Author Archives: cpsaroudakis

Windows 10 roaming profiles cause Edge and other packaged applications to fail loading

The cause seems to be that, when a user logs out, Windows 10 sets some essential registry keys to read-only. When the user logs on again these keys are in the wrong state, and packaged applications, including Edge, fail to load. This appears to be only one of the causes, and Microsoft has released no fix since version 1511.

Below is a walkthrough of the workaround we used.

Step1

Make sure your workstation (WKS) has all the latest updates.

Connect to your DC and open the Group Policy editor.

Create a WMI filter for Windows 10 with the following:

Namespace (should already be there): root\CIMv2

Query: select * from WIN32_OperatingSystem WHERE Version LIKE '10.0.%'

You may get a message when saving the filter; ignore it.


Step2

CREATE A GROUP POLICY TO APPLY THIS AS A LOGON SCRIPT

Create a group policy for your domain users called “User-Windows10RoamingProfileFix”. This will be targeted to Windows 10 computers using the WMI filter we created in the previous step.

On the new policy, right click > Enforced.

Right click > Edit > User Configuration > Policies > Windows Settings > Scripts (Logon/Logoff) > double click on Logon > PowerShell Scripts > Add


Click on Browse

Inside the browse popup, create a new .txt file and rename it to

POWERSHELL-SCRIPT-TO-ALLOW-ROAMING-LOGINS.PS1

Make sure file extensions are shown and that the file has a .ps1 (PowerShell) extension, not .txt!

Copy paste the following inside the file:

#!PowerShell. De pilo pendet.
# https://social.technet.microsoft.com/Forums/en-US/fd436515-6423-4015-9afe-d7e6034909ab/windows-10-threshold-2-edgesearch-issues-for-domain-joined-pcs
# (c) Christian Ullrich
# copied by James Bayley 2016/01/25

function MakeACE() {
    # S-1-15-2-1 is WELL_KNOWN_SID_TYPE::WinBuiltinAnyPackageSid, "APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES".
    # The self-documenting NTAccount type results in an object that "cannot be translated".
    $id = New-Object System.Security.Principal.SecurityIdentifier("S-1-15-2-1")
    # Allow ALL APPLICATION PACKAGES full control of the key and of every subkey below it.
    New-Object System.Security.AccessControl.RegistryAccessRule($id,
        [System.Security.AccessControl.RegistryRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

function GrantRequiredAccess($key) {
    # Read the key's current ACL, append the ACE and write the ACL back.
    $acl = Get-Acl $key
    $acl.AddAccessRule((MakeACE))
    Set-Acl $key $acl
}

# All Windows 10, since Microsoft apparently managed to break build 10240 as well in December 2015, after having shipped 10586 broken from the start.
#New-EventLog -LogName Application -Source "LogonScript"
#Write-EventLog -LogName Application -Source LogonScript -EntryType Information -EventId 1 -Message "In LoginScript to fix roaming profiles"
if ([Environment]::OSVersion.Version.Major -eq 10) {
    # Write-EventLog -LogName Application -Source LogonScript -EntryType Information -EventId 1 -Message "Windows 10 detected"
    GrantRequiredAccess "HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe"
    GrantRequiredAccess "HKCU:\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy"
}

Step3

“ExcludeProfileDirs” Registry Tweak

  1. Continue editing the above-mentioned GPO.
  2. Navigate to: User Configuration > Preferences > Windows Settings > Registry, and create a new registry item with the following information.


The key path is:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (don't copy-paste it, navigate to it yourself!!!!)

In the Value data field of the ExcludeProfileDirs value you should include the following to support Windows 10 version 1703:

AppData\LocalLow;$Recycle.Bin;OneDrive;WorkFolders;AppData\Local\Comms;AppData\Local\ConnectedDevicesPlatform;AppData\Local\Google;AppData\Local\GroupPolicy;AppData\Local\Mozilla;AppData\Local\Packages;AppData\Local\Publishers;AppData\Local\PeerDistRepub;AppData\Local\Temp;AppData\Local\VirtualStore;AppData\Local\Winternals;AppData\Local\Adobe;AppData\Local\Apple;AppData\Local\AppleComputer;AppData\Local\Autodesk;AppData\Local\Chromium;AppData\Local\CrashDumps;AppData\Local\NVIDIA;AppData\Local\NVIDIACorporation;AppData\Local\Skype;AppData\Local\WebEx;AppData\Local\Foxit Reader;AppData\Local\Macromedia;AppData\Local\Microsoft_Corporation;AppData\Local\Real;AppData\Local\DropBox;AppData\Local\Vmware;AppData\Local\Windows Live;AppData\Local\CrashDumps;AppData\Local\Citrix;AppData\Local\Microsoft\AppV;AppData\Local\Microsoft\Credentials;AppData\Local\Microsoft\Feeds;AppData\Local\Microsoft\Feeds Cache;AppData\Local\Microsoft\GameDVR;AppData\Local\Microsoft\Group Policy;AppData\Local\Microsoft\InputPersonalization;AppData\Local\Microsoft\InstallAgent;AppData\Local\Microsoft\Internet Explorer;AppData\Local\Microsoft\Media Player;AppData\Local\Microsoft\OneDrive;AppData\Local\Microsoft\PenWorkspace;AppData\Local\Microsoft\PlayReady;AppData\Local\Microsoft\Vault;AppData\Local\Microsoft\Windows Live;AppData\Local\Microsoft\Windows Sidebar;AppData\Local\Microsoft\WindowsApps;AppData\Local\Microsoft\Windows\UPPS;AppData\Local\Microsoft\Windows\1033;AppData\Local\Microsoft\Windows\ActionCenterCache;AppData\Local\Microsoft\Windows\Application Shortcuts;AppData\Local\Microsoft\Windows\Burn;AppData\Local\Microsoft\Windows\GameExplorer;AppData\Local\Microsoft\Windows\History;AppData\Local\Microsoft\Windows\IECompatCache;AppData\Local\Microsoft\Windows\IECompatUaCache;AppData\Local\Microsoft\Windows\INetCache;AppData\Local\Microsoft\Windows\INetCookies;AppData\Local\Microsoft\Windows\Notifications;AppData\Local\Microsoft\Windows\OfflineFiles;AppData\Local\Microsoft\Windows\PowerShell;AppData\Local\Microsoft\Windows\PRICache;AppData\Local\Microsoft\Windows\Ringtones;AppData\Local\Microsoft\Windows\RoamingTiles;AppData\Local\Microsoft\Windows\Safety;AppData\Local\Microsoft\Windows\SchCache;AppData\Local\Microsoft\Windows\SettingSync;AppData\Local\Microsoft\Windows\Shell;AppData\Local\Microsoft\Windows\WebCache;AppData\Local\Microsoft\Windows\WER;AppData\Local\Microsoft\Windows\Explorer;AppData\Local\Microsoft\CLR_v4.0;AppData\Local\Microsoft\CLR_v4.0_32

Step4

Continue editing the above group policy for the AppLocker part.

Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies > AppLocker > Packaged app Rules > right click and Create Default Rules.

Step5

You should now force a group policy update on the problematic workstation (gpupdate /force from a command prompt), then log off and log on a few times. We had cases where we had to remove the roaming profile and reissue it for this to work.

The above workaround is a merge of various articles and blog posts we found on the web while trying to solve an issue like this. The solution came only after applying all of the above, not one or the other.
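To check that the three settings above actually landed on a workstation before you keep logging off and on, the following PowerShell audit script (an added example, not part of the original post or of James Bayley's script) reads the two AppContainer keys' ACLs and the ExcludeProfileDirs value from the current user's hive; the package key names and the value name are the ones used in Steps 2 and 3.

```powershell
# Added example (not from the original post): audit the current user's profile for the
# settings the walkthrough applies. Run it in the affected user's session after gpupdate.
$storageRoot = 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage'
$packages = @('microsoft.microsoftedge_8wekyb3d8bbwe', 'microsoft.windows.cortana_cw5n1h2txyewy')
$fullControl = [System.Security.AccessControl.RegistryRights]::FullControl

function Test-PackageKeyAccess {
    param([string]$KeyPath)
    # True when ALL APPLICATION PACKAGES (S-1-15-2-1) holds an Allow ACE covering FullControl,
    # explicit or inherited, which is what the logon script grants.
    if (-not (Test-Path -Path $KeyPath)) { return $false }
    $acl = Get-Acl -Path $KeyPath
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -eq 'S-1-15-2-1' -and
            $rule.AccessControlType -eq 'Allow' -and
            (($rule.RegistryRights -band $fullControl) -eq $fullControl)) {
            return $true
        }
    }
    return $false
}

function Get-ExcludeProfileDirs {
    # The GPO preference item writes ExcludeProfileDirs under HKCU\...\Winlogon; returns its entries.
    $winlogon = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $item = Get-ItemProperty -Path $winlogon -Name ExcludeProfileDirs -ErrorAction SilentlyContinue
    if (-not $item) { return @() }
    return @($item.ExcludeProfileDirs -split ';' | Where-Object { $_ })
}

foreach ($pkg in $packages) {
    $ok = Test-PackageKeyAccess -KeyPath (Join-Path -Path $storageRoot -ChildPath $pkg)
    '{0,-45} ALL APPLICATION PACKAGES FullControl: {1}' -f $pkg, $ok
}
$dirs = Get-ExcludeProfileDirs
"ExcludeProfileDirs entries: $($dirs.Count)"
# Two entries from the Step 3 list that matter most for packaged apps.
foreach ($required in 'AppData\Local\Packages', 'AppData\Local\Microsoft\WindowsApps') {
    '{0,-45} excluded from roaming: {1}' -f $required, ($dirs -contains $required)
}
```

A False on either package key after a gpupdate and a fresh logon means the logon script did not run in that session, which is worth checking before removing and reissuing the roaming profile.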

Credits and references go to:

  1. Dr James Bayley’s excellent article https://blog.jamesbayley.com/2016/02/10/fixed-windows-10-roaming-profiles-break-edge-and-other-packaged-applications/
  2. https://social.technet.microsoft.com/Forums/en-US/fd436515-6423-4015-9afe-d7e6034909ab/windows-10-threshold-2-edgesearch-issues-for-domain-joined-pcs?forum=win10itprogeneral
  3. https://partnersupport.microsoft.com/en-us/par_clientsol/forum/par_win/roaming-profile-in-windows-10/173fffe7-6751-4721-a19c-c164a4658b90?auth=1
  4. https://www.youtube.com/watch?v=R4R4QlExLsU

DNS publishing over COSMOTE is no longer supported?

In the past few months COSMOTE, a Greek ISP, started providing VDSL access in our country. Right after being very happy about it, we started noticing changes affecting many of our customers' services, including proper Domain Name Service data exchange.

The Domain Name Service supports hosting a domain name zone and serving clients that request host A or other records from that DNS server, while DNS zone transfer is the process that replicates the domain name zone to a set of previously selected and configured DNS servers.

Our tests, described below, involve both of the above functions.

Test | Description | Request initiator | Request receiver | Outcome
---- | ----------- | ----------------- | ---------------- | -------
1 | Nslookup from a Cosmote Internet fed client to a zone hosted on a Cosmote served server | Server A | Server B | Success
2 | Nslookup from a Cyta Internet fed client to a zone hosted on a Cosmote served server | Server C | Server B | Failure
3 | Nslookup from a Cosmote Cell Internet fed server to a Cosmote served server | Server BC | Server B | Failure
4 | Nslookup from a Wind Internet fed server to a Cosmote served server | Server W | Server B | Failure
5 | Nslookup from a Forthnet Internet fed server to a Cosmote served server | Server F | Server B | Failure
6 | Nslookup from a Vodafone Internet fed server to a Cosmote served server | Server V | Server B | Failure

As Test 3 shows, the mobile network of Cosmote cannot access a zone hosted on a private server whose Internet access comes from the terrestrial Cosmote network. That's weird, but understandable since the merger of the two is only a few months old.

OK, now let's see what else is "weird". Suppose we have the following 4 servers:

SERVER A: is internet fed by Cosmote ADSL

SERVER B: is also internet fed by Cosmote ADSL

SERVER C: is internet fed by Cosmote VDSL

SERVER D: is also internet fed by Cosmote VDSL

A few more tests described below:

Test | Request initiator | Request receiver | Outcome
---- | ----------------- | ---------------- | -------
7 | Server A | Server B | Success
8 | Server A | Server C | Failure
9 | Server A | Server D | Failure
10 | Server D | Server A | Failure
11 | Server C | Server A | Failure
12 | Server B | Server A | Success
13 | Server B | Server C | Failure
14 | Server B | Server D | Failure
15 | Server C | Server B | Failure
16 | Server C | Server D | Success
17 | Server D | Server C | Success
18 | Server D | Server B | Failure

Let me make it a bit less confusing for you: VDSL-fed servers communicate with each other, while ADSL-fed servers cannot access the VDSL-fed ones and vice versa. The weird thing is that both the ADSL and VDSL lines are provided by the same ISP, which in all our cases is COSMOTE.

We should note that all the above servers have business accounts (connex @ Work).

As IT professionals we can tolerate:

  • VPN connections dropping every 3 minutes, for no reason.
  • Cosmote routers having their firmware updated whenever the provider asks, using their CPL
  • SIP ports being occupied for Cosmote's future VoIP usage.

What we cannot tolerate is blocking the DNS protocol, especially when there is no prior notification of such a service ban.

I really do wonder, what is next? SMTP?

Thank you Cosmote for protecting us, but I guess we will protect ourselves and move all our customers to non-Cosmote ISPs.

We define:

Failure: a timeout of the DNS query (using nslookup) pointed at a working DNS server (server [ip]) and at an existing, well-formed DNS zone.

Success: a successful DNS query (using nslookup) returning all DNS records of the requested zone (set q=all / set q=any).

17/2/17 UPDATE: The above started happening with port 25 (SMTP) randomly.
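The test matrix above can be re-run from any machine with the following PowerShell script (an added example, not part of the original post): it applies the post's own Success/Failure definitions (an answered "any" query against the zone's own server versus a timeout or error) and adds the port 25 check from the update. The resolver addresses and zone names are placeholders, not the post's servers.

```powershell
# Added example (not from the original post): re-run the post's test matrix from the current
# machine. A query for the zone's records (the post's "set q=any") that answers is Success;
# a timeout or error is Failure, matching the definitions above. Resolver addresses and zone
# names are placeholders (RFC 5737 documentation space), not the post's servers.
$tests = @(
    [pscustomobject]@{ Receiver = 'Server B'; Resolver = '192.0.2.10'; Zone = 'example.com' },
    [pscustomobject]@{ Receiver = 'Server C'; Resolver = '192.0.2.20'; Zone = 'example.net' }
)

function Test-ZoneReachable {
    param([string]$Resolver, [string]$Zone, [int]$TimeoutSeconds = 5)
    # Resolve-DnsName has no timeout parameter, so run it in a job and treat "still running
    # after $TimeoutSeconds" as the timeout failure the post describes.
    $job = Start-Job -ScriptBlock {
        param($r, $z)
        Resolve-DnsName -Name $z -Type ANY -Server $r -DnsOnly -ErrorAction Stop
    } -ArgumentList $Resolver, $Zone
    $null = Wait-Job -Job $job -Timeout $TimeoutSeconds
    try {
        if ($job.State -eq 'Running') {
            Stop-Job -Job $job
            return [pscustomobject]@{ Outcome = 'Failure'; Reason = 'timeout'; Records = 0 }
        }
        $answers = @(Receive-Job -Job $job -ErrorAction Stop)
        if ($answers.Count -eq 0) {
            return [pscustomobject]@{ Outcome = 'Failure'; Reason = 'empty answer'; Records = 0 }
        }
        return [pscustomobject]@{ Outcome = 'Success'; Reason = 'answered'; Records = $answers.Count }
    } catch {
        return [pscustomobject]@{ Outcome = 'Failure'; Reason = $_.Exception.Message; Records = 0 }
    } finally {
        Remove-Job -Job $job -Force
    }
}

function Test-SmtpReachable {
    param([string]$Server, [int]$TimeoutMs = 5000)
    # The 17/2/17 update reports the same symptom on port 25: a plain TCP connect with a timeout.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, 25, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return 'Failure (timeout)' }
        $client.EndConnect($async)
        return 'Success'
    } catch {
        return "Failure ($($_.Exception.Message))"
    } finally {
        $client.Close()
    }
}

$results = foreach ($t in $tests) {
    $dns = Test-ZoneReachable -Resolver $t.Resolver -Zone $t.Zone
    [pscustomobject]@{
        Initiator = $env:COMPUTERNAME
        Receiver  = $t.Receiver
        Zone      = $t.Zone
        DNS       = '{0} ({1}, {2} records)' -f $dns.Outcome, $dns.Reason, $dns.Records
        SMTP      = Test-SmtpReachable -Server $t.Resolver
    }
}
$results | Format-Table -AutoSize
```

Running the same script from hosts on each ISP (the post's initiators) and comparing the tables separates a resolver that is down from one that is only unreachable from a particular network.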

Msg 8152, Level 16, State 10 String or binary data would be truncated. The statement has been terminated.

It appears that when you want to INSERT INTO data from an nvarchar(max) field into another nvarchar(max) field, and the table has a lot of data, the MS SQL query is terminated with the error:

Msg 8152, Level 16, State 10 String or binary data would be truncated. The statement has been terminated.

After narrowing down the data fields and understanding which field is the problematic one, and given that the source field is nvarchar(max) and so is the destination, you need to go on troubleshooting this.

Suppose I have the following query:

INSERT INTO ServiceJournal
    (PriorityID, TechnicianID, ServiceTaskID, ClientID, ServiceDate, ProblemReportDateTime, EventTypeid, ReminderID, CustomerSiteID, DetailedProblemDescription)
SELECT 3 AS Expr1, Customers.EmployeeResponsibleID, 16 AS Expr2, Customers.CustomerID, GETDATE() AS Expr3, GETDATE() AS Expr4, 2 AS Expr5, 2 AS Expr6, 1 AS Expr7, Customer_Tasks.TaskDescription
FROM Customer_Tasks INNER JOIN
    Customers ON Customer_Tasks.CustomerID = Customers.CustomerID
WHERE (Customer_Tasks.IsMaintenance = 1)

The field DetailedProblemDescription is the one producing the problem.

I tried creating a new field on the destination table ServiceJournal, called test, as nvarchar(max), and changed my query to:

INSERT INTO ServiceJournal
    (PriorityID, TechnicianID, ServiceTaskID, ClientID, ServiceDate, ProblemReportDateTime, EventTypeid, ReminderID, CustomerSiteID, test)
SELECT 3 AS Expr1, Customers.EmployeeResponsibleID, 16 AS Expr2, Customers.CustomerID, GETDATE() AS Expr3, GETDATE() AS Expr4, 2 AS Expr5, 2 AS Expr6, 1 AS Expr7, Customer_Tasks.TaskDescription
FROM Customer_Tasks INNER JOIN
    Customers ON Customer_Tasks.CustomerID = Customers.CustomerID
WHERE (Customer_Tasks.IsMaintenance = 1)

The script inserts a number of rows, as it should!

I tried renaming the problematic field to DetailedProblemDescription2 and retrying. It does not work.

I backed up the field data to another field and deleted the field. This is where I started losing the table integrity. I had to take the data out with an export script, drop and recreate the table (taken from a backup) and restore the data.

I need to mention that concatenating the DetailedProblemDescription field with CAST(DetailedProblemDescription AS nvarchar(4000)) or another data type did not work either.

To make a long story short, I overcame the INSERT INTO problem by wrapping the statement like this:

SET ANSI_WARNINGS OFF;
-- the INSERT INTO ... SELECT statement from above
SET ANSI_WARNINGS ON;

As long as the "problematic" field's content doesn't exceed 4000 characters, no problem occurs. I will need to test it with more in the coming months.

I have no time to investigate this further, but it's worth writing down and sharing :)

Till next time!

How to Upgrade or Change OS of PCs with Preinstalled Windows 8.1 & Windows 10

There are times when moving personal computers into corporate environments, without applying a BYOD policy, forces us to replace the preinstalled OS of the computer. For instance, there is the need to upgrade the OS from Home to Professional edition so that the computer can join a domain.

For Windows up to version 8, that was done by formatting the computer and reinstalling using the purchased retail or other license of the desired Windows version. The upgrade was a rather hectic process, and the older the OS, the more problems you had.

Things are different now with Windows 8.1 and 10!

You purchase a new laptop with a Windows 10 Home OEM license from your local distributor and get down to upgrading it to Professional. Bad luck! You can't! Even if you totally wipe your HDD, insert your legitimate Windows 10 Pro media and install, after the installation your PC will still boot into Windows 10 Home!

Let's ask the experts... we called Microsoft, as partners, and asked! Here's the story.

Microsoft's new policy for OEM computers that come with preinstalled Windows 8.1 or Windows 10 is to hardcode the OS version and license key within the computer's chipset. This policy is applied by all computer manufacturers, so there is no way, even by formatting the hard drive, to install a different OS or even an alternate edition of the same OS. Microsoft's "safety" mechanism steps in and installs the same OS edition as the OEM one (e.g. Home), even if you try to install another edition of the same OS (e.g. Pro) via DVD or USB. If you try to install a completely different OS (e.g. Windows 10) from the OEM one (e.g. Windows 8.1), then the hardcoded OS license key conflicts with the license key you installed and renders your OS not genuine. The same applies even if you just swap the OEM HDD for a preinstalled HDD with a different OS version than the OEM one.

Fortunately there is a workaround for this. The following steps show the way.

Let's assume for this example that you purchased a laptop that came with preinstalled Windows 10 Home and you want to upgrade it to Windows 10 Pro.

Using your newly purchased laptop or a different computer, download the MediaCreationTool.exe from HERE.

This tool will guide you to download a Windows 10 .iso file that is suitable for your computer.

After you download the ISO file, open it with an ISO editing application (UltraISO or similar).

Then you need to create two files that will allow the new OS to be installed.

For the first file, create a .txt file and copy the following into it:

[EditionID]
Professional
[Channel]
OEM
[VL]
0

Save it as EI.cfg.

P.S. In [Channel] type RETAIL if the OS license key is a retail-acquired license.

For the second file, create a .txt and copy the following into it:

[PID]
VALUE= type_in_your_windows_license_key

Save it twice, once as PID.txt and once as PID.cfg.

Copy the three files (EI.cfg, PID.txt and PID.cfg) to the Sources folder of the ISO file that you downloaded.

Recompile or save the .iso file and either burn it to a bootable DVD or create a bootable USB stick.

Restart the computer and boot from your media.

Complete the installation, formatting the HDD, and enjoy your newly upgraded OS.
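The two override files can be generated rather than typed, and on the laptop itself you can first see the firmware-embedded key that setup would otherwise reuse. The following PowerShell script is an added example, not part of the original post: the SourcesPath and the sample key are placeholders, and the firmware key is read from the SoftwareLicensingService class's OA3xOriginalProductKey property.

```powershell
# Added example (not from the original post): build EI.cfg and PID.txt/PID.cfg from parameters,
# validate the key format, and show whether a firmware-embedded OEM key is present on this machine.
# The path and key below are placeholders; replace them with the extracted ISO's sources folder
# and the purchased key.
param(
    [string]$SourcesPath = 'C:\iso-extract\sources',
    [string]$EditionID  = 'Professional',
    [ValidateSet('OEM', 'Retail')][string]$Channel = 'OEM',
    [string]$ProductKey = 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX'
)

function Test-ProductKeyFormat {
    param([string]$Key)
    # Five dash-separated groups of five characters; the check is on shape only, not on the
    # narrower character set Windows keys actually use.
    return $Key -match '^([A-Z0-9]{5}-){4}[A-Z0-9]{5}$'
}

function New-SetupOverrideFiles {
    param([string]$Path, [string]$Edition, [string]$Chan, [string]$Key)
    if (-not (Test-ProductKeyFormat -Key $Key)) {
        throw "Product key '$Key' is not in XXXXX-XXXXX-XXXXX-XXXXX-XXXXX form"
    }
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    # EI.cfg: which edition setup installs, from which channel, and whether it is volume-licensed.
    $eiLines = @('[EditionID]', $Edition, '[Channel]', $Chan.ToUpper(), '[VL]', '0')
    Set-Content -Path (Join-Path -Path $Path -ChildPath 'EI.cfg') -Value $eiLines -Encoding ASCII
    # PID.txt pre-seeds the key so setup does not fall back to the firmware one; the post keeps a
    # PID.cfg copy as well. ($PID is an automatic variable, hence the longer name.)
    $pidLines = @('[PID]', "Value=$Key")
    foreach ($name in 'PID.txt', 'PID.cfg') {
        Set-Content -Path (Join-Path -Path $Path -ChildPath $name) -Value $pidLines -Encoding ASCII
    }
    return Get-ChildItem -Path $Path | Where-Object { $_.Name -in 'EI.cfg', 'PID.txt', 'PID.cfg' }
}

function Get-FirmwareProductKey {
    # Key the OEM stored in firmware (what setup silently reuses); empty when none is present.
    $svc = Get-CimInstance -ClassName SoftwareLicensingService -ErrorAction SilentlyContinue
    return $svc.OA3xOriginalProductKey
}

New-SetupOverrideFiles -Path $SourcesPath -Edition $EditionID -Chan $Channel -Key $ProductKey |
    Select-Object FullName, Length
$fw = Get-FirmwareProductKey
if ($fw) { "Firmware-embedded key present (ends in $($fw.Substring($fw.Length - 5))); EI.cfg and PID.txt will override it." }
else     { 'No firmware-embedded key found on this machine.' }
```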

Cheers, till next time!

Written and tested by Creative People Team: Andreas Lavazos and Chrysostomos Psaroudakis

How to create Microsoft HyperV cluster

Prerequisites

We will need:

  • An iSCSI-enabled network attached storage (NAS), like a QNAP.
  • 2 PCs/servers with an equal number of NICs (4+ NICs needed), RAM and CPU type
  • A working Active Directory domain on Windows 2012 R2

For proper Hyper-V operation you will need n+1 NICs, where n is the number of VMs hosted on the hypervisor.

For the cluster we are about to build we need 3 NICs on each node of the cluster, plus n NICs for the n VMs we are about to host.

Make a good sketch of your solution, so that NIC IPs and configuration are handy at all times during installation or troubleshooting.

On the sketch you will see that each of the nodes (node03/node04) has 3 NICs configured (the remaining NICs are virtual-switched in Hyper-V and therefore have no part in this sketch):

  • 1x NIC per node connected to the network switch (that's the interface we use for joining the PC/server to our domain). In our scenario NODE03 has the IP 10.124.10.3 and NODE04 10.124.10.4.
  • 1x NIC per node connected to the RSO/NAS (directly or via a switch). In our scenario NODE03 has the IP 172.16.0.1 and NODE04 172.16.0.2.
  • 1x NIC per node connected to the other node (no need for a crossover cable if auto-MDIX is supported by your NICs; it's standard nowadays). We call this the heartbeat cable; through it each cluster node gets the status of its partner node. In our scenario NODE03 has the IP 192.168.1.1 and NODE04 192.168.1.2.

Join all to the same domain

Ensure all nodes (Hyper-V servers) and the QNAP are joined to the same Active Directory domain.

Organise and name your nodes' NICs

Configure the NICs for the failover cluster: rename all network cards and make the names identical on both servers, to save yourself from questions about auto-moving resources. Be very careful in identifying the physical location of each NIC.

a. Rename all Network cards

b. Rename the domain network NIC as Production and deselect unnecessary protocols and features

Whether IPv6 is enabled or disabled is up to the installer; proceed according to your internal network specs.

IPv6 should be unchecked.

Make sure "Register this connection's addresses in DNS" is checked.

On the WINS tab, enable the NetBIOS over TCP/IP option.

c. Configure the RSO NICs as RSO and deselect unnecessary protocols and features

IPv6 was deselected in our scenario in order to avoid IPv6 communication failures.

d. Configure the heartbeat NICs as Heartbeat and deselect unnecessary protocols and features

Uncheck IPv6.

Watch it now! Set the heartbeat IPs with no gateways and no DNS servers.

Make sure "Register this connection's addresses in DNS" is NOT checked, and make sure NetBIOS over TCP/IP is NOT checked!

Your Heartbeat NIC properties should then show a static IP on the 192.168.1.x heartbeat subnet, no gateway, no DNS servers, no DNS registration and NetBIOS over TCP/IP disabled.

e. Set the network priority (arrange the binding order)

Navigate to Advanced Settings through Network and Internet -> Network Connections.

Open your network connections and click Advanced > Advanced Settings.

Arrange the adapter binding order as follows:

  1. Production
  2. Storage
  3. Heartbeat

This is very important to how each node responds and reacts to network requests. If you omit this step, latencies in cluster behaviour related to network access or interoperability with other network resources may occur.

Configure NAS/RSO

We assume you have already configured your RAID (the best results we have achieved on COTS systems are RAID 10 and RAID 6). In our scenario we used a QNAP with a 5-HDD RAID 6 array.

a. Configure shared storage (iSCSI target)

Fire up your iSCSI configuration wizard and enable the iSCSI target service on its default port, 3260.

Through the iSCSI storage configuration wizard, select "Create a new iSCSI target with a mapped LUN (Logical Unit Number)".

VERY IMPORTANT!

"Target Name" and "Target Alias" should be Quorum.

Clustering access to the iSCSI target from multiple initiators must be "Enabled".

Name it Quorum. That's the most important shared storage resource of the cluster, since the cluster configuration is exchanged between nodes through it.

Make sure you check "Enable clustering access to the iSCSI target from multiple initiators", to avoid the data corruption that occurs on simultaneous iSCSI connections and to prepare this part of the storage for CSVFS.

Don't use CHAP authentication unless needed.

Don't use more than 1 GB for the Quorum, since you will never exceed it.

Allocate space from your storage pool.

For performance purposes we select "Allocate space from a storage pool as an iSCSI LUN". Moreover, the disk space is pre-allocated, which makes your cluster storage safer in cases of rapid data growth in the rest of its free disk space.

Repeat the above steps 2 more times, once for each of the following names:

  1. ClusterDisk1, with allocated space as preferred
  2. ClusterDisk2, with allocated space as preferred

You need at least one cluster disk; if you need more resources, prepare more.

In the iSCSI target list you will see the iSCSI targets you just created.

Quorum and cluster disks should appear as "Ready" after the initialization of the iSCSI storage.

After finishing with the NAS configuration, we proceed with the nodes.

b. Connect to the iSCSI targets from both nodes

Both nodes must be connected to our storage using the iSCSI Initiator (through the Server Manager tools).

From Server Manager, select Tools > iSCSI Initiator. A message will come up informing you that the iSCSI initiator service will start automatically the next time Windows loads.

On the Discovery tab hit Discover Portal.

Be careful to enter the IP of the RSO that belongs to the nodes' RSO network, e.g. in our example 172.16.0.xxx.

Discovery should find the IP address and port of your iSCSI target (make sure your cluster nodes' RSO NICs and the iSCSI RSO are on the same switch or VLAN).

Following that, on the Targets tab, you should be able to see your disks (including Quorum) as "Inactive".

Proceed to connect them: go back to the Targets tab, hit Refresh and, when the list is populated, hit Connect.

Do the above on both nodes.

c. Initialize disks

On the first node open the Disk Management console. Right click on each of the new hard disks that appear and select Online.

Initialize the disk and create a new simple volume.

Assign the drive letter Q for Quorum; we don't care what you put on the rest.

Format it as NTFS and name it Quorum.

Proceed with the same process for ClusterDisk1 and 2; put whatever drive letter you like. At the end of the process all three disks are online, initialized and formatted on the first node.

Launch Disk Management on the second node and bring the already prepared disks online.

Hyper-V installation on both nodes

Through the Manage tab, select "Add Roles and Features".

From Server Roles, select the Hyper-V role and proceed.

Include management tools and proceed to add the feature.

Create the virtual switch (Production) on both nodes

In your Hyper-V Manager console select the Virtual Switch Manager action on the right.

Create a new virtual network switch of type External. Make sure you don't select ANY of your RSO or Heartbeat NICs!

Name the virtual switch, assign the appropriate NIC and check the option "Allow management operating system to share this network adapter".

Do the same on both nodes.

Install the Failover Clustering feature on both nodes

Through "Add Roles and Features" we proceed to "Features".

Select "Failover Clustering" and proceed.

Do the same on both nodes.

Validate the cluster configuration

Pick one of the two nodes and run the cluster validation configuration tool.

The wizard's steps validate the cluster's failover configuration.

Since all nodes are "Validated" we can proceed to create the failover cluster.

Create the Hyper-V failover cluster

We proceed to create the cluster through Failover Cluster Manager.

Make sure all required servers have been selected (separated by a comma ",").

Provide the cluster name and verify that the addresses are correct for each network that is part of the failover cluster.

Your cluster has been created; review the summary again.

Rename cluster networks for easy understanding and mapping to the physical node NICs.

Through Failover Cluster Manager, we configure the networks' names and communication permissions.

Specifically, on the Heartbeat network we ONLY allow cluster network communication.

On the Production network, we allow cluster network communication AND also allow clients to connect through it.

On the Storage network we DO NOT allow any cluster network communication.

Through the above steps, we also have the chance to check once again that the subnets have been assigned correctly.

Enable Cluster Shared Volumes

Following the cluster networks configuration, we are ready to ADD the storage disks to our cluster.

Through Failover Cluster Manager -> Storage -> Disks, we should see our cluster disks marked as "Available Storage". Selecting them one by one, we add them to "Cluster Shared Volumes".

WE DO NOT TAKE ANY ACTION ON THE QUORUM DISK!

At the end of the process all added disks should be marked as "Assigned to Cluster Shared Volume".

Create a VM and configure it for high availability, or make an existing VM highly available

Test the failover cluster by shutting down the node holding the VM resources. If you see the VMs moving to the other node you are ready to start serving clients. Further tests should be made regarding the VMs' functionality.
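Most of the cluster problems this walkthrough guards against come from a NIC or cluster network that drifted from the settings above. The following PowerShell script (an added example, not part of the original post) audits one node against them; it assumes the adapters are named Production, Storage and Heartbeat as in step (b)-(d), that the cluster networks carry the same names, and that the FailoverClusters module is installed on the node.

```powershell
# Added example (not from the original post): audit a cluster node against the NIC and
# cluster-network settings prescribed in the walkthrough. Adapter and cluster network names
# are the ones used above; the FailoverClusters module is assumed to be installed on the node.

# Per adapter: should it have a default gateway and DNS servers, should it register in DNS,
# and the expected Win32_NetworkAdapterConfiguration.TcpipNetbiosOptions (1 = enabled, 2 = disabled).
$expectedNic = @{
    'Production' = @{ Gateway = $true;  DnsServers = $true;  RegisterDns = $true;  NetBios = 1 }
    'Storage'    = @{ Gateway = $false; DnsServers = $false; RegisterDns = $false; NetBios = 2 }
    'Heartbeat'  = @{ Gateway = $false; DnsServers = $false; RegisterDns = $false; NetBios = 2 }
}
# Cluster network roles: 0 = no cluster communication, 1 = cluster only, 3 = cluster and client.
$expectedRole = @{ 'Heartbeat' = 1; 'Production' = 3; 'Storage' = 0 }

function Test-NodeAdapter {
    param([string]$Alias, [hashtable]$Want)
    $ipcfg = Get-NetIPConfiguration -InterfaceAlias $Alias -ErrorAction Stop
    $dnsClient = Get-DnsClient -InterfaceAlias $Alias
    $wmiCfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration |
              Where-Object { $_.InterfaceIndex -eq $ipcfg.InterfaceIndex }
    $ipv6 = Get-NetAdapterBinding -Name $Alias -ComponentID ms_tcpip6
    $hasGateway = [bool]$ipcfg.IPv4DefaultGateway
    $hasDns     = [bool]($ipcfg.DNSServer | Where-Object { $_.ServerAddresses })
    [pscustomobject]@{
        Adapter     = $Alias
        GatewayOk   = ($hasGateway -eq $Want.Gateway)
        DnsServerOk = ($hasDns -eq $Want.DnsServers)
        RegisterOk  = ($dnsClient.RegisterThisConnectionsAddress -eq $Want.RegisterDns)
        NetBiosOk   = ($wmiCfg.TcpipNetbiosOptions -eq $Want.NetBios)
        IPv6Enabled = $ipv6.Enabled   # the walkthrough unchecks IPv6 on Storage and Heartbeat
    }
}

function Test-ClusterNetworkRole {
    # One row per cluster network, compared with the role the walkthrough assigns by name.
    foreach ($net in Get-ClusterNetwork) {
        $want = $expectedRole[$net.Name]
        [pscustomobject]@{
            Network = $net.Name
            Subnet  = '{0}/{1}' -f $net.Address, $net.AddressMask
            Role    = [int]$net.Role
            RoleOk  = ($null -ne $want -and [int]$net.Role -eq $want)
        }
    }
}

$expectedNic.Keys | ForEach-Object { Test-NodeAdapter -Alias $_ -Want $expectedNic[$_] } |
    Format-Table -AutoSize
if (Get-Command -Name Get-ClusterNetwork -ErrorAction SilentlyContinue) {
    Test-ClusterNetworkRole | Format-Table -AutoSize
}
```

Run it on both nodes; any row with a False tells you which of steps (b)-(d) or the cluster network permissions was missed on that node.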

Written and tested by Creative People Team: Costantinos Koptis, Andreas Lavazos and Chrysostomos Psaroudakis

DEFENCO ACRITAS Mini Heli UAV

DEFENCO ACRITAS Mini Heli UAV, featuring CBRNE sensors from NCSR Demokritos, IR and day Hitachi lens cams, FPV and autopilot. Prototype for the #ACRITAS project. #UAV #Helicopter #CBRNE #BorderSecurity. Special thanks to our partners Defenco, SATWAYS, Demokritos, KEMEA, NOA, EMC, HAI, University of the Aegean. #CreativePeople.gr

Walkthrough: Installing an Intel Ethernet Card on Server 2012 / 2012 R2

In many cases you will find that it is impossible to install Ethernet cards made by Intel, or Intel Gigabit cards, on a computer running Windows Server 2012 / 2012 R2.

The driver installation stops because the driver software cannot detect any Intel Ethernet cards. The problem exists because Intel's setup program tries to install the driver automatically, when it should let the operating system take over the installation process. A list of devices excluded from installation has also been added, which causes the driver installation to freeze.

The reason this is done is not known; presumably it is to prevent operators from installing drivers that may not work in certain setups.

Intel card installation error

For the installation to succeed we need to take several actions that will force the installation process to complete.

Below we present in detail the steps that must be followed.

Disabling driver signing & enabling Test Mode

Run the Command Prompt with administrator rights and enter the following commands:

bcdedit -set loadoptions DISABLE_INTEGRITY_CHECKS

bcdedit -set TESTSIGNING ON

Once the commands have run, restart the computer.

The operating system now allows the installation of unapproved device drivers.

Preparing the custom driver for installation

First you must download your device's driver from the manufacturer's site, unless you already have it.

Then extract the driver files somewhere on the computer. In our example the driver is for the Intel 82579V Gigabit NIC and it was extracted to C:\temp\Intel_LAN_V17.1.50.0_Win8_Beta\PRO1000\Winx64\NDIS63.

All .inf files that contain the device's hardware IDs must be opened and edited.

So first we need to find the device's IDs, by going to Device Manager and selecting the malfunctioning device. On the Details tab we select Hardware IDs:

Device Manager -> Details -> Hardware ID

In this case 'VEN_8086&DEV_1503' will be used. On your system the IDs will most likely be different.

Now that we have both the Vendor and the Hardware IDs, we can search the folder where we extracted the driver earlier for the files that contain these specific Hardware IDs.

In PowerShell, having first navigated to the folder where the driver was extracted, run the following command:

Get-ChildItem -Recurse -Filter *.inf | Select-String -Pattern "the Hardware ID" | Group-Object Path | Select-Object Name

This command returns all the .inf files in the driver folder and its subfolders that refer to the specific Hardware ID.

Here we can narrow down the files a little, if we know the version of our operating system, whether it is 32-bit or 64-bit. In our example the OS is 64-bit, so we focus on the Winx64 folders.

The table below lists how the driver versions map to operating systems.

Version  | Desktop OS  | Server OS
-------- | ----------- | --------------
NDIS 6.0 | Vista       | *
NDIS 6.1 | Vista SP1   | Server 2008
NDIS 6.2 | Windows 7   | Server 2008 R2
NDIS 6.3 | Windows 8   | Server 2012
NDIS 6.4 | Windows 8.1 | Server 2012 R2

Based on the above, the version we need for our example is NDIS63.

So our search narrows down to a single file, e1c63x64.inf.
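Reading the .inf by hand is what the rest of this walkthrough does; the following PowerShell script (an added example, not part of the original post) does the same mechanically: it parses an INF into sections, honouring comments and the trailing-backslash line continuation, and then reports whether a hardware ID is listed in [ControlFlags] ExcludeFromSelect and which model sections offer it. The INF text inside it is a constructed, shortened stand-in for e1c63x64.inf, not Intel's file.

```powershell
# Added example (not from the original post): parse an .inf the way the walkthrough reads it by
# hand, and report whether a hardware ID is excluded and which model sections list it.
# The INF below is a constructed, shortened stand-in for e1c63x64.inf (pre-edit state).
$sampleInf = @'
[Version]
Signature   = "$Windows NT$"
Class       = Net
[Manufacturer]
%Intel%     = Intel, NTamd64.6.2, NTamd64.6.2.1
[ControlFlags]
ExcludeFromSelect = \
    PCI\VEN_8086&DEV_1502,\
    PCI\VEN_8086&DEV_1503
[Intel]
[Intel.NTamd64.6.2.1]
; DisplayName                   Section              DeviceID
%E1503NC.DeviceDesc%            = E1503.6.2.1,       PCI\VEN_8086&DEV_1503
[Intel.NTamd64.6.2]
%E1502NC.DeviceDesc%            = E1502,             PCI\VEN_8086&DEV_1502
'@

function ConvertFrom-InfText {
    param([string]$Text)
    # Section name -> logical lines, with ';' comments stripped and trailing '\' continuations
    # joined. (A ';' inside a quoted string would also be treated as a comment here.)
    $sections = [ordered]@{}
    $current = $null
    $pending = ''
    foreach ($raw in $Text -split "`r?`n") {
        $line = ($raw -replace ';.*$', '').Trim()
        if (-not $line) { continue }
        if ($line -match '^\[(.+)\]$') { $current = $Matches[1]; $sections[$current] = @(); continue }
        if ($null -eq $current) { continue }
        if ($line.EndsWith('\')) { $pending += $line.TrimEnd('\'); continue }
        $sections[$current] += ($pending + $line)
        $pending = ''
    }
    return $sections
}

function Test-InfHardwareId {
    param([System.Collections.IDictionary]$Inf, [string]$HardwareId)
    # ExcludeFromSelect is a comma-separated list of IDs the installer must not offer.
    $excluded = @()
    foreach ($entry in @($Inf['ControlFlags'] | Where-Object { $_ -match '^ExcludeFromSelect\s*=' })) {
        $excluded += ($entry -replace '^ExcludeFromSelect\s*=', '') -split ',' | ForEach-Object { $_.Trim() }
    }
    # Model sections are the [Manufacturer] targets: "<name>" plus "<name>.<decoration>" for each
    # decoration (here Intel, Intel.NTamd64.6.2 and Intel.NTamd64.6.2.1).
    $models = @()
    foreach ($entry in @($Inf['Manufacturer'])) {
        $parts = @((($entry -split '=', 2)[1] -split ',') | ForEach-Object { $_.Trim() })
        $base = $parts[0]
        $models += $base
        if ($parts.Count -gt 1) {
            foreach ($dec in $parts[1..($parts.Count - 1)]) { if ($dec) { $models += "$base.$dec" } }
        }
    }
    $listedIn = foreach ($m in $models) {
        if (@($Inf[$m] | Where-Object { $_ -match [regex]::Escape($HardwareId) }).Count -gt 0) { $m }
    }
    [pscustomobject]@{
        HardwareId = $HardwareId
        Excluded   = ($excluded -contains $HardwareId)
        ListedIn   = @($listedIn)
    }
}

$inf = ConvertFrom-InfText -Text $sampleInf
Test-InfHardwareId -Inf $inf -HardwareId 'PCI\VEN_8086&DEV_1503' | Format-List
```

For the sample this reports Excluded True and ListedIn {Intel.NTamd64.6.2.1}, which is exactly why the walkthrough comments out the ExcludeFromSelect lines and adds the DEV_1503 entries to [Intel.NTamd64.6.2]; point the function at the real file with Get-Content -Raw to check the edited result.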

In the box below we have written the changes that must be made and incorporated into the file e1c63x64.inf so that the driver installation completes.

;**  Unless otherwise agreed by Intel in writing, you may not remove or      **
;**  alter this notice or any other notice embedded in Materials by Intel    **
;**  or Intel's suppliers or licensors in any way.                           **
;******************************************************************************
;
;******************************************************************************
; e1c63x64.INF (Intel 64 bit extension Platform Only,
; Windows 8 64 bit extension)
;
; Intel(R) Gigabit Network connections
;******************************************************************************
;
[Version]
Signature   = "$Windows NT$"
Class       = Net
ClassGUID   = {4d36e972-e325-11ce-bfc1-08002be10318}
Provider    = %Intel%
CatalogFile = e1c63x64.cat
DriverVer   = 03/29/2012,12.1.10.0

[Manufacturer]
%Intel%     = Intel, NTamd64.6.2, NTamd64.6.2.1

[ControlFlags]
;ExcludeFromSelect = \
;    PCI\VEN_8086&DEV_1502,\
;    PCI\VEN_8086&DEV_1503

[Intel]

[Intel.NTamd64.6.2.1]
; DisplayName                   Section              DeviceID
; -----------                   -------              --------
%E1502NC.DeviceDesc%            = E1502.6.2.1,       PCI\VEN_8086&DEV_1502
%E1502NC.DeviceDesc%            = E1502.6.2.1,       PCI\VEN_8086&DEV_1502&SUBSYS_00011179
%E1502NC.DeviceDesc%            = E1502.6.2.1,       PCI\VEN_8086&DEV_1502&SUBSYS_00021179
%E1502NC.DeviceDesc%            = E1502.6.2.1,       PCI\VEN_8086&DEV_1502&SUBSYS_80001025
%E1503NC.DeviceDesc%            = E1503.6.2.1,       PCI\VEN_8086&DEV_1503
%E1503NC.DeviceDesc%            = E1503.6.2.1,       PCI\VEN_8086&DEV_1503&SUBSYS_00011179
%E1503NC.DeviceDesc%            = E1503.6.2.1,       PCI\VEN_8086&DEV_1503&SUBSYS_00021179
%E1503NC.DeviceDesc%            = E1503.6.2.1,       PCI\VEN_8086&DEV_1503&SUBSYS_80001025
%E1503NC.DeviceDesc%            = E1503.6.2.1,       PCI\VEN_8086&DEV_1503&SUBSYS_04911025

[Intel.NTamd64.6.2]
; DisplayName                   Section        DeviceID
; -----------                   -------        --------
%E1502NC.DeviceDesc%            = E1502,       PCI\VEN_8086&DEV_1502
%E1502NC.DeviceDesc%            = E1502,       PCI\VEN_8086&DEV_1502&SUBSYS_00011179
%E1502NC.DeviceDesc%            = E1502,       PCI\VEN_8086&DEV_1502&SUBSYS_00021179
%E1502NC.DeviceDesc%            = E1502,       PCI\VEN_8086&DEV_1502&SUBSYS_80001025
%E1503NC.DeviceDesc%            = E1503,       PCI\VEN_8086&DEV_1503
%E1503NC.DeviceDesc%            = E1503,       PCI\VEN_8086&DEV_1503&SUBSYS_00011179
%E1503NC.DeviceDesc%            = E1503,       PCI\VEN_8086&DEV_1503&SUBSYS_00021179
%E1503NC.DeviceDesc%            = E1503,       PCI\VEN_8086&DEV_1503&SUBSYS_80001025
%E1503NC.DeviceDesc%            = E1503,       PCI\VEN_8086&DEV_1503&SUBSYS_04911025

;===============================================================================
;                WINDOWS 8 for 64-bit EXTENDED PLATFORMS
;
;===============================================================================

In short: delete (or comment out, as shown) the three lines under [ControlFlags], then add your hardware IDs to the [Intel.NTamd64.6.2.1] and [Intel.NTamd64.6.2] model sections, each pointing at the install section that belongs to that section (E1502.6.2.1/E1503.6.2.1 and E1502/E1503 respectively), and save the .inf file. Keep in mind that any edit to the .inf breaks its match with the e1c63x64.cat catalog signature; that is why signature enforcement has to be relaxed for this installation and must be restored right afterwards.

Driver installation

Next, run the driver's setup; this time it will complete.


Re-enabling Driver Signing and disabling Test Mode

Once the installation has finished, we must restore the driver signing and test mode settings, so that the machine does not stay in a state where it will load unsigned kernel drivers.

Run Command Prompt as Administrator and enter the following commands (bcdedit accepts both - and / for switches; "bcdedit /deletevalue loadoptions" removes the load option altogether instead of overriding it, and either way the change takes effect at the next reboot):

bcdedit -set loadoptions ENABLE_INTEGRITY_CHECKS

bcdedit -set TESTSIGNING OFF
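A check to run after the reboot, as an added example (not code from the original post): it reads the boot configuration back to confirm test signing is off and integrity checks are no longer disabled, and it lists the driver the NIC actually ended up with, including whether Windows recorded the package as signed. It assumes an elevated PowerShell 3.0 or later on the workstation; the adapter-name filter is an assumption to adjust to your hardware.

```powershell
# Added example, not from the original post: confirm that driver-signature
# enforcement is back on and see how the NIC's driver ended up installed.
# Run from an elevated PowerShell on the workstation; the device-name
# filter used at the bottom is an assumption.
function Get-CodeIntegrityBootState {
    # bcdedit prints "name   value" pairs; testsigning and loadoptions are
    # simply absent from the output when they have never been set.
    $lines = & bcdedit.exe /enum '{current}' 2>&1
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed (not elevated?): $lines" }
    $testSigning = $false
    $loadOptions = ''
    foreach ($line in $lines) {
        if ($line -match '^testsigning\s+Yes')   { $testSigning = $true }
        if ($line -match '^loadoptions\s+(.+)$') { $loadOptions = $Matches[1].Trim() }
    }
    [pscustomobject]@{
        TestSigningEnabled      = $testSigning
        LoadOptions             = $loadOptions
        IntegrityChecksDisabled = [bool]($loadOptions -match 'DISABLE_INTEGRITY_CHECKS')
        Enforcing               = (-not $testSigning) -and ($loadOptions -notmatch 'DISABLE_INTEGRITY_CHECKS')
    }
}

function Get-InstalledNetDriver {
    param([string] $DeviceNameLike = '*Intel*Gigabit*')   # assumption: adjust to your adapter
    # Win32_PnPSignedDriver reports, per device, the INF that was used and
    # whether the package passed signature verification when it was installed.
    Get-CimInstance -ClassName Win32_PnPSignedDriver |
        Where-Object { $_.DeviceClass -eq 'NET' -and $_.DeviceName -like $DeviceNameLike } |
        Select-Object DeviceName, HardWareID, InfName, DriverVersion, IsSigned, Signer
}

Get-CodeIntegrityBootState
Get-InstalledNetDriver | Format-List
```

Enforcing should read True once both bcdedit commands have been applied and the machine rebooted. Because the INF was edited, expect IsSigned to be False for this driver: that is the trade-off the procedure makes, and it is the reason to leave the box with enforcement on rather than in test mode.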

Written and executed by Andreas Lavazos@CreativePeople

Copyright Creative People ©2016

 

BOOTMGR is missing!

Recently we ran into a strange case involving Windows Server 2012 R2 booting. After installing a "few" required updates on our Hyper-V host and running a backup, we restarted the server.

On reboot, BOOTMGR seemed to be damaged and we couldn't get it to run. For a reason that was revealed later, the backup had overwritten \windows\BOOT, because of a wrong assignment of the SATA cables on the motherboard.

So we tried a few ways of recovering the boot files needed to get it back on the road, with the least possible collateral damage.

We tried three approaches. All of them are described below, apart from the repair from CD/.iso, which we had already tried and which didn't help...

For all the actions below you have to boot from the matching OS CD/.iso and open a Command Prompt from the REPAIR options.

1st attempt

C:
Bootrec.exe /rebuildbcd

This command searches for Windows installations that are not included in the Boot Configuration Data and then asks whether you'd like to add one or more of them.

If you are lucky (unlike us), you will get the message below:

Successfully scanned Windows installations.
Total identified Windows installations: 1
[1] D:\Windows
Add installation to boot list? Yes<Y>/No<N>/All<A>:

If so, you obviously type Y and then reboot your PC... problem solved!

Otherwise, of course, you can answer N and move on to the other possible solutions described below!

2nd attempt

The idea of the second attempt was to check whether the partition containing BOOT was still there and, if so, to use Robocopy together with Bootrec to replace/plant the BOOT files in the correct location. Here we go again...

DISKPART

DISKPART> list disk          [lists every disk on the system]

BOOT is usually on disk 0, so select that disk first:

DISKPART> select disk 0
DISKPART> list partition     [lists the partitions of the selected disk; pick the boot partition, usually the smallest one]
DISKPART> select partition 1 [or 2, etc.]
DISKPART> active

Note that "active" only applies to MBR disks; on a GPT/UEFI system the boot files live on the EFI System Partition and this step does not apply. Also, inside the recovery environment the drive letters can differ from the ones the installed OS uses, so check with "list volume" which letter the partition you just marked active has before copying files to it.

Now we have to copy all the missing files to the selected BOOT partition, and Robocopy will help us do that. Here "D:" stands for our CD-ROM / mounted .iso.

D:
Robocopy D:\ C:\ bootmgr
Robocopy D:\Boot C:\Boot /s

At this point check that the files were copied correctly with the command below (the /ah switch is needed because bootmgr and the Boot folder are hidden):

Dir C:\ /ah

If bootmgr and the Boot folder show up in the listing, you did well!

Otherwise... repeat the process.

Finally, run the following commands to update the BCD store:

C:
bcdedit /store c:\boot\bcd /set {default} device partition=c:
bcdedit /store c:\boot\bcd /set {default} osdevice partition=c:
bcdedit /store c:\boot\bcd /set {bootmgr} device partition=c:
bcdedit /store c:\boot\bcd /set {memdiag} device partition=c:
BCDBoot c:\windows
Bootrec /fixmbr   [fixes the Master Boot Record]
Exit

Now your server should be up and running!!

*If not… we suggest a final attempt to fix this before re-installing!!

3rd attempt

The third idea was to "force" a manual repair of the damaged/missing partition directly from the CD/.iso.

So...

We boot from the CD/.iso and open cmd from the repair options.

C:
Bootrec.exe /fixmbr
Bootrec.exe /fixboot
Bootrec.exe /rebuildbcd
bootsect.exe /nt60 ALL /force

(/nt60 is a bootsect.exe option, not a Bootrec.exe one: it rewrites the boot code of every volume with BOOTMGR-compatible code. bootsect.exe ships in the \boot folder of the install media, so run it from there if it is not on the path.)

*Regardless of whether the commands above reply positively or negatively, proceed:*

X:
X:\sources\recovery\StartRep.exe

The repair process runs and will probably report that the problem cannot be repaired.

Repeat the process a few times regardless of the system's negative replies (it took us 3 tries to get it to work), and after the restart your system will be up and running!
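A way to confirm, from the repaired server once it boots, that the files planted in the second attempt and the BCD edits are what the system is actually using. This is an added example, not code from the original post; it assumes an elevated PowerShell 3.0 or later, and the drive letter at the bottom is an assumption.

```powershell
# Added example, not from the original post: after a repair like the ones
# above, confirm from a running Windows (elevated PowerShell) that the boot
# files are in place and that the BCD entries point where you expect. The
# drive letter used at the bottom is an assumption.
function Test-BootFiles {
    param([Parameter(Mandatory)] [string] $SystemPartition)   # e.g. 'C:'
    $result = [ordered]@{}
    foreach ($name in 'bootmgr', 'Boot\BCD') {
        $path = Join-Path $SystemPartition $name
        # -Force is required: bootmgr and the Boot folder are hidden+system,
        # which is why the post checks them with "dir /ah".
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        $result[$name] = if ($item) { "present ($($item.Attributes))" } else { 'MISSING' }
    }
    [pscustomobject]$result
}

function Get-BcdEntries {
    param([string] $Store)   # path to a BCD file; omit for the system store
    $bcdArgs = @('/enum', 'all')
    if ($Store) { $bcdArgs = @('/store', $Store) + $bcdArgs }
    $out = & bcdedit.exe @bcdArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed (not elevated?): $out" }

    # Entries are blocks that start with "identifier  {...}" and carry
    # "device"/"osdevice"/"path" lines; only those three matter here.
    $entries = @()
    $cur = $null
    foreach ($line in $out) {
        if ($line -match '^identifier\s+(\S+)') {
            $cur = [ordered]@{ Identifier = $Matches[1]; Device = ''; OsDevice = ''; Path = '' }
            $entries += $cur
        }
        elseif ($null -ne $cur -and $line -match '^(device|osdevice|path)\s+(.+)$') {
            switch ($Matches[1]) {
                'device'   { $cur.Device   = $Matches[2].Trim() }
                'osdevice' { $cur.OsDevice = $Matches[2].Trim() }
                'path'     { $cur.Path     = $Matches[2].Trim() }
            }
        }
    }
    $entries | ForEach-Object { [pscustomobject]$_ }
}

Test-BootFiles -SystemPartition 'C:'
# After the second attempt, {bootmgr} and the OS loader entry should both show partition=C:
Get-BcdEntries |
    Where-Object { $_.Identifier -in '{bootmgr}', '{default}' -or $_.OsDevice } |
    Format-Table -AutoSize
```

Pass -Store with the path of an offline BCD file (for example the one on a disk attached to another machine) to inspect a store that is not the running system's.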

Exchange 2003 failing to start: restoring while keeping the latest mailbox store, using eseutil /r /i

I just ran into a VM running Exchange 2003 that failed to boot.

Thank God:
I had a backup of the VM.
I had separated the Exchange mailboxes from the system and put them on a second attached VHD.

When I tried to attach the system VHD to the host, it failed... I don't even remember the exact error message, since I was rather frustrated! Fortunately the mailbox VHD attached successfully, somehow luckily! So the mailboxes were intact!

I restored both VHDs from backup, keeping in mind that if I replaced the mailbox VHD users would lose at least one day of mail (I don't even want to think about it).

So I kept the current mailbox VHD and restored only the system VHD from the previous night's backup.

Booted the VM and all services came up... with no problem... Come on, be a sport, it can't be that easy!

Well, after launching Exchange System Manager, the Mailbox Store and Public Folder Store could not be mounted!

Ok…fingers crossed and we fire up the restore process.

Navigate to your logs folder (where the E00xxxxx log files are, x:\mdbdata\). Take a copy of that folder somewhere safe first: the replay below modifies the .edb files in place.

Copy eseutil.exe and ese.dll, which you will find in c:\program files\Exchsrvr\bin, into x:\mdbdata.

These files need to be in the same folder as the logs (just to make the process easier, without wasting time with paths).

Open a command prompt and type

x:\mdbdata\eseutil /r E00 /i

and press Enter. E00 is the three-character log base name, i.e. the prefix of the E00.log / E00xxxxx.log files in the folder; eseutil /r requires it.

The /i switch tells it to ignore mismatched or missing database attachments.

The replay of the transaction logs into the Exchange databases will start; you can monitor it by refreshing the Application log.

Be patient: the more E00 logs you have, the longer it will take.

After eseutil has finished, go ahead and manually mount your Mailbox and Public Folder stores.
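The same recovery wrapped so that each store's state is checked before and after the replay, as an added example (not code from the original post). It reads the "State:" line of eseutil /mh, which says Dirty Shutdown while logs still need replaying and Clean Shutdown afterwards, works out the log base name from the E00.log file instead of hard-coding it, and runs eseutil /r from the log folder exactly as the post does. It is written for the PowerShell 2.0 that an Exchange 2003 server would have; the eseutil path is the Exchange 2003 default, priv1.edb/pub1.edb are the default store names, a single storage group is assumed, and the log folder at the bottom is an assumption.

```powershell
# Added example, not from the original post: wrap the eseutil steps so that the
# state of each store is checked before and after the log replay. Defaults are
# Exchange 2003 defaults; the log folder used at the bottom is an assumption.
function Get-EseDatabaseState {
    param([Parameter(Mandatory=$true)] [string] $Database,
          [string] $EseUtil = 'C:\Program Files\Exchsrvr\bin\eseutil.exe')
    # "eseutil /mh" dumps the database header; its "State:" line reads either
    # "Clean Shutdown" or "Dirty Shutdown" (logs still need to be replayed).
    $header = & $EseUtil /mh $Database 2>&1
    $state = 'unknown'
    foreach ($line in $header) {
        if ("$line" -match '^\s*State:\s*(.+)$') { $state = $Matches[1].Trim() }
    }
    New-Object PSObject -Property @{ Database = $Database; State = $state }
}

function Get-EseLogBaseName {
    param([Parameter(Mandatory=$true)] [string] $LogFolder)
    # Exchange 2003 names its logs E00.log, E0000001.log, ...: the three-character
    # prefix is the base name that eseutil /r expects. One storage group assumed.
    $current = Get-ChildItem -Path $LogFolder -Filter 'E??.log' |
        Where-Object { -not $_.PSIsContainer } | Select-Object -First 1
    if (-not $current) { throw "no current log (Enn.log) found in $LogFolder" }
    $current.BaseName.ToUpper()
}

function Invoke-EseSoftRecovery {
    param([Parameter(Mandatory=$true)] [string] $LogFolder,
          [string[]] $Databases = @('priv1.edb', 'pub1.edb'),   # Exchange 2003 default store names
          [string] $EseUtil = 'C:\Program Files\Exchsrvr\bin\eseutil.exe')
    $dbPaths = $Databases | ForEach-Object { Join-Path $LogFolder $_ }
    $before  = $dbPaths | ForEach-Object { Get-EseDatabaseState -Database $_ -EseUtil $EseUtil }
    if (-not ($before | Where-Object { $_.State -like 'Dirty*' })) {
        Write-Warning 'Every store already reports Clean Shutdown; nothing to replay.'
        return $before
    }
    $base = Get-EseLogBaseName -LogFolder $LogFolder
    # Run from the log folder, as the post does: without /l and /s eseutil looks
    # for the logs and the checkpoint file in the current directory, and it finds
    # the databases through the paths recorded in the logs (/i ignores mismatches).
    # One run replays the storage group's log set for every store in it.
    Push-Location $LogFolder
    try {
        & $EseUtil /r $base /i
        if ($LASTEXITCODE -ne 0) { throw "eseutil /r $base /i exited with $LASTEXITCODE" }
    }
    finally { Pop-Location }
    $dbPaths | ForEach-Object { Get-EseDatabaseState -Database $_ -EseUtil $EseUtil }
}

# Copy x:\mdbdata somewhere safe first; replay modifies the .edb files in place.
Invoke-EseSoftRecovery -LogFolder 'X:\mdbdata'
```

Both stores should report Clean Shutdown on the second pass; if one is still Dirty, mounting it will fail again and the eseutil output and the Application log are the place to look before trying anything more drastic.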

Till next time:) Goodnight!

see more on http://www.creativepeople.gr

host yy.com [XXX.XXX.XXX.XXX] said: 550-Verification failed for <username@xx.com> 550-No such person at this address 550 Sender verify failed (in reply to RCPT TO command)

Well, that's something you don't see every day! Definitely worth mentioning and writing down, since I may tell this story to my IT grandchildren...

A customer of ours, say xx.com, sends an e-mail to yy.com.

The user username@xx.com gets a non-delivery report (NDR) from our on-premises mail server containing the following text:

host yy.com [XXX.XXX.XXX.XXX] said:
    550-Verification failed for <username@xx.com>
    550-No such person at this address
    550 Sender verify failed (in reply to RCPT TO command)

 

550 Sender verify failed (in reply to RCPT TO command)!!!!

I launched telnet from my PC (a different external IP from the xx.com customer's) and went through the SMTP commands, emulating an e-mail submission to the yy.com mail server (press Enter after each line):

Start > Run > cmd
telnet
set localecho
o mailserver.yy.com 25
EHLO local.domain.name
MAIL FROM:<myemailaddress@creativepeople.gr>
RCPT TO:<username@yy.com>
DATA
Subject: Your message subject

your message
.
QUIT

 

Bingo, message delivered. OK, so what's the problem?

I logged in to my customer's server and did the same (of course replacing myemailaddress@creativepeople.gr with username@xx.com). No luck! Sender verify failed!
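The probe above, which the author typed into telnet twice by hand, as an added example (not code from the original post): a function that speaks just enough SMTP to reach RCPT TO, reads the server's verdict on the envelope sender, and then QUITs, so the sender-verify behaviour is observed without any message being delivered. A second function does the DNS comparison that cracked the case, checking whether the sender's www record and the recipient's MX resolve to the same host. Host names and addresses at the bottom are assumptions; Resolve-DnsName is available on Windows 8 / Server 2012 and later, while the SMTP part only needs .NET.

```powershell
# Added example, not from the original post: reproduce the author's telnet
# probe as a function that stops at RCPT TO, plus the DNS check that showed
# both domains sitting on one host. Names and addresses below are assumptions.
function Test-SmtpSenderAccepted {
    param(
        [Parameter(Mandatory=$true)] [string] $Server,
        [Parameter(Mandatory=$true)] [string] $From,
        [Parameter(Mandatory=$true)] [string] $To,
        [string] $HeloName = 'probe.example.net',   # assumption: use your own resolvable host name
        [int] $Port = 25
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = 20000
    $client.Connect($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
    $writer = New-Object System.IO.StreamWriter($stream, [System.Text.Encoding]::ASCII)
    $writer.NewLine = "`r`n"
    $writer.AutoFlush = $true

    # A reply may span several lines ("250-..."); the final line has a space
    # after the three-digit code instead of a hyphen.
    function Read-Reply {
        $lines = @()
        do {
            $l = $reader.ReadLine()
            if ($null -eq $l) { throw 'connection closed by server' }
            $lines += $l
        } while ($l.Length -ge 4 -and $l[3] -eq '-')
        New-Object PSObject -Property @{ Code = [int]$l.Substring(0, 3); Text = ($lines -join "`n") }
    }
    function Send-Command([string] $Command) { $writer.WriteLine($Command); Read-Reply }

    try {
        $banner = Read-Reply
        $ehlo   = Send-Command "EHLO $HeloName"
        $mail   = Send-Command "MAIL FROM:<$From>"
        $rcpt   = Send-Command "RCPT TO:<$To>"
        # No DATA: the verdict is in the RCPT TO reply, so nothing is delivered.
        $null   = Send-Command 'QUIT'
    }
    finally { $client.Close() }

    New-Object PSObject -Property @{
        Server    = $Server
        From      = $From
        Accepted  = ($rcpt.Code -ge 200 -and $rcpt.Code -lt 300)
        RcptReply = $rcpt.Text
    }
}

function Compare-SenderWebAndRecipientMx {
    param([Parameter(Mandatory=$true)] [string] $SenderDomain,
          [Parameter(Mandatory=$true)] [string] $RecipientDomain)
    # Does the sender's web site live on the same box as the recipient's MX?
    $webIps = @(Resolve-DnsName "www.$SenderDomain" -Type A -ErrorAction Stop |
                Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    $mx = Resolve-DnsName $RecipientDomain -Type MX -ErrorAction Stop |
          Where-Object { $_.Type -eq 'MX' } | Sort-Object Preference | Select-Object -First 1
    $mxIps = @(Resolve-DnsName $mx.NameExchange -Type A -ErrorAction Stop |
               Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    New-Object PSObject -Property @{
        SenderWebIPs   = ($webIps -join ', ')
        RecipientMx    = $mx.NameExchange
        RecipientMxIPs = ($mxIps -join ', ')
        SameHost       = @($webIps | Where-Object { $mxIps -contains $_ }).Count -gt 0
    }
}

# Same destination, two envelope senders: an outside address and the customer's own.
$target = 'mailserver.yy.com'
Test-SmtpSenderAccepted -Server $target -From 'myemailaddress@creativepeople.gr' -To 'username@yy.com'
Test-SmtpSenderAccepted -Server $target -From 'username@xx.com' -To 'username@yy.com'
Compare-SenderWebAndRecipientMx -SenderDomain 'xx.com' -RecipientDomain 'yy.com'
```

In the case described here the first probe comes back Accepted=True, the second carries the 550 "Sender verify failed" text in RcptReply, and SameHost is True, which is the whole diagnosis in three lines. Run the probes from the same IP as the real sending server where you can, since receiving servers may also judge the connecting host.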

I checked SPF records, I checked blacklists... nothing, everything's clean!

But after a closer look at the DNS lookups, we found out that the yy.com recipient has its DNS/web/e-mail hosting at the IP 72.52.232.144 (which resolves to host.giganetworks.com).

OOPS!

Apparently my client xx.com has only web hosting with the same provider, and its www Host A record resolves to that same IP! No DNS and no e-mail service is provided for xx.com, at least that's what I was aware of (after making the necessary changes in the ISP's cPanel).

WOW! What is happening is rather simple...

The xx.com mail server starts talking to the yy.com mail server. They exchange EHLO/HELO, and when xx.com announces username@xx.com as the sender, the yy.com server stops the submission because it THINKS xx.com is spoofing xx.com: the same hosting box serves xx.com's web site, so it treats xx.com as one of its own local domains, looks for the mailbox username@xx.com on itself, finds none ("No such person at this address") and rejects the sender at RCPT TO.

So the mail fails and no submission takes place.

How we resolved this:

Simply e-mailed the ISP, explained what we had found, and made them act as secondary DNS for the xx.com domain, slaved to our primary DNS servers, threatening that I would move the domain and the hosting away the same day...

Case closed, but will be remembered.
