Tuesday, June 27, 2017

Replacement Motherboard causes DC server to not allow login.

Recently I had a server that had to have a motherboard replaced. It was a Dell server for anyone who cares. I won't go into the drama around this issue, but basically the Windows Server 2012 was forcing the time on the server. We thought it was the motherboard BIOS doing it but actually it was the Windows OS.

The main issue here is the would reboot, and the time would be January, 1, 1981, or some weird number.

Needless to say since this was a Domain Controller and the time from when it was last on and the new time are soooo off, it would not let you log in.

To fix this, just boot into safe mode, log in, change the time and then reboot the system.

Problem solved.

Server 2012 R2 Evaluation won't register

Building new server you run into things sometimes that are annoying or weird. One of those can registration and activation. 

Building some new 2012 R2 Standard server and I couldn't register the server. It kept saying the activation code was wrong. 

Well there is a VERY easy fix for this. 

I found it here.

Run this code to change it from evaluation.

DISM /online /Set-Edition:<edition ID> /ProductKey:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX /AcceptEula

Change <edition ID> to the edition you have the licence for eg.

DISM /online /Set-Edition:ServerStandard /ProductKey:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX /AcceptEula

You will need to reboot, so keep that in mind. 

The one thing that the source where i found this doesn't tell you is, you still need to activate your server with your key. 

So go to the Server Manager > Local Server > Properties > Click Activate next to Product ID > Enter your information.


Thursday, December 8, 2016

Fresh Windows 7 install won't update

Fresh Windows 7 install won't update

If you have installed a fresh Windows 7  recently you might have run across an issue where it won't finish running Windows Update. It just hangs and runs and churns and seems to never finish. There is a resolution, and it was ultimately found at https://www.bleepingcomputer.com/forums/t/607544/windows-could-not-search-for-new-updates/

Here is the resolution and break down of that forum update.

The Resolution

I won't go into why this doesn't work, or how MS screwed up, I will just put the fix here. 

  1. Install SP1 if you haven't, and restart.
  2. Install the latest windows update, use Method 2 where you just download and install the update, and restart.
  3. Install Update for Windows 7 for x64-based Systems (KB3102810), and restart.
  4. Last install IE 11, and restart.

After all the restarts and the installs try and run Windows Update again.

NOTE it will still take what seems like for ever still, this is because it's downloading over 200 updates to your machine. 

Hope this helps. Let me know if this does or doesn't work, I would like to know and I am sure other will also. 

Wednesday, February 24, 2016

Quasi-Failover DHCP 2008 R2

I was given a client recently that was running out of IP addresses on their DHCP server. 

After some investigation I discovered that they had 2 DHCP server on the same AD and on the same network. Let say the network is, it had a subnet mask of No really it does have that subnet mask. Anyways, the 2 DHCP servers are giving out the same scope of - DHCP1 was giving an exclusion of - and DHCP2 had an exclusion of 192.168.170 - 254. Of course there were other exclusions for servers and printers but you get the point. 

After looking a little bit deeper I noticed that the DHCP1 server was not giving out any leases. This didn't make sense until I fully thought about what was happening here. 

The reason DHCP2 server was the only one giving out IP addresses is because it is, for lack of a better term, faster. The reason is because once a machine has made contact with a DHCP server, even if it’s out of addresses, it will NOT try a different DHCP server. It will keep  trying that same DHCP server for an address. This is why the DHCP1 is not giving out leases, its to slow to answer. 

So, since DHCP2 is always the fastest, it always replies first, even if its full. The one way of testing, and verifying, this is to turn off the DHCP2 services on DHCP2, momentarily, and do a request for an address from a device. Then look at DHCP1 to see if it gave out the address to that device. Of course we tested this and it worked as I expected. 

Doing an “ipconfig /release” and then an “ipconfig /renew” on a computer would give you the request needed for testing. I would not do this on a computer that already has an address that you need to use to turn the DHCP services back on, maybe do this on a temp PC.

So basically in this configuration there is a quasi-failover DHCP system in place. If DHCP2 is offline then DHCP1 would pick up and start handing out addresses. Of course this is not the best way to setup a failover DHCP environment, but, it kinda works. Here is the correct way:

I hope this helps someone in their endeavour of trying to figure out why a DHCP might not be giving out leases. 

New-MailboxExportRequest not recognized

If you go and try to use New-MailboxExportRequest and get "New-MailboxExportRequest' is not recognized as the name of a cmdlet.  That's because your user is not part of the ManagementRole.

To fix this run the below command in PowerShell from the Exchange server.

New-ManagementRoleAssignment -Role "Mailbox Import Export" -user UserName

UserName is the that you are using to run the command new-mailboxexportrequest.

Log out then log back in and you should be fine to to go.

