Problems with Event viewer messages for AX

Quite ofter when I look in the eventviewer I can see issues that the Event ID text does tell me anything other than it is not possible to show the message. I got this today at a customers that is running AX so I descided to find the solution. The error message I got looked like this:

SNAGHTMLa609812

I searched around a bit and found a solutin online… turns out we need to create a registry key pointing to the correct file containing the event text. This could be a exe or a dll file.

Below is a link to the information and the entire solution. The short description is this:

  1. Open regedit and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application
  2. Create a new key called Microsoft Dynamics AX
  3. Create a String Value called EventMessageFile and add the following text:
    C:\Program Files (x86)\Microsoft Dynamics AX\60\\Client\Bin\Ax32.exe

Best Regards

/Johan

Link:

https://stoneridgesoftware.com/ax-event-log-message-the-description-for-event-id-from-source-microsoft-dynamics-ax-cannot-be-found/

Creating a crash dump of a crashing service

Once in a while it happens that processes and services crashes and when they do you will need a dump. There are some ways to do this using for instance Sysinternals ProcDump, but at some of our customers they have policy do log inactive users of the servers and since ProcDump is running interactively that will not work.

Instead you can use Windows Error Reporting to do this and the good thing… it is builtin to Windows. Here is how you do it:

  1. Start Regedit
  2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps (if the LocalDumps key does not exist, just create it)
  3. Create a new key with name of the process you are trying to debug, in my case Ax32Serv.exe
  4. Under the key you just created you create the settings… in my case
    DumpCount = 1
    DumpType = 2
    Which means I want one full dump. The dump will end up in the default directory %LOCALAPPDATA%\CrashDumps (all of these settings are documented in the first link below)

And now we wait…

Links
https://msdn.microsoft.com/en-us/library/windows/desktop/bb787181(v=vs.85).aspx
http://blogs.technet.com/b/kristinw/archive/2012/10/03/procdump-how-to-properly-gather-dump-dmp-files-for-crashes-and-hangs.aspx

Troubleshooting Windows Server Boot Problem

The other day at a customer I had the following problem

One of their physical machines had a problem starting. When trying to boot it went straight to System Recovery Options… not good

I tried all of the alternatives such as Safe boot, Last known good etc to get it to boot… no such luck 🙂

After some research I found the tip to rebuild the  boot records using
bootrec /rebuildbcd. When I tried this I got the following information:

Scanning all disks for Windows installations. Please wait, since this may take a while… Successfully scanned Windows installations. Total identified Windows installations: 0 The operation completed successfully.

So the solution here was to remove the BCD store and then rebuild it like this…

First we back up the BCD Store:

bcdedit /export c:\bcdbackup

Then we need to change change attributes on bcd folder in order to change it

attrib c:\boot\bcd -h -r -s

… and then we rename the bcd store to be able to replace it

ren c:\boot\bcd bcd.old

… and last but not least we recreate it

bootrec /rebuildbcd

Hopefully everything is ok and we get something like this:

Successfully scanned Windows installations.
Total identified Windows installations: 1
[1] C:\Windows
Add installation to boot list? Yes<Y>/No<N>/All<A>:

Which we respond Yes to and then reboot the computer

Links

http://answers.microsoft.com/en-us/windows/forum/windows8_1-windows_install/total-identified-windows-installations-0/52359f87-de4a-41dc-b0c3-cc275e1d9fbf
https://social.technet.microsoft.com/Forums/en-US/01acc1c7-cea6-429d-91ac-9159f3e7d855/windows-server-2008-r2-boots-into-system-recovery-options-after-system-power-offon?forum=winservergen


	

Problems starting a VM in Hyper-V

Today in our lab, when we tried to start one of our VMs we got the following error

‘vm-xx’ could not initialize machine remoting system. Error: ‘Element not found.'(0x80070490).

