Categories
blog howto windows

Windows 10 build update fails with 0x80004005

For a while now my work laptop was trying to update to Windows 10’s latest build (2004) but kept failing when almost finished.

You can manually go through the log files (located mostly at C:\windows\panther\ ). See below link to KB928901 for the complete list.
https://support.microsoft.com/en-us/help/928901/log-files-that-are-created-when-you-upgrade-to-a-new-version-of-window

However, I recommend using the much easier SetupDiag tool, also from Microsoft. Download the tool from the below link and save it to a folder Tools on your C: drive (for convenience).
https://docs.microsoft.com/en-us/windows/deployment/upgrade/setupdiag

From version 2004 onwards the tool should run automatically after failed setup, but it didn’t in my case, or did not show the relevant information anyway.

When I manually opened a command prompt (CMD) with administrative privileges and started “setupdiag” it showed me the reason for failing the update.

cd c:\tools
setupdiag

I had to scroll down a little bit in the output and found this:

Error: SetupDiag reports abrupt down-level failure. Last Operation: Finalize Error: 0x80004005 – 0x60016 LogEntry: 2020-07-21 19:00:10, Error SP Operation failed: Update Boot Code. Error: 0x80004005[gle=0x000000b7]

Specifically “update boot code” showed me the problem had something to do with the special EFI partition where the boot files reside (in case of UEFI boot, as I am using).

When I had a look at my partition layout with disk management, I saw a EFI partition (100MB, a bit small) and 2 Recovery partitions (+/- 500MB each) and some unused space in between them. A strange partition layout, I maybe suspect Acronis to be the reason for this.

Warning: What I did next is for advanced users, because it will make Windows stop from booting if not done correctly.
This is only for UEFI boot, not for Legacy boot.

– I deleted the recovery partitions, deleted the EFI boot partition.
– I made a new EFI boot partition and copied the bootfiles to it.

diskpart
select disk 0
create partition efi
format quick fs=fat32
exit
bcdboot C:\windows

– I used a free partition manager tool to expand/move my C partition so the unused space between the partitions was gone.

I tried the Windows Build update again and was successful!

Categories
blog exchange howto server windows

SBS: complete certificate request error

So you created a certificate request on the SBS wizard and now want to complete the request by running the wizard again and importing the CRT certificate file you received, but you get an error.

The imported certificate does not match your web site

If you look in the detailed logfile named TrustedCert.log located at “C:\program files\Windows Small Business Server\Logs” you may find an error reffering to ASN1bad tag.

An exception of type ‘Type: System.Runtime.InteropServices.COMException, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089’ has occurred.
Timestamp: 07/10/2019 11:04:25
Message: CertEnroll::CX509Enrollment::p_InstallResponse: ASN1 bad tag value met. 0x8009310b (ASN: 267)
Stack: at Microsoft.WindowsServerSolutions.CERTENROLLLib.Interop.CX509EnrollmentClass.InstallResponse(InstallResponseRestrictionFlags Restrictions, String strResponse, EncodingType Encoding, String strPassword)
at Microsoft.WindowsServerSolutions.CoreNetworking.CertificateProvider.InstallCertResponse(Byte[] certificateBytes)

Luckily you can manually import the certificate and restore the necessary private key from the request using the instructions below.

  1. Open an Microsoft Management Concole (mmc) as admin.
  2. Add the snap-in “certificates” and select computer account.
  3. Now go to Personal – Certificates, right click & select all tasks – import.
  4. Import the CRT file you received from the provider.
  5. Refresh the certificates list. The certificate is now present but without private key.
  6. Double-click the certificate, go to the details tab and copy the serial number. Should be something like: 1e 71 cb 7a ….
  7. Open an CMD with administrator rights and run the following the command: certutil -repairstore my “<serialnumber>”
    Where <serialnumber> is the value from step 6, i.e. 1e 71 cb 7a ….
  8. Refresh the certificate list in the MMC snap-in, the certificate should now show the key icon because the private key is present.
  9. I suggest you make an export with private key and extended properties to store for safekeeping for later use.
  10. I tried the import certificate wizard in the SBS console again, selected the CRT file, it still failed, but now the certificate was configured and the OWA was working again with the new certificate.

References:
https://support.microsoft.com/nl-nl/help/2351321/not-able-to-install-trusted-certificate-on-sbs2008
https://knowledge.digicert.com/solution/SO22327.html

Categories
blog howto windows

Mount network drive shared folder in DOSBOX

Newer versions allow you to mount a shared folder from the network straightforward using the below syntax.
mount P //server/P-share/
* Note the trailing slash, it’s required!

