Add Active Directory Domain Services (AD DS) Role on Server 2016 Fails with Error: 0x800f0831

You just spun up a fresh server and it won’t install the Domain Controller role, and you are frustrated. I am here to help. When attempting to install AD DS or .NET 3.5 you get this error. You will get the same error from the GUI or PowerShell:

Install-WindowsFeature -Name AD-Domain-Services

Error code 0x800f0831 means Windows is attempting to check updates for the needed software package. The install hangs or fails because the package is not there. This is the error:

The request to add or remove features on the specified server failed. Installation of one or more roles, role services, or features failed. Error: 0x800f0831

Restarting doesn’t help, nor will most other “fixes” on the internet.

The problem is that you have the Windows installation disk attached (in my case to a virtual machine in VMware or in the disk drive after installation) so that is where Windows is trying to find the files.

Verify the Remote Registry service is running. Open Services on your machine and Start the Remote Registry service if it is not already running.

You can presumably detach the disk and restart, but I selected Specify an alternate source path on the Confirmation page.

Luckily there are instructions. The path on my system was as follows because the ISO was attached to the D: drive.

WIM:D:\sources\install.wim:4

Enter the path information into the box and click ok.

Now it will install without hanging or failure. I just saved you a big headache, share the love.
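The same fix from PowerShell, as an added example that is not part of the original post: it looks up the image index instead of hard-coding :4, since the index depends on the edition. The D: drive comes from the post; matching on the EditionID and InstallationType registry values is an assumption about how to pick the right image.

```powershell
# Added example. D: is the ISO drive from the post; adjust for your system.
$wim = 'D:\sources\install.wim'
if (-not (Test-Path $wim)) {
    throw "No install.wim at $wim. Attach the Server 2016 ISO first."
}

# Edition and installation type (Server / Server Core) of the running OS.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

# List every image in the WIM with full details, then keep the one that
# matches the installed edition. The index is not the same for every edition.
$match = Get-WindowsImage -ImagePath $wim | ForEach-Object {
    Get-WindowsImage -ImagePath $wim -Index $_.ImageIndex
} | Where-Object {
    $_.EditionId -eq $cv.EditionID -and
    $_.InstallationType -eq $cv.InstallationType
} | Select-Object -First 1

if (-not $match) {
    throw "No image in $wim matches $($cv.EditionID) / $($cv.InstallationType)."
}

# Same WIM:<path>:<index> syntax the GUI accepts under "Specify an alternate source path".
$source = "WIM:${wim}:$($match.ImageIndex)"
Write-Host "Using source $source ($($match.ImageName))"

$result = Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools -Source $source
$result | Format-List Success, RestartNeeded, ExitCode
```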

 

Namespace ‘Microsoft.Policies.WindowsStore’ is already defined as the target namespace for another file in the store

Windows 10 Creators Update build 1703 came with a new set of .admx and .adml policy definitions. Everything was working fine but Microsoft changed the name of the Windows Store policy definition files and borked up a bunch of random unrelated GPOs. If you view an affected GPO in Group Policy Manager on your domain controller you may see this error in place of your normal settings information.

The error is:

Namespace ‘Microsoft.Policies.WindowsStore’ is already defined as the target namespace for another file in the store. File \\FQDN-DC\SysVol\domain.com\Policies\PolicyDefinitions\WinStoreUI.admx, line 4, column 80

To fix this issue, go to your SYSVOL, usually at the path above or something similar:

\\SysVol\yourdomain.com\Policies\PolicyDefinitions\

Delete the file: WinStoreUI.admx

Rename file WindowsStore.admx to WinStoreUI.admx

\\SysVol\yourdomain.com\Policies\PolicyDefinitions\en-US (or whatever your language is)

Delete the file: WinStoreUI.adml

Rename file WindowsStore.adml to WinStoreUI.adml

Refresh the settings view in Group Policy Manager and you will see that your policy definitions are working again.

You are done!
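To see which files collide before deleting anything, and to confirm the store is clean afterwards, the check below reads the target namespace each .admx declares and reports any namespace claimed by more than one file. It is an added example, not part of the original post; the store path is a placeholder and en-US is assumed as the language folder.

```powershell
# Added example. $store is a placeholder; point it at your own central store.
$store = '\\yourdomain.com\SYSVOL\yourdomain.com\Policies\PolicyDefinitions'
$lang  = 'en-US'   # assumed language folder

# Read the <target namespace="..."> declaration from every ADMX file.
$targets = Get-ChildItem -Path $store -Filter *.admx | ForEach-Object {
    $file = $_
    try {
        $xml = [xml](Get-Content -LiteralPath $file.FullName -Raw)
        $ns  = $xml.policyDefinitions.policyNamespaces.target.GetAttribute('namespace')
        [pscustomobject]@{
            Namespace = $ns
            File      = $file.Name
            Modified  = $file.LastWriteTime
        }
    }
    catch {
        Write-Warning "Could not parse $($file.Name): $($_.Exception.Message)"
    }
}

# A namespace declared by two files is what triggers
# "already defined as the target namespace for another file in the store".
$dupes = @($targets | Group-Object Namespace | Where-Object { $_.Count -gt 1 })
if ($dupes.Count -eq 0) {
    Write-Host 'No duplicate target namespaces found.'
}
else {
    $dupes | ForEach-Object { $_.Group } |
        Sort-Object Namespace, Modified |
        Format-Table Namespace, File, Modified -AutoSize
}

# Language files with no matching .admx are leftovers from a rename or removal.
$admxNames = (Get-ChildItem -Path $store -Filter *.admx).BaseName
Get-ChildItem -Path (Join-Path $store $lang) -Filter *.adml |
    Where-Object { $admxNames -notcontains $_.BaseName } |
    Select-Object Name, LastWriteTime
```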

The number of vSphere HA heartbeat datastores for host is 1, which is less than required 2 – vSphere 6.5

This is a pesky, common error that has plagued vSphere administrators for a long time. If you do not have multiple redundant datastores, you will get this error.

The number of vSphere HA heartbeat datastores for host is 1, which is less than required 2

To fix this issue for vCenter Server Appliance 6.5, follow these simple steps.

Log in to vSphere Server Appliance web host client. Go to Hosts and Clusters from the main menu. Select the cluster you want to modify from the tree.

Go to the Configure tab and select vSphere Availability (used to be called vSphere HA), then click Edit.

Go to Advanced Options, click in the Options box and paste this:

das.ignoreInsufficientHbDatastore

Paste this in the value box:    true

Click OK, wait a bit for it to modify all your hosts. Done!

File Explorer Not Responding Issue After Windows 10 Update

I have been having an issue recently with my File Explorer in Windows 10 opening painfully slow, so slow that it indicated Not Responding in the status bar. I thought this was just happening on my work computer, which has an SSD, plenty of RAM and a decent CPU too.  Then I discovered the same issue on my home PC which has 32 GB of RAM and realized that this must be an issue with a recent Windows update.

After some experimentation, I determined that the bug is with the Quick Launch function in File Explorer.  If you set File Explorer to go to This PC or turn off the Quick Launch function, the problem stops immediately.

Open File Explorer, go to File, then select Change folder and search options.

Select This PC from Open File Explorer to field. Or you can deselect the Privacy check boxes Show recently used files in Quick access and Show frequently used folders in Quick access. Either way will get you to the solution you want.

Your File Explorer should open very quickly now!

VMware Common Logging Service Health Alarm VCSA

If you get this service alarm, you are having a problem with your logging service in vCenter Server Appliance 6.0. Typically the log drive fills up and it is not set to auto expand so you get a critical error and logs won’t be saved.

To correct this issue, follow these steps. To view the logging health open up vCenter Web Client and navigate to Administration > System Configuration > Services > VMware Syslog Service. Verify your service is still running.

 

Open up PuTTY and access vCenter with the VCSA IP address and root account. Run this command to check status:

service-control --status vmware-syslog

Run these commands to enable the shell:

shell.set --enabled true
shell

Check the status of the log drive by running the command:

df -h

Notice that the log drive is 10GB in size and is almost full.

Go to vCenter Web Client, open up your vCenter Server Appliance properties and select Edit Settings in VM Hardware.

Select Manage other disks.

Go to Hard Disk 5 and increase the size from 10GB to 20GB, then close and save.

Go back to Putty and enter this command to set the drives to autogrow.

vpxd_servicecfg storage lvm autogrow

When the command runs successfully you should get this result.

VC_CFG_RESULT=0

View the VMware kb article here for more details.

NetApp Virtual Storage Console (VSC) Error – TLS Not Configured

We utilize NetApp Virtual Storage Console on our vCenter Server. Something recently disrupted our connectivity to the storage server. We went to investigate.

If you navigate to Storage Systems from the VSC Dashboard, you will see the error TLS is not configured. This could be caused by several things but in our case the SSL certificate on the NetApp had expired. Default self-signed NetApp SSL certificates are set to expire after 365 days. For those who have vCenter Server and require NetApp Virtual Storage Console an active self-signed SSL certificate must be in place on the NetApp for it to work.

There are instructions in the console to correct the issue but they are not effective. To solve this problem you should open an SSH session to the filer and follow the instructions below. I use PuTTY for SSH. These instructions should work for Clustered Data ONTAP 8.1, 8.2 and 8.3.

Open Putty, enter the IP address of your NetApp and connect, enter your user and password. Once connected run this command to enable privileged mode:

cm2244a-cn::> set -privilege advanced
cm2244a-cn::*> security certificate show

The output will show the SSL expiration date.

SSL      server
Expiration Date: Thu Feb 27 14:16:49 2013

Check which SSL certificate is currently in use.

cm2244a-cn::> security ssl show
To renew the certificate you should delete the original one and replace it with a new one. But first check the details to ensure you are deleting the correct certificate.

cm2244a-cn::*> security certificate show -instance -vserver cm2244a-cn 

Delete the SSL certificate by filling in the unique information from the above results. For Data ONTAP 8.2 and 8.3 use the following command. For Data ONTAP 8.1 commands refer to this article. Note: As soon as you delete the certificate, the SSL service will be disabled.

cm2244a-cn::*> security certificate delete -common-name christoh-svm1.cert -ca christoh-svm1.cert -type server -vserver christoh-svm1 -serial 5514941E

Warning: Deleting a server certificate will also delete the corresponding
server-chain certificate, if one exists.
Do you want to continue? {y|n}:

Say yes to the prompt. Then recreate the SSL certificate with a longer lifespan.

cm6240c-cluster::> security certificate create -vserver christoh-svm1 -common-name christoh-svm1.cert -size 2048 -type server -country US -expire-days 3650 -hash-function SHA256

Verify your new certificate is in place.

cm2244a-cn::*> security certificate show -instance -vserver cm2244a-cn -common-name cm2244a-cn.cert

          FQDN or Custom Common Name: cm2244a-cn.cert
 Size of Requested Certificate(bits): 2048
              Certificate Start Date: Mon Sep 02 21:10:05 2013
         Certificate Expiration Date: Thu Aug 31 21:10:05 2023
              Public Key Certificate: -----BEGIN CERTIFICATE-----

 

Then enable SSL once the certificate is in place.

security ssl modify -vserver cm2244a-cn -server-enabled true

Verify your results.

security ssl show

If you would like more detail please visit this NetApp kb article.
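Since the outage here came from a certificate that expired unnoticed, a scheduled expiry check on the management endpoint catches the next one early. This is an added example, not from the original post or from NetApp; the host name is a placeholder and the 30-day warning threshold is an assumption.

```powershell
# Added example: report days until the TLS certificate on a management endpoint expires.
# 'netapp-mgmt.example.com' is a placeholder; the 30-day threshold is an assumption.
function Get-TlsCertExpiry {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)

    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    $ssl = $null
    try {
        # Chain validation is skipped only so a self-signed certificate can be read;
        # the connection is closed right after the handshake and carries no data.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{
            Host     = $HostName
            Subject  = $cert.Subject
            NotAfter = $cert.NotAfter
            DaysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }
}

$warnDays = 30
foreach ($h in 'netapp-mgmt.example.com') {
    try {
        $r = Get-TlsCertExpiry -HostName $h
        $r   # emit the object so the result can be logged or exported
        if ($r.DaysLeft -lt $warnDays) {
            Write-Warning "$h certificate expires in $($r.DaysLeft) days ($($r.NotAfter))"
        }
    }
    catch {
        Write-Warning "$h TLS check failed: $($_.Exception.Message)"
    }
}
```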

Upgrade System Center Configuration Manager 2012R2 to 1511 to 1606

If you have System Center Configuration Manager 2012/2012R2 and you want to upgrade to the latest package 1606 you first have to upgrade to 1511. This should be the last upgrade you’ll need to manually perform; after that you can upgrade straight from the SCCM console itself. Thank you Microsoft!

The supported in-place upgrade paths are below, more details found here.

Upgrading from SCCM 2012 to 1511 is straightforward. Before starting your installation of 1511, download this patch from Microsoft and install it.

Download and install Windows 10 ADK even if you don’t have Windows 10 in your environment yet, because you will soon enough. Choose based on your version of Windows 10, the latest is 1607 at the time of writing.

Check that you are using a supported version of SQL Server and then download and install SCCM 1511. We downloaded it from Microsoft VLSC because we have a volume license account with Microsoft. If you need an evaluation copy you can find the current branch here.

Install package, you know how this works. Just keep selecting Next, no surprises.

I suggest restarting your server after completion just for peace of mind.

After your SCCM server has a chance to sit for a bit it will automatically download builds 1602 and 1606. Go to Administration > Cloud Services > Updates and Servicing to view.

Note if it gets stuck in “Downloading” for too long, open Services.msc and restart the service named “SMS_EXECUTIVE” and downloading will resume.

If you wait for a while (less than 30 minutes), then restart your server you will get a popup that lets you know the latest version is available for download.

Install Update Pack from the console, you can skip to 1606.

The steps are again really boilerplate, just keep selecting Next.

 

Once installation is complete, then force update your client agents. Go to Administration > Site Configuration > Sites > Hierarchy Settings

If interested here is additional documentation from Microsoft.

Call it a day!

How to Migrate SYSVOL from Oldschool FRS to DFSR

If you have any battle-worn domain controllers that have been upgraded multiple times, your domain is probably still running the outdated replication engine, File Replication Service (FRS), which dates back to Server 2000 and 2003. I am not sure why Microsoft doesn’t publicize this as much as upgrading to the latest OS, because it is just as important.

If you have domain controllers that are 2008 or newer, you absolutely should migrate to DFSR today. As it was designed in a bygone era, domains will often have replication errors or poor performance when using FRS in today’s demanding environments. Follow these steps to migrate to DFSR.

Prerequisites 

  •  All DCs must be at least Server 2008
  •  Domain Functional Level must be at least Server 2008
  •  Active Directory services must be in good general health
  •  Active Directory replication must be fully functioning

I would also suggest performing this migration after hours to minimize potential impact to users on the network. Ensure you have a valid backup of all DCs before starting.

Note: perform this operation on your Primary Domain Controller (PDC)

There are 4 main stable states during this migration and you must wait for each to finish before moving on or you could cause yourself some serious problems.

States

  •  State 0 – Start
  •  State 1 – Prepared
  •  State 2 – Redirected
  •  State 3 – Eliminated

Open an elevated PowerShell session on your PDC and run this command to go from Start through Prepared State.

dfsrmig /setglobalstate 1

After running the previous command, wait for about 10 minutes or so then run the following command to see where you are at. Wait until you get a message that all domain controllers have reached a consistent state.

dfsrmig /getmigrationstate

Once you are in Prepared State run this command.

dfsrmig /setglobalstate 2

Again, wait for about 10 minutes or so then run the following command to see the migration status. Wait until you get a message that all domain controllers have reached a consistent Redirected state.

dfsrmig /getmigrationstate

Once the operation is complete, you should open all of your domain controllers and check that you can navigate to the SYSVOL and that it is in the Redirected State. It is usually found here: C:\Windows\SYSVOL\sysvol\yourdomain.com

You need to check this because the last phase, getting to Eliminated State, cannot be undone and could cause some undue sadness if you didn’t reach Redirected. When ready run this command.

dfsrmig /setglobalstate 3

Check status again with this command.

dfsrmig /getmigrationstate

Final Eliminated State message.

After you reach Eliminated State you may get this error popup, do not be alarmed. This is telling you that the old SYSVOL is gone because it has been “Eliminated.” The new folder is called SYSVOL_DFSR, located here: C:\Windows\SYSVOL_DFSR\sysvol\yourdomain.com

You might also want to check that the FRS service is completely stopped and disabled on every DC. Open up services.msc and find File Replication Service, verify it has been disabled.

If it hasn’t been disabled open the service object and manually disable it.

You should be good to go at this point.
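The whole sequence can be gated in a script so that no state is advanced until dfsrmig reports consistency, and the irreversible step to Eliminated is refused if any DC has stopped serving SYSVOL. This is an added example, not part of the original post: it assumes the ActiveDirectory module, WinRM access to each DC, and that the dfsrmig output contains the phrase "has reached a consistent state" together with the state name (assumed wording; if it differs the script times out rather than advancing).

```powershell
# Added example. Run elevated on the PDC. Output wording matched below is an assumption.
Import-Module ActiveDirectory
$stateNames = @{ 1 = 'Prepared'; 2 = 'Redirected'; 3 = 'Eliminated' }

function Wait-DfsrMigConsistent {
    param([string]$StateName, [int]$PollSeconds = 120, [int]$TimeoutMinutes = 180)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-Date) -lt $deadline) {
        $out = (& dfsrmig.exe /getmigrationstate) -join "`n"
        # Require both the consistency message and the state we asked for.
        if ($out -match 'has reached a consistent state' -and $out -match $StateName) {
            return $true
        }
        Write-Host "$(Get-Date -Format s) $StateName not consistent yet, waiting..."
        Start-Sleep -Seconds $PollSeconds
    }
    return $false
}

function Test-SysvolOnAllDCs {
    # Every DC must still serve SYSVOL before the step that cannot be undone.
    $domain = (Get-ADDomain).DNSRoot
    $bad = @(Get-ADDomainController -Filter * | Where-Object {
        -not (Test-Path "\\$($_.HostName)\SYSVOL\$domain\Policies")
    })
    foreach ($dc in $bad) { Write-Warning "SYSVOL not reachable on $($dc.HostName)" }
    return ($bad.Count -eq 0)
}

foreach ($state in 1, 2, 3) {
    if ($state -eq 3 -and -not (Test-SysvolOnAllDCs)) {
        throw 'Stopping before Eliminated: fix SYSVOL on the DCs listed above.'
    }
    & dfsrmig.exe /setglobalstate $state
    if (-not (Wait-DfsrMigConsistent -StateName $stateNames[$state])) {
        throw "State $state ($($stateNames[$state])) did not become consistent; do not advance."
    }
}

# After Eliminated, FRS (service name NtFrs) should be stopped and disabled on every DC.
Get-ADDomainController -Filter * | ForEach-Object {
    Get-CimInstance Win32_Service -ComputerName $_.HostName -Filter "Name='NtFrs'" |
        Select-Object PSComputerName, State, StartMode
}
```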

Removing Ctrl+Alt+Del to Login on Windows 10 After Upgrade

If you recently upgraded your computer to Windows 10 from Windows 7 Professional, you may notice that you have to press the Ctrl + Alt + Del keys to be allowed to log in. This is a legacy feature left over from previous Windows versions and can be disabled.

Right click on the Start button and select Run.

Type netplwiz and click ok

In the dialog window, select the Advanced tab and uncheck the checkbox

This will eliminate the need to use Ctrl+Alt+Del to open your machine. To reveal the login screen, just click your mouse button instead.

Migrating Mailbox to Cloud Fails in Hybrid Exchange Deployment

If you attempt to migrate an on-prem mailbox to Exchange Online using the Office 365 portal and it fails, there are several steps to take to correct the issue. This article assumes you have DirSync installed and are using it to sync your passwords.

Start by checking that the user has an Exchange license in Office 365 by using the portal. Lack of an Exchange Online license may cause migration failures.

To check, go to the Admin page in the Office 365 portal

Find and select the user

On the user profile page, go to licenses, select the location and both the Exchange Online and SharePoint Online licenses, then save.

This may solve the problem. Wait a minute or so and attempt to migrate the mailbox again. If it doesn’t work, move on to the next steps below which are more complicated.

Migrate mailbox from on-prem Exchange to Office 365 with PowerShell

First step is to download and install Windows Azure Active Directory Module for Windows PowerShell. Once installed, start the PowerShell module on a domain joined machine.

To connect to a session, copy and paste the following PowerShell commands all at once and hit Enter when needed to execute. The first two prompts require Office 365/Azure global admin credentials, in full email or “domain\username” form. The last prompt requires local admin credentials in full email or “domain\username” form.

Import-Module MSOnline
Connect-MsolService
$LiveCred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
Import-PSSession $Session
$OnPremAdmin=Get-Credential