<p>IT - Hint</p><p>All about Information Technology infrastructure and system. Helpdesk & support issue, deployment guide, and daily activity in managing an information technology operation.</p><p>Tom B (http://www.blogger.com/profile/05841345639731870694), feed updated 2024-03-20T22:07:24.744+07:00</p><p>Another Error code 0x80070643 when installing Microsoft Defender for Identity sensor (published 2024-01-02T17:31:00.006+07:00, updated 2024-01-02T17:33:12.983+07:00)</p><div style="box-sizing: border-box; margin: 0px; text-align: left;"><p style="text-align: justify;"><span style="background-color: white; font-family: verdana;">Description:</span></p><span style="background-color: white; font-family: verdana;"><div style="text-align: justify;">You get another 0x80070643 error when installing the Microsoft Defender for Identity sensor. This time you don't use a proxy to connect to the internet, or you have made sure that no proxy issue is causing the error.</div><div style="text-align: justify;">In the Microsoft.Tri.Sensor.Updater log file you notice an error saying "PerformanceCounterLib System.InvalidOperationException: Category does not exist."</div><span face="SegoeUI, Lato, "Helvetica Neue", Helvetica, Arial, sans-serif"><div style="text-align: justify;">The Microsoft.Tri.Sensor.Deployment.Deployer log file also shows a "System.ServiceProcess.TimeoutException: Time out has expired and the operation has not been completed" exception.</div></span><span face="SegoeUI, Lato, "Helvetica Neue", Helvetica, Arial, sans-serif"><div style="text-align: justify;">When you run perfmon.exe you get an error popup saying "Unable to add several counters".</div></span><div style="text-align: justify;"><span face="SegoeUI, Lato, "Helvetica Neue", Helvetica, Arial, sans-serif"><br /></span></div></span></div><div style="box-sizing: border-box; margin: 0px; text-align: justify;"><span
style="background-color: white; font-family: verdana;">Resolution:</span></div><div style="box-sizing: border-box; margin: 0px; text-align: left;"><div style="text-align: justify;"><span face="SegoeUI, Lato, "Helvetica Neue", Helvetica, Arial, sans-serif" style="font-family: verdana;"><br /></span></div><span face="SegoeUI, Lato, "Helvetica Neue", Helvetica, Arial, sans-serif" style="background-color: white; font-family: verdana;"><div style="text-align: justify;">You need to rebuild the performance counters.</div><div style="text-align: justify;">1. Launch Command Prompt as Administrator.</div><div style="text-align: justify;">2. Change directory to "C:\WINDOWS\System32".</div><div style="text-align: justify;">3. Rebuild the resource counters by typing the command: lodctr /r</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Verify by running perfmon.exe again; it should start without an error.</div><div style="text-align: justify;">After that you should be able to install the MDI sensor.</div></span></div><p>Cannot Install PowerShell Module - Unable to find module repositories (published 2023-09-25T15:28:00.001+07:00, updated 2023-09-25T15:32:53.276+07:00)</p><p style="text-align: justify;"><span style="font-family: verdana;">Description:</span></p><p style="text-align: justify;"><span style="font-family: verdana;">You try to install a new PowerShell module, but you get an error saying "<span style="background-color: white; color: #333333;">No match was found for the specified search criteria and module name ' ' Try Get-PSRepository to see all available registered module repositories". 
However, when you run the Get-PSRepository command, you get "</span><span style="color: #333333;">Unable to find module repositories".</span></span></p><p style="text-align: justify;"><span style="color: #333333; font-family: verdana;">You have tried the following, but still have the problem:</span></p><p></p><ul style="text-align: left;"><li style="text-align: justify;"><span style="color: #333333; font-family: verdana;">Make sure to run as Administrator</span></li><li style="text-align: justify;"><span style="font-family: verdana;">Make sure to use TLS 1.2</span></li></ul><p></p><blockquote style="border: none; margin: 0px 0px 0px 40px; padding: 0px;"><p style="text-align: justify;"><span class="ui-provider a b c d e f g h i j k l m n o p q r s t u v w x y z ab ac ae af ag ah ai aj ak" dir="ltr"><span style="font-family: verdana; font-size: x-small;">[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12</span></span></p></blockquote><p></p><ul style="text-align: left;"><li style="text-align: justify;"><span style="font-family: verdana;">Unregister and register the repository</span></li><ul><li style="text-align: justify;"><span style="font-family: verdana; font-size: x-small;">Unregister-PSRepository -Name PSGallery</span></li><li style="text-align: justify;"><span style="font-family: verdana; font-size: x-small;">Register-PSRepository -Default</span></li></ul></ul><div style="text-align: justify;"><span style="font-family: verdana;">Resolution:</span></div><div style="text-align: justify;"><span style="font-family: verdana;">Make sure nothing is blocking the Internet connection (proxy). 
Switch to a different Internet connection and try to install again.</span></div><p></p><p>Modifying AdminSDHolder Permission Delegation (published 2023-09-25T14:43:00.003+07:00, updated 2023-09-25T15:29:31.484+07:00)</p><p style="text-align: left;"></p><div style="text-align: justify;"><span style="font-family: verdana;">Description:</span></div><span style="font-family: verdana;"><div style="text-align: justify;"><br /></div><div style="text-align: justify;">You want to delegate permission to write a certain user attribute for members of protected groups in Active Directory to "normal" users. You have added the permission on the AdminSDHolder container through the GUI for those "normal" users. However, during testing, you find that the "normal" users are still unable to modify the attribute on users in the protected groups.</div></span><span style="font-family: verdana;"><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Resolution:</div></span><span style="font-family: verdana;"><div style="text-align: justify;"><br /></div><div style="text-align: justify;">You need to use the command line instead of the GUI.</div></span><span style="font-family: verdana;"><div style="text-align: justify;"><span style="background-color: white; color: #232629;">In order to grant access to a specific user object attribute, for example </span><code style="border-radius: var(--br-sm); border: 0px; box-sizing: inherit; color: #232629; font-feature-settings: inherit; font-kerning: inherit; font-optical-sizing: inherit; font-stretch: inherit; font-variant-alternates: inherit; font-variant-east-asian: inherit; font-variant-numeric: inherit; font-variation-settings: inherit; line-height: inherit; margin: 0px; padding: var(--su2) var(--su4); vertical-align: baseline; white-space-collapse: preserve;">department</code><span style="background-color: white; color: #232629;">, 
use </span><code style="border-radius: var(--br-sm); border: 0px; box-sizing: inherit; color: #232629; font-feature-settings: inherit; font-kerning: inherit; font-optical-sizing: inherit; font-stretch: inherit; font-variant-alternates: inherit; font-variant-east-asian: inherit; font-variant-numeric: inherit; font-variation-settings: inherit; line-height: inherit; margin: 0px; padding: var(--su2) var(--su4); vertical-align: baseline; white-space-collapse: preserve;">dsacls</code><span style="background-color: white; color: #232629;">:</span></div></span><span class="ui-provider a b c d e f g h i j k l m n o p q r s t u v w x y z ab ac ae af ag ah ai aj ak" dir="ltr"><div style="text-align: justify;"><span style="font-family: verdana;">dsacls "CN=AdminSDHolder,CN=System,DC=example,DC=com" /G Allow-User-Management:WP;department;</span></div></span><p></p><p>Using Microsoft Graph to Find Inactive Guest Users in Azure Active Directory (published 2023-08-25T11:52:00.000+07:00, updated 2023-08-25T11:52:11.373+07:00)</p><span style="font-family: verdana;">Description:</span><div><span style="font-family: verdana;"><br /></span></div><div><span style="font-family: verdana;">You have been using Azure Active Directory for a while. Now you notice you have several "external - guest" users listed in your Azure AD users. 
You need to gather the list of inactive guest user accounts.</span></div><div><span style="font-family: verdana;"><br /></span></div><div><span style="font-family: verdana;">Resolution:</span></div><div><span style="font-family: verdana;"><br /></span></div><div><span style="font-family: verdana;">We can try to get the list of inactive users by using Microsoft Graph.</span></div><div><span class="ui-provider a b c d e f g h i j k l m n o p q r s t u v w x y z ab ac ae af ag ah ai aj ak" dir="ltr"><span style="font-family: verdana;"><p>Connect-MgGraph -Scopes "User.Read.All","AuditLog.Read.All"</p><p># Log on using a Global Admin account</p><p># -All pages through every matching user; without it only the first page of results is returned</p><p>$guestUsers = Get-MgUser -All -Filter "userType eq 'Guest' and accountEnabled eq true" -Property DisplayName, UserPrincipalName, SignInActivity, CreatedDateTime</p><p>
# Inactive: last sign-in more than 90 days ago, or no sign-in recorded</p><p>$inactiveGuestUsers = $guestUsers | Where-Object {($_.SignInActivity.LastSignInDateTime -lt (Get-Date).AddDays(-90)) -or ($null -eq $_.SignInActivity.LastSignInDateTime)}</p><p># Display the list of inactive guest users</p><p>
$inactiveGuestUsers | Select-Object DisplayName, UserPrincipalName, @{Name="LastSignInDateTime"; Expression={$_.SignInActivity.LastSignInDateTime}}, CreatedDateTime</p></span></span></div><p>Windows 2019 NPS Server Firewall Exclusion (published 2023-08-25T11:42:00.001+07:00, updated 2023-08-25T11:42:18.597+07:00)</p><p><span style="font-family: verdana;">Description:</span></p><p><span style="font-family: verdana;">You have completed the NPS configuration using Windows Server 2019. You have configured the correct secrets on the VPN servers. You have also made sure there's no network firewall between the VPN server and the NPS server.</span></p><p><span style="font-family: verdana;">However, client machines cannot connect to the VPN, and you cannot see the traffic reaching the NPS server. There's nothing in the NPS server event viewer.</span></p><p><span style="font-family: verdana;">Resolution:</span></p><p><span style="background-color: white; color: #333333;"><span style="font-family: verdana;">On the NPS server, open a command prompt with elevated permissions and type:</span></span></p><p><span style="background-color: white; color: #333333;"><span style="font-family: verdana;"><i>sc sidtype IAS unrestricted</i></span></span></p><p><span style="background-color: white; color: #333333;"><span style="font-family: verdana;">Restart the server after that.</span></span></p><p style="background-color: white; box-sizing: inherit; color: #161616; margin: 1rem 0px 0px; outline-color: inherit; overflow-wrap: break-word; padding: 0px;"><span style="font-family: verdana;">Windows Defender Firewall on the NPS should be automatically configured with exceptions, during the installation of NPS, to allow this RADIUS traffic to be sent and received.</span></p><p style="background-color: white; box-sizing: inherit; color: #161616; margin: 1rem 0px 0px; outline-color: inherit; 
overflow-wrap: break-word; padding: 0px;"><span style="font-family: verdana;">With Server 2019 this firewall exception requires a modification to the service account security identifier to effectively detect and allow RADIUS traffic. If this security identifier change is not executed, the firewall will drop RADIUS traffic. The above command changes the IAS (RADIUS) service to use a unique SID instead of sharing one with other NETWORK SERVICE services.</span></p><p>Failed F5 Big-IQ connection to Azure MFA (published 2023-07-24T16:52:00.005+07:00, updated 2023-07-24T16:52:46.158+07:00)</p><div style="text-align: left;"><span style="font-family: verdana;">Description</span></div><div style="text-align: left;"><span style="font-family: verdana;"><br />You have set up Azure MFA with the NPS Extension in your organization. You have made sure the firewall from and to your NPS server is configured properly. You have also made sure the internet connection from the NPS server to Azure MFA is working properly.<br />Now you want to test the connection from your F5 Big-IQ to the NPS server. However, you get an error saying "Failed while connecting to radius server, server responded with: Access-Challenge". </span></div><div style="text-align: left;"><span style="font-family: verdana;">You also notice that there is no authentication challenge or prompt in the Microsoft Authenticator app. 
</span></div><div style="text-align: left;"><span style="font-family: verdana;">In the event viewer you can see the following: <span style="font-size: x-small;">"</span><span style="background-color: white; box-sizing: inherit; color: #161616; outline-color: inherit;"><span style="font-size: x-small;">NPS Extension for Azure MFA: CID xxxxx : Challenge requested in Authentication Ext for user Domain\UserName with state xxxxx".</span><br /></span><span style="background-color: white; box-sizing: inherit; color: #161616; outline-color: inherit;"><br /></span></span></div><div style="text-align: left;"><span style="font-family: verdana;"><span style="background-color: white; box-sizing: inherit; color: #161616; outline-color: inherit;">Resolution<br /></span><span style="background-color: white; box-sizing: inherit; color: #161616; outline-color: inherit;"><br /></span></span></div><div style="text-align: left;"><span style="font-family: verdana;"><span style="background-color: white; box-sizing: inherit; color: #161616; outline-color: inherit;">With NPS extension version 1.2.2216.1 or later, users are prompted to sign in with a TOTP method instead of <span style="box-sizing: inherit; outline-color: inherit;">Approve</span>/<span style="box-sizing: inherit; outline-color: inherit;">Deny. 
If the client doesn't support it, take the following steps to return to the Approve/Deny behavior.<br /></span></span><span style="background-color: white; color: #161616;">On the NPS server, open the Registry Editor.</span></span></div><div style="text-align: left;"><span style="background-color: white; color: #161616; font-family: verdana;"><br /></span></div><div style="text-align: left;"><ol><li><span style="background-color: white; color: #161616; font-family: verdana;">Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa.</span></li><li><span style="background-color: white; color: #161616; font-family: verdana;">Create the following String/Value pair:</span></li></ol></div><div style="text-align: left;"><ol style="text-align: left;"><ol><li style="box-sizing: inherit; list-style: disc; margin: 0px; outline-color: inherit; outline-style: initial; outline-width: 0px; padding: 0px;"><span style="font-family: verdana;">Name: OVERRIDE_NUMBER_MATCHING_WITH_OTP</span></li><li style="box-sizing: inherit; list-style: disc; margin: 0px; outline-color: inherit; outline-style: initial; outline-width: 0px; padding: 0px;"><span style="font-family: verdana;">Value = FALSE</span></li></ol></ol><span style="font-family: verdana;">Restart the NPS service.</span></div><p>Cannot Delete DNS Zone - Access was Denied (published 2023-03-11T15:55:00.004+07:00, updated 2023-03-11T15:55:40.900+07:00)</p><div style="text-align: justify;"><span style="font-family: verdana;">Description:</span></div><div><div style="text-align: justify;"><span style="font-family: verdana;"><br /></span></div><div style="text-align: justify;"><span style="font-family: verdana;">You have several DNS zones listed on your Active Directory-integrated DNS server.</span></div><div style="text-align: justify;"><span style="font-family: verdana;">One day, you want to remove one of the DNS zones 
there. However, you get an error message saying "Access was Denied".</span></div><div style="text-align: justify;"><span style="font-family: verdana;">You are already using a Domain Admins account.</span></div><div style="text-align: justify;"><span style="font-family: verdana;"><br /></span></div><div style="text-align: justify;"><span style="font-family: verdana;">Resolution:</span></div><div style="text-align: justify;"><span style="font-family: verdana;"><br /></span></div><div style="text-align: justify;"><span style="font-family: verdana;">You or another admin probably already enabled protection from accidental deletion for those DNS zones.</span></div><div style="text-align: justify;"><span style="font-family: verdana;">In the DNS Manager console, go to the DNS zone that you want to delete. Open its properties and go to the Security tab. Open Advanced and edit the Everyone (Deny) permission. Remove the check marks on the Delete Objects and Delete All Child Objects permissions. Click Apply, then click OK.</span></div><div style="text-align: justify;"><span style="font-family: verdana;">You should now be able to delete the DNS zone.</span></div></div><p>How to Fix "Trust Relationship Failed" error without Rejoin Domain (published 2023-03-11T15:21:00.001+07:00, updated 2023-03-11T15:36:34.951+07:00)</p><p style="text-align: left;"><span style="font-family: verdana;">Description:</span></p><p style="text-align: left;"><span style="font-family: verdana;"><br /></span><span style="font-family: verdana;">One of your users suddenly sees the error message "Trust Relationship Between This Workstation And The Primary Domain Failed" when trying to log on to their machine.<br /></span><span style="font-family: verdana;">You have verified that the computer account exists in Active Directory. 
DNS settings are correct and there's no problem with ports or networking.<br /></span><span style="font-family: verdana;">You wish to remediate the issue without having to disjoin and rejoin the computer to the domain.<br /></span><span style="font-family: verdana;"><br /></span></p><p style="text-align: left;"><span style="font-family: verdana;">Resolution:<br /></span><span style="font-family: verdana;"><br /></span></p><p style="text-align: left;"><span style="font-family: verdana;">On the problematic machine, log on using local admin credentials. Open PowerShell as Administrator. <br /></span><span style="font-family: verdana;">Type the following:<br /></span><span style="font-family: verdana;">Reset-ComputerMachinePassword -Server DomainController -Credential DomainAdmin</span></p><p style="text-align: left;"><span style="font-family: verdana;">If the command completes successfully, log off and try to log on again.</span></p><p>Migrate from Windows Hello to Windows Hello For Business (WHFB) (published 2023-03-05T21:09:00.002+07:00, updated 2023-03-05T21:09:06.479+07:00)</p><div style="text-align: left;"><span style="font-family: verdana;">Description:</span></div><div style="text-align: left;"><span style="font-family: verdana;"><br /></span><span style="font-family: verdana;">You have deployed Windows Hello in the past to several machines in the organization. Recently you received direction from management to deploy Windows Hello For Business (WHFB) for your organization. <br /></span><span style="font-family: verdana;">You have enabled the Hybrid Cloud Kerberos trust and configured the required group policy. However, on the test machine, no WHFB provisioning prompt appears. 
You have tried restarting and made sure the WHFB group policy applies correctly.<br /></span><span style="font-family: verdana;"><br /></span></div><div style="text-align: left;"><span style="font-family: verdana;">Resolution:<br /></span><span style="font-family: verdana;"><br /></span></div><div style="text-align: left;"><span style="font-family: verdana;">Since you previously deployed Windows Hello, you need to make sure the "old" policy is disabled.<br /></span><span style="font-family: verdana;">Go to <span style="background-color: white; color: #2a2a2a;">"Computer Configuration\Administrative Templates\System\Logon\Turn on convenience PIN sign-in". Make sure it is Disabled.</span></span></div><p>Multiple Prompt when creating Azure AD Kerberos Server object (published 2023-03-05T10:54:00.001+07:00, updated 2023-03-05T10:54:21.281+07:00)</p><p style="text-align: left;"><span style="font-family: verdana;">Description:</span></p><p style="text-align: left;"><span style="font-family: verdana;">You want to deploy Windows Hello For Business with the Hybrid Cloud Kerberos trust type in your environment.<br /></span><span style="font-family: verdana;">You have met all the required prerequisites. However, when trying to create the Azure AD Kerberos Server object using the PowerShell commands below, you encounter multiple prompts asking for Azure AD credentials.</span></p><div style="text-align: left;"><span style="font-family: times;"># Specify the on-premises Active Directory domain. 
A new Azure AD<br /># Kerberos Server object will be created in this Active Directory domain.<br />$domain = $env:USERDNSDOMAIN<br /># Enter an Azure Active Directory global administrator username and password.<br />$cloudCred = Get-Credential -Message 'An Active Directory user who is a member of the Global Administrators group for Azure AD.'<br /># Enter a domain administrator username and password.<br />$domainCred = Get-Credential -Message 'An Active Directory user who is a member of the Domain Admins group.'<br /># Create the new Azure AD Kerberos Server object in Active Directory<br /># and then publish it to Azure Active Directory.<br />Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred</span></div><p style="text-align: left;"><span style="font-family: verdana; font-size: x-small;"></span></p><p style="text-align: left;"><span style="font-family: verdana;">Resolution:</span></p><p style="text-align: left;"><span style="font-family: verdana;">Make sure the Azure AD Global Administrator account that you are using during configuration is not included in any Azure AD Conditional Access rules. You may also need to close the previous PowerShell session and try again.</span></p><p>ADRMS and SharePoint IRM Integration Error - 0x80020009 (published 2022-10-22T14:30:00.005+07:00, updated 2022-10-22T14:31:38.387+07:00)</p><p style="text-align: left;"><span style="font-family: verdana;">Description:</span></p><p style="text-align: left;"><span style="font-family: verdana;">You have configured ADRMS properly in your environment. Now you want to make SharePoint use ADRMS. 
In SharePoint Central Admin, you specify the location of the RMS server.</span></p><p style="text-align: left;"><span style="font-family: verdana;">However, when you try to open a document protected with RMS, a pop-up error says it couldn't find the document. In the SharePoint event viewer you see the following errors:</span></p><span class="ui-provider afc b c d e f g h i j k l m n o p q r s t u v w x y z ab ac ae af ag ah ai aj ak" dir="ltr"><span style="white-space: pre-wrap;"><p><span style="font-family: verdana; font-size: x-small;">Information Rights Management (IRM): There was a problem while ensure IRM client. Status value: -1, error value: 0x80020009.</span></p></span><p style="text-align: left;"><span style="white-space: pre-wrap;"><span style="font-family: verdana; font-size: x-small;">[Information Rights Management (IRM): There was a problem while creating the generic issuance license template.</span></span></p><span style="white-space: pre-wrap;"><p style="text-align: left;"><span style="font-family: verdana; font-size: x-small;">All issuance licenses for protected documents are constructed from a generic, base issuance license template.</span></p><p style="text-align: left;"><span style="font-family: verdana; font-size: x-small;">Additional Data</span></p><p style="text-align: left;"><span style="font-family: verdana; font-size: x-small;">Error value: 0x800704DC</span></p><p style="text-align: left;"><span style="font-family: verdana;">Resolution:</span></p><p style="text-align: left;"><span style="font-family: verdana;">Go to SharePoint Central Admin and make sure you have selected or typed in the correct RMS cluster server address. 
Use HTTPS instead of HTTP when typing the RMS cluster address.</span></p></span></span><p>Sample SQL Script to Update ADRMS Configuration Database during Parallels Upgrade (published 2022-10-22T11:40:00.005+07:00, updated 2022-10-22T11:40:52.909+07:00)</p><p style="text-align: left;"><span style="font-family: verdana;"><code style="color: #006699; font-size: 12.1104px; font-weight: bold;">UPDATE</code><span style="background-color: white; color: #2a2a2a; font-size: 12.1104px;"> </span><code style="font-size: 12.1104px;">[dbo].[DRMS_ClusterPolicies]</code></span></p><p style="background-color: white; color: #2a2a2a; font-size: 12.1104px; text-align: left;"><span style="font-family: verdana;"><code style="color: #006699; font-weight: bold;">SET</code> <code style="color: black;">PolicyData = </code><code style="color: blue;">''</code> <code style="color: #008200;">--(your new string with updated information goes between the ' ' )<br /></code><code style="color: #006699; font-weight: bold;">WHERE</code> <code style="color: black;">PolicyName=</code><code style="color: blue;">'CertificationUserKeyStorageConnectionString'<br /></code> <br /><code style="color: #006699; font-weight: bold;">UPDATE</code> <code style="color: black;">[dbo].[DRMS_ClusterPolicies]<br /></code><code style="color: #006699; font-weight: bold;">SET</code> <code style="color: black;">PolicyData = </code><code style="color: blue;">''</code> <code style="color: #008200;">--(your new string with updated information goes between the ' ' )<br /></code><code style="color: #006699; font-weight: bold;">WHERE</code> <code style="color: black;">PolicyName=</code><code style="color: blue;">'DirectoryServicesCacheDatabase'<br /></code> <br /><code style="color: #006699; font-weight: bold;">UPDATE</code> <code style="color: black;">[dbo].[DRMS_ClusterPolicies]<br /></code><code style="color: 
#006699; font-weight: bold;">SET</code> <code style="color: black;">PolicyData = </code><code style="color: blue;">''</code> <code style="color: #008200;">--(your new string with updated information goes between the ' ' )<br /></code><code style="color: #006699; font-weight: bold;">WHERE</code> <code style="color: black;">PolicyName=</code><code style="color: blue;">'LoggingDatabaseServer'</code></span></p><p>Update AD RMS Config Database using SQL Server Management Studio during Parallels Upgrade (published 2022-10-22T11:33:00.000+07:00, updated 2022-10-22T11:33:00.403+07:00)</p><p><span style="font-family: verdana;">Description:</span></p><p><span style="font-family: verdana;">During an AD RMS parallel upgrade, you need to modify the restored database to point to the new database servers.</span></p><p><span style="font-family: verdana;">Resolution:</span></p><p></p><ol style="text-align: left;"><li><span style="font-family: verdana;">Log on to the AD RMS configuration database server as local Administrator or another user account that is a member of the local Administrators group.</span></li><li><span style="font-family: verdana;">Click Start, point to All Programs, point to Microsoft SQL Server 2012, and then click SQL Server Management Studio.</span></li><li><span style="font-family: verdana;">On the Connect to Server page, ensure that the new database server name is listed in the Server name box, and then click Connect.</span></li><li><span style="font-family: verdana;">Expand Databases, expand DRMS_Config_<RMS cluster name>_<Port>, and then expand Tables.</span></li><li><span style="font-family: verdana;">Right-click DRMS_ClusterPolicies, and then click Open Table.</span></li><li><span style="font-family: verdana;">In the results pane, change the value in the PolicyData column of the LoggingDatabaseServer row to the new RMS database server 
name.</span></li><li><span style="font-family: verdana;">Change the value in the PolicyData column of the CertificationUserKeyStorageConnectionString row to reflect the new database server. The value should be data source=<new database server name>;integrated where <new database server name> is the name of the new database server.</span></li><li><span style="font-family: verdana;">Repeat steps 6–7 for the value in the PolicyData column of the DirectoryServicesCacheDatabase row.</span></li><li><span style="font-family: verdana;">Close Microsoft SQL Server Management Studio.</span></li></ol><p></p><p>Active Directory Rights Management Services - Parallels Upgrade (published 2022-10-22T11:25:00.001+07:00, updated 2022-10-22T11:25:27.498+07:00)</p><p style="text-align: left;"><span style="font-family: verdana;">Description:<br /></span><span style="font-family: verdana;">You have Active Directory Rights Management Services (ADRMS) deployed in your IT environment. You need to upgrade the version of ADRMS, the Windows OS, and the database to new Windows 2019 and SQL 2019 machines with minimal downtime and minimal risk.<br /></span><span style="font-family: verdana;">You decide to do a parallel upgrade.</span><span style="font-family: verdana;"><br /></span><span style="font-family: verdana;"><br /></span></p><p style="text-align: left;"><span style="font-family: verdana;">Resolution:</span></p><p style="text-align: left;"><span style="font-family: verdana;">You need to perform the following:</span></p><p style="text-align: left;"></p><ol style="text-align: left;"><li><span style="font-family: verdana;">Prepare the new Windows 2019 OS and SQL 2019 databases on different machines. 
Install all the necessary patches.</span></li><li><span style="font-family: verdana;">Back up the existing AD RMS database.</span></li><li><span style="font-family: verdana;">Restore the AD RMS databases to a new location (new instance, new SQL server, etc.).</span></li><li><span style="font-family: verdana;">The following SQL changes must be made on the restored databases.</span></li><ul><li><span style="font-family: verdana;">Database: DRMS_Config</span></li><li><span style="font-family: verdana;">Table: DRMS_ClusterPolicies</span></li><li><span style="font-family: verdana;">PolicyName entries in which the PolicyData value needs to reflect the new SQL connection string information.</span></li><ul><li><span style="font-family: verdana;">LoggingDatabaseServer</span></li><li><span style="font-family: verdana;">CertificationUserKeyStorageConnectionString</span></li><li><span style="font-family: verdana;">DirectoryServicesCacheDatabase</span></li></ul></ul><li><span style="font-family: verdana;">Build a new Windows Server of the desired version for the AD RMS cluster upgrade.</span></li><li><span style="font-family: verdana;">Add the AD RMS role.</span></li><li><span style="font-family: verdana;">When you reach the role configuration, choose the “join an existing cluster” option.</span></li><li><span style="font-family: verdana;">At the SQL database dialog, enter the NEWLY RESTORED SQL database location, not the actual production database currently in use.</span></li><li><span style="font-family: verdana;">Complete the role configuration using all the same settings, service accounts, etc.</span></li><li><span style="font-family: verdana;">Edit the NTFS permissions on the new AD RMS server's "C:\inetpub\wwwroot\_wmcs\certification\ServerCertification.asmx" file. 
Configure the same permissions as on the existing AD RMS server.</span></li></ol><p></p><div style="text-align: left;"><br /></div>Tom Bhttp://www.blogger.com/profile/05841345639731870694noreply@blogger.com0tag:blogger.com,1999:blog-2892140782282269013.post-46436769277970581372022-10-20T14:37:00.002+07:002022-10-20T14:37:24.968+07:00PowerShell Command to Identify Local Admin Account<p><span style="font-family: verdana;">Description:</span></p><p><span style="font-family: verdana;">You have several local accounts on your computer. One day, you need to find out which one is the real local Admin account.</span></p><p><span style="font-family: verdana;">Resolution:</span></p><p><span style="font-family: verdana;">You can run the following PowerShell command on the local computer:</span></p><p><span style="font-family: verdana;">Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount = TRUE and SID like 'S-1-5-%-500'"</span></p><p><span style="font-family: verdana;">The filter matches the local account whose SID ends in the relative identifier (RID) 500, which is the built-in Administrator account even if it has been renamed.</span></p>Tom Bhttp://www.blogger.com/profile/05841345639731870694noreply@blogger.com0tag:blogger.com,1999:blog-2892140782282269013.post-66957114153095744362022-06-03T10:52:00.002+07:002022-06-03T10:54:07.309+07:00Cannot Publish or Missing Certificates Template<p style="text-align: left;"><span style="font-family: verdana;">Description:<br /></span><span style="font-family: verdana;"><br /></span></p><p style="text-align: left;"><span style="font-family: verdana;">You created a certificate template in your Windows Enterprise CA. However, when you try to publish it, you cannot see the template in the "Enable Certificate Templates" wizard. 
All other Certification Authority functions work normally, and you are using an account that has the proper permissions.</span></p><p style="text-align: left;"><span style="font-family: verdana;"><br /></span><span style="font-family: verdana;">Resolution:<br /></span><span style="font-family: verdana;"><br /></span></p><p style="text-align: left;"><span style="font-family: verdana;">Try the following command:<br /></span><span style="font-family: verdana;">Certutil -setcatemplates +<i>templatename</i></span></p><p style="text-align: left;"><span style="font-family: verdana;"><i><br /></i></span><i><span style="font-family: verdana;">Note: The plus (+) sign is mandatory. Without it, the command replaces all of the other published templates.</span></i></p>Tom Bhttp://www.blogger.com/profile/05841345639731870694noreply@blogger.com0tag:blogger.com,1999:blog-2892140782282269013.post-33355717681785427192022-06-03T10:27:00.007+07:002022-06-03T10:30:13.811+07:00Error while creating Windows 2016 Cluster at "Find a suitable Domain Controller"<div style="background-color: white; border: none; color: #2a2a2a; list-style-type: none; margin: 0px 0px 1em; outline: 0px; padding: 0px; text-align: left;"><span style="font-family: verdana;">Description:</span></div><div style="background-color: white; border: none; color: #2a2a2a; list-style-type: none; margin: 0px 0px 1em; outline: 0px; padding: 0px; text-align: left;"><span style="font-family: verdana;"><br />You want to create a Windows 2016 cluster in a Windows 2012 R2 domain. You run the wizard, but it encounters an error and the cluster cannot be created. <br /><br /></span></div><div style="background-color: white; border: none; color: #2a2a2a; list-style-type: none; margin: 0px 0px 1em; outline: 0px; padding: 0px; text-align: left;"><span style="font-family: verdana;">During investigation, you see several error messages such as:<br />"Check whether the computer object "clustername" for node "hostnameFQDN" exists in the domain. 
More data is available".<br /><br /></span></div><div style="background-color: white; border: none; color: #2a2a2a; list-style-type: none; margin: 0px 0px 1em; outline: 0px; padding: 0px; text-align: left;"><span style="font-family: verdana;">In Event Viewer (after enabling the debug log) you can see:<br /><span lang="EN-US" style="border: 0px; font-style: inherit; margin: 0px; outline: 0px; padding: 0px;">"Failed to find suitable DC. Error 234"<br /></span><span lang="EN-US" style="border: 0px; font-style: inherit; margin: 0px; outline: 0px; padding: 0px;">"Searching for object "clustername" on first choice DC failed. Error 234"<br /></span><span style="font-style: inherit;">"Couldn't resolve RPC binding to cluster, Status = 1753"<br /></span><br /></span></div><div style="background-color: white; border: none; color: #2a2a2a; list-style-type: none; margin: 0px 0px 1em; outline: 0px; padding: 0px; text-align: left;"><span style="font-family: verdana;">You then run the Cluster Validation wizard, but everything seems to pass. You validate that the required AD permissions for the user account creating the cluster are already met. You also verify that the Group Policy setting for "D<span style="background-color: white; border: 0px; color: #2a2a2a; margin: 0px; outline: 0px; padding: 0px;">eny Access to this computer from the Network" is correct. 
You check the network port requirements and verify that all the necessary ports are open.</span></span></div><div style="background-color: white; border: none; color: #2a2a2a; list-style-type: none; margin: 0px 0px 1em; outline: 0px; padding: 0px; text-align: left;"><span style="font-family: verdana;"><span style="background-color: white; border: 0px; color: #2a2a2a; margin: 0px; outline: 0px; padding: 0px;"><br /></span>Resolution:</span></div><div style="background-color: white; border: none; color: #2a2a2a; list-style-type: none; margin: 0px 0px 1em; outline: 0px; padding: 0px; text-align: left;"><span style="font-family: verdana;"><br />First, verify the DNS records on your DNS server, especially the records for all of your domain controllers. Make sure the zones required by Active Directory have the correct NS records, CNAME records, A records, and SRV records. Remove the stale records for old or unknown broken domain controllers.</span></div><div style="background-color: white; border: none; color: #2a2a2a; list-style-type: none; margin: 0px 0px 1em; outline: 0px; padding: 0px; text-align: left;"><span style="font-family: verdana;"><br />Second, check the application partitions (DomainDnsZones and ForestDnsZones) in your Active Directory. Use ADSIedit to connect to the application partition and try to browse the content. 
If you encounter an error, you may need to delete the application partition using NTDSUtil.</span></div><div style="background-color: white; border: none; color: #2a2a2a; list-style-type: none; margin: 0px 0px 1em; outline: 0px; padding: 0px; text-align: left;"><span style="font-family: verdana;">You should be able to create the Windows Cluster afterwards.</span></div>Tom Bhttp://www.blogger.com/profile/05841345639731870694noreply@blogger.com0tag:blogger.com,1999:blog-2892140782282269013.post-24895938174083676072022-04-09T21:08:00.000+07:002022-04-09T21:08:06.069+07:00Error Event ID 345 on ADFS Server<p style="text-align: justify;"><span style="font-family: verdana;">Description:</span></p><p style="text-align: justify;"><span style="font-family: verdana;">You recently upgraded your ADFS to a newer OS version. After a while you notice Event ID 345 on one of the secondary ADFS servers. It says "There was a communication error during AD FS configuration database synchronization. Synchronization of the data from primary federation server to a secondary federation server did not occur". 
You are sure that all of the network port requirements are met.</span></p><p style="text-align: left;"></p><p style="clear: both; text-align: center;"></p><div style="text-align: justify;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgJhX6vNFedlJ-uc_t5c2TR3u3XI6JtctDWgnPESRmRxR-IXaCD89dNUtHMg6qEZUGSp3dgdiR-W8iRd3kXk1RVyJx4kGaYmrmD0q9UhYU1jp8dh0fFjAwlCDL1t9YTORVlXxY_B9BXsilcXKg2qke1r7bVeOxxyf2UQEtHYFr8PNAMt_5E64ytoymhIw" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: verdana;"><img data-original-height="181" data-original-width="1051" height="110" src="https://blogger.googleusercontent.com/img/a/AVvXsEgJhX6vNFedlJ-uc_t5c2TR3u3XI6JtctDWgnPESRmRxR-IXaCD89dNUtHMg6qEZUGSp3dgdiR-W8iRd3kXk1RVyJx4kGaYmrmD0q9UhYU1jp8dh0fFjAwlCDL1t9YTORVlXxY_B9BXsilcXKg2qke1r7bVeOxxyf2UQEtHYFr8PNAMt_5E64ytoymhIw=w640-h110" width="640" /></span></a></div><span style="font-family: verdana;"><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Resolution:</div></span><p></p><p style="text-align: left;"></p><p style="text-align: justify;"><span style="font-family: verdana;">The previous ADFS upgrade process somehow left the farm behavior level (FBL) on the secondary server out of step with the FBL on the primary server.</span></p><p style="text-align: justify;"><span style="font-family: verdana;">We need to remove the ADFS role and the WID database feature on the problematic secondary ADFS server. After that, re-install the ADFS role and finish the post configuration. 
</span></p><p style="text-align: justify;"><span style="font-family: verdana;">The secondary server will then use the correct version of the ADFS configuration database, and synchronization will work as expected.</span></p><p><br /></p>Tom Bhttp://www.blogger.com/profile/05841345639731870694noreply@blogger.com0tag:blogger.com,1999:blog-2892140782282269013.post-44368568726104202572022-02-03T22:25:00.002+07:002022-02-03T22:25:21.390+07:00DNS Event 4015 on Windows 2012 R2 Domain Controller<p style="text-align: left;"><span style="font-family: verdana;">Description:</span></p><p style="text-align: left;"><span style="font-family: verdana;">On a DNS server that is also a domain controller, you notice that Event Viewer is full of the following error.</span></p><p style="text-align: left;"><span class="ods_si_code_example" style="background-color: white; white-space: pre;"><span style="font-family: verdana;">T<span style="font-size: x-small;">he DNS server has encountered a critical error from the Active Directory. <br /></span></span></span><span style="font-size: x-small;"><span class="ods_si_code_example" style="background-color: white; white-space: pre;"><span style="font-family: verdana;">Check that the Active Directory is functioning properly. 
<br /></span></span><span style="font-family: verdana;"><span class="ods_si_code_example" style="background-color: white; white-space: pre;">The extended error debug information (which may be empty) is </span></span></span><span style="font-family: verdana; font-size: small;"><span class="ods_si_code_example" style="background-color: white; white-space: pre;">0000051B: AtrErr: DSID-031508EF, #1:</span></span><span style="font-family: verdana; font-size: small;"><span class="ods_si_code_example" style="background-color: white; white-space: pre;">0: 0000051B: DSID-031508EF, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, </span></span><span style="background-color: white; font-family: verdana; font-size: small; white-space: pre;">Att 20119 (nTSecurityDescriptor).</span></p><p style="text-align: left;"><span style="background-color: white; font-family: verdana; white-space: pre;">Resolution:</span></p><p style="text-align: left;"><span style="font-family: verdana;"><span style="background-color: white;">Enable AD diagnostic logging: </span><span style="background-color: white;">set the</span><span style="background-color: white;"> </span><span class="ods_si_emphasis_bold" style="background-color: white; font-weight: 700;">Directory access</span><span style="background-color: white;"> </span><span style="background-color: white;">key to the value</span><span style="background-color: white;"> </span><span class="ods_si_emphasis_bold" style="background-color: white; font-weight: 700;">5</span><span style="background-color: white;">.<br /></span></span><span style="font-family: verdana;"><span style="background-color: white;">Look for Event ID 1175 in Event Viewer and note the object distinguished name. 
You may need to c</span><span style="background-color: white;">hange the ownership of that AD object to </span><span class="ods_si_emphasis_bold" style="background-color: white; font-weight: 700;">SYSTEM</span><span style="background-color: white;"> </span><span style="background-color: white;">and restart the DNS service on the domain controller.</span></span></p>Tom Bhttp://www.blogger.com/profile/05841345639731870694noreply@blogger.com0tag:blogger.com,1999:blog-2892140782282269013.post-79583710950633995982022-02-03T22:10:00.000+07:002022-02-03T22:10:12.488+07:00ADFS Error - MSIS8022: Unable to find the specified user account.<p><span style="font-family: verdana;">Description:</span></p><p><span style="font-family: verdana;">You see several errors in Event Viewer on the ADFS server. The error says "<span style="background-color: white; color: #333333;">MSIS8022: Unable to find the specified user account."</span></span></p><p><span style="font-family: verdana;">Resolution:</span></p><p><span style="font-family: verdana;">First, always double-check the user name and make sure the account exists in Active Directory. After that, check the Extranet Lockout feature in ADFS.</span></p><p><span style="background-color: white; color: #333333;"><span style="font-family: verdana;">When Extranet Lockout is enabled, ADFS needs to query the badPwdCount attribute of the user, so it tries to look for it in AD before even trying to authenticate. 
If the user does not exist, you get this error message.</span></span></p>Tom Bhttp://www.blogger.com/profile/05841345639731870694noreply@blogger.com0tag:blogger.com,1999:blog-2892140782282269013.post-27540052441593342212022-02-03T21:36:00.007+07:002022-06-03T10:55:15.283+07:00WAP and ADFS trust certificate lifetime<p><span style="background-color: white; color: #747474; font-family: verdana; font-size: 15px;">Description:</span></p><p><span style="background-color: white; color: #747474; font-family: verdana; font-size: 15px;">The proxy trust certificate between WAP and ADFS is a rolling certificate which is valid for 2 weeks and is periodically updated. It is stored in an internal, protected store, so we can't see it in any of the usual certificate stores. </span></p><p><span style="background-color: white; color: #747474; font-family: verdana; font-size: 15px;">What we see in the local machine store is the initial temporary certificate thumbprint used while the proxy trust is first being established. 
This explains why the WAP event log error included a strange, unknown certificate thumbprint.</span></p><p style="background-color: white; box-sizing: border-box; color: #747474; font-size: 15px; margin: 0px 0px 20px;"><span style="font-family: verdana;">If we leave our WAP server offline for more than 2 weeks, the proxy trust certificate will expire and we’ll need to re-initialise the proxy trust (Install-WebApplicationProxy cmdlet).</span></p><p style="background-color: white; box-sizing: border-box; color: #747474; font-size: 15px; margin: 0px 0px 20px;"><span style="font-family: verdana;">This can also happen when we move the VM’s configuration to another storage.</span></p><p style="background-color: white; box-sizing: border-box; color: #747474; font-size: 15px; margin: 0px 0px 20px;"><span style="font-family: verdana;">Resolution:</span></p><p style="background-color: white; box-sizing: border-box; color: #747474; font-size: 15px; margin: 0px 0px 20px;"><span style="font-family: verdana;">We can solve this issue by setting the following registry key to 1 on the WAP server and re-running post-install config from the Remote Management console:</span></p><p style="background-color: white; box-sizing: border-box; color: #747474; font-size: 15px; margin: 0px 0px 20px;"><span style="font-family: verdana;">HKLM\Software\Microsoft\ADFS</span></p><p style="background-color: white; box-sizing: border-box; color: #747474; font-size: 15px; margin: 0px 0px 20px;"><span style="font-family: verdana;">ProxyConfigurationStatus</span></p><ul style="background-color: white; box-sizing: border-box; color: #747474; font-size: 15px;"><li style="box-sizing: border-box;"><span style="font-family: verdana;">1 (not configured)</span></li><li style="box-sizing: border-box;"><span style="font-family: verdana;">2 (Web Application Proxy is configured)</span></li></ul>Tom 
Bhttp://www.blogger.com/profile/05841345639731870694noreply@blogger.com0tag:blogger.com,1999:blog-2892140782282269013.post-21949044152697202672022-01-25T21:30:00.002+07:002022-01-25T21:30:26.594+07:00Invalidate RID Pool Script<p> </p><p style="background-color: white; box-sizing: inherit; color: #171717; line-height: 1.3; margin: 32px 0px 12px -1.875rem; outline-color: inherit; padding: 0px 0px 0px 1.875rem; position: relative; text-align: left;"><span style="font-family: verdana; font-size: small;">To invalidate the current RID pool in Active Directory</span></p><p style="background-color: white; box-sizing: inherit; color: #171717; line-height: 1.3; margin: 32px 0px 12px -1.875rem; outline-color: inherit; padding: 0px 0px 0px 1.875rem; position: relative; text-align: left;"><span style="font-family: verdana;">Open an elevated Windows PowerShell session, run the following command and press ENTER:</span></p><div style="background-color: white; box-sizing: inherit; color: #171717; line-height: 1.3; margin: 32px 0px 12px -1.875rem; outline-color: inherit; padding: 0px 0px 0px 1.875rem; position: relative; text-align: left;"><span class="hljs-variable" style="background-color: var(--theme-code-block); box-sizing: inherit; font-family: verdana; outline-color: inherit; word-spacing: normal;">$Domain</span><span style="background-color: var(--theme-code-block); font-family: verdana; word-spacing: normal;"> = </span><span class="hljs-pscommand" style="background-color: var(--theme-code-block); box-sizing: inherit; color: #0101fd; font-family: verdana; outline-color: inherit; word-spacing: normal;">New-Object</span><span style="background-color: var(--theme-code-block); font-family: verdana; word-spacing: normal;"> System.DirectoryServices.DirectoryEntry<br /></span><span class="hljs-variable" style="box-sizing: inherit; font-family: verdana; outline-color: inherit;">$DomainSid</span><span style="font-family: verdana;"> = </span><span class="hljs-variable" 
style="box-sizing: inherit; font-family: verdana; outline-color: inherit;">$Domain</span><span style="font-family: verdana;">.objectSid<br /></span><span class="hljs-variable" style="box-sizing: inherit; font-family: verdana; outline-color: inherit;">$RootDSE</span><span style="font-family: verdana;"> = </span><span class="hljs-pscommand" style="box-sizing: inherit; color: #0101fd; font-family: verdana; outline-color: inherit;">New-Object </span><span style="font-family: verdana;">System.DirectoryServices.DirectoryEntry(</span><span class="hljs-string" style="box-sizing: inherit; color: #a31515; font-family: verdana; outline-color: inherit;">"LDAP://RootDSE"</span><span style="font-family: verdana;">)<br /></span><span class="hljs-variable" style="background-color: transparent; box-sizing: inherit; font-family: verdana; outline-color: inherit;">$RootDSE</span><span style="background-color: transparent; font-family: verdana;">.UsePropertyCache = </span><span class="hljs-literal" style="background-color: transparent; box-sizing: inherit; color: #07704a; font-family: verdana; outline-color: inherit;">$false<br /></span><span class="hljs-variable" style="background-color: transparent; box-sizing: inherit; font-family: verdana; outline-color: inherit;">$RootDSE</span><span style="background-color: transparent; font-family: verdana;">.Put(</span><span class="hljs-string" style="background-color: transparent; box-sizing: inherit; color: #a31515; font-family: verdana; outline-color: inherit;">"invalidateRidPool"</span><span style="background-color: transparent; font-family: verdana;">, </span><span class="hljs-variable" style="background-color: transparent; box-sizing: inherit; font-family: verdana; outline-color: inherit;">$DomainSid</span><span style="background-color: transparent; font-family: verdana;">.Value)</span><code class="lang-powershell" data-author-content="$Domain = New-Object System.DirectoryServices.DirectoryEntry
$DomainSid = $Domain.objectSid
$RootDSE = New-Object System.DirectoryServices.DirectoryEntry("LDAP://RootDSE")
$RootDSE.UsePropertyCache = $false
$RootDSE.Put("invalidateRidPool", $DomainSid.Value)
$RootDSE.SetInfo()
" style="border: 0px; box-sizing: inherit; direction: ltr; display: block; line-height: 1.3571; outline-color: inherit; padding: 0px; position: relative;"><span style="box-sizing: inherit; outline-color: inherit;"><span style="font-family: verdana;"><span class="hljs-variable" style="box-sizing: inherit; outline-color: inherit;">$RootDSE</span>.SetInfo()</span></span></code></div><p></p>Tom Bhttp://www.blogger.com/profile/05841345639731870694noreply@blogger.com0tag:blogger.com,1999:blog-2892140782282269013.post-59324959087313622332022-01-10T21:02:00.007+07:002022-01-10T21:03:53.403+07:00Cannot Install .Net Framework on Windows Server<p><span style="font-family: verdana;">Description:</span></p><p><span style="font-family: verdana;">You try to install .Net Framework 4.7.x to a Windows Server.</span></p><p><span style="font-family: verdana;">However the installation seems to be hang or stuck forever.</span></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYD6nWF3Nl-zdFEAmHXqsi4HmvugkPP1ERGURUpTP0DQdZzBJaQG47hjpbejpg3kNvXnVFuaV93mhNTc0DwPzyjXmscfl3gZhVf6n_reVUAr85uOmnYGzICxJQnj7bC0VeWeD9HX57s_vq/" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: verdana;"><img data-original-height="482" data-original-width="512" height="376" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYD6nWF3Nl-zdFEAmHXqsi4HmvugkPP1ERGURUpTP0DQdZzBJaQG47hjpbejpg3kNvXnVFuaV93mhNTc0DwPzyjXmscfl3gZhVf6n_reVUAr85uOmnYGzICxJQnj7bC0VeWeD9HX57s_vq/w400-h376/image.png" width="400" /></span></a></div><p><span style="font-family: verdana;">Resolution:</span></p><p></p><p><span style="font-family: verdana;">Go to "services.msc" and check for Windows Installer services. Make sure the services is running. If not, perform a manual start and wait for a while. 
The installation should continue and complete within a couple of minutes.</span></p>Tom Bhttp://www.blogger.com/profile/05841345639731870694noreply@blogger.com0tag:blogger.com,1999:blog-2892140782282269013.post-89721516319409280312022-01-10T20:44:00.006+07:002022-01-10T21:04:27.936+07:00Log Files Deleted or Missing after Running Performance Monitor on Windows Server<p><span style="font-family: verdana;">Description:</span></p><p><span style="font-family: verdana;">You run Performance Monitor on a Windows Server. You use one of the existing templates to collect the data. You leave it running for 5 minutes (default). After it completes, no report is generated and the log files seem to be gone. However, if you run it for only 1 minute, the report is generated normally.</span></p><p><span style="font-family: verdana;">Resolution:</span></p><p><span style="font-family: verdana;">Go to the Data Manager section in Data Collector. Uncheck the Maximum root path size option.</span></p><p><span style="font-family: verdana;">Try to run the data collector again.</span></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqg0JOHpeKC8FmIDZ6fVfQ052pgkM_WeOEWRYFoojLa2jLKd3g2hXKpzOCwD47212UEhhk3mfAeBWdzpT7ELyr2fcooBQjmP__CW-jtF5Hc87gZq_HVSoP_g3mVF9vCkSoxVcFpJM3c9W4/" style="margin-left: 1em; margin-right: 1em;"><img data-original-height="610" data-original-width="501" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqg0JOHpeKC8FmIDZ6fVfQ052pgkM_WeOEWRYFoojLa2jLKd3g2hXKpzOCwD47212UEhhk3mfAeBWdzpT7ELyr2fcooBQjmP__CW-jtF5Hc87gZq_HVSoP_g3mVF9vCkSoxVcFpJM3c9W4/w328-h400/image.png" width="328" /></a></div><p></p>Tom Bhttp://www.blogger.com/profile/05841345639731870694noreply@blogger.com0tag:blogger.com,1999:blog-2892140782282269013.post-20441043610003665662022-01-10T20:29:00.003+07:002022-01-10T20:29:43.736+07:00Clear Cached Kerberos Tickets<p><span 
style="font-family: verdana;">To clear the cached Kerberos tickets:</span></p><p><span style="font-family: verdana;">Open Command Prompt with administrative permissions.</span></p><p><span style="font-family: verdana;">Type:</span></p><p><span style="font-family: verdana;">klist purge</span></p><p><span style="font-family: verdana;">klist purge -li 0x3e7</span></p>Tom Bhttp://www.blogger.com/profile/05841345639731870694noreply@blogger.com0
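<p><span style="font-family: verdana;">The two purge commands above wrapped in a PowerShell function that reports the ticket count before and after for each logon session. This is an added example, not part of the original post; the function names are hypothetical, and it assumes English klist.exe output and an elevated session. Logon ID 0x3e7 is the LocalSystem session, which holds the computer account's tickets.</span></p>

```powershell
# Added example, not from the original post. Function names are hypothetical.
# Assumes English klist.exe output and an elevated prompt, which is needed to
# target a logon session other than your own.

function Get-KerberosTicketCount {
    param([string]$LogonId)   # low part of the logon ID, e.g. '0x3e7'; empty = current session
    $klistArgs = @()
    if ($LogonId) { $klistArgs = @('-li', $LogonId) }
    $text = (& klist.exe @klistArgs 2>&1 | Out-String)
    if ($text -match 'Cached Tickets:\s*\((\d+)\)') { return [int]$Matches[1] }
    return $null              # session not found, access denied, or unrecognized output
}

function Clear-KerberosTicketCache {
    param(
        # '' is the caller's own session; 0x3e7 is the LocalSystem session,
        # which holds the tickets issued to the computer account.
        [string[]]$LogonId = @('', '0x3e7')
    )
    foreach ($id in $LogonId) {
        # Same commands as in the post: "klist purge" and "klist purge -li <id>".
        $purgeArgs = @('purge')
        if ($id) { $purgeArgs += @('-li', $id) }

        $before = Get-KerberosTicketCount -LogonId $id
        $text   = (& klist.exe @purgeArgs 2>&1 | Out-String)
        $after  = Get-KerberosTicketCount -LogonId $id

        [pscustomobject]@{
            LogonId       = if ($id) { $id } else { 'current' }
            TicketsBefore = $before
            # Can be non-zero straight away: services re-request tickets on demand.
            TicketsAfter  = $after
            Purged        = $text -match 'Ticket\(s\) purged'
        }
    }
}

Clear-KerberosTicketCache | Format-Table -AutoSize
```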