Microsoft

You may have heard about self-service password reset (SSPR) in the Microsoft Azure cloud, a nice feature where your users can reset their password and unlock their accounts on their own. But if you are implementing it and get errors, you may get stuck and wonder what the hell is going on with the Azure AD Connect software. AD Connect has all the permissions it needs. Maybe setup has done something wrong, or the PowerShell permission scripts are doing something wrong and not setting the required permissions properly in AD, or whatever... you read all the documentation three times and see nothing is wrong. MS support beginners are also not helpful and may tell you incorrect stuff like granting domain admin permissions to the AD Connect service account, and so on and so on.

What happened? We tried to change the password of a dummy user we typically use for testing purposes. The password change was attempted with this dummy user and he received a generic error message that the password cannot be changed for unknown reasons and that the user should not try again but ask the administrator. The administrator reviews the logs and can see:

If you shut down a VM and cannot restart it again, this might be caused by a Read Only Domain Controller (RODC).

If you see an error message that a VM cannot start with error code 0x80070569, check whether the site the VM is running in has only an RODC. If this is the case you may have missed adding the new VM to the "Allowed RODC Password Replication Group" of this site. Error 0x80070569 points to a logon failure per https://learn.microsoft.com/en-us/troubleshoot/windows-server/virtualization/starting-or-live-migrating-hyper-v-vms-fails.

Search the System event log on the Hyper-V host for event ID 5723 and you may see that the VM machine name is not trusted by the local RODC server. Also search the Hyper-V-VMMS > Admin event log for event ID 15500 to find error code 0x80070569.

Now add the VM machine name to your "Allowed RODC Password Replication Group" and reboot the RODC and the VM. When it comes up again the machine account will be cached locally on the RODC and you can start/stop the virtual machine successfully.
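The checks and the fix described above, as an added PowerShell example (not a script from the original post). It assumes it runs elevated on the Hyper-V host with the ActiveDirectory module available; $VmComputerName is a placeholder for the VM that fails to start, and the group name is the one the post names.

```powershell
# Added example, not the post's own script. Collects the two event IDs named in the post,
# checks whether the local AD site is served by RODCs only, and adds the VM's computer
# account to the password replication group. Assumptions: elevated session on the Hyper-V
# host, ActiveDirectory module installed; $VmComputerName is a placeholder.
param(
    [Parameter(Mandatory = $true)][string]$VmComputerName,
    [string]$GroupName = 'Allowed RODC Password Replication Group'
)
Import-Module ActiveDirectory

# 1. Evidence from the System log: Netlogon 5723, the account is not trusted by the RODC
$netlogon = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 5723 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($VmComputerName) }

# 2. Evidence from Hyper-V-VMMS > Admin: 15500 carrying error 0x80070569 (logon failure)
$vmms = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Hyper-V-VMMS-Admin'; Id = 15500 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '0x80070569' }

Write-Host ("Netlogon 5723 events mentioning {0}: {1}" -f $VmComputerName, @($netlogon).Count)
Write-Host ("VMMS 15500 events with 0x80070569: {0}" -f @($vmms).Count)

# 3. Is this site served by read-only domain controllers only?
$site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
$dcs  = Get-ADDomainController -Filter * | Where-Object { $_.Site -eq $site }
$rodcOnly = (@($dcs).Count -gt 0) -and -not ($dcs | Where-Object { -not $_.IsReadOnly })
Write-Host ("Site {0}: {1} DC(s), RODC only = {2}" -f $site, @($dcs).Count, $rodcOnly)

# 4. Fix: allow the VM's computer account secret to be replicated to (and cached on) the RODC
$computer = Get-ADComputer -Identity $VmComputerName
$members  = Get-ADGroupMember -Identity $GroupName | Select-Object -ExpandProperty distinguishedName
if ($members -notcontains $computer.DistinguishedName) {
    Add-ADGroupMember -Identity $GroupName -Members $computer
    Write-Host "Added $VmComputerName to '$GroupName'. Reboot the RODC and the VM so the account is cached."
} else {
    Write-Host "$VmComputerName is already a member of '$GroupName'."
}
```

Run it as `.\Check-RodcVm.ps1 -VmComputerName VMNAME` (file name is your choice). The event counts are only evidence; the membership change is what resolves the 0x80070569 start failure, and it takes effect after the RODC has cached the account, which is why the post reboots both machines.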

A few days ago I found out that the previously hidden link used to download Skype as an MSI setup is broken. The last available version was Skype 7.41.101. The latest 8.x versions (8.28.0.41) seem no longer available as an official MSI package. This means enterprise deployment is made impossible, as EXE setups cannot be deployed via Active Directory GPO deployment. Originally, when Skype 8.0 was released, it was planned to discontinue Skype 7 ("Skype Classic") support per 1 September 2018, but they extended the deadline to 1 November 2018 until some customer-requested features are added back to 8.x. It is not clear if these missing features also include the MSI setup. The lesson that customers cannot be ignored seems not to have been learned very well, if we keep the past mobile client fiasco in mind.

I contacted Skype support and they confirmed that the MSI setup is not available and called it no longer supported. They pointed to other solutions like Skype for Business and noted that that team may know where the required MSI is, but they cannot help when it comes to end-user Skype.

We need to make sure the meetings can take place. Being surprised in weeks or months by a no longer working Skype client is not really an option. A solution is required, as there was news from a Skype employee named Babs stating that the old Skype Classic 7.x will still work for now but may break in the near future. The current deadline for 7.x is 1 November 2018. You need to install 8.x before this date.

You may have seen that SQL Server Management Studio 2017 automatically pops up and asks for updates. But your users do not have permission to install updates and you maintain updates via WSUS. SQL Server Management Studio 17.x is available via WSUS.

Microsoft has for unknown reasons moved this setting into HKEY_CURRENT_USER. How stupid is this... Software is deployed per machine and not per user. Software is only deployed per user by idiots.

Now you have two options:

  1. Walk to every user and uncheck Tools > Check for Updates > Automatically check for updates in SQL Server Management Studio. Not really an enterprise solution.
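Because the setting lives in HKEY_CURRENT_USER, a per-machine deployment has to write it into every user hive on the box. The following added PowerShell example (not the post's own solution) shows that technique in general: it writes one value into the hives of logged-on users, mounts the NTUSER.DAT of every other profile, and seeds the Default profile for future logons. The key path and value name are placeholders, because the post does not give the exact SSMS value; export it from a machine where you unchecked the option in the GUI.

```powershell
# Added example, not the post's own solution. Applies one HKCU value to every user profile
# on this machine. Assumptions: run elevated; $KeyPath and $ValueName are PLACEHOLDERS for
# the real SSMS "Automatically check for updates" value, which is not given on the page.
$KeyPath   = 'Software\PLACEHOLDER_VENDOR\PLACEHOLDER_APP'   # relative to the user hive root
$ValueName = 'PLACEHOLDER_AutoCheckUpdates'
$Value     = 0                                               # DWORD 0 = option unchecked

function Set-PerUserValue {
    param([string]$HiveName)   # subkey under HKEY_USERS, e.g. a SID or a temporary mount name
    $full = "Registry::HKEY_USERS\$HiveName\$KeyPath"
    if (-not (Test-Path $full)) { New-Item -Path $full -Force | Out-Null }
    Set-ItemProperty -Path $full -Name $ValueName -Value $Value -Type DWord
}

function Set-InMountedHive {
    param([string]$NtUserPath, [string]$MountName)
    # reg.exe load mounts an offline hive under HKU\<MountName>; always unload it again
    & reg.exe load "HKU\$MountName" $NtUserPath | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Could not load $NtUserPath"; return }
    try     { Set-PerUserValue -HiveName $MountName }
    finally {
        [gc]::Collect()   # drop provider handles so the unload does not fail with "in use"
        & reg.exe unload "HKU\$MountName" | Out-Null
    }
}

# Every local or domain user profile registered on this machine
$profiles = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-*'
foreach ($p in $profiles) {
    $sid    = $p.PSChildName
    $ntuser = Join-Path $p.ProfileImagePath 'NTUSER.DAT'
    if (Test-Path "Registry::HKEY_USERS\$sid") {
        Set-PerUserValue -HiveName $sid            # user is logged on, hive already loaded
    } elseif (Test-Path $ntuser) {
        Set-InMountedHive -NtUserPath $ntuser -MountName ('Tmp_' + ($sid -replace '-', '_'))
    }
}

# Default profile, so accounts logging on for the first time inherit the value
Set-InMountedHive -NtUserPath "$env:SystemDrive\Users\Default\NTUSER.DAT" -MountName 'Tmp_Default'
```

In a domain, a Group Policy Preferences registry item under User Configuration targeting the same HKCU value achieves the same result without touching hive files and is the less invasive route; the script is for machines outside GPO reach or for one-off remediation.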

We just installed Windows 2016 Core. As recommended, you should typically install all available Windows Updates before you move forward and install other software.

When we started to install the Commvault File Agent and Virtual Server Agent, setup failed with errors in the event log and never completed. If you search the Application event log you will find two errors logged:

Log Name: Application
Source: .NET Runtime
Date: 8/3/2017 3:59:44 PM
Event ID: 1026
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: HOST1.example.local
Description:
Application: setup.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.ComponentModel.Win32Exception

For an extended time we have been trying to install Windows Updates on our machines, but this always fails with the error message "Failure configuring Windows Updates. Reverting changes" when the system reboots. In that case all the updates roll back and you are back to no update installed. This typically happens if you install Windows 2012 Core from DVD and try to install all the available Microsoft hotfixes. After a few months with Microsoft this was escalated internally and they identified that coldfusion.exe has an open file handle on TTF font files. From my point of view it looks like Microsoft does not add the TTFs to the pending file rename list and just replaces them on reboot.

After a lot of digging we found an interfering process that causes the update failure for tahomabd.ttf; see C:\Windows\Logs\CBS\CBS.log on the affected machine:

You may have read the Microsoft article Reindex the WSUS Database. This article does not document that the command has changed under Windows 2012. If you are using the Windows Internal Database (WID) for the WSUS database, you need to use the sqlcmd utility.

To use this script with Windows Internal Database, you should run the following command:

sqlcmd -E -S np:\\.\pipe\MICROSOFT##WID\tsql\query -i WsusDBMaintenance.sql

or with logging to a file:

sqlcmd -E -S np:\\.\pipe\MICROSOFT##WID\tsql\query -i WsusDBMaintenance.sql > WsusDBMaintenance.log 2>&1

Required:

For several months we have been trying to figure out a bug with Adobe. Support is telling me, as always, that they are unable to reproduce the issue. The problem is that the DataDirect driver for Microsoft SQL that Adobe delivers with the ColdFusion 10 and 11 products seems to have a major memory leak.

Heap with Adobe / DataDirect MsSQL Driver

Very high and bad memory usage compared to the Microsoft driver. Memory usage grows over a longer period of time until the system runs out of memory. CPU usage also grows extremely over time to 50% or more, where the normal load is 5-10% right after the service is restarted. This is one extreme example:

Heap with Adobe / DataDirect MsSQL Driver (OutOfMemory)

Symptom:

If you run ColdFusion in virtual machines under Hyper-V with dynamic memory enabled, you may experience that the ColdFusion services are not started after the server has booted up. The services are set to start automatically but fail to start at boot time, with strange and unknown error messages in the System event log. If you start them manually they fire up properly.

Application log

This PowerShell script sets up your Windows computer to support the TLS 1.1 and TLS 1.2 protocols with forward secrecy. Additionally it increases the security of your SSL connections by disabling insecure SSL 2.0 and SSL 3.0 and all insecure and weak ciphers that a browser may fall back to. This script implements the current best practice rules. It was originally written for Microsoft Internet Information Server 7.5/8.0/8.5/10 (IIS) on Windows 2008R2/2012/2012R2/2016/2019, but the settings below are system-wide settings that work for everything that uses the Microsoft crypto infrastructure. This means Microsoft Exchange, Internet Explorer, Edge and all applications that use the WinHTTP API, too. It works on both Windows desktops and servers.

After you have added the registry entries below, you may like to verify that your server offers the much more secure SSL connections. The great https://www.ssllabs.com/ssltest/ site gives you a feeling for how secure your SSL connections are. You should get a summary like this:

SSL server check summary - rating A, Windows 2016, TLS 1.2 only
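The Schannel hardening described above, as an added PowerShell example that is not the post's own script: it disables SSL 2.0 and SSL 3.0, enables TLS 1.1 and TLS 1.2 for both the server and client side via the documented SCHANNEL registry keys, sets a cipher suite order that prefers ECDHE suites for forward secrecy, and finishes with a small probe you can run from another machine to confirm a host refuses SSL 3.0 but accepts TLS 1.2. The cipher suite list is an assumption; the exact names differ between Windows versions (older versions append a curve suffix), and the key path is only read by Windows when set as shown.

```powershell
# Added example, not the post's script. Assumptions: run elevated; a reboot is needed before
# Schannel uses the new protocol settings; suite names below match Windows 2016/2019 naming.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param([string]$Name, [bool]$Enabled)
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $base "$Name\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=0 switches the protocol off; DisabledByDefault=1 keeps applications that do not
        # ask for a protocol explicitly from negotiating it. Both are set so neither path reopens it.
        New-ItemProperty -Path $key -Name 'Enabled'           -Value ([int]$Enabled)        -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value ([int](-not $Enabled)) -PropertyType DWord -Force | Out-Null
    }
}

Set-SchannelProtocol -Name 'SSL 2.0' -Enabled $false
Set-SchannelProtocol -Name 'SSL 3.0' -Enabled $false
Set-SchannelProtocol -Name 'TLS 1.1' -Enabled $true
Set-SchannelProtocol -Name 'TLS 1.2' -Enabled $true

# Cipher suite order: ECDHE first so sessions get forward secrecy, no RC4/3DES/NULL/export suites.
# ASSUMED list; on 2016+ compare against Get-TlsCipherSuite for the names your build supports.
$suites = @(
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256'
)
$cipherKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
if (-not (Test-Path $cipherKey)) { New-Item -Path $cipherKey -Force | Out-Null }
New-ItemProperty -Path $cipherKey -Name 'Functions' -Value ($suites -join ',') -PropertyType String -Force | Out-Null

# Probe: try a handshake restricted to one protocol. Run this from a machine that still has the
# old protocol enabled on the client side, otherwise the client refuses before the server can.
function Test-TlsProtocol {
    param(
        [string]$HostName,
        [int]$Port = 443,
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Certificate validation is skipped on purpose: the question is which protocol is accepted
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Expected after reboot: SSL 3.0 -> False, TLS 1.2 -> True
foreach ($proto in 'Ssl3', 'Tls11', 'Tls12') {
    Write-Host ("{0,-6} accepted: {1}" -f $proto, (Test-TlsProtocol -HostName 'server.example.com' -Protocol $proto))
}
```

The probe complements the SSL Labs check rather than replacing it: SSL Labs also grades certificate chain, key size and known weaknesses, which the local handshake test does not look at. On Windows Server 2016 and later, Enable-TlsCipherSuite and Disable-TlsCipherSuite can manage the suite order instead of writing the Functions value directly.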