WU client failed Searching for update with error 0x80244018
I installed an ISA Server with a single NIC config and wanted it to hit my internal WSUS server for updates but when i ran a wuauclt /detectnow at the commandline my windowsupdate.log file would give me this erroneous error.
Error Message:
Error:
WU client failed Searching for update with error 0x80244018
Solution:
The Issue is related to the fact the ISA firewall is locked down to the max by default and so its being blocked.
By following this article Link Here
You need to allow http, https and kerberos-sec UDP in a new access rule from localhost to your wsus box and that fixes the errors for a wsus update.
Exchange 2007 Frontend with Exchange 2003 Backend
I’m currently running up a frontend exchange server for push to mobile devices and although my current setup is all 2003 exchange servers I thought maybe this could be the beginning of my 2007 exchange server infrastructure (I’m on Software Assurance don’t worry MS).
I found this article http://msexchangeteam.com/archive/2006/10/09/429135.aspx that describes in the discussions section that its most likely possible to do this, you just won’t get the 2007 functionality to those users on the backend in 2003 exchange servers.
I post this also because this article shows some very valuable info in relation to running 2003 and 2007 exchange servers simultaneously as the changes are very significant.
you do not have security rights to perform this operation - MS Config Manager 2007
When building a lab System Center Configuration Server i came across an odd issue, I accidentally logged in as the local admin when i was building it and when i then tried to login as the domain admin I didn’t have permissions to anything in the SCCM console.
Error Message:
you do not have security rights to perform this operation
Solution:
Log back in as local admin
Expand config manager
Expand site database
Right click site management -> Properties (Security Tab)
and add the appropriate people with rights as per your requirements, in my case i added domain admins and gave them all rights.
Extending your Schema for Microsoft System Configuration Manager 2007
This is a guide for Extending your Schema for Microsoft System Configuration Manager 2007
Root Technet Resource
http://technet.microsoft.com/en-us/library/bb633121.aspx
Note: Windows support tools required for these processes
http://www.microsoft.com/downloads/details.aspx?FamilyId=6EC50B78-8BE1-4E81-B3BE-4E7AC4F0912D&displaylang=en
1. Extend schema with ExtADSch.exe
http://technet.microsoft.com/en-us/library/bb680608.aspx
2. Create sys mgmt container in AD
http://technet.microsoft.com/en-us/library/bb632591.aspx
3. Set Security on the sys mgmt container
http://technet.microsoft.com/en-us/library/bb633169.aspx
4. Publish Config mgr site info
http://technet.microsoft.com/en-us/library/bb680711.aspx
5. Verify site info is published
http://technet.microsoft.com/en-us/library/bb693614.aspx
MSDTC Could Not Correctly Process a DC Promotion/Demotion event. EVENT ID 53258
Installing a fresh windows 2003 R2 install onto a new esx server and then creating a new forest from scratch yielded this error.
I created a brand new domain from scratch and got this error off the bat so i thought it was worth fixing before it got any worse.
Error Message:
EVENTID 53258
Source MSDTC
MS DTC could not correctly process a DC Promotion/Demotion event. MS DTC will continue to function and will use the existing security settings.
One of the Many eventid.net responses helped me out here.
EVENTID Article
1. Click Start -> Administrative Tools -> Component Services.
2. Click the “+” next to Component services to expand it.
3. Right click “My Computer” in the right window pane and select Properties.
4. Click the MS DTC Tab.
5. Click the “Security Configuration” button, a dialog box appears. Click “OK”.
6. Click “OK” on the “My Computer Properties” box; this will take you back to the console.
7. Right click “My Computer” and select “Stop MS DTC” (this stops the MSDTC service.
8. Again, right click “My Computer” and select “Start MS DTC”.
By following the above steps, it appears that this sets the MS DTC defaults resolving the error messages. Check the event log to verify that the problem is gone. You might also want to restart the server to verify this.
SSH to ESX 3.5
Most people only have a root account created and wonder why you cant login via ssh with that, you can get to the ssh console but when you try to authenticate you can’t.
This is due to a security best practice and should not really be circumvented, your best course of action is to create another account and SU yourself up to admin.
