Search This Blog

Friday, December 27, 2019

DPM 2012 R2 and Windows Server 2016 - not supported, but works

One customer who, was still using DPM 2012 R2 asked me if it supported Windows Server 2016. (yes, they still use DPM 2012, but due to financial aspects, it is not possible to upgrade yet).

Microsoft says that it is not supported and never will be, but I decided to test this out.

When we tried to push the agent, initially we got error:

Error 303: The protection agent operation failed on server.
Error details: The RPC server is unavailable (0x800706BA)

But this error was solved by turning of Windows Firewall for the moment of agent installation. After that agent install succeeded.
We restarted the server and also the backups succeeded. 

So, the bottom line is that although not supported DPM 2012 R2 can backup Windows Server 2016. 

Tuesday, December 24, 2019

Delegate just the wipe permissions in Microsoft Intune (solved "An error occured while GET")

Microsoft Intune supports granular permission delegation with RBAC.
If you want to delegate just the Wipe permissions, the you need to:

  1. Open the Intune Management portal
  2. Click Tenant Administration - Roles - All roles - Create
  3. The in the Permissions section add these 
    1. Managed Devices - Read
    2. Remote Tasks - Wipe
  4. Once completed go to the newly created role and click the Assignments section and assign the role to a user or preferably to group.
Also, the accounts, which will be delegated Wipe permissions, need to have Intune licence assigned.

Keep in mind that if you won't grant the Managed Devices read permissions the you will get error "An error occurred while GET" and you will not be able to wipe the devices:

Friday, November 29, 2019

SCCM client does not appear in console. Failed to receive buffer from server with err=0x80090304

If you happen to be in situation when seemingly your SCCM client is working fine, but does not appear in SCCM console, then check CcmNotificationAgent.log
If you see these lines:

Failed to receive buffer from server with err=0x80090304.
Failed to signin bgb client with error = 80090304.

The probably there is conflict with client GUIDs. And you can resolve it with following actions on SCCM client:

  1. net stop ccmexec
  2. certutil –delstore SMS SMS
  3. Rename c:\windows\SMSCFG.INI TO c:\windows\SMSCFG.INI.old
  4. net start ccmexec

Thursday, November 21, 2019

Fix "The Active Directory Domain Controllers required to find the selected objects in the following domains are not available" error in AD trust scenario


If you have set up an Active Directory forest trust but you cannot browse users in trusted domain because of error "The Active Directory Domain Controllers required to find the selected objects in the following domains are not available", then most likely you have not configured networks ports correctly.

Usually when I configure AD trusts, I take this article to allow necessary firewall ports.

In addition to ports mentioned in this article we also had to open TCP port 135 to be able to browse users in trusted forest.
I don't know exactly but I suspect that this was due to fact that trusted forest was still using Windows Server 2003 Forest functional level.

Saturday, October 12, 2019

SCCM Task Sequence: Error 8007274d = No connection could be made because the target machine actively refused it.

I had a strange error during Task Sequence deployment the other day. Application install failed with error: "Socket 'connect' failed: 8007274d" and then followed by "Failed to get information for MP: MPName 80072efd"

The issue was strange because OS install had been successful and apps deployed as SCCM packages also installed successfully.

Error 8007274d translates to "No connection could be made because the target machine actively refused it", this lead to a feeling that network was fine, but the issue was with TS ir SCCM config.

The issue was solved by adding MP name to SCCM installation step during Task Sequence. After that, all the applications installed successfully in Task Sequence:

Wednesday, February 20, 2019

SQL Server Standard cannot be used with cluster of more than 2 nodes

I was asked to help to count the licences for Microsoft based server environment.
So the customer had a four-node SQL Server Enterprise failover cluster and wanted to upgrade. At first I thought that they should definitely use SQL Server Standard as it is much cheaper, but then I found out that SQL Server Standard can only be used in a two-node failover cluster, so they had to use SQL Server Enterprise as four node cluster  was necessary.

Full feature SQL Server edition comparison is here 

Sunday, February 17, 2019

(Solved) RegTask: Failed to refresh site code. Error: 0x8000ffff in ClientIDManagerStartup.log

A few days ago I faced interesting issue with SCCM client installation in internet-based client management (IBCM) setup.

It was working fine, but somehow new client installations did not complete successfully. SCCM client installed successfully, but could not register.

