Microsoft Certificate Authority (CA) won’t start

Sometimes strange things can happen in an IT environment.

For example, you want to (re)start your CA and you get the message:

Or maybe you get:

Active Directory Certificate Services did not start: Could not load or verify the current CA certificate: LAB-CA Object was not found. 0x80090011 (-2146893807)

Well, what’s next? New CA?

The problem here is that the private key for the CA certificate is gone (deleted) or corrupted!

So, grab your backup (you do make backups, don't you?!)

The private key is stored in:

%systemdrive%\ProgramData\Microsoft\Crypto\Keys

Restore the key(s) and you will have a happy CA again!
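Before reaching for the backup it helps to confirm that the problem really is the key and to learn which key file you need to put back. The following is an added example, not code from the original post: it finds the CA certificate in the machine store, checks whether its private key can actually be opened, and prints the key file name. It assumes the CA common name is 'LAB-CA' (taken from the error message above); change $CaName for your own CA.

```powershell
# Added example (not from the original post): check whether the CA's signing
# certificate in LocalMachine\My still has a private key that can be opened,
# and show where that key lives so you know which file to restore from backup.
# Assumption: the CA common name is 'LAB-CA' (from the error on this page).
param([string]$CaName = 'LAB-CA')

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$CaName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) { throw "No certificate with CN=$CaName in LocalMachine\My" }

"Thumbprint    : $($cert.Thumbprint)"
"HasPrivateKey : $($cert.HasPrivateKey)"   # True only means a key *reference* exists

# Actually open the key: a certificate whose key file was deleted still reports
# HasPrivateKey=True but fails here with 'object not found' (0x80090011).
try {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG key: the file name is the UniqueName under %ProgramData%\Microsoft\Crypto\Keys
        "Key provider  : $($rsa.Key.Provider.Provider)"
        "Key file name : $($rsa.Key.UniqueName)"
    } else {
        "Key type      : $($rsa.GetType().Name) (legacy CSP key, stored under Crypto\RSA\MachineKeys)"
    }
} catch {
    Write-Warning "Private key cannot be opened: $($_.Exception.Message)"
    Write-Warning "Restore the key file from backup before starting the CA service."
}

# Once the file is back in place, let certutil verify the CA keys end to end.
certutil -verifykeys
```

Run this in an elevated PowerShell on the CA. Note that the path quoted above holds CNG keys; a CA that was set up with a legacy CSP keeps its key under %systemdrive%\ProgramData\Microsoft\Crypto\RSA\MachineKeys instead, and the key type printed by the script tells you which of the two to restore.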

Happy certificate issuing!


Microsoft Failover Cluster – Requested resource is in use – Disk Manager

So I made the 'mistake' of destroying a Microsoft Failover Cluster and thinking Windows would release my disks. Well, I was wrong!

I went to Disk Manager and saw my disks as 'Online', 'Primary' and 'RAW'.

And of course I could not access the disks from Explorer, which gave me a nice error.
OK, off to Disk Manager to wipe the disk.

No Go:

But wait, in USE??

So something must have gone wrong.
A TechNet search gave me this: http://technet.microsoft.com/en-us/library/ee461016.aspx

There is a cmdlet that releases the disks still held by a cluster reservation after a cluster has been destroyed, or even after an ungraceful shutdown!

Open PowerShell and enter:

Clear-ClusterDiskReservation -Disk <DiskNumber>

A Refresh of Disk Manager showed my disk again and it became visible in Explorer, yeah!
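Clearing a reservation on the wrong disk number is destructive, so the check worth doing first is which disks are actually orphaned. This added example (not from the original post) lists the disks with their partition style and cluster flag, refuses to clear a disk that a live cluster still owns, and then refreshes the storage cache so Disk Manager and Explorer pick up the change. It assumes the Failover Clustering feature (which ships the FailoverClusters module) is installed and the disk number comes from Disk Manager.

```powershell
# Added example (not from the original post): release a leftover cluster disk
# reservation only after confirming the disk is not owned by a running cluster.
# Assumption: the disk number passed in is the one shown as RAW in Disk Manager.
param([Parameter(Mandatory = $true)][int]$DiskNumber)

# Overview first: RAW + Online + IsClustered=False is the orphaned-disk pattern.
Get-Disk |
    Select-Object Number, FriendlyName, PartitionStyle, OperationalStatus, IsOffline, IsClustered |
    Format-Table -AutoSize

$disk = Get-Disk -Number $DiskNumber
if ($disk.IsClustered) {
    throw "Disk $DiskNumber is still owned by a cluster; do not clear its reservation."
}

# The cmdlet prompts for confirmation by default; add -Force only in scripts
# where you have already verified the disk number.
Clear-ClusterDiskReservation -Disk $DiskNumber

# Equivalent of 'Refresh' in Disk Manager.
Update-HostStorageCache
Get-Disk -Number $DiskNumber | Select-Object Number, PartitionStyle, OperationalStatus
```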

Sysprep was not able to validate your Windows installation

On a machine running Windows 8, 8.1, 10 or even Windows Server 2012, 2012R2 or 2016 you can get a strange error when sysprepping the machine.

Sysprep was not able to validate your Windows installation.

(Error 0x8007139f)

Normally this error is legitimate, because you can't sysprep an upgraded machine. But I got it on a fresh install.

So the error is telling me to look in C:\Windows\System32\Sysprep\Panther and open the setupact.log file. So I did:

Error [0x0f0036] SYSPRP spopk.dll:: Sysprep will not run on an upgraded OS. You can only run Sysprep on a custom (clean) install version of Windows.

Error [0x0f0082] SYSPRP ActionPlatform::LaunchModule: Failure occurred while executing ‘Sysprep_Clean_Validate_Opk’ from C:\Windows\System32\spopk.dll; dwRet = 0x139f

Error SYSPRP SysprepSession::Validate: Error in validating actions from C:\Windows\System32\Sysprep\ActionFiles\Cleanup.xml; dwRet = 0x139f

Error SYSPRP RunPlatformActions:Failed while validating SysprepSession actions; dwRet = 0x139f

Error [0x0f0070] SYSPRP RunExternalDlls:An error occurred while running registry sysprep DLLs, halting sysprep execution. dwRet = 0x139f

Error [0x0f00d8] SYSPRP WinMain:Hit failure while pre-validate sysprep cleanup internal providers; hr = 0x8007139f

What we see here is that for some reason Windows thinks it has been upgraded.
Ok now we know that, what is the solution?

Actually pretty easy, in the registry!

Under the HKEY_LOCAL_MACHINE\SYSTEM\Setup key you will
find a REG_DWORD value named 'Upgrade', probably with a value of 0 (meaning not an upgrade...)

Just delete the 'Upgrade' value and you are good to go!

Not even a reboot is required.
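The same fix, scripted so it can be rolled out or reverted: this added example (not from the original post) reads the Upgrade value under HKLM\SYSTEM\Setup, exports the key to a .reg file first, and removes the value only if it is present.

```powershell
# Added example (not from the original post): remove the Upgrade value that
# makes sysprep believe the OS was upgraded, with a registry backup first.
$setupKey = 'HKLM:\SYSTEM\Setup'
$props = Get-ItemProperty -Path $setupKey

# A missing property comes back as $null, so this is the "nothing to do" case.
if ($null -eq $props.Upgrade) {
    'No Upgrade value present; sysprep validation is not blocked by this value.'
    return
}

"Upgrade value found: $($props.Upgrade)"

# Export the key so the change can be undone with: reg import <file>
$backup = Join-Path $env:TEMP "SYSTEM-Setup-$(Get-Date -Format yyyyMMdd-HHmmss).reg"
reg export 'HKLM\SYSTEM\Setup' $backup /y | Out-Null
"Backup written to $backup"

Remove-ItemProperty -Path $setupKey -Name Upgrade
'Upgrade value removed; re-run sysprep (no reboot required).'
```

Run it elevated; the backup file is written to %TEMP% so the original state can be restored if sysprep still fails for a different reason.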

Reset Trust Relationship for Domain Computer

When a computer somehow loses the trust relationship with the domain (for instance, when it has not contacted the domain for more than 30 days, or when a virtual machine is reverted to a snapshot), the usual steps you have to take are:

  1. Get the computer out of the domain to a workgroup (remember the local admin password!)
  2. Reboot
  3. Rejoin the domain
  4. Reboot

With PowerShell to the rescue it is a much easier process:

Test-ComputerSecureChannel -Repair -Credential YourDomain\AdminUser

From get-help:

NAME

Test-ComputerSecureChannel

SYNOPSIS

Tests and repairs the secure channel between the local computer and its domain.

SYNTAX

Test-ComputerSecureChannel [-Credential [<PSCredential>]] [-InformationAction {SilentlyContinue | Stop | Continue | Inquire | Ignore | Suspend}] [-InformationVariable [<System.String>]] [-Repair] [-Server [<String>]] [-Confirm] [-WhatIf] [<CommonParameters>]

DESCRIPTION

The Test-ComputerSecureChannel cmdlet verifies that the secure channel between the local computer and its domain is working correctly by checking the status of its trust relationships. If a connection fails, you can use the Repair parameter to try to restore it.

Test-ComputerSecureChannel returns “True” if the secure channel is working correctly and “False” if it is not. This result lets you use the cmdlet in conditional statements in functions and scripts. To get more detailed test results, use the Verbose parameter.

This cmdlet works much like NetDom.exe. Both NetDom and Test-ComputerSecureChannel use the NetLogon service to perform the actions.

RELATED LINKS

Online Version: http://go.microsoft.com/fwlink/p/?linkid=293925

Checkpoint-Computer

Reset-ComputerMachinePassword

Restart-Computer

Stop-Computer

REMARKS

To see the examples, type: “get-help Test-ComputerSecureChannel -examples”.

For more information, type: “get-help Test-ComputerSecureChannel -detailed”.

For technical information, type: “get-help Test-ComputerSecureChannel -full”.

For online help, type: “get-help Test-ComputerSecureChannel -online”
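Because the cmdlet returns True or False, it can drive a small script that tests first and repairs only when needed. The following is an added example, not code from the original post: it runs the test with -Verbose, prompts for the domain admin credential only if the channel is broken (so no password ends up in the script or the command history), and reports the result. 'YourDomain' and 'AdminUser' are placeholders.

```powershell
# Added example (not from the original post): test the secure channel and
# repair it only when the test fails. Run in an elevated PowerShell on the
# affected computer. Domain and account names are placeholders.
param(
    [string]$Domain    = 'YourDomain',
    [string]$AdminUser = 'AdminUser'
)

if (Test-ComputerSecureChannel -Verbose) {
    'Secure channel to the domain is healthy; nothing to repair.'
    return
}

Write-Warning 'Secure channel is broken; attempting repair.'

# Prompting keeps the password out of the script and the history.
$cred = Get-Credential -UserName "$Domain\$AdminUser" -Message 'Domain account allowed to reset the computer account'

if (Test-ComputerSecureChannel -Repair -Credential $cred -Verbose) {
    'Repair succeeded; the computer account password was reset with the domain controller.'
} else {
    Write-Error 'Repair failed; fall back to the leave-domain / rejoin procedure above.'
}
```

The repair resets the computer account password on both sides through the NetLogon service (the same thing netdom resetpwd does), which is why no reboot or rejoin is needed afterwards.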

Windows Installer Error Codes

When working with Windows msi installers you sometimes run into some kind of error or message.

Here is an overview of the most common errors and messages. You usually find them at the end of your installer log (always install with logging ;-)), prefaced by "MainEngineThread is returning". This is where you most want to see a zero.

Enable logging on installation:

msiexec /I "yourInstaller.msi" /l*v "LOGlocation.log"

(On some versions you have to use a capital L instead of the lowercase l.)
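Putting the logging switch and the return-code table together: this added example (not from the original post) runs an MSI silently with verbose logging, waits for it, translates the exit code with a subset of the table below, and pulls the matching "MainEngineThread is returning" line from the log as a cross-check. $MsiPath and $LogPath are placeholders for your installer and log location.

```powershell
# Added example (not from the original post): install an MSI with verbose
# logging and interpret the exit code using the Windows Installer codes on
# this page. Paths are placeholders.
param(
    [string]$MsiPath = 'C:\Installers\yourInstaller.msi',
    [string]$LogPath = "$env:TEMP\yourInstaller.log"
)

# Subset of the exit codes listed in the table on this page.
$msiCodes = @{
    0    = 'ERROR_SUCCESS'
    1602 = 'ERROR_INSTALL_USEREXIT'
    1603 = 'ERROR_INSTALL_FAILURE'
    1618 = 'ERROR_INSTALL_ALREADY_RUNNING'
    1619 = 'ERROR_INSTALL_PACKAGE_OPEN_FAILED'
    1625 = 'ERROR_INSTALL_PACKAGE_REJECTED'
    1638 = 'ERROR_PRODUCT_VERSION'
    1641 = 'ERROR_SUCCESS_REBOOT_INITIATED'
    3010 = 'ERROR_SUCCESS_REBOOT_REQUIRED'
}

# /qn = no UI, /l*v = verbose log of everything.
$msiArgs = "/i `"$MsiPath`" /qn /l*v `"$LogPath`""
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
$code = $proc.ExitCode

$name = if ($msiCodes.ContainsKey($code)) { $msiCodes[$code] } else { 'see the table for this code' }
"msiexec exit code $code ($name)"

# The same code is written near the end of the verbose log.
Select-String -Path $LogPath -Pattern 'MainEngineThread is returning' |
    Select-Object -Last 1 -ExpandProperty Line

# Only 0, 1641 and 3010 mean the installation itself succeeded.
if ($code -notin 0, 1641, 3010) { exit $code }
```

The last line matters for deployment tooling: 1641 and 3010 are success codes that merely ask for a reboot, and treating them as failures is a common cause of "the package keeps reinstalling" loops.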

Value Description Error Code
0 Action completed successfully. ERROR_SUCCESS
13 The data is invalid. ERROR_INVALID_DATA
87 One of the parameters was invalid. ERROR_INVALID_PARAMETER
120 This function is not available for this platform. It is only available on Windows 2000 and Windows XP with Windows Installer version 2.0. ERROR_CALL_NOT_IMPLEMENTED
1259 This error code only occurs when using Windows Installer version 2.0 and Windows XP or later. If Windows Installer determines a product may be incompatible with the current operating system, it displays a dialog informing the user and asking whether to try to install anyway. This error code is returned if the user chooses not to try the installation. ERROR_APPHELP_BLOCK
1601 The Windows Installer service could not be accessed. Contact your support personnel to verify that the Windows Installer service is properly registered. ERROR_INSTALL_SERVICE_FAILURE
1602 User cancelled installation. ERROR_INSTALL_USEREXIT
1603 Fatal error during installation. ERROR_INSTALL_FAILURE
1604 Installation suspended, incomplete. ERROR_INSTALL_SUSPEND
1605 This action is only valid for products that are currently installed. ERROR_UNKNOWN_PRODUCT
1606 Feature ID not registered. ERROR_UNKNOWN_FEATURE
1607 Component ID not registered. ERROR_UNKNOWN_COMPONENT
1608 Unknown property. ERROR_UNKNOWN_PROPERTY
1609 Handle is in an invalid state. ERROR_INVALID_HANDLE_STATE
1610 The configuration data for this product is corrupt. Contact your support personnel. ERROR_BAD_CONFIGURATION
1611 Component qualifier not present. ERROR_INDEX_ABSENT
1612 The installation source for this product is not available. Verify that the source exists and that you can access it. ERROR_INSTALL_SOURCE_ABSENT
1613 This installation package cannot be installed by the Windows Installer service. You must install a Windows service pack that contains a newer version of the Windows Installer service. ERROR_INSTALL_PACKAGE_VERSION
1614 Product is uninstalled. ERROR_PRODUCT_UNINSTALLED
1615 SQL query syntax invalid or unsupported. ERROR_BAD_QUERY_SYNTAX
1616 Record field does not exist. ERROR_INVALID_FIELD
1618 Another installation is already in progress. Complete that installation before proceeding with this install. ERROR_INSTALL_ALREADY_RUNNING
1619 This installation package could not be opened. Verify that the package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer package. ERROR_INSTALL_PACKAGE_OPEN_FAILED
1620 This installation package could not be opened. Contact the application vendor to verify that this is a valid Windows Installer package. ERROR_INSTALL_PACKAGE_INVALID
1621 There was an error starting the Windows Installer service user interface. Contact your support personnel. ERROR_INSTALL_UI_FAILURE
1622 Error opening installation log file. Verify that the specified log file location exists and is writable. ERROR_INSTALL_LOG_FAILURE
1623 The language of this installation package is not supported by your system. ERROR_INSTALL_LANGUAGE_UNSUPPORTED
1624 Error applying transforms. Verify that the specified transform paths are valid. ERROR_INSTALL_TRANSFORM_FAILURE
1625 This installation is forbidden by system policy. Contact your system administrator. ERROR_INSTALL_PACKAGE_REJECTED
1626 Function could not be executed. ERROR_FUNCTION_NOT_CALLED
1627 Function failed during execution. ERROR_FUNCTION_FAILED
1628 Invalid or unknown table specified. ERROR_INVALID_TABLE
1629 Data supplied is of wrong type. ERROR_DATATYPE_MISMATCH
1630 Data of this type is not supported. ERROR_UNSUPPORTED_TYPE
1631 The Windows Installer service failed to start. Contact your support personnel. ERROR_CREATE_FAILED
1632 The temp folder is either full or inaccessible. Verify that the temp folder exists and that you can write to it. ERROR_INSTALL_TEMP_UNWRITABLE
1633 This installation package is not supported on this platform. Contact your application vendor. ERROR_INSTALL_PLATFORM_UNSUPPORTED
1634 Component not used on this machine ERROR_INSTALL_NOTUSED
1635 This patch package could not be opened. Verify that the patch package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer patch package. ERROR_PATCH_PACKAGE_OPEN_FAILED
1636 This patch package could not be opened. Contact the application vendor to verify that this is a valid Windows Installer patch package. ERROR_PATCH_PACKAGE_INVALID
1637 This patch package cannot be processed by the Windows Installer service. You must install a Windows service pack that contains a newer version of the Windows Installer service. ERROR_PATCH_PACKAGE_UNSUPPORTED
1638 Another version of this product is already installed. Installation of this version cannot continue. To configure or remove the existing version of this product, use Add/Remove Programs on the Control Panel. ERROR_PRODUCT_VERSION
1639 Invalid command line argument. Consult the Windows Installer SDK for detailed command line help. ERROR_INVALID_COMMAND_LINE
1640 Installation from a Terminal Server client session not permitted for current user. ERROR_INSTALL_REMOTE_DISALLOWED
1641 The installer has started a reboot. This error code is not available on Windows Installer version 1.0. ERROR_SUCCESS_REBOOT_INITIATED
1642 The installer cannot install the upgrade patch because the program being upgraded may be missing or the upgrade patch updates a different version of the program. Verify that the program to be upgraded exists on your computer and that you have the correct upgrade patch. This error code is not available on Windows Installer version 1.0. ERROR_PATCH_TARGET_NOT_FOUND
1643 The patch package is not permitted by system policy. This error code is available with Windows Installer versions 2.0 or later. ERROR_PATCH_PACKAGE_REJECTED
1644 One or more customizations are not permitted by system policy. This error code is available with Windows Installer versions 2.0 or later. ERROR_INSTALL_TRANSFORM_REJECTED
3010 A reboot is required to complete the install. This does not include installs where the ForceReboot action is run. This error code is not available on Windows Installer version 1.0. ERROR_SUCCESS_REBOOT_REQUIRED

UEFI, Generation 2 VM, Windows 7 SP1 and Hyper-V Server 2012 R2 (or Windows 8.1)

Among the new Hyper-V features in Server 2012 R2 is the Generation 2 VM. There is a lot to be said on this topic, but here is a caveat when using Gen2 VMs for systems older than Windows 8 or Server 2012.

Let’s start with a spoiler:

It doesn’t work for Windows 7 SP1!

If you create a VM the first question will be: a Generation 1 or a Generation 2 VM?

As you can see it cannot be changed…well it can 😉 (see http://blogs.technet.com/b/jhoward/archive/2013/11/06/hyper-v-generation-2-virtual-machines-part-8.aspx and http://blogs.technet.com/b/jhoward/archive/2013/11/14/hyper-v-generation-2-virtual-machines-part-10.aspx)

So you create a Gen2 VM and want to install Windows 7. Well OK, the installation goes fine. UEFI gets recognized. Everything is good. Then comes the restart:

Hmm, not so good. But this is to be expected: Windows 7 does not support Secure Boot! So we turn it off:

Now we try again and see this:

And here it stays, forever.

In the Hyper-V management console we see a lot of CPU Usage so it is doing something 😉

So WHY is this? Windows 7 DOES support UEFI boot. After a search I found this:

Q: Why doesn’t Microsoft support 64-bit Windows 7 or Windows Server 2008 R2 as a guest operating system in generation 2 virtual machines?

A: Certainly it is true that Windows 7 supports UEFI, the first requirement for generation 2 virtual machines. However, Windows 7 has a hardware dependency on a Programmable Interrupt Controller (PIC) which is not present in generation 2 virtual machines. Even if Secure Boot is disabled, an attempt to install Windows 7 will result in an apparent hang at "Starting Windows" shortly after boot, consuming high CPU utilization. A similar effect to this will be seen if attempting a network install from a WDS server which has a Windows 7 era boot PE image – network boot will appear to hang as well. For that reason (along with the keyboard issue in Windows 8 PE) I strongly recommend any WDS servers are upgraded to the Windows 8.1 PE boot image.

That is pretty clear, NO Windows 7 Generation 2 VM in Hyper-V!

P.S. DO try this with Windows 8.1 – it is incredibly FAST 😉

Windows Server 2012 R2 / Windows 8.1 KMS Service Activation

This is an update to another post I did: https://wibier.me/windows-server-2012-kms-service-activation/

In that post I describe how to add support for Server 2012 and Windows 8. Now we are at the point where we want to add support for Server 2012 R2 and Windows 8.1! And that is possible.

So when you activate a Server 2012 R2 KMS key you will still get the same error:

Or when you add the KMS key itself:

Error: 0xC004F050 The Software Licensing Service reported that the product key is invalid

To resolve:

Download and install the following update: KB2885698 (Update adds support for Windows 8.1 and Windows Server 2012 R2 clients to Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012 KMS hosts).

Installation instructions

If you have a KMS host that is running Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, or Windows Server 2012, follow these steps to perform an upgrade:

  • Install the update (update 2885698).
  • Restart the computer when you are prompted to do so.
  • To install a new KMS host key for Windows 8.1 activation or for Windows Server 2012 R2 activation, run the following command:
cscript %windir%\system32\slmgr.vbs /ipk <KMS host key>
  • To activate the new KMS host key on the host computer, run the following command:
cscript %windir%\system32\slmgr.vbs /ato
  • On an existing Windows Vista or Windows Server 2008 KMS host, restart the service by running the following command:
net stop slsvc && net start slsvc

Note: In the /ipk command, "<KMS host key>" is a placeholder for the new KMS host key for Windows 8.1 activation or for Windows Server 2012 R2 activation.

Important: Every KMS host key is associated with a group of Windows editions. Additionally, a KMS host key that is associated with Windows client operating systems cannot be installed on Windows server operating systems, and vice versa. This is true for all Windows operating systems except for Windows Server 2003. If you install a KMS host key on a Windows operating system that is not associated with that host key, you receive the following error message:

0xc004f015: The Software Licensing Service reported that the license is not installed.
SL_E_PRODUCT_SKU_NOT_INSTALLED

For example, you may receive this error message in the following situations:

  • You try to install a Windows 7 KMS host key (CSVLK) on a Windows Server 2008 R2 KMS host.
  • You try to install a Windows 8 KMS host key (CSVLK) on a Windows Server 2008 R2 KMS host or a Windows Server 2012 KMS host.
  • You try to install a Windows 8.1 KMS host key (CSVLK) on a Windows Server 2008 R2 KMS host, a Windows Server 2012 KMS host or a Windows Server 2012 R2 KMS host.
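The key-install and activation steps, wrapped so that the slmgr error text (the same "Error: 0x..." format shown above) is caught instead of scrolling past. This is an added example, not code from the original post or from the Microsoft KB: it installs the host key, activates, and then checks /dlv for "License Status: Licensed". The key is a placeholder; use the CSVLK that matches the host's OS family, or you will hit the 0xC004F015 error described above.

```powershell
# Added example (not from the original post): install and activate a KMS host
# key with slmgr.vbs and confirm the host reports itself as licensed.
# The key below is a placeholder, not a real CSVLK.
param([string]$KmsHostKey = 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX')

$slmgr = "$env:windir\system32\slmgr.vbs"

# slmgr.vbs reports failures as lines starting with 'Error:' rather than via
# a reliable exit code, so each step is checked on its output text.
function Invoke-Slmgr {
    param([string[]]$SlmgrArgs)
    # //nologo drops the cscript banner so only slmgr's own output remains.
    $out = & cscript //nologo $slmgr @SlmgrArgs
    $out
    if (($out -join "`n") -match '(?m)^\s*Error:') {
        throw "slmgr $($SlmgrArgs -join ' ') failed; see output above."
    }
    return $out
}

Invoke-Slmgr -SlmgrArgs @('/ipk', $KmsHostKey) | Out-Null
Invoke-Slmgr -SlmgrArgs @('/ato')              | Out-Null

# /dlv prints the detailed licence state of the host.
$status = Invoke-Slmgr -SlmgrArgs @('/dlv')
if (($status -join "`n") -notmatch 'License Status:\s*Licensed') {
    Write-Warning 'Host does not report "License Status: Licensed"; check the /dlv output above.'
} else {
    'KMS host key installed and activated.'
}
```

Note that PowerShell's -match on an array filters instead of returning a boolean, which is why the output lines are joined into one string before the check.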

Can’t connect to C$, ADMIN$ or any administrative share on workstations

If you are attempting to access a Windows 7, Windows 8, Vista or Server 2008 (R2) or Server 2012 (R2) computer, you may get the "Access Denied – Failed to connect to ADMIN$ share" error, even when supplying the appropriate local user credentials that have Administrator access. If the target computer is not a member of a Windows 2003 or later domain, this is most likely because the target system has Remote UAC enabled. Remote UAC prevents local administrative accounts from accessing ADMIN$ (more precisely, Remote UAC prevents local accounts from running in an elevated mode when connecting from the network). If you need to be able to access ADMIN$ using a local account, you will need to disable Remote UAC. You can accomplish this by editing the registry.

Assuming you have all your other ducks in a row (firewall exceptions, appropriate credentials of a local administrative user, etc.), you just need to add a quick entry in the registry of the target computer. In the registry, navigate to

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Create a DWORD value called LocalAccountTokenFilterPolicy and assign it a value of 1.

You then can restart the Server service (but a reboot would be ideal ;-)).
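The registry change scripted, with a matching function to put the default back: this added example (not from the original post) reports the current state, sets LocalAccountTokenFilterPolicy to 1 and restarts the Server service (LanmanServer), and removes the value again to re-enable Remote UAC. Because the setting hands local administrators a full token over the network, it is worth treating as a deliberate, reversible change scoped to the machines that need it, and the Get function makes it easy to audit where it is set.

```powershell
# Added example (not from the original post): inspect, disable and re-enable
# Remote UAC via LocalAccountTokenFilterPolicy on the local machine.
$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-RemoteUacState {
    $v = (Get-ItemProperty -Path $regPath -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
    if ($v -eq 1) { 'Remote UAC disabled: local admins get a full token over the network' }
    else          { 'Remote UAC enabled (default): local accounts get a filtered token over the network' }
}

function Disable-RemoteUac {
    New-ItemProperty -Path $regPath -Name LocalAccountTokenFilterPolicy -PropertyType DWord -Value 1 -Force | Out-Null
    # Restart the Server service so the new policy applies to new SMB sessions;
    # a reboot is still the cleaner option.
    Restart-Service LanmanServer -Force
}

function Enable-RemoteUac {
    # Removing the value restores the default (same as setting it to 0).
    Remove-ItemProperty -Path $regPath -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
    Restart-Service LanmanServer -Force
}

Get-RemoteUacState
```

Run it elevated on the target computer; Restart-Service with -Force also restarts the services that depend on Server, so expect a brief interruption of file shares.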


* By default, when local credentials are used to access a Windows Vista (or later) system that is a member of a Windows Domain this problem does not exist. Your Windows domain may still disable Remote UAC.

** By default Remote administrative access is denied to local accounts when a Windows Vista (or later OS) is NOT a member of a Windows 2003 or later domain.

Microsoft info:

http://support.microsoft.com/kb/942817

http://support.microsoft.com/kb/951016

Set default OU for new AD computers

As we all know, the standard default container for newly created computer objects is 'Computers'.

But I want my newly created computer objects in another Organizational Unit (OU), Always!

This can be easily achieved by an old friend: REDIRCMP

You have to pass the distinguished name of the target container (which can easily be found with ADSI Edit!)
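Since the post doesn't show the actual invocation, here is an added example (not code from the original post) that displays the current default computer container, checks that the target OU exists, runs redircmp against it, and reads the setting back. Run it on a domain controller (or a machine with RSAT) as a Domain Admin; the OU distinguished name is a placeholder for your environment.

```powershell
# Added example (not from the original post): redirect the default container
# for new computer objects to a chosen OU and verify the change.
# The OU DN is a placeholder.
param([string]$TargetOu = 'OU=Workstations,DC=example,DC=com')

Import-Module ActiveDirectory

# Where do new computers land today? (Get-ADDomain exposes the wellKnownObjects entry.)
"Current default : $((Get-ADDomain).ComputersContainer)"

# Make sure the target exists; redircmp would fail anyway, but with a less clear message.
if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$TargetOu'")) {
    throw "OU $TargetOu not found in the domain"
}

# redircmp takes the DN of the new default container.
redircmp $TargetOu
if ($LASTEXITCODE -ne 0) { throw "redircmp failed with exit code $LASTEXITCODE" }

"New default     : $((Get-ADDomain).ComputersContainer)"
```

A computer joined without specifying an OU afterwards lands in the new container, which also means group policies linked there apply from the first boot instead of only after someone moves the object.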

Always handy 😉

User Certificates

Note to self:

When you redirect the Application Data folder, the certificate store folders are NOT redirected. They stay in the default profile location.

Personal certificates are stored under the following locations:

%userprofile%\AppData\Roaming\Microsoft\SystemCertificates
%userprofile%\AppData\Roaming\Microsoft\Protect
%userprofile%\AppData\Roaming\Microsoft\Credentials
%userprofile%\AppData\Roaming\Microsoft\Crypto
%userprofile%\AppData\Roaming\Microsoft\CLR Security Config
%userprofile%\AppData\Roaming\Microsoft\CryptNetUrlCache

HKEY_CURRENT_USER\Software\Microsoft\Cryptography
HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates