Archive for the ‘Microsoft Server’ Category

WOL not working from new server

When moving things from an old server (that happenes to be running Windows 2008 R2 (64bit)) WOL does not seem to get to anything. It worked on the old server but not on the new one. WTF? First thoughts are something 2008 R2 related or 64bit related. It turns out it probably isn’t any of that. It’s probably the fact that newer servers tend to have multiple NICs and your older hardware only had a simgle NIC. What is going on is that even though the extra NICs aren’t used, as long as they are active (not diabled) then WOL will use one to send it’s packets. Don’t know yet how to reorder the NICs so WOL usues the active one so the simple fix is to diable the NICs that aren’t plugged in to the network. WOL then has to use the active one and it works fine. Jeesh.


No Comments

WSUS breaks after update KB2720211

Another oops by MS…..

Console can’t connect to WSUS.  It errors out and tells you to look at the softwaredistribution.log file. (Where the f… is that???)  It’s in the c:\windows\program files\update servise\logfiles folder of course!  Look at the log and it shows that it can’t connect to susdb and reports Login failed for user ‘NT AUTHORITY\NETWORK SERVICE’ and Cannot open database “SUSDB” requested by the login.


- Applied KB2720211 to a WSUS 3.0 SP2 server thats running on Windows 2008 64 bit server with local SQL db.

-Applied KB2720211 to Windows 2003 server running WSUS 3.0 SP2 and local SQL db.


1. Download the KB2720211 installer for your architecture from Microsoft (
2. Extract WUSSetup.msp from the installer by running the installer with the /extract parameter (example: “WSUS-KB2720211-x64.exe /extract”)
3. With 7-zip, open WUSSetup.msp and extract “PCW_CAB_SUS”.
4. With 7-zip, open “PCW_CAB_SUS” and extract “DbCert”, “DbCertDll”, and “DbCertSql”.
5. Rename those files to “WSUSSignDb.cer”, “WSUSSignDb.dll”, and “WSUSSignDb.sql”, respectively.
6. On your WSUS server, navigate to “C:\Windows\SYSMSI\SSEE\MSSQL.2005\MSSQL\SchemaSig” and copy the extracted “WSUSSignDb.cer” and “WSUSSignDb.dll” to it. Make a backup copy of the two existing versions, just in case.
7. On your WSUS server, navigate to “C:\Program Files\Update Services\Database” and copy the extracted “WSUSSignDb.sql” to it. Make a backup copy of any existing versions of the file.
8. Reinstalled 2720211 - it runs successfully this time.

Don’t even have to reboot or restart anything on 2008 R2 server.

You do have to reboot Windows 2003 server before rerunning the update (step 8)

I’ll update this If microsoft every comes up with an official fix.



Redirect new computers from default container in active directory

This is posted lots of other places but this is easier to find:

Run the Redircmp.exe file at a command prompt by using the following syntax, where container-dn is the distinguished name of the organizational unit that will become the default location for newly created computer objects that are created by down-level APIs:
redircmp container-dn container-dn
Redircmp.exe is installed in the %Systemroot%\System32 folder on Windows Server 2003-based or newer computers. For example, to change the default location for a computer that is created with earlier-version APIs such as Net User to the OU=mycomputers container in the CONTOSO.COM domain, use the following syntax:
C:\windows\system32>redircmp ou=mycomputers,DC=contoso,dc=com

No Comments

PXE deployment doesn’t find WDS server

You’ve had your WDS server working for a while now, but suddenly it appears to stop responding to PXE boot requests. There are no error messages anywhere. WTF? What likely has happened is that the WDS server is running on a server that also has DNS running on it and the WDS and DNS services have overlapped ports with DNS overriding WDS. To fix this on a 2008 R2 server do the following: Set the UdpPortPolicy value in HKLM\System\CurrentControlSet\Services\WDSServer\Parameters to 0.

No Comments

SQL 2008 Sillyness

In server 2008 (and probably other versions as well) if you need to add a user or group local to the server as an SQL user, you get the following lovely error: “Error 15401: Windows NT user or group ‘%s’ not found. Check the name again. ” Domain accounts add fine, but not local accounts. Well, SOME local accounts add fine but other ones don’t Now isn’t that silly? Turns out that any predefined local accounts or groups like “administrators” or “system” need to use the domain “BUILTIN” and not the server name as the domain preface. Problem solv-ed.


