Wednesday, July 11, 2018

Windows 10 Fall Creators Update 1709 fails to apply (update 1803 I experienced same issue)

I recently had a number of Dell Latitude e7450 laptops that would rollback the installation of 1709. I also had several of the exact same model laptop that installed successfully.
In most cases I would be left with no indication of why it failed. I attempted installation from WSUS, Windows Update Assistant, and Windows Media Creation to USB.

I updated drivers, bios, all applications, removed AV (note had most succeed with AV), repair windows update, rename the softwaredistribution folder, etc, all to no effect.

Only when using the Windows Media Creation tool and then running the update from USB did it give me any workable indication of what was going wrong. (double click setup from the USB drive)

"We couldn't install Windows 10.  We've set your PC back to the way it was right before you started installing.  0x8007042B - 0x3000D  The installation failed in the FIRST_BOOT phase with an error during MIGRATE_DATA operation"

That helps! MS even gives a "click here" for troubleshooting codes that pertain. Unfortunately, none of them are this code.  Google foo gave some info and short time later I was looking at the C:\Windows\Panther\  folder.  In particular the C:\Windows\Panther\NewOs\Panther\setuperr.log.

Almost at the very bottom I found a line stating:
Error WRITE, 0x000000B7 while gathering/applying object: File, C:\Users\username\AppData\Roaming\Microsoft\Windows\Recent [2017_09_1_3177.pdf.lnk]. Will return 0[gle=0x00000002]
Error 183 while applying object C:\Users\username\AppData\Roaming\Microsoft\Windows\Recent [2017_09_1_3177.pdf.lnk]. Shell application requested abort[gle=0x00000002]
Abandoning apply due to error for object: C:\Users\username\AppData\Roaming\Microsoft\Windows\Recent [2017_09_1_3177.pdf.lnk][gle=0x00000002]
Apply failed. Last error: 0x00000000

The recent folder under AppData\Roaming\Microsoft\Windows ended up being the issue for every computer that I had issues updating to 1709 or 1803!

Cleanup profile:
I went to the path in question and dumped the entire recent folder.  Started upgrade again and success!
What a pain, why can't the error descriptions be descriptive and helpful.

Thursday, June 7, 2018

Office 365 - Add Shared Mailbox's Calendar to mobile device

With all the recent changes to Office 365 I found that it's become confusing as to how to easily add a Shared Mailbox OR Room Calendar to a users mobile device.  This works for both Native iOS calendar app or the Outlook for iOS / Android app.

This post goes over the new features
Calendar Sharing in Office 365

Additionally, this post goes over sharing your calendar!
Share your calendar in Outlook on the web for business

And finally, this has instructions for opening a shared mailbox in a seperate window so that you can access the necessary share button which is critical step.
Open and use a shared mailbox in Outlook Web App

Natively, when you create a new Shared or Room mailbox and assign delegates from the O365 Admin portal the new mailboxes / calendars will automatically show up in your Outlook for PC application after a short period.  They do not however automatically show up on your mobile device.  Instead, you must access the Shared / Room mailbox directly and add each user as a delegate which in turn emails an invitation to the users.  The user must then accept the invite from the mobile device which will add it to all of their mobile devices.

  1. First, we've created the Shared mailbox we want and added the "members".  This will automatically add the mailbox / calendar to those users Outlook for PC application. 
  2. Log into OWA with an account that has permission to the Shared Mailbox / Room that was just created.  Click the user account in the top right corner.  Click the "Open another mailbox..." option.

  3. Type in the name of the mailbox / room and ensure it finds it in the list.  If you don't have the proper permissions then you'll get an error "Something went wrong".  It can take some time after assigning permissions to yourself before they properly propagate.
  4. The mailbox will open in a new window.  Open the calendar.
  5. Click the Share button at the top middle.  This will open up the "Share this calendar:Calendar" window.
  6. Search for the person you want to add and give them the proper permission level.  Then click "Share"
  7. This will send an email invitation to the user. They will need to open the email invitation from a mobile device!

  8. From iOS native app the calendar is listed.
  9. Or from the Outlook for iOS / Android
  10. If the user wants to remove the calendar they can click on the i / information option on the right side (iOS) or settings gear (Outlook for iOS / Android) and at the bottom is the remove option.

Hopefully MS will give the option of having these calendars auto deploy to mobile device same or similar to the way it does with outlook for PC in the future.

Thursday, March 29, 2018

Veeam Backup Error Code 32768

Last night we received the following error on a previously working server.

