I looked at several of the posts out there about the issue where Windows 10 system Start Menu, Cortana, etc works fine with a local account, but when added to the domain, Start Menu hangs and Cortana/Windows Search does not work.
I tried copying the folder
'C:\Users\Administrator\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy'
to
'C:\Users\\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy'.
Didn't work. Plus, the folder was the same size as what I copied. Thought it may have been corrupted, but no change.
Went to the event log (should have gone there first) and noticed all these errors from source: ESENT dealing with logging/recovery. The error details were:
WebCacheLocal database recovery restore failed with unexpected error - 1907
I have two Windows 2012 servers in a Windows Failover cluster. I was trying to look at the shares under the Fileserver role. It kept spinning and returned error: “There were errors retrieving the file shares.” One of the troubleshooting steps is to check WinRM.
When running the command: winrm id -r:myserver
I received the standard error:
Message = The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig". Error number: -2144108526 0x80338012
On my workstations, winrm is working correctly, so I was unsure where the problem was.
When I run winrm enumerate winrm/config/listener I got this weird:
The "ListeningOn = null" was strange. I have WinRM configured using group policy. After some research, I discovered the article "Unable to Use Server Manager Remotely", which helped me realize that my group policy IPv4 filter was not set. The article suggested that I create a new instance of the HTTP Listener for all IPs using (winrm create winrm/config/Listener?Address=*+Transport=HTTP). But I have that configured in GPO. I double checked between the two GPOs that I have for clients and servers, and discovered that I did not set an IPv4 filter for servers.
Once I entered it, ran gpupdate on the servers and restarted the WinRM service, all was good again.
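The check described above can be scripted. The following is an added example, not part of the original post: it reads the WinRM service policy values that Group Policy writes to the registry and compares them with what each listener reports, flagging the "ListeningOn = null" case. The function names are hypothetical, and it must run elevated on the server being checked.

```powershell
# Added example (not from the original post).
# WinRM service settings delivered by Group Policy land under this key.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'

function Get-WinRMPolicyFilter {
    # Returns the GPO-delivered values; all are empty when no policy applies.
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PolicyPresent   = [bool]$p
        AllowAutoConfig = $p.AllowAutoConfig
        IPv4Filter      = $p.IPv4Filter
        IPv6Filter      = $p.IPv6Filter
    }
}

function Test-WinRMListener {
    $policy    = Get-WinRMPolicyFilter
    # Same data as: winrm enumerate winrm/config/listener
    $listeners = Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate

    foreach ($l in $listeners) {
        # ListeningOn holds one entry per bound address. An unbound listener
        # returns nothing or an empty (nil) element, so normalise both to text.
        $bound = @($l.ListeningOn | ForEach-Object {
                if ($_ -is [string]) { $_ } elseif ($_) { $_.InnerText }
            } | Where-Object { $_ })

        $finding = 'OK'
        if ($bound.Count -eq 0) {
            $finding = 'Listener is not bound to any address (ListeningOn = null)'
            if ($policy.AllowAutoConfig -eq 1 -and
                -not $policy.IPv4Filter -and -not $policy.IPv6Filter) {
                $finding += '; GPO enables WinRM but IPv4Filter and IPv6Filter are empty'
            }
        }

        [pscustomobject]@{
            Transport   = $l.Transport
            Port        = $l.Port
            Source      = $l.Source          # "GPO" when the listener comes from policy
            ListeningOn = $bound -join ', '
            IPv4Filter  = $policy.IPv4Filter
            Finding     = $finding
        }
    }
}

Test-WinRMListener | Format-List

# After setting the filter in the GPO, apply it as in the post:
#   gpupdate /force
#   Restart-Service WinRM
# The filter accepts * or address ranges (for example 10.0.0.1-10.0.0.254);
# a range restricts which local addresses the listener binds to.
```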
Suggested Reading
Axioms of Permissions Administration http://networkadminkb.com/Shared%20Documents/Axioms%20of%20Permissions%20Administration.aspx
The Golden Rules of Permissions Administration http://networkadminkb.com/Shared%20Documents/The%20Golden%20Rules%20of%20Permissions%20Administration.aspx
Differences between Authenticated Users, Domain Users, and Everyone groups http://networkadminkb.com/kb/Knowledge%20Base/ActiveDirectory/Differences%20between%20Authenticated%20Users,%20Domain%20Users,%20and%20Everyone%20groups.aspx
Recommended NTFS Permissions for New Drives http://networkadminkb.com/kb/Knowledge%20Base/Windows2003/Recommended%20NTFS%20Permissions%20for%20New%20Drives.aspx
Creator Owner Explained http://networkadminkb.com/kb/Knowledge%20Base/ActiveDirectory/Creator%20Owner%20Explained.aspx
Doing security is about creating and developing a philosophy; there are many out there. The one below is mine and works for most situations. This is just a simplified explanation of the Axioms and Golden Rules listed above.
For shares, you should do the following:
1) Everyone - Read (optional; not really needed, but nice to have just in case)
2) Authenticated Users - Change
3) Local Administrators - Full Control
4) File Structure Administrators - Full Control
For shares, note the following:
Always limit Authenticated Users to Change at the share to prevent non-admin users from accidentally being given Full Control of the file structure.
You should always configure Local Administrators with Full Control at the share so they can administer it remotely.
You should always create and use a File Structure Administrators group and assign it Full Control on every share. This allows its members to administer shares remotely without being local administrators.
For NTFS permissions on your high-level directories, where no files reside and only read access to folders is needed to get to the data in lower directories:
1) Authenticated Users - Read
2) Local Administrators - Full Control
3) File Structure Administrators - Full Control
4) SYSTEM - Full Control
For NTFS in this situation, note:
Always limit Authenticated Users to Read to prevent non-admin users from changing folders and creating files here.
You should always configure Local Administrators with Full Control at the folder so they can administer it remotely.
You should always create and use a File Structure Administrators group and assign it Full Control on every folder. This allows its members to administer shares remotely without being local administrators.
For NTFS permissions where users need to write data, stop inheritance, copy permissions and replace Authenticated Users with two different groups:
1) Directory group - Read Only
2) Directory group - Read and Write
3) Local Administrators - Full Control
4) File Structure Administrators - Full Control
5) SYSTEM - Full Control
For NTFS in this situation, note:
Always remove Authenticated Users so that the appropriate groups limit access.
You should always configure Local Administrators with Full Control at the folder so they can administer it remotely.
You should always create and use a File Structure Administrators group and assign it Full Control on every folder. This allows its members to administer shares remotely without being local administrators.
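The share layout and the "users need to write data" NTFS layout above, as an added example that is not part of the original post. The path, share name and the CONTOSO groups are hypothetical and must already exist; mapping "Read and Write" to the NTFS Modify right is an assumption.

```powershell
# Added example (not from the original post). All names are hypothetical.
$Path       = 'D:\Shares\Projects'
$ShareName  = 'Projects'
$FsAdmins   = 'CONTOSO\File Structure Administrators'
$ReadGroup  = 'CONTOSO\Projects-Read'        # "Directory group - Read Only"
$WriteGroup = 'CONTOSO\Projects-ReadWrite'   # "Directory group - Read and Write"
$AuthUsers  = 'NT AUTHORITY\Authenticated Users'

New-Item -ItemType Directory -Path $Path -Force | Out-Null

# Share permissions: Authenticated Users are capped at Change, so an NTFS
# mistake can never hand a non-admin Full Control through the share.
New-SmbShare -Name $ShareName -Path $Path `
    -ReadAccess   'Everyone' `
    -ChangeAccess $AuthUsers `
    -FullAccess   'BUILTIN\Administrators', $FsAdmins | Out-Null

# NTFS: stop inheritance and copy the inherited entries as explicit ones.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $Path -AclObject $acl

# Re-read the ACL, then remove Authenticated Users so that only the two
# directory groups decide who gets in.
$acl = Get-Acl -Path $Path
$acl.PurgeAccessRules([System.Security.Principal.NTAccount]$AuthUsers)

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
$entries = [ordered]@{
    $ReadGroup               = 'ReadAndExecute'
    $WriteGroup              = 'Modify'          # assumption for "Read and Write"
    'BUILTIN\Administrators' = 'FullControl'
    $FsAdmins                = 'FullControl'
    'NT AUTHORITY\SYSTEM'    = 'FullControl'
}

foreach ($e in $entries.GetEnumerator()) {
    $rights = [System.Security.AccessControl.FileSystemRights]$e.Value
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $e.Key, $rights, $inherit, $none, 'Allow'
    $acl.SetAccessRule($rule)    # replaces any existing allow entry for that identity
}
Set-Acl -Path $Path -AclObject $acl

# Verify both layers.
Get-SmbShareAccess -Name $ShareName
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```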
Ran into a problem with creating an SMB Transparent Failover share on our Server 2012R2 cluster. It kept giving the error - “The request is not supported” and looking at the Event Log: Microsoft-Windows-SmbServer/Operational, there was the error: CA failure – Failed to set continuously available property on a new or existing file share as Resume Key filter is not started.
Followed the steps, essentially removing 8.3 filename support from my volumes. These volumes were created on Server 2008R2 and apparently 8.3 filename support was enabled by default. Server 2012 Failover clusters do not support 8.3 filenames or having the property enabled.
fsutil 8dot3name set 2
The registry state is now: 2 (Per volume setting – the default).
fsutil 8dot3name set f: 1
Successfully disabled 8dot3name generation on f:
fsutil 8dot3name strip f:
Remove any short file names present on this volume
Use the SQLite plugin for Firefox and mount the places.sqlite file. The file is located in:
C:\Users\\AppData\Roaming\Mozilla\Firefox\Profiles\\places.sqlite
Once SQLite is installed in Firefox, go to the Tools menu and select the application. Once opened, use: Database / Connect Database / C:/temp/places.sqlite (the location you copied the user's places.sqlite file to).
Was tired of having Premiere CS6 generate a peak file with every video that I imported into it. Found this article, 5 hidden features in Adobe Premiere CS6, that shows how to bring up a console allowing you to disable this feature and other settings in Premiere.
Was working with CSVDE to export users into a csv, but had no luck with exporting users from a group name containing spaces (i.e. "Group 2"). One of my examples had the filter contained in quotes.
Discovered that:
The filter clause should be enclosed in parentheses, not quotes. The quotes should enclose the distinguished name of the group.
Running Active Directory on Windows Server 2012 Core in a VM on a Hyper-V host. The host lost power and corrupted the AD instance running on the VM.
Server 2012 would enter into the Repair mode and I caught the error 0x0c00002e2 as the resultant issue and discovered that AD was indeed corrupted. This is the only domain controller for the domain and has accounts on it, so a backup was not an option. (I know.... Murphy was in rare form today).
Boot into Directory Services Restore Mode. When the server powers on, press F8 before the OS begins to load. I used the recovery mode| change startup button, to bring up the boot options.
I was running Server Core, so from the prompt, cd \windows\ntds
Created a 'temp' folder in the c:\windows\ntds folder.
Copied the ntds.dit file to that temp folder.
Ran the commands below:
Type: esentutl /g c:\windows\ntds\ntds.dit
This will perform an integrity check, (the results indicate that the jet database is corrupt - ok)
Type: esentutl /p c:\windows\ntds\ntds.dit
Agree with the prompt
I had to run the last command twice for it to return success.
Rebooted and the system was up and running.
In my test environment, I needed to change the hostname of the domain controller. You can rename a domain controller using the netdom command. It appears that you must first add a machine account based on the current machine account:
STEP 1: netdom computername /add:
so, in the powershell command prompt, type (with quotes) "netdom computername wrongname.domain.local /add:server.domain.local"
STEP 2: netdom computername /makeprimary:
so, we type netdom computername wrongname.domain.local /makeprimary:server.domain.local
Once the command completes successfully, it will warn you that you need to reboot immediately, as it may not authenticate logons (very important if only DC in forest).
But, I kept getting this error message: "Unable to add "VM1" as an alternate name for the computer. The error is: The specified domain either does not exist or could not be contacted. The command failed to complete successfully."
Discovered from the following link that in Windows Server 2008 and Server 2012, the netlogon share is not present after you install Active Directory services.
I’ve run into this on a system and wanted to share.
I was having a problem with disk space and used the diruse.exe utility to isolate a folder that was using an enormous amount of disk space. The folder was in the ProgramData\Microsoft folder.
Basically, the Windows Error Reporting service captures errors and gathers data that may be related to a crash (i.e. files) and stores them in the C:\ProgramData\Microsoft\Windows\WER\ReportQueue folder. I had 33 GB of extraneous data there that I used the method in the link to clean up.
The WER service never deletes these files that it captures. Absolutely crazy!
DFS Replication was doing something strange when I enabled replication during the day. Had a user complain that they were missing a file. Another user said the same, so I needed to do a simple folder compare to see if there were differences. The folders were different in *.tmp and ~*.* files, but I did find 7 files that were not on both replication partners.
Discovered this error on one of my servers - "There was an error 0x800106f7 in creating the Antimalware Health State WMI instance." This error was occurring every 30 seconds.
Powershell Split Operator
Had a problem with -split of a string variable that contained a "." (period) in it. Discovered from this article that a period as a regular expression means 'any character', so you must escape the period with a "\".
For example: $a,$b = $member.SamAccountName -split('\.')
I had installed base Windows Server 2012 Core to a virtual machine and tried to upgrade it to the GUI version. Had a crazy error:
0x800f0906 or ‘the source files could not be downloaded’ error
My machine was not on the network and I had the install CD. I could not get it to install at all. Did some digging and found that the following will work. Be sure to include the colon ":" after the word '-Source' and after the 'WIM' tag for the source location. Knowing the correct index in the install WIM is important as well.
First, confirm your edition index in install.wim: dism /get-wiminfo /wimfile:d:\sources\install.wim
Index:1 Windows Server 2012 SERVERSTANDARDCORE
Index:2 Windows Server 2012 SERVERSTANDARD
Index:3 Windows Server 2012 SERVERDATACENTERCORE
Index:4 Windows Server 2012 SERVERDATACENTER
It will produce Win Server 2012 R2 SERVERSTANDARD as index 2, then:
Install-WindowsFeature Server-Gui-Mgmt-Infra -Source:wim:d:\sources\install.wim:2
The last number is the edition index, change to 4 if running in SERVERDATACENTERCORE.
Using the Dism command works as well, but it is a longer process, since you have to mount the WIM file.
USING A SHARE NAME from an existing machine:
Dism /Online /Enable-Feature /FeatureName:Server-Gui-Mgmt /All /Source:\\[serverfqdn]\c$\Windows\WinSxS /LimitAccess
Found a great article on creating an unattended xml and creating an ISO in Ezra Undag's post at:
https://medium.com/tech-jobs-academy/creating-a-windows-server-2012-r2-core-unattended-installation-iso-ab8071c03279#.dzuri1h35
The steps are as follows, but for more details, take a look at his post.
Start the installation process. Leave everything selected by default but make sure that Deployment Tools and Windows Preinstallation Environment (Windows PE) are selected.
3. Finish the installation.
II. Create an answer file
1. Open Windows System Image Manager by going to Start Menu > Apps List or by hitting Windows key + S combination keys and typing in “Windows System Image Manager”.
2. Mount the ISO file by double-clicking it or opening it via File Explorer. It displays a new drive indicated by a letter.
3. Go to sources directory and copy install.wim to a local drive, such as D.
4. Switch back to Windows System Image Manager. Click File Menu > Select Windows Image, locate the install.wim you copied.
5. Select the Windows Distribution to build an answer file for. We select Windows Server 2012 R2 SERVERDATACENTERCORE.
6. The Windows Image pane is populated with Components and Packages folders. Expand Components and scroll through until you find amd64_Microsoft-Windows-International-Core-WinPE_6.3.9600.16384_neutral. [..6.3.9600.16384_neutral] may differ on other Windows distributions. Right click on amd64_Microsoft-Windows-International-Core-WinPE_6.3.9600.16384_neutral and click Add Setting to Pass 1.
7. Under Answer File pane, collapse Components > 1 windowsPE and select amd64_Microsoft-Windows-International-Core-WinPE. Configure settings according to your requirements or the image shown below.
8. Collapse Components > 1 windowsPE > amd64_Microsoft-Windows-International-Core-WinPE and select SetupUILanguage. Configure settings according to your needed language or the image shown below. In this case, we use en-US (US English).
9. In this step, we configure disk partitions by scrolling through Windows Image pane under Components until amd64_Microsoft-Windows-Setup_6.3.9600.17031_neutral is found. [_6.3.9600.17031_neutral] may differ in other Windows distributions. Right click on amd64_Microsoft-Windows-Setup_6.3.9600.17031_neutral and click Add Setting to Pass 1.
11. Under amd64_Microsoft-Windows-Setup_neutral, find DiskConfiguration, right click on it and select Insert New Disk.
12. In DiskConfiguration > Disk, right click on CreatePartitions and select Insert New CreatePartition. Configure the partition as shown in the image below. This partition becomes the System Reserved Partition which contains hardware-related files and the Boot folder that tell a computer where to look to start Windows. In Windows 7 and Windows Server 2008, the partition is 100MB. In Windows 8 and Windows Server 2012, it is 350MB.
13. Right click on CreatePartitions and select Insert New CreatePartition to create a second partition then set Extend to true. This means that the partition takes up the rest of the disk. This becomes our logical partition where the Operating System is installed.
14. Click on Disk under DiskConfiguration. Set DiskID to 0 and WillWipeDisk to true. Disk 0 is generally the first disk in most computer systems where the Operating System resides.
15. Modify the System Reserved Partition by right-clicking on ModifyPartitions and selecting Insert New ModifyPartition. Configure settings as shown in the image below.
16. Modify the logical partition by right-clicking on ModifyPartitions and selecting Insert New ModifyPartition. Configure settings as shown in the image below.
17. Select ImageInstall and configure settings as shown in the image below. This means we do not install to the available partition because we are specifying it later.
18. Specify the OS to install. Collapse OSImage, right-click on InstallFrom and select Insert New MetaData. Collapse InstallFrom and select Metadata. Configure the settings as shown in the image below. Key field can be set to /IMAGE/NAME , /IMAGE/INDEX, or /IMAGE/DESCRIPTION. In this case, we use /IMAGE/NAME to correspond to the name of the Windows Distribution selected in step 5.
19. Set the Disk and Partition where OS will be installed. Select InstallTo and configure settings as shown in the image below.
20. Bypass EULA Dialog. Scroll down to find UserData and select it. Configure settings as shown in the image below. Fill up FullName and Organization if desired.
21. Configure UserData > ProductKey. This is not where we provide the product key. Leave empty as shown in the image below.
22. Set Computer name, product key, organization name and timezone. Scroll through Windows Image pane and find amd64_Microsoft-Windows-Shell-Setup_6.3.9600.17031_neutral (6.3.9600.17031 may differ in other Windows distributions), right-click on it and select Add Setting to Pass 4 specialize.
23. In Answer File pane, collapse 4 specialize, select amd64_Microsoft-Windows-Shell-Setup_neutral and configure settings as shown in the image below. To set a random computer name during installation, set the ComputerName field to [*] (asterisk symbol). By default, TimeZone is set to Pacific Standard Time.
In this case, we are using an evaluation copy for Windows so we are leaving ProductKey empty.
24. In Windows Image pane, right-click on amd64_Microsoft-Windows-Shell-Setup_6.3.9600.17031_neutral and select Add Setting to Pass 7 oobeSystem to specify Out of Box Experience (oobe) settings.
25. In Answer File pane, select amd64_Microsoft-Windows-Shell-Setup_neutral and configure settings as shown below.
26. Collapse amd64_Microsoft-Windows-Shell-Setup_neutral, select AutoLogon and configure settings. Set LogonCount to 2 so that image build process goes quicker and in case administrator password is not configured in the answer file, we can reset it during the first two reboots.
27. Collapse AutoLogon, select Password and type in the password, which is automatically encrypted during installation. In this case, we type in a sample password. Please provide a more secure password.
28. In Answer File pane, scroll down to find UserAccounts and collapse it. Select AdministratorPassword and provide the same password as in step 26.
29. Validate answer file. Click Tools menu, and select Validate Answer file. Make sure there are no errors in the Messages pane. Validation warnings are fine and normal.
30. Save answer file as autounattend.xml. This is placed in the root directory of our ISO image as instructed in the next section.
III. Generate an unattended installation ISO
1. In the previous section step 2, we mounted the ISO image that created a new DVD drive F. Copy and paste all the contents in DVD drive F to a folder in the computer’s disk. In this case, we created an ISO folder on local drive E. Put the autounattend.xml file in the ISO folder as shown in the image below.
2. In the sources directory, delete install.wim and replace it with the install.wim we copied and pasted to local drive D in the previous section step 3.
3. Launch Deployment and Imaging Tools Environment (included in Windows ADK).
4. Generate a new bootable ISO for unattended installation. Use oscdimg.exe command as in the image below. Update the paths accordingly.
-b points to the etfsboot.com file which is necessary for bootable media such as CDs and DVDs. This file will be written to the boot sector of the disk.
-u2 this option is used to produce an image that has only the UDF file system on it.
-h this option will include all hidden files and directories under the source path for this image.
-m specifies that the file size can be larger than the maximum size limit.
-l is the label of the media that will be created.
5. Locate new ISO in drive E with file name WinServer2012Core_unattend2.iso. Configure a VM using Hyper-V or physical server to boot from it and verify that there are no prompts or errors during the installation process. Note that the disk configuration and data will be wiped during the seamless unattended installation process.
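Because autounattend.xml sits in the root of the ISO, it is worth auditing what it stores before the image is built or shared. The following is an added example, not part of the original post or of Ezra Undag's article: it lists every password element and AutoLogon setting in an answer file. The XML is a constructed sample with placeholder values, and the function name is hypothetical.

```powershell
# Added example (not from the original post). Constructed sample answer file;
# the <Value> strings are placeholders, not real encoded passwords.
$sample = @'
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64">
      <AutoLogon>
        <Enabled>true</Enabled>
        <LogonCount>2</LogonCount>
        <Username>Administrator</Username>
        <Password>
          <Value>Q09OU1RSVUNURUQ=</Value>
          <PlainText>false</PlainText>
        </Password>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword>
          <Value>Q09OU1RSVUNURUQ=</Value>
          <PlainText>false</PlainText>
        </AdministratorPassword>
      </UserAccounts>
    </component>
  </settings>
</unattend>
'@

function Get-AnswerFileCredentialFinding {
    param([Parameter(Mandatory)][xml]$AnswerFile)

    # local-name() avoids having to register the unattend XML namespace.
    $nodes = $AnswerFile.SelectNodes(
        "//*[local-name()='Password' or local-name()='AdministratorPassword']")
    foreach ($n in $nodes) {
        $value = $n.SelectSingleNode("*[local-name()='Value']")
        if (-not $value -or -not $value.InnerText) { continue }   # nothing stored
        $plain = $n.SelectSingleNode("*[local-name()='PlainText']")
        # A missing PlainText element is treated here as plain text.
        $isPlain = -not $plain -or $plain.InnerText -ne 'false'
        [pscustomobject]@{
            Element = "$($n.ParentNode.LocalName)/$($n.LocalName)"
            Storage = if ($isPlain) { 'plain text' }
                      else { 'Base64-encoded by WSIM (reversible, not encrypted)' }
            Finding = 'Recoverable by anyone who can read the file or the ISO'
        }
    }

    $auto = $AnswerFile.SelectSingleNode("//*[local-name()='AutoLogon']")
    if ($auto -and $auto.SelectSingleNode("*[local-name()='Enabled']").InnerText -eq 'true') {
        $count = $auto.SelectSingleNode("*[local-name()='LogonCount']").InnerText
        [pscustomobject]@{
            Element = 'AutoLogon'
            Storage = "LogonCount = $count"
            Finding = 'Console is logged on without a prompt for that many boots'
        }
    }
}

Get-AnswerFileCredentialFinding -AnswerFile $sample | Format-List
```

Treat the finished ISO like a credential store: restrict who can read it, and change the built-in Administrator password once the machine is deployed.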
I needed a system that would dual boot Windows Server 2012 with Centos 7.
I used half of the physical drive to create the Windows NTFS partition and installed Windows Server 2012 there. Then with the remaining space, I installed Centos 7 on the remaining free space.
As expected, the Windows install does NOT show up in the boot loader menu.
Here are the instructions I followed to get it to display the Windows OS option. Worked without issues.
To find out on what partition Windows is actually installed (for me it is 0/sda1), run
fdisk -l
for example, it shows ....
/dev/sda1 * 2048 718847 358400 7 HPFS/NTFS/exFAT
....
To find out the partition UUID, run blkid /dev/sda1 and find the matching UUID
blkid /dev/sda1
Then add the menu entry to /boot/grub2/grub.cfg like
menuentry "Windows 2012 R2" --class windows --class os {
    insmod ntfs
    set root='(hd0,1)'
    # XXXXXXXXXXXXX is the UUID from step 2
    search --no-floppy --fs-uuid --set=root XXXXXXXXXXXXX
    chainloader +1
}