Search This Blog

Sunday, May 29, 2016

Intra-forest domain change error "The security database on the server does not have a computer account for this workstation trust relationship"

Previously I had done intra-forest many domain changes for computer accounts, but this time I got a "The security database on the server does not have a computer account for this workstation trust relationship" after trying to change domain from child domain to parent domain.

As I understand this is a change in Windows Server 2012 R2 Active Directory.

So let's start from beggining.
I was migrating user and computer objects from child domain to parent domain in a domain consolidation process. There where no major issues with user migration.

So I tried to migrate computer account with ADMT. At first everything seemed to be ok, but after domain change when logging on to new domain it showed an error "The security database on the server does not have a computer account for this workstation trust relationship".

I found out that new computer object in AD was created but it's properties where not populated.

The root cause of the error was that Service Principal Names (SPNs) for the computer account in new domain were not registered. What happened is that ADMT prestaged the new computer account while the old account was still in place. Then ADMT tried to copy SPNs from old object to new and failed because in Windows Server 2012 R2 AD it is not possible to have to equal SPNs.

This is what I did to resolve the issue.
1. Found out that there is no much benefit if migrating computers with ADMT (except that it was possible to designate target OU where migrated account should be placed).
2. Developed a script which used netdom and consisted of three commands:
- Remove computer from domain
- Delete computer object in old domain;
- Add computer to the new domain.

Saturday, May 28, 2016

Configure SCUP 2011 for multiple user mode

System Center Updates Publisher (SCUP) 2011 is a tool with good intentions but not super cool implementation. For example, it has to be run as administrator.
Another thing is that by default it is installed in single-user mode, this means that if one admin makes customizations to the tool, then other admin doesn't see these customizations.

Follow this steps to configure SCUP in multiple user mode:
1. Find the current location of SCUP database. You can do this by opening SCUP console, go to Options - Advanced, you will see location next to Database File.
2. Close the SCUP console and copy database file to another location. For example, D:\SCUPDB\scupdb.sdf
3. Go to C:\Program Files (x86)\System Center Updates Publisher 2011 and open file Scup2011.exe.config with Notepad
4. Append the text in bold in the file and save the file:

<setting name="SSCEDataFile" serializeAs="String">

5. Open the console, if you get an error, then give full control permissions to the SCUPDB folder directly to that user (not to group).

Automate WSUS clenup in Windows Server 2012 R2

You should run WSUS cleanup regulary to keep the WSUS database healthy.
There is a script available to run WSUS cleanup as scheduled task available here

Unfortunately it doesn't work as expected on Windows Server 2012 R2.
To make it work on Windows Server 2012 R2 you should use follwoing command line:

PowerShell.exe -Command "& {Start-Process PowerShell.exe -ArgumentList '-ExecutionPolicy Bypass -File ""path-to-script\Start-WsusServerCleanup.ps1""' -Verb RunAs}"

Thursday, May 26, 2016

WSUS in Windows Server 2012 R2 doesn't allow self-signed certificates by default

Hi there!

Microsoft has made a change in WSUS in Windows Server 2012 R2 which doesn't allow the use of self-signed certificates by default.
This results with errors in some applications, for example, System Center Updates Publisher (SCUP).

If you go to SCUP console and try to create a self-signed certificate you would get an error saying that "The test connection succeeded. However, no signing certificate was detected for update server".

To remedy this just go to this registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup\
and create a DWORD value
EnableSelfSignedCertificates = 1

More information here 

Wednesday, May 25, 2016

Windows 10 build numbers and current releaseas for all branches

Save this link
You can see Windows 10 build numbers and actual releases for all branches - Current Branch, Current Branch for Business and Long-time Servicing Branch.

Wednesday, May 18, 2016

Windows 7 Service Pack 2 released!

Well Microsoft has not named it a "service pack", but a "convenience rollup update", yet I think we can easily consider it as a service pack, because it contains almost all post SP1 updates.

Check out this article:

Add a signature when replying to emails in Outlook

Just a small tweak which I learned today.
You can add a signature which appears always when replying to emails in Outlook.

To do this open Outlook - New Email - Signature - Signatures and in Replies/forwards field select the desired signature!

Then reply to email and the signature will be there.

Thursday, May 12, 2016

Localhost - not just the address

Today I found out that localhost is not just the address. All addresses in network are local host addresses.
So you can easily ping and get a reply for:

and so on

VMM does not have appropriate permissions to access the resource

All of a sudden our VM hosts started to show a "Host not responding" error in SCVMM 2012 SP1 console.
I had to deal with this somehow because new VMs had to be create.
First, I tried to refresh the host, which gave me error "VMM does not have appropriate permissions to access the resource".

There are many different articles, forum and blog posts about the issue, but none of that helped for me.
Fortunately the SCVMM environment was a small one and I just reinstalled SCVMM. This solved the issue.

But while reinstalling and reconfiguring SCVMM I noticed that Run as account for managing hosts was disabled... I guess this was the problem in the first place. So make sure to check this if you are expierincing the same issue.

Tuesday, May 10, 2016

SCEP definition updates do not install - solved!

Recently I got request to help to solve the issue when SCEP definition updates do not install through SCCM.
So first I checked the basic configuration:
1) That SCCM Client Settings for Endpoint Protection were configured - they were!
2) That there was an antimalware policy in place - there was!
3) That Auto-deploy rule was created and working to deploy SCEP definition updates - it was and it targeted the affected computers!

So I started to inspect client logs, but there was no relevant information, I was a bit confused when I saw that SCCM client even didn't scan for SCEP definition updates.

Then I found out that there was a mainteance windows create for affected computers. And this was the problem. Maintenance window was created with one occurance in the past, so clients never attempted to install these updates, because mainteance window never opened.

After removing the maintenance window most of SCCM clients starteted to install SCEP definition updates, but there were still some "clients at risk" in the SCEP monitoring node in SCCM console.

I connected to a problematic client, and saw that SCEP was red in notification are, it also showed that realtime protection was off. In SCCM client logs folder EndpointProtectionAgent.log showed that SCEP agent version was less than expect so SCEP policy was not applied and so no definitions were being installed. After installing latest SCEP agent version everything started to work as expected!

Tuesday, May 3, 2016

Hyper-V dynamic memory doesn't work with Windows 7

I need to test some stuff with Windows 7, so the easiest way was to create a VM on our Hyper-V server. I configured it to use dynamic memory. But it didn't work...
I discovered that dynamic memory works only with Enterprise and Ultimate editions of Windows 7 but I was using Pro.