KB3161608 & KB3161606 replaced by KB3172605 & KB3172614

KB3172605 (Windows 7 and Windows Server 2008 R2 Sp1) and KB3172614 (Windows 8.1 and Windows Server 2012 R2) are July 2016 update rollups, and are replacing the update rollups from June 2016 (KB3161608 and KB3161606). July 2016 update rollups are fixing the issues that were caused by the June 2016 update rollups (for example: Hyper V and Integration Services issues).
All other updates introduced in June 2016 update rollups are present also into July 2016 update rollups.
So, introduction of new cipher suites to Internet Explorer and Microsoft Egde in Windows introduced in June 2016 update rollups, might break access to some old https enable sites.
This issue can be resolved by uninstalling these update rollups, or in my case adding the following registry key on affected machines (lowering the DHE key length on clients to 512bits, instead using the default 1024bits):

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
"ClientMinKeyBitLength"=dword:00000200

After adding the registry key (restart is not necessary), https "oldies" started to open with Internet Explorer.

Happy Patching :)

Windows 7 SCCM 2012 R2 clients unable to download content

This is a case where Windows 7 x86 non domain workstations with SCCM 2012 R2 client installed were unable to download content from SCCM server. Network Access Account was properly configured, and the client was using it but was still unable to download content. Anonymous clients were not allowed to connect to distribution point. Here are the error messages from DataTransferService.log:

<![LOG[Job {...} impersonating Network Access Account.]LOG]!>
<![LOG[[CCMHTTP] ERROR: URL=http://servername:80/SMS_DP_SMSPKG$/PackageID, Port=80, Options=224, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE]LOG]!>
<![LOG[Error sending DAV request. HTTP code 401, status 'Unauthorized']LOG]!>
<![LOG[GetDirectoryList_HTTP('http://servername:80/SMS_DP_SMSPKG$/PackageID') failed with code 0x80070005.]LOG]!>

After installing the following hotfix KB2522623, this client has successfully downloaded and installed packages. This hotfix is applicable to Windows Server 2008 R2 SP1 also, so this kind of behavior should be expected for those server 2008 R2 SP1 clients that are members of workgroup or DMZ.
 

Shared Folder Quota Not Accurate

In this case users were complaining that cannot share files in shared folder on Windows Server 2008 R2 file server with quota assigned on that shared folder. The shared folder had hard quota assigned, and according to FSRM (File Server Resource Manager) Quota Management 90% was used. Here is the screenshot showing that only 10MB were available for that folder:

Dir command was running with elevated credentials, and I was gaining same output from dir command when running under SYSTEM account. So, I was suspecting that quota calculation for that folder was not accurate. In order to trigger quota recalculation I was using Dirquota, with following syntax:

dirquota quota scan /path:<Path to folder>

After running this command, FSRM Quota Management was showing that 9X% were free (instead used) and users started to share files without getting notified that are reaching maximum quota limit for that folder.

Quickly archive log files on daily basis

In this case server was creating log files few in a second and by the end of the day there were tons of logs in the folder, and manipulations with those files was painful. So, I decided to make a scheduled task which will archive log files older then one day, and delete them after they were added to the archive. I was using rar as archiving solution, and here is the command for the task:

"C:\Program Files\winrar\rar.exe" a -ag -df -to1d -x*.rar  destinationfolder\archivename- sourcefolder\*.*

• a will add files to archive
• -ag will stamp archive name with current date
• -df will delete files after archiving
• -to1d will process files older than 1 day
• -x*.rar will exclude rar files in archive if any

Archive name will look like: archivename-YYYYMMddhhmmss.rar .

How to find disabled user accounts in AD with attributes for proxy address, phones or sip set

Here are simple ldap queries for finding user accounts using active directory user and computers, which are disabled and have following attributes set:

• Proxy address

(&(&(objectCategory=person)(objectClass=user)(useraccountcontrol:1.2.840.113556.1.4.803:=2)(proxyAddresses=*)))

• SIP

(&(&(objectCategory=person)(objectClass=user)(useraccountcontrol:1.2.840.113556.1.4.803:=2)(msRTCSIP-PrimaryUserAddress=*)))

• Phone numbers

(&(&(objectCategory=person)(objectClass=user)(useraccountcontrol:1.2.840.113556.1.4.803:=2)(|(mobile=*)(telephoneNumber=*))))

Error event 12293 in application log for Security-SPP on KMS server

In my case KMS was activated on windows server 2008 R2, with dns publishing option enabled, and server started to log event 12293 in its application log:

Publishing the Key Management Service (KMS) to DNS in the 'domain.name' domain failed.