Some (older) versions of DOSBOX do not allow you to mount (a drive letter connecting to) a network share, but you can circumvent this by using a soft symlink.

Let’s say we have a network drive with the letter P: that we want to mount inside DOSBOX.
We create a folder DOSPROGS on the C: drive to hold the symlink (and perhaps put the DOSBOX executable inside as well).

We then create the soft directory symlink by running the following command in a CMD prompt.
Note that I prefer to use the UNC path, because I think it’s more reliable than a drive letter to a share (that might be disconnected), but you can use both.
mklink /D C:\DOSPROGS\P-DRIVE \\server\P-share
mklink /D C:\DOSPROGS\P-DRIVE P:\

In DOSBOX we can now mount it using the symlink.
MOUNT P C:\DOSPROGS\P-DRIVE

Categories
blog cloud howto

Enable or disable password expiration for Office365 users using Powershell

You can change the general password expiration policies in the online GUI but for individual users and to check the state you need to use powershell.

  1. First make sure you have installed the required module for powershell.
    – Azure Active Directory Module for Windows Powershell.
    On Windows 10 you can open powershell with run as administrator and run the command: Install-Module -Name MSOnline
    Or you can download the installer from:
    http://connect.microsoft.com/site1164/Downloads/DownloadDetails.aspx?DownloadID=59185
    You need the AdministrationConfig-V1.1.166.0-GA.msi file.
    – For this to install you need to have the Microsoft Online services sign-in assistant > 7.
    If you don’t have it you can download it from:
    https://www.microsoft.com/en-us/download/details.aspx?id=41950
  2. Now that we have the necessary software we can connect, start powershell for windows azure ad and execute:

    Connect-MsolService
  3. Check if password expiration is set for any of the users:
    Get-MSOLUser | Select UserPrincipalName, PasswordNeverExpires
  4. Change password expiration for all users:
    Get-MSOLUser | Set-MsolUser -PasswordNeverExpires $true
    Get-MSOLUser | Set-MsolUser -PasswordNeverExpires $false
  5. Change password expiration for just one user:
    Set-MsolUser -UserPrincipalName u1@dm.tld -PasswordNeverExpires $true
    Set-MsolUser -UserPrincipalName u1@dm.tld -PasswordNeverExpires $false
Categories
blog howto server windows

Can’t find script engine “VBScript” for script …

I recently came across this error while trying to execute a VBscript.

Can’t find script engine “VBScript” for script …

After some troubleshooting this was related to the uninstall of McAfee antivirus software.
McAfee antivirus intercepts all VBscript execution by changing the executable that runs the scripts.
After uninstallation, this change was not rolled back and VBscript execution would faill unless explicitely called by wscript.exe or cscript.exe.

Solution is to revert he change in the Windows registry.
In the following registry key:
HKEY_CLASSES_ROOT\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Find the value named (Default) of type REG_SZ and change the data back to:
C:\Windows\system32\vbscript.dll
instead of:
c:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110218083735.dll

You have the adjust the permissions on the key InprocServer32 to give write permission to Administrator (or your user).

If your problem is unrelated to McAfee and the registry value is correct you might have to re-register the DLL’s.
Open a CMD with elevated privileges (run as administrator) and execute the following commands:

cd "%systemroot%\system32"
regsvr32 jscript.dll
regsvr32 vbscript.dll
cd "%systemroot%\SysWow64"
regsvr32 jscript.dll
regsvr32 vbscript.dll

More information and information that i used to troubleshoot this issue:
http://answers.microsoft.com/en-us/windows/forum/windows_7-performance/cant-find-script-engine-vbscript-for-script/960f24d1-bf92-4cec-b73e-520a04891073
https://community.mcafee.com/thread/50961?start=0&tstart=0

Categories
blog howto windows

Windows 2012 Server Manager refresh failed, requires a restart

The request to add or remove features on the specified server failed. the operation cannot be completed because the server that you specified requires a restart.

Role and feature refresh failed with the following error: The Request to list features available on the specific server failed. The operation cannot be completed, because the server that you specified requires a restart.

Restarting the server does not help.

Check the eventlog for an error from Service Control Manager ID 7041 that reads:

The MSSQL$MICROSOFT##WID service was unable to log on as NT SERVICE\MSSQL$MICROSOFT##WID with the currently configured password due to the following error:
Logon failure: the user has not been granted the requested logon type at this computer.

Service: MSSQL$MICROSOFT##WID
Domain and account: NT SERVICE\MSSQL$MICROSOFT##WID

This service account does not have the required user right “Log on as a service.”

Check the “Windows Internal Database” service is running, it probably is not and can’t start.