Failed to create VM recovery checkpoint (mode: Veeam application-aware processing) Details: Job failed (''). Error code: '32768'.
Failed to create VM recovery snapshot, VM ID 'f74ddb15-6900-4f62-ad2a-31ed600531f1'.  

Host: Windows Server 2016
VM: Windows Server 2016 - hosting Quickbooks database manager and Azure AD Connect

Several updates had been applied to the server the day prior.  Additionally, AD Connect had been updated to version 1.1.750

Additional error from eventvwr: 
Log Name:      Application
Source:        VSS
Event ID:      8229
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
A VSS writer has rejected an event with error 0x800423f4, The writer experienced a non-transient error.  If the backup process is retried,
the error is likely to reoccur.
. Changes that the writer made to the writer components while handling the event will not be available to the requester. Check the event log for related events from the application hosting the VSS writer. 

Some googling ended up with this hit:

Open the appwiz.cpl, select "Microsoft SQL Server 2012 Express LocalDB" and repair.  This will require a reboot.

We are now able to create checkpoints of the VM again without issue.

Wednesday, November 1, 2017

Chrome Browser - prevent / restrict user sign in

In the past I've always forced my end users to use IE.  This made sense as IE is integrated with Windows and could be heavily managed by GPO and other domain settings.
More and more I found myself personally going to Chrome for tasks since it "worked better".  So, I finally admitted (few years back actually) that maybe it makes sense for me to loosen up a bit and let the end users in on Chrome in the workplace as well.

As with all good things come that pain in the arse with them as well.  Google of course wants users to utilize it's services and logging into the Chrome site helps simplify this.  But in the workplace this may not be a great thing to have end users purposely or accidentally logging into their personal Gmail (or even other company G Suite) accounts.

One would think a simple google search would yield lots of results on how to prevent login to Chrome browser, but for me at least I only found lots of irrelevant junk.  Perhaps I need to work on my googlefoo.

At one time Chrome ADM templates had a settings called "Allow sign-in to chrome" or something to that respect.  Fairly obvious and easy to find.  That has since been removed.

NOW there is a setting in the ADMX labeled "Restrict which users are allowed to sign in to Google Chrome".  This is the new setting that we want.  Found under the following after you add your ADMX template.
Computer Configuration/Administrative Templates/Google/Google Chrome  (also under User Config if that meets your needs better)

Enable the setting, put in a bogus expression (or your organizations matching expression if you utilize Google business apps) and deploy to computers or users depending on your needs.

Users can now attempt to login to Chrome and they are greeted with a lovely "you can't do that"

Funny enough I found that I could go to other Google services, for instance blogspot, and login.  But then once I tried to go away from blogspot to say, gmail, it choked.

Wednesday, November 2, 2016

Powershell - FSMO Roles

Viewing FSMO with Powershell
Get-ADDomainController -Filter * | ForEach-Object {$_.Name; $_.OperationMasterRoles; Write-Host}

Transfering FSMO roles with Powershell
Move-ADDirectoryServerOperationMasterRole -Identity servername -OperationMasterRole InfrastructureMaster, RIDMaster, DomainNamingMaster, PDCEmulator, SchemaMaster

Tuesday, July 19, 2016

WSUS Error: Connection Error after KB3148812 and KB3159706

After getting a WSUS server up to date the console no longer worked.

The error is very uninformative...

Log Name:      System
Source:        Service Control Manager
Date:          7/18/2016 10:39:15 AM
Event ID:      7034
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
The WSUS Service service terminated unexpectedly.  It has done this 3 time(s).

The proper fix for both of these KB's which you SHOULD install:

Also, don't forget that if you are not using SSL for WSUS you should be!

Tuesday, July 5, 2016

Remove iPhone Native apps

With our recent iPhone re-deployment there where several native apps that I wanted to remove.  This is pretty easy to do with Apple Configurator and XenMobile.  This requires the phone to be supervised.  Supervised mode can be set with Apple Configurator or if you sign up for Apple DEP.  Supervising the phone will wipe it.

  1. Ensure Apple Configurator is version 2.x
  2. Click File - New Profile
  3. Restrictions - Configure - Apps tab
  4. Under "Restrict App Usage"
  5. Set to "Do not allow some apps"
  6. Click the plus sign
  7. Type the App name you want to remove and choose it
  8. File - Save - name it and save it
Now you have a profile for the app(s) that will remove them.  You just need to upload this into XenMobile (or other MDM) and apply it to your devices.  Can also be applied straight from Apple Configurator.  I prefer to not use the Configurator to apply ANY configuration and instead push it through MDM.  This allows easier removal of profiles and policies.