Solution found at:

Monday, February 8, 2016

Trojan-Downloader.Win32.VB.eql (Translated)


Translated from

Technical details

This Trojan downloads without your knowledge on your computer other software. The program is a Windows application (PE EXE-file). Its size is 1509125 bytes.


Once launched, the Trojan copies its body to the Windows system directory under the name "WINSP00L.EXE":
% System% \ WINSP00L.EXE
To start automatically each time you start the system, the Trojan adds a link to its executable file in the system registry:
[HKLM \ Software \ Microsoft \ Windows \ CurrentVersion \ Run]
"WINSP00L" = "% System% \ WINSP00L.EXE"


Once launched, the Trojan extracts from its body to the catalog "E_4" in the temporary directory of the current user the following files:
% Temp% \ E_4 \ krnln.fnr - 1110016 bytes
% Temp% \ E_4 \ shell.fne - 61440 bytes
% Temp% \ E_4 \ eAPI.fne - 335872 bytes
% Temp% \ E_4 \ internet.fne - 196608 bytes
% Temp% \ E_4 \ spec.fne - 86016 bytes
% Temp% \ E_4 \ RegEx.fne - 167936 bytes
% Temp% \ E_4 \ dp1.fne - 126,976 bytes
% Temp% \ E_4 \ com.run - 278528 bytes
Then copy them to the Windows system directory under the same name:
% System% \ krnln.fnr
% System% \ shell.fne
% System% \ eAPI.fne
% System% \ internet.fne
% System% \ spec.fne
% System% \ RegEx.fne
% System% \ dp1.fne
% System% \ com.run
In addition, it removes the Windows system directory files:
% System% \ ul.dll - 2404 bytes
% System% \ og.dll - 692 bytes
% System% \ og.edt - 512 bytes
After completing these steps, the Trojan accesses the following address:
http: //www.*****base.cn/install.htm pn = M080410?
At the time of writing, this link was not working. The file is located on this link is stored in the temporary Internet files directory and launched for execution. Filename - random. And also drawn to the following address:
After that, remove the file from its body with a name composed of the current date and time, for example 20090929153554.exe and places it in the Windows system directory:
% System% \ 20090929153554.exe
This file has a size of 9216 bytes. 
The extracted file gets executed and then deleted. 
In addition, the Trojan spreads via removable media under the name "Recycled.exe". "Autorun.inf" file is also created to automatically run the Trojan file in the root directory of removable media.

Removal Instructions

If your PC was not protected by Antivirus and got infected with this malware, then remove it, proceed as follows:
  1. Using Task Manager to terminate the Trojan process:
  2. Delete the original Trojan file (its location on the infected computer will depend on how the program originally penetrated the victim machine).
  3. Delete the copy of the Trojan:
    % System% \ WINSP00L.EXE
  4. Remove files and directories created by the Trojan:
    % Temp% \ E_4 \ krnln.fnr
    % Temp% \ E_4 \ shell.fne
    % Temp% \ E_4 \ eAPI.fne
    % Temp% \ E_4 \ internet.fne
    % Temp% \ E_4 \ spec.fne
    % Temp% \ E_4 \ RegEx.fne
    % Temp% \ E_4 \ dp1.fne
    % Temp% \ E_4 \ com.run
    % Temp% \ E_4
    % System% \ krnln.fnya
    % System% \ shell.fne
    % System% \ eAPI.fne
    % System% \ internet.fne
    % System% \ spec.fne
    % System% \ RegEx.fne
    % System% \ dp1.fne
    % System% \ com.run
    % System% \ ul.dll
    % System% \ og.dll
    % System% \ og.edt
    Remove key registry :
    [HKLM \ Software \ Microsoft \ Windows \ CurrentVersion \ Run]
    "WINSP00L" = "% System% \ WINSP00L.EXE"
  5. Check removable media for files:
    In case of detection - remove them.
  6. Clear Temporary Internet Files directory, containing infected files ( How to delete infected files from Temporary Internet Files folder? ):
  7. And perform a full scan of your computer with Kaspersky Antivirus Update your antivirus databases ( download a trial version ).

Tuesday, February 2, 2016

Robocopy to the backup rescue

Robocopy to the backup rescue

So recently I had a client that had a SBS 2008 box that had a RAID issue. It had what known as a Punctured RAID , I will call it PR in this post. You can more on that here: http://www.dell.com/support/Article/us/en/04/438291/EN. The wonderful thing about a PR is they rear their ugly head till its too late. Well this client was too late.

The main reason I found out about this PR is that this clients Backup Exec kept failing. After fighting with the Backup Exec for over a week I finally found in the error logs something about this PR. This is what was making the Backup Exec fail. I could get into a lengthy discussion on this and at some point in time I might do that. 

