Outlook 2010 may start only in safe mode

In this case, users of Office 2010 started to complain that their Outlook 2010 had begun to start only in safe mode. The number of incidents opened about this Outlook behavior grew rapidly, too many in a short period of time to be explained by an Outlook add-in problem or Outlook profile corruption. It was also symptomatic that this behavior started to occur after the user's workstation was rebooted. It was also noticed that it was happening on workstations that were members of the first WSUS update group.
An update for Outlook 2010, KB3114409, had been approved for installation on members of the first WSUS update group.
Microsoft has acknowledged this behavior and removed this update from the updates available for download.
If this update is uninstalled from the affected workstations, Outlook starts normally (not in safe mode). After confirming that Outlook runs as it should without this update, the update was approved for removal in WSUS.
 

Internet Explorer consumes high memory usage and CPU cycles (not responding)

A couple of weeks ago, colleagues of mine started complaining about unresponsive behavior of Internet Explorer 11 when they were using their line-of-business web application. My response to their complaints was: please reset Internet Explorer to defaults and reboot your PC, and the problem will be solved. This had been the cure in many previous cases of unresponsive Internet Explorer behavior. But in this case the method did not fix the issue. The number of helpdesk calls and tickets opened about this unresponsive Internet Explorer behavior with the LOB web application kept growing.
Here is a screenshot of this high memory consumption and high CPU cycles from Internet Explorer process:


After some investigation, this behavior turned out to be typical for users working on machines with KB3096441 installed (MS15-106: Cumulative security update for Internet Explorer: October 13, 2015). This behavior was confirmed by Microsoft, and a hotfix was published as KB3119070. After installation of this hotfix, Internet Explorer 11 behaved normally when this LOB web application was used.
This "bad" behavior of Internet Explorer is also fixed with KB3104002 (MS15-124: Security update for Internet Explorer: December 8, 2015).
 

Create Exchange Address Lists

For quick creation of Exchange address lists, EAC or EMC can be used when only a subset of AD attributes is needed for the filter (AD container, State or Province, Company, Department, ExchangeAttribute1-15). If these attributes do not meet your needs, Exchange PowerShell is your friend. New-AddressList has a RecipientFilter parameter for creating advanced queries for filtering recipients. For more info about the filterable properties that can be used in the RecipientFilter parameter, please check the following article: https://technet.microsoft.com/library/bb738157(EXCHG.80).aspx .

For example:
New-AddressList -Name TestList -RecipientFilter {((Alias -ne $null) -and (((Recipienttype -eq 'UserMailbox') -or (Recipienttype -eq 'MailUniversalDistributionGroup') -or (Recipienttype -eq 'MailUniversalSecurityGroup') -or (Recipienttype -eq 'PublicFolder')) -or ((Recipienttype -eq 'MailContact') -and (ExternalEmailAddress -like '*domain.com'))))}
In this example, the TestList address list is created with the following requirements: Alias is set, and the recipient types are UserMailbox, MailUniversalDistributionGroup, MailUniversalSecurityGroup, PublicFolder, and only those MailContacts whose External Email Address ends with domain.com.
 

Slow User Experience on Every Logon

In this case a colleague of mine was complaining that every time she rebooted her workstation running Windows 8.1 x64 and logged in successfully, she had to wait about 10 minutes before the operating system became responsive again, and disk utilization during those 10 minutes was 100%.
The process responsible for this high disk utilization was taskhostex.exe. Taskhostex.exe and taskhost.exe are host processes for Windows tasks. For example, these three tasks are running under taskhostex.exe:



The Wininet Cache Task is triggered whenever a user logs on. During my colleague's logon, the disk was heavily utilized by taskhostex.exe, and the file with the most disk read and write operations was WebCacheV01.dat, located in C:\users\userprofile\AppData\Local\Microsoft\Windows\WebCache. Starting with Internet Explorer 10, the browser cache is stored in this database instead of in index.dat, as it was in previous versions of Internet Explorer.
In this case, my colleague's WebCacheV01.dat was around 3 GB (the initial size is around 20-30 MB).
To improve my colleague's logon experience, I killed the taskhostex.exe process (Internet Explorer was already closed), deleted the contents of C:\users\userprofile\AppData\Local\Microsoft\Windows\WebCache, and rebooted the workstation.
After the reboot, my colleague logged on successfully, with low disk utilization and a newly created WebCacheV01.dat database.

I hope this helps someone debugging slow user logons ...
 

Internal Storage Enclosure Device Failure on HP DL380 Gen8

In this case, I was getting an error notification from the iLO of an HP DL380 Gen8 server. The error message logged in the Integrated Management Log was classified as Critical, with the following description:
Drive Array Controller Failure (Slot 0)
There was also an iLO SMTP alert message with the following subject:
(CRITICAL) Internal Storage Enclosure Device Failure

Judging by this alert, something bad must have been happening to this HP DL380 Gen8 server, but the operating system on that server was running without any problems. There were also no errors reported in HP ACU (Array Configuration Utility) on that server. So my conclusion was that the iLO on that server had generated a "false positive" alert. I decided to reset the iLO. I guess the easiest way to reset the iLO is through the iLO web interface:
Information->Diagnostics->Reset iLO
After resetting the iLO, the alert was resolved, and there were no open issues with that HP DL380 Gen8 server.

HP has published a customer advisory regarding this issue, which suggests upgrading the iLO and Smart Array Controller firmware, at the following link:
http://h20566.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c03384383&lang=en-uk
 

Windows 10 Free Upgrade Available in 190 Countries

Windows 10 is now available for download.
For more info, please check Microsoft Windows official blog http://blogs.windows.com/launch/ .

For those who have an MSDN subscription, Windows 10 is also available for download:

Happy upgrading :)

BSOD on VM after installation of Hyper V Integration Services

In this case, a Windows Server 2003 R2 physical server was converted (captured) into a guest VM on a Hyper V cluster based on the Windows Server 2012 operating system. The physical disk drives were successfully captured into VHDs. The virtual machine booted successfully, and installation of the Hyper V integration services was initiated. The installation of the integration services requested a reboot of the VM. After the restart, the VM failed to boot with a BSOD that complained about WDFLDR.sys.
To fix this situation, I booted the VM into the last known good configuration and checked the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wdf01000. It had a Group (REG_SZ) value with Base as the value data.
Changing the data to WdfLoadGroup:

 
 
and then installing the Hyper V Integration Services fixed the issue. The installation of the integration services requested a restart, and the VM rebooted successfully (without a BSOD).
 

KB3038314 disables SSL 3.0 in Internet Explorer 11

Among the latest updates from Microsoft is a cumulative security update for Internet Explorer, KB3038314, which disables SSL 3.0 in Internet Explorer 11. After this update is installed, the default setting for Internet Explorer 11 is SSL 3.0 disabled (without this update, the default setting was SSL 3.0 enabled). This new "behavior" of Internet Explorer 11 is due to a vulnerability in SSL 3.0 that could allow information disclosure, published in Microsoft Security Advisory 3009008 https://technet.microsoft.com/en-us/library/security/3009008 .


With SSL 3.0 disabled, you may experience the following error when accessing websites secured with SSL 3.0:



Turn on TLS 1.0, TLS 1.1 and TLS 1.2 in Advanced settings... The error message doesn't suggest turning on SSL 3.0!

And finally, how do you find out whether SSL 3.0 is in use when accessing HTTPS websites?
I guess the easiest way is to view the properties of the accessed HTTPS web page. For example:

 

If you need to access websites secured with SSL 3.0, you can override this setting (not recommended). For more info, please see Microsoft Security Advisory 3009008.
 

Source Path Too Long and Volume Shadow Copies

In this case a Windows Server 2008 R2 file server was hosting the company's file shares. The file server had several disk volumes with file shares and scheduled volume shadow copies. Users with the necessary access permissions to the file shares were able to restore previous versions of files and folders. A user was complaining that he was unable to restore the previous version of a file, because Windows Explorer prevented it with the following error message:
The source file names(s) are larger than is supported by the file system. Try moving to a location which has a shorter path name, or try renaming to shorter name(s) before attempting this operation...

The solution suggested in the error message, "Try moving to a location ...", is not applicable because shadow copies are read-only. To restore this file from the volume shadow copy, I exposed the volume shadow copy as a directory symbolic link.
The necessary volume shadow copy can be found using vssadmin or diskshadow. Because the file server had several disk volumes, I wanted to list the shadow copies of the affected volume only. This can be done using vssadmin:
vssadmin list shadows /for=driveletter:
From the output of the command, I found the needed volume shadow copy (for example: Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1007). Next, I created a directory symbolic link using mklink:
mklink /D "c:\temp\vss" \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1007\
Now, browsing into c:\temp\vss, I was able to access the "problematic file" from the volume shadow copy and recover the requested version of the file. At the end, I deleted the directory symbolic link I had created.

Failed to Initialize Connection Subsystem

After installing KB3021952 (MS15-009: Description of the security update for Internet Explorer: February 10, 2015), Cisco AnyConnect Secure Mobility Client failed to start with the following error message:
Failed to Initialize connection subsystem
To fix this behavior without uninstalling KB3040335, vpnui.exe should be set to run in Windows 8 compatibility mode.
Fortunately, the latest published updates from Microsoft, which include KB3032359 (Cumulative security update for Internet Explorer: March 10, 2015), also fix this behavior (problem).
 

Usage logs not deleted on SharePoint 2010

In this case a SharePoint 2010 server running on Windows Server 2008 R2 was filling up disk space with usage logs. The default location for usage logs is %programfiles%\common files\Microsoft Shared\Web Server Extensions\14\LOGS. The usage logs were not deleted because they were locked by the SharePoint Timer Service. Restarting the service releases the locks, and the usage files are deleted.
Because of this behavior you will also see event ID 6398 in the Application log from the SharePoint Foundation source, with the following description:
The Execute method of job definition Microsoft.SharePoint.Administration.SPTimerRecycleJobDefinition  
The timer service was not recycled because the following jobs were still running: Microsoft SharePoint Foundation Usage Data Import

The reason for this behavior is update KB2882822. Uninstalling the update fixes the locked usage files issue.
This behavior is also fixed with SharePoint 2010 December 2013 CU KB2849971.
 

Error Event ID 1511 on SharePoint 2010

In this post I'll write about how I resolved the error event with ID 1511 from the User Profile Service source on a SharePoint 2010 server, which has the following description:

Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.
Several IIS application pools were running under regular domain user accounts on this SharePoint 2010 server. For some of these application pool identities, a local profile was not created; a temporary profile was used instead. The domain user account for which the temporary profile was created is logged in the same event ID 1511, under the User section.
Fixing this behavior is simple: the point is to create the user's profile before the application pool is started. I guess the easiest way to achieve that is to start a command prompt under that "problematic" domain user account.
So, after stopping the SharePoint services and IIS and deleting the temp profile from the C:\Users folder, I ran the runas command:
runas /user:domain\apooluser cmd
After the correct password for that domain user is typed, a command prompt opens in the user's context and a local profile is created for that user in the C:\Users folder. Reboot the server, and the error event with ID 1511 will no longer be logged, since the IIS application pool will start and use the previously created local profile in the C:\Users folder.
 

TMG 2010 with HTTPS inspection enabled, unable to access some websites

In this case I'm going to point to two Microsoft KB articles that helped me resolve the following issue: Microsoft TMG 2010 with HTTPS inspection enabled is used as a proxy server, and users report that they cannot access some HTTPS websites.
Access to those HTTPS websites is possible when TMG is not used as a proxy server. The web server certificates are valid and issued by public certification authorities. The TMG server also trusts the root certificates of those web server certificates. For testing purposes, the domain names of those websites were put into the destination exceptions for HTTPS inspection, and users were still unable to access those websites. The TMG logs showed the following HTTP error code when users accessed those websites:
12030 The connection with the server was terminated abnormally
According to this log, the destination web server was terminating the HTTPS connection, and the reason for that behavior was that the TMG server was trying to negotiate the session with the destination web server using old protocols. To fix that behavior I used the following Microsoft KB articles:

FIX: You cannot access a website that does not support TLS v1.0 when you enable HTTPS inspection and set HTTPSiClientProtocols
FIX: You cannot access a website that is listed on the Destination Exception tab of the HTTPS Outbound Inspection dialog box in Forefront TMG 2010

Note: Before using these fixes, please check the service pack and rollup update requirements for Microsoft Threat Management Gateway 2010.
 

How to find the latest OS Image from Microsoft Azure Gallery

This post is for reference and is intended to simplify finding the latest available operating system image in the Azure gallery using PowerShell (I will not go into detail on how to connect to your Azure subscription using PowerShell).
Here is an example of how to get the latest image for Windows Server 2012 R2 Datacenter edition:

$OSImage = (Get-AzureVMImage | where {$_.ImageFamily -like "Windows Server 2012 R2 Datacenter*"} | sort PublishedDate -Descending)[0].ImageName

or Ubuntu Server 14 LTS:

$OSImage = (Get-AzureVMImage | where {$_.ImageFamily -like "Ubuntu Server 14*LTS*"} | sort PublishedDate -Descending)[0].ImageName


The logic in these PowerShell one-liners is very simple: the output from Get-AzureVMImage is first filtered by ImageFamily and then sorted in descending order by PublishedDate. The first listed (latest published) image name is put into the $OSImage variable. Now, "armed" with the latest image of the operating system, you can proceed to create the Azure virtual machine.
 

Check Microsoft Exchange Services

In this post I would like to share a PowerShell one-liner that I use in my Exchange test lab environment to check whether all Microsoft Exchange services set to start automatically are running and, if not, to start them:
"exserver1","exserver2" | % { get-wmiobject win32_service -computername $_ -filter "startmode = 'auto' and state != 'running' and name like 'MSExchange%'" |  % {write-host $_.PSComputername, $_.name; $_.startservice() | out-null }}

In my case there are two Exchange servers, exserver1 and exserver2, but you can change them to reflect your environment.
I also share this PowerShell one-liner with my students when I teach Microsoft Exchange courses, so they can easily check the MS Exchange services on their lab virtual machines. Sometimes not all necessary MSExchange services are started when the lab virtual machines boot up, and this can cause problems when students test the lab scenarios. This one-liner is a very simple way to avoid that situation.
 

Updated SCCM 2012 R2 clients version in Admin Console

In this case I was manually updating SCCM R2 clients on some Windows-based servers with the latest rollup update, but the new (updated) SCCM client version for those servers was not refreshed (reported) in the SCCM 2012 R2 Admin console. The reason for this behavior is that SCCM client versions are reported by heartbeat discovery. The default value for heartbeat discovery is 7 days.

To make SCCM clients report the client version as soon as possible, there are two options:
  • Lower the default value of 7 days for heartbeat discovery, or
  • Manually trigger the Discovery Data Collection Cycle action from the client
Update the collection membership, and the new version of the SCCM client will be shown in the SCCM admin console.
 

Hyper V VMs revert to snapshot

I'm writing this post because I would like to share my experience of teaching MOC 20341B Core Solutions of Microsoft Exchange Server 2013 with my fellow MCTs. After each module there is a lab in which students can practice with virtual machines reverted to the initially created snapshot. Also, after teaching each module I revert the VMs to their initial state before starting to teach the next module.
To simplify this task of reverting VMs to their initial state, I wrote a quick PowerShell one-liner that reverts VMs that are running and whose name contains 20341B:

Get-VM | ? { $_.state -eq 'Running' -and $_.name -like '*20341B*' } | % { Write-host $_.name ; Get-VMSnapshot $_.name | Restore-VMSnapshot -Confirm:$false }

This PowerShell one-liner can be improved and adjusted to your needs, for example to revert VMs on all students' Hyper V hosts ...
 

Windows 8.1 x86 unable to boot

In this case a friend of mine was complaining that his PC was unable to boot into Windows 8.1 x86, because it was stuck in an endless loop of automatic repair and restart. Automatic Repair was unable to fix the Windows boot problem.
Since Automatic Repair was unable to fix the boot problem, I opened a command prompt (Troubleshoot->Advanced Options->Command Prompt) and tried to fix the problem using bootrec.exe. I ran bootrec.exe with the /Fixmbr and /Fixboot options, but neither of them fixed the boot problem.
Diskpart showed all the partitions that should be present on the disk, configured as they should be.

Because bootrec.exe didn't fix the boot problem, I tried running bootsect with the following options:
bootsect /nt60 C:
And finally the Windows 8.1 x86 boot problem was solved.

For more info about these utilities, check the Microsoft articles on bootsect, bootrec, and diskpart.
 

DHCP Server on Windows Server 2012 R2

In this post I'll write about the error (warning) events I experienced while replacing a DHCP server on Windows Server 2003 with one on Windows Server 2012 R2.
 
For the DHCP database migration I used the netsh dhcp server export (import) option. Running the netsh dhcp server import command on Windows Server 2012 R2 added the user account running the command to HKLM\SYSTEM\CurrentControlSet\Services\VSS\VssAccessControl, which produced warning events in the Application event log from the VSS source with event ID 8230:
Log Name:      Application
Source:        VSS
Date:          Date
Event ID:      8230
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      Computer Name
Description:
Volume Shadow Copy Service error: Failed resolving account account name with status 1376. Check connection to domain controller and VssAccessControl registry key. 
Deleting this user account from HKLM\SYSTEM\CurrentControlSet\Services\VSS\VssAccessControl resolved these warning events, and they were no longer logged in the Application event log.
 
Another issue during this DHCP replacement "project" is that the installation of the DHCP role changes the permissions on the following registry key: HKLM\SYSTEM\CurrentControlSet\Services\VSS\Diag. This registry key has block inheritance enabled, and before installation of the DHCP server role the SDDL for this registry key looks like this:
 
Sddl : O:SYG:SYD:PAI(A;CIIO;RC;;;OW)(A;;KA;;;SY)(A;CIIO;GA;;;SY)(A;;CCDCLCSWRPSDRC;;;LS)(A;CIIO;GA;;;LS)(A;CIIO;GA;;;NS)(A;;CCDCLCSWRPSDRC;;;NS)(A;;KA;;;BA)(A;CIIO;GA;;;BA)(A;;KR;;;BU)(A;CIIO;GR;;;BU)(A;CIIO;GA;;;BO)(A;;CCDCLCSWRPSDRC;;;BO)

 
From the D part of the SDDL string (D:PAI) it can be confirmed that block inheritance is enabled, and that Network Service has permissions on this registry key from the following entries: (A;CIIO;GA;;;NS)(A;;CCDCLCSWRPSDRC;;;NS).
 
After the DHCP role installation, the permission entries for HKLM\SYSTEM\CurrentControlSet\Services\VSS\Diag include a permission for the DHCP server, represented as (A;CI;CCDCLCSW;;;S-1-5-80-3273805168-4048181553-3172130058-210131473-390205191). The other permissions are also not the same as before; they are inherited from the parent HKLM\SYSTEM\CurrentControlSet\Services\VSS, and the SDDL now looks like this:

Sddl : O:SYG:SYD:AI(A;CI;CCDCLCSW;;;S-1-5-80-3273805168-4048181553-3172130058-210131473-390205191)(A;ID;KR;;;AU)(A;CIIOID;GR;;;AU)(A;ID;CCDCLCSWRPSDRC;;;SO)(A;CIIOID;SDGWGR;;;SO)(A;ID;KA;;;BA)(A;CIIOID;GA;;;BA)(A;ID;KA;;;SY)(A;CIIOID;GA;;;SY)(A;CIIOID;GA;;;CO)(A;ID;KR;;;AC)(A;CIIOID;GR;;;AC)
 
From the D part of the SDDL (D:AI) it can be confirmed that permissions are inherited, and Network Service does not have any permission. This situation results in an error event with ID 8193 from the VSS source in the Application event log:
Log Name:      Application
Source:        VSS
Date:          Date
Event ID:      8193
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      computer name
Description:
Volume Shadow Copy Service error: Unexpected error calling routine RegOpenKeyExW(-2147483646,SYSTEM\CurrentControlSet\Services\VSS\Diag,...).  hr = 0x80070005, Access is denied.
This behavior was also noted with Windows Server 2008 R2 and is described in the following Microsoft article: http://support.microsoft.com/kb/2298620 .
To resolve this situation I delegated the Network Service permissions as they were before the installation of the DHCP server role, and error event 8193 from VSS was no longer logged.
Here is a GUI overview of the Network Service permissions for HKLM\SYSTEM\CurrentControlSet\Services\VSS\Diag:
 

 
For more info about SDDL, check MSDN https://msdn.microsoft.com/en-us/library/aa379567(v=vs.85).aspx .
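
The before/after comparison of the VSS\Diag permissions can be scripted instead of read by eye. This is an added example, not code from the original post: it parses the two SDDL strings quoted above with .NET's RawSecurityDescriptor and reports whether inheritance is blocked and which ACEs Network Service (S-1-5-20) holds. The function and variable names are hypothetical, and it assumes Windows PowerShell 3.0 or later.

```powershell
# Added example. The two SDDL strings are copied from the post; everything
# else (function name, variable names) is made up for illustration.
$sddlBefore = 'O:SYG:SYD:PAI(A;CIIO;RC;;;OW)(A;;KA;;;SY)(A;CIIO;GA;;;SY)(A;;CCDCLCSWRPSDRC;;;LS)(A;CIIO;GA;;;LS)(A;CIIO;GA;;;NS)(A;;CCDCLCSWRPSDRC;;;NS)(A;;KA;;;BA)(A;CIIO;GA;;;BA)(A;;KR;;;BU)(A;CIIO;GR;;;BU)(A;CIIO;GA;;;BO)(A;;CCDCLCSWRPSDRC;;;BO)'
$sddlAfter  = 'O:SYG:SYD:AI(A;CI;CCDCLCSW;;;S-1-5-80-3273805168-4048181553-3172130058-210131473-390205191)(A;ID;KR;;;AU)(A;CIIOID;GR;;;AU)(A;ID;CCDCLCSWRPSDRC;;;SO)(A;CIIOID;SDGWGR;;;SO)(A;ID;KA;;;BA)(A;CIIOID;GA;;;BA)(A;ID;KA;;;SY)(A;CIIOID;GA;;;SY)(A;CIIOID;GA;;;CO)(A;ID;KR;;;AC)(A;CIIOID;GR;;;AC)'

# Well-known SID of NT AUTHORITY\NETWORK SERVICE (the "NS" alias in SDDL).
$networkServiceSid = 'S-1-5-20'

function Get-DaclReport {
    param(
        [Parameter(Mandatory = $true)][string]$Sddl,
        [Parameter(Mandatory = $true)][string]$Sid
    )

    # RawSecurityDescriptor only parses the string; it does not touch the registry.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    $protectedFlag = [System.Security.AccessControl.ControlFlags]::DiscretionaryAclProtected

    # ACEs whose trustee is the SID of interest.
    $matching = @($sd.DiscretionaryAcl | Where-Object { $_.SecurityIdentifier.Value -eq $Sid })
    $allowed  = @($matching | Where-Object { $_.AceType -eq 'AccessAllowed' })

    [pscustomobject]@{
        InheritanceBlocked = $sd.ControlFlags.HasFlag($protectedFlag)   # the "P" in D:PAI
        TotalAces          = $sd.DiscretionaryAcl.Count
        SidHasAllowAce     = ($allowed.Count -gt 0)
        SidAces            = @(foreach ($ace in $matching) {
            '{0} mask=0x{1:X8} flags={2} inherited={3}' -f `
                $ace.AceType, $ace.AccessMask, $ace.AceFlags, $ace.IsInherited
        })
    }
}

$cases = @(
    @{ Label = 'before DHCP role install'; Sddl = $sddlBefore },
    @{ Label = 'after DHCP role install';  Sddl = $sddlAfter  }
)

foreach ($case in $cases) {
    $report = Get-DaclReport -Sddl $case.Sddl -Sid $networkServiceSid
    Write-Output ("[{0}] inheritance blocked: {1}; ACEs: {2}; Network Service allowed: {3}" -f `
        $case.Label, $report.InheritanceBlocked, $report.TotalAces, $report.SidHasAllowAce)
    $report.SidAces | ForEach-Object { Write-Output ("    " + $_) }
    if (-not $report.SidHasAllowAce) {
        Write-Output '    -> no allow ACE for Network Service: expect VSS event 8193 (access denied on VSS\Diag)'
    }
}

# To audit a live server, feed the key's current SDDL to the same function (read-only):
# Get-DaclReport -Sddl (Get-Acl 'HKLM:\SYSTEM\CurrentControlSet\Services\VSS\Diag').Sddl -Sid $networkServiceSid
```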
 

Windows 10 media briefing Jan 2015

Microsoft has announced a Windows 10 media briefing for January 21, 2015, at 9:00 AM PT or 6:00 PM CET. The next preview version of Windows 10 should be available soon after the event.
For more info about this event, check the Windows Blog or http://news.microsoft.com/windows10story/
 

How to find out all locked out accounts in Active Directory using Powershell

This PowerShell one-liner, for reference, shows how to find all locked-out accounts in Active Directory using Search-ADAccount with the LockedOut parameter (the ActiveDirectory module is required):
Search-ADAccount -LockedOut
The output from this cmdlet lists all the locked-out accounts. Furthermore, if you want to unlock all those accounts, the output of Search-ADAccount can be piped to the Unlock-ADAccount cmdlet (permission to unlock AD accounts is required), for example:
Search-ADAccount -LockedOut | Unlock-ADAccount

For more info about these powerful cmdlets, please check TechNet: Search-ADAccount and Unlock-ADAccount.
 

How to check EMBG (Unique Master Citizen Number) using regex

In this post, I will share my implementation of how to check if some number looks like EMBG or Unique Master Citizen Number. For those of yo...