XenMobile - do this from the Mac with Apple Configurator on it.
  1. Under Configure - Device Policies - Add
  2. More - Custom - Import iOS & Mac OS X Profile
  3. Name it and then browse to the newly created and saved profile.
  4. Assign to the proper delivery policy and you're all set!
Sit back and watch the native app disappear.

How to get the native app back?  Just remove the profile.

Wednesday, May 25, 2016

DHCP Migrate Failover Deployment to Server 2012 R2

Awhile back I wrote a guide to migrate from split scope to failover that is new in Windows 2012.

This guide is intended to move the failover to a new Windows Server 2012 R2.  As you already know you can only have two servers in each failover scope.  So in order to do the migration we'll need to drop a server.  The steps to do this are very easy, but attention needs to be paid to where you execute the commands or you could drop the wrong server.

We'll identify our servers as the following:
  • Win2012-01 - Primary DHCP server moving away from
  • Win2012-02  - Secondary DHCP server moving away from
  • Win2012R2-01 - Primary DHCP server moving to
  • Win2012R2-02 - Secondary DHCP server moving to
I'm assuming you already have your new servers built and DHCP role installed.

Also important to note first! If the static IP address of a DHCP server needs to be changed, you must first delete all DHCP failover relationships that exist on that server, and then recreate the relationships when the new IP address is active. 

First we'll remove DHCP failover from Win2012-02
  1. Get a good backup of DHCP
  2. Log into Win2012-01 and open powershell as administrator (right click run as administrator)
  3. Run Get-DhcpServerv4Failover
    1. This gives us necessary information for removing the failover.  Note this will also tell you which partner it's connected to.
  4. Make note of the Name.  In my case it's TF-192.168
  5. The next command will remove the failover AND the scope from the opposite server.  For instance, I'm running this on Win2012-01, which will leave it's scope and leases intact.  But it will remove the scope and leases from Win2012-02.  Always run the remove command from the server you want to leave intact.
    1. Remove-DhcpServerv4Failover -Name TF-192.168
  6. Note that Win2012-02 no longer has the scope available (refresh the console)
Now let's add Win2012R2-01 into the scope (note I'm leaving my scope name the same, also I'm using hot standby which is indicated by "ServerRole")
  1. This command is run from Win2012-01
  2. Add-DhcpServerv4Failover -ComputerName Win2012-01 -PartnerServer Win2012R2-01 -name TF-192.168 -ScopeId -ServerRole Active -SharedSecret Ican'tTellYou -Force
  3. From the DHCP console we can now confirm that Win2012R2-01 is getting the scope and leases replicated to it (F5)
  4. In addition run Get-DhcpServerv4failover and you should see the new replication partner of Win2012R2-01 listed, ServerRole of Active (meaning Win2012-01 is still the primary), and Mode of hotstandby.
NOTE: Notice that it only replicates over the scope, but not anything below that.  If you set your Options or policies at the server level then this will not move them!  It also won't move your Filters.  

At this point we have DHCP Failover between Win2012-1 (Active) and Win2012R2-01 (Standby)

Now let's drop Win2012-01 out of the failover
  1. This command is run from Win2012R2-01  (Important, otherwise you'll drop the wrong server)
  2. Remove-DhcpServerv4Failover -Name TF-192.168
  3. Confirm in DHCP console that Win2012-01 no longer has any dhcp scopes (refresh)
Now we can add in Win2012R2-02
  1. From Win2012R2-01
  2. Add-DhcpServerv4Failover -ComputerName Win2012R2-01 -PartnerServer Win2012R2-02 -name TF-192.168 -ScopeID -ServerRole Active -SharedSecret Ican'tTellYou -Force

As a final step run your Get-DhcpServerv4Failover and check status.  Also refresh your DHCP consoles and ensure all is happy.  Make sure you configure your Server level options and Policies if needed as well as Conflict Detection Attempts.

Thursday, May 19, 2016

Powershell Moving and Viewing FSMO roles

Recently wanted to move my FSMO roles, but didn't want to use the old method of netdom.  Besides, everything is going powershell so might as well start learning now!

View the current holders:

  1. Thanks to The Scripting Guy - Get-ADDomainController -filter * | Select-Object Name, OperationMasterRoles

Now we can move them

  1. Move-ADDirectoryServerOperationMasterRole -Identity "servername" -OperationMasterRole 0,1,2,3,4 (or use their names)

Wednesday, April 27, 2016

Domain Controller high CPU - Service Host / Security Log

I had been having problems for sometime with our Windows Server 2012 and 2012 R2 domain controllers.  The CPU would spike to 50% and sit there occasionally dropping down to 2% and then shortly after back up to 50%.