If this is a domain controller you can assign the logon as service right for the account using the “Default Domain Controllers Policy” GPO.

  1. Open gpmc.msc
  2. Select the “Default Domain Controllers Policy” under the “Domain Controllers” OU in the left tree.
  3. Right click on it and select edit.
  4. In the editor navigate to “Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, User Rights Assignments”.
  5. Open the properties of the “Log on as a service” item.
  6. Add the user “NT SERVICE\MSSQL$MICROSOFT##WID” (without quotes) using the Add User or Group button.
  7. Close the window with OK. Close the GPO editor.
  8. Run gpupdate and restart the computer.

If this is a normal member or standalone server you can assign the logon as service right for the account using the “Local Security Policy”.

  1. Open secpol.msc
  2. Navigate to” Local Policies, User Rights Assignments”.
  3. Open the properties of the “Log on as a service” item.
  4. Add the user “NT SERVICE\MSSQL$MICROSOFT##WID” (without quotes) using the Add User or Group button. If this is greyed out, than the item is set using Domain Group Policies (see above).
  5. Close the window with OK. Close the local security policy editor.
  6. Run gpupdate and restart the computer.
Categories
blog howto windows

Uninstall Sophos Antivirus tamper protection lost password

How to uninstall Sophos Antivirus when the Tamper Protection doesn’t let you, and you don’t know the Tamper password.

  1. Stop the Sophos Anti-Virus service if possible. Open services.msc and stop the service.
  2. Open notepad with UAC elevation, run as Administrator.
  3. In notepad open the file “C:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml”
  4. Find the configuration section for TamperProtectionManagement

    <TamperProtectionManagement>
    <settings>
    <password>123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ</password><enabled>true</enabled>
    </settings>
    </TamperProtectionManagement>

  5. Change the password string (123456789ABCD… above is just an example, yours will be different.) to the new value: E8F97FBA9104D1EA5047948E6DFB67FACD9F5B73
  6. Start Sophos Antivirus or restart the computer.
  7. Disable tamper protection using the new password: “password” (without the quotes).
  8. Uninstall Sophos Antivirus.
Categories
blog exchange howto server windows

Exchange database dirty shutdown recovery JET_errLogFileSizeMismatch error -541

Warning: This is a technical article describing steps that you should only execute if you’re familiar and confident with the matter.

Error information:
Below is some error information that you might have seen and that’s why your search leads you here.

eseutil /ML “L:\Program Files\Microsoft\Exchange Server\V15\Mailbox\DB-MBX2\E02.log”
Extensible Storage Engine Utilities for Microsoft(R) Exchange Server Version 15.00
Copyright (C) Microsoft Corporation. All Rights Reserved.
Initiating FILE DUMP mode…
Base name: E02
Log file: L:\Program Files\Microsoft\Exchange Server\V15\Mailbox\DB-MBX2\E02.log
ERROR: Cannot read log file header. Error -541.
Operation terminated with error -541 (JET_errLogFileSizeMismatch, actual log file size does not match JET_paramLogFileSize) after 0.16 seconds.

eseutil /r “L:\Program Files\Microsoft\Exchange Server\V15\Mailbox\DB-MBX2\E02.log”
Extensible Storage Engine Utilities for Microsoft(R) Exchange Server Version 15.00
Copyright (C) Microsoft Corporation. All Rights Reserved.
Initiating RECOVERY mode…
Logfile base name: E02

Performing soft recovery…
Operation terminated with error -541 (JET_errLogFileSizeMismatch, actual log file size does not match JET_paramLogFileSize) after 0.31 seconds.

Solution:
If possible have a backup or a copy of the database before you manipulate it! Transaction log files are critical for the database, these are not just information files that you can delete!

If the DISK where the log files of your exchange database resides has run out of space you could find yourself with a corrupt log file. When you try to perform a soft recovery with eseutil /r and the path to your E0?.log (in my case E02.log) file you get an error about header information and size mismatch. The E0?.log file is the current transaction log file that Exchange was writing to when the disk ran out of space. This file is now corrupt and transactions in the file that were not applied to the database will be lost. All other older log files will have hexadecimal sequence to it such as E0?00E475A.log and so on. You can check which log files are required for the database to perform a soft recovery by reading the header information of the database in question as follows:

eseutil /mh “F:\Program Files\Microsoft\Exchange Server\V15\Mailbox\DB-MBX2\DB-MBBX2.edb”
replace path and filenames with your database

In the wealth of information returned you will see a line stating the state of the database, which will be Dirty Shutdown. (If it is Clean Shutdown than you do not need to perform recovery). Below the state is the line Log Required which shows the files needed.

