Showing posts from 2016

The User Profile Service Failed The Logon

In this case, a Windows 8.1 workstation had a corrupted Default profile. Domain users, with or without a previously created profile on that machine, were unable to log on and received the following error message:
"The User Profile Service failed the logon. User profile cannot be loaded." I logged on to the workstation with a local admin account and opened the Application event log. A warning event with ID 1509 had been logged from source Microsoft-Windows-User Profiles General, with the following description:
Windows cannot copy file \\?\C:\Users\Default\AppData\Local\Microsoft\Windows\WER to location \\?\C:\Users\TEMP\AppData\Local\Microsoft\Windows\WER. This error may be caused by network problems or insufficient security rights.
To resolve the issue, I forced permission propagation to all child objects of C:\Users\Default:



After successful permission replacement on all child objects of C:\Users\Default, domain users were able to successfully log on to the workst…

Error message when adding MPIO Devices

In this case, the LUNs of a Windows Server 2012 Hyper-V failover cluster were scheduled for storage migration between SANs from different vendors. The Hyper-V hosts were using Fibre Channel to access the SAN LUNs, with PowerPath as their multipathing software. PowerPath was not recommended for use with the new SAN provider, so after the successful VM storage migration it had to be removed, and the Hyper-V hosts had to be configured with native MPIO.
After successfully uninstalling PowerPath, I tried to add MPIO devices using the native MPIO tool, but got the error message "The system cannot find the file specified":


A similar error appeared when using the new PowerShell cmdlet for adding MPIO devices, New-MSDSMSupportedHW.

So, at this point the Hyper-V hosts were using a single path for accessing the SAN LUNs, and obviously something had gone wrong with the "successful" uninstallation of PowerPath. In order to create redundancy for SAN LUN access, I…

Windows Server 2016 Hyper V requirements

Windows Server 2016 Hyper-V has introduced great features (for more info, please check out the official article What's new in Hyper-V on Windows Server 2016), but before jumping in and formatting a disk that holds a previous version of Windows Server with Hyper-V installed, make sure that your hardware meets the requirements. The easiest way is to run systeminfo.exe from a command prompt or PowerShell and check the Hyper-V requirements part of the command output (for example, this is the output from supported hardware):


In my case, I had one test box, an HP DL380 G5 with the Windows Server 2012 Hyper-V role installed, and the Hyper-V part of the systeminfo.exe output looked like this:


For the Windows Server 2016 Hyper-V role, Second Level Address Translation (SLAT) is a requirement, rather than a recommendation as it was for Windows Server 2012 Hyper-V. So, if you don't check these requirements and you try to install the Windows Server 2016 Hyper-V role, you migh…

Introducing Windows Server 2016 Free Ebook

Grab a copy of the free eBook "Introducing Windows Server 2016" at https://blogs.msdn.microsoft.com/microsoft_press/2016/09/26/free-ebook-introducing-windows-server-2016/

This ebook is available in PDF format for standard and mobile readers.

Enjoy!

List MPIO disks active paths

This is a PowerShell one-liner for listing the active paths on MPIO disk devices:
(gwmi -Namespace root\wmi -Class mpio_disk_info).driveinfo | % {Write-host "Name: $($_.name) Paths: $($_.numberpaths)"}
Tested on Windows Server 2012 R2. This one-liner should also work on other Windows Server editions.

If the active paths on MPIO disk devices need to be checked on multiple servers, here is the modified one-liner (it is presumed that the user running it has the necessary permissions, and that the necessary firewall rules for accessing the remote servers are in place):
"server1","server2","server3" | % { write-host $_ -ForegroundColor green  ; (gwmi -ComputerName $_ -Namespace root\wmi -Class mpio_disk_info).driveinfo | % {Write-host "Name: $($_.name) Paths: $($_.numberpaths)"}}
Also tested on Windows Server 2016.

Free Microsoft eBooks Ready For Download

Looking for some great Microsoft eBooks for this summer?
Check out the following link for this summer's reading list.

Feel free to download and share your favorites.