So I opened ClientIDManagerStartup.log on client and saw following error

RegTask: Failed to refresh site code. Error: 0x8000ffff 

After some troubleshooting, we found that Certificate Authority CA certificate recently was renewed and this caused issues because Management Point was still using certificate which was issued before CA certificate was renewed and client certificate was issued after CA certificate renewal. 
The root cause of this was that Authority Information Access (AIA) was not configured correctly - it had not been published it internet. 
We changed AIA configuration, reissued certificates and clients could register to SCCM again.

Saturday, February 16, 2019

How to restore deleted user in Azure AD

One of my colleagues had accidentally deleted an Azure AD user and I had to restore to.

In fact this was an easy thing to do. Follow these steps:

  1. Go to Azure Portal -> Azure Active Directory -> Users -> Deleted users
  2. Select the deleted user and then click Restore User:

Furthermore if you want to find out who deleted the user, check Audit logs section in the same pane.

Deleted users are retained for 30 days and then they are permanently deleted. After these 30 days have passed neither you or Microsoft support can restore the user.

To my knowing there is no way to change the 30 day period.

Saturday, February 9, 2019

(Solved) OnSearchComplete - Failed to end search job. Error = 0x8024401c in WUAHandler.log

Mostly there are two explanations for error 0x8024401c in WUAHandler.log in SCCM - there are either problems in WSUS or there are some proxy misconfigurations.

In our case it was proxy, the proxy admins were introducing new proxy server and it was causing the issue.
So to solve the issue

  • Check proxy logs, that it is not blocking access to WSUS
  • Configure bypass to WSUS server
  • On client side check that proxy settings are correct, go to Control Panel -> Internet Options -> Connections -> LAN Settings
  • Use command netsh winhttp show proxy to check system proxy settings

Restart SMS Agent Host service after configurations have been changed, so SCCM client could use the new proxy settings.

Windows Server 2019 Standard and Datacenter feature comparison

As with previous Windows Server releases the major difference between Standard and Datacenter editions is with licensing. Standard allows to run 2 VMs, Datacenter unlimited number of VMs. And pricing usually is that Datacenter is approximately 5 times more expensive.

Here are differences in features. In addition to all Standard edition features, Datacenter includes:

  1. Shielded VM support and Host Guardin Service - to protect from stealing VMs by your virtualization admins
  2. Network Controller - to automate network configurations
  3. Storage Replica - to replicate entire storage LUNs
  4. Storage Spaces Direct 

Whole feature list is here:

Saturday, February 2, 2019

Should I disable User / Computer group policy sections for GPOs?

So the question is should I disable User or Computer sections in GPOs if they are not used. Many people believe that this will speed up GPO processing.

As it turns out if appropriate section is not used then disabling it will not speed up GPO processing.

Also, take into consideration this sentence from the article:

"For what it’s worth, don’t combine User and Computer policies into the same GPO. Split them out, link them to the appropriate OU’s, and for Pete’s sake, please avoid loopback whenever possible."

Tuesday, January 29, 2019

Tuesday, January 22, 2019

(FIXED) Office 365 ProPlus apps do not start, error "The application was unable to start correctly (0xc0000361)"

Most of the companies already have implemented or at least are considering some application whitelisting solution. In Microsoft world if you cannot afford Windows Enterprise then Software Restriction Policies (SRP) is a good alternative.

If you implement SRP and use Office 365 ProPlus, then there there is a good chance that you will get error "The application was unable to start correctly (0xc0000361)" for Office apps after implementing SRPs.

To solve this you have to change configuration in SRP - in enforcement options you will need to select to apply SRPs to all software files except DLLs

After this change and group policy update and reboot on client side, Office apps will start correctly.

Saturday, January 19, 2019

Static Public IP addresses can now be configured for Azure VPN Gateways

A while a ago it was not possible to use static public IP addresses for Azure Virtual Network Gateways. It meant to two things:

  • Gateway address would not actually change if it was not deleted
  • If gateway was deleted and recreated, then you would need to use different public IP address
The second scenario could happen if, for example, you needed to change gateway type from Policy-based to Route-based.

Now there is an option to use static public IP addresses for Azure VNET Gateways.

This option is available for new VpnGw1AZ, VpnGw2AZ and VpnGw3AZ SKUs.

FIXED: Cannot connect to Azure with Point-to-Site VPN, Error 0x800704c9

As a part of setting up an Azure environment, I enabled Point-to-Site VPN for the Virtual Network Gateway. I had this done previously so I though this will going to an easy process.

So, configured certificate authentication, downloaded VPN client, installed it, but upon connecting I got error 0x800704c9, the whole error text was "The remote computer refused the network connection. (Error 0x800704c9)".