If you feel the desperate need to enable root to have ssh abilities into your esx box (really not reccomended) then here it is.
on the service console on the esx box physically type:
vi /etc/ssh/sshd_config
Where you see PermitRootLogin the no needs to be a yes
then type
do service sshd restart
and you are done
Deploying Vista Service Pack 1 (Vista SP1) via WSUS
Well I luckily upgraded our WSUS Server to 3.0 SP1 and ran into a snag where I couldn’t deploy SP1 to our Vista test machines, after some digging I found out that under that version you need to run a patch on the WSUS server retrieving the update. Updating the WSUS server that connects to the internet for updates would never actually retrieve the vista SP1 so you have to run through this.
The full step by step is here http://blogs.technet.com/wsus/archive/2008/03/24/deploying-vista-sp1-into-a-wsus-3-0-server-part-ii.aspx
Or for my trademark cliff notes.
Get this Patch http://support.microsoft.com/kb/938759
Patch your wsus server that connects to the internet for updates (I patched all my WSUS servers to be safe) NOTE: Requires a reboot
Then in the WSUS console under your server right click “Updates” choose “Import”
This will redirect you to the website where you can search for Vista SP1
Pick the standalone pack, click view basket at the top of the page and then import.
Voila Vista SP1 in your shiny new WSUS box.
IIS Service Stuck Stopping
A friend of mine shared a solution to an issue they were having when they tried to update Trends Spam filter and it crashed an IIS service.
When they did the update the IISADMIN Service got stuck in a Stopping state, using the following command restarted all IIS services and fixed the issue.
iireset
iireset
The Microsoft Article detailing this and other switches is below.
http://support.microsoft.com/default.aspx?scid=kb;en-us;202013
The Ultimate MMC Setup
I’m not going to go through everything I use as alot are default and you should be able to sort out remote desktop and standard stuff like event logs on your own, i do however recommend these packs to really spice up your remote mmc goodness.
2003 admin pack
Must be installed before proceeding
http://www.microsoft.com/downloads/details.aspx?FamilyID=c16ae515-c8f4-47ef-a1e4-a8dcbacff8e3&DisplayLang=en
Vista Issue: Note that Vista is a bit broken with this so to get this working with vista and active directory connector (mmc) you need to follow This Guide
Active Directory Admin Pack
http://technet2.microsoft.com/windowsserver/en/library/2218144f-bb92-454e-9334-186ee7c740c61033.mspx?mfr=true
Note: You will need your Server 2003 CD to do this.
Overview:
http://technet2.microsoft.com/WindowsServer/en/library/57adeda2-3e00-4d5e-9b01-cf2bf256912d1033.mspx
Installation instructions
http://technet2.microsoft.com/windowsserver/en/library/57adeda2-3e00-4d5e-9b01-cf2bf256912d1033.mspx?mfr=true
Remote Schema Management
This isn’t in the AD admin pack by default so you need to follow this
http://technet2.microsoft.com/WindowsServer/en/library/8c76ff67-9e9d-4fc7-bfac-ffedee8a04d41033.mspx
Exchange Admin Pack
http://www.petri.co.il/administer_exchange_2003_from_windows_xp_2000_2003.htm
You need to install the admin pack from the exchange cd and I would walk you through it but petri as usual comes through with the goods so if you need a guide on that go to the link
Remote desktop right click addon
Allows you to right click a computer in AD and try to remote control it
http://www.microsoft.com/downloads/details.aspx?FamilyID=0A91D2E7-7594-4ABB-8239-7A7ECA6A6CB1&displaylang=en
needs to be run once on the AD
rcontrol_setup.exe program is run once for the AD to enable the feature
On any computer you want to have this feature on (your admin machines) copy rControl.exe tool and make sure it’s in a locatable path, e.g. %WINDIR% (C:\WINNT for example)
note: I don’t tend to use this feature, i find it easier to just make a section of my MMC with remote desktops setup to all my important servers. I use dameware for remoting to clients as that is much easier and allows for an interactive session.
