Server 2016 unable to change Product key MAK in GUI (BUG)

by butsch 11. June 2019 22:18

We have a Server 2016, fully patched up to 05/2019. We run a KMS server that does not have the Server 2016 KMS channel activated.

PROBLEM: Strangely, we can't change the product key in the GUI. There is simply no reaction when you click the "Change product key" button.

We have seen similar behaviour in the Control Panel (unable to scroll) on W10 1903, where it did not work over Dameware and was only possible over RDP.




Use the Activation Wizard instead. In a cmd type:

    slui 3

The wizard appears.

Enter the MAK key (NOT a KMS key please ;-)

You can also change the key directly from the command line (install the MAK key with /ipk, then activate with /ato; /ato alone only activates the key that is already installed):

    slmgr.vbs /ipk xxxxx-xxxxx-xxxxx-xxxxx-xxxxx
    slmgr.vbs /ato



Deployment | W10 | Office KMS,MAK,APPV | Server 2012 R2

WSUS: Error on 2012R2 WSUS Server ERROR: Connection Error console

by butsch 27. June 2016 16:03

The WSUS server console on a 2012 R2 server suddenly does not work anymore. You checked %appdata%\Roaming\Microsoft\MMC\WSUS (back it up, remove it, try whether it works, and restore it if that did not solve it) and this did not help.

You checked all services, rebooted the WSUS server, and checked free space and the size of the internal DB.

Error: Event 507, Windows Server Update Server

Error: Event 7031, The WSUS Server Service terminated


Error as text from GUI:

    The WSUS administration console was unable to connect to the WSUS Server via the remote API.

    Verify that the Update Services service, IIS and SQL are running on the server. If the problem persists, try restarting IIS, SQL, and the Update Services Service.

    The WSUS administration console has encountered an unexpected error. This may be a transient error; try restarting the administration console. If this error persists,

    Try removing the persisted preferences for the console by deleting the wsus file under %appdata%\Microsoft\MMC\.

    System.IO.IOException -- The handshake failed due to an unexpected packet format.

    Source System

    Stack Trace:
       at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
       at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
       at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
       at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
       at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
       at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
       at System.Net.ConnectStream.WriteHeaders(Boolean async)

    ** this exception was nested inside of the following exception **

    System.Net.WebException -- The underlying connection was closed: An unexpected error occurred on a send.

    Stack Trace:
       at Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args)
       at Microsoft.UpdateServices.UI.AdminApiAccess.AdminApiTools.GetUpdateServer(String serverName, Boolean useSecureConnection, Int32 portNumber)
       at Microsoft.UpdateServices.UI.SnapIn.Scope.ServerSummaryScopeNode.ConnectToServer()
       at Microsoft.UpdateServices.UI.SnapIn.Scope.ServerSummaryScopeNode.get_ServerTools()






Run the WSUS post-install servicing step again from an elevated command prompt:

    "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall /servicing

  • Console should work again



This article describes an update to a feature that enables Windows Server Update Services (WSUS) to natively decrypt Electronic Software Distribution (ESD) in Windows Server 2012 and Windows Server 2012 R2. Before you install this update, see the Prerequisites section.

Note You must install this update on any WSUS server that is intended to sync and distribute Windows 10 upgrades (and feature updates) that are released after May 1, 2016.

How to get this update


Important If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see Add language packs to Windows.

Windows Update


This update is available on Windows Update. For more information about how to run Windows Update, see How to get an update through Windows Update.

Update detail information



To apply this update in Windows Server 2012 R2, you must have April 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 (2919355) installed.

Registry information

To apply this update, you don't have to make any changes to the registry.


Restart requirement

You may have to restart the computer after you apply this update.


Update replacement information

This update can be installed on top or in place of KB3148812.


More information

Manual steps required to complete the installation of this update

  1. Open an elevated Command Prompt window, and then run the following command (case sensitive, assume "C" as the system volume):

     "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall /servicing

  2. Select HTTP Activation under .NET Framework 4.5 Features in the Server Manager Add Roles and Features wizard.

  3. Restart the WSUS service.

If SSL is enabled on the WSUS server

  1. Assign ownership of the Web.Config file to the administrators group (run at an elevated command prompt):

     takeown /f web.config /a
     icacls "C:\Program Files\Update Services\WebServices\ClientWebService\Web.config" /grant administrators:f

  2. Locate the Web.Config file in the following path:

     C:\Program Files\Update Services\WebServices\ClientWebService\Web.Config

  3. Make the following changes in the file.

     Note This code sample represents a single text block. The line spacing is used only to emphasize the text changes, which are shown in bold in the original article (the bold formatting did not survive the copy here, and the blank lines inside each endpoint are where further attributes stood):

     <services>
       <service
         name="Microsoft.UpdateServices.Internal.Client"

         <!-- These 4 endpoint bindings are required for supporting both http and https -->

         <endpoint address=""

                   contract="Microsoft.UpdateServices.Internal.IClientWebService" />

         <endpoint address="secured"

                   contract="Microsoft.UpdateServices.Internal.IClientWebService" />

         <endpoint address=""

                   contract="Microsoft.UpdateServices.Internal.IClientWebService" />

         <endpoint address="secured"

                   contract="Microsoft.UpdateServices.Internal.IClientWebService" />

  4. Add the multipleSiteBindingsEnabled="true" attribute to the bottom of the Web.Config file, as shown:

     </bindings>
     <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
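As an added example (not from the post or from the KB article), here is a PowerShell check for the result of the SSL steps above: it reads the ClientWebService Web.config and reports whether the client service has its plain and "secured" endpoints (the four from the article) and whether serviceHostingEnvironment carries multipleSiteBindingsEnabled="true". It only reads the file. The path is the default WSUS install path shown on this page and can be overridden with -Path.

```powershell
# Added example (not from the post or the KB article): audit the WSUS
# ClientWebService Web.config for the two things the SSL steps add, the
# http+https endpoints of the client service and multipleSiteBindingsEnabled.
# Read-only; prints what is missing. Assumption: default WSUS install path
# (the one on this page); pass -Path for another location.
param(
    [string]$Path = 'C:\Program Files\Update Services\WebServices\ClientWebService\Web.config'
)

function Test-WsusClientWebConfig {
    param([string]$ConfigPath)

    [xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw
    $problems = @()
    $model = $cfg.configuration.'system.serviceModel'

    # 1. The client service must expose the plain ("") and the "secured" address
    #    twice each: that is the four endpoints of the KB article (http and https).
    $svc = @($model.services.service |
        Where-Object { $_.name -eq 'Microsoft.UpdateServices.Internal.Client' })
    if ($svc.Count -eq 0) {
        $problems += 'service Microsoft.UpdateServices.Internal.Client not found'
    } else {
        $endpoints = @($svc[0].endpoint |
            Where-Object { $_.contract -eq 'Microsoft.UpdateServices.Internal.IClientWebService' })
        $plain   = @($endpoints | Where-Object { $_.address -eq '' }).Count
        $secured = @($endpoints | Where-Object { $_.address -eq 'secured' }).Count
        if ($plain -lt 2 -or $secured -lt 2) {
            $problems += "expected 4 IClientWebService endpoints (2 x address='', 2 x address='secured'); found $($endpoints.Count) (plain=$plain, secured=$secured)"
        }
    }

    # 2. serviceHostingEnvironment must carry multipleSiteBindingsEnabled="true"
    #    (the last manual step); without it WCF refuses a site that has more than
    #    one binding for the same scheme, which is exactly the http+https case.
    $she = $model.serviceHostingEnvironment
    if (-not $she) {
        $problems += 'serviceHostingEnvironment element missing'
    } elseif ($she.multipleSiteBindingsEnabled -ne 'true') {
        $problems += 'serviceHostingEnvironment lacks multipleSiteBindingsEnabled="true"'
    }

    [pscustomobject]@{ Path = $ConfigPath; Ok = ($problems.Count -eq 0); Problems = $problems }
}

$result = Test-WsusClientWebConfig -ConfigPath $Path
if ($result.Ok) {
    "OK: $($result.Path) contains the SSL bindings from the KB steps"
} else {
    "Problems in $($result.Path):"
    $result.Problems | ForEach-Object { " - $_" }
}
```

Run it on the WSUS server after the update and after every language pack (the article says the update has to be reinstalled then, which can undo the edits). A console that fails with the "handshake failed due to an unexpected packet format" error from the stack trace above on an SSL-enabled server is the case this check is meant to catch early.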




WSUS | Hotfixes / Updates | Server 2012 R2

Activesync with Exchange 2013 does not work, AdminSDHolder flag (an old bad friend)

by butsch 18. May 2016 15:28



ERROR YOU SEE: Access+is+denied.%0d%0aActive+directory+response%3a+00000005%3a+SecErr%3a+DSID-03152612%2c+problem+4003+(INSUFF%5FACCESS%5FRIGHTS)%2c+data+0%0a_

(URL-decoded: Access is denied. Active directory response: 00000005: SecErr: DSID-03152612, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0)

We just had an ActiveSync problem with a user migrated from Exchange 2007 to 2013. The user was freshly created on 2007 and migrated back and forth a few times.

The log showed all the info it could get, and one thing triggered alerts with us: 4003 (INSUFF_ACCESS_RIGHTS).

This was known from the 2003 > 2007 migrations, but it comes up again and again. The strange thing is that the test user account is only in a few groups and we never made him a local admin. But one group still seems to trigger the AdminSDHolder flag, which should protect special accounts like "IISUSER" or Administrator.

Then we saw why: if the user is a member of the group "Print Operators", this is the case.

So GPO, ActiveSync and many other things will not work. This has been mentioned here:

Good explanation from John Pollicelli


FIX the inheritance of the account and all will work fine. See our other two posts on how to do that.


The red part below (RED-X)

ActiveSync log from

    blUh4pH%2b19L4b%2fRk6uRZ%2bwFDxipa3umOc5NWKd8j3WZE%2f1rztOVQr3A7yqhQbWsCubcT0xJwV4JpO6fVK4ruS7rFkPgTuafoTzZOwv5kvn2wZAkGBr1hGm6NGz8%2fo4vFol0hWLVSJE3%2fX78fmSReawv4CBVixAAzyTR%2bm65WPSw86qwPxjfVseQiOrJ9qzUR8%2bPztEYmDjqvAfiVSNT6ouXwZf8%2fIpLnSalOyvp6n73yvkLu9rfgOsaQxOzJAX1TueDMkuiGV1EsG6HEYy3lD0Mdxo40pR EXCHANGE2013BUTSCH

    Cache-Control: private
    Content-Type: text/html; charset=utf-8
    Set-Cookie: ClientId=IARSMT0ZIEEVVIXDSSW; expires=Thu, 18-May-2017 08:05:50 GMT; path=/; HttpOnly,X-BackEndCookie=S-1-5-21-4456168801-1912567065-1745900225-5325=u56Lnp2ejJqBysnJysyZzJzSz5maztLLnZvO0sabnszSncrHms3JzZ7Jm8zIgYHNz87J0s/J0s7Iq8/Hxc/Jxc7P; expires=Fri, 17-Jun-2016 08:06:10 GMT; path=/Microsoft-Server-ActiveSync; secure; HttpOnly
    Server: Microsoft-IIS/8.5
    X-AspNet-Version: 4.0.30319
    X-Powered-By: ASP.NET



Get a list of all users who have such a behaviour:

Windows Server 2008 R2, open the blue PowerShell window:

    Import-Module ActiveDirectory

    Get-ADUser -LDAPFilter "(&(objectcategory=person)(samaccountname=*)(admincount=1))"

(The three filter terms have to be wrapped in an AND clause "(&...)"; without it Get-ADUser rejects the filter.)

There is an easy way to determine which users and groups in your domain are protected by AdminSDHolder. You can query the AdminCount attribute to determine whether an object is protected by the AdminSDHolder object. The following examples use the ADFind.exe tool, which can be downloaded from Joeware.NET.

  • To find all objects in a domain that are protected by AdminSDHolder, type:

    Adfind.exe -b DC=domain,DC=com -f "adminCount=1" DN

  • To find all user objects in a domain that are protected by AdminSDHolder, type:

    Adfind.exe -b DC=domain,DC=com -f "(&(objectcategory=person)(objectclass=user)(admincount=1))" DN

  • To find all groups in a domain that are protected by AdminSDHolder, type:

    Adfind.exe -b DC=domain,DC=com -f "(&(objectclass=group)(admincount=1))" DN

    Note: In the previous examples, replace DC=domain,DC=com with the distinguished name of your domain.
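As an added example (not from the original post), the following PowerShell script goes one step further than the Get-ADUser query above: for every user with adminCount=1 it shows which protected group (transitively) still causes the stamping, so the "Print Operators" case from this post is visible at a glance, and with -Fix it repairs the orphans (adminCount=1 but no protected membership left) by re-enabling inheritance and clearing adminCount, which is the fix the post refers to. It assumes the RSAT ActiveDirectory module and an account allowed to write the users' security descriptors; the group list is the well-known default set protected by AdminSDHolder.

```powershell
# Added example (not from the original post): find every user stamped by
# AdminSDHolder (adminCount=1), show which protected group still causes it, and
# with -Fix repair the "orphans" (adminCount=1 but no protected membership left)
# by re-enabling ACL inheritance and clearing adminCount.
# Assumptions: RSAT ActiveDirectory module; run as an account allowed to write
# the users' security descriptors; default protected-group set (Print Operators
# is the one that bit the user in the post).
[CmdletBinding()]
param([switch]$Fix)

Import-Module ActiveDirectory -ErrorAction Stop

# Default groups protected by AdminSDHolder; 'Administrator' and 'krbtgt' are
# protected as accounts in their own right.
$ProtectedGroups = @(
    'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Account Operators', 'Server Operators', 'Print Operators', 'Backup Operators',
    'Domain Controllers', 'Read-only Domain Controllers', 'Replicator'
)
$ProtectedAccounts = @('Administrator', 'krbtgt')

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping so a DN containing ( ) * or \ cannot break the filter below
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-AdminCountUsers {
    # The post's query, with the LDAP filter wrapped in (&...) so all three terms apply
    Get-ADUser -LDAPFilter '(&(objectcategory=person)(samaccountname=*)(admincount=1))' `
               -Properties adminCount
}

function Get-ProtectedGroupsOf {
    # Transitive membership via LDAP_MATCHING_RULE_IN_CHAIN: a user nested two
    # groups deep inside Print Operators is protected just the same.
    param([string]$DistinguishedName)
    $dn = ConvertTo-LdapFilterValue $DistinguishedName
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
        Where-Object { $ProtectedGroups -contains $_.Name } |
        Select-Object -ExpandProperty Name
}

function Repair-AdminSdHolderOrphan {
    # Re-enable inheritance (keeping the explicit ACEs) and clear adminCount;
    # SDProp leaves the object alone afterwards unless it rejoins a protected group.
    param([Microsoft.ActiveDirectory.Management.ADUser]$User)
    $path = 'AD:\' + $User.DistinguishedName
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($false, $true)   # $false = inherit again, $true = keep existing ACEs
    Set-Acl -Path $path -AclObject $acl
    Set-ADUser -Identity $User -Clear adminCount
}

$report = foreach ($u in Get-AdminCountUsers) {
    $groups = @(Get-ProtectedGroupsOf -DistinguishedName $u.DistinguishedName)
    $stillProtected = ($groups.Count -gt 0) -or ($ProtectedAccounts -contains $u.SamAccountName)
    [pscustomobject]@{
        User            = $u.SamAccountName
        Status          = if ($stillProtected) { 'protected' } else { 'orphan' }
        ProtectedGroups = ($groups -join ', ')
    }
    if (-not $stillProtected -and $Fix) { Repair-AdminSdHolderOrphan -User $u }
}
$report | Sort-Object Status, User | Format-Table -AutoSize
```

A user listed as "protected" with "Print Operators" in the last column is exactly the case of this post: fixing inheritance on that account alone is undone by SDProp on its next hourly run, so remove the group membership first and then run the script with -Fix (or let the next run list the account as an orphan).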



Exchange 2007 | Exchange 2010 | Exchange 2013 | Microsoft Exchange | Server 2012 R2

Exchange 2007/2010/2013 with SPLIT DNS and ONE single Certificate

by butsch 4. March 2015 14:59


You have to renew an Exchange SAN/UC certificate and you can't do this anymore after 2015 because it contains a non-external first-level extension like ".LOCAL".

  1. Rename the full Windows domain in a one-year project and have fun
  2. Integrate split DNS as below and bend all Exchange URLs to the same FQDN

Main Technet Link:


I personally don't like this solution since in the most complex cases you may end up in trouble with some special cases like "RPC over HTTP" (Outlook Anywhere) and some Autodiscover functions.

On the other side, I don't like wildcard certs for this either, because once you have one the other departments want to use the same certificate and at the end everyone uses it. Worst of all, it then lies around on laptops and servers if you don't control it strictly.

Currently (still March 2015) this is the only quick solution if your customer has a first-level Windows domain with .LOCAL. Mostly it's urgent because the cert has expired.


Just to mention that there is another way, but this needs planning and time.

Enterprise way:

Internal domain: Cover these with your own internal Certificate Authority (ask if you have one; make a separate project for that because it's sensitive and complex).

External domain: Use a cert provider SAN/UC certificate, as we had before, for all external FQDNs.

This enterprise mix however leads us to splitting the CAS/OWA directories onto separate sites within IIS (because of only one cert per IIS site), or we make separate CAS servers for internal and external (which Microsoft does not want us to do).

On the other side, if we have load balancers for the CAS, mostly those separate CAS are not in the load balancer HA team.



Timeline for SAN/UC certs with a .local ending or non-external first level (www.technet.local)

Such a SAN certificate which includes .LOCAL is not valid anymore after some date, and you can't reorder it. (Screenshot)

Powershell: Get-ExchangeCertificate | fl

In the green box there are the first-level .LOCAL domains that you can't cover anymore in ONE cert in 2015.

INTERNAL DNS NAME:    customer.local (the Active Directory domain)

EXTERNAL DNS NAME: (your web server, FTP, MX e-mail domain from external)

Third level DOMAIN:

Why can't I renew?


Because we can't get a UC/SAN certificate with .local names after November 2015 anymore, we have to convert the DNS into a split DNS setup. That means we copy the external DNS zone into the internal DNS. Even if you CAN renew it, with some cert issuers it WILL only run until November 2015.

Make the split DNS


See links at the end for more help on the split DNS.

Split DNS: copy the external zone file to the internal Active Directory DNS

  1. Get the external zone file from the provider/ISP: ask them for an extract (copy) of the zone file of your external domain.
  2. Create a new Active Directory integrated forward lookup zone with the same name "" internally.
  3. Make the A records internally so INTERNAL users can reach www and ftp also from internal (these are shown on the right side). Make "FTP" and "WWW" point to the same IP as the external ones. (If you don't do that, your INTERNAL users will not be able to reach the external website or cloud service you use with your ISP.)
  4. The ASYNC record in OUR sample points to the IP of the Exchange 2010 CAS.
  5. On the external DNS the ASYNC record points to our firewall, and from there to the Exchange 2010 CAS.

This is how this may look.
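The five steps above done with the DnsServer PowerShell module instead of the DNS console, as an added example that is not part of the original post. It creates the internal AD-integrated copy of the external zone, adds the www/ftp records pointing at the ISP's address and the mail record pointing at the internal CAS, and then verifies that every name resolves internally (the post's warning about internal users losing the website). The module needs Server 2012 or later (on 2008 R2 use dnscmd or the console); every name and address in the parameters is a placeholder.

```powershell
# Added example (not from the original post): split DNS with the DnsServer module.
# Creates the internal copy of the external zone, the A records, and checks that
# they resolve. Assumptions: DnsServer module (Server 2012+), run on or against a
# DNS server that is a DC; all names/addresses below are placeholders (the
# addresses are from the RFC 5737 documentation ranges).
param(
    [string]$Zone          = 'customer.example',   # placeholder: the external domain name
    [string]$ExternalWebIp = '203.0.113.10',       # placeholder: where www/ftp live at the ISP
    [string]$InternalCasIp = '192.0.2.25',         # placeholder: the Exchange CAS, internal address
    [string]$MailHost      = 'mail'                # placeholder: label the single cert was issued for
)

Import-Module DnsServer -ErrorAction Stop

function New-SplitDnsZone {
    # Step 2 and 3: AD-integrated forward zone with the external name, plus A records.
    # Existing records are left alone and reported, so a re-run cannot flip a
    # record that someone adjusted by hand.
    param([string]$ZoneName, [hashtable]$Records)

    if (-not (Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope Domain
    }
    foreach ($name in $Records.Keys) {
        $existing = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $name -RRType A -ErrorAction SilentlyContinue
        if (-not $existing) {
            Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $name -IPv4Address $Records[$name]
        } elseif ($existing.RecordData.IPv4Address.IPAddressToString -ne $Records[$name]) {
            Write-Warning "$name.$ZoneName already points to $($existing.RecordData.IPv4Address.IPAddressToString); leaving it"
        }
    }
}

function Test-SplitDnsZone {
    # Every public name of the external zone must resolve internally as well,
    # otherwise internal users lose the website/cloud service hosted at the ISP.
    param([string]$ZoneName, [string[]]$Names)
    foreach ($n in $Names) {
        $fqdn = "$n.$ZoneName"
        $r = Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue
        $a = $r | Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
        [pscustomobject]@{ Name = $fqdn; Resolves = [bool]$a; Address = $a.IPAddress }
    }
}

# The records of the post: www and ftp copied from the external zone, the mail
# host (ASYNC in the post's sample) pointing at the CAS instead of the firewall.
$records = @{ 'www' = $ExternalWebIp; 'ftp' = $ExternalWebIp }
$records[$MailHost] = $InternalCasIp

New-SplitDnsZone -ZoneName $Zone -Records $records
Test-SplitDnsZone -ZoneName $Zone -Names @($records.Keys) | Format-Table -AutoSize
```

Run the check part on an internal client as well as on the DNS server: a missing record shows up as Resolves = False, and an internal client that still answers with the firewall's address for the mail host has a cached or forwarded answer rather than the new zone.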

Get the NEW SINGLE FQDN certificate



We now need to change all FQDNs that Exchange uses for its different services to the SAME FQDN the single-domain cert runs on.

The FQDN the single-domain certificate was ordered for:

OLD entry in Exchange somewhere:





Analyze the values you need to change with PowerShell (the values behind the Set-* parameters did not survive the copy; they are the URLs on the new single FQDN)

    Get-ClientAccessServer | fl Identity,AutodiscoverServiceInternalUri

    Identity : CAS1
    AutoDiscoverServiceInternalUri : https://async.customer.local/Autodiscover/Autodiscover.xml

    Set-ClientAccessServer -Identity CAS1 -AutodiscoverServiceInternalUri

    Get-WebServicesVirtualDirectory | fl Identity, InternalUrl , ExternalUrl

    InternalUrl : https://cas1.customer.local/EWS/Exchange.asmx
    ExternalUrl : https://mobile.customer.local/ews/exchange.asmx

    Set-WebServicesVirtualDirectory -Identity "CAS1\EWS (Default Web Site)" -InternalUrl
    Set-WebServicesVirtualDirectory -Identity "CAS1\EWS (Default Web Site)" -ExternalUrl

    Get-OABVirtualDirectory | fl Identity, InternalUrl, ExternalUrl

    InternalUrl : http://cas1.customer.local/OAB
    ExternalUrl : https://mobile.customer.local/OAB

    Set-OABVirtualDirectory -Identity "CAS1\OAB (Default Web Site)" -InternalUrl
    Set-OABVirtualDirectory -Identity "CAS1\OAB (Default Web Site)" -ExternalUrl

If you don't have the UM service (Unified Messaging), leave that.

Change values in the Exchange 2010 GUI


Change all other things in the Exchange 2010 GUI on the tabs below to the corresponding values.

Some you may have changed above already. Check them twice.




  • Do this for all possible locations: web app/ActiveSync/offline address book etc.
  • Do this for INTERNAL and EXTERNAL (set the SAME value)
  • Do not change ANYTHING behind the FQDN name, as in the example
  • At the end restart Exchange, or open cmd.exe and run IISRESET






Activate the certificate in the Exchange 2010 GUI or PowerShell and reset IIS


Activate the new SINGLE certificate in Exchange for IIS.

    Get-ExchangeCertificate | fl

Get the GUID (thumbprint), sample: 020564B683E9D540DA0DF20A

    Enable-ExchangeCertificate -Identity 020562B683E5D540DA0DF20A -Services "IIS"


At the end restart Exchange:
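As an added example (not from the original post), the URL work from "Analyze the values" through the GUI checklist as one PowerShell audit: it lists every internal and external URL Exchange hands out, flags the ones whose host is not the single-certificate FQDN, and with -Fix rewrites only the host part so the path behind the FQDN stays untouched (the post's "do not change anything behind the FQDN" rule). It covers the three cmdlets shown above plus OWA, ECP and ActiveSync, which the post changes in the GUI. Run it in the Exchange Management Shell (2010/2013; the ECP directory does not exist on 2007 and is skipped); $NewFqdn is a placeholder for the name on your certificate.

```powershell
# Added example (not from the original post): audit all client-access URLs against
# the single-certificate FQDN, optionally (-Fix) replacing only the host part.
# Assumptions: Exchange Management Shell 2010/2013; $NewFqdn is a placeholder.
param(
    [string]$NewFqdn = 'mail.example.com',   # placeholder: FQDN the single cert was issued for
    [switch]$Fix
)

function Set-UrlHost {
    # Replace the host of a URL and nothing else (scheme, port and path stay as they are,
    # e.g. the http:// OAB internal URL from the post keeps its scheme)
    param([string]$Url, [string]$NewHost)
    $b = New-Object System.UriBuilder($Url)
    $b.Host = $NewHost
    $b.Uri.AbsoluteUri
}

# Getter/setter pairs for the virtual directories; each has InternalUrl and ExternalUrl
$directories = @(
    @{ Get = 'Get-WebServicesVirtualDirectory'; Set = 'Set-WebServicesVirtualDirectory' },
    @{ Get = 'Get-OABVirtualDirectory';         Set = 'Set-OABVirtualDirectory' },
    @{ Get = 'Get-OwaVirtualDirectory';         Set = 'Set-OwaVirtualDirectory' },
    @{ Get = 'Get-EcpVirtualDirectory';         Set = 'Set-EcpVirtualDirectory' },
    @{ Get = 'Get-ActiveSyncVirtualDirectory';  Set = 'Set-ActiveSyncVirtualDirectory' }
)

function Test-ExchangeUrls {
    param([string]$Fqdn, [switch]$Apply)

    # Autodiscover SCP per CAS: the post's Get-/Set-ClientAccessServer pair
    foreach ($cas in Get-ClientAccessServer) {
        $url = [string]$cas.AutoDiscoverServiceInternalUri
        if (-not $url) { continue }
        $ok = (([uri]$url).Host -ieq $Fqdn)
        [pscustomobject]@{ Object = [string]$cas.Identity; Property = 'AutoDiscoverServiceInternalUri'; Url = $url; Ok = $ok }
        if (-not $ok -and $Apply) {
            Set-ClientAccessServer -Identity ([string]$cas.Identity) -AutoDiscoverServiceInternalUri (Set-UrlHost $url $Fqdn)
        }
    }

    foreach ($d in $directories) {
        if (-not (Get-Command $d.Get -ErrorAction SilentlyContinue)) { continue }   # e.g. no ECP on 2007
        foreach ($vd in (& $d.Get)) {
            foreach ($prop in 'InternalUrl', 'ExternalUrl') {
                $url = [string]$vd.$prop
                if (-not $url) { continue }
                $ok = (([uri]$url).Host -ieq $Fqdn)
                [pscustomobject]@{ Object = [string]$vd.Identity; Property = $prop; Url = $url; Ok = $ok }
                if (-not $ok -and $Apply) {
                    # Splat so the same call serves InternalUrl and ExternalUrl
                    $p = @{ Identity = [string]$vd.Identity; $prop = (Set-UrlHost $url $Fqdn) }
                    & $d.Set @p
                }
            }
        }
    }
}

Test-ExchangeUrls -Fqdn $NewFqdn -Apply:$Fix | Format-Table -AutoSize
```

Run it without -Fix first and compare the Ok column against the GUI tabs; after -Fix, the IISRESET and the Enable-ExchangeCertificate step from the post are still needed, because the URLs and the certificate binding are changed independently of each other.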





SPLIT DNS, Windows Server 2008: The Definitive Guide


Exchange PRO

Main Technet Link



Exchange 2007 | Exchange 2010 | Microsoft Exchange | Server 2012 R2

Setup of a KMS server in the enterprise and several unwanted KMS DNS entries

by butsch 30. June 2011 18:56


While installing a KMS server for an enterprise, we found two or three DNS entries per domain controller already there. But the KMS had not been installed or planned before.

We found out that the person installing the Server 2008 R2 used the KMS key to activate the server itself instead of using a MAK key. You only need the KMS ONCE per company or domain, and then leave the Server 2008 R2, Windows 7 and Vista machines as they are. They will connect to the KMS server and do the rest. Everything goes over one or two KMS keys or KMS groups.

Mostly people don't understand that you need to activate a minimum of 5 servers, or 25 Windows 7 clients, or 5 Office 2010 installations to get the whole thing running.

If you try to run it with 4 servers 2008 R2, as an example, at the end it will fail (after the grace period).



So while looking at DNS (_tcp) you had two _VLMCS entries there. If you don't want round-robin redundancy, something is wrong here (wrong keys used for installing the server).

If you use the KMS key for installing a normal 2008 R2, Windows automatically thinks THIS is the KMS licence server and thus installs the KMS licence server in the background.


You need to change the product key of the machines that should not be KMS hosts:

    slmgr /ipk xxxxx-xxxxx-xxxxx-xxxxx-xxxxx

Then activate with that key:

    slmgr /ato

Then stop and restart the licensing service (the name differs depending on the product):

For Windows Vista or Windows Server 2008:

    net stop slsvc
    net start slsvc

For Windows 7 or Windows Server 2008 R2:

    net stop sppsvc
    net start sppsvc

Also check:
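An added example (not from the original post) that serves this post and the Server 2016 MAK post at the top of the page: it lists the KMS hosts the domain advertises in DNS (the _VLMCS SRV records this post found), warns when there are more than planned, and shows the local activation state the way slmgr /dlv does, including whether this machine runs as a KMS host, which is what installing it with the KMS host key does; the same check verifies the state after re-keying with slmgr /ipk and /ato. Resolve-DnsName needs the DnsClient module (Server 2012 / Windows 8 or later); $Domain defaults to the machine's own domain and $ExpectedHosts to the one KMS per domain the post recommends.

```powershell
# Added example (not from the original post): list advertised KMS hosts and the
# local activation state. Assumptions: DnsClient module (Server 2012+/Win8+);
# $Domain placeholder defaults to the machine's domain; $ExpectedHosts is the
# number of KMS hosts you planned (the post: one per company or domain).
param(
    [string]$Domain = $env:USERDNSDOMAIN,
    [int]$ExpectedHosts = 1
)

function Get-KmsSrvRecords {
    # Every KMS host with DNS publishing enabled registers _vlmcs._tcp.<domain>, port 1688
    param([string]$DnsDomain)
    Resolve-DnsName -Name "_vlmcs._tcp.$DnsDomain" -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object NameTarget, Port, Priority, Weight
}

function Get-LocalActivationState {
    # The WMI view behind "slmgr /dlv". IsKeyManagementServiceMachine = 1 means
    # this box runs as a KMS host, i.e. it was installed/activated with a KMS host key.
    $svc = Get-WmiObject -Class SoftwareLicensingService
    # ApplicationID 55c92734-... is the well-known id of the Windows product itself
    $win = Get-WmiObject -Class SoftwareLicensingProduct |
        Where-Object { $_.PartialProductKey -and $_.ApplicationID -eq '55c92734-d682-4d71-983e-d6ec3f16059f' } |
        Select-Object -First 1
    $status = switch ([int]$win.LicenseStatus) {
        0 { 'Unlicensed' } 1 { 'Licensed' } 2 { 'Initial grace' } 3 { 'Additional grace' }
        4 { 'Non-genuine grace' } 5 { 'Notification' } 6 { 'Extended grace' } default { "Unknown ($_)" }
    }
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        Product        = $win.Name
        KeyChannel     = $win.ProductKeyChannel              # e.g. Volume:MAK or Volume:GVLK
        LicenseStatus  = $status
        IsKmsHost      = [bool]$svc.IsKeyManagementServiceMachine
        PublishesInDns = [bool]$svc.KeyManagementServiceDnsPublishing
        KmsHostUsed    = $win.KeyManagementServiceMachine    # filled in on KMS clients only
    }
}

$srv = @(Get-KmsSrvRecords -DnsDomain $Domain)
"KMS hosts advertised in _vlmcs._tcp.$Domain : $($srv.Count)"
$srv | Format-Table -AutoSize
if ($srv.Count -gt $ExpectedHosts) {
    Write-Warning "More KMS hosts than planned ($ExpectedHosts): servers installed with the KMS host key instead of a MAK publish here too"
}

$state = Get-LocalActivationState
$state | Format-List
if ($state.IsKmsHost) {
    Write-Warning "$($state.Computer) acts as a KMS host; if that is not intended, install the MAK with 'slmgr /ipk' and activate with 'slmgr /ato' as described above"
}
```

After a server has been re-keyed with its MAK, the SRV record it registered does not disappear by itself: the host only refreshes it while it is a KMS host, so the stale entry stays until it is deleted in the DNS console or removed by scavenging, which is why the DNS check is worth re-running after the fix.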


APPV | Client Management | Office KMS,MAK,APPV | Server 2008 R2 | Server 2012 R2

Server 2008 R2 / 2012 R2 External Time Server Switzerland

by butsch 30. November 2010 21:53

Normally done via the registry; here is a more elegant way. Now ETH told us once that they can't carry any more traffic. But who cares! It's the public who pays. And for once "we, the people who work" all day and pay for all the students can profit from something. ;-) Not only the business owners who then hire ETH students.

First, locate your PDC server. Open the command prompt and type: C:\>netdom /query fsmo

  1. Log in to your PDC server and open the command prompt.
  2. Stop the W32Time service: C:\>net stop w32time
  3. Configure the external time sources, type: C:\> w32tm /config /syncfromflags:manual /,,
  4. Make your PDC a reliable time source for the clients. Type: C:\>w32tm /config /reliable:yes
  5. Start the w32time service: C:\>net start w32time
  6. The Windows Time service should begin synchronizing the time. You can check the external NTP servers in the time configuration by typing: C:\>w32tm /query /configuration
  7. Check the Event Viewer for any errors.

If you use a newer version of Windows, you can use the NTP client that is integrated into the system. To do so, run the following command as administrator:

    w32tm /config /syncfromflags:manual /,,,

This command works on versions from Windows 2003 onward. If you are using an older Windows version, you can try the following command:

    net time /setsntp:""

MS Link:
Grote Link:
Time Server List: and

Time Server Server 2003:

  1. Open Registry Editor (regedit.exe) on the server that is acting as the PDC emulator. This is usually the first domain controller that was installed in your domain.
  2. Go to HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters. In the right pane double-click Type. Change the value to NTP.
  3. Go to HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config. In the right pane double-click AnnounceFlags. Change the value to 5.
  4. Go to HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters. In the right pane double-click NtpServer. Enter the IP addresses of any valid NTP time sources you want to sync your server with. Each IP address should be separated by a space. If you use host names for the NTP servers, you must follow the host names with ,0x1. For example,,0x1.
  5. Stop and restart the Windows Time service. At the Windows command prompt type:

    net stop w32time
    net start w32time

  6. In a short time, the server will sync to the NTP time source you specified. To have the time synchronize with the new NTP time sources immediately, type the following at the command prompt:

    w32tm /resync /rediscover

Time Server Server 2012 R2:

    Net Stop W32Time
    W32tm /config /syncfromflags:manual /manualpeerlist:""
    W32tm /config /reliable:yes
    Net Start W32Time
    W32tm /config /update
    W32tm /resync

Here is a good tool to test time servers using the NTP protocol:
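The PDC procedure above as one PowerShell script, added here as an example that is not part of the original post: it checks that it is really running on the PDC emulator (the netdom /query fsmo step), tests each external peer with w32tm /stripchart first (what the time-server test tool linked above does by hand), and only with -Apply configures the manual peer list, marks the server reliable, restarts the service and shows what w32tm /query /status reports afterwards. It assumes an elevated session on a domain controller with the ActiveDirectory module; the peer names are placeholders, because the Swiss server names of the post did not survive in the page text.

```powershell
# Added example (not from the original post): the PDC time-source procedure with
# a pre-check of the peers and a post-check of the result. Assumptions: elevated
# session on a DC with the ActiveDirectory module; $Peers are placeholders.
param(
    [string[]]$Peers = @('ntp1.example.ch', 'ntp2.example.ch'),   # placeholders
    [switch]$Apply
)

function Test-IsPdcEmulator {
    # Only the PDC emulator syncs from outside; every other DC follows the domain hierarchy
    Import-Module ActiveDirectory -ErrorAction Stop
    $pdc = (Get-ADDomain).PDCEmulator            # FQDN, same answer as "netdom /query fsmo"
    $pdc -like "$env:COMPUTERNAME.*"
}

function Test-NtpPeer {
    # One-shot NTP check: mean offset in seconds over a few samples, $null if the
    # peer does not answer (w32tm then prints an error line instead of samples)
    param([string]$Peer, [int]$Samples = 3)
    $out = & w32tm /stripchart /computer:$Peer /samples:$Samples /dataonly
    $offsets = @($out | ForEach-Object {
        # sample lines look like "10:01:02, +00.0123456s"; decimal comma on German systems
        if ($_ -match '([+-]\d+[.,]\d+)s') { [double]($matches[1] -replace ',', '.') }
    })
    if ($offsets.Count -eq 0) { return $null }
    [math]::Round(($offsets | Measure-Object -Average).Average, 3)
}

function Set-ExternalTimeSource {
    # Steps 2 to 5 of the post: manual peers, reliable, restart, resync.
    # ",0x8" = client mode; the Server 2003 registry note above uses ",0x1" (special poll interval).
    param([string[]]$NtpPeers)
    $peerList = ($NtpPeers | ForEach-Object { "$_,0x8" }) -join ' '
    & w32tm /config /syncfromflags:manual /manualpeerlist:"$peerList" /reliable:yes /update | Out-Null
    Restart-Service -Name w32time
    & w32tm /resync /rediscover | Out-Null
}

function Get-TimeSyncStatus {
    # "w32tm /query /status" parsed into an object (labels are localized; English OS assumed)
    $h = @{}
    foreach ($line in (& w32tm /query /status)) {
        if ($line -match '^\s*([^:]+?):\s*(.+)$') { $h[$matches[1].Trim()] = $matches[2].Trim() }
    }
    [pscustomobject]@{ Source = $h['Source']; Stratum = $h['Stratum']; LastSync = $h['Last Successful Sync Time'] }
}

$isPdc = Test-IsPdcEmulator
if (-not $isPdc) {
    Write-Warning "$env:COMPUTERNAME is not the PDC emulator; configure the external source on the PDC instead"
}

# Pre-check: a peer that returns $null here will not become a usable source either
foreach ($p in $Peers) {
    [pscustomobject]@{ Peer = $p; OffsetSeconds = (Test-NtpPeer -Peer $p) }
}

if ($Apply -and $isPdc) {
    Set-ExternalTimeSource -NtpPeers $Peers
    Get-TimeSyncStatus
}
```

After -Apply the Source field of the status should name one of the peers rather than "Local CMOS Clock" or "Free-running System Clock"; if it still does, check the Event Viewer as in step 7, the usual cause being UDP 123 blocked towards the peers.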


Server 2008 R2 | Server 2012 R2
