Category: Windows

KB5009624 Causing Some Domain Controllers to Reboot

Update: This issue has been resolved with new updates released by Microsoft.

Today, I had the pleasure of troubleshooting why a domain controller was continually, and randomly, rebooting itself. Though, rebooting is a light term, when the reality was the server was entering a fault state (aka, crashing) and rebooting to recover. Inspection of the event logs revealed Event ID 1074, which stated:

The process wininit.exe has initiated the restart of computer on behalf of user32 for the following reason: No title for this reason could be found

Reason Code: 0x50006

Shutdown Type: restart

Comment: The system process ‘C:\Windows\system32\lsass.exe’ terminated unexpectedly with status code [blank]. The system will now shut down and restart.

One or two Google searches later, refined to display only from the past week, I found a post where someone figured out that Microsoft Window’s Server 2012 R2 Security Update KB5009624 was the cause of the reboots, further detailed here.

Microsoft did release an emergency out of band update (KB5010794) though it is listed as an Optional update. So if you are not in the habit of installing those optional updates, now is a good time to start.

However, if you don’t want to install that optional update (for whatever reason), this fix is simple enough: either go to Windows Update -> Installed Updates -> and select it and click Uninstall; or, go to Control Panel -> Programs and Features -> View Installed Updates -> and select it and click Uninstall. (Note: a reboot will be required).

Using an Intel NUC as a Server

Some organizations have servers that are old or perhaps they just have a single server. This can pose a problem if they utilize an Active Directory environment. I have seen an organization have only one Domain Controller, which doubled as a file server, which was infected by Ransomware. Luckily, we were able to restore the server from a recent backup. However, not all organizations are lucky. Had there been a catastrophic hardware failure or no good backup, they would have had to rebuild their environment. Another alternative issue is organizations that have several branch offices and thus need a Domain Controller at every location.

Unfortunately, not all organizations can afford another physical server. One solution is to remove them entirely from Active Directory and place them into a workgroup. However, not all organizations want that. As such, another cost-effective solution needed to be found.

Enter the Intel NUC. They are fast, cheap, customizable, but really, they are cheap. Also, depending on the one you buy, they are compatible with Windows Server 2019. They are not ideal as a standalone domain controller, let me be clear on that (unless you operate a home lab). However, they are suitable for branch offices that are interconnected via VPN tunnels, and organizations that have a physical server in place but need redundancy.

Not all Intel NUCs are compatible with Windows Server and those that are pose their own challenges. Through testing, the best and most compatible NUC we have found is the NUC7i5DNHE (we prefer utilizing the Tall version).  The NUC7i5DNHE can be customized with NVMe SSD or a traditional 2.5” SSD or HDD, with up to 32GB DDR4 Memory. Our usual build-out for clients is a 250 to a 1 TB 2.5” SSD and between 8 GB and 16 GB of memory. Regardless of the two options for SSD and memory, these things are fast. With Windows Server 2019 standard installed, we see full patch times, including boot times, to be within 5 minutes. Straight boot times usually fall inside 45 seconds.

Sounds good, right? So what issues have we found? Mainly driver support issues. With the NUC7i5DNHE, two drivers will not work out of the box (nor have we been successful in getting them to work, not that we put much effort into it anyway). The built in WiFi and Bluetooth drivers will not work. However, everything else installs perfectly with Windows Server 2019. We did have Ethernet issues working right with Windows Server 2012 R2, but there are drivers out there if you can find them to manually install via a USB drive. Windows Server 2016 on the other hand was a bit more complicated, so I would avoid that OS entirely if possible. Another note: BIOS updates through windows will not work, so it is best done to update the BIOS through the BIOS itself (which is fairly easy).

Keep in mind, we are using these only as a redundancy domain controller for smaller organizations or organizations with several branches. If one of these units die, it’s trivial and cost effective to order a replacement and have the redundancy restored in a day. Want an extra step of redundancy? Utilize an external HDD to do bare metal backups via Windows Server Backup (or another backup solution of your choice).

We have deployed nearly a dozen of these over the last year in different organizations and each seem to meet the needs of the clients nicely.

Dislike this idea or have questions? Let me know in the comments!

SMTP Stopped Sending Mail to Office 365

Had a client whose SMTP server suddenly stopped sending scan to e-mails to their domain cloud Office 365 e-mail from their on-premise SMTP server. The queue folder quickly filled up with over a hundred e-mails, so what could have caused this problem?