No Comments

Restoring Exchange 2003 from a remote Backupexec 9.1 server

So this seems like it should be a fairly straight forward task.  I mean there are a ton of BE backups going on every day and a ton of exchange backups in those.  And I seriously doubt that all of the backups are running from the exchange server (unless it an SBS - but that’s a totally different animal).  But documantation and gotchas are seriously lacking here.  So, follow the bellow exactly!  Do not skip anything otherwise you will go directly to jail and will owe $200.
1)  Install the base OS.
 a) Do a parallel install or scratch install to a folder that is NOT c:\windows on the server to be restored

 2)Install the BE remote agent on the exhcnage server and make sure it is running!
 IMPORTANT!  Don’t forget this - bad things happen!

3) Restore the remote server OS from the BE server.
 Only include the C:, D: volumes and system state. Do NOT include the exchange stores.
 Before restarting, edit the Boot.ini to add back the parallel install.  IMPORTANT because it’s likely the restore will munch one or more of the drivers

4) If the server does not restart, it’s probably the video driver.
 restart in safe mode, then reinstall the correct video driver - even if it says it’s already there.

5) Once successfully restarted, start the Exchange store.
 Make sure the stores are dismounted
 In the store properties, check the setting to allow restore.

6) restore the exchange store from BE.

7) there may be misc stuff to cleanup but it should be mostly good to go.
what can happen???

If you forget to install or don’t have the remote agent running on the remote server, BE will restore the system state to the local server!  No shit!
It won’t tell you it did that - it will only fail on the volume restores but say the system state was successful.  If you see something like that - DO NOT REBOOT!�
Immediately restore the local system state from BE.  If you screwed that up, then you’ll need to do a parallel OS install.�
You will need to remove (or rename the existing MSSQL$dackupexec instance and make sure when you install BE, you install to a different directory.
Unless you want to recatalog the tape (yikes!) copy all of the *.ui1 files from the backupexec/nt/catalog folder to the new install.
Then, you will need to service pack the OS up to the level the orginal server was.  Then restore in Directory Restore mode and restore the system state.  Oh, and you have to restore the entier C: volume along with the system state to get your registry and SAM back.  Otherwise it will fail to restore with a cryptic error (eventhough it lets you select only the system state - how lmae is that??)


No Comments

MDT 2008 Lite Touch fails with wierd network errors - sometimes
You may not put two and two together but they last time you updated MDT (because MS told you you needed to… (yeah so much for trusting MS)) you actually broke it.  Now you get a Network Timeout (or a wierd access denied error) in Windows PE 2.1 when it’s trying to launch the Lite touch scripts.  Oh, and another thing about launching LiteTouch, don’t have a Windows boot CD (or any CD in the CD drive.  For some wierd reason WPEInit will see that and fail to launch the LiteTouch Script. (no I havn’t figured out why yet)

You get the following error message in MDT 2008 Lite Touch Deployment even though you have the correct nic drivers in Windows PE and the correct bootstrap.ini settings. “A connection to the deployment share \\Server\Distribution$ could not be made. The Deployment will not proceed”  upon further investigation you find out that you get an access denied error when you try to list the \\server\distribuiton$\ directory.  BUT! if you do a Net Use mapping to the folder, it works just fine!  WTF?  AND, it works on some models of computer but not on others.  More WTF?

A network initializion timeout issue in wpeinit.exe in Windows PE 2.1 causes MDT 2008 Lite Touch Deployments to fail.

Give WIndows PE 2.1 a few more seconds by editing startnet.cmd on your LiteTouch_x86.wim (or iso) to look like below.  (It’s in the windows/system32 directory) (Use Imagex /mountrw LiteTouch.wim 1 d:\image to mount the WIM) (Don’t forget to ImageX /Unmount d:\image when you’re done)


wpeutil InitializeNetwork
ping localhost or Pause (or any other command that does nothing but takes a few seconds to complete)

If you want the Deployment Workbench to include the updated startnet.cmd every time you update the Deployment Point just follow the below steps

Configure MDT to use the updated startnet.cmd

  1. Create a folder named ExtraFiles\Windows\System32 in the distribution share and copy the updated startnet.cmd to it.
  2. In the Deployment Workbench, right-click the Deployment Point and select Properties.
  3. In the Windows PE Tab, in the Extra directory to add textbox, type in D:\ExtraFiles
  4. Click OK
  5. Regenerate the WIM files and don’t forget to rebuild the Boot images in WDS otherwise your changes won’t take effect.


