Add Active Directory Domain Services (AD DS) Role on Server 2016 Fails with Error: 0x800f0831

You just spun up a fresh server and it won’t install the Domain Controller role, and you are frustrated. I am here to help. When attempting to install AD DS or .NET 3.5 you get this error. You will get the same error from the GUI or PowerShell:

Install-WindowsFeature -Name AD-Domain-Services

The Error Code 0x800f0831 means Windows is attempting to check updates for the needed software package. This causes the hang/fail because it is not there. This is the error:

The request to add or remove features on the specified server failed. Installation of one or more roles, role services, or features failed. Error: 0x800f0831

Restarting doesn’t help, nor will most other “fixes” on the internet.

The problem is that you have the Windows installation disk attached (in my case to a virtual machine in VMware or in the disk drive after installation) so that is where Windows is trying to find the files.

Verify the Remote Registry service is running. Open Services on your machine and Start the Remote Registry service if it is not already running.

You can presumably detach the disk and restart, but I selected Specify an alternate source path on the Confirmation page.

Luckily there are instructions. The path on my system was as follows because the ISO was attached to the D: drive.

WIM:D:\sources\install.wim:4

Enter the path information into the box and click ok.

Now it will install without hanging or failure. I just saved you a big headache, share the love.
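The same alternate source can be passed to Install-WindowsFeature on the command line. This is an added example, not part of the original post: it confirms the chosen image index exists in the WIM before installing. The D: drive and index 4 are the values from this article and will differ on other systems.

```powershell
# Added example: install AD DS from the attached installation media.
# Assumptions: ISO attached as D:, image index 4 (the values used in this article).
$WimPath    = 'D:\sources\install.wim'
$ImageIndex = 4

if (-not (Test-Path -LiteralPath $WimPath)) {
    throw "Install image not found at $WimPath. Is the installation media attached?"
}

# List the editions inside the WIM so the index can be matched to the installed edition.
$images = Get-WindowsImage -ImagePath $WimPath
$images | Format-Table ImageIndex, ImageName -AutoSize

if ($images.ImageIndex -notcontains $ImageIndex) {
    throw "Index $ImageIndex does not exist in $WimPath."
}

$installed = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
$chosen    = ($images | Where-Object ImageIndex -eq $ImageIndex).ImageName
Write-Host "Installed OS: $installed"
Write-Host "Chosen image: $chosen"

# -Source takes the same WIM:<path>:<index> string that the GUI dialog accepts.
# ${WimPath} is braced so the following colon is not read as part of the variable name.
$result = Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools `
    -Source "WIM:${WimPath}:$ImageIndex"

$result | Format-List Success, RestartNeeded, ExitCode
```

Run it from an elevated PowerShell session; Get-WindowsImage and Install-WindowsFeature both require administrator rights.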

 

Namespace ‘Microsoft.Policies.WindowsStore’ is already defined as the target namespace for another file in the store

Windows 10 Creators Update build 1703 came with a new set of .admx and .adml policy definitions. Everything was working fine but Microsoft changed the name of the Windows Store policy definition files and borked up a bunch of random unrelated GPOs. If you view an affected GPO in Group Policy Manager on your domain controller you may see this error in place of your normal settings information.

The error is:

Namespace ‘Microsoft.Policies.WindowsStore’ is already defined as the target namespace for another file in the store. File \\FQDN-DC\SysVol\domain.com\Policies\PolicyDefinitions\WinStoreUI.admx, line 4, column 80

To fix this issue, go to the policy definitions folder in your SYSVOL. It is usually at the path shown in the error above or something similar:

\\SysVol\yourdomain.com\Policies\PolicyDefinitions\

Delete the file: WinStoreUI.admx

Rename file WindowsStore.admx to WinStoreUI.admx

\\SysVol\yourdomain.com\Policies\PolicyDefinitions\en-US (or whatever your language is)

Delete the file: WinStoreUI.adml

Rename file WindowsStore.adml to WinStoreUI.adml

Refresh the settings view in Group Policy Manager and you will see that your policy definitions are working again.

You are done!
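The delete-and-rename steps above can be scripted so that a copy of every touched file is kept first. This is an added example, not part of the original post; the central store path layout, the $Domain value and the $BackupRoot folder are assumptions to replace with your own.

```powershell
# Added example: apply the WinStoreUI/WindowsStore fix with a backup taken first.
# Assumptions: central store at \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions;
# $Domain and $BackupRoot are placeholders.
$Domain     = 'yourdomain.com'
$BackupRoot = 'C:\Temp\PolicyDefinitions-backup'
$Store      = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"

function Repair-StoreDefinition {
    param([string]$Folder, [string]$Extension, [string]$BackupFolder)

    $old = Join-Path $Folder "WinStoreUI.$Extension"
    $new = Join-Path $Folder "WindowsStore.$Extension"

    # Only act when both files exist, which is the duplicate-namespace condition.
    if (-not ((Test-Path -LiteralPath $old) -and (Test-Path -LiteralPath $new))) {
        Write-Host "Skipping $Folder (no duplicate .$Extension pair)"
        return
    }

    # Keep a copy of both files outside SYSVOL before changing anything.
    New-Item -ItemType Directory -Path $BackupFolder -Force | Out-Null
    Copy-Item -LiteralPath $old, $new -Destination $BackupFolder

    Remove-Item -LiteralPath $old
    Rename-Item -LiteralPath $new -NewName "WinStoreUI.$Extension"
    Write-Host "Fixed $Folder"
}

Repair-StoreDefinition -Folder $Store -Extension 'admx' -BackupFolder $BackupRoot

# Every language folder (en-US and so on) holds its own .adml pair.
Get-ChildItem -LiteralPath $Store -Directory | ForEach-Object {
    Repair-StoreDefinition -Folder $_.FullName -Extension 'adml' `
        -BackupFolder (Join-Path $BackupRoot $_.Name)
}
```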

VMware Common Logging Service Health Alarm VCSA

If you get this service alarm, you are having a problem with your logging service in vCenter Server Appliance 6.0. Typically the log drive fills up and it is not set to auto expand so you get a critical error and logs won’t be saved.

To correct this issue, follow these steps. To view the logging health open up vCenter Web Client and navigate to Administration > System Configuration > Services > VMware Syslog Service. Verify your service is still running.

 

Open up PuTTY and access vCenter with the VCSA IP address and root account. Run this command to check status:

service-control --status vmware-syslog

Run these commands to enable the shell:

shell.set --enabled true
shell

Check the status of the log drive by running the command:

df -h

Notice that the log drive is 10GB in size and is almost full.

Go to vCenter Web Client, open up your vCenter Server Appliance properties and select Edit Settings in VM Hardware.

Select Manage other disks.

Go to Hard Disk 5 and increase the size from 10GB to 20GB, then close and save.

Go back to PuTTY and enter this command to set the drives to autogrow.

vpxd_servicecfg storage lvm autogrow

When the command runs successfully you should get this result.

VC_CFG_RESULT=0

View the VMware kb article here for more details.

NetApp Virtual Storage Console (VSC) Error – TLS Not Configured

We utilize NetApp Virtual Storage Console on our vCenter Server. Something recently disrupted our connectivity to the storage server. We went to investigate.


If you navigate to Storage Systems from the VSC Dashboard, you will see the error TLS is not configured. This could be caused by several things but in our case the SSL certificate on the NetApp had expired. Default self-signed NetApp SSL certificates are set to expire after 365 days. For those who have vCenter Server and require NetApp Virtual Storage Console an active self-signed SSL certificate must be in place on the NetApp for it to work.


There are instructions in the console to correct the issue but they are not effective. To solve this problem you should open an SSH session to the filer and follow the instructions below. I use PuTTY for SSH. These instructions should work for Clustered Data ONTAP 8.1, 8.2 and 8.3.

Open PuTTY, enter the IP address of your NetApp and connect, then enter your user name and password. Once connected, run these commands to enable privileged mode and list the certificates:

cm2244a-cn::> set -privilege advanced
cm2244a-cn::*> security certificate show

The output will show the SSL expiration date.

SSL      server
Expiration Date: Thu Feb 27 14:16:49 2013

Check which SSL certificate is currently in use.

cm2244a-cn::> security ssl show

To renew the certificate you should delete the original one and replace it with a new one. But first check the details to ensure you are deleting the correct certificate.

cm2244a-cn::*> security certificate show -instance -vserver cm2244a-cn 


Delete the SSL certificate by filling in the unique information from the above results. For Data ONTAP 8.2 and 8.3 use the following command. For Data ONTAP 8.1 commands refer to this article. Note: As soon as you delete the certificate, the SSL service will be disabled.

cm2244a-cn::*> security certificate delete -common-name christoh-svm1.cert -ca christoh-svm1.cert -type server -vserver christoh-svm1 -serial 5514941E

Warning: Deleting a server certificate will also delete the corresponding
server-chain certificate, if one exists.
Do you want to continue? {y|n}:

Say yes to the prompt. Then recreate the SSL certificate with a longer lifespan.

cm6240c-cluster::> security certificate create -vserver christoh-svm1 -common-name christoh-svm1.cert -size 2048 -type server -country US -expire-days 3650 -hash-function SHA256

Verify your new certificate is in place.

cm2244a-cn::*> security certificate show -instance -vserver cm2244a-cn -common-name cm2244a-cn.cert

          FQDN or Custom Common Name: cm2244a-cn.cert
 Size of Requested Certificate(bits): 2048
              Certificate Start Date: Mon Sep 02 21:10:05 2013
         Certificate Expiration Date: Thu Aug 31 21:10:05 2023
              Public Key Certificate: -----BEGIN CERTIFICATE-----

 

Then you have to enable SSL after the certificate is in place.

security ssl modify -vserver cm2244a-cn -server-enabled true

Verify your results.

security ssl show

If you would like more detail please visit this NetApp kb article.
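Because the outage here came from a certificate that expired unnoticed, a scheduled expiry check is worth having. This is an added example, not part of the original post or of NetApp's tooling; it assumes the vserver name cm2244a-cn used above resolves to the management interface and that HTTPS listens on port 443.

```powershell
# Added example: report how many days remain on the certificate an endpoint presents.
# Assumptions: host name 'cm2244a-cn' resolves to the management interface, port 443.
function Get-TlsCertificateExpiry {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # Accept any certificate: this connection only reads the certificate
        # (self-signed or already expired included) and sends no credentials or data.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        try {
            $ssl.AuthenticateAsClient($HostName)
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                $ssl.RemoteCertificate)
            [pscustomobject]@{
                Host       = $HostName
                Subject    = $cert.Subject
                NotAfter   = $cert.NotAfter
                DaysLeft   = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
                SelfSigned = ($cert.Subject -eq $cert.Issuer)
            }
        } finally { $ssl.Dispose() }
    } finally { $tcp.Dispose() }
}

$status = Get-TlsCertificateExpiry -HostName 'cm2244a-cn'
$status | Format-List

# Warn well before expiry so the certificate can be replaced in a planned window.
if ($status.DaysLeft -lt 30) {
    Write-Warning "Certificate on $($status.Host) expires in $($status.DaysLeft) days."
}
```

If the SSL service is disabled, as it is between deleting and recreating the certificate, the connection fails and the function throws instead of returning a result.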

Upgrade System Center Configuration Manager 2012R2 to 1511 to 1606

If you have System Center Configuration Manager 2012/2012R2 and you want to upgrade to the latest package 1606 you first have to upgrade to 1511. This should be the last upgrade you’ll need to manually perform; afterwards you can upgrade straight from the SCCM console itself. Thank you Microsoft!

The supported in-place upgrade paths are below, more details found here.


Upgrading from SCCM 2012 to 1511 is straightforward. Before starting your installation of 1511, download this patch from Microsoft and install it.


Download and install Windows 10 ADK even if you don’t have Windows 10 in your environment yet, because you will soon enough. Choose based on your version of Windows 10, the latest is 1607 at the time of writing.


Check that you are using a supported version of SQL Server and then download and install SCCM 1511. We downloaded it from Microsoft VLSC because we have a volume license account with Microsoft. If you need an evaluation copy you can find the current branch here.


Install the package; you know how this works. Just keep selecting Next, no surprises.


I suggest restarting your server after completion just for peace of mind.

After your SCCM server has a chance to sit for a bit it will automatically download builds 1602 and 1606. Go to Administration > Cloud Services > Updates and Servicing to view.


Note if it gets stuck in “Downloading” for too long, open Services.msc and restart the service named “SMS_EXECUTIVE” and downloading will resume.


If you wait for a while (less than 30 minutes), then restart your server you will get a popup that lets you know the latest version is available for download.


Install Update Pack from the console, you can skip to 1606.


The steps are again really boilerplate, just keep selecting Next.

 


Once installation is complete, then force update your client agents. Go to Administration > Site Configuration > Sites > Hierarchy Settings


If interested here is additional documentation from Microsoft.

Call it a day!

How to Migrate SYSVOL from Oldschool FRS to DFSR

If you have any battle-worn domain controllers that have been upgraded multiple times, your domain is probably still running the outdated replication engine, File Replication Service (FRS), which dates back to Server 2000 and 2003. I am not sure why Microsoft doesn’t publicize this as much as upgrading to the latest OS, because it is just as important.

If you have domain controllers that are 2008 or newer, you absolutely should migrate to DFSR today. As it was designed in a bygone era, domains will often have replication errors or poor performance when using FRS in today’s demanding environments. Follow these steps to migrate to DFSR.

Prerequisites 

  •  All DCs must be at least Server 2008
  •  Domain Functional Level must be at least Server 2008
  •  Active Directory services must be in good general health
  •  Active Directory replication must be fully functioning

I would also suggest performing this migration after hours to minimize potential impact to users on the network. Ensure you have valid backup of all DCs before starting.

Note: perform this operation on your Primary Domain Controller (PDC)

There are 4 main stable states during this migration and you must wait for each to finish before moving on or you could cause yourself some serious problems.

States

  •  State 0 – Start
  •  State 1 – Prepared
  •  State 2 – Redirected
  •  State 3 – Eliminated

Open an elevated PowerShell session on your PDC and run this command to go from Start through Prepared State.

dfsrmig /setglobalstate 1


After running the previous command, wait for about 10 minutes or so then run the following command to see where you are at. Wait until you get a message that all domain controllers have reached a consistent state.

dfsrmig /getmigrationstate


Once you are in Prepared State run this command.

dfsrmig /setglobalstate 2


Again, wait for about 10 minutes or so then run the following command to see the migration status. Wait until you get a message that all domain controllers have reached a consistent Redirected state.

dfsrmig /getmigrationstate

Once the operation is complete, you should open all of your domain controllers and check that you can navigate to the SYSVOL and that it is in the Redirected State. It is usually found here: C:\Windows\SYSVOL\sysvol\yourdomain.com

You need to check this because the last phase, getting to Eliminated State, cannot be undone and could cause some undue sadness if you didn’t reach Redirected. When ready run this command.

dfsrmig /setglobalstate 3


Check status again with this command.

dfsrmig /getmigrationstate

Final Eliminated State message.


After you reach Eliminated State you may get this error popup, do not be alarmed. This is telling you that the old SYSVOL is gone because it has been “Eliminated.” The new folder is called SYSVOL_DFSR, located here: C:\Windows\SYSVOL_DFSR\sysvol\yourdomain.com


You might also want to check that the FRS service is completely stopped and disabled on every DC. Open up services.msc and find File Replication Service, verify it has been disabled.


If it hasn’t been disabled open the service object and manually disable it.


You should be good to go at this point.
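The waiting and per-DC checks in the steps above can be scripted, which matters most before the irreversible move to Eliminated. This is an added example, not part of the original post; it assumes the ActiveDirectory module is installed and that dfsrmig prints the phrase "has reached a consistent state" together with the state name when all DCs agree, so adjust the match if your output differs.

```powershell
# Added example: gate each dfsrmig step, most importantly the move to state 3.
# Assumptions: ActiveDirectory module present; the success wording matched below
# is what dfsrmig /getmigrationstate is assumed to print. Windows PowerShell 5.1.
Import-Module ActiveDirectory

function Wait-DfsrMigConsistent {
    param([Parameter(Mandatory)][ValidateSet('Prepared', 'Redirected', 'Eliminated')]
          [string]$State, [int]$TimeoutMinutes = 60, [int]$PollSeconds = 60)

    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-Date) -lt $deadline) {
        $out = (& dfsrmig.exe /getmigrationstate | Out-String)
        # "has not yet reached" must not count, so match the positive phrase only.
        if ($out -match 'has reached a consistent state' -and
            $out -match [regex]::Escape("'$State'")) {
            return $out.Trim()
        }
        Start-Sleep -Seconds $PollSeconds
    }
    throw "DCs did not reach a consistent $State state within $TimeoutMinutes minutes."
}

function Test-SysvolOnAllDCs {
    # One row per DC: is SYSVOL reachable over the share, and what is FRS doing?
    $domain = (Get-ADDomain).DNSRoot
    foreach ($dc in Get-ADDomainController -Filter *) {
        $frs = Get-Service -Name NtFrs -ComputerName $dc.HostName -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DC          = $dc.HostName
            SysvolShare = Test-Path -LiteralPath "\\$($dc.HostName)\SYSVOL\$domain\Policies"
            FrsStatus   = $frs.Status
            FrsStartup  = $frs.StartType
        }
    }
}

# Before dfsrmig /setglobalstate 3: confirm Redirected everywhere, then check every DC.
Wait-DfsrMigConsistent -State Redirected | Write-Host
$report = Test-SysvolOnAllDCs
$report | Format-Table -AutoSize
if ($report.SysvolShare -contains $false) {
    throw 'SYSVOL is not reachable on every DC; do not run dfsrmig /setglobalstate 3.'
}
```

After reaching Eliminated, run Test-SysvolOnAllDCs again: FrsStartup should read Disabled on every DC.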

Removing Ctrl+Alt+Del to Login on Windows 10 After Upgrade

If you recently upgraded your computer to Windows 10 from Windows 7 Professional, you may notice that you have to press the Ctrl + Alt + Del keys to be allowed to login. This is a legacy feature left over from previous Windows versions and can be disabled.

Right click on the start button and select Run


Type netplwiz and click ok


In the dialog window, select the Advanced tab and uncheck the checkbox


This will eliminate the need to use Ctrl+Alt+Del to open your machine. To reveal the login screen, just click your mouse button instead.

Migrating Mailbox to Cloud Fails in Hybrid Exchange Deployment

If you attempt to migrate an on-prem mailbox to Exchange Online using the Office 365 portal and it fails, there are several steps to take to correct the issue. This article assumes you have DirSync installed and are using it to sync your passwords.

Start by checking that the user has an Exchange license in Office 365 by using the portal. Lack of an Exchange Online license may cause migration failures.


To check, go to the Admin page in the Office 365 portal


Find and select the user


 

On the user profile page, go to licenses, select the location and both the Exchange Online and SharePoint Online licenses, then save.


This may solve the problem. Wait a minute or so and attempt to migrate the mailbox again. If it doesn’t work, move on to the next steps below which are more complicated.

Migrate mailbox from on-prem Exchange to Office 365 with PowerShell

First step is to download and install Windows Azure Active Directory Module for Windows PowerShell. Once installed, start the PowerShell module on a domain joined machine.


 

To connect to a session, copy and paste the following PowerShell commands all at once, and hit enter when needed to execute. The first two prompts require Office 365/Azure global admin credentials, in full email or “domain\username” form. The last prompt requires local admin credentials in full email or “domain\username” form.

Import-Module MSOnline
Connect-MsolService
$LiveCred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
Import-PSSession $Session
$OnPremAdmin=Get-Credential

 

Outlook Stuck Working Offline After Installing Office 2016


Working Offline in Outlook used to be solved by just clicking a button in the Send / Receive tab. This message appears on the lower right border when Outlook is Working Offline but it is not a button, only a status message.

If you just installed Office 2016 and Outlook is stuck in offline mode you may be having difficulty trying to get it back into online mode. This is because there is no longer a button in the Send / Receive tab like in Office 2013.

Luckily there is an easy fix! Just reboot your device and the problem will solve itself. You may be prompted to log into Microsoft services on your computer if you have an Office 365 or Exchange online hosted email account. Fill in all passwords when required and you should be back in business.

 

 

Windows 10 Release

Yesterday Microsoft released Windows 10 into the wild. Besides some minor gotchas, it appears to be the best release of any new Windows to date. The clean look and refreshed user interface is impressive even if it is channeling the spirit of Apple left and right. It is almost like 75% of the Microsoft UX designers own Apple devices.

But really…is this Windows 10 or Windows 8.3 with automatic updates? The development cadence is quicker than in the past. It is like the dev guys at Microsoft were coming up with new features for the next Windows 8 release and had a meeting with Marketing who said, “whoa hold up pocket protectors, we need to make a clean break” hence a newly branded OS was released slightly before its time. Below are the Windows release and end-of-sales dates from Microsoft’s Windows lifecycle fact sheet.

Microsoft isn’t the only company strategically building a subscription model that emphasizes “services” that you never stop paying for. Obviously much better for their profitability. This trend, that started picking up momentum over 10 years ago, has really accelerated the last 5 years with associated catch phrases like cloud.

Nothing is really ‘free’ it seems, there is always a catch. Microsoft is just providing the vehicle to lock consumers into their shiny new ecosystem, like an operating system with the ‘in-app purchases’ we often see elsewhere. The first indication is Solitaire is a paid subscription based app on Windows 10 if you want to avoid the ads. Monetizing Solitaire, really?

The ads are actually the scariest part. I don’t own a TV and I use AdBlock Plus for Chrome. I never see ads. It has been so long that when I accidentally see an ad now it’s almost traumatic. Ads built into my OS are extremely unwelcome. I would have to get a Mac, I couldn’t handle it. The new Windows 10 browser Edge does not yet have support for extensions like AdBlock Plus. That means I won’t be using Edge for anything but online Microsoft products.

Yesterday when I upgraded my home computer to Windows 10 Pro, it freaked out. After the upgrade, it restarted several times and choked each time. The screen was black with a small cursor in the upper left corner. My heart sank. Apparently there was a faulty Nvidia driver pushed out with the final release that millions of people downloaded. I happen to have an Nvidia video card. It finally worked because Redmond was quick to patch it again but this was definitely a wrinkle in the overall smoothness.

I drank the Kool-Aid a long time ago and I genuinely like the new direction that Microsoft has been going in the last few years…but it’s not 100% yet. While they got a lot of it right in this latest release, Microsoft appears to be continuing some of the less than popular traditions like rushing things out the door and fumbling a bit with the initial release. All that aside, I like Windows 10 so far!