Info:0x80072338

This server didn't register its SRV dns record. In same domain there was already another KMS server, and reason for this event and behavior was that this new kms server didn't have the permission to update already existing _VLMCS srv record. Resolution for this kind behavior was to add permission for _vlmcs dns record for the newly activated KMS server. There is also microsoft KB for this event http://support.microsoft.com/kb/2553863 .

Unable to reboot remote system

In my case remote workstation was XP and a user was unable to connect using remote desktop client, after disconnecting from the same computer couple of minutes ago. I have decided to initiate reboot of the client workstation using:

shutdown /f /r /m \\computername,

but the machine was hung up, and I tried to initiate same command again but the response was :

A system shutdown is in progress.(1115)

 

After waiting few more minutes the client workstation was not rebooted.

Because there was no one around the client machine to see what's happening on the monitor, and the user desperately needed to establish remote connection to the client workstation I have decided to kill the winlogon process. Using PSKill from PSTools suite I have executed:

pskill -t \\computername winlogon

and the remote workstation was rebooted. Note that killing winlogon process is nearly the same as pulling the plug on the machine.

Installing Windows Server 2008 R2 on HP DL 360 G4

Installing Windows Server 2008 R2 on HP DL 360 G4p is not supported, but Windows 2008 Server x64 is on the list of supported operating systems, so using the information in this post is at your own risk. If you try to install the OS using SmartStart, Windows Server 2008 R2 will not be on the list of operating systems that can be installed, but this does not prevent you to install Windows Server 2008 R2 from installation CD of this operating system and after successful OS installation to install latest PSP (Proliant Support Pack). But, if you try to install PSP there will be critical message: iLO Management Controller Driver is missing.

Installation for “HP Insight Management Agents for Windows Server 2003/2008 x64 Editions” requires one or more of the following that is not currently installed or in the install set:

- HP ProLiant Advanced System Management Controller Driver for Windows

- HP ProLiant iLO Advanced and Enhanced System Management Controller Driver for Windows

- HP ProLiant iLO 2 Management Controller Driver for Windows

- HP ProLiant iLO 3 Management Controller Driver for Windows

- HP ProLiant 100-Series Management Controller Driver for Windows

You can download HP ProLiant ILO Advanced controller driver for Windows Server 2008 x64 editions and run the setup using compatibility mode (Windows Server 2008 Service Pack 1). After installing iLO Management Controller Driver successfully and SNMP feature, you will be able to install latest PSP without errors.

How to turn off IPv6 router discovery?

My recommendation for servers and workstations that do not need "Stateless Autoconfiguration" is to turn off Router Discovery. You can turn of Router Discovery using netsh. For example, if you want to turn off Router Discovery on Local Area Connection you can type in the following statement from elevated command prompt:

netsh int ipv6 set int "Local Area Connection" routerdiscovery=disabled

To check other interface parameters including Router Discovery type in:

netsh int ipv6 show int "Local Area Connection"

And you'll have to receive something like this:

The 'Microsoft.Jet.OLEDB.4.0' provider is not registered on the local machine

In my case the server hosting the web application was IIS 7.5, and this application was trying to collect some data from excel spreadsheet, but there was an exception message:

The 'Microsoft.Jet.OLEDB.4.0' provider is not registered on the local machine.

In order to fix this error I have opened advanced setting of the IIS application pool of affected web application and changed the property of "Enable 32-bit Applications" to True.

 After changing this property, problem has been successfully solved.

How to remove service pack (SP1) backup files on Windows 7 or Windows Server 2008 R2

If you're running out of space on your (virtual) machine with installed Windows Server 2008 R2 and you have installed SP1, and after some time you decide that everything is working fine with installed service pack, you have an option to remove service pack backup created files. One possible way to do that is using DISM :

DISM.exe /online /Cleanup-Image /spsuperseded

More on SP1 about deployment, removal and uninstall on http://technet.microsoft.com/en-us/library/ff817650(WS.10).aspx .