No Comments

Default Permissions For Roaming Profile and Folder Redirection Folders

Here are the recommended default permissions for the Profiles and Redirected folders folders so that new users automatically get their folders created for them when logging on for the first time:

Roaming profile parent folder:

Creator Owner = Full Control, Subfolders and Files Only
Domain Users = List Folder/Read Data, Create Folders/Append Data - This Folder Only
System =  Full Control, This Folder, Subfolders and Files

And don’t forget to change the GPO for the local computer (not the server) to add the Administrators security group to the roaming user profile share.  It’s in Computer/Administrative Templates/System/User Profiles/Add the Administrators security group to roaming user profiles  - Enable it.

Redirected Folders Parent:

Creator Owner = Full Control, Subfolders and Files Only
Domain Users = List Folder/Read Data, Create Folders/Append Data - This Folder Only
System =  Full Control, This Folder, Subfolders and Files
Admistrators =  Full Control, This Folder, Subfolders and Files

No Comments

Enterprise PKI without enterprise edition of 2003 server.

My, my aren’t we getting advanced???  You have decided to implement an enterprise wide Public Key Infrastructure to start securing your network.  Despite what you read from Microsoft (and all of the articles blindly based on Microsoft blather), you do not need Server 2003 enterprise edition to get this to work at the machine level.  Only if you want to do it at the user level do you need the Enterprise edition.  So, how do you go about setting it up?

If your network is comprised of only one domain, it’s pretty simple.  Just install certificate services on a server in your primary LAN selecting the enterprise root CA role.  You can install certificate services on any other servers that you need to selecting the subordinate enterprise CA role and pointing them at the first server you setup.  typically you would install a subordinate CA on LANs that are at remote locations to help reduce WAN traffic and enhance reliability if a WAN link goes down.  Things get a little more involved when your network is comprised of a root domain and one or more trusted child domains.  Basically, you start out the same - installing the Enterprise Root CA in the root domain and installing a subordinate enterprise CA in each child domain, BUT there are a couple of little tidbits you need to do to make it work.  First, you need to log on to the server in the child domain as the administrator of the root domain (otherwise known as the enterprise administrator) otherwise you won’t have the option to install the cert services as a subordinate enterprise CA.  Second, even though it does not indicate you need to, reboot the server right away otherwise all sorts of wierd mesages pop up in your event logs and the CA doesn’t issue certs.  Third, you will find that the CA still isn’t issuing certs but there are no error messages anywhere!!!  (another WTF - MS is good at making you ask that aren’t they?)  The problem is that the computers in the child domains are not allowed to request certs from the enterprise CA by default.  To fix that, go to the root domain server, open up AD sites and services, in the menu go to view then check Show Services Node, then expand the services node and go to Public Key Services, then Certificate Templates.  The template you are looking for is called Machine (even though the certificate you issued is called Computer - it’s actually the same one).  Right click, properties, security, add the Domain computers group from each of the child domains and change their permission from read to Enroll.  Oh, and fourth - sometimes the cert service doesn’t startup right on server start, you can probably fiddle with dependancies but a simple stop/start of the service after the server is done rebooting works too.

So what good is a computer (machine) certificate you ask?  One hint - 802.11x and ipsec.  Well actually that’s two hints and definately a topic for another post.


No Comments

New clients won’t sync to WSUS with SP1

Ok, you’ve had WSUS 3.0 running smoothly for some months now (finally!)  But now, you add a new computer to your domain and try to get it to sync up with your WSUS server to install the bazillion updates it needs but it doesn’t find any updates.  Your WSUS 3.0 comsole lists the new computer but says “Not yet reported” for it’s status.  You try running wuauclt /detectnow on the new computer but still no joy.  Now you put your clever brain to work and start digging through the logs and you find “WARNING: SyncUpdates failure, error =  0×8024400D” near the bottom of the WindowsUpdate.log file.  You think you’re onto something!  But what???  You find all kinds of misleading posts all over googledom.  Here is likely what is going on:  Microsoft (suprise, suprise) put their foot in it again.  They issued a screwed up MS Office 2003 SP1 re-release in the June, 2008 updates.  To fix the problem, find that update and change it from Declined to Not Approved.  How did I know it was Declined???  It was an inspired guess.  Magically everyone starts reporting in and updating.  Go figure.



1 Comment