Thursday 9 October 2014

"This theme can't be applied to the desktop"

I'm currently configuring a new Windows Server 2012 R2 RDS environment for my customer to migrate to from their existing Windows Server 2008 R2 TS farm and this error message had been bothering me for quite some time: "This theme can't be applied to the desktop"

The error message appeared every time a user tried to start a RemoteApp program from the new RDS environment. The investigation concluded that a new user who had never logged in to the old TS environment did not get the error message, only users with an existing profile. Users were logging in from Windows 7 workstations/laptops. After some testing with various GPO settings under User Configuration\Administrative Templates\Control Panel\Personalization, I discovered that forcing all users to use the Aero Theme solved the problem.

Under User Configuration\Administrative Templates\Control Panel\Personalization configure the setting "Load a specific theme" with "%windir%\Resources\Themes\aero.theme"

Monday 10 March 2014

CAU - Target name resolution error

If removal of the CAU for a Windows Server 2012 R2 Failover Cluster has failed, or if anyone has tried to manually clean up the CAU, the following error might appear in Server Manager.

A look in the logs shows...:
Log Name: System
Source: DistributedCom
Event ID: 10028
Level: Error
OpCode: Info
More Information: Event Log Online Help
Task Category: None
Keywords: Classic
"DCOM was unable to communicate with the computer CAU-name.domain.local using any of the configured protocols; requested by PID b54 (C:\Windows\system32\ServerManager.exe)."

Log Name: System
Source: FailoverClustering
Event ID: 1228
Level: Error
User: System
OpCode: Info
More Information: Event Log Online Help
Task Category: Network Name Resource
"Cluster network name resource "CAU-name" encountered an error enabling the network name on this node. The reason for the failure was:
"Unable to obtain a logon token"
The error code was "1326".
You may take the network name resource offline and online again to retry."
If you do not see any trace of CAU but still see these error messages, the probable reason is that CAU's Distributed Network Name has been left behind in the Failover Cluster. The Distributed Network Name is added automatically when CAU is configured, but it is hidden and does not appear in Failover Cluster Manager. Use PowerShell to list the cluster resources and you will see CAU's Distributed Network Name.
  1. Open an elevated PowerShell window
  2. Run Get-ClusterResource -Cluster "Cluster Name" to list the resources
  3. Run Remove-ClusterResource "Name" to remove the leftover CAU resource

Monday 3 March 2014

How to disable Cluster Aware Updating (CAU)

Have you ever wanted to disable Cluster Aware Updating, perhaps just for a while or even permanently? The problem is that you might get a recurring Kerberos security error in Server Manager on one of your cluster nodes.

The error message below will appear in the system log:

"The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server "server name". The target name used was HTTP/server_name.domain.local. This indicates that the server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target server is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain "domain.local" is different from the client domain "domain.local" check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server."

The solution is quite simple but perhaps not obvious, even though it's stated in the error message. What you need to do is add two SPNs to your CAU account.

  1. Open an elevated command prompt
  2. setspn -S http/CAU-account-name CAU-account-name
  3. setspn -S http/CAU-fqdn-account-name CAU-account-name
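
Because the error text blames an SPN registered on an account other than the one the server uses, it helps to see which accounts already hold the two http/ SPNs before adding them. The following is an added example, not part of the original post; it assumes the ActiveDirectory PowerShell module is installed and reuses the post's placeholder names, which must be replaced with real values.

```powershell
# Added example, not from the original post. Read-only: it only queries the directory.
# Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Placeholders taken from the post; replace with the real CAU account names.
$cauAccount = 'CAU-account-name'
$spns = @("http/$cauAccount", 'http/CAU-fqdn-account-name')

# Find every object in the current domain that carries one of the SPNs.
# (This searches the current domain only, not the whole forest.)
$holders = foreach ($spn in $spns) {
    Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName |
        Select-Object @{ n = 'SPN'; e = { $spn } }, sAMAccountName, ObjectClass, DistinguishedName
}

# Classify each SPN: missing, held only by the CAU account, or held elsewhere.
$result = foreach ($spn in $spns) {
    $owners = @($holders | Where-Object { $_.SPN -eq $spn })
    # Computer accounts have a trailing '$' in sAMAccountName, so strip it before comparing.
    $foreign = @($owners | Where-Object { $_.sAMAccountName.TrimEnd('$') -ne $cauAccount })

    $state = if ($owners.Count -eq 0) { 'NotRegistered' }
             elseif ($foreign.Count -eq 0) { 'RegisteredOnCauAccount' }
             else { 'RegisteredOnOtherAccount' }

    [pscustomobject]@{
        SPN    = $spn
        State  = $state
        Owners = ($owners.sAMAccountName -join ', ')
    }
}

$result | Format-Table -AutoSize

# An SPN held by another account matches the cause named in the KRB_AP_ERR_MODIFIED text.
$result | Where-Object { $_.State -eq 'RegisteredOnOtherAccount' } |
    ForEach-Object { Write-Warning "$($_.SPN) is registered on: $($_.Owners)" }
```

An SPN reported as NotRegistered is one that the setspn -S steps above would add; one reported as RegisteredOnOtherAccount should be investigated before anything is changed.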

Monday 24 February 2014

Unblock IPAM access to a DC

Rolling out the Windows Server 2012 IPAM feature should be "a walk in the park", and it normally is, but a while ago I was really struggling to help a customer out with this. I had made the configuration using GPOs and verified my settings several times, but I kept getting the error "Unblock IPAM Access":

The solution was actually ridiculously simple. Editing the problem server in the IPAM Server Inventory panel, unticking DNS, clicking OK, and then re-ticking DNS fixed it.

Thursday 13 February 2014

AD DS operation failed - Dcpromo error - FSMO role broken

I was about to remove a customer's domain controller, as I have done so many times before, when the error below appeared.

Active Directory Domain Services Installation Wizard
The operation failed because:

Active Directory Domain Services could not transfer the remaining data in directory partition DC=ForestDnsZones,DC=company,DC=com to
Active Directory Domain Controller \\

"The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles."

Very strange considering that running "netdom query fsmo" gives the result that one of the other domain controllers owns all FSMO roles. The Event Viewer is in this case your best friend.

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          2014-02-01 14:44:13
Event ID:      2091
Task Category: Replication
Level:         Warning
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      DC.COMPANY.COM
Ownership of the following FSMO role is set to a server which is deleted or does not exist. 

The DC mentioned in the Event Viewer warning was an old Windows Server DC removed more than 5 years ago!

Let's move on, make sure to open ADSIEdit on the affected FSMO Role owner and make the necessary changes there.

How to obtain the correct setting:
  1. On the affected role owner open ADSIEdit.
  2. Click on Default Naming Context [DC.Company.Com].
  3. Click on DC=Company,DC=Com.
  4. Double click on CN=Infrastructure at the bottom of the list of folders.
  5. Locate the fSMORoleOwner attribute and click on it.
  6. Click the Edit button.
  7. CTRL+C to copy the contents of the attribute.
  8. Click CANCEL twice.

Correct the problematic settings:
  1. Right click the ADSI Edit root and click on Connect to…
  2. Use the following connection point:
    1. DC=DomainDNSZones,DC=Company,DC=Com
  3. Click on Default Naming Context [DC.Company.Com] to populate it.
  4. Click on DC=DomainDNSZones,DC=Company,DC=Com folder.
  5. Double click on CN=Infrastructure.
  6. Locate the fSMORoleOwner attribute and click on it.
  7. Click the Edit button.
  8. CTRL+V to paste the correct setting.
  9. Click OK and then Apply.
  10. Repeat steps 1-9 to correct DC=ForestDNSZones,DC=Company,DC=Com.

Once the above steps were completed on the FSMO Role owner for Infrastructure I was able to properly demote the DC.
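
Before editing anything in ADSI Edit, the three Infrastructure objects can be compared in one pass to see which fSMORoleOwner values point at a domain controller that no longer exists. This is an added example, not part of the original post; it assumes the ActiveDirectory PowerShell module, a DC that hosts the DNS application partitions, and the post's placeholder DN DC=Company,DC=Com for both the domain and the forest root.

```powershell
# Added example (not from the original post): read-only audit of fSMORoleOwner.
# Requires the ActiveDirectory module (RSAT). Makes no changes to the directory.
Import-Module ActiveDirectory

# Placeholder DN from the post; replace with your own.
# Assumption: the domain is also the forest root, as in the post's example.
$domainDn = 'DC=Company,DC=Com'

# The three Infrastructure objects the post inspects in ADSI Edit.
$targets = @(
    "CN=Infrastructure,$domainDn",
    "CN=Infrastructure,DC=DomainDnsZones,$domainDn",
    "CN=Infrastructure,DC=ForestDnsZones,$domainDn"
)

$report = foreach ($dn in $targets) {
    $owner = (Get-ADObject -Identity $dn -Properties fSMORoleOwner).fSMORoleOwner

    # DNs of deleted objects carry a "\0ADEL:<guid>" marker in their RDN.
    $isDeleted = $owner -match '\\0ADEL:'

    # Check that the NTDS Settings object the attribute points to still exists.
    $exists = $false
    if ($owner -and -not $isDeleted) {
        try {
            Get-ADObject -Identity $owner -ErrorAction Stop | Out-Null
            $exists = $true
        } catch {
            $exists = $false
        }
    }

    [pscustomobject]@{
        InfrastructureObject = $dn
        fSMORoleOwner        = $owner
        PointsToDeletedDC    = $isDeleted
        OwnerExists          = $exists
    }
}

$report | Format-List

# Any row with OwnerExists = False is a candidate for the ADSI Edit correction above.
$report | Where-Object { -not $_.OwnerExists } |
    ForEach-Object { Write-Warning "Stale role owner on $($_.InfrastructureObject)" }
```

Running it again after the ADSI Edit changes should show the same fSMORoleOwner value on all three objects, with OwnerExists set to True.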

Monday 27 January 2014

Windows Server 2012 R2 - Virtual hard disk sharing limitations

There is quite a lot written about how good the new "virtual hard disk sharing" feature is in Windows Server 2012 R2, and I agree that it is a very good feature, but there is not as much written about the limitations. When you enable the function it says "Some virtual machine and virtual hard disk features will be disabled when this setting is enabled". Limitations that are already known and published on other blogs are:
  • You cannot do host-level backups of the guest cluster.  This is the same as it always was.  You will have to install backup agents in the guest cluster nodes and back them up as if they were physical machines.
  • You cannot perform a hot-resize of the shared VHDX.  But you can hot-add more shared VHDX files to the clustered VMs.
  • You cannot Storage Live Migrate the shared VHDX file.  You can move the other VM files and perform normal Live Migration.

There are also some limitations for virtual machines managed by VMM:
  • You cannot create a checkpoint on a virtual machine that has shared virtual hard disks.

  • You cannot change properties of a virtual machine with shared virtual hard disks.

However, you can change properties of a virtual machine managed by VMM with PowerShell.

Monday 20 January 2014

KMS server "STATUS_SUCCESS" error

The error message below has to be one of the funniest in a long time ...

So did I succeed or not? It says "Success" but at the same time it's an error. Confusing is surely the least one can say ;)

So what was I doing then? Well, I was about to move / re-install a KMS server on Windows Server 2012 R2 and when I got to the last page and clicked "commit", I got the error message.

The cause of the error, which is also visible in the picture below, is that the wizard does not enter the right "KMS TCP listening port" automatically. The port should be 1688, and if you enter this the wizard goes through.