WSUS
Install .Net Framework 2.0 or 3
http://www.microsoft.com/downloads/thankyou.aspx?familyId=10cc340b-f857-4a14-83f5-25634c3bf043&displayLang=en
Install MMC 3.0
http://www.microsoft.com/downloads/details.aspx?familyid=4C84F80B-908D-4B5D-8AA8-27B962566D9F&displaylang=en
Install Report Viewer
http://www.microsoft.com/downloads/details.aspx?FamilyID=8a166cac-758d-45c8-b637-dd7726e61367&DisplayLang=en
Run the WSUS Setup and just choose the console, nothing else
http://www.microsoft.com/downloads/details.aspx?FamilyId=F87B4C5E-4161-48AF-9FF8-A96993C688DF&displaylang=en
Handy WSUS Commands
When im doing troubleshooting i always find random commands that help me along the way, this is the best of the best for WSUS.
Note: all are done at the commandline unless specified otherwise
wuauclt /detectnow
Explanation: Forcing an update/install of a client against the server, this command will force the client to check for new updates and install them if thats enforced in a group policy.
wuauclt /detectnow /reauthorize
Explanation: A variant that can be used when really trying to update a machine in the WSUS database.
wuauclt.exe /resetauthorization
Explanation: This will reauthorize the machine for WSUS updates,
All commands will create an entry in the windowsupdate.log file this is located in the root of your system root (usually WINNT or WINDOWS), make sure its the one without a space as the ‘windows update.log” file is different.
/ReportNow
Explanation: This will send reports to the report server immediately.
Wsus Not Applying Group Policy Groups(OU’s) To Computers
Computers would not go into groups thanks to this tickbox
http://www.eggheadcafe.com/software/aspnet/30033002/wsus--assign-computers-t.aspx
“3. Open WSUS console, click Options->Computers, select “Use Group Policy or
registry settings on computesr” setting and click OK.”
I had initally set it up using the internal WSUS listings then i changed to using site based OU’s to apply their groups but had forgotten about that tickbox from the initial install.
Installing WSUS 3.0 SP1
So i was installing WSUS 3.0 SP1 and I thought I would put all the links i used here.
You need to download the installer HERE
you will need the .net framework installed before installing this or you will get the following error.
Error Message:
WusSetup.exe – Unable To Locate Component
This application failed to start because mscoree.dll was not found. Re-installing the application may fix this problem.
Ms article related to it HERE
.net Framework download link HERE
Unable To Browse To Sharepoint From Clients
Every now and then a single client will stop being able to browse to sharepoint, they will get a 404 or 504 error or something. Sharepoint works fine for everyone else but whenever this specific client tries to go there its just a plain error, It’s to do with credential caching and heres the solution.
Solution
In IE -> tools->options->security->local intranet->custom level->(scroll to the bottom)->”prompt for user name and password”
Access the site once like this and it will prompt for credentials, enter your correct credentials.
Then set that back to “automatic logon only” in intranet zone
Gpresult On 2003 Native Domain Shows 2000
This did come as a shock to me but due to the age of the application it still only identifies Native 2003 domains as 2000 Domains, so no need to panic like I did and wonder what massive part of your network just broke.
Example gpresult on a native 2003 domain:
------------------------------------------------------------------
C:\>gpresult
Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 27/03/2008 at 11:16:03 AM
RSOP results for domain\user.name on computername : Logging Mode
----------------------------------------------------------------------
OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Domain Name: domainname
Domain Type: Windows 2000
Site Name: sitename
Roaming Profile:
Local Profile: C:\Documents and Settings\user.name
Connected over a slow link?: No
How to find FSMO roles in a Domain
FSMO Roles are extremely important to Active Directory and understanding where they lie and how they all work (eg. some roles only exist once on a domain) should be at the top of your list of “things to know” if you aren’t already well versed on it.
Wiki - FSMO Explained
Windows Networking explain FSMO
Petri explanation of FSMO
I found this Technet Blog to be extremely useful in the most efficient ways to find where your roles lie.
On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.
Type roles, and then press ENTER.
Type connections, and then press ENTER.
Type connect to server
At the server connections: prompt, type q, and then press ENTER again.
At the FSMO maintenance: prompt, type Select operation target, and then press ENTER again.
At the select operation target: prompt, type List roles for connected server, and then press ENTER again.
Type q 3 times to exit the Ntdsutil prompt.
Petri has an article on the matter but i find his ways a little more involved than the technet above from Mark.
I find that no matter how confident I am that I have removed all FSMO from a domain controller before demoting it, I still use this to double check.