Delete Windows.old from an upgraded Windows Server install operating in Core

I was at a customer site and they had a single Hyper-V host (running Server Hyper-V edition) and had done an in-place upgrade. Microsoft generally recommends you always do fresh installations and migrate, except for Configuration Manager servers where it is a supported configuration to upgrade Windows versions.  They were starting to run low on disk space on the C drive, so I’ve outlined the below process for removing the windows.old directory.  You can get anywhere from 6 GB to 15 GB back by removing the windows.old folder which is where everything Windows based is moved to if you decide to upgrade your Windows Server.

Download the SysInternals Junction utility, which we will use to find and delete any directory symbolic links (or NTFS junctions) that may still exist in the directory structure. Expand the zip file, then create a PowerShell file with the following code and save it under C:\temp (which is where we will work from).

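# Read the junction list produced by "junction -s" line by line
foreach ($line in [System.IO.File]::ReadLines("c:\temp\junctions.txt"))
{
    # Only lines that start with a backslash name a junction or link path
    if ($line -match "^\\")
    {
        # Strip the trailing type label so only the path remains
        $file = $line -replace "(: JUNCTION)|(: SYMBOLIC LINK)",""
        # Delete the junction or symbolic link itself
        & c:\temp\junction64.exe -d "$file"
    }
}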

The above code iterates through the junction list, which we extract with the command below.  On the majority of systems the list should come back empty, indicating that the Windows upgrade has gone smoothly.

junction -s C:\Windows.old > junctions.txt

We then execute the PowerShell file we saved earlier against the text file we just created with the Junction utility.  Once that is done we can begin to clean up.  Firstly, take ownership by issuing:

takeown /F c:\Windows.old\* /R /A /D Y

You may find that is all you need and can issue the rmdir; otherwise, run this additional command:

cacls c:\Windows.old\*.* /T /grant administrators:F

So after all that I was easily able to reclaim a whole bunch of disk space by issuing the following command.

rmdir /S /Q c:\Windows.old

If only Microsoft kept Disk Cleanup on Windows Server to make life easier.

Hyper-V Virtual Machine stops responding to network traffic if VMQ (Virtual Machine Queues) are enabled on a 1GB physical NIC

I recently took on a new customer whose IT infrastructure was a mess.  They have good hardware but the setup they had was just awful (it was an internal guy who had great ideas but little skill).  They had Hyper-V running on a nice new Gen9 HP Server on Windows Server 2012 R2, which is a nice combination.  Once they were onboarded they let us know that the server kept on crashing (they had no idea their setup was virtualised or that they had more than one server…).  Virtual Machine Queuing, or VMQ, allows the “virtualization” of the network, allowing the NIC to create paths to each virtual NIC to offload the traffic.

After about a week, I got the call I was waiting for to tell me their server had stopped responding; the virtual machine was still up but wasn’t responding to pings or allowing access to network resources (it was their SBS server).  So as a quick fix, I disabled and re-enabled the NIC on the server (as a best practice you should have a dedicated Management NIC to allow access to the host), and this brought things back online.  After having a quick look at the Broadcom NIC, I saw it had VMQ enabled; I then set it to disabled and restarted the server out of hours.  Since then there haven’t been any issues with the servers dropping off the network.

The issue hasn’t resurfaced since and is documented in the following Microsoft KB article https://support.microsoft.com/en-us/kb/2986895

It is interesting to note that the server had the latest drivers and firmware installed but was still having the issue, so I’d recommend leaving VMQ disabled completely as the benefits aren’t that great (unless you’re high-traffic 10 Gbps).
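The check and change described above can be scripted with the NetAdapter cmdlets that ship with Windows Server 2012 and later. This is an added example, not part of the original post; the script name, the `-Disable` switch and the 1 Gbps threshold variable are illustrative.

```powershell
# Audit-Vmq.ps1 (hypothetical name): report VMQ state on physical adapters linked
# at 1 Gbps or below and, with -Disable, turn VMQ off on them.
# Run elevated on the Hyper-V host.
param(
    [switch]$Disable   # without this switch the script only reports
)

$oneGbps = 1000000000

# Physical adapters only; Speed is the negotiated link speed in bits per second.
$candidates = Get-NetAdapter -Physical |
    Where-Object { $_.Status -eq 'Up' -and $_.Speed -le $oneGbps }

foreach ($nic in $candidates) {
    # Not every driver exposes VMQ, so skip adapters that return nothing.
    $vmq = Get-NetAdapterVmq -Name $nic.Name -ErrorAction SilentlyContinue
    if (-not $vmq) { continue }

    [pscustomobject]@{
        Name        = $nic.Name
        Description = $nic.InterfaceDescription
        LinkSpeed   = $nic.LinkSpeed
        VmqEnabled  = $vmq.Enabled
    }

    if ($Disable -and $vmq.Enabled) {
        # -NoRestart defers the change until the adapter or host is next restarted,
        # which fits an out-of-hours restart like the one described above.
        Disable-NetAdapterVmq -Name $nic.Name -NoRestart
    }
}
```

Run it once without `-Disable` to see which adapters would be changed, then again with the switch during a maintenance window.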

Upgrading your current KMS Server (Server 2008 R2) to support Windows 8 and Server 2012 activation

If you’re in an enterprise environment, chances are that you have a KMS server running (usually either Windows 7 or Server 2008 R2).  So now that Windows 8 and Server 2012 have hit VLSC for SA customers you’ll most likely want to begin testing and performing pilot deployments, but we need to get our Key Management Server to accept these new clients.  If you have tried to activate your KMS keys with existing KMS hosts you will receive the following error message:

Error: 0xC004F050 The Software Licensing Service reported that the product 
key is invalid.

Thankfully for us, Microsoft has released an update that will upgrade Windows 7 or Server 2008 R2 KMS Hosts to support Windows 8 and Windows Server 2012; see the KB article (KB2691586).  You will need to request the hotfix from the KB.  Once downloaded, open up an elevated command prompt and execute the update (which acts as a Windows Update package).  When it finishes installing you will need to restart your server.

Now that our server is back up, we need to replace the KMS Host key with one for 2012 or Windows 8.  Open an elevated command prompt and enter slmgr.vbs /upk which will show us Uninstalled product key successfully when complete.  Now we install our new key with slmgr.vbs /ipk product-key-here

You should now be presented with a product activated successfully window.  You can also run slmgr.vbs /dlv and under description you should see VOLUME_KMS_2012.  Now you can start to activate your new Windows 8 and Server 2012 clients.

Installing the PowerShell ISE (Integrated Scripting Environment) on Windows Server 2008 R2

I was recently looking at modifying our SharePoint warm-up script as we had found out that it wasn’t working as it should be.  So I went to fire up the small but useful PowerShell ISE and found that it wasn’t available.  So there are two ways to go about getting it installed.

First off is running the Windows Add Feature under Server Manager.  You will find the Windows PowerShell ISE and be able to tick and install the feature.  The other method which is quite easy is to use PowerShell.

First off we need to import the ServerManager module into PowerShell and then we can go ahead and add the ISE feature.  The following snippet will do it all for you via PowerShell.

Import-Module ServerManager
Add-Windowsfeature PowerShell-ISE

And that is all you have to do to get the wonderful PowerShell ISE going under Windows Server. Hope that helps.

Deploying printers via Group Policy and getting them pushed out the right way as well as solving driver installation issues (0x80070bcb Specified printer driver was not found and needs to be downloaded)

So we recently upgraded our printing infrastructure with a whole new lot of printers and software (along with a shiny new version of PaperCut MF) and have implemented a global queue, better known as Follow Me Printing.  So how do we go about pushing out all the new global printers to our users?  Well, along with the 50 other projects we have on the go, one of them is a clean-up of our group policy, so after removing around 15 GPOs related to our old printers I got to work.

So for starters I’ve created a GPO which will contain all of our Follow Me Printing settings, including deploying the PaperCut Client and Global Queue Printers. In our environment we have a mix of Windows XP, Windows Vista and Windows 7 which will all handle printers being deployed via Group Policy differently (Microsoft make things so easy, don’t they).  For XP, things are simple, simply add the printer to be deployed either by user or computer preference under control panel > printers. For Vista and 7 however this is where it gets tricky.  If you are using a driver which has been loaded on the machine before, the printer will deploy, otherwise you will receive an error in the event log such as the following:

The user 'Printer Name Here' preference item in the 'Group Policy Object
{GUID-GOES-HERE}' Group Policy object did not apply because it failed with
error code '0x80070bcb The specified printer driver was not found on the system
and needs to be downloaded.' This error was suppressed.

This basically means that the client couldn’t download the driver, but the real reason is because of UAC and the computer not requesting permission to install a driver. Thankfully there is a Policy that we can enable that will allow us to set the permission requirements during printer driver installation.

Using the Point and Print Restrictions Policy we can enable printer driver installation without it getting hassled by UAC. Under Windows Vista it is a User Policy and on Windows 7 it is a Computer Policy (I have both enabled for good measure). So enable the Point and Print Restrictions Policy and change the following options:

  • When installing drivers for a new connection: Do not show warning or elevation prompt
  • When updating drivers for an existing connection: Show warning only

Once we have configured the Point and Print Restrictions Policy printers will download and install on any client computer that the Object is targeting.

Hope that helps a few people out when setting up and configuring their Group Policy Printer Distribution, any queries please comment.
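Because this policy removes the elevation prompt for driver installs, it is worth confirming on a client which values actually applied and whether the policy's own "Users can only point and print to these servers" or forest restriction is also set. The following is an added example, not part of the original post: it reads the registry values behind the Point and Print Restrictions policy from both the Computer (HKLM) and User (HKCU) locations. The function name and the ReviewNeeded field are illustrative.

```powershell
# Report the Point and Print Restrictions values applied on this client.
$subKey = 'Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

$installPrompt = @{ 0 = 'Show warning and elevation prompt'
                    1 = 'Do not show warning or elevation prompt' }
$updatePrompt  = @{ 0 = 'Show warning and elevation prompt'
                    1 = 'Show warning only'
                    2 = 'Do not show warning or elevation prompt' }

function Get-PointAndPrintPolicy {
    param([string]$Hive)   # HKLM = Computer policy (Windows 7), HKCU = User policy (Vista)

    $values = Get-ItemProperty -Path "${Hive}:\$subKey" -ErrorAction SilentlyContinue
    if (-not $values) {
        return New-Object PSObject -Property @{ Hive = $Hive; Configured = $false }
    }

    # Missing values read as $null, which casts to 0 (the default behaviour).
    $noPromptOnInstall = [int]$values.NoWarningNoElevationOnInstall
    $serverRestricted  = ([int]$values.TrustedServers -eq 1) -or ([int]$values.InForest -eq 1)

    New-Object PSObject -Property @{
        Hive             = $Hive
        Configured       = $true
        NewConnection    = $installPrompt[$noPromptOnInstall]
        UpdateConnection = $updatePrompt[[int]$values.UpdatePromptSettings]
        ServerRestricted = $serverRestricted
        ServerList       = $values.ServerList
        # Prompt removed with no server or forest restriction: review this client
        ReviewNeeded     = ($noPromptOnInstall -eq 1 -and -not $serverRestricted)
    }
}

'HKLM', 'HKCU' | ForEach-Object { Get-PointAndPrintPolicy -Hive $_ } | Format-List
```

With the two options listed above, a client should report "Do not show warning or elevation prompt" for new connections and "Show warning only" for updates; ReviewNeeded is True when no server list or forest restriction accompanies them.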

Thoroughly cleaning up a WSUS server

I was recently tasked with performing a clean-up of some of our servers, removing old files/software installations as well as a clean-up of our WSUS server.  After a quick look I could see that our previous administrator had set it to download Driver updates as well, which was taking up quite a large amount of space and something that we weren’t really looking at using (no driver updates were approved).

So I ran the WSUS clean-up wizard, which removed some old computers, but the driver updates remained. I wanted them gone.  So I quickly made sure that driver updates category wasn’t selected and ran the following PowerShell script on the WSUS machine.

# Load the WSUS administration assembly and connect to the local WSUS server
[reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration") | out-null
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer();
# Select which cleanup tasks to run
$cleanupScope = new-object Microsoft.UpdateServices.Administration.CleanupScope;
$cleanupScope.DeclineSupersededUpdates    = $true
$cleanupScope.DeclineExpiredUpdates       = $true
$cleanupScope.CleanupObsoleteUpdates      = $true
$cleanupScope.CompressUpdates             = $true
# Uncomment the next line to also remove obsolete computers from the database
#$cleanupScope.CleanupObsoleteComputers   = $true
$cleanupScope.CleanupUnneededContentFiles = $true
# Run the selected cleanup tasks
$cleanupManager = $wsus.GetCleanupManager();
$cleanupManager.PerformCleanup($cleanupScope);

This script took about an hour to run but worked like a charm. It basically cleaned up the whole WSUS database, removing old computers, obsolete and unneeded updates (including the drivers I no longer wanted) as well as removing the associated update files which cleaned up a lot of space. The script above is modified so as not to remove computers from the database but that can be simply uncommented and included in the script.

Let me know in the comments if you found this useful.

How to set (and change) an NTP time source in Windows Server 2008 R2 (SBS 2011 and Vanilla Server).

Recently, the clocks on my home networked PCs began drifting off sync until the difference was around 30 minutes. At first I thought that my SBS server was no longer synching with time.windows.com (the default time server for Windows). After a quick look at the event log, I could see that it was syncing correctly and that the date and timezone were correct. So I began to look at how I could change the NTP server that Windows was syncing with. Unlike Windows XP, which had a tab where you could set the source and even add your own in the date and time control panel applet, Windows Server 2008 and Windows 7 have nothing of the sort, so how was I going to change the source? A quick look on TechNet led me to an article titled Windows Time Services Tools and Settings.

To query the time service about its current status open up an elevated command prompt and type in:
w32tm /query /status

This will display the following output (it will either state Source: Local CMOS Clock or time.windows.com)

After working out the source and that it was synching without error, as well as the obvious fact that the time was way off, I needed to find a reliable time service. After a bit of searching around the web I found pool.ntp.org, which is part of the home for the Network Time Protocol open source project (ntp.org). Members work together to provide a public pool of time servers for use by individuals and businesses. pool.ntp.org uses DNS round robin to make a random selection from a pool of time servers who have volunteered to be in the pool, making this service highly redundant and reliable.

If you navigate to the Time Servers page on their wiki you will see a list of servers as well as regional servers which you can also choose from.  Since I’m in Australia I narrowed it down to Oceania and then Australia, leaving me with au.pool.ntp.org.  So basically I now had to reconfigure the Windows Time service to sync with the NTP Australian Server Pool. A quick look over the TechNet documentation told me the command I needed to run, which was:
w32tm /config /manualpeerlist:au.pool.ntp.org

Which after being executed in an elevated command prompt will leave you with command completed successfully.  Once that is configured we need to restart the time service by either doing net stop/start w32time or via the Services Control Panel on Windows Time.

You can then query the time service again using /query and /status which will present you with the above output. As you can see the time service is now synching with the service that I specified it to. You can look around the NTP site to find a group of services which are closer to your location, but it generally doesn’t matter where you pick the NTP server from.

And there you have it, how to reconfigure the Windows Time service to look at a different time source.  As a side note before closing off the article, Microsoft don’t fully support the Windows 32 Time service for use in high accuracy environments as mentioned in this Knowledge base article. So if you need something which is highly accurate then you need to look elsewhere.
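The steps above (configure the peer, restart the service, query the source) can be combined into one check that fails loudly if the service never adopts the new peer, for example when outbound NTP is blocked. This is an added example, not part of the original post. It assumes the machine is standalone or is the domain's top-level time source, as an SBS server is, and it adds the /syncfromflags:manual and /update switches to the command shown above; the function name and retry values are illustrative.

```powershell
# Set a manual NTP peer and confirm the Windows Time service adopted it.
# Run from an elevated PowerShell prompt.
function Set-NtpSource {
    param(
        [Parameter(Mandatory = $true)][string]$Peer,
        [int]$Attempts = 6
    )

    # /syncfromflags:manual makes the service use the manual peer list;
    # /update tells the running service to pick up the new configuration.
    & w32tm /config "/manualpeerlist:$Peer" /syncfromflags:manual /update | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "w32tm /config failed (exit code $LASTEXITCODE)" }

    Restart-Service -Name w32time

    for ($i = 1; $i -le $Attempts; $i++) {
        # Force a sync attempt, then read back the source the service reports.
        & w32tm /resync /rediscover | Out-Null
        $source = ((& w32tm /query /source) -join ' ').Trim()
        if ($source -like "$Peer*") { return $source }
        Start-Sleep -Seconds 10
    }
    throw "Time service still reports source '$source' instead of $Peer"
}

Set-NtpSource -Peer 'au.pool.ntp.org'
w32tm /query /status
```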

Fixing the Outlook Web Access web application failed to initialize error

During the Christmas break many still wish to check their e-mails whilst enjoying their holidays.  One of my clients who doesn’t use OWA is now taking the plunge and is going to be checking their e-mail (great feature). With SBS 2008 (so Exchange 2007), OWA is enabled by default, so I thought there would be nothing that I needed to do. I was wrong.

After loading up OWA on the server and my laptop I received the following error:

The Outlook Web Access web application failed to initialize.
..
Exception
Exception type: Microsoft.Exchange.Clients.Owa.Core.OwaThemeManagerInitializationException

The fix I’ve worked out for this is to copy the original files in the theme directory from your installation media (x:\Setup\ServerRoles\ClientAccess\owa\version\) back into the OWA working directory.

The cause, I suspect a corrupt file, not too sure exactly and didn’t have much time to investigate seeing as it’s holiday time, but believe something had changed the theme configuration causing OWA to look elsewhere for theme files, I also have a suspicion that an update might have caused this, but can’t confirm.

BackupExec unable to read or write to the Database

Today when checking one of the servers I manage, I got an error when opening up the BackupExec 12.5 management console. The error was “Unable to read or write to the Database” which I found a bit puzzling. I checked to make sure SQL Server which hosted the BE database was running, and it was.

After having a quick look in the Application Event Log, I found an error relating to the issue I was experiencing. Event ID: 33152.  Thankfully the fix for this error is quite simple.

Open up the Backup Exec Services Manager and click on Stop All Services. Now open up the SQL Server Configuration Manager and restart the instance of SQL Server hosting your Backup Exec database. Once it restarts, return to the Backup Exec Services Manager and click on Start All Services to start them all up again. Once they’re up, open the management console.  If all went well it should now log you in successfully and show you the current status of your server.

Letting Exchange accept Mail from other domains

One of the usual things I perform as an IT Consultant is maintenance and configuration tasks on Exchange. One of the most requested tasks is accepting e-mail for more than one domain. Most of my clients run Windows SBS Server 2008 which comes with Exchange 2007. In this article I will walk through accepting mail from other domains.

Firstly, open up the management console, expand Organization Configuration, click on Hub Transport and finally select the Accepted Domains tab. Now under the Actions for Hub Transport click New Accepted Domain…

The New Accepted Domain window now pops up. Configure it with your new domain.  The domain must be yours and its MX record configured to point to your Exchange server. After you enter your domain, there are three options to tell Exchange how to handle mail. Authoritative Domain tells the Exchange server to accept ALL e-mail for this domain; if a user doesn’t exist then an NDR is generated and sent to the sender. The Internal and External relay options are handy: if you have multiple domains with multiple Exchange servers, you can choose the Internal Relay option, which will look for other Exchange servers under the forest for your entire organisation.

The third option is the External Relay. This is useful for those domains which you don’t ‘own’.  A prime example is franchise companies, which may have one e-mail for a particular store or location, allowing you to send and receive for that domain to users not on your Exchange server.

And that’s it. Simply ensure that the domain’s MX record is pointing to your server, or if you are using the SBS POP3 Connector this will now properly process e-mails for that particular domain.