Surprisingly easy fix:

  1. Shut down or save all virtual machines.
  2. Restart the Hyper-V VMMS.
  3. Start the virtual machines.

clip_image001

/JP

Links:

https://social.technet.microsoft.com/Forums/systemcenter/en-US/c1dd4789-3f1f-403c-b15d-9fce7958db76/could-not-initialize-machine-remoting-system-error-element-not-found0x80070490?forum=virtualmachingmgrhyperv

Nice to know: What is going on during logon

When you are logging onto a Windows machine you will sometimes notice that it is taking a long time… usually you just blame GPOs and move on… If you want to get a hint on what´s taking so long you can set a GPO setting which turns on detailed information during logon

image 

There are two different settings depending on which OS you are running (pre 2008R2/2012 or later)

You will find the setting in gpedit under Computer Configuration – Administrative Templates – System

The setting is called:

Pre 2012: Verbose vs normal status messages

Post 2012: Display highly detailed messages

/Johan

Manage Local Admin Passwords – Additional Comments

Todays work consists of implementing a system for managing local admin passwords for Servers and Workstations in an Active Directory Environment. I have used the method in the following (excellent) article series from the PlatformPFE team at Microsoft.

Part 1 – Overview
Part 2 – Random Password Generation
Part 3 – Secure Active Directory Attribute Update
Part 4 – Update Local Account’s Password
Part 5 – Logging The Update Process
Part 6 – Extending The Active Directory Schema
Part 7 – Managing Local Administrators Passwords

In short this series uses a new attribute in AD (set to confidential) to store the local admin password. The password is changed and written to the attribute using a powershell script which is run on every startup of a computer.

There are some aspects of the solution that where not completely obvious to me so I thought I would write the down so I won’t forget them:

The Confidential attribute is a flag that is set on the attribute which requires not only Read Permissions but also CONTROL_ACCESS to the attribute to be able to read it.

There are some limitations:

  • The confidential flag cannot be applied on most of the default attributes. It is however applied to some default attributes such as Bitlocker Recovery Keys
  • The CONTROL_ACCESS permission is default set for members of administrators and account operators in active directory which means that these users will always have access to to confidential attributes.
  • The CONTROL_ACCESS permission can only be set using LDP.exe (which I will explain later how to do). You will need to do this if you want to allow users not member of  administrators and account operators to access the local admin password

To set the CONTROL_ACCESS permission for the AD-MemberServers OU-Read-Attribute-LocalAdminPWD group (described in the series), do the following:

  1. Start LDP.exe elevated as a Domain Admin User
  2. Connect to your domain controller

    image

  3. Bind LDP to the domain using your user account

    image

  4. Turn on the tree view in LDP

    image image

  5. Browse to the OU where you set up permissions and open Security Descriptor

    image
     

  6. Double-click the ACL you set to open it and check the Control Access box. Click OK when you are done

     image
     
    Note: If you set up the  password solution for Workstations to you will need to repeat the procedure for the workstation OU

  7. Done

Addendum:

To verify if all computers have a local admin password set you can run:

$Filter = {(-not(LocalAdminPWD -like “*”))}
Get-ADComputer -Filter $Filter  -Properties LocalAdminPWD | ft Name,LocalAdminPWD

Links

http://blogs.technet.com/b/craigf/archive/2011/01/26/delegating-access-in-ad-to-bitlocker-recovery-information.aspx
http://blogs.technet.com/b/platformspfe/archive/2014/05/13/part-7-managing-local-administrator-passwords.aspx

AD Demotion

I am currently helping a customer with upgrading all of their old DCs. When I tried to demote one of the DCs I got the following error message:

Title bar text: Active Directory Domain Services Installation Wizard
Message Text:
The operation failed because:
Active Directory Domain Services could not transfer the remaining data in directory partition
DC=DomainDNSZones,DC=<DNS domain name>
to
Active Directory Domain Controller
\\OtherDC
“The directory service is missing mandatory configuration
information, and is unable to determine the ownership of floating single-master operation roles.”

