Category Archives: Windows General

Unable to access admin shares on a Windows 10 network client with error 0x80070043 (The network name cannot be found)

The Scenario

I’m running Microsoft’s ADMT to migrate a computer from Domain A to Domain B. ADMT requires access to the administrative share \\computera\admin$ to install the ADMT agent locally on the computer.

The affected computer is Windows 10 Enterprise, Version 1607.

The Problem

However, it is unable to access this share (despite being run with domain admin credentials). Additionally I, as a domain admin, cannot access any administrative share on this computer, i.e. c$, admin$ etc. I get an 0x80070043 error:

[Screenshot: admin_share_error]

The Solution

In my case the fault was with the NIC; most of the services had been disabled, preventing remote access to network shares. In my case only the Internet Protocol Version 4 (TCP/IPv4) was enabled.

These are the services that need to be enabled.

[Screenshot: admin_share_error_NIC]

Once these were all checked/enabled I could access all administrative shares.

 

Disclaimer: provided “AS IS” with no warranties and confer no rights


Enable SID History for Active Directory Forest Trusts

The Scenario

I am the System Administrator for a company Myretoun Inc which has the domain myretoun.local. Myretoun Inc have just purchased a rival company Dumyat Ltd. Their domain is dumyat.local. I have been tasked with migrating all Dumyat users over to the Myretoun domain.

Having created the Forest Trust between myretoun.local and dumyat.local I’ve started migrating users from dumyat.local to myretoun.local using Microsoft’s Active Directory Migration Tool (ADMT). As part of the migration process I have migrated SID History along with the users and the groups they are members of.

The problem

Now the Dumyat users are members of myretoun.local, they need to be able to access shares that still reside on servers on the dumyat.local domain. I need to be able to accomplish this using the existing dumyat.local domain security groups and thus the sidHistory attribute of the migrated user and groups.

The Solution

Two NETDOM commands need to be run, one on each side of the Forest Trust.

Disable SID Filtering

By default Windows filters (blocks) the sidHistory attribute from traversing the trust from myretoun.local to dumyat.local. To allow it to traverse the trust you must disable SID Filtering from the domain where the (migrated) users have the sidHistory attribute, which in this case is myretoun.local.

On the myretoun.local domain open a command prompt as a user who is a member of Enterprise Admins group and enter the following command:

Netdom trust myretoun.local /D:dumyat.local /quarantine:No /userD:myretoun\enterpriseadminaccount /passwordD:*

By using /passwordD:* you will be prompted to enter your password when the command runs.

Enable SID History

All the previous /quarantine:No command does is allow the sidHistory attribute to be passed across the trust, but until SID History is enabled on the other (dumyat.local) domain it cannot be used to grant access to resources. To allow this you must enable SID History, again using the NETDOM command.

On the dumyat.local domain open a command prompt as a user who is a member of Enterprise Admins group and run the following command:

netdom trust dumyat.local /D:myretoun.local /enablesidhistory:Yes /userD:dumyat\enterpriseadminaccount /passwordD:*

Once these two commands have been run, allow sufficient time for the changes to be replicated throughout your Active Directory topology before you test access with a myretoun.local user accessing dumyat.local resources.
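To confirm how a trust is actually configured, the trustAttributes bit field on the trust object can be decoded. The following is an added example, not part of the original post or of any Microsoft tool; the helper name Get-TrustSidFilterState and the sample values are assumptions made for illustration, and the flag values are the TRUST_ATTRIBUTE_* bits from MS-ADTS.

```powershell
# Added example: flag values are the TRUST_ATTRIBUTE_* bits defined in MS-ADTS.
$TrustFlags = [ordered]@{
    NON_TRANSITIVE      = 0x1
    UPLEVEL_ONLY        = 0x2
    QUARANTINED_DOMAIN  = 0x4   # SID filter quarantine is on for this trust
    FOREST_TRANSITIVE   = 0x8   # the trust is a forest trust
    CROSS_ORGANIZATION  = 0x10  # selective authentication
    WITHIN_FOREST       = 0x20
    TREAT_AS_EXTERNAL   = 0x40  # forest trust is SID-filtered like an external trust
    USES_RC4_ENCRYPTION = 0x80
}

# Hypothetical helper: turn a trustAttributes integer into a readable SID filtering state.
function Get-TrustSidFilterState {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$TrustAttributes
    )
    $set = @($TrustFlags.Keys | Where-Object { $TrustAttributes -band $TrustFlags[$_] })
    $state = if ($set -contains 'QUARANTINED_DOMAIN') {
        'Quarantined: only SIDs from the trusted domain itself are accepted'
    } elseif (($set -contains 'FOREST_TRANSITIVE') -and ($set -contains 'TREAT_AS_EXTERNAL')) {
        'Forest trust with SID history enabled: sidHistory SIDs are accepted'
    } elseif ($set -contains 'FOREST_TRANSITIVE') {
        'Forest trust, default filtering: SIDs from outside the trusted forest are dropped'
    } else {
        'No quarantine flag: SIDs in sidHistory are accepted'
    }
    [pscustomobject]@{ Trust = $Name; Flags = ($set -join ', '); SidFiltering = $state }
}

# Constructed sample values, not read from a real directory.
Get-TrustSidFilterState -Name 'forest trust, defaults'       -TrustAttributes 0x8
Get-TrustSidFilterState -Name 'forest trust, SID history on' -TrustAttributes 0x48
Get-TrustSidFilterState -Name 'external trust, quarantined'  -TrustAttributes 0x4

# Against a live domain (needs the ActiveDirectory module from RSAT):
# Get-ADTrust -Filter * | ForEach-Object {
#     Get-TrustSidFilterState -Name $_.Name -TrustAttributes $_.TrustAttributes }
```

Running the same decode on a schedule and comparing the result with the expected state for each trust shows when SID filtering has been relaxed on a trust that was not meant to carry SID history.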

 


Microsoft Virtual Machine Converter: Hyper-V 2016 VM Could Not Locate Integration Services Installation Disk Image

The Scenario

I have used Microsoft Virtual Machine Converter 3.1 to convert a VMware VM running Windows Server

The Problem

The conversion completes but produces an error right at the end when it tries to install Hyper-V Integration Services on the guest OS:

Could not locate Integration Services installation disk image

The older Windows Server OS is looking for the C:\windows\system32\vmguest.iso file to mount and install, but it is no longer included in Hyper-V 2016 – with 2016, guest VMs get Integration Services updates directly from Windows Update.

The Solution

The solution is to copy the vmguest.iso file from an existing Hyper-V 2012 R2 installation to the 2016 Hyper-V server. Then mount this ISO to the DVD Drive of the guest VM. Then in the OS of the VM run the installer.

 


Check LDAP DNS Using NSLOOKUP

The Scenario

I have just created an Active Directory Forest Trust between my domain (DomainA.local) and the acquired domain (DomainB.local).

The Problem

I need to be able to confirm that DNS on my domain is able to source the Domain Controllers on the trusted domain using SRV records.

The Solution

Use NSLOOKUP to check if the DNS servers used by the local server can locate the domain controllers on the trusted forest using the SRV records.

Open a Command Prompt and type the following 3 lines:
nslookup
set type=all
_ldap._tcp.dc._msdcs.domainb.local

 


Wifi Security key is incorrect (when it’s not!) – Windows 10 & KB4053579

The Scenario

My Windows 10 Professional (build 1607) has recently installed two updates: KB4049411 and KB4053579.

The Problem

After these two updates were installed and the computer rebooted I could not get my computer to connect to my wifi, it kept failing with the error “The security key is incorrect”.

I knew the key was correct because I was able to access my router from another laptop and confirm the password I was entering was correct. I even tried using the WPS auto-configuration but that didn’t work either.

The Solution

I decided to uninstall both those updates as that was the only change my , starting with KB4053579. After uninstalling this one, and without a reboot, I tried connecting to my wifi, this time it worked without any issue. I didn’t uninstall KB4049411.

I don’t usually like uninstalling updates given they’re meant to secure my device or make it more stable, nor would I normally advocate anyone else doing the same but I really didn’t have a choice here. Please consider the security implications before doing so yourself. I will attempt to reinstall it in a few days once I get my work finished and will post an update here afterwards to let you know the outcome.

 


Hyper-V: Provide Internet Access for VMs with Internal/Private vSwitches

The Scenario

I have VMs configured to use either an Internal virtual switch or a Private virtual switch.

The Problem

As neither an Internal nor a Private virtual switch is bound to a physical NIC, they have no way of getting internet connectivity. This for me is a real problem as I want to connect to the internet to download updates and other files from these VMs.

The Solution

I’ve tested this solution on Hyper-V running on Windows Server 2008 R2 Enterprise, 2012 R2 Standard and Windows 10 Professional. This solution assumes the following:

  1. You have already created a standard Private and/or Internal virtual switch
  2. You have a physical NIC on the Hyper-V host that is already connected to a network that has Internet access.

Step 1: Open the services on the Hyper-V host and select the “Routing and Remote Access” service, enable it and set it to automatically run.

Check also that the “Internet Connection Sharing (ICS)” is set to automatic and is started.

Step 2: Open the Network and Sharing Center (NCS) and open the properties of the physical NIC on the Hyper-V host that is connected to a network that has Internet connectivity. Select the Share tab and enable the “Allow other network users to connect through this computer’s Internet connection” option.

In the drop down menu select the virtual switch Private/Internal NIC which will use this ICS connection. In the NCS a new icon will appear called “Incoming Connections”.

Step 3: Staying in the Network and Sharing Center open the properties of the virtual switch Private/Internal NIC and ensure it has a static IP address. In my tests it was automatically assigned 192.168.137.1/24, but you can assign any address as you require – make a note of this as it is needed in Step 4.

Step 4: For the VMs to use this ICS, log in to them, open their Network and Sharing Center and configure the NIC to have a static IP address in the same subnet. In my example I gave my VM the address 192.168.137.10/24. Finally set the default gateway for the VM to be the IP address of the virtual switch Private/Internal NIC, in my case 192.168.137.1.

In my example I also added the Google DNS server 8.8.8.8 to the DNS settings in the VM, but configure this as fits your requirements.

Step 5: Test you have Internet connectivity. In my example no further configuration was required; I had Internet access immediately.

Important: As this client has got direct Internet access it is advisable to install an anti-virus solution and ensure it is fully patched.

 


AVG 17.5.x firewall blocking Hyper-V VM connections

The Scenario

I have a Windows 10 (v1607) Pro instance with AVG Internet Security 17.5 installed, including the AVG Firewall component.

I have the Hyper-V feature enabled and an Internal Hyper-V vSwitch named “hv-int” which all my VMs use. This vSwitch uses the APIPA 169.254.0.0/16 range.


The Problem

I cannot locally connect to any of my VMs via the Connect option in Hyper-V Manager, the connection just times out after several attempts. When I disable the AVG Firewall it works fine, but I don’t want to permanently disable my Firewall for obvious reasons.

The Solution

By default all local network connections, including Hyper-V vSwitches, are classified as Public. By changing this to the more trusted Private option the local connections are permitted:

Step 1: Open the AVG management console


Step 2: Click the Internet Security option.


 

Step 3: Click the top-right Menu > Settings option – this lists the AVG components installed.


Step 4: Click the left-menu Components option and in the main pane scroll down to the Firewall option. Click Customize.


Step 5: Click the left-menu Network profiles option and in the main pane locate your Hyper-V vSwitch. Change the Profile type from Public to Private. Click OK to confirm the changes and exit out of the AVG console.


Now try launching a local connection to the VM via the Hyper-V Manager; in my case it now worked.

 


WSUS Console Fails to Start: SQL server may not be running

The Scenario

I have WSUS installed on a Windows Server 2012 Standard instance. At the weekend I have installed various updates, including KB3159706.

The Problem

Once KB3159706 is installed the WSUS console will not run, despite both the WSUS Service and Windows Internal Database services running. It keeps reporting the error that the SQL server may not be running, which is not the case.

The Solution

The fault lies with update KB3159706, and there are two options:

Solution 1 (Preferred):

Open an elevated command prompt and type

"C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall /servicing


Wait 1-2 minutes for it to complete…


Enable HTTP Activation under .NET Framework 4.5 Features (I did this in PowerShell, or you can use the Server Manager GUI):

Install-WindowsFeature AS-HTTP-Activation


Finally, restart the WSUS Service

get-service WsusService | Restart-Service

The WSUS console should now launch successfully.

 

Solution 2 (less secure):

You can simply uninstall this update from the Control Panel (Control Panel > All Control Panel Items > Programs and Features > Installed Updates and search for this update, right-click and select uninstall).

 


MBAM Event ID 2: Error code:0x80310052

The Scenario

I have amended the disk partition configuration on my computer, now I need to run the MBAM (Microsoft BitLocker Administration and Monitoring – the enterprise implementation of BitLocker) client in order to encrypt the C drive.

The Problem

The MBAM client launches OK and I can set a PIN, but when I click proceed with the encryption of my C drive it fails with the following error:

[Screenshot: mbam0]

Reviewing the MBAM event logs (Event Viewer > Applications and Service Logs > Microsoft > Windows > MBAM > Admin logs), there is the following associated event:

Event ID: 2

Error Code: 0x80310052

Details: The path specified in the Boot Configuration Data (BCD) for a BitLocker Drive Encryption integrity-protected application is incorrect. Please verify and correct your BCD settings and try again.

The Solution

In my case this is a result of me changing the size of the system partitions, so Windows becomes confused about where it should store the BitLocker BDE files. To repair this complete the following:

  1. Open an elevated command prompt and type: bcdboot %systemdrive%\Windows (requires a reboot but do not do so yet).
  2. Open Explorer, go to C:\Windows\System32\Recovery and rename REagent.xml to e.g. REagent.old.xml.
  3. Reboot computer.
  4. Rerun MBAM client.

 

 
