Forum Replies Created
August 18, 2018 at 6:54 pm in reply to: Windows 10 installation ignoring answer file from WDS #388847
That would be the “1 Windows PE” setting.
Remember, this phase has its own unattend file, separate from the one(s) used by the image(s).
August 15, 2018 at 8:18 pm in reply to: Windows 10 installation ignoring answer file from WDS #388846
Exactly when are you being prompted for this information? At the very start of the process?
August 10, 2018 at 7:11 am in reply to: Postmaster Sending Spam – Recently Migrated Smart Host #388845
Do you have access to any of these spam e-mails? The “Received:” headers will tell you the origins of these mails.
You’ll probably find that the mails are sent by third parties spoofing the “From:” address. Make sure your domain has a proper SPF record; this will help other mail servers reject mails from unauthorized senders.
August 6, 2018 at 8:55 am in reply to: Unable to create shadow copies (on a specific volume) #388844
I have, and although I wasn’t able to definitively identify the cause, I’ve been able to narrow it down to a problem with the filesystem structure.
What I did, was this:
- Powered down the virtual server
- Attached the disk containing the affected volume to another, freshly installed W2k3 scratch VM
- Created a snapshot of the volume (which succeeded without issue) by starting and then immediately canceling ntbackup
- Powered down the scratch VM and started the original VM again
- Tried creating a snapshot, which promptly succeeded
Note that I didn’t do anything specific to change/fix/alter the filesystem structure, no reformatting or chkdsk or defragmentation or anything. I simply attached the disk to another VM, created (and deleted) the snapshot, and then moved the disk back. Obviously, the changes caused by this procedure would be limited to the filesystem of the volume in question.
I therefore conclude that “something” inside the NTFS structure is responsible for snapshots failing in this particular fashion. Not terribly informative, perhaps, but since the procedure above seems to have actually resolved the issue, I hope this post might be of use for others finding themselves in a similar predicament.
July 27, 2018 at 5:53 am in reply to: Compatibility between Cisco RV340 and ASA 5510 to create VPN’s #388843
IPsec is a standard, so there shouldn’t be compatibility issues between any two devices regardless of make and model. Having said that, many devices support only a subset of the IPsec standard, so there may be options available on one device that just won’t work with another.
You said you’re using PSK and IKE. AFAIK, the RV series only supports IKEv1, so you have to make sure you’re not using IKEv2 on the ASA. Regarding IKEv1: Note that you can’t really use PSKs for devices with dynamic/changing IP addresses with IKEv1, unless you use the same PSK for every peer. IKEv1 can’t identify the peer username or FQDN without knowing the right key, leading to a catch-22 if you try to use the username/FQDN to differentiate between peers.
Also, make sure your Phase 1 parameters match exactly (DH Group, encryption and signing ciphers, lifetime).
July 2, 2018 at 11:25 am in reply to: Unable to create shadow copies (on a specific volume) #388842
Thanks, I actually found that article earlier while searching for possible solutions.
There are quite a number of articles and forum posts about non-functioning VSS out there, and the suggested solutions are usually as follows:
- Are all VSS writers reported as being in a “stable” state? (yes)
- Have you tried rebooting? (yes)
- Is your OS fully patched? (yes)
- Might there be insufficient free disk space for a Shadow Copy? (no)
- Is the server experiencing high levels of disk I/O that might interfere with VSS? (no)
- Do you have multiple backup applications installed? (no)
- Have you installed VSS-related hotfixes X, Y and Z? (yes)
- Have you tried deactivating/uninstalling/updating your antivirus solution? (n/a, none is installed)
- Have you tried deleting the (aforementioned) Event Subscription registry keys and rebooting again? (yes)
I’ve seen this happening on several systems, running anything from Windows Server 2003 to Windows Server 2012. In some cases, one of the above suggestions will resolve the issue. If not, the suggested “solution” is to reinstall the OS, which will of course “solve” any issue one might have, since it implies causing the affected system to no longer exist.
Usually, VSS issues are quite pressing, as they prevent backups from running properly or even at all. In this case, however, the server in question is an old VM about to be decommissioned, so I thought for once I’d spend some time trying to get to the bottom of this.
ranjb;n515969 wrote: It saying the database must be serialized. What exactly does this mean?
No, it says that certain operations, like ALTER TABLE, must be serialized, as in multiple such operations cannot be performed in parallel. It seems you’re trying to run two or more jobs concurrently, or the dreaded Something Else is locking your database.
It’s clear from the “I/O is frozen” and “I/O is resumed” messages that Shadow Copy is involved. How exactly are you backing up the database(s)?
February 5, 2018 at 12:45 pm in reply to: Windows update completed and reboot – Now cant see RAID so no OS #388840
Is that the literal error message? “No OS found?” If so, it doesn’t come from Windows, but from either the BIOS bootstrap or the very early stages of the OS loader.
If the storage driver in Windows had been missing or damaged, you’d get a blue screen error at boot. I believe the error code for that particular scenario is 0x0000007b, also known as “inaccessible_boot_device”. If you’re not getting that error message, something else is wrong.
You could try rebuilding the boot loader from the command prompt in the recovery environment with “bootrec /fixmbr” and “bootrec /fixboot”. You may want to do a chkdsk first (without /f), just to rule out disk/controller issues.
The upscaler I linked to on Amazon does not have a SCART connector, but it does accept either composite or S-Video input. You’d need a SCART-to-composite lead.
It does, however, have a standard VGA female connector. It’s clearly visible in one of the pictures.
If you decide to get one of these devices, make sure to order from a regional supplier. Buying from a US Amazon supplier will get you the NTSC version unless otherwise specified, while listings on amazon.co.uk will likely show the PAL version.
The SCART standard specifies a connector with analog inputs and outputs for video and audio. The connector typically provides composite video output (CVBS), and may additionally provide either S-Video or analog RGB outputs. SCART is used by consumer electronics and the video output format is therefore (with very few exceptions) either NTSC, PAL or SECAM. Either 50 (PAL, SECAM) or 60 (NTSC) frames are sent per second, and the number of lines per image is either 525 (NTSC) or 625 (PAL) but these frames are interlaced, meaning a frame contains alternately every odd or every evenly numbered line. Hence, it takes two frames to transmit an entire picture.
VGA is an analog RGB connector used by computer equipment and monitors. The connector is RGB-only, so signal formats like S-Video or CVBS are not supported. Computer monitors typically support a wide range of frequencies from 60 fps and upwards, and resolutions from 640×480 or greater. Signals are expected to be non-interlaced.
As you can see, there are a number of fundamental incompatibilities between the VGA standard and your typical SCART output. Most DVD players will only supply a CVBS signal over the SCART connector, meaning there’ll be no signal at the VGA end at all. Even if the DVD player outputs an RGB signal, chances are the monitor won’t know what to do with a 50 or 60 Hz interleaved video signal. Additionally, the resolution and refresh rate is probably too low for most VGA monitors to lock on to.
If you want to view an NTSC/PAL/SECAM signal on a VGA monitor, you’ll need a signal converter/upscaler.
You’ve just run into Windows’ inconsistent handling of non-ASCII character sets.
An accented character typed in a regular command window is not the same as the exact same character typed into a Windows application like, say, Notepad. In other words, if you edit batch files using a Windows application that assumes encoding type Windows 1252 or somesuch, accented characters will appear mangled when viewed from the command line.
- Create/edit your batch files with a Windows application that allows you to specify the encoding of non-ASCII characters in text files. In the US, codepage 437 is usually the one you want, while Western Europe uses codepage 850. For instance, LibreOffice Writer will let you do this if you choose File > Open and select “Text – Choose Encoding” from the file type pulldown menu.
- Use a command-line editor. I believe the Nano editor is available for Windows.
- Switch to PowerShell, which uses Windows encoding.
- Ugly workaround: Use redirection and the echo command to place the required character(s) at the end of your file (echo é >> yourfile.cmd), and then use cut and paste to put the character(s) in the right place(s). The character will look wrong in a Windows application like Notepad, but will function correctly when used in a cmd shell environment.
- Very impractical workaround: Don’t use accented characters in paths or filenames.
joeqwerty;n514085 wrote: Microsoft is clear on this issue: Use an unused sub-domain of your public domain. So… ad.company.com, corp.company.com, etc., etc.
That’s their current recommendation, yes. Prior to that they were equally clear in recommending an invalid TLD.
I say consider the likely consequences your choice will have for your particular organization. No matter what you choose it’ll be you who have to clean up the mess should your choice turn out to be the wrong one, not someone at Microsoft.
Using your registered Internet domain as the Active Directory domain name means your local DNS server(s) will believe they’re authoritative for an Internet domain that’s really registered elsewhere. This is commonly referred to as split-brain DNS or split-horizon DNS, and means you’ll have to create and maintain local DNS records mirroring the “real” records in the public DNS zone. Unless you’re also responsible for managing the external DNS service, you’re likely to experience issues like not being able to access corporate web resources when external records are created or updated. It’s a hassle and your users will complain when it happens.
Using an otherwise unused subdomain of your registered Internet domain (like activedirectory.company.com) avoids the split-brain DNS issue, and all your servers would still have hostnames that are valid on the Internet and as such could be issued valid certificates from an external CA. Please note that although commonly used as examples in various books and articles, “ad” or “ads” might not be the best subdomains to use, as a name collision is likely to occur should those responsible for your company’s web presence ever decide to host their own ads.
Now, in both the above scenarios you could run into security issues down the line. Should your domain name ever lapse or be sold or transferred (for instance due to a merger or a split), you would find yourself in a position where someone else would be able to register the domain and obtain certificates that could easily be used to spoof internal, trusted resources on your LAN. That could force you to rename your internal domain, which in many cases is a non-trivial task. I’ve been in that position more than once, and for that reason I’m reluctant to recommend this particular naming policy.
Another common strategy is to use an invalid DNS domain or TLD suffix for the internal AD DNS zone. This obviously avoids conflicts with external DNS names, but as Ossian mentioned, you’ll be unable to procure external certificates for local host names. That may not be an issue if you don’t actually need certificates, or if your certificate needs can be satisfied by setting up an internal Certification Authority or by using self-signed certificates. However, an invalid TLD or domain may not remain invalid forever; see what happened to .local.
Finally, using a reserved TLD puts you in the exact same position as with an invalid TLD, but without the risk of the TLD or domain suddenly being allocated to some other entity in the future, creating a naming conflict. There exists a number of reserved country codes that could be used for that purpose; see ISO 3166-1 alpha 2.
September 4, 2017 at 4:52 am in reply to: Web traffic across Cisco site-to-site VPN to Linux web server failing #388834
Can you ping the Linux box and vice versa? If not, check the routing table/gateway setting.
If the Linux server does respond to pings, you should check the firewall settings.
September 4, 2017 at 4:47 am in reply to: need to create a batch to automatically install an MSI package #388833
Is this an Active Directory domain environment? And if so, is there any particular reason why you can’t use Software Distribution via Group Policy to push this software to the remote computers?
November 15, 2016 at 5:58 pm in reply to: Updating drivers on a Windows 7 system with new hardware #388832
I’m willing to bet the system produces a STOP/blue screen because you don’t have the correct drivers for your new motherboard, and as a result, Windows can’t access the disk.
If you really want to fix the old Windows installation, you’ll need to figure out which drivers you need for the storage (SATA) controller on the new motherboard. If the board came with a driver CD, you should copy the relevant drivers onto a USB stick. Alternatively, download the drivers from the manufacturer’s website.
Then do the following:
- Boot from a Windows 7 DVD.
- After selecting/confirming your language and keyboard settings, choose “repair”.
- The Setup program won’t be able to find your existing Windows installation, so click the button that lets you load a third-party driver.
- Plug the USB stick into a USB2 port if you have one (USB3 ports may not work yet due to missing drivers), and browse to the driver directory.
- After a few seconds, the Setup program should display the name of your storage controller. If it doesn’t, you have the wrong drivers. If it does, click the relevant button to load the drivers.
- Wait for a few minutes while the Setup program tries in vain to fix the boot problem.
- Once the Setup program gives you the bad news that it can’t fix the issue, click the “Advanced” button and then open a command prompt.
- Find the current drive letter of your Windows installation (it probably isn’t C). Try “dir e:”, “dir f:” and so on until you see a file system with the subdirectories “Program Files”, “Users”, “Windows” etc.
- Add the storage driver to the Windows installation with the dism command:
dism /image: /Add-driver /driver:
should be the current drive letter of your Windows drive, while should be the complete path to the .inf file for the driver on the USB stick (for instance “E:\driver\somefile.inf” if you saved the driver files to a directory called “driver” on the USB drive).
- Assuming the dism command completes successfully, you should now be able to reboot into Windows and add any other driver that might be missing.
It seems the Google servers aren’t expecting mail from your domain to originate from the second IP address.
As Ossian said, you should update the SPF record for your domain (or create one) and make sure both IP addresses are listed as valid senders.
March 3, 2016 at 1:17 pm in reply to: Preferred and Alternate Server not working on Servers #388827
jason0923;n495616 wrote: We are having a problem where one DNS server fails (I know why and have dealt with that) But my problem is the secondary one is and was working but the clients didn’t use it.
It all depends on exactly how the primary “fails”.
If it fails in the sense that it stops responding altogether then yes, the client should switch to the secondary and keep using it until it fails or the client is rebooted.
However, if the failure involves being unable to resolve names and returning NXDOMAIN or some other error message, that’s not considered a “failure” from the standpoint of a client. After all, an error message is a perfectly valid response to a DNS query.
Ossian;n495594 wrote: Roughly:
Private Cloud – you manage the servers although they are located in a datacentre and you have provisioning tools
IaaS – you buy e.g. Azure Active Directory, so you don’t have any actual servers to manage, just the service
Not quite. IaaS means “Infrastructure as a Service”, so you’re renting (virtualized) hardware (servers/routers/switches/whatever) from a hosting provider, and get to install anything you like.
“Private Cloud” is indeed a cloud infrastructure that you’re owning and managing yourself, but that can even include hosting the services locally but making them accessible over the Internet. You don’t have to use a hosting provider, although many do.
March 3, 2016 at 1:02 pm in reply to: There are currently no logon servers available to service the logon request #388825
Jae;n495597 wrote: I did unplug the network cable and log in, once I’m logged in I can connect to the mapped drives and do whatever I need to do. But if I log off, switch user or restart I’m unable to logon unless I unplug the cable.
This is something of a classic. The trust relationship between the domain controllers and the workstation in question has somehow become corrupted, and you’ll have to log in to the computer with an admin account and have it re-join the domain. It happens from time to time, and to this day, Microsoft has no fix and no real explanation as to why it happens. In my experience, Windows 7 clients seem particularly vulnerable.
The reason you can log in when you unplug the cable is that you’ve logged in using that account previously, so the PC will allow the use of cached credentials when no domain controller is available. And as long as the AD account has the same password as the one that’s cached on the PC, you’ll be able to access network resources when you plug the cable back in. GPOs won’t be processed, though, since the machine account can’t log on.
Tip: When re-joining the domain, try just changing the domain name from to (the shorter, all-caps domain name). You will then be able to re-join in one operation rather than having to reboot, log on using a local account with administrative privileges, join the domain, and reboot again.
Yes, do post the error messages you’re receiving.
It would seem you’re having some kind of authentication and/or name resolution issues disrupting communication between your DCs. I recommend you run dcdiag on both servers and post the results.
You’re probably right about the profile being corrupted. Unfortunately, if you copied the entire profile directory to another location (you mentioned a USB drive), you’re likely to have missed some files due to permission issues, which would render the copy unusable. But as I mentioned, the profile does in no way affect the rights of the user account.
The name of a profile directory is not necessarily related to the name of the corresponding user account. For instance, if you rename a user account, the name of the profile directory stays the same. The fact that you’re seeing a directory called “USERNAME.001” or somesuch does not imply the existence of a user account by that name. By the way, the mapping between account SIDs and profile directories is local to each machine and can be found in the registry under “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList”.
I wouldn’t spend too much time on the profile issue, especially since it may not be fixable. If the old profile contains shortcuts, documents or other data that are of value to you, you could just copy those over to the new profile directory.
GreenGhost;n495410 wrote: What do I need to do? I need to merge the two profiles? I’m not sure exactly where the issue lies and I don’t want to just blindly try to fix this.
Precisely. Some further detective work is required to find out what’s actually causing the issue.
The non-working DHCP service and the inability to connect to other services are not related to the user profile. Your account retains all access rights regardless of the profile, so something else is going on here. It’s much more likely that your profile issues are the symptom of an underlying network issue.
First things first:
- Have you checked the IP settings on the server? What does “ipconfig /all” report?
- Is the network interface visible in Device Manager, and can you see it in Network and Sharing Center under “Change adapter settings”?
- Can you ping the IP address of the other server?
- Can you ping the other server by name?
- Is this server a Domain Controller?
You should perform the above tests/checks using an account with administrative privileges. If the server isn’t a Domain Controller, a local account with sufficient privileges can be used.
In the subject field you say Windows is “creating new user accounts” (which would be really, really strange), but reading the contents of your post I get the impression that you’re actually referring to a new user profile.
Have you logged in to this particular server using this exact user account before? If not, Windows will indeed create a new profile. The only way to use the exact same user profile across multiple computers is to implement Roaming Profiles. You can also achieve partial profile synchronization using Folder Redirection.
On the other hand, if you have logged in to this server before, using this user account, you should expect to see the same user profile. However, Windows will create a new profile under certain conditions:
- If Roaming Profiles are configured but the profile server is unavailable, Windows will create a temporary profile which will be discarded when you log off.
- If the profile directory for the user in question is damaged or has been deleted, Windows will create a new profile in a folder called “user.domain” or “user.computername” or “user.”, depending on the circumstances.
- If the “ProfileList” Registry setting for the user account in question has been damaged/deleted, Windows will create a new profile.
- If the “ProfileList” entry doesn’t match the SID of the user account (for instance, if you’ve deleted and recreated the account in Active Directory), Windows will create a new user profile.
If you can provide some more details regarding the account and whether you’ve logged in to this server before, I’m sure we can get to the bottom of this.
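
An added example, not part of the original posts: a read-only PowerShell audit of the ProfileList conditions listed above (missing profile directory, an entry whose SID no longer resolves to an account, and profile folders that no entry points to). `Get-ProfileListAudit` is a hypothetical helper name; the script assumes it is run from an elevated prompt on the affected machine, and domain SIDs will only resolve while a domain controller is reachable.

```powershell
# Added example (not from the original posts). Read-only: nothing is modified.
# Get-ProfileListAudit is a hypothetical helper name chosen for this sketch.
$ProfileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-ProfileListAudit {
    param([string]$Key = $ProfileListKey)

    $root        = Get-Item -Path $Key
    $profilesDir = $root.GetValue('ProfilesDirectory')   # normally C:\Users
    $publicDir   = $root.GetValue('Public')              # shared profile, has no SID entry
    $referenced  = @()

    foreach ($sub in Get-ChildItem -Path $Key) {
        $sidText = $sub.PSChildName
        # ProfileImagePath is REG_EXPAND_SZ; GetValue returns it with variables expanded.
        $path = $sub.GetValue('ProfileImagePath')
        if ($path) { $referenced += $path.TrimEnd('\') }

        # Resolve the SID to an account name. Failure means the key name is not a
        # valid SID, or no account with that SID can be found (for example the
        # account was deleted and recreated, which gives it a new SID).
        $account = $null
        try {
            $sid     = New-Object System.Security.Principal.SecurityIdentifier($sidText)
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = $null
        }

        $findings = @()
        if (-not $path) {
            $findings += 'no ProfileImagePath value'
        } elseif (-not (Test-Path -LiteralPath $path)) {
            $findings += 'profile directory missing'
        }
        if (-not $account) { $findings += 'SID does not resolve to an account' }
        $finding = 'ok'
        if ($findings) { $finding = $findings -join '; ' }

        [pscustomobject]@{
            Sid         = $sidText
            Account     = $account
            ProfilePath = $path
            Finding     = $finding
        }
    }

    # Profile folders that no ProfileList entry points to, such as a leftover
    # "USERNAME.001" directory. Hidden folders are skipped by Get-ChildItem.
    if ($profilesDir -and (Test-Path -LiteralPath $profilesDir)) {
        foreach ($dir in Get-ChildItem -LiteralPath $profilesDir -Directory) {
            if ($referenced -notcontains $dir.FullName -and $dir.FullName -ne $publicDir) {
                [pscustomobject]@{
                    Sid         = $null
                    Account     = $null
                    ProfilePath = $dir.FullName
                    Finding     = 'directory has no ProfileList entry'
                }
            }
        }
    }
}

Get-ProfileListAudit | Sort-Object Finding | Format-Table -AutoSize
```

Comparing the Account column with the folder name in ProfilePath shows renamed accounts at a glance, since the folder keeps its original name.
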
The error message comes from the PXE Boot ROM itself, so this happens way before any drivers are loaded or needed.
Examining the error messages (“PXE-T04: Access violation” and “PXE-E36: Error recieved from TFTP server”), you’ll notice that the PXE ROM only tells you about an error that occurred at the server side of the TFTP transaction. A misconfigured DHCP server can cause this to happen (see these threads for more information), but then I’d expect the error to manifest itself on every PC, or at least all PCs in the same network/subnet.
Have these machines been installed with WDS previously, and if not, have you configured the PXE Response Policy on the WDS server to accept all requests, not just “known client computers”?
If there’s no configuration issue on the WDS server and the DHCP server is not at fault, then either the PXE ROM is sending an invalid or non-standard TFTP request, or the WDS TFTP server is too picky about the syntax of the TFTP request. One of the parties (or both) must not be fully compliant with the PXE specifications for such a scenario to occur. You could try:
- contacting the PC manufacturer to see if there’s a BIOS update available (the PXE boot ROM for onboard NICs is part of the system BIOS)
- making sure all Windows updates are installed on the WDS server
- enabling logging on the WDS server and seeing what appears in the event logs
- using a network traffic sniffer to inspect the TFTP transaction and post the results here
- reporting the issue to the PC vendor and/or Microsoft
Sniffing network traffic is perhaps the quickest way to get to the bottom of what’s actually going on, so I’d recommend installing Wireshark on the WDS server. A good capture filter would be “udp port 67 or udp port 68 or udp port 69”, as that would catch both DHCP and TFTP traffic.
February 9, 2016 at 4:17 pm in reply to: PPTP using port 1723 the "old fashioned" way in 2012 #388820
PPTP is deprecated because the authentication protocol used, MSCHAPv2, is fatally flawed. Logging in from a public WLAN is basically the same as sharing your login credentials with anyone sufficiently motivated to run a ready-made sniffing tool that can be downloaded freely from the Internet.
You should go for DirectAccess or SSTP. Both require a server certificate, but nowadays those are free.
Before the forum software upgrade, I used the “find new [as in unread by me] posts” daily. Usually, that search returned between two or three pages of hits. I can’t remember exactly how many results there used to be on each page, but I’m fairly sure it must have been at least 10.
Nowadays, there’s seldom more than 3 or 4 new threads on a weekday, plus perhaps one or two new posts in existing threads. On some days there’s been no activity at all, which was pretty much unheard of only a few months ago.
I can’t help but think this has something to do with the forum upgrade. I still miss the old “find unread posts” search function, but ironically the loss of this function hasn’t been as much of a problem as I initially thought it’d be. Since there’s been so little traffic lately, I’ve been able to keep track of unread vs. read posts myself.