For more info: https://blogs.msdn.microsoft.com/mssmallbiz/2016/07/10/free-thats-right-im-giving-away-millions-of-free-microsoft-ebooks-again-including-windows-10-office-365-office-2016-power-bi-azure-windows-8-1-office-2013-sharepoint-2016-sha/

Have a nice summer!

KB3161608 & KB3161606 replaced by KB3172605 & KB3172614

KB3172605 (Windows 7 and Windows Server 2008 R2 SP1) and KB3172614 (Windows 8.1 and Windows Server 2012 R2) are the July 2016 update rollups, and they replace the update rollups from June 2016 (KB3161608 and KB3161606). The July 2016 update rollups fix the issues that were caused by the June 2016 update rollups (for example, Hyper-V and Integration Services issues).
All other updates introduced in the June 2016 update rollups are also present in the July 2016 update rollups.
So the new cipher suites for Internet Explorer and Microsoft Edge in Windows, introduced in the June 2016 update rollups, are still included and might break access to some old HTTPS-enabled sites.
This issue can be resolved by uninstalling these update rollups or, in my case, by adding the following registry key on affected machines (lowering the DHE key length on clients to 512 bits instead of using the default 1024 bits):

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
"…

Microsoft Exchange ECP in English

This is a quick one: if you're administering Microsoft Exchange 2013 without a mailbox in that organization and you want to open the ECP interface in English (the default language is something other than English), add "?mkt=EN-us" at the end of the URL.

For example, if the URL of the ECP is https://exchange.server.local/ecp, the URL for opening the ECP in English will look like this: https://exchange.server.local/ecp?mkt=EN-us

Microsoft Exchange excessive log growth on database

In this case, in a Microsoft Exchange 2010 organization, one database was generating an excessive number of log files. The number of logs generated for the database was 10 times higher than the usual daily rate for that database. Besides the monitoring tools that were watching the parameters of the Exchange server and reported this excessive log growth, the backup administrators also noticed that the time needed to back up this database had grown.
So, the question was: why is there excessive log growth for this database?
To answer this question, I installed ExMon (Exchange Server User Monitor) on the server that had this database mounted.
For downloading Microsoft Exchange Server User Monitor for Microsoft Exchange Server 2000, 2003, 2007 and 2010, use this link
For downloading Microsoft Exchange Server User Monitor for Microsoft Exchange Server 2013 and 2016, use this link

Running Exchange Server User Monitor reported a user that had "monopolized" store.ex…

Network shares might become inaccessible after installation of KB3161949

In this case, external users were granted access to internal network shares through a Cisco ASA as a published solution. After KB3161949 was installed on the Windows Server 2012 R2 machine hosting those network shares, the shares became inaccessible to these external users. The error message that external users saw in the Cisco ASA portal was "Error contacting host":


Even though this KB is described as "MS16-077 Description of the security update for WPAD: June 14, 2016", it contains a change that affects network share access.
The first change listed in the KB article hardens NetBIOS communication outside of the local subnet, which stops SMB over NetBIOS from working outside of the local subnet (which, in my case, the Cisco ASA relied on for publishing network share access).
Resolving the issue for these external users, and enabling access to internal shares the same way as before installation of this KB, was either by unins…

Event ID 4769 Audit failure with Failure Code 0xC

In this case there was a two-way forest trust between two forests. Forest 1 contained a single domain, Domain1; Forest 2 contained several domain trees. There was also an external trust between Domain1 and domain B.


Users from both forests were able to log in successfully on workstations that were members of both forests. But when users from domain B tried to access resources (file share \\server1.domain1.local\fileshare) in Domain1, a credential prompt asked for a valid username and password. On the domain controllers in Domain1, an Audit Failure was logged with the following details:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Task Category: Kerberos Service Ticket Operations
Level:         Information
Keywords:      Audit Failure

Description:
A Kerberos service ticket was requested.