The process in question was the Service Host: Local Service (Network Restricted).
The sub processes are:

  • TCP/IP NetBIOS Helper
  • Windows Event Log
  • DHCP Client

It doesn't take a lot of google fu to find the following post:

From this post it indicates that the Windows Security log could be at fault.  I took a look at ours and it was set to overwrite and had a maximum size of 1GB (actually well under the MS maximum size, but still large imo).  A quick test of clearing the log fixed the issue.

Of course the issue started up again a few days later when the log got full and started to overwrite again.  So, I reduced the maximum size of the security log to 10mb (not large enough to hold much of course, but we're just testing at this point).  Once the log started overwriting again no issue.  From this I made the conclusion that the issue isn't just overwriting events, but rather overwriting the events when the log is very large.

  1. Ensured that our SIEM solution was collecting the logs every hour.
  2. Set the maximum log size for the security log to a value that will hold 12 hours of logs and then overwrite.  To determine this value I just had to wait and then check it's properties (for each DC!)
  3. If any logging event success / failures are ever changed I'll need to re-evaluate that the size is still sufficient.
Another solution that I didn't like as much was to throw hardware at the issue, ie add a CPU.

In addition here's a good table of MS recommendations on logging settings

Friday, March 25, 2016

XenApp 6.5 Remote Powershell

Recently I wanted to be able to remotely run a powershell script against my XenApp 6.5 farm to be able to manipulate the logon mode.  This can easily be done with Powershell from the hosts themselves, but I ran into issues when running it from workstations or in my case a monitoring service.

Goal: Remotely run a powershell script from a monitoring service to disable logons if a specific failure occured.  In addition, query the server what what the servers are currently set to.

  1. XenApp AppCenter / DSC installed on remote machine
  2. Patch DSCXAMx650W006 installed on remote machine
  3. CitrixXenAppCommandsRemoting Service set to Automatic and Running on at least one server in the farm.
  4. Port 2513 open
Note: if a XA server is installed in Session host mode then it will have the Command Remoting service disabled.

Once you have AppCenter installed and the patch installed you should be set.  Open Powershell up (I prefer to use ISE)

First we need to add the Citrix snappin.  Add-PSSnapin Citrix*
For the command we'll need two components to make it work.
  1. -Computername parameter, this is going to be the XA Server that has the XenApp Command Remoting Service enabled and running on it.  
  2. -Servername parameter, this is going to be the XA Server that you want information on.  If you do not include this parameter then it will return information on all servers in the farm.

Let's say I want to find out all information for a single server in my farm.  In this instance XAADM is my data collect that has the Commands Remoting service running on it and XA01 is the server I want information on.  In this instance we could run the following:

Get-XAServer -ComputerName XAADM -ServerName XA01

Great, now we can use this to disable logons on a server remotely.

Set-XAServerLogonMode -ComputerName $Comp -LogOnMode $LogonMode -ServerName $Server

  • AllowLogOns
  • ProhibitNewLogOnsUntilRestart
  • ProhibitNewLogOns
  • ProhibitLogOns

or to get a list of LogonMode status:
$(Get-XAServer -ComputerName XAADM -ServerName XA01).LogonMode

Errors and causes:
Citrix XenApp Commands Remoting Service:
Get-XAServer : Could not connect to net.tcp://s-xa01:2513/Citrix/XenAppCommandsRemoting. The connection attempt lasted for a time span of
00:00:01.0010632. TCP error code 10061: No connection could be made because the target machine actively refused it x.x.x.x:2513.
At line:1 char:3
+ $(Get-XAServer -ComputerName S-XA01).LogonMode
+   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-XAServer], EndpointNotFoundException
    + FullyQualifiedErrorId : System.ServiceModel.EndpointNotFoundException,Citrix.XenApp.Commands.GetServerCmdlet

This error indicated that the "CitrixXenAppCommandsRemoting" service was not running on the specified "Servername"

Citrix Remoting:
Get-XAServer : Citrix commands must be executed at the Citrix server or using remoting. Make sure that your user account is a Citrix
administrator and that the IMA service is started.
At line:1 char:1
+ Get-XAServer
+ ~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Get-XAServer], InvalidOperationException
    + FullyQualifiedErrorId : ImaInteropError,Citrix.XenApp.Commands.GetServerCmdlet

Command was issued using -servername which works if proper remoting is setup with certificate, This can be challenging to setup, instead use -computername to target the remoting service along with -servername to target the server needed.  IE Get-XAServer -Computername XAwithRemotingService -Servername XAwantinginfofrom

Tuesday, December 15, 2015

Files not showing up "timely" for some users with DFS-R

Recently we started having a strange issue where users wouldn't be able to see files, but other users could.

