Troubleshooting Error 0xC004F042 after installing new KMS key

We recently installed KB 2757817 on our Server 2008 SP2 KMS host to support Server 2012 installations. Following the instructions, we used the slmgr script to install the new Server 2012 product key and activate the KMS host. However, after doing so, attempting to activate a Server 2012 client using slmgr /ato gave us error 0xC004F074 suggesting that it could not contact the KMS server. After ensuring that the KMS server was accessible from the client and that the DNS records were registered properly, I checked Event Viewer on the client and found this entry:

Log Name: Application
Source: Microsoft-Windows-Security-SPP
Date: 10/14/2012 11:24:07 AM
Event ID: 12288
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: client.domain.com
Description:
The client has sent an activation request to the key management service machine.
Info:
0xC004F042, 0x00000000, kmshost.domain.com:1688

According to KB 938450, this error indicates a mismatch between the client and server KMS keys; however, the KMS host was correctly reporting the key as VOLUME_KMS_2012_C. I found a thread that suggested removing the key, rebooting, installing the key, activating, and rebooting again to resolve a similar issue with 2008 R2. Given that this is a production system, rebooting outside of a maintenance window isn’t possible; however, that gave me the idea that the KMS service may cache the key. Sure enough, after restarting the Software Licensing service on the KMS host, we could successfully activate Server 2012 client systems.

VMWare False VM Snapshot Size Alarm

Just finished troubleshooting an issue with a false alarm being triggered in vCenter after upgrading to vCenter 5.1. We have a custom alarm defined that warns if a VM has a snapshot larger than 15GB and alerts if it’s larger than 25GB. After the upgrade, all VMs were triggering that alert even though they did not have snapshots that large; even VMs without any snapshots were triggering it. Turns out this is a known issue with vCenter 5.1.0 (799731). The workaround is to set the warning threshold to something less than 15GB and the alert threshold to something less than 20GB (we used 14GB for warning and 19GB for alert).

Must have addons for Windows 8

I recently upgraded both my desktop and MacBook Pro to Windows 8. I was a bit reluctant since I rely heavily on the desktop experience of Windows 7 for work. While the Metro UI is great for tablets, I’ve found it cumbersome to use as a desktop. I started pinning items to the taskbar with Windows 7, so using that same functionality in Windows 8 has made things a lot easier. Here are a few recommendations to make your Windows 8 system more desktop friendly:

1. Windows 7 style start menu. My preference is Start8 from Stardock. It’s a simple install and works flawlessly. Performance is excellent and, with the exception of right-clicking on Computer to get to the System applet in Control Panel, it works exactly like the Windows 7 start menu.

2. Gadgets. I was apparently one of the few users who liked and relied upon gadgets. There are so many things vying for my attention on my desktop that gadgets were a great way for me to watch system resources, server response times, and Twitter updates, and to access music quickly. There are a few solutions available over at ghacks.net, but my favorite is the 8Gadget Pack. It includes a bunch of the gadgets I already used, and it’s a clean install rather than dumping pre-RTM bits on an RTM system. One drawback is that it’s a Vista-style sidebar instead of Windows 7 style, but nearly all of my gadgets (All CPU Meter, Drives Meter, Remote Desktop Gadget, Server Ping, Tweetz, and my own WAAF Gadget) worked without issue. I couldn’t get the in-box RSS reader to work, but that could be because I’m using the Office 2013 preview.

3. Media Center. Again, I must have been one of the few users who loves this feature. While it’s not completely going away in Windows 8, it’s no longer in-box. Furthermore, it’s not available until October 26th, which makes no sense to me. Since I’ve already upgraded my laptop to Windows 8 and I rely on Media Center to connect up my OTA antenna so I can get out-of-market NFL games from distant stations, I needed a workaround. Luckily, Tom Keating has a great blog post describing his attempts at Installing Media Center in Windows 8 Pro RTM. While I don’t recommend using a pirated key, this *should* get you by until the 26th, when you can revert back to your existing key. I should mention that initially I had installed using the Windows 8 Pro VL media from my MSDN subscription, and that “Add features to Windows 8” is ONLY available in the Retail version. So I had to re-install the OS on both my laptop and desktop using the proper media to get that option to even show up.

4. Acrobat Reader. I thought having an in-box PDF reader would be an awesome addition to Windows 8, until I found out that it’s Metro only. So that means when I need to open up invoices so I can enter them into an Excel spreadsheet, I have to keep switching between Metro and Desktop. Highly annoying and extremely unproductive. You’ll still need Adobe’s Acrobat Reader if you plan on actually using PDFs.

Have favorite tools/tweaks for your Windows 8 installation? Post them in the comments section.

Features on Demand in Server 2012

Windows 8 and Server 2012 introduce a new concept of Features on Demand whereby each installation contains only basic components. Adding new components requires the OS to gather source files from an external location for installation. This is a move away from Server 2008 and Server 2008 R2 where an installation contained everything necessary to service the installation. When adding new features, Windows would simply use its locally cached installation sources.

This was a great concept for home users, who no longer needed to worry about having source media, and it resolved a lot of problems for IT administrators having to deal with missing files for patching. The problem was that it drastically increased the size of every installation in the datacenter, chewing up tons of unneeded space. With Server 2012, Microsoft has found a decent balance between the two, provided you configure your environment appropriately.

By default, Server 2012 will go out to Windows Update any time it’s looking for a feature for which it does not have the source files. For example, a common feature that many programs still use for which Windows does not cache installation files locally is the .NET Framework 3.5. Under normal circumstances, you’ll simply use Server Manager to add the new features and never notice the difference. However, if you have a WSUS configured or if the server does not have Internet access, you might see the following error:

Update NetFx3 of Package Microsoft .NET Framework 3.0 failed to be turned on. Status: 0x800f0906.

The error means that Windows was unable to find appropriate source installation files to add the feature. This is because WSUS doesn’t currently support the new Features on Demand functionality in Server 2012. There are a few ways to workaround this issue.

First, you can specify a source from the command line using the /Enable-Feature and /Source switches of the DISM tool (or the -Source parameter of the Install-WindowsFeature PowerShell cmdlet). You can then point to the X:\Sources\Sxs directory on the installation media to proceed with the installation. The GUI will also allow you to specify this alternate source via the Add Roles and Features Wizard, through a yellow warning banner on the confirmation screen.

Second, you can use a GPO or modify the registry to tell Windows to bypass your WSUS server and go directly to Windows Update when servicing your Server 2012 installation. There are two REG_DWORD values that control this behavior, located under [Software\Microsoft\Windows\CurrentVersion\Policies\Servicing]. The first is UseWindowsUpdate: setting this to 2 tells Windows to NEVER go to Windows Update for enabling features. The second is RepairContentServerSource: setting this to 2 tells Windows to go to Windows Update for repair source only (does not affect servicing). Both of these can be controlled via GPO (new Servicing.admx template) under Computer Configuration > Administrative Templates > System > Specify settings for optional component installation and component repair.

Last, you can use a GPO or modify the registry to point Windows to a list of installation source locations – similar to functionality in Server 2003 and XP. These can either be a copy of the X:\Sources\Sxs directory from installation media, or the actual WIM file (either install.wim from installation media or a copy of your company’s customized WIM image). Again, the value is located under [Software\Microsoft\Windows\CurrentVersion\Policies\Servicing]. Setting the REG_EXPAND_SZ value named LocalSourcePath allows you to specify one or more installation source locations (separated by a semicolon). To point to a WIM file, use the following format:

WIM:[path to wim]:[index]

You must specify the index so Windows knows where to find the appropriate installation files for your Server 2012 instance. The nice thing about using a WIM file is that you can perform offline servicing of the image to ensure that it always contains the latest patches and updates.
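Putting the three approaches together in PowerShell, as an added example (not from the original post); it assumes a file share \\fileserver\images\2012 holding a copy of the installation media's sources\sxs folder and install.wim, and that image index 2 is the edition being serviced, both of which you would adjust for your environment:

```powershell
# Added example, not from the original post. Assumes \\fileserver\images\2012 holds a copy
# of the media's sources\sxs folder and install.wim; change the paths for your environment.
$servicing = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Servicing'
if (-not (Test-Path $servicing)) { New-Item -Path $servicing -Force | Out-Null }

# Confirm the image index first: the index must match the edition you are servicing,
# otherwise Windows cannot find the right component files in the WIM.
Get-WindowsImage -ImagePath '\\fileserver\images\2012\install.wim' |
    Select-Object ImageIndex, ImageName

# Third approach from the post: a semicolon-separated list of sources, with WIM entries
# in the WIM:[path]:[index] format (index 2 is a placeholder; use the ImageIndex shown above).
# REG_EXPAND_SZ corresponds to the ExpandString property type.
$sources = '\\fileserver\images\2012\sources\sxs;WIM:\\fileserver\images\2012\install.wim:2'
New-ItemProperty -Path $servicing -Name LocalSourcePath -PropertyType ExpandString `
    -Value $sources -Force | Out-Null

# Second approach: fetch repair content from Windows Update directly instead of WSUS (2).
New-ItemProperty -Path $servicing -Name RepairContentServerSource -PropertyType DWord `
    -Value 2 -Force | Out-Null

# Read the values back so a typo in a path is caught before the next feature install.
Get-ItemProperty -Path $servicing | Select-Object LocalSourcePath, RepairContentServerSource

# First approach: an explicit source for a single install (NET-Framework-Core is .NET 3.5).
# The servicing stack reads the share as the computer account, so the share needs read
# access for the computer account, not just for your user account.
Install-WindowsFeature -Name NET-Framework-Core -Source '\\fileserver\images\2012\sources\sxs'
```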

Error creating Server 2012 cluster on 2008 domain

We worked with Microsoft extensively throughout the Server 2012 TAP program providing feedback in various areas. We encountered an issue late in the program when creating a Server 2012 cluster on our production domain. We did not see this same issue in any lab environment, or in our development environment which mirrors production.

When attempting to create the cluster, the wizard would fail when creating the AD objects. We confirmed that the user had proper permissions, and did not encounter the same issues creating 2008 or 2008 R2 clusters on our production domain. After working with Microsoft, they recommended we install KB 976424 on our production domain controllers. After installing this hotfix and rebooting all of the domain controllers, we were able to create a Server 2012 cluster on our 2008 domain without issue.

Cisco VPN Client on Windows 8

Just upgraded my late 2007 MacBook Pro Boot Camp partition to Win 8 RTM and was in the process of re-installing several apps. The Cisco VPN Client we use to connect to our corporate network was a bit finicky. There are a few workarounds to get it running on Win8.

First, you need to fix the following registry key to resolve error 442 Unable to enable virtual adapter:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CVirtA\DisplayName

It will be set to something like “@oem8.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter for 64-bit Windows” – drop everything before “Cisco Systems” from that value.

Next, when using certs, you cannot use your certificate from the local user store. Rather, import the certificate to the local computer store and delete it from your user store. This should resolve error 403 Unable to contact the security gateway.

Patching Server 2012 using Solarwinds Patch Manager

**UPDATE: Microsoft released KB 2734608 on August 24th, 2012 that describes a patch for WSUS 3.0 SP2 to support Windows 8 and Server 2012 which makes this procedure unnecessary unless you want to take advantage of new features supported in WSUS on Server 2012.

**NOTE: The configuration described here is not supported by SolarWinds.

With Server 2012 RTM around the corner, we’re working diligently to ensure that our infrastructure is configured appropriately to support it. Part of the excellent service OrcsWeb provides is managed Windows patching for all of the systems on our network. We pride ourselves in ensuring the best possible hosting experience, so deploying Microsoft critical and security patches in a timely manner is a must.

In order to patch a Server 2012 system, you must use a Server 2012 system running the WSUS role; WSUS 3.0 SP2 will not work with Server 2012. The reason is an incompatibility between the Windows Update client on Server 2012 and the WSUS server. That being said, a Server 2012 system running the WSUS role can provide updates to Windows Server 2003, Server 2008, Server 2008 R2, and Server 2012 clients, provided they have the client update of KB 2720211. Using GPOs, you could then configure your systems to connect to your WSUS server and patch themselves during an appropriate window. We utilize Solarwinds Patch Manager (formerly EminentWare Extension Pack) to complement WSUS for our environment. It provides additional functionality like the ability to publish 3rd party updates via WSUS (for Dell firmware & drivers, or Adobe updates for instance) and pushing patches during discrete windows, something our customers have asked for time and again.

Unfortunately, even the current beta version of Patch Manager (version 1.8) cannot be installed on Server 2012 (at the time of this writing), so that leaves us without a fully supported way of patching our Server 2012 systems. That being said, anyone in the IT industry knows *supported* and *it works* are two completely different concepts. Using a decentralized architecture, we are able to leverage a Server 2012 system running the WSUS role and Patch Manager 1.8 beta running on Server 2008 R2 with the WSUS 3.0 SP2 console to successfully patch Server 2012 clients.

I’ve outlined the steps below to accomplish this:

  1. Install the WSUS role on a Server 2012 system (we’ll call this WSUS-SERVER).
  2. Configure WSUS-SERVER to synchronize updates and arrange computers into groups like you would in previous versions of WSUS.
  3. Configure a GPO for domain clients to use WSUS-SERVER to receive updates.
  4. Install the WSUS 3.0 SP2 console on a Server 2008 R2 SP1 system (we’ll call this PATCH-SERVER).
  5. Connect to WSUS-SERVER from the WSUS 3.0 SP2 console on PATCH-SERVER.
  6. Install Patch Manager 1.8 Beta on PATCH-SERVER.
  7. During the configuration of Patch Manager, select WSUS-SERVER as your WSUS server and DO NOT configure 3rd party updates (unfortunately, 3rd party update publishing does not work because of the console version mismatch).

The WSUS 3.0 SP2 and Patch Manager consoles will incorrectly report the Operating System version as Windows Server 2003 x64 Edition, even though the systems are running Server 2012 RC (8400).

The WSUS console on Server 2012 will show the correct OS version:

Server 2012 clients can be included in standard Patch Manager jobs like any other client.

Happy Patching!

WSUS and update download failure 0x80244017

Recently configured WSUS on Server 2012 RC for a lab environment in preparation for RTM and ran into a configuration problem. Clients were failing to download updates and reporting error 0x80244017. After ensuring my RC installation was updated with KB 2627818 and that the clients had KB 2720211, I double checked that clients could access the WSUS site: https://wsusserver:8531/ClientWebService/client.asmx (you’ll receive a YSOD .NET error if you load that in a web browser; that’s normal). The C:\Windows\WindowsUpdate.log file contained the following error information:

WARNING: Download job failed because of proxy auth or server auth.
Error 0x80244017 occurred while downloading update; notifying dependent calls.

After some brief troubleshooting, I came across a post that suggested it was an authentication problem, but anonymous authentication had been configured in IIS appropriately. I compared NTFS permissions of the WSUS folder with a working installation in our production environment, and found that the local Users group did not have permissions. After granting the Users group Read permissions, clients were able to successfully download updates.

Fix Windows Update 800F0902 Error

Recently worked on a 2008 SP2 server that was receiving error 800F0902 when trying to check for updates. I confirmed access to the WSUS server manually via Internet Explorer and also confirmed no proxy settings were coming into play. I tried the age-old trick of stopping the Windows Update service, renaming the C:\Windows\SoftwareDistribution folder to SoftwareDistribution.old, and restarting the service. This regenerates the Windows Update configuration for you. This stubborn error survived that reset, so I finally came across a Microsoft FixIT KB article to fix Windows Update problems. I’m quite skeptical of using these, and I prefer to know exactly what’s being fixed, but without any other options, I decided to give it a try. No surprise, it said it found a configuration problem and fixed it, but the error persisted. A few other posts suggested an issue with trustedinstaller.exe (aka the Windows Modules Installer service), so I gave that a restart and started receiving 80080005 errors. Another post suggested that after a reboot, this error cleared for that user. Sure enough, a reboot solved the problem for me as well.

Troubleshooting ARR 502.3 Errors

Load balancing is critical for any highly available application. In the case of websites, a web farm fronted by a load balancer can help distribute the load across multiple servers to increase scale and ensure that your application remains online during planned maintenance or in the event of a server or application failure on a particular node. Microsoft provides a free IIS extension called Application Request Routing that can perform load balancing of HTTP and HTTPS traffic. At OrcsWeb, we use a cluster of ARR servers to load balance our production sites.

There are plenty of resources available that describe how Application Request Routing works, so I won’t go into detail about it here, but how do you troubleshoot when something goes wrong? One of the more common errors that can be generated by ARR is the 502 error code. There are two substatus codes: 502.3 and 502.4.

The 502.4 error is considerably easier to troubleshoot, as it generally means that there were no available content nodes to route the request to. This likely occurs when you have a health check configured for the content nodes and it is failing for all of them; thus, there are no healthy content nodes to which ARR can route the request. Obviously, at this point, the easiest solution is to fix whatever’s causing the health check to fail on the content nodes. Additionally, there’s the concept of minimum servers in ARR. This value can help prevent a health check from taking too many nodes out of rotation. Setting this to at least 1 ensures that users don’t receive a 502.4 error (though they may still see errors returned by the backend content node).

The 502.3 error can be a little more difficult to troubleshoot. It effectively means there was a communication issue between the ARR node and the content node. Most times it is a timeout due to a long running request on the content node. This is easy to spot by looking at the web logs. I recommend using LogParser to analyze the web logs and looking for any request with a time-taken value that exceeds the proxy timeout setting configured for the web farm. You can either increase the value of the proxy timeout, or troubleshoot the web application to find out why the request is taking so long to process. Replace W3SVC0 with the site id of your website, and replace *.log with the specific name of a log file if your web logs are large, to help speed up processing:

LogParser.exe "select date, c-ip, cs-method, cs-uri-stem, cs-uri-query, sc-status, sc-substatus, time-taken from C:\inetpub\logs\logfiles\w3svc0\*.log where time-taken > 25000" -i:IISW3C -o:DATAGRID

The 502.3 error can also appear when something else is happening, and when this occurs, it’s time to get into deep troubleshooting. The first thing to do is enable Failed Request Tracing in IIS on the ARR node, then create a rule for all content that trips on 502.3 response codes. It’s important to note that only certain modules have tracing enabled by default. To capture tracing information from the URL Rewrite and Application Request Routing modules, open up your applicationHost.config file and add Rewrite and RequestRouting entries to the areas of the WWW Server provider under traceProviderDefinitions:

<traceProviderDefinitions>
    <add name="WWW Server" guid="{3a2a4e84-4c21-4981-ae10-3fda0d9b0f83}">
        <areas>
            <clear />
            <add name="Authentication" value="2" />
            <add name="Security" value="4" />
            <add name="Filter" value="8" />
            <add name="StaticFile" value="16" />
            <add name="CGI" value="32" />
            <add name="Compression" value="64" />
            <add name="Cache" value="128" />
            <add name="RequestNotifications" value="256" />
            <add name="Module" value="512" />
            <add name="FastCGI" value="4096" />
            <add name="Rewrite" value="1024" />
            <add name="RequestRouting" value="2048" />
        </areas>
    </add>
    <!-- truncated for readability -->

Ensure that, when you are creating your rule, the new provider areas of WWW Server are selected:

Once you’ve done that, attempt to reproduce the issue and a log file will be generated in C:\inetpub\FailedReqLogFiles\W3SVC0 (where 0 is the site id). This file can help tell you where in the IIS pipeline the request is failing; look for warnings or errors returned by modules. For example, here’s a log file showing a 0x80070057 error from the ApplicationRequestRouting module:

The underlying error from the ARR module is “There was a connection error while trying to route the request.” So how do we find out what that means? Well, we need to look a little deeper into ARR to understand. ARR will proxy requests on behalf of the client to the content nodes. This means that the request from the client is actually regenerated into a new request by ARR and sent to the content node. Once the content node responds, ARR then repackages the response to send back to the client. To facilitate this, ARR uses the WinHTTP interface. In Server 2008 R2, you can enable WinHTTP tracing via netsh. Run this command to enable tracing:

netsh winhttp set tracing trace-file-prefix="C:\Temp\WinHttpLog" level=verbose format=hex state=enabled

Then recycle the application pool to start logging. To disable tracing, run this command:

netsh winhttp set tracing state=disabled

You will find a log file in the C:\Temp directory named WinHttpLog-w3wp.exe-<pid>.<datetime>.log. Open this file and you will be able to see details of what ARR submitted to WinHTTP when generating the proxied request to send to the content node. You’ll want to search this file for the error mentioned in the Failed Request Tracing log. From the above example, you’ll see the error logged by ARR is 0x80070057 with an error message of “The parameter is incorrect.” Looking through our sample WinHTTP trace file, we find this:

15:15:51.551 ::WinHttpSendRequest(0x164d9a0, “…”, 696, 0x0, 0, 0, 164d740)
15:15:51.551 ::WinHttpAddRequestHeaders(0x164d9a0, “…”, 696, 0x20000000)
15:15:51.551 ::WinHttpAddRequestHeaders: error 87 [ERROR_INVALID_PARAMETER]
15:15:51.551 ::WinHttpAddRequestHeaders() returning FALSE
15:15:51.551 ::WinHttpSendRequest: error 87 [ERROR_INVALID_PARAMETER]
15:15:51.551 ::WinHttpSendRequest() returning FALSE
15:15:51.551 ::WinHttpCloseHandle(0x164d9a0)
15:15:51.551 ::usr-req 0163D520 is shutting down

I replaced the actual header value with “…” in the sample above, but we can see that WinHTTP is failing when trying to put together the request headers to send the proxied request to the content node. Further investigation found that this was due to Internet Explorer passing unencoded non-ASCII characters in the Referer header, which violates RFC 5987. To resolve this specific issue, we can either fix the source HTML to encode the characters, or we can modify the routing URL rewrite rule to always encode the Referer header:

<rule name="www.orcsweb.com">
    <match url=".*" />
    <serverVariables>
        <set name="HTTP_REFERER" value="{UrlEncode:{HTTP_REFERER}}" />
    </serverVariables>
    <action type="Rewrite" url="http://www.orcsweb.com/{R:0}" />
</rule>
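Searching a WinHTTP trace for the failing call, as described above, as an added PowerShell example (not from the original post); the function Find-WinHttpFailures is hypothetical, and the sample lines are constructed to match the trace format shown:

```powershell
# Added example, not from the original post: find which WinHTTP API call returned FALSE in a
# netsh winhttp trace and pair it with the Win32 error code logged just before it, so the
# failing call (here WinHttpAddRequestHeaders, error 87) is found without reading the whole file.
function Find-WinHttpFailures {
    param([Parameter(Mandatory)][string[]]$Lines)
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -notmatch '::(?<api>\w+)\(\) returning FALSE') { continue }
        $api = $Matches.api
        # The "<api>: error <code>" line precedes the "returning FALSE" line for the same API.
        for ($j = [Math]::Max(0, $i - 5); $j -lt $i; $j++) {
            if ($Lines[$j] -match "::${api}: error (?<code>\d+)") {
                [pscustomobject]@{
                    Line       = $j + 1
                    Api        = $api
                    Win32Error = [int]$Matches.code   # 87 = ERROR_INVALID_PARAMETER
                    Text       = $Lines[$j].Trim()
                }
            }
        }
    }
}

# Constructed sample in the trace format above (header value already redacted as "...").
$sample = @(
    '15:15:51.551 ::WinHttpSendRequest(0x164d9a0, "...", 696, 0x0, 0, 0, 164d740)',
    '15:15:51.551 ::WinHttpAddRequestHeaders(0x164d9a0, "...", 696, 0x20000000)',
    '15:15:51.551 ::WinHttpAddRequestHeaders: error 87 [ERROR_INVALID_PARAMETER]',
    '15:15:51.551 ::WinHttpAddRequestHeaders() returning FALSE',
    '15:15:51.551 ::WinHttpSendRequest: error 87 [ERROR_INVALID_PARAMETER]',
    '15:15:51.551 ::WinHttpSendRequest() returning FALSE'
)
Find-WinHttpFailures -Lines $sample | Format-Table -AutoSize

# Against a real trace file written by netsh (pid and timestamp vary per process):
# Find-WinHttpFailures -Lines (Get-Content 'C:\Temp\WinHttpLog-w3wp.exe-<pid>.<datetime>.log')
```

The first failure reported is the innermost one (WinHttpAddRequestHeaders); the WinHttpSendRequest failure that follows is the same error propagating outward.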