We have a Server 2016 fully patched until 05/2019. We run a KMS-Server which does not have a SRV KMS 2016 channel activated.

PROBLEM: Strangely we can't change to Product key with the GUI. There is simply no reaction when you click "Change product key" button.

We have seen things like this under Control Panel (Unable to scroll) in W10 1903 where Dameware did not work and only possible with RDP.

Use the Activation Wizards to do it. In a cmd type.

slui 3

The wizard appears

Enter the MAK key (NOT any KMS please ;-)

You can also change the key with Commandline direct:

slmgr.vbs /ipk XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
slmgr.vbs /ato

The WSUS Server Console on a 2012R2 server suddenly does not work anymore. You checked %appdata%\Roaming\Microsoft\MMC\WSUS (Backup, Remove try if it works and restore if did not solve) and this did not help.

You checked all Services and did a reboot of the WSUS and checked space and Size of Internal DB.

Error: Event 507, Windows Server Update Server

Error: Event 7031, The WSUS Server Service terminated

Solution:

"C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall /servicing

• Console should work again

This article describes an update to a feature that enables Windows Server Update Services (WSUS) to natively decrypt Electronic Software Distribution (ESD) in Windows Server 2012 and Windows Server 2012 R2. Before you install this update, see the Prerequisites section.

Note You must install this update on any WSUS server that is intended to sync and distribute Windows 10 upgrades (and feature updates) that are released after May 1, 2016.

How to get this update

Important If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see Add language packs to Windows.

Windows Update

This update is available on Windows Update. For more information about how to run Windows Update, see How to get an update through Windows Update.

Update detail information

Prerequisites

To apply this update in Windows Server 2012 R2, you must have April 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 (2919355) installed.

Registry information

To apply this update, you don't have to make any changes to the registry.

Restart requirement

You may have to restart the computer after you apply this update.

Update replacement information

This update can be installed on top or in place of KB3148812.

More information

Manual steps required to complete the installation of this update

1. Open an elevated Command Prompt window, and then run the following command (case sensitive, assume "C" as the system volume):

"C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall /servicing

1. Select HTTP Activation under .NET Framework 4.5 Features in the Server Manager Add Roles and Features wizard.
   
   
2. Restart the WSUS service.

If SSL is enabled on the WSUS server

1. Assign ownership of the Web.Config file to the administrators group (run at an elevated command prompt):
2. takeown /f web.config /a
3.  

icacls "C:\Program Files\Update Services\WebServices\ClientWebService\Web.config" /grant administrators:f

1. Locate the Web.Config file in the following path:

C:\Program Files\Update Services\WebServices\ClientWebService\Web.Config

1. Make the following changes in the file.
   
   Note This code sample represents a single text block. The line spacing is used only to emphasize the text changes, which are shown in bold.
2. <services>
3. <service
4. name="Microsoft.UpdateServices.Internal.Client"

behaviorConfiguration="ClientWebServiceBehaviour">

<!--

These 4 endpoint bindings are required for supporting both http and https

-->

<endpoint address=""

binding="basicHttpBinding"

bindingConfiguration="SSL"

contract="Microsoft.UpdateServices.Internal.IClientWebService" />

<endpoint address="secured"

binding="basicHttpBinding"

bindingConfiguration="SSL"

contract="Microsoft.UpdateServices.Internal.IClientWebService" />

<endpoint address=""

binding="basicHttpBinding"

bindingConfiguration="ClientWebServiceBinding"

contract="Microsoft.UpdateServices.Internal.IClientWebService" />

<endpoint address="secured"

binding="basicHttpBinding"

bindingConfiguration="ClientWebServiceBinding"

contract="Microsoft.UpdateServices.Internal.IClientWebService" />

</service>

</services>

1. Add the multipleSiteBindingsEnabled="true" attribute to the bottom of the Web.Config file, as shown:
2. </bindings>
3. <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />

</system.serviceModel

Activesync with Exchange 2013 does not work, ADMINSHOLDER Flag (an old bad friend)

ERROR YOU SEE: Access+is+denied.%0d%0aActive+directory+response%3a+00000005%3a+SecErr%3a+DSID-03152612%2c+problem+4003+(INSUFF%5FACCESS%5FRIGHTS)%2c+data+0%0a_

We just had a user with Activesync with a user migrated from 2007 to 2013. The user was fresh made on 2007 and migrated forth and back a few times.

https://testconnectivity.microsoft.com/

Did show all info he can get and one thing triggered alerts with us. 4003+(INSUFF%5FACCESS%5FRIGHTS)

This was back 2003 > 2007 Migrations but comes again and again. Strange thing is that the test user account is only in a few groups and we never made him LOCALADMIN. But one group still seems to trigger the ADMINSHOLDER flags which should protect special accounts like "IISUSER" or Administrator.

