
Strange problem: VMware Inventory Service cannot start due to Microsoft Update (July 2016)

In one of my company’s datacenters, we had a strange problem with VMware vSphere last month.

Here is our setup:

  • The SQL Server instance dedicated to vSphere is installed on a cluster server. The SQL Server version is 2012 Enterprise and Windows is 2012 R2 Standard.
  • vCenter is installed on another server.

After we applied the July patches from Microsoft and restarted the vCenter server, nearly all VMware services could not start. In Event Viewer, one event said:

The VMware Inventory Service service terminated with the following service-specific error:
Incorrect function.

At the request of VMware support, I uninstalled all the related updates and rebooted, but it didn’t help. I thought there might be an error related to the database connection. I ran the connection test from the ODBC setup window, and the test finished successfully. So I collected and submitted the log files generated from the vCenter server command line. You know, they are really huge.

Two weeks later, I got an email from the senior engineers at VMware. By digging through the log, they found that vCenter could not connect to SQL Server and that the TCP service port was specified. At that moment, thanks to the documentation I wrote :), I found that the TCP service port was different from what it should be. When I checked the SQL Server, I found the reason really weird: the TCP port of this instance had been modified, automatically and silently. Since I had used the vSphere client just before upgrading Windows, I’m quite sure this issue is related to at least one of the patches applied on the database cluster, released by Microsoft in July 2016. After a search, I found another SQL Server instance whose port had changed. Because the port changed and our firewall policy is based on TCP port, the client, vCenter in this case, could not connect to this SQL Server instance. After the port setting was changed back and the instance restarted, vCenter was back to normal.

Don’t ask me why the ODBC test passed without any problem. If you know the answer, I’m listening as well.

Build a USB Stick for Windows Installation

After the ISO file of the Windows installation disc has been downloaded, it’s possible to build a USB stick instead of burning a DVD.

To do that, you need a USB stick of at least 8GB as well as a working Windows installation. During the process, all data on this USB stick will be erased.

 

Phase 1: Preparing the USB stick

  1. On the Windows client, run DiskPart as administrator. A console will be shown with the prompt “DISKPART> ” (without quotes, the same below).
  2. Enter “list disk” and press Enter. All disks will be shown with a number.
  3. Enter “select disk x” and press Enter, replacing x with the number of the USB stick shown in step 2. Check the size column to be sure you picked the USB stick, because the next step wipes the selected disk. If you run step 2 again, you will see a star before the disk you selected.
  4. Enter “clean” and press Enter to clean the drive.
  5. Enter “create partition primary” and press Enter to create a partition that fills this drive.
  6. Enter “format fs=fat32 quick” and press Enter to quick-format this partition as FAT32.
  7. Enter “active” and press Enter to mark this partition as active.
  8. Enter “assign” and press Enter to assign a letter to this drive.
  9. Enter “exit” and press Enter to quit DiskPart.

 

Phase 2: Copy files into this drive.

You just need to copy all files within the ISO file into this drive, making the root of this drive the same as the ISO file system. Do not put these files into any sub folder.

 

Phase 3: Optional, only if Install.wim is larger than 4GB.

If Install.wim is larger than 4GB, you cannot put it onto this drive, because a FAT32 partition cannot hold a file larger than 4GB. You have to split it into smaller files. All other files should be copied as described in Phase 2.

To do that, you need to run this command:

DISM /Split-Image /ImageFile:d:\sources\install.wim /SWMFile:e:\sources\install.swm /FileSize:4096

It will split the install.wim from drive D into pieces on the USB stick, drive E. Change these paths to match your system.

 

Now you can use this USB stick to boot your computer and start the installation process just as you would from the disc.

The sad thing is that if you had to prepare this stick through Phase 3, the installation will be slower due to the merging process, but nothing will be different in your installed system.

Increase WSUS downloading speed

The downloading of updates in Windows Server Update Services (WSUS) is based on Background Intelligent Transfer Service (BITS). BITS is designed to download big files using idle bandwidth only. If you need to speed up the downloading process, you may change it to use a foreground mode.

 

To do that, you need SQL Server Management Studio to connect to the database used by WSUS. The database name is SUSDB. Run this command against that database:

update susdb.dbo.tbConfigurationC set BitsDownloadPriorityForeground=1

To revert, run it again, replacing the 1 with 0.

 

Mixed Windows Authentication in IIS 8.5 (ASP.Net)

Update:

Actually, this does not work. It looked OK because of the client’s cache. There is no way to do this as far as I know.


Original:

 

I recently got a case to build a site in IIS 8.5:

  • When the visitor is logged on to the desktop with a domain account, use this account for the website.
  • When the visitor is not using a domain account, do not pop up a login window asking for a domain account; redirect to an anonymous version instead.

I thought it would be simple in the IIS settings, but I was wrong. Anonymous authentication cannot work in parallel with Windows authentication.

After some digging in Google, I started my test:

  1. Deploy the site by using anonymous authentication.
  2. Select the login page for detecting the domain user and change that page to Windows authentication instead of anonymous mode.
  3. Add a custom error page for this page on error 401. The mode is set to “Execute a URL on this site”.

It works well, but…

When the login page is opened, it should carry a URL as a parameter for returning to the original page. So I had to deal with that in the customized 401 page. I turned that page into an ashx handler that calls context.Response.Redirect. The return URL can be cut from context.Request.RawUrl.

After that, it went wrong. From the same server that has IIS installed, it still works well. But when I try this page on another computer, it always redirects to the anonymous version of the page, no matter whether the desktop is logged on with a domain account or not. I’m sure that the site is added to the Intranet zone and automatic logon is set for this zone.

Checked with a network monitor, the browser does not get the 401 response in this scenario. For the ashx request, only the 302 code is returned. That’s the reason why the browser isn’t told to log on with the current user.

The solution is: if you still want to use an ashx with a redirect as the customized 401 page, do not use context.Response.Redirect. Instead, do the redirect in an HTML page returned with the 401 code in the HTTP response.

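// redirectUrl is the return URL cut from context.Request.RawUrl (see above).
// Keep the 401 status so the browser still sees the authentication challenge.
context.Response.Status = "401 Unauthorized";
context.Response.StatusCode = 401;
context.Response.ContentType = "text/html";
// HTML-encode the URL: it comes from the request and lands in an attribute.
context.Response.Write(@"<html>
<head>
<title>Redirecting</title>
<meta http-equiv=""refresh"" content=""0; url=" + System.Web.HttpUtility.HtmlAttributeEncode(redirectUrl) + @""" />
</head>
<body></body>
</html>");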

It works like a charm.

I guess (yes, guess) that when the browser gets a 401 response for the first time, it retries the previous submission/navigation with the domain account for login. If that fails again, it pops up a login window after the HTML page is displayed. So, as I required in the HTML code, once it navigates to another page, the browser has no chance to display the login window. That’s the deal.

All I’m sure of is that it really works well. Hope it’s useful to you.

Set SQL Alias

When you need to move a SQL Server instance to another server, you can use a SQL Alias to avoid changing the connection string in the software that uses this database.

All you need to do is set up the SQL Alias on the computers running your software. Nothing needs to be done on the SQL Server itself if it is installed on a different computer from the ones running the applications.

The tool for setting up a SQL Alias is included with Windows. You just need to run cliconfg.exe. Be careful with the typing: it’s cliconfg, not config.

If your Windows is x64 based, you may need to choose the right version of that tool. The x64 version is C:\Windows\system32\cliconfg.exe and the x86 version is located at C:\Windows\syswow64\cliconfg.exe. If you don’t know which is the right one, set up both of them.

Install SoftEther VPN Server on CentOS

This is a guide for installing SoftEther VPN Server on CentOS. SoftEther VPN is a good choice for accessing your local network from a computer outside, or overcoming blocking on your local network. It works much faster than other VPN services but you need a client tool for all advanced features.

 

Preparing

The server requirement:

  • Hardware:
    • A not so bad CPU. Intel Atom CPU is good enough.
    • 256MB RAM, 512MB will be better.
    • 2GB free disk space after OS installed.
  • CentOS
  • A Windows client for running configuration tool.

For those who want to choose Ubuntu on the server side: the recommended Linux distributions for SoftEther are RHEL, Fedora and CentOS. I’ve tried to install SoftEther VPN Server on Ubuntu Server 14. Some technical problems with the firewall (iptables) may occur.

For people in China: A working VPN is required for installing the SoftEther server. Some friends said the server will be blocked by the GFW while installing overseas. But working with a configured SoftEther VPN Server is allowed.

For people who need to install on Windows Azure: This server cannot support protocols other than TCP and UDP. PPTP (not supported by SoftEther either) and L2TP cannot be supported because GRE protocol support is lacking. SSTP and the SoftEther client software are supported well. And don’t forget to open port 443 on the management web page.

 

We will create a VPN server using a subnet 192.168.250.0/24. If this is not acceptable, you need to change all related IP addresses below.

The network interface name should be eth0. If not, you need to change related device name below.

 

CentOS environment adjusting

We need some tools to build and install SoftEther VPN Server.

First, please make sure all components are up to date.

yum update -y

Tools for building executable files are required:

yum groupinstall "Development Tools" -y

Some services for VPN clients should be installed:

yum install dhcp dnsmasq -y

Data forwarding should be enabled by setting net.ipv4.ip_forward to 1 in /etc/sysctl.conf.

in file: /etc/sysctl.conf

net.ipv4.ip_forward = 1

Edit dhcpd configuration file to start dhcpd only for VPN clients. In CentOS 7, this step can be skipped.

in file: /etc/sysconfig/dhcpd

DHCPDARGS=tap_vpn

Don’t worry. The tap_vpn device will be created in the following steps.

Adjust dhcpd configuration file like this:

in file: /etc/dhcp/dhcpd.conf

option domain-name "myvpndomain.com";
option domain-name-servers 192.168.250.1, 8.8.8.8;

default-lease-time 600;
max-lease-time 7200;

subnet 192.168.250.0 netmask 255.255.255.0 {
    range 192.168.250.10 192.168.250.100;
    option routers 192.168.250.1;
}

This dhcpd.conf should be edited carefully. Make sure all semicolons and quotes are in the right position. The domain-name should be changed to your own domain name. If you don’t want to change the default gateway for VPN clients, delete the option routers line. You may want to check the conf file provided by user sigma in the comment area of this article.

For CentOS 7 users: this document was prepared with iptables, which is replaced by firewalld in CentOS 7 by default. You can follow this article to bring iptables back. The main commands are listed here.

yum install -y iptables-services
systemctl mask firewalld
systemctl enable iptables
systemctl stop firewalld
systemctl start iptables

If required, add these lines to the end of /etc/sysconfig/iptables to open the ports for SoftEther. You need to change the port numbers below. Each line is for one port. The lines for port 53 are for DNS. You can remove all lines with REJECT and DROP if you want to make it easier, but with those lines gone and the chain policy at ACCEPT the firewall no longer blocks any inbound traffic.

in file: /etc/sysconfig/iptables

-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
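
Where these lines land in the file matters: iptables evaluates a chain top to bottom and stops at the first match, so ACCEPT rules placed after a catch-all REJECT never take effect, while deleting the REJECT and DROP lines leaves the chain open. The script below is an added example, not part of the original article, that audits the INPUT chain of a rules file for both conditions; the function names and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): audit the INPUT chain of an
# iptables-save style rules file such as /etc/sysconfig/iptables.

# Print each "-A INPUT ... -j ACCEPT" line that sits after an unconditional
# REJECT/DROP in the same chain. iptables stops at the first match, so these
# rules never fire and the port stays closed.
dead_accept_rules() {
    awk '
        $1 == "-A" && $2 == "INPUT" {
            # Catch-all form: "-A INPUT -j REJECT|DROP", no match options.
            if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP")) { closed = 1; next }
            if (closed && $0 ~ /-j ACCEPT/) print
        }
    ' "$1"
}

# Exit 0 when unmatched inbound packets are refused: the chain policy is DROP
# or the chain contains an unconditional REJECT/DROP rule.
input_default_deny() {
    awk '
        $1 == ":INPUT" && $2 == "DROP" { deny = 1 }
        $1 == "-A" && $2 == "INPUT" && $3 == "-j" &&
            ($4 == "REJECT" || $4 == "DROP") { deny = 1 }
        END { exit (deny ? 0 : 1) }
    ' "$1"
}

# Constructed sample: a stock-looking filter table with this guide's three
# rules appended at the end of the INPUT chain, after the catch-all REJECT.
write_sample_rules() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
COMMIT
EOF
}

# Run with --demo to audit the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp) && write_sample_rules "$f"
    echo "ACCEPT rules that can never match:"; dead_accept_rules "$f"
    input_default_deny "$f" && echo "INPUT is default-deny"
    rm -f "$f"
fi
```

After editing the real file, `dead_accept_rules /etc/sysconfig/iptables` should print nothing, and `input_default_deny /etc/sysconfig/iptables` should succeed unless the REJECT and DROP lines were removed on purpose.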

SoftEther VPN Server installing

First, you need to get the address of the right release. Navigate to the SoftEther Download Center on your client computer, then select SoftEther VPN Server and your CPU type to get the URL of the latest release.

Download the file to your server using wget or another tool you like.

! For example only. You should choose the right CPU version. !

wget http://www.softether-download.com/files/softether/v4.10-9473-beta-2014.07.12-tree/Linux/SoftEther_VPN_Server/64bit_-_Intel_x64_or_AMD64/softether-vpnserver-v4.10-9473-beta-2014.07.12-linux-x64-64bit.tar.gz

Decompress the downloaded file by using tar.

! For example only. File name should be changed. !

tar zxvf softether-vpnserver-v4.10-9473-beta-2014.07.12-linux-x64-64bit.tar.gz

A folder named vpnserver will be created after decompressing. Let’s make the executable files and change the permissions.

cd vpnserver/
make
cd ..
mv vpnserver /usr/local
cd /usr/local/vpnserver/
chmod 600 *
chmod 700 vpnserver
chmod 700 vpncmd

During the make process in the current version, you need to answer 1 three times.

Check the NIC name of this server by typing ifconfig. If the name is not eth0, correct it in the script below.

Create a script file named vpnserver for handling server instance start and stop.

new file: /etc/init.d/vpnserver

#!/bin/sh
# chkconfig: 2345 99 01
# description: SoftEther VPN Server
DAEMON=/usr/local/vpnserver/vpnserver
LOCK=/var/lock/subsys/vpnserver
# Do nothing if the server binary is missing or not executable.
test -x "$DAEMON" || exit 0
case "$1" in
start)
    "$DAEMON" start
    touch "$LOCK"
    # Wait for the server to come up before configuring tap_vpn.
    sleep 3
    ifconfig tap_vpn 192.168.250.1
    # NAT traffic from the VPN subnet out through eth0.
    iptables -t nat -A POSTROUTING -s 192.168.250.0/24 -o eth0 -j MASQUERADE
    service dhcpd restart
    service dnsmasq restart
    ;;
stop)
    # Remove the NAT rule added by start.
    iptables -t nat -D POSTROUTING -s 192.168.250.0/24 -o eth0 -j MASQUERADE
    "$DAEMON" stop
    rm -f "$LOCK"
    ;;
restart)
    iptables -t nat -D POSTROUTING -s 192.168.250.0/24 -o eth0 -j MASQUERADE
    "$DAEMON" stop
    sleep 3
    "$DAEMON" start
    sleep 3
    ifconfig tap_vpn 192.168.250.1
    iptables -t nat -A POSTROUTING -s 192.168.250.0/24 -o eth0 -j MASQUERADE
    service dhcpd restart
    service dnsmasq restart
    ;;
*)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
    ;;
esac
exit 0

Make sure the folder for the lock file exists.

mkdir -p /var/lock/subsys

Set the permissions on the file you created.

chmod 755 /etc/init.d/vpnserver

Set vpnserver to auto start. There are two hyphens before “add”.

chkconfig --add vpnserver

Start the vpnserver.

service vpnserver start

Some errors related to tap_vpn and dhcp will occur. Don’t worry about that.

Now we set a password for remote management.

cd /usr/local/vpnserver
./vpncmd
... type 1 and press Enter ...
... press Enter twice to get the prompt "VPN Server>" ...
ServerPasswordSet
exit

Let’s turn to Windows now. Don’t close the shell or reboot the server.

 

SoftEther VPN Remote Managing

Install SoftEther VPN Server Manager for Windows from SoftEther Download Center.

Create a new server by entering the remote server IP address.

After connecting, delete the hub named DEFAULT and create a new one. Check “No Enumerate to Anonymous Users” to protect and hide your server.

Create at least one user account for the Hub created.

Click “Local Bridge Setting” button below. Select the Hub you’ve created, “Bridge with New Tap Device” and type the New Tap Device Name “vpn” (lowercase, without quotes) to create the “tap_vpn” we’ve mentioned twice above. Never use SecureNAT for this hub because it’s not compatible with bridge and sucks currently.

Now you need to go back to the server shell to reboot the whole system.

 

SoftEther VPN Client Optimizing

To make the VPN connection fast and stable, you may want to change some advanced settings in client side.

  • Number of TCP Connections: Set to 8 or above for broadband.
  • Set Connection Lifetime for Each TCP Connection: Check and set to 300.
  • Use Half-Duplex Mode: Check if you can.
  • Disable UDP Acceleration: Check.

 

Future Upgrading

When you need to update the server side, you need to:

Stop the service.

service vpnserver stop

Download the latest version of SoftEther VPN Server and build it.

wget brabrabrabra
tar zxvf brabrabrabra
cd vpnserver
make
chmod 600 *
chmod 700 vpnserver
chmod 700 vpncmd
cp -r * /usr/local/vpnserver/

And start the service again.

service vpnserver start

Choosing server for internet accessing

I’ve tested this on Linode (CentOS x64) and Windows Azure (OpenLogic).

Azure is faster but quite expensive. Linode is a better choice in most cases.

If you want to try Linode, you can choose the cheapest server (Linode 1024). 2TB transferring (output only, input is free) is included in price (10 USD /mo). If you buy Linode for more than 90 days from this link, I’ll get a credit. Thanks for your help lol.

WDS of Windows Server 2012 R2 with Update

No matter how you get Windows Server 2012 R2 with Update, by a fresh install from the CD supplied by MSDN Subscription or simply by upgrading through Windows Update, the WDS of this system sucks.

If you plan to upgrade, please remember to back up the Boot folder of WDS while still running Windows Server 2012 R2 without that update. After the upgrade, you need to stop the WDS service, replace the Boot folder with your backup and restart WDS.

The Boot folder provided with Windows Server 2012 R2 with Update or Windows 8.1 with Update is not compatible with capture image creation. If you use the original Boot folder from Windows Server 2012 R2 with Update, or get the Boot folder upgraded by adding a boot.wim from Windows Server 2012 R2 with Update or Windows 8.1 with Update, it can boot but cannot support capture images any more. No matter which boot file your capture image is based on, even if you get your capture image from another server, it just cannot boot your PC for capturing. After loading finishes, you will get an error in winload.exe with the status code 0xc000000f.

To avoid this, do NOT use the boot.wim from the Windows Server 2012 R2 with Update or Windows 8.1 with Update ISO files provided by MSDN Subscription. And do NOT use the Boot folder provided with the WDS of Windows Server 2012 R2.

To fix this, you just need to restore the WDS Boot folder from the backup you made before applying this update. If you don’t have a backup, copy this folder from another server running Windows Server 2012 R2 (without that Update).

I still don’t know the reason, but it doesn’t surprise me that WDS is not tested well. In many versions of Windows Server, WDS does not work well.

 

Related:

Do NOT add a boot file for WDS from Windows 6.3 with Update

Caution: Upgrading Windows to 2012 R2 may change the interface number of network interface card

Some servers have specific settings written with the command “route -p” to deal with multiple internet or intranet connections. To make this work with RRAS, the option “if <number>” must be provided with each route command.

If you’re planning to upgrade such a server to Windows Server 2012 R2, be careful: you may need a console connection. Though the upgrade process will not fail, or even give you any warning about route settings, after it is done the interface number of the NIC (network interface card) will have changed. It means you have to remove and re-add the related persistent routes to restore the remote connection before you can use this server again.

If you cannot get a console, you may want to disable RRAS and remove the “if <number>” parameter from the route commands before upgrading.

Visual Studio 2013 Update 1 is not compatible with Windows 8.1 with Update (MSDN CD) while using sysprep

When the new installation CD named Windows 8.1 with Update was released for MSDN subscribers, I downloaded it and tried to upgrade all the images in the Windows Deployment Service at my company. But I found that the new version of Windows 8.1 might have a problem with Visual Studio 2013 Update 1.

 

Coz I need to upgrade some related images in batch, this is my way:

Create a VM and install Windows 8.1 (x64 enterprise version with update, downloaded from MSDN subscriptions site);

  1. Install Office 2013 with Service Pack 1 (VL version, coz there is a KMS in our company);
  2. Update to the latest patches;
  3. Run Cleanmgr to minimize the system;
  4. Create a snapshot named Office 2013;
  5. Use Sysprep to boot into the audit mode;
  6. Remove the current user;
  7. Use Sysprep to boot into the OOBE mode with Generalize checked;
  8. Use WDS to capture this status and upload, named as Office 2013. Before capturing, I deleted the pagefile, swap file and the contents within temp folder.

It works great.

Then,

  1. Revert to snapshot Office 2013;
  2. Install Visual Studio 2013 with Blend, Office Developer Tools, SQL Server Data Tools, Web Developer Tools, Silverlight Development Kit; (No C++, nor mobile things)
  3. Install Update 1 from iso;
  4. Install Visual Studio SDK;
  5. Update to the latest patches;
  6. Run Cleanmgr to minimize the system;
  7. Create a snapshot named Visual Studio;
  8. Use Sysprep to boot into the audit mode;
  9. Remove the current user;
  10. Use Sysprep to boot into the OOBE mode with Generalize checked;
  11. Use WDS to capture this status and upload, named as Visual Studio. Before capturing, I deleted the pagefile, swap file and the contents within temp folder.

It looks familiar right? Actually, it WON’T WORK.

After deploying from this Visual Studio image and creating a new user, the system ends with this text:

The User Profile Service service failed the sign-in.

User profile cannot be loaded.

Even when trying to boot from the template VM in current status, it failed in the same way.

But if I install Team Explorer from the Team Foundation Server with Update 2 CD instead, or use the Office 2013 image created above, it works like a charm. Even just using the old Windows 8.1 CD instead of the new one, it still works great.

I’ve checked by using reg in the command line. There is nothing wrong like what this KB mentions: http://support.microsoft.com/kb/947215.

I have no clue about this, but I’m leaving a message here to help others avoid the same jam.

 

 

Update: It is fixed in VS 2013 with Update 2.

Do NOT add a boot file for WDS from Windows 6.3 (2012R2/8.1) with Update

If you have a Windows Deployment Service (WDS for short) hosted on Windows Server 2012 R2 (with or without the update), never try to add a boot file from Windows Server 2012 R2 with Update (MSDN CD) or Windows 8.1 with Update (MSDN CD). If you do so, every capture image stops working, no matter which version of boot file it is based on, and whether it was created by this server or by another. After loading finishes, you will get an error in winload.exe with the status code 0xc000000f.

If you are already in this jam, you have to restore the whole boot folder from the backup you made before you attached the new version of the boot files. Don’t forget to stop WDS before you replace the folder. Deleting only the new boot file won’t work.


Update: There is another way to fix the broken capture image file directly. But you have to do that for every capture file. http://social.technet.microsoft.com/Forums/windowsserver/en-US/a164b948-1778-42bd-8d77-9cef1ca70866/image-capture-boot-image-fails-with-0xc000000f?forum=winserversetup