Saturday, October 14, 2017

Troubleshoot blue screen errors

A stop error (also called a "blue screen" error) can occur if a problem causes your PC to shut down or restart unexpectedly. When you experience this type of error, you won't be able to see things like the Start menu or the taskbar on the screen when your PC is turned on. Instead you might see a blue screen with a message that your PC ran into a problem and needs to restart.

When did you get the error?
Error after an update is installed
Some stop errors occur after a specific update or driver is installed on your PC. Fixing the error depends on getting to the desktop.

 
Stop error that lets you get to the desktop
If you can get to the desktop, try uninstalling the update that's causing the error. You might need to uninstall more than one update if you don't know which one is causing the error.

  1. In the search box on the taskbar, type View installed updates, and then select View installed updates.
  2. Expand the window to see the installation date, and then select the update that you want to uninstall.
  3. Select Uninstall.

If uninstalling an update fixes the stop error, temporarily block the update from automatically installing again.
Stop error doesn't let you get to the desktop
If you can't get to the desktop and your PC has restarted several times, it will begin automatic repair.

After automatic repair, on the Choose an option screen, select Troubleshoot > Advanced options > System Restore. This option reverts your PC to an earlier point, called a system restore point. Restore points are created when you install a new app, driver, update, or when you create a system restore point manually. Choose a restore point created before the error occurred.

Restoring your PC to an earlier point will remove updates and drivers installed after the restore point was made. It won't affect your personal files.

If restoring your PC to an earlier point fixes the stop error, temporarily block the update from automatically installing again.

Start Windows in safe mode

You can also start Windows in safe mode to uninstall recent updates.

  1. After automatic repair, on the Choose an option screen, select Troubleshoot > Advanced options > Startup Settings > Restart.
  2. After your PC restarts, you'll see a list of options. Press the 4 or F4 key for Safe Mode. To access the Internet, press the 5 or F5 key for Safe Mode with Networking.
  3. When in safe mode on your PC, select the Start button > Settings > Update & security > Windows Update.
  4. Depending on the version of Windows 10 that's installed, do one of the following:
    • In Windows 10 Version 1607, select Update history > Uninstall updates.
    • In Windows 10 Version 1511, select Advanced options > View your update history > Uninstall updates.
Remove hardware
Unplug unnecessary external hardware (printers, webcams, additional monitors, etc.) and see if the stop error is fixed.
If removing software or hardware doesn’t work,

Backup job fails with the error: "0xe000ff15 - A communication failure has occurred with a system state/shadow copy resource."

Problem

Backup job fails with the error: "0xe000ff15 - A communication failure has occurred with a system state/shadow copy resource."

Error Message

0xe000ff15 - A communication failure has occurred with a system state resource.

Solution

To resolve the issue, follow the steps below:

1. Use a different set of ports for whichever application is using the port(s) in conflict with Backup Exec. For detailed information on port usage with Backup Exec, refer to the following technote: http://www.veritas.com/docs/000029930

2. Change the port range inside Backup Exec:
       a.   Open Backup Exec
       b.   Click Tools | Options 
       c.   In the left pane, click Network and Security
 
       d.   For Enable media server TCP dynamic port range and Enable remote agent TCP dynamic port range, specify a port range that does not conflict with existing applications installed on all servers within the network.
 
Note: If the Enable media server TCP dynamic port range check box and the Enable remote agent TCP dynamic port range check box are not selected, Backup Exec will use the port range of 1025 - 65535.
 
 
 
1. Unable to back up system resources when AOFO is selected in job properties:
 
 a.    Go to the properties of the backup job - Under AOFO - Select VSS - Use Microsoft Shadow Copy Provider. 
 
 b.     Verify that the "Volume Shadow Copy" and "Microsoft Software Shadow Copy" services are stopped and set to manual on the target servers.
 
 c.     From the command prompt on the Target Server, run VSSADMIN LIST WRITERS and confirm that the status of all the writers is stable. Reboot the Target Server if the issue persists.
2. VSS snapshots require a certain amount of system resources in order to perform the backup.
       a. The local system volume should have an adequate amount of hard disk space available.
       b. The computer must also have an adequate amount of RAM to run installed applications and roles on the system.
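
The writer check in step c can be scripted instead of read by eye. The following PowerShell is an added example, not part of the original article; the function name Get-UnstableVssWriter and the sample output are constructed for illustration.

```powershell
# Added example. Parses the text output of `vssadmin list writers` and returns
# every writer whose state is not "Stable" or whose last error is not "No error".
function Get-UnstableVssWriter {
    param(
        # Lines of vssadmin output; by default the tool is run (needs an elevated prompt).
        [string[]]$Lines = (& vssadmin.exe list writers)
    )
    $writers = @()
    $current = $null
    foreach ($line in $Lines) {
        switch -Regex ($line) {
            "^Writer name:\s*'(.+)'" {
                # A new writer record starts here.
                $current = [pscustomobject]@{ Name = $Matches[1]; State = $null; LastError = $null }
                $writers += $current
            }
            '^\s+State:\s*\[\d+\]\s*(.+?)\s*$' {
                if ($current) { $current.State = $Matches[1] }
            }
            '^\s+Last error:\s*(.+?)\s*$' {
                if ($current) { $current.LastError = $Matches[1] }
            }
        }
    }
    # Transient states seen while a backup is running are reported too.
    $writers | Where-Object { $_.State -ne 'Stable' -or $_.LastError -ne 'No error' }
}

# Constructed sample output (not captured from a real server).
$sample = @"
Writer name: 'System Writer'
   Writer Id: {00000000-0000-0000-0000-000000000001}
   State: [1] Stable
   Last error: No error

Writer name: 'Registry Writer'
   Writer Id: {00000000-0000-0000-0000-000000000002}
   State: [9] Failed
   Last error: Timed out
"@ -split "`r?`n"

Get-UnstableVssWriter -Lines $sample | Format-Table Name, State, LastError
```

On a target server, call Get-UnstableVssWriter with no arguments; an empty result means every writer reported Stable with no error.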

Tuesday, October 3, 2017

Step-By-Step: Migrating Active Directory FSMO Roles From Windows Server 2012 R2 to 2016

With Windows Server 2016 released to the public (GA), many businesses are working on migrating their services to the new offering. This post will walk you through the steps needed to migrate Active Directory FSMO roles running on Windows Server 2012 R2 to Windows Server 2016 Active Directory. The same steps are valid for migrating from Windows Server 2012, Windows Server 2008 R2 and Windows Server 2008.
In this setup, the Windows Server 2012 R2 domain controller is set up as a PDC. The Windows Server 2016 machine has already been added to the existing domain.



The current domain and forest functional level is Windows Server 2012 R2.

So, let's start with the migration process.
Install Active Directory on Windows Server 2016
1. Log in to Windows Server 2016 as domain administrator or enterprise administrator
2. Check the IP address details and set the local host IP address as the primary DNS and another AD server as the secondary DNS. This is because, after AD is installed, the server itself will act as a DNS server
3. Run servermanager.exe from PowerShell to open Server Manager (there are many ways to open it)

4. Then click on Add Roles and Features

5. It will open up the wizard; click Next to continue
6. In the next window, keep the default and click Next
7. Roles will be installed on the same server, so leave the default selection and click Next to continue
8. Under the server roles, tick Active Directory Domain Services; it will then prompt with the features needed for the role. Click Add Features, then click Next to proceed
9. In the features window, keep the default and click Next
10. The next window gives a brief description of AD DS; click Next to proceed
11. The next window gives a brief description of the configuration; click Install to start the role installation process.
12. Once the installation has completed, click the Promote this server to a domain controller option

13. It will open up the Active Directory Domain Services configuration wizard; leave the option Add a domain controller to an existing domain selected and click Next.

14. In the next window, define a DSRM password and click Next

15. In the next window, click Next to proceed
16. The next window asks from where to replicate domain information. You can select a specific server or leave it at the default. Once done, click Next to proceed.
17. Then it shows the paths for the AD DS database, log files and SYSVOL folder. You can change the paths or leave the defaults. In this demo, I will keep the defaults and click Next to continue
18. The next window explains the preparation options. Since this is the first Windows Server 2016 AD server in the domain, it will run the forest and domain preparation tasks as part of the configuration process. Click Next to proceed.
19. The next window lists the options we selected. Click Next to proceed.

20. Then it will run the prerequisite check; if all is good, click Install to start the configuration process.

21. Once the installation completes, it will restart the server.

Migrate FSMO Roles to Windows Server 2016 AD
I assume by now you have an idea of what FSMO roles are. If not, search my blog and you will find an article explaining those roles.
There are 2 ways to move the FSMO roles from one AD server to another. One is using the GUI and the other is using the command line. I had already written articles about the GUI method before, so I am going to use PowerShell this time to move the FSMO roles. If you would like to use the GUI, search my blog and you will find articles on it.
1) Log in to the Windows Server 2016 AD server as enterprise administrator
2) Open PowerShell as administrator. Then type netdom query fsmo. This will list the FSMO roles and their current owner.

3) In my demo, the Windows Server 2012 R2 DC holds all 5 FSMO roles. Now, to move the FSMO roles over, type Move-ADDirectoryServerOperationMasterRole -Identity REBELTEST-PDC01 -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster and press Enter

Here, REBELTEST-PDC01 is the Windows Server 2016 DC. If the FSMO roles are placed on different servers, you can migrate each FSMO role to a different server.
4) Once it's completed, type netdom query fsmo again and you can see that the Windows Server 2016 DC is now the new owner of the FSMO roles.
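
The query, move and re-query steps above can be combined so that only roles still held elsewhere are transferred and the script stops if any role did not land on the target. This PowerShell is an added example, not the author's code; the helper name Get-FsmoHolder is hypothetical, and REBELTEST-PDC01 is the target DC from the post.

```powershell
Import-Module ActiveDirectory

# Hypothetical helper (added example): map each FSMO role to its current holder.
function Get-FsmoHolder {
    $domain = Get-ADDomain
    $forest = Get-ADForest
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

$target     = 'REBELTEST-PDC01'   # the Windows Server 2016 DC named in the post
$targetFqdn = (Get-ADDomainController -Identity $target).HostName

# Roles still held by another server are the only ones that need to move.
$before = Get-FsmoHolder
$toMove = @($before.Keys | Where-Object { $before[$_] -ne $targetFqdn })

if ($toMove.Count -gt 0) {
    # -Confirm:$false suppresses the per-role prompt; remove it to confirm each move.
    Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $toMove -Confirm:$false
}

# Stop with an error if any role is not on the target afterwards.
$after = Get-FsmoHolder
$stray = @($after.Keys | Where-Object { $after[$_] -ne $targetFqdn })
if ($stray.Count -gt 0) {
    throw "Roles not on ${targetFqdn}: $($stray -join ', ')"
}
$after.GetEnumerator() | Format-Table Name, Value
```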

Uninstall AD role from Windows Server 2012 R2
Now we have moved the FSMO roles, but we are still running the system on Windows Server 2012 R2 domain and forest functional levels. In order to upgrade them, we first need to decommission the AD roles from the existing Windows Server 2012 R2 servers.
1) Log in to the Windows Server 2012 R2 domain server as enterprise administrator
2) Open PowerShell as administrator
3) Then type Uninstall-ADDSDomainController -DemoteOperationMasterRole -RemoveApplicationPartition and press Enter. It will ask for the local administrator password. Provide a new password for the local administrator and press Enter.
4) Once it's completed, it will restart the server.

Upgrade the forest and domain functional levels to Windows Server 2016
Now that we have the Windows Server 2012 R2 domain controllers demoted, the next step is to upgrade the domain and forest functional levels.
1) Log in to the Windows Server 2016 DC as enterprise administrator
2) Open PowerShell as administrator
3) Then type Set-ADDomainMode -identity rebeladmin.net -DomainMode Windows2016Domain to upgrade the domain functional level to Windows Server 2016. Here, rebeladmin.net is the domain name.
4) Then type Set-ADForestMode -Identity rebeladmin.net -ForestMode Windows2016Forest to upgrade the forest functional level.
5) Once done, you can run Get-ADDomain | fl Name,DomainMode and Get-ADForest | fl Name,ForestMode to confirm the new domain and forest functional levels.
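
Before raising the levels, it helps to confirm that no older domain controller is still registered in the domain. This PowerShell is an added example, not the author's code; it uses the rebeladmin.net domain from the post and assumes the OperatingSystem string of every remaining DC contains "2016".

```powershell
Import-Module ActiveDirectory

$domainName = 'rebeladmin.net'   # domain name used in the post

# Inventory every DC the directory still knows about, with its OS.
$dcs = Get-ADDomainController -Filter * -Server $domainName
$dcs | Sort-Object Name | Format-Table Name, OperatingSystem, Site, IsGlobalCatalog

# Assumption: a 2016 DC reports an OS string such as "Windows Server 2016 Standard".
$older = @($dcs | Where-Object { $_.OperatingSystem -notlike '*2016*' })
if ($older.Count -gt 0) {
    throw "Demote these DCs first: $($older.Name -join ', ')"
}

# Raise the domain first, then the forest, skipping levels that are already set.
if ((Get-ADDomain -Identity $domainName).DomainMode -ne 'Windows2016Domain') {
    Set-ADDomainMode -Identity $domainName -DomainMode Windows2016Domain -Confirm:$false
}
if ((Get-ADForest -Identity $domainName).ForestMode -ne 'Windows2016Forest') {
    Set-ADForestMode -Identity $domainName -ForestMode Windows2016Forest -Confirm:$false
}

# Confirm the result, as in step 5.
Get-ADDomain -Identity $domainName | Format-List Name, DomainMode
Get-ADForest -Identity $domainName | Format-List Name, ForestMode
```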


Sunday, October 1, 2017

New Strategies and Features to Help Organizations Better Protect Against Pass-the-Hash Attacks


The new guidance to help our customers address credential theft is called Mitigating Pass-the-Hash and Other Credential Theft, version 2. The paper encourages IT professionals to “assume breach” to highlight the need for the use of holistic planning strategies and features in Microsoft Windows to become more resilient against credential theft attacks. This paper builds on our previously released guidance and mitigations for Pass-the-Hash (PtH) attacks.

Given that organizations must continue to operate after a breach, it is critical for them to have a plan to minimize the impact of successful attacks on their ongoing operations. Adopting an approach that assumes a breach will occur ensures that organizations have a holistic plan in place before an attack occurs. A planned approach enables defenders to close the seams that attackers are aiming to exploit.
The guidance also underscores another important point – that technical features alone may not prevent lateral movement and privilege escalation. In order to substantially reduce credential theft attacks, organizations should consider the attacker mindset and use strategies such as identifying key assets, implementing detection mechanisms, and having a breach recovery plan. These strategies can be implemented in combination with Windows features to provide a more effective defensive approach, and are aligned to the well-known National Institute of Standards and Technology (NIST) Cybersecurity Framework.
There are three important points technology leaders should understand about a PtH attack:
  • First, an attacker has to get a foothold on your network before a PtH type of attack occurs. This is commonly achieved using tactics such as phishing, taking advantage of weak passwords, or by exploiting unpatched vulnerabilities. 
  • Second, once initial administrative rights to a compromised computer are obtained, an attacker captures account login credentials on that computer, and then uses those captured credentials to authenticate to other computers on the network. 
  • Third, the ultimate goal of an attacker might be to compromise the domain controller – the central point of control for all computers, corporate identities and credentials – which effectively gives them control and full access to all of the organization’s IT assets. 
Lastly, there is no one silver bullet that solves credential theft attacks such as PtH. The risk of credential theft exists in any type of single-sign-on implementation, both in open source and commercial platforms. Microsoft is committed to not only furthering platform enhancements to harden against these attacks, but also to sharing guidance to help strengthen our customers’ infrastructure against these threats.
If you have responsibility for the security of your organization’s IT infrastructure, I strongly encourage you to read and apply the guidance in this whitepaper. Visit http://microsoft.com/pth