Needless to  say because we couldn't use anything we threw at this server to back it up with out failing, and we tried a lot of options, I decided to use robocopy to try and keep at least a file level backup running for this server till we came up with a final solution for this issue. 

So this is the script I ended up making. I ran this as a nightly scheduled task with System user privileges. 

I know the script is kinda hacky and could be written better and more efficiently but it has a lot going on in it and I wanted to share. 

So basically it stops some services, robocopys files to an external drive then starts the services back up. 

With the mir option in the robocopy it made the copy very fast every night because it only grabbed what had been modified.

I used "net stop" and "net start" for some of the services.
I also used Powershell command Stop-Service  and Start-Services to start/start other services.

I broke out the main directories in the c: drive so that i could log what was happening in each directory when the robocopy ran.
In the robocopy sections I used the options:
/MIR :: MIRror a directory tree (equivalent to /E plus /PURGE).
/XJD :: eXclude Junction points for Directories.
/R:n :: number of Retries on failed copies: default 1 million.
/W:n :: Wait time between retries: default is 30 seconds.
/TEE :: output to console window, as well as the log file
/LOG:file :: output status to LOG file (overwrite existing log).

net stop msexchangeadtopology /y
net stop msftesql-exchange /y
net stop msexchangeis /y
net stop msexchangesa /y
net stop iisadmin /y

PowerShell.exe -Command "Stop-Service *sql* -Force"

robocopy "c:\Boot"  "F:\Backuprobocopy\Boot" /MIR /XJD    /w:1 /r:1 /V /tee /log:"f:\backuprobocopyBoot.log"
robocopy "c:\dell"  "F:\Backuprobocopy\dell" /MIR /XJD    /w:1 /r:1 /V /tee /log:"f:\backuprobocopydell.log"
robocopy "c:\drivers"  "F:\Backuprobocopy\drivers" /MIR /XJD    /w:1 /r:1 /V /tee /log:"f:\backuprobocopydrivers.log"
robocopy "c:\ExchangeSetupLogs"  "F:\Backuprobocopy\ExchangeSetupLogs" /MIR /XJD    /w:1 /r:1 /V /tee /log:"f:\backuprobocopyExchangeSetupLogs.log"
robocopy "c:\inetpub"  "F:\Backuprobocopy\inetpub" /MIR /XJD    /w:1 /r:1 /V /tee /log:"f:\backuprobocopyinetpub.log"
robocopy "c:\OpenManage"  "F:\Backuprobocopy\OpenManage" /MIR /XJD    /w:1 /r:1 /V /tee /log:"f:\backuprobocopyOpenManage.log"
robocopy "c:\PerfLogs"  "F:\Backuprobocopy\PerfLogs" /MIR /XJD    /w:1 /r:1 /V /tee /log:"f:\backuprobocopyPerfLogs.log"
robocopy "c:\Program Files"  "F:\Backuprobocopy\Program Files" /MIR /XJD    /w:1 /r:1 /V /tee /log:"f:\backuprobocopyProgram Files.log"
robocopy "c:\Program Files (x86)"  "F:\Backuprobocopy\Program Files (x86)" /MIR /XJD    /w:1 /r:1 /V /tee /log:"f:\backuprobocopyProgram Files (x86).log"
robocopy "c:\ProgramData"  "F:\Backuprobocopy\ProgramData" /MIR /XJD    /w:1 /r:1 /V /tee /log:"f:\backuprobocopyProgramData.log"
robocopy "c:\Scripts"  "F:\Backuprobocopy\Scripts" /MIR /XJD    /w:1 /r:1 /V /tee /log:"f:\backuprobocopyScripts.log"
robocopy "c:\Shared Data"  "F:\Backuprobocopy\Shared Data" /MIR /XJD    /w:1 /r:1 /V /tee /log:"f:\backuprobocopyShared Data.log"
robocopy "c:\Users"  "F:\Backuprobocopy\Users" /MIR /XJD    /w:1 /r:1 /V /tee /log:"f:\backuprobocopyUsers.log"
robocopy "c:\Windows"  "F:\Backuprobocopy\Windows" /MIR /XJD    /w:1 /r:1 /V /tee /log:"f:\backuprobocopyWindows.log"
rem robocopy "c:\WSUS"  "F:\Backuprobocopy\WSUS" /MIR /XJD    /w:1 /r:1 /V /tee /log:"f:\backuprobocopyWSUS.log"

net start msexchangeadtopology /y
net start msftesql-exchange /y
net start msexchangeis /y
net start msexchangesa /y
net start iisadmin /y

PowerShell.exe -Command "Start-Service -name """MSsql*""" " 

PowerShell.exe -Command "Start-Service -name """MSExchange*""" "

PowerShell.exe -Command "Start-Service -name """BackupExec*""" "