Categories
blog exchange howto server windows

SBS: complete certificate request error

So you created a certificate request on the SBS wizard and now want to complete the request by running the wizard again and importing the CRT certificate file you received, but you get an error.

The imported certificate does not match your web site

If you look in the detailed log file named TrustedCert.log located at "C:\program files\Windows Small Business Server\Logs" you may find an error referring to an ASN1 bad tag.

An exception of type ‘Type: System.Runtime.InteropServices.COMException, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089’ has occurred.
Timestamp: 07/10/2019 11:04:25
Message: CertEnroll::CX509Enrollment::p_InstallResponse: ASN1 bad tag value met. 0x8009310b (ASN: 267)
Stack: at Microsoft.WindowsServerSolutions.CERTENROLLLib.Interop.CX509EnrollmentClass.InstallResponse(InstallResponseRestrictionFlags Restrictions, String strResponse, EncodingType Encoding, String strPassword)
at Microsoft.WindowsServerSolutions.CoreNetworking.CertificateProvider.InstallCertResponse(Byte[] certificateBytes)

Luckily you can manually import the certificate and restore the necessary private key from the request using the instructions below.

  1. Open a Microsoft Management Console (mmc) as administrator.
  2. Add the snap-in “certificates” and select computer account.
  3. Now go to Personal – Certificates, right click and select all tasks – import.
  4. Import the CRT file you received from the provider.
  5. Refresh the certificates list. The certificate is now present but without a private key.
  6. Double-click the certificate, go to the details tab and copy the serial number. It should be something like: 1e 71 cb 7a ….
  7. Open a CMD with administrator rights and run the following command: certutil -repairstore my "<serialnumber>"
    Where <serialnumber> is the value from step 6, i.e. 1e 71 cb 7a ….
  8. Refresh the certificate list in the MMC snap-in, the certificate should now show the key icon because the private key is present.
  9. I suggest you make an export with private key and extended properties to store for safekeeping for later use.
  10. I tried the import certificate wizard in the SBS console again, selected the CRT file, it still failed, but now the certificate was configured and the OWA was working again with the new certificate.
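
As an added example (not code from the original post), the PowerShell below automates steps 5 to 8: it finds the imported certificate in the computer's Personal store by subject, checks whether a private key is linked, runs certutil -repairstore with the certificate's serial number if not, and re-reads the store to confirm. The subject pattern is an assumed placeholder; run it elevated.

```powershell
# Added example, not part of the original post: re-link the private key left behind by the
# SBS certificate request to the certificate imported from the CRT file, then verify.
function Repair-ImportedCertKey {
    param([Parameter(Mandatory)][string]$SubjectPattern)

    # Steps 1-5 of the post have put the CRT into LocalMachine\My; pick the newest match
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*$SubjectPattern*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate matching '$SubjectPattern' in LocalMachine\My" }

    if ($cert.HasPrivateKey) {
        Write-Host "Private key already linked: $($cert.Subject) ($($cert.Thumbprint))"
        return $cert
    }

    # SerialNumber is the value shown on the Details tab (step 6), without the spaces
    Write-Host "No private key; running certutil -repairstore my $($cert.SerialNumber)"
    & certutil.exe -repairstore my $cert.SerialNumber | Out-Host
    if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }

    # Re-read the store entry; HasPrivateKey is what the key icon in the MMC reflects (step 8)
    $cert = Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)"
    if (-not $cert.HasPrivateKey) { throw "Still no private key; check TrustedCert.log" }
    Write-Host "Private key restored for $($cert.Subject)"
    return $cert
}

# Placeholder CN; replace with the common name of the certificate you imported
Repair-ImportedCertKey -SubjectPattern 'remote.example.com'
```

After this reports success, step 9 (export with private key) still applies.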

References:
https://support.microsoft.com/nl-nl/help/2351321/not-able-to-install-trusted-certificate-on-sbs2008
https://knowledge.digicert.com/solution/SO22327.html

Categories
blog howto server windows

Can’t find script engine “VBScript” for script …

I recently came across this error while trying to execute a VBscript.

Can’t find script engine “VBScript” for script …

After some troubleshooting this was related to the uninstall of McAfee antivirus software.
McAfee antivirus intercepts all VBScript execution by changing the executable that runs the scripts.
After uninstallation, this change was not rolled back and VBScript execution would fail unless explicitly called by wscript.exe or cscript.exe.

The solution is to revert the change in the Windows registry.
In the following registry key:
HKEY_CLASSES_ROOT\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Find the value named (Default) of type REG_SZ and change the data back to:
C:\Windows\system32\vbscript.dll
instead of:
c:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110218083735.dll

You have to adjust the permissions on the key InprocServer32 to give write permission to Administrator (or your user).

If your problem is unrelated to McAfee and the registry value is correct, you might have to re-register the DLLs.
Open a CMD with elevated privileges (run as administrator) and execute the following commands:

cd "%systemroot%\system32"
regsvr32 jscript.dll
regsvr32 vbscript.dll
cd "%systemroot%\SysWow64"
regsvr32 jscript.dll
regsvr32 vbscript.dll
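
As an added check (example code, not from the original post), this PowerShell script reads the (Default) value of the VBScript engine's InprocServer32 key in both the 64-bit and the 32-bit (WOW6432Node) registry views and reports whether it still points at a McAfee hook DLL. It only reads the registry and assumes a standard %SystemRoot% layout.

```powershell
# Added example, not part of the original post: audit the VBScript engine COM registration
# described above in both registry views. Read-only; it changes nothing.
$vbsClsid = '{B54F3741-5B07-11cf-A4B0-00AA004A55E8}'   # VBScript engine CLSID from the post

$keys = @(
    "Registry::HKEY_CLASSES_ROOT\CLSID\$vbsClsid\InprocServer32",               # 64-bit view
    "Registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID\$vbsClsid\InprocServer32"    # 32-bit view
)

function Test-VBScriptEngineRegistration {
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) {
            [pscustomobject]@{ Key = $key; Dll = $null; Status = 'missing (re-register with regsvr32)' }
            continue
        }
        # The (Default) value of InprocServer32 is the DLL that COM loads for this engine
        $dll = [string](Get-ItemProperty -Path $key).'(default)'
        $status = if ($dll -match '\\(System32|SysWOW64)\\vbscript\.dll$') { 'ok' }
                  elseif ($dll -match 'ScriptSn.*\.dll$') { 'mcafee-hook (restore vbscript.dll)' }
                  else { 'unexpected' }
        [pscustomobject]@{ Key = $key; Dll = $dll; Status = $status }
    }
}

Test-VBScriptEngineRegistration | Format-Table -AutoSize -Wrap
```

A 'mcafee-hook' or 'unexpected' status points at the registry fix above; a 'missing' key is the case for the regsvr32 commands.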

More information, and the information I used to troubleshoot this issue:
http://answers.microsoft.com/en-us/windows/forum/windows_7-performance/cant-find-script-engine-vbscript-for-script/960f24d1-bf92-4cec-b73e-520a04891073
https://community.mcafee.com/thread/50961?start=0&tstart=0

Categories
blog howto windows

Windows 2012 Server Manager refresh failed, requires a restart

The request to add or remove features on the specified server failed. The operation cannot be completed because the server that you specified requires a restart.

Role and feature refresh failed with the following error: The Request to list features available on the specific server failed. The operation cannot be completed, because the server that you specified requires a restart.

Restarting the server does not help.

Check the event log for an error from Service Control Manager with event ID 7041 that reads:

The MSSQL$MICROSOFT##WID service was unable to log on as NT SERVICE\MSSQL$MICROSOFT##WID with the currently configured password due to the following error:
Logon failure: the user has not been granted the requested logon type at this computer.

Service: MSSQL$MICROSOFT##WID
Domain and account: NT SERVICE\MSSQL$MICROSOFT##WID

This service account does not have the required user right “Log on as a service.”

Check whether the “Windows Internal Database” service is running; it probably is not and cannot start.

If this is a domain controller you can assign the logon as service right for the account using the “Default Domain Controllers Policy” GPO.

  1. Open gpmc.msc
  2. Select the “Default Domain Controllers Policy” under the “Domain Controllers” OU in the left tree.
  3. Right click on it and select edit.
  4. In the editor navigate to “Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, User Rights Assignments”.
  5. Open the properties of the “Log on as a service” item.
  6. Add the user “NT SERVICE\MSSQL$MICROSOFT##WID” (without quotes) using the Add User or Group button.
  7. Close the window with OK. Close the GPO editor.
  8. Run gpupdate and restart the computer.

If this is a normal member or standalone server you can assign the logon as service right for the account using the “Local Security Policy”.

  1. Open secpol.msc
  2. Navigate to “Local Policies, User Rights Assignments”.
  3. Open the properties of the “Log on as a service” item.
  4. Add the user “NT SERVICE\MSSQL$MICROSOFT##WID” (without quotes) using the Add User or Group button. If this is greyed out, then the item is set using Domain Group Policies (see above).
  5. Close the window with OK. Close the local security policy editor.
  6. Run gpupdate and restart the computer.

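
As an added example (not from the original post), the PowerShell below verifies the two things both procedures above are about: whether the Windows Internal Database service is running, and whether its virtual account actually holds the “Log on as a service” right in the effective local policy (GPO included). It exports the policy with secedit, which requires an elevated prompt; nothing is changed.

```powershell
# Added example, not part of the original post: check the WID service state and whether its
# account holds SeServiceLogonRight ("Log on as a service") after gpupdate. Read-only.
function Test-WidServiceLogonRight {
    $svcName = 'MSSQL$MICROSOFT##WID'          # service name from the event ID 7041 text above
    $account = "NT SERVICE\$svcName"

    $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
    $state = if ($svc) { $svc.Status.ToString() } else { 'not installed' }

    # Virtual service accounts appear in the export as *S-1-5-80-... SIDs, so resolve the name
    $sid = $null
    try {
        $sid = ([System.Security.Principal.NTAccount]$account).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { }

    # Export only the user rights area of the effective local policy and parse one line
    $inf = Join-Path $env:TEMP 'userrights-export.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match '^SeServiceLogonRight\s*=' } |
        Select-Object -First 1
    Remove-Item $inf -ErrorAction SilentlyContinue

    $granted = $false
    if ($line) {
        $entries = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
        $granted = ($sid -and ($entries -contains $sid)) -or ($entries -contains $account)
    }
    [pscustomobject]@{
        Service = $svcName; State = $state; Account = $account; Sid = $sid
        LogonAsServiceGranted = $granted
    }
}

Test-WidServiceLogonRight
```

If LogonAsServiceGranted is still False right after editing the GPO, the policy has not been applied yet; run gpupdate first.
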
Categories
blog exchange howto server windows

Exchange database dirty shutdown recovery JET_errLogFileSizeMismatch error -541

Warning: This is a technical article describing steps that you should only execute if you’re familiar and confident with the matter.

Error information:
Below is some error information that you might have seen and that’s why your search leads you here.

eseutil /ML "L:\Program Files\Microsoft\Exchange Server\V15\Mailbox\DB-MBX2\E02.log"
Extensible Storage Engine Utilities for Microsoft(R) Exchange Server Version 15.00
Copyright (C) Microsoft Corporation. All Rights Reserved.
Initiating FILE DUMP mode…
Base name: E02
Log file: L:\Program Files\Microsoft\Exchange Server\V15\Mailbox\DB-MBX2\E02.log
ERROR: Cannot read log file header. Error -541.
Operation terminated with error -541 (JET_errLogFileSizeMismatch, actual log file size does not match JET_paramLogFileSize) after 0.16 seconds.

eseutil /r "L:\Program Files\Microsoft\Exchange Server\V15\Mailbox\DB-MBX2\E02.log"
Extensible Storage Engine Utilities for Microsoft(R) Exchange Server Version 15.00
Copyright (C) Microsoft Corporation. All Rights Reserved.
Initiating RECOVERY mode…
Logfile base name: E02

Performing soft recovery…
Operation terminated with error -541 (JET_errLogFileSizeMismatch, actual log file size does not match JET_paramLogFileSize) after 0.31 seconds.

Solution:
If at all possible, make a backup or a copy of the database before you manipulate it! Transaction log files are critical to the database; they are not just informational files that you can delete!

If the disk where the log files of your Exchange database reside has run out of space, you could find yourself with a corrupt log file. When you try to perform a soft recovery with eseutil /r and the path to your E0?.log file (in my case E02.log), you get an error about the header information and a size mismatch. The E0?.log file is the current transaction log file that Exchange was writing to when the disk ran out of space. This file is now corrupt, and the transactions in it that were not yet applied to the database will be lost. All other, older log files carry a hexadecimal sequence number, such as E0?00E475A.log and so on. You can check which log files are required for the database to perform a soft recovery by reading the header information of the database in question as follows:

eseutil /mh "F:\Program Files\Microsoft\Exchange Server\V15\Mailbox\DB-MBX2\DB-MBX2.edb"
(replace the path and file names with those of your database)

In the wealth of information returned you will see a line stating the state of the database, which will be Dirty Shutdown. (If it is Clean Shutdown, then you do not need to perform recovery.) Below the state is the line Log Required, which shows the files needed.

Log Required: 190299-190336 (0x2e75b-0x2e780)

In my case the database needs the files from E020002E75B.log up to and including E020002E780.log (this is a hex sequence). Older log files can be moved to a different hard disk if you need to free some space. Be careful and don’t delete anything: sorting these files in Explorer is not easy, you can’t do it by name because of the hex sequence, and sorting by date/time is not foolproof. So double-check, or just expand the disk and leave all log files as-is.
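
Because sorting the log files by hand is error-prone, here is an added example (PowerShell, not from the original post) that parses the Log Required line from eseutil /mh, expands it into the exact E0x generation file names the database needs, reports which are missing, and lists the older generations that could be moved aside. It is read-only; the base name, log folder and sample line are the post's values and are assumptions for your setup.

```powershell
# Added example, not part of the original post: turn the "Log Required" range into file names
# and check the log folder before attempting soft recovery. Read-only; it moves nothing.
function Get-RequiredEseLogs {
    param(
        [string]$BaseName,          # log prefix, e.g. E02
        [string]$LogRequiredLine,   # e.g. "Log Required: 190299-190336 (0x2e75b-0x2e780)"
        [string]$LogDir
    )
    # To obtain the line yourself: (eseutil /mh "<database.edb>" | Select-String 'Log Required').Line
    if ($LogRequiredLine -notmatch '\(0x([0-9a-f]+)-0x([0-9a-f]+)\)') {
        throw "Cannot parse: $LogRequiredLine"
    }
    $first = [Convert]::ToInt32($Matches[1], 16)
    $last  = [Convert]::ToInt32($Matches[2], 16)

    # Generation numbers are 8 uppercase hex digits after the base name: E02 + 0002E75B
    $required = foreach ($gen in $first..$last) {
        $name = '{0}{1:X8}.log' -f $BaseName, $gen
        [pscustomobject]@{ Generation = $gen; File = $name; Present = Test-Path (Join-Path $LogDir $name) }
    }

    # Generations older than the first required one are the candidates to move to free space
    $older = Get-ChildItem -Path $LogDir -Filter "$BaseName*.log" |
        Where-Object { $_.Name -match "^$BaseName([0-9A-F]{8})\.log$" -and
                       [Convert]::ToInt32($Matches[1], 16) -lt $first }

    [pscustomobject]@{
        Required = $required
        Missing  = @($required | Where-Object { -not $_.Present })
        Movable  = @($older | Select-Object -ExpandProperty Name)
    }
}

$logDir = 'L:\Program Files\Microsoft\Exchange Server\V15\Mailbox\DB-MBX2'   # adjust to your database
$check = Get-RequiredEseLogs -BaseName 'E02' -LogDir $logDir `
    -LogRequiredLine 'Log Required: 190299-190336 (0x2e75b-0x2e780)'
$check.Required | Format-Table -AutoSize
if ($check.Missing.Count) { Write-Warning "Missing required logs: $($check.Missing.File -join ', ')" }
else { Write-Host "All $($check.Required.Count) required log files are present; soft recovery can be attempted." }
Write-Host "$($check.Movable.Count) older log files could be moved (not deleted) to free space."
```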

Now, to perform the recovery, we have to move the corrupt E02.log file to another folder or disk. With the corrupt file out of the way, and once you are 100% sure that all the other required log files (see above) are present, we can perform a soft recovery with the /a option to skip missing log files and bring the database back to a clean state.

eseutil /r /a E02 /l "l:\Program Files\Microsoft\Exchange Server\V15\Mailbox\DB-MBX2" /s "l:\Program Files\Microsoft\Exchange Server\V15\Mailbox\DB-MBX2" /d "F:\Program Files\Microsoft\Exchange Server\V15\Mailbox\DB-MBX2"
(change the names and paths to your situation)

/r is soft recovery
/a is skip missing log files
E02 is the base name of the log files; this depends on the database and could be E01, E02, E03 …
/l is the log file location (where E02.log and the other E02xxxxxxxx.log files reside)
/s is the system file location (where E02.chk resides)
/d is the database file location (where DB-MBX2.edb resides)

Output will be like this:

eseutil /R /a E02 /l "l:\Program Files\Microsoft\Exchange Server\V15\Mailbox\DB-MBX2" /s "l:\Program Files\Microsoft\Exchange Server\V15\Mailbox\DB-MBX2" /d "F:\Program Files\Microsoft\Exchange Server\V15\Mailbox\DB-MBX2"

Extensible Storage Engine Utilities for Microsoft(R) Exchange Server Version 15.00
Copyright (C) Microsoft Corporation. All Rights Reserved.
Initiating RECOVERY mode…
Logfile base name: E02
Log files: l:\Program Files\Microsoft\Exchange Server\V15\Mailbox\DB-MBX2
System files: l:\Program Files\Microsoft\Exchange Server\V15\Mailbox\DB-MBX2
Database Directory: F:\Program Files\Microsoft\Exchange Server\V15\Mailbox\DB-MBX2
Performing soft recovery…
Restore Status (% complete)
0 10 20 30 40 50 60 70 80 90 100
|----|----|----|----|----|----|----|----|----|----|
...................................................

Operation completed successfully in 3.635 seconds.

The database is now clean, you can check again with eseutil /mh as we did before and see the state listed as Clean Shutdown.

If you want to quickly clean up log files that are no longer needed, you should perform an Exchange-aware backup. If you don’t have one and you understand the consequences, you can enable circular logging on the database.

Good Luck!

Categories
blog exchange server windows

Outlook Web Access OWA error 500 when logging in

When you fill in your credentials on the login screen of Outlook Web Access or OWA (2010) and click submit you receive an Internal Server Error 500 and the URL shows /owa/auth.owa

There are no events logged in Application or System log that explain this problem.

IISreset does not help.

The problem and solution could be very simple.
Check that the service “Microsoft Exchange Forms-Based Authentication service” is started. If not, start the service and try to log in to OWA again; the problem should be solved.

If the service doesn’t start or fails frequently you’ll have to investigate that further.

Categories
blog network server windows

RAS or NPS forward RADIUS request to same server different port

The address of the remote RADIUS server x.x.x.x in remote RADIUS server group yyyyy Resolves to local address x.x.x.x.
The address will be ignored.

Use case scenario: You want to forward RADIUS requests incoming on the server to some software, possibly for setting up OTP authentication.

My scenario: Extra security for a PPTP VPN tunnel to a Windows server with RAS (Routing and Remote Access) by using VASCO Identikey OTP (One-Time-Passkey) software (the same applies to other software such as RSAid). Normally the recommended setup uses two servers, one for the RAS connection and one with the VASCO Identikey middleware software on it. When you deploy like this you will not face the problem I’m about to describe. However, if you have only 1 Windows server at your disposal and you install the VASCO Identikey software on the same server as the RAS and NPS (Network Policy Server) roles, you will run into this problem.

Problem description: You have configured RAS correctly for PPTP MSCHAP v2 connections. In NPS you have configured a connection policy to forward the RADIUS requests (authentication and accounting) to a remote RADIUS server group. The authentication fails, VASCO audit viewer does not show any attempt to authenticate to the VASCO Identikey Radius server. In the eventviewer application log there is an event ID 25 with the following error:
The address of the remote RADIUS server x.x.x.x in remote RADIUS server group yyyyy Resolves to local address x.x.x.x.

The problem is that NPS cannot forward RADIUS requests to the same IP address as itself, even if the software listens on another port or you configure 2 IP addresses on the same network card. NPS insists that the IP address of the remote RADIUS server is the same as its own IP address and ignores your configuration to forward the RADIUS requests.

The solution is to use the loopback IP address range. For example 127.0.0.2. Unfortunately VASCO Identikey is licensed on IP address and as such you can’t change it to listen to the loopback IP address without also requesting a new license. I have not tried this, so even with the new license I’m not sure VASCO Identikey will listen on loopback IP address. Maybe other OTP software can do this, check with your vendor or manual.

What can you do? Use a RADIUS proxy that sits between NPS and VASCO Identikey. If you have a Linux server around, you can use the open-source FreeRADIUS software on that Linux box to proxy the RADIUS requests between RAS/NPS and VASCO Identikey.
If, like me, you had nothing but this 1 Windows server, you can use the FreeRadius.net software, a prebuilt binary of the open-source FreeRADIUS software made for Windows. The software is quite old and not updated, but it still seems to work for our simple setup.

I have installed the FreeRadius.net software in C:\FreeRadius.net
I have configured it to accept RADIUS requests on interface 127.0.0.2 port 11812 and forward them to a RADIUS server on IP x.x.x.x on port 18120 (I changed the default RADIUS ports for VASCO and FreeRadius to avoid conflicts with NPS/RAS).

configuration file c:\FreeRadius.net\etc\raddb\clients.conf
I have put all the default things in comment (#) and add
client 127.0.0.2 {
secret = testing123
shortname = localhost2
}

configuration file c:\FreeRadius.net\etc\raddb\radiusd.conf
I have put the default listen directive in comment (#) but you must leave the bind = * line and add
listen {
ipaddr = 127.0.0.2
port = 11812
type = auth
}
listen {
ipaddr = 127.0.0.2
port = 11813
type = acct
}

configuration file c:\FreeRadius.net\etc\raddb\proxy.conf
In this file I configured both the NULL realm for plain usernames and the DEFAULT realm for all others to forward to VASCO Identikey, which I have listening on ports 18120 & 18130 (auth & acct).
# This realm is for requests which don't have an explicit realm
# prefix or suffix. User names like "bob" will match this one.
#
realm NULL {
type = radius
authhost = 10.x.y.z:18120
accthost = 10.x.y.z:18130
secret = testing123
}

#
# This realm is for ALL OTHER requests.
#
realm DEFAULT {
type = radius
authhost = 10.x.y.z:18120
accthost = 10.x.y.z:18130
secret = testing123
}

You can now start FreeRadius.net in debug mode using the supplied batch file and test your configuration.
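
To test the proxy chain from the same Windows box without touching NPS, here is an added example (PowerShell, not from the original post) that builds a RADIUS Access-Request with PAP User-Password hiding per RFC 2865, sends it to the FreeRadius.net listener configured above (127.0.0.2:11812, secret testing123) and validates the Response Authenticator of the reply. The user name and password are constructed samples; the backend must accept PAP (as an OTP server normally does) for an Accept to come back.

```powershell
# Added example, not part of the original post: minimal RADIUS PAP client for checking that
# the FreeRadius.net proxy forwards to the OTP server and answers with a valid authenticator.
function Send-RadiusPapRequest {
    param(
        [string]$Server = '127.0.0.2',    # listen ipaddr from radiusd.conf above
        [int]$Port = 11812,               # auth port from radiusd.conf above
        [string]$Secret = 'testing123',   # shared secret from clients.conf above
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$Password,
        [int]$TimeoutMs = 5000
    )
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $enc = [System.Text.Encoding]::ASCII
    $secretBytes = $enc.GetBytes($Secret)

    # 16-byte random Request Authenticator (RFC 2865 section 3)
    $reqAuth = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($reqAuth)

    # User-Password hiding (RFC 2865 section 5.2): pad to a 16-byte multiple, then
    # c1 = p1 XOR MD5(secret + RequestAuth), cN = pN XOR MD5(secret + cN-1)
    $pw = $enc.GetBytes($Password)
    $padded = New-Object byte[] ([int]([math]::Ceiling([math]::Max($pw.Length, 1) / 16.0) * 16))
    [Array]::Copy($pw, $padded, $pw.Length)
    $hidden = New-Object byte[] $padded.Length
    $prev = $reqAuth
    for ($i = 0; $i -lt $padded.Length; $i += 16) {
        $b = $md5.ComputeHash([byte[]]($secretBytes + $prev))
        for ($j = 0; $j -lt 16; $j++) { $hidden[$i + $j] = $padded[$i + $j] -bxor $b[$j] }
        $prev = [byte[]]$hidden[$i..($i + 15)]
    }

    # Attributes are Type, Length, Value: 1 = User-Name, 2 = User-Password
    $userBytes = $enc.GetBytes($UserName)
    $attrs = [byte[]](@(1, 2 + $userBytes.Length) + $userBytes + @(2, 2 + $hidden.Length) + $hidden)

    # Header: Code 1 = Access-Request, Identifier, big-endian Length, Request Authenticator
    $id = Get-Random -Maximum 256
    $len = 20 + $attrs.Length
    $packet = [byte[]](@(1, $id, ($len -shr 8), ($len -band 0xFF)) + $reqAuth + $attrs)

    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        $udp.Connect($Server, $Port)
        [void]$udp.Send($packet, $packet.Length)
        $remote = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Any, 0)
        $resp = $udp.Receive([ref]$remote)
    } finally { $udp.Close() }

    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret);
    # a reply that fails this check did not come from a server holding the shared secret.
    $respAttrs = if ($resp.Length -gt 20) { [byte[]]$resp[20..($resp.Length - 1)] } else { [byte[]]@() }
    $expect = $md5.ComputeHash([byte[]]($resp[0..3] + $reqAuth + $respAttrs + $secretBytes))
    $valid = [BitConverter]::ToString($expect) -eq [BitConverter]::ToString([byte[]]$resp[4..19])
    $codes = @{ 2 = 'Access-Accept'; 3 = 'Access-Reject'; 11 = 'Access-Challenge' }
    [pscustomobject]@{
        Code = [int]$resp[0]; CodeName = $codes[[int]$resp[0]]; IdMatches = ($resp[1] -eq $id)
        AuthenticatorValid = $valid; Length = $resp.Length
    }
}

# Constructed sample credentials; use a real test user and its PIN+OTP for your backend
Send-RadiusPapRequest -UserName 'testuser' -Password 'PIN+OTP'
```

This exercises the proxy path only; the RAS tunnel itself uses MS-CHAP v2 through NPS, so a PAP Accept here proves the FreeRadius.net hop and the OTP server, not the NPS policy.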

Below I will attach screenshots of my configuration for NPS, RAS and VASCO.
RAS settings (EAP can be enabled if you like)
NPS RADIUS client
NPS configure remote RADIUS server group
NPS connection policy screenshot
NPS Network Policy
VASCO port settings

With thanks to:
http://bent-blog.de/vasco-identikey-server-auf-microsoft-forefront-tmg-2010/

Categories
blog howto linux network server virtualization

Virtual Private Server on SSD storage

 Update: After reviewing the offerings, I’m no longer running my VPS at digitalocean. Instead I’m using Linode at the moment.
www.linode.com

Recently I read about the virtual private servers you can create on www.DigitalOcean.com. They call them Droplets, and they get created in less than a minute if you don’t enable back-ups, or just a couple of minutes with the back-up service enabled. You can choose between data centers in different geographic locations: New York, San Francisco, London, Amsterdam and Singapore. You get one public IP address (or IPv6 if you prefer, but who does anyway).

You can choose from a selection of preconfigured minimal OS installations such as Ubuntu, CentOS, Debian, Fedora and CoreOS, or you can even deploy your VPS complete with a LAMP (Linux, Apache, MySQL and PHP) stack or with a WordPress or Drupal setup. When I looked at the price (10$/month, or 12$ with back-up) for a VPS with 1 CPU, 1GB RAM, 30GB disk and 2TB data transfer, and compared that to what I was paying for 2 shared hosting plans, the math was clear. For a bit less than what I was paying I get my very own Virtual Private Server where I can configure everything I want and have full rights on everything.

For me, as an enthusiastic system engineer with experience on multiple Linux flavors, this was a very nice project. Starting from a minimal CentOS 7 Droplet, I quickly installed and configured Apache, Nginx, MySQL and PHP and started serving web pages. My first tests were a success. I configured different management tools and secured the system with a software firewall. Because your VPS has a public IP address you must think hard about security. It took some time getting used to the new firewall system in CentOS 7 called firewalld. After some cursing I had it set up as I wanted.

The next step was to migrate the first of my existing websites over to the new VPS. I chose to configure virtual hosts in an organized manner so that I could always expand to more websites if needed. After transferring the databases and website data, I set course for a new goal: making my sites more secure by using HTTPS encryption on the login pages. By using the free 1 year class 1 certificates from www.startssl.com I did not incur any extra costs. Update: Using Let’s Encrypt now and HTTPS on all pages! After some hours of configuring and testing I had everything running smoothly. I migrated all the DNS records to my new VPS and shortly after my 1st website was running live on the new VPS.

My next goal was to set up mailboxes for every virtual host and use IMAP to connect to them. I chose Postfix as the SMTP server and Dovecot as the IMAP server. Postfix was configured to use virtual mailboxes that don’t require a Linux user. Dovecot was configured for SSL/TLS encrypted connections so passwords are never sent in clear text. To finish it off I installed Roundcube as a web mail solution.

After my successful first website migration the second one followed quickly and went smoothly as well. This time I also needed an FTP setup; I chose vsftpd and again made it possible to use SSL encryption.

The VPS is now running all of my websites, except this blog.

PS: If you are wondering why I don’t migrate this blog, running on my home server, that’s because it’s a challenge to keep a website running on a homeserver with minimal hardware costs and dynamic internet ip address. It also has some other uses for me besides serving this blog.

Categories
blog server windows

Windows 7 profile SID wrong mstsc can’t login

This is a very strange problem I came across on a Windows 7 Embedded thin client. I don’t quite understand what went wrong, but I’ll give you a detailed description.

CASE:
The user has a thin client with Windows 7 Embedded that’s been entered in to the Active Directory domain. On the public desktop of the thin client there is a RDP file to connect to a Remote Desktop Server (a.k.a. Terminal Server). The user logs on to the thin client using their AD credentials. The user was able to log on to the server using the RDP file without problems until today.

SYMPTOMS:
– User can’t log on to the Remote Desktop Server, the error received is:

The connection was denied because the user account is not authorized for remote login

TROUBLESHOOTING:
Normally this just means that the user is not a member of the “Remote Desktop Users” local group on the server.
– I verified the user was a member of the correct groups to log on to the server.
– I then tried to log on the server with the same credentials from a different workstation. This worked without a problem. Which led me to conclude at the server-side everything was OK.
– On the troublesome workstation (thin client with WIN 7 E in my case) I launched remote desktop with the “Run As Administrator” option and supplied credentials for an admin account. I tried to connect to the Remote Desktop server using the credentials of the troublesome user account. This worked without a problem.
– I tried again without the run as, and it failed again with the same error.

This led me to my conclusion that something was very wrong with the user profile on the workstation for this domain user.

SOLUTION:
I decided to delete the user profile on the local workstation since nothing is stored in it (they don’t work locally). However when I opened Explorer and went to see in “C:\Users” I saw 2 identical folders with the same name (the username of the troublesome user). It seems there were 2 identical profile folders. I didn’t think it was possible for 2 folders to have the same name.
I deleted both folders!
I then opened REGEDIT and went to HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\PROFILELIST
I saw multiple user SIDs and checked them all. To my surprise there were 2 different user SIDs that both had the value c:\users\problem.username underneath them. So 2 different user SIDs for the same username. I thought that was impossible. I deleted both registry keys.
After deleting the profiles and the keys I logged back in with the user and profile was recreated and the remote desktop worked perfectly.

So it seems that the remote desktop client was sending the wrong SID to the server and that was the reason for the unauthorized error message.
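
As an added example (PowerShell, not from the original post), the script below looks for exactly the condition found here: it lists the ProfileList entries, flags any profile folder that is claimed by more than one SID, and shows which SID a given account resolves to today so the stale entry can be told apart from the live one. It is read-only; the account name is a placeholder.

```powershell
# Added example, not part of the original post: detect two SIDs sharing one ProfileImagePath
# under ProfileList. Read-only; nothing is deleted.
$profileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-ProfileListEntries {
    Get-ChildItem -Path $profileListKey | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Sid    = $_.PSChildName
            Path   = [string]$p.ProfileImagePath
            Backup = $_.PSChildName -like '*.bak'   # a .bak suffix means Windows already set it aside
        }
    }
}

function Find-DuplicateProfilePaths {
    Get-ProfileListEntries | Where-Object { $_.Path } |
        Group-Object { $_.Path.ToLowerInvariant() } | Where-Object { $_.Count -gt 1 } |
        ForEach-Object { [pscustomobject]@{ Path = $_.Name; Sids = ($_.Group.Sid -join ', ') } }
}

function Get-ExpectedProfileSid {
    param([Parameter(Mandatory)][string]$Account)
    # The SID the account resolves to now; any other SID pointing at its folder is stale
    ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

Find-DuplicateProfilePaths | Format-Table -AutoSize
$expected = Get-ExpectedProfileSid -Account 'DOMAIN\problem.username'   # placeholder account
Get-ProfileListEntries | Where-Object { $_.Sid -like "$expected*" } | Format-Table -AutoSize
```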

Categories
blog howto network server windows

Backup domain controller sync issues KRB_AP_ERR_MODIFIED 0x80090322 target principal name incorrect

My case:
1x Windows 2008 Small Business Server (named: SBS2008)
1x Windows 2008 R2 standard on off-site location (named: TS2008) BACKUP DOMAIN CONTROLLER & GC
Connection between the 2 servers was lost for nearly 3 months.
Replication would only work from SBS2008 to TS2008 but not from TS2008 to SBS2008.
I couldn’t view the shares on \\SBS2008 from the console on TS2008; I received the error “The target principal name is incorrect”. On SBS2008 I could view the shares on TS2008.
In the eventlog there were errors:

The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.

Sites:
CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domein,DC=local

The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.

Directory partition:
DC=domain,DC=local

There is insufficient site connectivity information for the KCC to create a spanning tree replication topology. Or, one or more directory servers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible directory servers.

All directory servers in the following site that can replicate the directory partition over this transport are currently unavailable.

Site:
CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
Directory partition:
DC=domain,DC=local
Transport:

CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=domain,DC=local

The File Replication Service is having trouble enabling replication from SBS2008 to TS2008 for c:\windows\sysvol\domain using the DNS name SBS2008.domein.local. FRS will keep retrying.
Following are some of the reasons you would see this warning.

The session setup from the computer SBS2008 failed to authenticate. The name(s) of the account(s) referenced in the security database is SBS2008$. The following error occurred:
Access is denied.

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server sbs2008$. The target name used was E3514xx-xxxxxxxxxxxxxxx/yyyyyyyyyyyyyyy/domain.local@domain.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please …

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server sbs2008$. The target name used was DNS/sbs2008.domain.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please …

Demoting and then promoting TS2008 would not work without forcing it and doing a lot of NTDS cleanup on the PDC, so this was my last resort.

1st reboot -> did not work.
Doing a lot of searching and looking up the SPN for SBS2008 on both DC’s did not show any differences.

Luckily I found an older KB from microsoft on how to reset the kerberos secure channel between two DC’s.
http://support.microsoft.com/kb/288167

I had to disable the KDC (Kerberos Key Distribution Center) service on TS2008 and then reboot.
Immediately after reboot I noticed I could browse the shares on the SBS2008 without error.
This is because TS2008 was no longer issuing Kerberos tickets itself but requesting them from SBS2008.
Now I opened an elevated command prompt and forced a sync of all replica partitions and triggered the KCC checker.
repadmin /syncall /ade
repadmin /kcc

To check the replication backlog queue use:
repadmin /queue

After replication was successful I set the KDC service back to automatic and started it. Problem solved.

If you can’t get replication working yet, you’ll need these extra steps.
klist /purge
netdom resetpwd /server:sbs2008 /userd:domain\Administrator /passwordd:* (the * will make it prompt for password).

Also, you might need to check your DNS settings and put the IP address of SBS2008 as the primary DNS IP on the NIC of TS2008.

Other helpful information:
http://support.microsoft.com/kb/2090913

Categories
blog howto server virtualization

VMware ESXi 5.1 on USB stick won’t boot Proliant DL380 G5

Installation using the CD-ROM was successful, but after restarting the server won’t boot from the USB stick.
Make sure you set the correct BIOS options to allow to boot from USB.
(Screenshots in the original post: BIOS boot order, BIOS USB enable, and the ESXi boot line with runweasel formatwithmbr.)

If it still doesn’t boot, then it probably has to do with the GPT/MBR formatting of the USB stick done by VMware.
You need to boot from the ESXi install CD again and, right after you press Enter to choose “ESXi5.1 installer ISO …”, you see in the lower right-hand corner the text “Shift + o”; press this key combination (Shift and the letter o). Now you see the text “runweasel”; remove any characters after it, type a space and then “formatwithmbr”.

Now install as normal but now VMware should format your USB stick as MBR instead of GPT and you should be able to boot from it after the install finishes.

sources:
http://vmtoday.com/2012/09/esxi-5-wont-boot-from-usb/
http://communities.vmware.com/thread/430852?start=0&tstart=0
http://communities.vmware.com/message/1824957#1824957
http://community.spiceworks.com/topic/247715-sandisk-cruzer-fit-esxi-5