After three days of troubleshooting, I finally figured it out. In the event log, I was seeing the following issue:

A total of three IP addresses were rejecting the mail, which never even left the queue folder to generate a log in the badmail folder. The three IP addresses were ‘207.46.163.42’, ‘207.46.163.74’, and ‘216.32.180.10’. A cursory search on Google revealed these to be Microsoft servers.

Now this worked perfectly just a few days ago, with no error message like it in the event logs prior to the 23rd of January, 2018. Could it really be this simple of a fix? I tried resetting IIS 6.0, started and stopped the SMTP service many time. I added smtp.office365.com as a smart host, I added a relay as detailed in several websites (including Microsoft’s), and I event played with different settings. Nothing worked… but I did notice occasionally a few e-mails would kick off at a time before failing again as I made changes. Now, I can’t say I know a lot about TLS, but it is my understanding that TLS required authentication and had to go across port 587.

Apparently not. I went back into IIS 6.0 Manager and right clicking on SMTP Virtual server and went to properties. Under the delivery tab, I clicked Outbound Security… at the bottom. There I clicked TLS encryption. I made zero other changes.

I clicked OK and then clicked apply. I didn’t even have to restart the SMTP service – all the e-mail in the queue folder cleared out within moments. Finally, a victory. As a final test, I sent test scans to our domain e-mail account from the Xerox SMTP configuration as well as sending another IT technician to send scans at the printers to themselves. It all worked like it should.

I’m not entirely sure why this works, but I would love if someone could fill me in. Remember, it worked days ago, then suddenly it stopped working until I enabled TLS encryption. I did not configure any ports other than 25.

KB4056894 May Break Hyper-V VMs

UPDATE: This issue has since been resolved.

KB4056894 has the potential to break Windows 2008 R2 Hyper-V hosts. The server itself comes up just fine, however the VMs get stuck in restoring mode at 0%. This poses a huge problem. So far this has only happened to one of our host servers with the rest coming up normally (Server 2012, Server 2012 R2, and one other Server 2008 R2 host). So how do you fix this issue? So long as the host comes up, simply uninstall the offending patch and restart. When we did this, the VMs immediately booted back up.

It is interesting to note that at one point Microsoft pulled these patches, but has obviously made them available again. Thankfully, the only issue we have had affected only this one server (so far) out of several hosts and over a hundred VMs. Of course, now Intel recommends that you skip those patches completely.

Random Black Screens with nVidia Graphics Card and Windows 7

For several months, I had dealt with an increasingly frustrating issue with my monitor’s screen suddenly going to sleep. Nothing I could do, aside from unplug it from the desktop and plug it back in, could get it to wake up. It certainly wasn’t a monitor issue (though I had those too), as swapping the monitor resulted in the same behavior. It wasn’t a cable issue, nor was it an issue with Windows power settings. I had narrowed it down to single point of failure – driver issues. My NVIDIA driver kept crashing and its frequency was increasing. It went from only happening in games to happening in Office and general browsing.

I had taken some steps to fix this – reverting to old drivers, installing new drivers from a completely clean slate. Nothing worked. Then I found this thread on the EVGA forums. The thread included details that matches my symptoms, down to the event log. According to that thread, it was an issue between the driver series and Windows 7. Even reverting to old drivers didn’t work as I simply hadn’t gone back long enough, as this issue has plagued the driver series for months.

So, I did what any sane person would do – I upgraded to Windows 10.

It has been two weeks now and not a single crash or blip in the event logs about a driver crash.

Now if you are having a similar issue, what do you do? Upgrading to Windows 10 for free ends December 31st, so after that you will need to pay a hefty sum for a license. I wish I can say I have a fix for users still on Windows 7 (aside from going back long enough on the driver history to avoid the bad drivers), but perhaps the thread above will.

Firewall unable to turn on (Windows Error code 0x80070422)

An odd issue, Windows Firewall was automatically off. This impacted a user who had numerous issues with their computer. The issue wasn’t hard to fix, but was certainly not easy to find a fix for.

A co-worker approached me asking for help to troubleshoot the firewall issue. We employ GPO for the firewall, but to my knowledge we do not disable the firewall.

After looking, it was obvious that this was no GPO that disabled the firewall. However, when we went to enable it we got an error code that the firewall could not be re-enabled, with error code 0x80070422.

 

After some digging, we discovered that the firewall was disabled automatically via Services. We simply had to choose “Automatic” for startup, then start the firewall through Services.

 

Once that was done, we checked back on the firewall. Sure enough, the Firewall was re-enabled. We restarted the computer to ensure that the firewall would automatically start, which it did.