The locations in question resided in a share with DFS-R setup.  Only one of the folder targets was enabled so all users are looking at the same share.  We could even confirm with DFS tab that they where pointed at the same locations, yet User1 couldn't see the file and User2 could see it.  Navigating to the exact path of the share would then display that the file did in fact exist.  Only the DFS path showed the issue.

No issues being reported with DFS-R or AD (both running Server 2012).
Taking a step back I recalled that we had fairly recently added a new DC to the environment (Windows Server 2012 R2).

After a quick look at DFS Namespaces I realized that the new DC had not been added as a namespace server.

Preliminary reports look promising that the missing namespace server was the cause for this anomaly.  Note to self, always add new DC to namespace servers!

Wednesday, October 28, 2015

XenApp - Auto Restored printers / Lynx... / XPS Document Writer

Gradually over the past year I've seen an issue where strange printers appear for user, sometimes more than 100 of them, making it hard for them to find the proper printer they want. Many of them have Document Writer in there name, but some are more mysterious with names starting with lynx* and even other names.

Some quick digging on the server and you can quickly see that it's somehow related to the Microsoft XPS Document Writer being autocreated from the clients machine. Here we only auto create the users default printers, but this one (known this for a long time) still creates even when it's not the default.

 Looking in the users registry its pretty easy to track some of the settings back to HKCU\Software\Citrix\PrinterProperties as well as a few other locations.

Once I began looking I found that the mysterious printers effected most of my users, not just one or two. Looking around on the internet I found this: 

Makes sense... I did find that I could eliminate the issue without all of his steps though.

  1. Prevent XPS document writer from auto creating.
    1. Open AppCenter (XenApp 6.5) and go to my policies
    2. Make or modify existing user policy (make sure it filters to all users or use unfiltered policy)
    3. Printer driver mapping and compatibility - Microsoft XPS Document Writer - Deny (spelling of driver name must be exact) 

  1. Next we need to remove the junk registry setting for all users.
    1. Open GPO and make a new policy that applies to your XenApp servers
    2. Apply the loopback policy with merge - Computer Configuration - Policies - Administrative Templates - System - Group Policy
      1. Mode Merge
    3. Create preference to remove registry settings - User Configuration - Preferences - Windows Settings - Registry
      1. New Registry item
        1. Set to delete
        2. enter hive of HKEY_Current_User
        3. enter path Software\Citrix\PrinterProperties\Microsoft XPS Document Writer
    4. Update GPO on each XA server and test.

Note: I found that this took a long while to completely clear out since many of my users are part time.  I just had to sit back and be patient for everything to complete.  I did do some manual attaching to registry profiles and cleaning to help along the process for users that rarely work.

Tuesday, May 5, 2015

The source file name(s) are larger than is supported by the file system.

The source file name(s) are larger than is supported by the file system.  Try moving to a location which has a shorter path name, or try renaming to shorter name(s) before attempting this operation.

Recently I found that some operations in a backup maintenance job where failing because a file it was trying to remove was failing due to the filenames/path length.

I did the typical options available none of which worked:
  • Attempt to rename it via cmd prompt
  • Attempt to rename it via cmd prompt using the short name.  It contained several special characters and I never could figure out which one it was complaining about.
  • Attempt to rename the directories containing it.  Even using a single letter for each directory didn't reduce it enough.

In the end a simple command did the trick to get the path short enough.
  • Navigate into the directory in question
  • subst M: . (notice the period there indicating current directory)
  • del filename (or rename filename newfilename)
  • subst M: /D

Monday, April 27, 2015

8193 Volume Shadow Copy Service error - Access is denied

Log Name:      Application
Source:        VSS
Event ID:      8193
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      servername
Volume Shadow Copy Service error: Unexpected error calling routine RegOpenKeyExW(-2147483646,SYSTEM\CurrentControlSet\Services\VSS\Diag,...).  hr = 0x80070005, Access is denied.
   Initializing Writer
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {3e927ae5-5139-42ad-bd99-6e467a3941eb}

This was occurring on my DHCP servers.  Apparently permissions to a key are removed when the DHCP role is installed.