Problems Logging Into Active Directory Accounts on a Mac With a Home Folder Specified

So, after running into this problem, I was initially sceptical of what the cause may be. I’d seen talk around that Macs didn’t like their home folders to be part of an Active Directory domain that ends in the pseudo TLD of “.local”, but I never quite believed that this would be the cause.

Basically, symptoms would be that the machine will fail to log in using the domain credentials, and will just say something generic sounding like “Unable to login to the account, an error occurred”. After lots of testing and fettling with both the Mac and the domain settings (This was a new domain being provisioned for a specific event, and I wouldn’t suggest you just generally tinker with your domain controller configurations), it was found that the account could be logged in if the home drive was disabled in AD. In my case the home drive path was a location within a DFS namespace, but even a direct share on a file server gave the same results.

So, I spun up a new domain on a separate server (oh the joys of virtualisation) and this time gave the domain a .net TLD and the home drive specified in the same way within a DFS namespace. Surprisingly the account logged in here first time after the Mac had been rebound to the new domain. Some further fiddling was required with the domain controllers to make sure that they were responding to all requests with FQDN responses as opposed to NetBIOS ones. The details on how to do this via PowerShell or a direct registry hack are linked. After these changes have been made a reboot of the server will be needed, but then they should respond with FQDN addresses for both DFS referrals and targets.

At this point, the whole thing should work, and as usual, I hope this saves someone some time in figuring this out.

HP VMware VIB Sources Not Connected – HP Killed The Old Pre-Rebrand URLs

I noticed today that when in the VMware Update Manager in admin view, some of the custom VIBs I had in were showing as “Not Connected”. This was my custom location for HP VIBs of http://vibsdepot.hp.com/index.xml as I use the HP image on the hosts in this vCenter. When I forced VUM to check the URL again, it was coming back again as “Not Connected”. So I thought I would try loading the XML file in a browser, which presented me with this lovely little “notification”;

[Image: HP_VIB_Redirect]

I say “notification” as what they’ve done is use a redirect to point you to a different URL, which then contains the message that you must use a different URL now.
The new HP VIB URL is https://vibsdepot.hpe.com/index.xml and note the https rather than http.

Adding the new updated URL to the XML file gets us right back into a connected state;

[Image: HP_VIB_Connected]

This has obviously been done following the HP and HPE split that was announced a few years ago, but which is obviously just starting to have consequences for things like this.

I hope this helps someone out.

Server 2012 and 2012 R2 Deduplication Removal

I just thought I’d post about this, as it’s something I’ve come up against recently, how to disable deduplication on a volume on Server 2012 or 2012 R2 and inflate the data back to its original form. In this example, the volume in question is E:

So let’s start with step one;
DO NOT DISABLE DEDUPLICATION ON THE VOLUME

After that, step two would be to run the following command in PowerShell;
Start-DedupJob -Type Unoptimization -Volume E: -Full

When that job has completed, which you can check with the Get-DedupJob command, then run the following command;
Start-DedupJob -Type GarbageCollection -Volume E: -Full

Finally, after that, step 3 is to turn off dedup on the volume with the following command;
Disable-DedupVolume -Volume E:

And that should save you any unnecessary drama.
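
The three steps above as one script, as an added example that is not the author's own code: it polls Get-DedupJob between stages and only disables deduplication once no optimised files remain. The free-space check and the `Wait-DedupJobs` helper are additions that the post does not describe.

```powershell
# Added example, not the author's script. Run elevated on the file server.
$Volume = 'E:'   # volume used in the post

# Hypothetical helper: poll Get-DedupJob until nothing is queued or running.
function Wait-DedupJobs {
    param([string]$Volume, [int]$PollSeconds = 30)
    while ($jobs = Get-DedupJob -Volume $Volume -ErrorAction SilentlyContinue) {
        foreach ($j in $jobs) {
            Write-Host ("{0}  {1}  {2}  {3}%" -f (Get-Date -Format s), $j.Type, $j.State, $j.Progress)
        }
        Start-Sleep -Seconds $PollSeconds
    }
}

# Added precaution: inflating gives back the space dedup saved, so that much
# must be free on the volume before starting.
$before = Get-DedupStatus -Volume $Volume -ErrorAction Stop
if ($before.SavedSpace -ge $before.FreeSpace) {
    throw "Not enough free space on ${Volume}: saved $($before.SavedSpace) bytes, free $($before.FreeSpace) bytes."
}

# Step 1 is what is NOT here: no Disable-DedupVolume yet.
# Step 2: inflate, wait, then garbage-collect and wait again.
Start-DedupJob -Type Unoptimization -Volume $Volume -Full -ErrorAction Stop | Out-Null
Wait-DedupJobs -Volume $Volume
Start-DedupJob -Type GarbageCollection -Volume $Volume -Full -ErrorAction Stop | Out-Null
Wait-DedupJobs -Volume $Volume

# Only disable once nothing on the volume is still optimised.
$after = Get-DedupStatus -Volume $Volume -ErrorAction SilentlyContinue
if ($after -and $after.OptimizedFilesCount -gt 0) {
    throw "$($after.OptimizedFilesCount) files on $Volume are still optimised; not disabling dedup."
}

# Step 3: turn deduplication off.
Disable-DedupVolume -Volume $Volume
```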

Error 0x800f0922 Enabling Or Installing .Net 3.5 On Windows 8.1

Just a note, if you want to skip the narrative, the fix is at the bottom of the post, but if, like my GCSE maths teacher, Mrs Williams, you want me to show my working out, keep reading.

I’d been having some trouble installing .Net 3.5 on a Windows 8.1 machine for a while, seeing the same error no matter how I attempted the install. Turning the feature on through Windows features just threw a generic error which was of little help. Trying the same action directly on the command line via dism.exe, gave some detail in the dism.log file.

So, I ran dism.exe /online /enable-feature /featurename:NetFX3 on the command line and then checked the result in the dism.log file, located at C:\Windows\Logs\DISM\dism.log

The two interesting lines in this are shown below;
DISM DISM Package Manager: PID=4564 TID=796 Failed while processing command enable-feature. - CPackageManagerCLIHandler::ExecuteCmdLine(hr:0x800f0922)
DISM DISM Package Manager: PID=4564 TID=796 Further logs for online package and feature related operations can be found at %WINDIR%\logs\CBS\cbs.log - CPackageManagerCLIHandler::ExecuteCmdLine

The CBS log file revealed a little further info in the following line;

CBS Failed to perform operation. [HRESULT = 0x800f0922 - CBS_E_INSTALLERS_FAILED]

When I did a bit more digging on that error, I found the following post, How to troubleshoot error 0x800F081F when installing roles and features, which admittedly is a totally different error, but there, like a diamond in the rough, was a comment pointing to corrupt performance counters and referenced another Microsoft blog post, Unable to install IIS Web Server Role – “The configuration registry key is invalid”.

The pearl of wisdom from these was to run lodctr /r from the command line, and then re-run the install.

Success, it worked, and I hope this at least proves helpful for someone else, as late at night and trying to fix this for someone who had a deadline looming to get some machines set up, it was a real problem to figure out.

Group Policy Preferences Processing Order

Just to clarify something that people should be aware of, the Group Policy Preferences processing order. Within each CSE the settings are applied starting at number one and working down from there. I know it sounds obvious, but the documentation generally says “starting with the highest”, which I think leaves room for confusion as “the highest” could mean it finishes with one, especially when you look in the context of Group Policy and that the last setting applied wins.

Anyway, one and down from there.

HP iLO2 Firmware Upgrade Failing Via Web Page

While I was trying to update an iLO from version 2.00 to 2.27 on an HP DL360 G6, I was seeing the firmware update fail in Windows; the error back was that the hardware installed in the server was incorrect. Installing the firmware through the iLO web page itself just failed, appearing to time out when attempting to upload the image.

The fix for this, oddly enough was to use Firefox. When doing the same update to the iLO in Firefox, the image does get uploaded and the firmware update then completed without any problems.

svchost.exe troubleshooting

If you’ve ever been in a situation where you have a service falling over with no obvious cause, it might be some other service running under the same svchost process causing the failure. As it turns out the Microsoft Performance Team have a very handy guide on svchost troubleshooting.

This covers how to isolate the suspected service into its own process, even going as far as running it with its own svchost process, so it’s easier to see if it really is the service you suspect causing the problem, or something else. In my case I was trying to pin down a crash with the lanmanserver service, and this was very useful.

Group Policy – Unattended Sleep Timeout

There is a Group Policy setting called “Specify the unattended sleep timeout” located here;

Computer Configuration – Administrative Templates – System – Power Management – Sleep Settings

The description given for the policy is;

This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user is not present at the computer.

If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended. If you specify 0 seconds, Windows does not automatically transition to sleep.

If you disable or do not configure this policy setting, users control this setting.

If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occurring. The “Prevent enabling lock screen slide show” policy setting can be used to disable the slide show feature.

What I want to know is how on earth the system determines when it’s unattended. What if you’re watching a full screen video, is that unattended? What if you’re just running an Excel calculation, is that unattended?

I can find very little information, none in fact, on the Internet on how this is determined, but if anyone knows, please share.

Adding name servers to multiple DNS zones with PowerShell

I ran into a little problem today where I needed to add multiple DNS servers as name servers to multiple DNS zones all in one go. So this is essentially adding NS resource records to a zone, but doing it for multiple zones all at once. Yes I could have done them manually, but that’s boring and time consuming. So, here’s a quick one-liner that does the trick, obviously substitute in your DNS server and name server FQDNs in the correct places. If it fails for any reason it will continue on, but report the zone it failed on.

Get-DnsServerZone -ComputerName dnsserver.domain.com | ForEach-Object {try {Add-DnsServerResourceRecord -ZoneName $_.zonename -ns -ComputerName dnsserver.domain.com -name $_.zonename -NameServer newdnsserver.domain.com -ea:stop} catch {"$_"}}

Hope someone finds that useful.
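
A longer form of the one-liner above, as an added example that is not the author's code: it takes several name servers, limits itself to writable primary zones, skips zones that already list the server, and records the zone name with each outcome. The server names are placeholders and the second name server is hypothetical.

```powershell
# Added example. Server names are placeholders, as in the one-liner.
$DnsServer   = 'dnsserver.domain.com'
$NameServers = 'newdnsserver.domain.com', 'newdnsserver2.domain.com'  # second one is hypothetical

# Writable primary zones only; skip auto-created zones and TrustAnchors.
$zones = Get-DnsServerZone -ComputerName $DnsServer | Where-Object {
    $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and $_.ZoneName -ne 'TrustAnchors'
}

$results = foreach ($zone in $zones) {
    # NS records already at the zone root, normalised for comparison.
    $existing = @(Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone.ZoneName `
                      -RRType Ns -Node -ErrorAction SilentlyContinue |
                  ForEach-Object { $_.RecordData.NameServer.TrimEnd('.').ToLower() })

    foreach ($ns in $NameServers) {
        $outcome = 'Added'
        if ($existing -contains $ns.ToLower()) {
            $outcome = 'AlreadyPresent'
        } else {
            try {
                # Same parameters as the one-liner on the page.
                Add-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone.ZoneName -NS `
                    -Name $zone.ZoneName -NameServer $ns -ErrorAction Stop
            } catch {
                $outcome = "Failed: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{ Zone = $zone.ZoneName; NameServer = $ns; Outcome = $outcome }
    }
}

$results | Sort-Object Outcome, Zone | Format-Table -AutoSize
```

Adding `-WhatIf` to the Add-DnsServerResourceRecord call gives a dry run of which zones would be changed before anything is written.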

Cisco AnyConnect “Failed to initialize connection subsystem” Error When Connecting to VPN on Windows 7 or Windows 8

Just today I tried to connect to my work network from home using the Cisco AnyConnect client, for reference I’m using AnyConnect 3.1.05182 on Windows 8.1, and was unable to. I was immediately presented with an error before even being asked for a username and password, which said something was wrong with the client, as it hadn’t really had time to start any proper negotiations with the ASA.

A little bit of Googling revealed that the problem might have come from a recent Microsoft update, dated just a few days ago. I had noticed my machine downloading a few updates of late, and I’m nowhere near as diligent with testing updates on my personal machine as I should be, or as I am on any work related systems.

It turns out that this is indeed a bug with the latest set of Microsoft patches, and Cisco confirmed this here.

While Cisco have said ultimately the fix has to come from Microsoft, there is a workaround until a permanent fix is produced;

  • Close the AnyConnect client from the system tray
  • Navigate to the AnyConnect client install location, for example “C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\”
  • Right click on the vpnui.exe and click troubleshoot compatibility
  • Pick “Try recommended settings”
  • Click “Test Program” and this will reopen the AnyConnect client
  • Repeat the same process again, but for vpnagent.exe
  • On the final test when the AnyConnect client opens again, you then find that you’re able to connect normally again.

If you have Cisco support it would probably be valuable opening a TAC case and mentioning case number #115021112390273. This bug does also affect Windows 7 when IE11 is installed, and the same fix should work there too.