I clicked properties, viewed the log file but it didn't help too much.
Then I tried connecting to the port 443 (as I had SSTP VPN) to virtual network gateway and the connection was successful. 
Finally, I had the magic idea to connect from different computer, and this did the trick. The problems I was experiencing were on Windows 7 and they were gone when connecting from Windows 10 v1803 machine.

Thursday, January 17, 2019

Do NOT install latest ASR Provider (5.1.3900.0) on SCVMM 2016

I would advise not to install latest Azure Site Recovery Provider version (5.1.3900.0) on SCVMM 2016 servers.

This is how it went for me.
At first, in Azure Portal I saw that an update was available for ASR Provider. As this previously had not caused any issues I downloaded and wanted to install.

But it didn't go so good this time. SCVMM service stopped during install as usual, but after ASR Provider install finished, it didn't start.
When trying to start it manually I got message:

"The System Center Virtual Machine Manager Service on Local Computer started and then stopped. Some services stop automatically if they are not in use by other services or programs"

C:\ProgramData\ASRLogs and C:\ProgramData\VMMLogs didn't say anything useful.
So after some time of unsuccessfull troubleshooting I uninstalled ASR Provider and boom - the SCVMM service started successfully.

Installed ASR Provider v5.1.3900.0, again SCVMM service couldn't start.

So I installed previous ASR Provider version (5.1.3800.0) and everything works as it should.

I will wait for next ASR Provider release obviously :)

Windows Server 2012 R2 Mainstream support has ended

Today I had a call with Microsoft Support about an issue with Windows Server 2012 R2, almost instantly I got response that Windows Server 2012 R2 mainstream support has ended and they won't be able to help.

It turns out that mainstream support for Windows Server 2012 R2 ended in October 2018.

Time passes by so quickly :)

Tuesday, January 15, 2019

(Solved) Domain controller blue screens with error 0xc00002e2

In a infrastructure consolidation project I had to move domain controller from one Windows Server 2012 R2 Hyper-V host to another.

I thought that this will gonna be an easy task.. but it wasn't.

We shut down the VM, exported it and imported in destination Hyper-V host. This is where fun began. The domain controller didn't boot up and bluescreened with error 0xc00002e2.

Some blogs on internet said that probably there are problems AD database, and it needs to be repaired.

In my case the situation was a bit easier. This is what we did:

  1. Booted up the DC in DSRM - Directory Services Restore Mode. Yes, you will need DRSM password for this.
  2. Found out that D: disk was not available (this was the disk where AD database was residing)
  3. Went to Disk Management and found that D: disk is offline
  4. Brought the disk online
  5. Restarted the domain controller and it started up successfully.
The bottom line is that error 0xc00002e2 on domain controller indicates that there are problems with AD database.

Monday, January 14, 2019

Cloudyn activation error "The specified API key is not a top level enrollment key" solved

Cloudyn or Azure Cost Management is a tool which helps to analyze Azure costs.
Usually activating it is pretty easy - just go to Azure portal, select "Cost Management + Billing", select Cloudyn and click "Go to Cloudyn"

If you are using Azure Enterprise subscription, then you need API Access Key which can be generated from portal.

Once you have it, enter it during Cloudyn activation.

If you receive "The specified API key is not a top level enrollment key" during activation, then it means that the account which was used to generate API Access Key does not have full admin permissions in portal.

If there is an Enrollment section in portal, then it means you have full admin there.

Saturday, January 12, 2019

Hyper-V Live Migration does not work, how to fix error 0x8007052E

If you have a Hyper-V cluster and Live Migration does not work and you are receiving error "Failed to register cluster name in the local user groups: The user name or password is incorrect. (0x8007052E). Hyper-V will retry the operation." in Hyper-V-High-Availability event log, then most likely you will need to reset Failover Cluster AD account password (sometimes als called CNO - Cluster Name Object).

To reset CNO password:

  1. Open Failover Cluster console.
  2. In the left pane click Cluster Name
  3. In the "Cluster Core Resources" section select server name resource, right-click it and select Take Offline. VMs will not stop.
  4. The on server name resource choose More Actions -> Repair, this will reset CNO password
  5. Bring online server name resource.
Live Migration should work again now.

While troubleshooting the problem you can generate cluster log with Get-ClusterLog Powershell command, which will generate a text based log file C:\Windows\Cluster\Reports\cluster.log.
During live migration we would see there that CLUSTERNAME$ account cannot authentication because of wrong password.