Then we did see why. If the user is member of the group "PRINT OPERATORS" this will be the case.

So GPO, Activesync and many other things will not work. This has been mentioned here:

Good explanation from John Pollicelli

https://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx

https://technet.microsoft.com/de-de/magazine/2009.09.sdadminholder.aspx

http://www.butsch.ch/post/Migrated-NT42000-users-are-unable-to-ActiveSync-with-Exchange-Code-0x85010014.aspx

http://www.butsch.ch/post/Exchange-2003-3e-2007-3e-2010-User-Move-Request-fails-ADMINCOUNT3d1-INSUFF_ACCESS_RIGHTS.aspx

Resolution:

FIX the Inheritance of the account and all will work fine. See our other two posts on how to do that.

The Red part below (RED-X)

Get a list of all user who have such a behaviour:

Windows Server 2008R2, blaue Powershell aufmachen

Import-Module ActiveDirectory

Get-ADUser -LDAPFilter "(objectcategory=person)(samaccountname=*)(admincount=1)"

Es gibt eine einfache Möglichkeit, um festzustellen, welche Benutzer und Gruppen in Ihrer Domäne AdminSDHolder geschützt.Sie können Abfragen das Attribut AdminCount, um festzustellen, ob ein Objekt durch das AdminSDHolder-Objekt geschützt ist.Die folgenden Beispiele verwenden das ADFind.exe-Tool, das von Joeware gedownloadet werden kann.NET.

• Suchen alle Objekte in einer Domäne, die durch AdminSDHolder geschützt sind, geben Sie:

  Adfind.exe -b DC=domain,DC=com -f "adminCount=1" DN

• Suchen alle Benutzerobjekte in einer Domäne, die durch AdminSDHolder geschützt sind, geben Sie:

  Adfind.exe -b DC=domain,DC=com -f "(&(objectcategory=person)(objectclass=user)(admincount=1))" DN

• Suchen alle Gruppen in einer Domäne, die durch AdminSDHolder geschützt sind, geben Sie:

  Adfind.exe -b DC=domain,DC=com -f "(&(objectclass=group)(admincount=1))" DN

  Hinweis: Ersetzen Sie in den vorherigen Beispielen, DC = Domain, DC = com mit dem definierten Namen Ihrer Domäne.

   

Problem:

You have to renew an Exchanger SAN/UC-Certificate and you can't do this anymore after 2015 because it contains a NON EXTERNAL First Level Extension like ".LOCAL".

1. Rename the Full Windows Domain in a 1 year project and have fun
2. Integrate a SPLIT DNS as below, Bend all Exchange URL to the same FQDN

Main Technet Link:

http://support.microsoft.com/kb/940726/en-us

I personally don't like this solution since you may in most complex case end up in trouble with some special cases like "RPC-over-HTTP" (Outlook anywhere) and some Autodiscover functions.

On the other side don't like Wildcard Certs for this because if you have that the other departments want to use the same Certificate and at the end everyone uses it. Worst it lays around on laptops and Servers then if you don't Controll it strict.

Currently still March 2015 this is the only solution quick and fast if you customer has a First Level Windows Domain with .LOCAL. Most it's urgent because Cert has expired.

Just to mention that there is another way but this needs planning and time

Enterprise way:

Internal Domain: Cover these with your own internal Certificate Authority (Ask if you have one, make a project separate for that because it's sensitive and complex) .

External Domain: Use a Cert Provider SAN/UC-Certificate as we had before for all external FQDN

This enterprise mix however leads us to splitting the CAS/OWA Directories on separates SITES within the IIS (Because of only 1 Cert per IIS-Site) or we make single separate CAS Server for internal and external (Which Microsoft does not want us).

On the other side if we have Load Balancers for the CAS mostly those separate CAS are not in the Load Balancer HA team.

