The User Profile Service Failed The Logon

In this case, there was a Windows 8.1 workstation with corrupted Default profile. All domain users with or without previously created profile on that machine were unable to logon with following error message:

"The User Profile Service failed the logon. User profile cannot be loaded."

I've logged on to the workstation with local admin account, and opened the Application Event Log, a warning event with id 1509 was logged, from source Microsoft-Windows-User Profiles General with following description:

Windows cannot copy file \\?\C:\Users\Default\AppData\Local\Microsoft\Windows\WER to location \\?\C:\Users\TEMP\AppData\Local\Microsoft\Windows\WER. This error may be caused by network problems or insufficient security rights.

In order to resolve the issue, I've forced permission propagation to all child objects on C:\users\Default:

After successful permission replacement on all child object of C:\Users\Default, domain users were able to successfully log on to the workstation, again.

Error message when adding MPIO Devices

In this case, Window Server 2012 Hyper V failover cluster LUNs were scheduled for storage migration from different vendors. Hyper V hosts were using fiber channel for accessing the SAN LUNs. These Hyper V hosts were using PowerPath as their multipathing software. This software was not recommended for use with the new SAN provider. So, after successful VM storage migration, PowerPath had to be removed, and Hyper V server hosts had to be configured with native MPIO.
After successful uninstallation of  PowerPath, I've tried to add MPIO devices using native MPIO tool, but there was error message "The system cannot find the file specified":

Similar error was prompt, when using the new powershell cmdlet for adding MPIO devices
New-MSDSMSupportedHW.

So, currently Hyper V server hosts were using single path for accessing the SAN LUNs, and obviously something went wrong with "successful" uninstallation of Powerpath. In order to create redundancy for SAN LUN access, I've reinstalled the MPIO feature on all Hyper v hosts.
After successful reinstallation of MPIO feature, I was able to add MPIO devices using native MPIO tool and enabled multiple paths for accessing SAN LUNs from Hyper V server hosts.
 

Windows Server 2016 Hyper V requirements

Windows Server 2016 Hyper V has introduced great features (for more info, please checkout the official article What's new in Hyper-V on Windows Server 2016 ), but before jumping in and formatting the disk with previous version of Windows Server operating system with Hyper V installed, please make sure that your hardware has the needed requirements. The easiest way is to run systeminfo.exe from command prompt or Powershell, and checkout the Hyper V requirements part from the command output (for example: this is the output from supported hardware):

In my case, I was having one test box HP DL380 G5 with Windows Server 2012 Hyper V role installed, and the output from systeminfo.exe for Hyper V part, looked like this:

For Windows Server 2016 Hyper V role, Second Level Address Translation (SLAT) is requirement, instead recommendation as it was for Windows Server 2012 Hyper V. So, if you don't check these requirements and you try to install Windows Server 2016 Hyper V role, you might experience the following error message:

Conclusion: some old hardware boxes might not be able to see the "light" of the new Microsoft Windows Server 2016 with Hyper V role installed.

Intoducing Windows Server 2016 Free Ebook

Grab a copy of free eBook "Introducing Windows Server 2016" on https://blogs.msdn.microsoft.com/microsoft_press/2016/09/26/free-ebook-introducing-windows-server-2016/ .

This ebook is available in pdf format for standard and mobile readers.

Enjoy!

List MPIO disks active paths

This is a single liner PowerShell for listing active paths on MPIO disk devices:

(gwmi -Namespace root\wmi -Class mpio_disk_info).driveinfo | % {Write-host "Name: $($_.name) Paths: $($_.numberpaths)"}

Tested on Windows Server 2012 R2. This single liner should also work on other Windows Server editions.

And in case if there are multiple servers for checking the active paths on MPIO disk devices, here is the modified single liner (it's presumed that user running the bellow single liner owns the necessary permissions, and there are necessary firewall rules for accessing remote servers):

"server1","server2","server3" | % { write-host $_ -ForegroundColor green  ; (gwmi -ComputerName $_ -Namespace root\wmi -Class mpio_disk_info).driveinfo | % {Write-host "Name: $($_.name) Paths: $($_.numberpaths)"}}

Tested also on Windows Server 2016. 

