WSUS breaks after update KB2720211

Another oops by MS…

The console can’t connect to WSUS. It errors out and tells you to look at the SoftwareDistribution.log file. (Where the f… is that???) It’s in the c:\windows\program files\update services\logfiles folder, of course! Look at the log and it shows that it can’t connect to SUSDB, reporting “Login failed for user ‘NT AUTHORITY\NETWORK SERVICE’” and “Cannot open database “SUSDB” requested by the login.”


- Applied KB2720211 to a WSUS 3.0 SP2 server that’s running on Windows Server 2008 64-bit with a local SQL database.

- Applied KB2720211 to a Windows 2003 server running WSUS 3.0 SP2 with a local SQL database.


1. Download the KB2720211 installer for your architecture from Microsoft (
2. Extract WUSSetup.msp from the installer by running it with the /extract parameter (example: WSUS-KB2720211-x64.exe /extract).
3. With 7-zip, open WUSSetup.msp and extract “PCW_CAB_SUS”.
4. With 7-zip, open “PCW_CAB_SUS” and extract “DbCert”, “DbCertDll”, and “DbCertSql”.
5. Rename those files to “WSUSSignDb.cer”, “WSUSSignDb.dll”, and “WSUSSignDb.sql”, respectively.
6. On your WSUS server, navigate to “C:\Windows\SYSMSI\SSEE\MSSQL.2005\MSSQL\SchemaSig” and copy the extracted “WSUSSignDb.cer” and “WSUSSignDb.dll” to it. Make a backup copy of the two existing versions, just in case.
7. On your WSUS server, navigate to “C:\Program Files\Update Services\Database” and copy the extracted “WSUSSignDb.sql” to it. Make a backup copy of any existing versions of the file.
8. Reinstall KB2720211; it runs successfully this time.

You don’t even have to reboot or restart anything on a 2008 R2 server.

You do have to reboot a Windows 2003 server before rerunning the update (step 8).

I’ll update this if Microsoft ever comes up with an official fix.
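To save clicking through 7-Zip every time, here is a PowerShell script that does steps 3 through 7 above. It is an added example, not part of the original post and not anything Microsoft ships: it assumes you have already done steps 1 and 2 and have WUSSetup.msp at the path in $Msp, that 7-Zip’s 7z.exe is at the path in $SevenZip, and that you run it elevated on the WSUS server itself. The SchemaSig and Database folders are the ones named in steps 6 and 7. Every file it replaces is backed up first, and it checks that the extracted .cer actually parses as a certificate (and prints the existing one’s subject and thumbprint next to it) before copying anything.

```powershell
# Added example (not from the original post). Automates steps 3-7 of the
# KB2720211 workaround. Assumptions: WUSSetup.msp already extracted (step 2),
# 7-Zip installed, script run elevated on the WSUS server itself.
param(
    [string]$Msp      = 'C:\Temp\KB2720211\WUSSetup.msp',   # assumed: output of step 2
    [string]$SevenZip = 'C:\Program Files\7-Zip\7z.exe',    # assumed 7-Zip location
    [string]$Work     = 'C:\Temp\KB2720211\extract'         # scratch folder
)
$ErrorActionPreference = 'Stop'

# Target folders from steps 6 and 7 of the post.
$schemaSig = 'C:\Windows\SYSMSI\SSEE\MSSQL.2005\MSSQL\SchemaSig'
$dbFolder  = 'C:\Program Files\Update Services\Database'

foreach ($p in $Msp, $SevenZip) {
    if (-not (Test-Path $p)) { throw "Missing $p" }
}
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# Step 3: the .msp is an OLE compound file; 7-Zip extracts its named streams.
& $SevenZip e $Msp "-o$Work" PCW_CAB_SUS -y | Out-Null
# Step 4: PCW_CAB_SUS is a cabinet holding the three database-signing files.
& $SevenZip e (Join-Path $Work 'PCW_CAB_SUS') "-o$Work" DbCert DbCertDll DbCertSql -y | Out-Null

# Step 5: rename to the names the hotfix installer looks for.
$names = @{ DbCert = 'WSUSSignDb.cer'; DbCertDll = 'WSUSSignDb.dll'; DbCertSql = 'WSUSSignDb.sql' }
foreach ($src in $names.Keys) {
    $from = Join-Path $Work $src
    if (-not (Test-Path $from)) { throw "7-Zip did not produce $src; inspect $Msp by hand" }
    Move-Item $from (Join-Path $Work $names[$src]) -Force
}

# Sanity check before touching the server: the .cer must be a real X.509
# certificate; compare its subject/thumbprint with the one already in SchemaSig.
$newCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (Join-Path $Work 'WSUSSignDb.cer')
$oldPath = Join-Path $schemaSig 'WSUSSignDb.cer'
if (Test-Path $oldPath) {
    $oldCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $oldPath
    "Existing:  {0}  {1}" -f $oldCert.Subject, $oldCert.Thumbprint
}
"Extracted: {0}  {1}" -f $newCert.Subject, $newCert.Thumbprint

# Steps 6-7: back up whatever is there, then copy the extracted file in.
function Install-WithBackup([string]$File, [string]$Destination) {
    $target = Join-Path $Destination $File
    if (Test-Path $target) {
        Copy-Item $target ("{0}.{1}.bak" -f $target, (Get-Date -Format 'yyyyMMdd-HHmmss'))
    }
    Copy-Item (Join-Path $Work $File) $target -Force
    "Installed $target"
}
Install-WithBackup 'WSUSSignDb.cer' $schemaSig
Install-WithBackup 'WSUSSignDb.dll' $schemaSig
Install-WithBackup 'WSUSSignDb.sql' $dbFolder
# Step 8 is manual: rerun the KB2720211 installer (reboot first on Windows 2003).
```

Step 8 is left manual on purpose; on Windows 2003 reboot before rerunning the hotfix, as noted above. If the thumbprints printed for the existing and extracted certificates differ, that is expected only when the old files really are the stale ones; if you are unsure, the .bak copies let you put everything back.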



Enable Remote Desktop Logon

To allow automatic logon to a computer running Windows XP through Remote Desktop, follow these steps while logged on as an Administrator:
1. Click Start, click Run, type MMC, and then press ENTER.
2. Click File, and then click Add/Remove Snap-in.
3. Click Add, select Group Policy, click Add, and then click Finish.
4. Click Close, and then click OK.
5. Navigate to the following directory:
Local Computer Policy/Computer Configuration/Administrative Templates/Windows Components/Terminal Services/Encryption and Security
6. Double-click Always prompt client for password upon connection.
7. Click the Disabled box, and then click OK. You may now quit the MMC snap-in. Remote Desktop clients should now be able to connect to this Windows XP computer using the automatic logon feature of the Remote Desktop client.


Redirect new computers from default container in active directory

This is posted lots of other places but this is easier to find:

Run the Redircmp.exe file at a command prompt by using the following syntax, where container-dn is the distinguished name of the organizational unit that will become the default location for newly created computer objects that are created by down-level APIs:
redircmp container-dn
Redircmp.exe is installed in the %Systemroot%\System32 folder on Windows Server 2003-based or newer computers. For example, to change the default location for a computer that is created with earlier-version APIs such as Net User to the OU=mycomputers container in the CONTOSO.COM domain, use the following syntax:
C:\windows\system32>redircmp ou=mycomputers,DC=contoso,dc=com


PXE deployment doesn’t find WDS server

You’ve had your WDS server working for a while now, but suddenly it appears to stop responding to PXE boot requests. There are no error messages anywhere. WTF? What has likely happened is that the WDS server is running on a server that also has DNS running on it, and the WDS and DNS services have overlapping ports, with DNS overriding WDS. To fix this on a 2008 R2 server, set the UdpPortPolicy value in HKLM\System\CurrentControlSet\Services\WDSServer\Parameters to 0.


IE 9 with roaming profiles, redirected folders and Vista/7

IE 9 has a problem when running on Vista or Windows 7 with roaming profiles and redirected folders (you know, the configuration that MS tells you to use if your users move around???). Anyway, this one manifests itself as printing from IE 9 only printing a header and footer and nothing else. The footer refers to a path in the user’s appdata\local\temp\low folder. When you look for that folder, you find that it didn’t get created. If you create it manually, it still doesn’t work. That’s because the integrity level isn’t set by default on anything that you create yourself. There are some MS Fix-it patches available under KB973479, but they only work on the user/computer combination you are on; they do not work at the roaming profile level. Currently the only way around this is to turn off IE’s protected mode. (I know it’s not the best thing to do, but until MS un-breaks this, it’s all I’ve figured out to fix it globally.) You can turn off IE protected mode via GPO Computer (not User) policy: Administrative Templates, Windows Components, Internet Explorer, Internet Control Panel, Security Page, Internet Zone. Enable the policy and set protected mode to disabled.

Another way around this is to add the following to the user’s login script:

if not exist "%localappdata%\Temp\Low" (mkdir "%localappdata%\Temp\Low")
icacls "%localappdata%\Temp\Low" /setintegritylevel (OI)(CI)low
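As an added example (mine, not from the post), the same login-script fix in PowerShell, written so it is safe to run at every logon: it only creates the folder when missing, only relabels when the low label is absent, and reads the label back with icacls to confirm the fix actually applied. Protected Mode IE runs at low integrity, which is why it can only write to a folder that carries that label; the folder a user creates by hand inherits the user’s medium level, which is the problem described above.

```powershell
# Added example (not from the original post): idempotent PowerShell version of
# the login-script fix. Safe to rerun at every logon; reports whether the
# Low Mandatory Level label is present on the folder afterwards.
function Ensure-LowIntegrityTemp {
    param([string]$Path = (Join-Path $env:LOCALAPPDATA 'Temp\Low'))

    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }

    # icacls prints the mandatory label as a line containing
    # "Low Mandatory Level:(OI)(CI)(NW)" when the folder is labelled low.
    $before = & icacls $Path
    if (-not ($before -match 'Low Mandatory Level')) {
        # Same command as the batch version; quoted so PowerShell does not
        # try to evaluate the (OI)(CI) parentheses itself.
        & icacls $Path /setintegritylevel '(OI)(CI)low' | Out-Null
    }

    # Verify by reading the label back rather than trusting the exit code.
    $after = & icacls $Path
    $labelled = [bool]($after -match 'Low Mandatory Level')
    New-Object PSObject -Property @{ Path = $Path; LowIntegrity = $labelled }
}

Ensure-LowIntegrityTemp
```

Because the folder lives under the local (non-roaming) part of the profile, this has to run on every machine the user logs on to, which is exactly why a login script is the right place for it and why Protected Mode can stay on.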




Mapped Drives in Vista/7 when elevated

Having finally been fed up with always having my mapped drives disappear every time Vista/7 UAC wants elevated credentials, and it being hard to search for the solution, here it is. It involves a registry change at the computer level. The good news is you can make those changes pretty easily now with GPP being built in to Vista/7. So here is the value that needs to be added:


DWORD Value name: EnableLinkedConnections
Value of: 1


IBM Client Access in Windows 7

Yet another older program having issues in Windows 7. This time the program runs well enough; it’s just that it doesn’t seem to complete the installation, and you don’t find that out until you log in as a non-admin user. You get the message “An Administrator must logon after restarting windows to complete the installation”. The weird part is you don’t get that message when logging on as an admin. It seems that UAC is getting in the way of the Client Access install finishing up registering some DLLs that you don’t really need anyway. To help CA finish its install cleanup, you simply need to go to c:\program files\ibm\client access\ and run cwbsreg.exe as administrator. That will register four DLLs, clear the marker file and remove itself from the HKLM\software\microsoft\windows\currentversion\run key. This is for Client Access 5.3. It may be applicable to other versions, but I’ve not tested that.



SQL 2008 Silliness

In Server 2008 (and probably other versions as well), if you need to add a user or group local to the server as a SQL user, you get the following lovely error: “Error 15401: Windows NT user or group ‘%s’ not found. Check the name again.” Domain accounts add fine, but not local accounts. Well, SOME local accounts add fine but other ones don’t. Now isn’t that silly? Turns out that any predefined local accounts or groups like “administrators” or “system” need to use the domain “BUILTIN” and not the server name as the domain prefix. Problem solv-ed.
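An added example (not from the post) that takes the guesswork out of the prefix: resolve the account name to its SID and translate it back, which yields the authority SQL Server expects (BUILTIN\Administrators for the Administrators group, COMPUTERNAME\name for an ordinary local account), and then run the CREATE LOGIN through sqlcmd. It goes slightly beyond the post in that the translation returns NT AUTHORITY\SYSTEM rather than BUILTIN for the SYSTEM account, so that case is handled too. It assumes sqlcmd.exe is on the PATH and a local default instance reachable with Windows authentication; it deliberately grants no server role, so add the least role the principal needs as a separate step.

```powershell
# Added example (not from the original post). Builds the login name SQL Server
# accepts for a local principal by round-tripping it through its SID, then
# creates the login if it does not already exist. Assumes sqlcmd on the PATH.
function Get-SqlLoginName {
    param([Parameter(Mandatory=$true)][string]$Account)  # 'Administrators', 'SYSTEM', 'MYSERVER\svc_app' ...

    # Name -> SID uses the local LSA; throws IdentityNotMappedException if no such account.
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier])

    # SID -> name yields the canonical authority, e.g. S-1-5-32-544 -> BUILTIN\Administrators,
    # S-1-5-18 -> NT AUTHORITY\SYSTEM, a local SID -> COMPUTERNAME\name.
    $sid.Translate([System.Security.Principal.NTAccount]).Value
}

function Add-SqlWindowsLogin {
    param([Parameter(Mandatory=$true)][string]$Account,
          [string]$Instance = '.')                           # assumed: local default instance

    $login = Get-SqlLoginName -Account $Account
    # $login comes from the SID translation, not from user text, so it is safe
    # to bracket-quote. No role membership is granted here on purpose.
    $tsql = "IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$login') " +
            "CREATE LOGIN [$login] FROM WINDOWS;"
    & sqlcmd -S $Instance -E -b -Q $tsql
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed creating login $login" }
    $login
}

# What the post describes, made explicit:
#   CREATE LOGIN [MYSERVER\Administrators] FROM WINDOWS   -> error 15401
#   Add-SqlWindowsLogin 'Administrators'                  -> creates [BUILTIN\Administrators]
Get-SqlLoginName 'Administrators'
Get-SqlLoginName 'SYSTEM'
```

Running only Get-SqlLoginName is a harmless way to see what prefix SQL Server wants before you touch the instance; Add-SqlWindowsLogin is the part that needs rights on the server.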



Funky DNS resolution with cisco VPN and Vista/7

You have Vista or Windows 7 and finally got the latest version of the Cisco VPN client ( to install and apparently work. All is well until you try to get to some other internal host after a few minutes or more. Suddenly no hosts other than the original host resolve! You ping your internal DNS server by address and it responds. Nslookup reports timeouts and can’t resolve the host name of the internal DNS server. What the heck is going on here? Is it another Cisco “issue”? The clue is that everything works fine on XP but not on Vista/7. So what changed between XP and Vista/7? Well, it turns out that Microsoft rewrote the IP stack for Vista/7 and, among other things, added a nifty little feature called autotune. This is supposed to automatically tune the receive window size based on latency, usage and the color of your underwear. So guess what? Since you don’t resolve internal names over the VPN very much (and you have green undies on), name resolution gets tuned down to practically nothing. So when you try to use it, it times out. The fix is to turn off autotune. You can do this as follows:

Disable TCP Auto-Tuning

1. Open an elevated command prompt with administrator’s privileges.
2. Type the following command and press Enter:
netsh interface tcp set global autotuning=disabled

Enable TCP Auto-Tuning

1. Open an elevated command prompt with administrator’s privileges.
2. Type the following command and press Enter:
netsh interface tcp set global autotuning=normal
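An added example, not from the post: the two netsh commands above wrapped in PowerShell so that the current level is read and returned before it is changed, which lets you put it back to whatever it was (normal on most machines) when you are done with the VPN instead of leaving the stack detuned for good. It parses the English-language netsh output from an elevated prompt; the field name and the level values are the ones netsh prints on Vista/7/2008.

```powershell
# Added example (not from the original post). Read, set and restore the TCP
# receive-window auto-tuning level using the same netsh commands as the post.
# Must run elevated; parses English netsh output.
function Get-TcpAutoTuning {
    # Output contains a line like "Receive Window Auto-Tuning Level    : normal"
    foreach ($line in (& netsh interface tcp show global)) {
        if ($line -match 'Auto-Tuning Level\s*:\s*(\S+)') { return $Matches[1] }
    }
    throw 'Could not find the auto-tuning level in netsh output'
}

function Set-TcpAutoTuning {
    param([ValidateSet('disabled','highlyrestricted','restricted','normal','experimental')]
          [string]$Level)

    $previous = Get-TcpAutoTuning
    & netsh interface tcp set global "autotuning=$Level" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'netsh failed; run this from an elevated prompt' }
    if ((Get-TcpAutoTuning) -ne $Level) { throw "Level did not change to $Level" }
    $previous   # hand back the old level so the caller can restore it
}

# Usage as in the post: turn it off while the VPN is up, restore it afterwards.
$saved = Set-TcpAutoTuning -Level disabled
"Auto-tuning was '$saved', now '$(Get-TcpAutoTuning)'"
# ... work over the VPN ...
# Set-TcpAutoTuning -Level $saved | Out-Null
```

Keeping the returned value around matters because a machine left at disabled will have noticeably worse throughput on high-latency links long after the VPN session is forgotten.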

How about that law of unintended consequences???


Update: Sometimes the above does not entirely fix the problem. Do the following (note: the article was originally written for Server 2003 but appears to be applicable to this case too):


The Domain Name System (DNS) client screening feature lets Microsoft Windows Server 2003-based computers determine whether a DNS server is reachable from the configured interface. However, this feature may also prevent access to a DNS server that is otherwise available.

This article describes how to turn off the DNS client screening feature.

To turn off the DNS client screening feature, you must first create the ScreenUnreachableServers registry entry. To do this, follow these steps:
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey:
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type ScreenUnreachableServers, and then press ENTER.
  5. On the Edit menu, click Modify.
  6. Type 0 in the Value data box, and then click OK.
  7. Exit Registry Editor.

    Note: You must stop and then start the DNS Client service for the registry change to take effect.

In some configurations, the DNS client screening feature may prevent access to a DNS server that is otherwise available. Typically, this occurs on a server that has more than one network adapter interface. The operating system determines whether a DNS server is reachable, together with the DNS client screening feature.

It is by design that the DNS Client service does not access the DNS servers that appear to be unreachable from the interface on which they are configured. The DNS servers are marked unreachable for the server even though they may be available to the other network adapter on the same server.


Restoring Exchange 2003 from a remote Backupexec 9.1 server

So this seems like it should be a fairly straightforward task. I mean, there are a ton of BE backups going on every day and a ton of Exchange backups in those. And I seriously doubt that all of the backups are running from the Exchange server (unless it’s an SBS, but that’s a totally different animal). But documentation and gotchas are seriously lacking here. So, follow the below exactly! Do not skip anything, otherwise you will go directly to jail and will owe $200.

1) Install the base OS.
 a) Do a parallel install or scratch install to a folder that is NOT c:\windows on the server to be restored.

2) Install the BE remote agent on the Exchange server and make sure it is running!
 IMPORTANT! Don’t forget this. Bad things happen!

3) Restore the remote server OS from the BE server.
 Only include the C: and D: volumes and system state. Do NOT include the Exchange stores.
 Before restarting, edit the Boot.ini to add back the parallel install. IMPORTANT, because it’s likely the restore will munch one or more of the drivers.

4) If the server does not restart, it’s probably the video driver.
 Restart in safe mode, then reinstall the correct video driver, even if it says it’s already there.

5) Once successfully restarted, start the Exchange store.
 Make sure the stores are dismounted.
 In the store properties, check the setting to allow restore.

6) Restore the Exchange store from BE.

7) There may be misc stuff to clean up, but it should be mostly good to go.

What can happen???

If you forget to install or don’t have the remote agent running on the remote server, BE will restore the system state to the local server! No shit!
It won’t tell you it did that; it will only fail on the volume restores but say the system state was successful. If you see something like that, DO NOT REBOOT!
Immediately restore the local system state from BE. If you screwed that up, then you’ll need to do a parallel OS install.
You will need to remove (or rename) the existing MSSQL$backupexec instance and make sure that when you install BE, you install to a different directory.
Unless you want to recatalog the tape (yikes!), copy all of the *.ui1 files from the backupexec/nt/catalog folder to the new install.
Then, you will need to service pack the OS up to the level the original server was at. Then restore in Directory Restore mode and restore the system state. Oh, and you have to restore the entire C: volume along with the system state to get your registry and SAM back. Otherwise it will fail to restore with a cryptic error (even though it lets you select only the system state; how lame is that??).

