when the client itself is updating the record via DDNS and not when the DHCP server is doing it.
The setting on the DHCP server is then “Dynamic Updates: OnClientRequest”, which is the default setting for DDNS updates from DHCP.
But ours has this set to “Always”, and we also have the option “UpdateDNSRRForOlderClients: TRUE”.

This means that all clients that are getting a lease from our DHCP Server will be updated in our DNS Server by our DHCP server.

So how does this work? DHCP goes through four steps to give a lease and, in a default DHCP setup, to decide whether the client
or the DHCP server should do the DNS update. Shown in the picture:

(Figure: DHCP Message Exchange)

First the client does a DHCPDISCOVER and sends the Hostname (ID 12) in the packet.
It then receives a DHCPOFFER packet from the DHCP server with an IP address, subnet, DNS server and other DHCP options.
Then the client sends a DHCPREQUEST packet; this packet contains Requested IP (ID 50), Hostname (ID 12) and it may send FQDN (ID 81).
This last option is optional for clients to send, but all Windows XP/2003 and newer clients send it.
The DHCPACK packet is then returned from the DHCP server and it contains the DHCP DNS settings in the FQDN field (ID 81).
If the DNS settings are default, the client will update itself in the DNS server.

So why does our access point not have a FQDN when we look in the DHCP scope and in our logs?
As I was inspecting the packet dump from one of the access points I noted that the access points didn't send
the FQDN option (ID 81) in the DHCPREQUEST packet to the DHCP server. So this client is actually not requesting to
be updated in our DNS, but our DHCP server still does it.

So this means we either adjust the scope or set the settings globally on the DHCP server.
If we change the settings to DynamicUpdates: OnClientRequest and set the option UpdateDNSRRForOlderClients: False,
we will avoid update requests from clients that are trying to update into a non-existent zone on our DNS server.


So we have learned two things in this scenario.
1. Having a good naming standard for all your devices will help a lot and keep you out of unexpected trouble like this.
2. Configuring the DHCP server to update everything to DNS might sound like a good idea, but only if you have done point 1 properly.

We have adjusted our DHCP server globally to DynamicUpdates: OnClientRequest and UpdateDNSRRForOlderClients: False.
This is done at the root level of the IPv4 settings, but you have to check all the scopes afterwards in case any of them has been changed from the standard config,
because the setting will not propagate to the scopes. You can check with the earlier PowerShell script,
and if the settings are inconsistent, it is easy to rewrite it so it sets the correct settings on the scopes that are not following the global config.
The DhcpServer module in PowerShell is available in Windows 2012 and newer OSes, so for the PowerShell script to work you have to have this OS.
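The check-and-fix rewrite mentioned above, as an added example that is not code from the original post: it compares each scope's DNS settings with the server-level settings and, only when run with -Fix, resets drifted scopes to the two values the post settled on. It assumes the DhcpServer module (Windows Server 2012 or newer) and rights on the server named in $Server.

```powershell
param(
    [string]$Server = '.',   # DHCP server to audit; '.' is the local machine
    [switch]$Fix             # without -Fix the script only reports drift
)

$global = Get-DhcpServerv4DnsSetting -ComputerName $Server
$props  = 'DynamicUpdates', 'DeleteDnsRROnLeaseExpiry', 'UpdateDnsRRForOlderClients',
          'DisableDnsPtrRRUpdate', 'NameProtection'

foreach ($scope in Get-DhcpServerv4Scope -ComputerName $Server) {
    $s = Get-DhcpServerv4DnsSetting -ComputerName $Server -ScopeId $scope.ScopeId
    # Compare as strings so Boolean and enum values line up the same way.
    $diff = foreach ($p in $props) {
        if ("$($s.$p)" -ne "$($global.$p)") { "$p=$($s.$p) (server: $($global.$p))" }
    }
    [pscustomobject]@{
        ScopeId = $scope.ScopeId.IPAddressToString
        Name    = $scope.Name
        Drifted = [bool]$diff
        Details = $diff -join '; '
    }
    if ($Fix -and $diff) {
        # Only the two settings the post changed; PTR and lease-expiry settings are left alone.
        Set-DhcpServerv4DnsSetting -ComputerName $Server -ScopeId $scope.ScopeId `
            -DynamicUpdates OnClientRequest -UpdateDnsRRForOlderClients $false
    }
}
```

Run it once without -Fix, review the Details column, then run it again with -Fix so no scope is changed unseen.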

Hope you feel this was worth your time reading and that you enjoyed it.


[3] Windows Server 2008 TCP/IP Protocols and Services