Free Microsoft eBooks Ready For Download

Looking for some great Microsoft eBook for this summer?
Checkout the following link, for this summer reading list.

Feel free to download and share your favorites.

For more info: https://blogs.msdn.microsoft.com/mssmallbiz/2016/07/10/free-thats-right-im-giving-away-millions-of-free-microsoft-ebooks-again-including-windows-10-office-365-office-2016-power-bi-azure-windows-8-1-office-2013-sharepoint-2016-sha/

Have a nice summer time !

KB3161608 & KB3161606 replaced by KB3172605 & KB3172614

KB3172605 (Windows 7 and Windows Server 2008 R2 Sp1) and KB3172614 (Windows 8.1 and Windows Server 2012 R2) are July 2016 update rollups, and are replacing the update rollups from June 2016 (KB3161608 and KB3161606). July 2016 update rollups are fixing the issues that were caused by the June 2016 update rollups (for example: Hyper V and Integration Services issues).
All other updates introduced in June 2016 update rollups are present also into July 2016 update rollups.
So, introduction of new cipher suites to Internet Explorer and Microsoft Egde in Windows introduced in June 2016 update rollups, might break access to some old https enable sites.
This issue can be resolved by uninstalling these update rollups, or in my case adding the following registry key on affected machines (lowering the DHE key length on clients to 512bits, instead using the default 1024bits):

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
"ClientMinKeyBitLength"=dword:00000200

After adding the registry key (restart is not necessary), https "oldies" started to open with Internet Explorer.

Happy Patching :)

Microsoft Exchange ECP in English

This is quick one, just in case you're administering Microsoft Exchange 2013 without mailbox in that organization, and you want to open the ECP interface in English (default language is something else than English), at the end of the url add "?mkt=EN-us".

For example: if the URL of the ECP is https://exchange.server.local/ecp, URL for opening ECP on English will look like this: https://exchange.server.local/ecp?mkt=EN-us .
 

Microsoft Exchange excessive log growth on database

In this case, in Microsoft Exchange 2010 organization, there was excessive log files generation for one database. Number of logs generated for the database was 10 times higher than usual daily rate for that database. Besides monitor tools that were monitoring the parameters of the Exchange server and reported this excessive log growth for the database, backup administrators has also noticed that time needed for the backup of this database has also grown.
So, question was why there is excessive log growth for this database ?
For answering this question I've installed ExMon (Exchange Server User Monitor) on server that was having this database mounted.
For downloading Microsoft Exchange Server User Monitor for Microsoft Exchange Server 2000,2003,2007 and 2010 use this link
For downloading Microsoft Exchange Server User Monitor for Microsoft Exchange Server 2013 and 2016 use this link

Running Exchange Server User Monitor has reported a user that has "monopolized" store.exe process cpu usage to 50% and generated huge amount of log data. Disabling this user has normalized logs generated files for the affected database. And the reason for this huge amount of logs generated files for the database was a faulty activesync device registered by this user. Enabling this AD user and disabling activesync access for this user, has also stabilized affected database logs generation.

For more info about ExMon follow this link.

Refreshing ExMon might crash the console and prevent ExMon from running again with following error "Unknown StartTrace error (183)", because the previously started trace is still running. In order to resolve the issue, check the status of running traces and search for "Exchange Event Trace" with "logman query -ets" :

Stop the trace with "logman stop "Exchange Event Trace" -ets ", and ExMon should start successfully.

For more about debugging Microsoft Exchange excessive database logging please check https://blogs.technet.microsoft.com/exchange/2013/04/18/troubleshooting-rapid-growth-in-databases-and-transaction-log-files-in-exchange-server-2007-and-2010/ .
 