Timeline for SAN/UC Certs with Local ending or non-external First level (www.technet.local)

http://www.butsch.ch/post/Exchange-Certificates-Aenderung-CAS-Outlook-mit-local-Domain.aspx

Such a SAN Certificate which includes LOCAL is not valid anymore after some date. And you can't reorder it. (Screenshot)

Powershell: Get-exchangecertificate | fl

In Green BOX there are the First Level Domains .LOCAL Domains that you can't COVERY anymore in ONE Cert in 2015.

INTERNAL DNS NAME:    customer.local (The Active Directory Domain)

EXTERNAL DNS NAME:    customer.ch (Your Webserver, FTP, MX-E-Mail Domain from external)

Third level DOMAIN: async.customer.ch

Why can't I renew?

Because we can't make a UC/SAN-certificate after November 2015 anymore we have to convert the DNS into SPLIT DNS setup. That means we copy the Extern DNS into Internal DNS. Even if you CAN renew it WILL only run until November 2015 with some Cert Issuer.

http://www.butsch.ch/post/Exchange-Certificates-Aenderung-CAS-Outlook-mit-local-Domain.aspx

Make the SPLIT DNS

See links at end for more help on the SPLIT DNS.

SPLIT DNS Copy External ZONE File to internal Active Directory DNS

1. Get the info from External ZONE file from the Provider ISP like customer.ch. Ask them you need an extract (copy) of the ZONE file for your external Domain.
2. Do a new Active Directory integrated Forward ZONE File with same name "customer.ch" internal
3. Make the A-Records internal so INTERNAL users can reach www and ftp also from internal (These are shown on the right side). Make "FTP", "WWW" point to same IP as the external. (If you don't do that your INTERNAL users will not be able to reach the External Website or Cloud Service you use with your ISP)
4. The ASYNC in OUR sample POINTS to the IP of the Exchange 2010 CAS
5. On the External DNS the ASYNC points to our Firewall and then to the Exchange 2010 CAS

This is how this may look.

Get the NEW SINGLE FQDN Certificate

• Next if you are sure this works Generate the Certificate Request (http://www.butsch.ch/post/Generate-SAN-UC-Certificate-SSL-on-Exchange-2010.aspx)
• Keep in MIND you need NO SAN/UC just one SINGLE Certificate with ONE FQDN for all
• Send Request to provider
• Integrate the Certificate you get in Exchange (But Don't activate it)

We need to change all FQDN that Exchange uses for different Service now to the SAME FQDN the SINGLE Domain Cert runs on.

FQDN Single Domain Certificate was ordered for: async.customer.ch

OLD Entry in Exchange somewhere:

https://async.cutsomer.local/OAB

NEW:

https://async.cutsomer.ch/OAB

Analyze the values you need to change by Powershell

• Read the Values (WAS) from Powershell Exchange for The things below and note them DOWN on a documentation
• Adapt the VALUES after term SET NEW with your new FQDN https://mynameiwant.mycustomerdomainexternal.ch/

-------------------------------------------------------------------------------------------------------------------------------------

CHANGE1

get-ClientAccessServer | fl Identity,AutodiscoverServiceInternalUri

WAS:

Identity : CAS1

AutoDiscoverServiceInternalUri : https://async.customer.local/Autodiscover/Autodiscover.xml

SET NEW:

Set-ClientAccessServer -Identity CAS1 -AutodiscoverServiceInternalUri

-------------------------------------------------------------------------------------------------------------------------------------

CHANGE2

get-WebServicesVirtualDirectory | fl Identity, InternalUrl , ExternalUrl

WAS:

InternalUrl : https://cas1.customer.local/EWS/Exchange.asmx

ExternalUrl : https://mobile.customer.local/ews/exchange.asmx

SET NEW:

Set-WebServicesVirtualDirectory -Identity "CAS1\EWS (Default Web Site)" -InternalUrl https://async.customer.ch/EWS/Exchange.asmx

Set-WebServicesVirtualDirectory -Identity "CAS1\EWS (Default Web Site)" -ExternalUrl https://async.customer.ch/EWS/Exchange.asmx

-------------------------------------------------------------------------------------------------------------------------------------

CHANGE3

get-OABVirtualDirectory | fl Identity, InternalUrl, ExternalUrl

WAS:

InternalUrl : http://cas1.customer.local/OAB

ExternalUrl : https://mobile.customer.local/OAB

SET NEW:

Set-OABVirtualDirectory -Identity "CAS1\OAB (Default Web Site)" -InternalUrl http://async.customer.ch/OAB

Set-OABVirtualDirectory -Identity "CAS1\OAB (Default Web Site)" -ExternalUrl http://async.customer.ch/OAB

-------------------------------------------------------------------------------------------------------------------------------------

If you don't have UTM Service (Unified Messaging leave that)

Change Values in Exchange 2010 GUI

Change all other things in Exchange 2010 GUI on the tabs below to corresponding values.