Log Required: 190299-190336 (0x2e75b-0x2e780)

In my case the databases needs the files E020002E75B.log and newer on to E020002E780.log (this is HEX sequence). Older log files can be moved to a different hard disk if you need to free some space. Be careful, don’t delete, sorting these files in Explorer is not easy, you can’t do it by name because of the hex sequence and by date/time is not foolproof. So double-check or just expand the disk and leave all log files as-is.

Now to perform the recovery we have to move the corrupt E02.log file to a folder or other disk. Now that the corrupt file is removed and you are 100% sure that all the other required log files (see section above) are present we can perform soft recovery with the /a option to skip missing log files and bring the database back to a clean state.

eseutil /r /a E02 /l “l:\Program Files\Microsoft\Exchange Server\V15\Mailbox\DB-MBX2” /s “l:\Program Files\Microsoft\Exchange Server\V15\Mailbox\DB-MBX2” /d “F:\Program Files\Microsoft\Exchange Server\V15\Mailbox\DB-MBX2”
change the names and paths to your situation.

/r is soft recovery
/a is skip missing logfile
E02 is the base name of the logfiles, this is dependant of the database, could be E01, E02, E03 …
/l is for the log files location (where E02.log and other E02xxxx.log files reside)
/s is for the system files location (where E02.chk resides)
/d is for the database files location (where DB-MBX2.edb resides)

Output will be like this:

eseutil /R /a E02 /l “l:\Program Files\Microsoft\Exchange Server\V15\Mailbox
\DB-MBX2” /s “l:\Program Files\Microsoft\Exchange Server\V15\Mailbox\DB-MBX2” /d
“F:\Program Files\Microsoft\Exchange Server\V15\Mailbox\DB-MBX2”

Extensible Storage Engine Utilities for Microsoft(R) Exchange Server Version 15.00
Copyright (C) Microsoft Corporation. All Rights Reserved.
Initiating RECOVERY mode…
Logfile base name: E02
Log files: l:\Program Files\Microsoft\Exchange Server\V15\Mailbox\DB-MBX2
System files: l:\Program Files\Microsoft\Exchange Server\V15\Mailbox\DB-MBX2
Database Directory: F:\Program Files\Microsoft\Exchange Server\V15\Mailbox\DB-MBX2
Performing soft recovery…
Restore Status (% complete)
0 10 20 30 40 50 60 70 80 90 100
|—-|—-|—-|—-|—-|—-|—-|—-|—-|—-|
……………………………………………

Operation completed successfully in 3.635 seconds.

The database is now clean, you can check again with eseutil /mh as we did before and see the state listed as Clean Shutdown.

If you want to quickly clean-up logfiles no longer needed you should perform an Exchange aware backup. If you don’t have one and you understand the consequences you can enable circular logging on the database.

Good Luck!

Categories
blog howto windows

Microsoft Print to PDF empty 0KB file

If you create a PDF file using “Microsoft Print to PDF” and the file is corrupt and appears empty 0KB. Try to make the file again but don’t use “,” (comma) in the name.

Categories
blog exchange howto server windows

Outlook 2013 sync problems and message that Administrator has made a change

This post describes a problem I recently experienced when migrating from Exchange 2007 to Exchange 2013. Outlook 2013 clients would pop-up a message about the administrator making changes that require a restart of Outlook continuously. Also the folder synchronization fails and you see new messages arrive in your Inbox only to dissapear again after 1 second and then come back again and so forth.

The Microsoft Exchange administrator has made a change that requires you quit and restart Outlook

outlook error synchronizing folder [0-0]

These problems started occurring right after the old public folder database was deleted on the Exchange 2007 server. I only noticed it after I had already uninstalled the Exchange 2007 server completely. Why only Outlook 2013 has this problem I don’t know, but here is what’s wrong.

On the Mailbox database on your new Exchange server there is still a value pointing to the OLD public folder database that is now deleted.
You need to fix this using Adsiedit.msc:
Go to:

Configuration >CN=Services > CN=Microsoft Exchange > CN=Your Organisation > CN=Administrative Groups > CN=Exchange Administrative Group > CN=Databases

For each mailbox database, right click and check the attributes for “MSEXCHHomePublicMDB”. You will see that the value for this attribute points to “CN=Public Folder Database*,CN=Deleted Objects,CN=Configuration,DC=YourDomain,DC=com” the old object for the public folder database that has been deleted. You must clear this value using the clear button, so it changes to “not set”, just emptying the value won’t work. Restart the Information store service or reboot the Exchange server and the problem should be solved.