Network shares might become inaccessible after installation of KB3161949

In this case, access to internal network shares for external users was granted over Cisco ASA as a published solution. After installation of KB3161949 on Window Server 2012 R2, that was hosting those network shares, the network shares become inaccessible to these external users. The error message that external users were experiencing by the Cisco ASA portal was "Error contacting host":

Even though the description of this KB is "MS16-077 Description of the security update for WPAD: June 14, 2016", there is a change by this KB affecting the network shares access.
The first change listed in the KB article is hardening the NETBIOS communication outside of the local subnet, affecting the SMB over NETBIOS to stop working outside of the local subnet (in my case Cisco ASA for publishing network share access was relying on).
Resolving the issue for these external users, and enabling access to internal shares same way as before installation of this KB, was either by uninstalling the KB or enabling the following key in registry:

SUBKEY: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
Value Name: AllowNBToInternet
Type: Dword
Value: 1

After creation of AllowNBToInternet and setting the value to 1, and rebooting the server, external users were able to connect to network shares again, hosted on Windows Server 2012 R2 and published by Cisco ASA.
 

Event ID 4769 Audit failure with Failure Code 0xC

In this case there was a two way forest trust between two forests. Forest 1 was containing single domain1, Forest 2 was containing several domain trees. Also, there was a external trust between Domain 1 and domain B.

Users from both forest we're able to login successfully on workstations that were also members in both forests. But, when users from domain B were trying to access resources (file share \\server1.domain1.local\fileshare) in Domain1, there was a credential prompt requesting for valid username and password. On domain controllers in Domain1 Audit failure was logged with following details:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Task Category: Kerberos Service Ticket Operations
Level:         Information
Keywords:      Audit Failure

Description:
A Kerberos service ticket was requested.

Account Information:
 Account Name:  user@domainB.local
 Account Domain:  domainB.local
 Logon GUID:  {00000000-0000-0000-0000-000000000000}

Service Information:
 Service Name:  cifs/server1.domain1.local
 Service ID:  NULL SID

Network Information:
 Client Address:  ::ffff:a.b.c.d
 Client Port:  49783

Additional Information:
 Ticket Options:  0x40810000
 Ticket Encryption Type: 0xffffffff
 Failure Code:  0xc
 Transited Services: -

From https://technet.microsoft.com/en-us/library/bb463166.aspx Failure code 0xC is KDC_ERR_POLICY.

I have successfully resolved this issue by enabling name suffix Domainb using Trust properties, Name Suffix Routing tab in Forest 1. After enabling Domainb in Name suffix routing tab, users from DomainB were successfully accessing resources in Domain1 using Kerberos without any credential prompt.
 

Free ebook : Windows 10 IT Pro Essentials: Top 10 Tools

This book is for all IT Pros. Even experienced IT Pros might find some interesting topics and some new ways for achieving their daily tasks.

Grab a copy of free eBook: Windows 10 IT Pro Essentials: Top 10 Tools .

Searching for AD users with missing email address

In this case, I was searching for AD users with populated proxyaddresses property, but with missing email address from specific domain. For example: a user was having following email addresses: user@domain-a.com and user@domain-c.com, but was missing the user@domain-b.com. I wrote a singleliner PowerShell for listing those users:

Get-ADUser -LDAPFilter "(&(proxyAddresses=*)(!proxyAddresses=smtp:*domain-b.com))" -Properties * | ? {$_.enabled -eq $true } | ft name,proxyaddresses -AutoSize -Wrap

Also, there was one more condition that users with missing email address have to be enabled.

I hope that this singleliner Powershell will help you in a quest for missing email addresses.
 

Finding and removing emails from exchange mailboxes

In this case security office has sent notification, that potentially malicious email that bypassed antimalware protection has to be removed from user's mailboxes. In order to find out who has received the specified email (the sender of the malicious email was provided in the escalation information from the security office), in case of multirole exchange servers, I've checked the message tracking logs using following syntax:

Get-ExchangeServer | Get-MessageTrackingLog -start (Get-date).AddDays(-1) -End (Get-date)  -ResultSize unlimited -eventid deliver -Sender "malicioussender@domain.some"

Fortunately, the number of users that have received the specified email message were few. Knowing the affected users, removing the email message from their mailbox can be done using Search-Mailbox cmdlet. For running the Search-Mailbox cmdlet, the user running this cmdlet must be a member of Discovery Management role group.
For example, to search the affected mailbox for the message with sender "malicioussender@domain.some" and send the results log to some auditor's mailbox (messages are not removed from the affected mailbox):