Some you may have changed above already. Check them twice.

• Do this for all possible location Web app/Activesync/Offline etc.
• DO this for INTERNAL and EXTERNAL (Set the SAME value)
• Do not change AYNTHING behind the FQDN name as example
• AT the end Restart Exchange or do a CMD.exe then IISRESET

OLD:

https://async.cutsomer.local/OAB

NEW:

https://async.cutsomer.ch/OAB

Activate the Certificate in Exchange 2010 GUI or Powershell and RESET IIS

Activate the new SINGLE Certificate in Exchange for IIS.

Get-exchangecertificate | fl

Get the GUID sample: 020564B683E9D540DA0DF20A

enable-exchangecertificate -identity 020562B683E5D540DA0DF20A -Services "IIS"

AT the end Restart Exchange:

CMD.exe then IISRESET

References:

SPLIT DNS, Windows Server 2008: The Definitive Guide

https://books.google.de/books?id=H7RgtZEgUvsC&pg=PA137&dq=split+dns&hl=de&sa=X&ei=a9H2VMrNJ4TXyQPBkoFg&ved=0CCcQ6AEwAQ#v=onepage&q=split%20dns&f=false

SPLIT DNS with ISA

http://www.isaserver.org/img/upl/isabokit/9dnssupport/9dnssupport.htm#_Toc63649957

Exchange PRO

http://exchangeserverpro.com/ssl-requirements-for-exchange-when-certificate-authorities-wont-issue-certificate/

Main Technet Link

http://support.microsoft.com/kb/940726/en-us

Setup of KMS server in Enterprise an several unwanted KMS DNS Entrys

While installing a KMS Server for Enterprise we had already had two or three DNS entrys per Domain Controller already there. But the KMS was not installed and planned before.

We found out that the person installing the Server 2008R2 used tke KMS-key to activate the Server itself instead of using a MAK key. You only need the KMS ONCE per company or Domain

and then leave the Server 2008R2, WIndows 7, Vista as they are. They will connect to the KMS Server and do the rest. Everything goes over one or two KMS keys or KMS Groups.

Mostly people don't understand that you need to activate a minimum of 5 servers or 25 windows 7 or 5 Office 2010 to get the whole thing running.

If you try to run with 4 servers 2008R as example at the end it will fail (After Grace period).

 So while looking at DNS an TCP\ you had two _VLMCS entrys there. If you don't want Round Robin Redudancy

something is wrong here. (Worng keys used for installing the Server)

If you use the KMS key for installing a nommal 2008R2 Windows automaticly thinks THIS is the KMS licence

server an dthus install the KMS licence server in the background.

http://social.technet.microsoft.com/Forums/en/itprovistaactivation/thread/62726fca-02ff-4d86-8781-aafa18cb0b2a

You need to change the product key of the machines that should not be KMS

slmgr /IPK xxxxx-xxxxx-xxxxx-xxxxx-xxxxx

Then activate with that key

Slmgr /ATO

Then we need to stop and restart the service( the name is different depending on the product)

For Windows Vista or for Windows Server 2008

For Windows 7 or for Windows Server 2008 R2

Normaly done via Registry here is a more elegant way. Now ETH told once, that they can't cary anymore traffic. But who cares! It's the public who pays. And once "we the people who work" all day and pay all the students can profit from something. ;-) Not only the business owners who then hire ETH students.

First, locate your PDC Server. Open the command prompt and type: C:\>netdom /query fsmo

1. Log in to your PDC Server and open the command prompt.
2. Stop the W32Time service: C:\>net stop w32time
3. Configure the external time sources, type: C:\> w32tm /config /syncfromflags:manual /manualpeerlist:0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org
4. Make your PDC a reliable time source for the clients. Type: C:\>w32tm /config /reliable:yes
5. Start the w32time service: C:\>net start w32time
6. The windows time service should begin synchronizing the time. You can check the external NTP servers in the time configuration by typing: C:\>w32tm /query /configuration
7. Check the Event Viewer for any errors.

w32tm /config /syncfromflags:manual /manualpeerlist:0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org

net time /setsntp:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org"