Keep in mind, you must be an administrator to make changes to services.

Input signal out of range when trying to install windows 10

I had an interesting yet frustrating issue pop up after buying a refurbished dell desktop. I wanted to do a fresh install of Windows 10 on the machine so I hooked it all up. The computer I bought only had integrated intel graphics so that is what I plugged my Dell 2412M (1920 x 1200) monitor into. The computer booted up and I could view the bios just fine, but when I booted to the USB drive to install windows, I ran into a problem.

The windows logo would show and then the dots would circle, then the screen would go black and I would get the error message: “Input Signal Out of Range”. Puzzled, I restarted the computer. I again could see the BIOS followed by the windows logo with the rotating dots. Yet again the monitor went dark and displays the same message as before. (Honesty check: the dell displays a different message than input signal out of range, but my second monitor had that message instead).

So I ran downstairs and grab a spare lower resolution monitor sitting in my garage. I brought it up and plugged it in and into the computer. Same message. Weird. So it isn’t the monitor – it’s the computer. Googling the issue brought me to others having this issue, even trying the steps outlined here: https://www.infopackets.com/news/9901/how-fix-windows-10-display-not-compatible-when-upgrading.

Yet the only real fix I could find was to get a graphics card and hope that solves the issue. This was an unacceptable solution as I had a 24-hour turnaround on this build and I wasn’t in the mood to shop at several stores to try to find a low-wattage low profile graphics card that wouldn’t be sold at rip off prices.

The fix ended up being pretty simple though – when I plugged in the second monitor I didn’t bother to restart the computer – I just did a straight swap. So this time I turned off the computer, swapped the screens, and turned the computer back on. Voila. Success.

This might not fix your problem, after all who else has multiple monitors just sitting around? But maybe there is someone out there who this helps.

Unable to Add Account in Windows 10 – A Workaround

Had a particular issue today while working on a troublesome Windows 10 machine. A user wanted to create a new user account, however the add an account button was not working. When clicked, the button would do its animation but nothing occurred. There is a way to bypass this issue:

  1. Press the Windows Key + R
  2. Type (sans quotations) “control userpasswords2” – Click Okay
    run username
  3. Click on “Add” under the users’ tab
  4. Click the option “Sign-in without a Microsoft account”
  5. Click on Local Account
  6. Create a login name for the new user
  7. Create a password if you choose
  8. Click Apply then okay.

You can also use the same method to remove old accounts or to change the account to an administrator account (by selecting the user account and then click properties).

If you have another way, or a permanent fix, drop a comment below!

Windows 7 Stuck on Checking for Updates? Use the Windows 7 Update Readiness tool.

Windows 7 may be dead (at least according to Microsoft), but I have found myself still working on many Windows 7 machines. I also still end up with the occasional new computer that I am tasked to bring up to date and deploy for a client.

One particular issue I have found with either new Windows 7 computers or fresh Windows 7 installs is when I begin the computer’s first check for updates. Often it will take between one to three hours for the computer to go from Checking for Updates to actually having updates to install.

However, there have been a few times (including a machine I am working on now) where Windows 7 Updates is stuck on ‘Checking for Updates’. It doesn’t seem to matter how long it runs for, it will always stay at ‘Checking for Updates’.

The first time I ran across this mess I ran it for three days before calling it quits. I have had computers take a few hours to find updates before, but after three days then you know it’s a lost cause.

Thankfully there are a several ways of fixing this, but for now I will just cover the two that has consistently worked for me.

Update Windows Update Agent

This one can be a fairly quick fix. Simply download the update agent and run it. This has worked a couple of times for me, however if that fails then it’s time for the Windows Update Readiness Tool.

The Windows 7 Update Readiness Tool

This tool isn’t the easiest to find. As a matter of fact, it’s buried below all the other Microsoft support pages for Windows 7 Update issues. Despite the various standalone FIXIT programs they offer, this tool has worked every time where the others fail.

Simply download the tool and run it. Be warned – this will take a very long time as the software scans the updates on the system and searches for updates that are needed. Even on a machine with 12GBs of RAM and a speedy SSD, it took over an hour for the scanner to do its job. Worst case, you can probably run it overnight.

Once the tool does its job, simply follow the prompts and install the updates.

It should be as simple as that! Granted there might be a different update issue you are having than the one I listed here. Unfortunately I do not have the answers for them all I’m afraid, but this one is one that hopefully helps for those whose updates get stuck on ‘Checking for Updates’.

Do you have any questions or tips? Comment below!