Search-Mailbox -Identity "user@affected.maibox" -SearchQuery 'From: "malicioussender@domain.some"' -TargetMailbox "auditor@mailbox.domain" -TargetFolder "SearchUsersLogs" -LogOnly -LogLevel Full

In order to delete the message from the affected mailbox, Search-Mailbox has DeleteContent parameter. For using the DeleteContent parameter, user running the search-mailbox cmdlet, also has to have the Mailbox Import Export management role assigned.
For assigning Mailbox Import Export Role to a Role Group, please follow the TechNet article https://technet.microsoft.com/en-us/library/ee633452(v=exchg.141).aspx .

Now, it's time to remove the messages from affected mailbox, and copy them auditor's mailbox:

Search-Mailbox -Identity "user@affected.maibox" -SearchQuery 'From: "malicioussender@domain.some"' -TargetMailbox "auditor@mailbox.domain" -TargetFolder "SearchUsersLogs" -DeleteContent

Messages were successfully deleted from affected mailbox, and copied to a auditor's mailbox.
 

Failed to run task sequence with following error 0x80070570

In this case, during operating system deployment using SCCM 2012 r2 task sequence, I have experienced error 0x80070570 on some machines:

From the MSDN, descriptive information for the error (0x570) 1392 is: "The file or directory is corrupt and unreadable."

This task sequence job was to deploy new operating system using wipe and load scenario. In order to fix this issue and allow the task sequence to finish it's job, I've entered into debug mode using F8 and used diskpart. Since, the operating system deployment scenario was wipe and load, I didn't care much about the data stored on disk. So, here is the syntax for disk cleaning:

diskpart -> list disk -> select disk 0 -> clean -> exit

After cleaning the disk, the task sequence has successfully installed the required operating system.
 

Finding scripts in GPOs

For this case I wrote a simple PowerShell easy to read script for finding GPOs with scripts and their links to OUs. The script requires domain administrator credential for enumerating GPOs machine startup folder. For populating $dc and $dom variables the script requires online domain controller and domain name. Then the script will start to enumerate policies folders searching for files with vbs,bat, and vbe extensions. It will also filter out with regex the gpo guid found between the curly brackets "{}"in the full file path. Using the gpo guid the script will resolve the gpo name and OUs where that gpo is linked. At the end the script will output the data.

$dc = Read-Host "Online DC (example:dc1)"
$dom = Read-Host "Domain name (example:domain.com)"

dir \\$dc\SYSVOL\$dom\Policies -Include *.vbs,*.bat,*.vbe -Recurse | select -ExpandProperty Fullname | Select-String -Pattern "(?<=\{).*?(?=\})"  | % {

    $id=$_.matches[0].value
    $gpo=get-gpo -guid $id
    $ou =Get-ADOrganizationalUnit -LDAPFilter "(gPLink=*$id*)"

    Write-host $_
    Write-Host "GPOName=" -ForegroundColor Red -NoNewline
    Write-host $gpo.DisplayName -NoNewline
    Write-Host "`tStatus=" -ForegroundColor Yellow -NoNewline
    Write-host $gpo.GpoStatus
    Write-Host "OUlinks=" -ForegroundColor Green -NoNewline
    Write-host $ou.Name
    Write-Host " "

}


Feel free to customize or modify the script to satisfy your needs.
 

Exchange Powershell in Multi Domain Environment

This is quick one, if you're using Exchange PowerShell for managing environment where exchange recipients are located across multiple domains in forest, you might be wondering why by default you will not be able to manage recipient objects that are located in different domains. The reason for this behavior is that by default, you will be able to manage objects that are located in the domain where Exchange servers are located.
In order to change this behavior, for example to manage recipient objects located across forest Set-AdServerSettings cmdlet is your friend:

Set-AdServerSettings -ViewEntireForest $true

One thing to notice is that, the change of this view scope is only limited to current open session.