The problem is that each of the application Partitions for DNS has a FSMO and this name is present in more than one place. If these location does not match you will get the above error. To verify that this is actually the problem you can check the following parameters in ADSI Edit:

In ADSI edit connect to Default naming context and browse to CN=Infrastructure,DC=domain,DC=local and verify fSMORoleOwner

Then connect to CN=Infrastructure,DC=DomainDNSZones,DC=domain,DC=local and check that the fSMORoleOwner is the same as above. Perform the same operation for CN=Infrastructure,DC=ForestDNSZones,DC=domain,DC=local

If these do not match up the is a VB Script from MS you can use to fix it:

const ADS_NAME_INITTYPE_GC = 3
const ADS_NAME_TYPE_1779 = 1
const ADS_NAME_TYPE_CANONICAL = 2

set inArgs = WScript.Arguments

if (inArgs.Count = 1) then
    ‘ Assume the command line argument is the NDNC (in DN form) to use.
    NdncDN = inArgs(0)
Else
    Wscript.StdOut.Write “usage: cscript fixfsmo.vbs NdncDN”
End if

if (NdncDN <> “”) then

    ‘ Convert the DN form of the NDNC into DNS dotted form.
    Set objTranslator = CreateObject(“NameTranslate”)
    objTranslator.Init ADS_NAME_INITTYPE_GC, “”
    objTranslator.Set ADS_NAME_TYPE_1779, NdncDN
    strDomainDNS = objTranslator.Get(ADS_NAME_TYPE_CANONICAL)
    strDomainDNS = Left(strDomainDNS, len(strDomainDNS)-1)
    Wscript.Echo “DNS name: ” & strDomainDNS

    ‘ Find a domain controller that hosts this NDNC and that is online.
    set objRootDSE = GetObject(“LDAP://” & strDomainDNS & “/RootDSE”)
    strDnsHostName = objRootDSE.Get(“dnsHostName”)
    strDsServiceName = objRootDSE.Get(“dsServiceName”)
    Wscript.Echo “Using DC ” & strDnsHostName

    ‘ Get the current infrastructure fsmo.
    strInfraDN = “CN=Infrastructure,” & NdncDN
    set objInfra = GetObject(“LDAP://” & strInfraDN)
    Wscript.Echo “infra fsmo is ” & objInfra.fsmoroleowner

    ‘ If the current fsmo holder is deleted, set the fsmo holder to this domain controller.

    if (InStr(objInfra.fsmoroleowner, “\0ADEL:”) > 0) then

        ‘ Set the fsmo holder to this domain controller.
        objInfra.Put “fSMORoleOwner”,  strDsServiceName
        objInfra.SetInfo

        ‘ Read the fsmo holder back.
        set objInfra = GetObject(“LDAP://” & strInfraDN)
        Wscript.Echo “infra fsmo changed to:” & objInfra.fsmoroleowner

    End if

End if

Paste it into a file called fixfsmo.vbs and run it

cscript fixfsmo.vbs DC=ForestDnsZones,DC=domain,DC=local
cscript fixfsmo.vbs DC=DomainDnsZones,DC=domain,DC=local

“The User Profile Service service failed the logon” på Microsoft Exchange

Jag vet inte hur många gånger jag sagt till mig själv att jag skall skriva en post om detta problem

Ibland när man försöker logga in på en Exchange 2010 server kan man få upp följande felmeddelande:

The User Profile Service service failed the Logon
User Profile Cannot Be Loaded

problemet är åtkomst till en fil i användarens profil. Denna kopieras från defaultprofilen så det hjälper inte att ta bort sin profil och skapa en ny.

Filen är:

C:\Users\Default\AppData\Local\Microsoft\Exchange Server\V14\CmdletSqmData3700_100.sqm

Lösningen är ändra rättigheterna på filerna i default profilen till Everyone – Full Control

Edit: flyttade runt lite text då jag inte korrläst ordentligt. Tack Anders A

Back to basics – FSMO Roles

Today in class I hade a student who had a Windows Server 2012 Essentials migration that did nor succeed. The reason was that the FSMO move did not complete.

To list all the FSMO roles using NTDSutil:

   1: ntdsutil: roles

   2: fsmo maintenance: connections

   3: server connections: connect to server [TheNameOfYourDC]

   4: server connections: q

   5: fsmo maintenance: Select operation target

   6: select operation target: List roles for connected server

To seize all the FSMO roles using NTDSutil:

   1: fsmo maintenance: Seize domain naming master

   2: fsmo maintenance: Seize infrastructure master

   3: fsmo maintenance: Seize PDC

   4: fsmo maintenance: Seize RID master

   5: fsmo maintenance: Seize schema master

If you, like in this case, have a broken DC, remember to delete the object from AD Users and Computers and Sites and Services

/Johan