Account Information:
 Account Name:  user@domainB.local
 Account Domain:  domainB.local
 Logon GUID:  {00000000-0000-0000-0000-000000000000}

Service Information:
 …

Free ebook: Windows 10 IT Pro Essentials: Top 10 Tools

This book is for all IT Pros. Even experienced IT Pros might find some interesting topics and some new ways of achieving their daily tasks.

Grab a copy of the free eBook: Windows 10 IT Pro Essentials: Top 10 Tools.

Searching for AD users with missing email address

In this case, I was searching for AD users with a populated proxyAddresses property but with a missing email address from a specific domain. For example, a user had the email addresses user@domain-a.com and user@domain-c.com, but was missing user@domain-b.com. I wrote a PowerShell one-liner for listing those users:

Get-ADUser -LDAPFilter "(&(proxyAddresses=*)(!(proxyAddresses=smtp:*domain-b.com)))" -Properties proxyAddresses | ? {$_.enabled -eq $true } | ft name,proxyaddresses -AutoSize -Wrap

Also, there was one more condition: the users with the missing email address had to be enabled.

I hope that this PowerShell one-liner will help you in your quest for missing email addresses.

Finding and removing emails from exchange mailboxes

In this case, the security office sent a notification that a potentially malicious email, which had bypassed antimalware protection, had to be removed from users' mailboxes. To find out who had received the email (the sender of the malicious email was provided in the escalation information from the security office) on multirole Exchange servers, I checked the message tracking logs using the following syntax:

Get-ExchangeServer | Get-MessageTrackingLog -start (Get-date).AddDays(-1) -End (Get-date)  -ResultSize unlimited -eventid deliver -Sender "malicioussender@domain.some"
Fortunately, only a few users had received the email message. Once the affected users are known, the email message can be removed from their mailboxes using the Search-Mailbox cmdlet. To run the Search-Mailbox cmdlet, the user must be a member of the Discovery Management role group.
For example, to search the affected mailbox for the messa…

Failed to run task sequence with following error 0x80070570

In this case, during operating system deployment using an SCCM 2012 R2 task sequence, I experienced error 0x80070570 on some machines:


According to MSDN, the description of error (0x570) 1392 is: "The file or directory is corrupt and unreadable."

The job of this task sequence was to deploy a new operating system using the wipe-and-load scenario. To fix the issue and allow the task sequence to finish its job, I entered debug mode using F8 and used diskpart. Since the operating system deployment scenario was wipe and load, I didn't care much about the data stored on the disk. So, here is the syntax for cleaning the disk:
diskpart -> list disk -> select disk 0 -> clean -> exit
After cleaning the disk, the task sequence successfully installed the required operating system.

Finding scripts in GPOs

For this case I wrote a simple, easy-to-read PowerShell script for finding GPOs with scripts and their links to OUs. The script requires domain administrator credentials for enumerating the GPOs' machine startup folders. To populate the $dc and $dom variables, the script asks for an online domain controller and the domain name. It then enumerates the Policies folders, searching for files with the vbs, bat, and vbe extensions. It also uses a regex to extract the GPO GUID found between the curly brackets "{}" in the full file path. Using the GPO GUID, the script resolves the GPO name and the OUs where that GPO is linked. At the end, the script outputs the data.

$dc = Read-Host "Online DC (example:dc1)"
$dom = Read-Host "Domain name (example:domain.com)"

dir \\$dc\SYSVOL\$dom\Policies -Include *.vbs,*.bat,*.vbe -Recurse | select -ExpandProperty Fullname | Select-String -Pattern "(?<=\{).*?(?=\})"  | % {

    $id=$_.matches[0].value
    $gpo=get-gp…

Exchange Powershell in Multi Domain Environment

This is a quick one: if you're using Exchange PowerShell to manage an environment where Exchange recipients are located across multiple domains in a forest, you might be wondering why, by default, you are not able to manage recipient objects that are located in different domains. The reason is that, by default, you can only manage objects located in the domain where the Exchange servers are located.
To change this behavior, for example to manage recipient objects located across the forest, the Set-AdServerSettings cmdlet is your friend:
Set-AdServerSettings -ViewEntireForest $true
One thing to note is that this change of view scope is limited to the currently open session.