Windows Server – System Channel Event ID Error 36888

July 28, 2020

When your Event Viewer is flooded with Schannel Event ID 36888 alerts.


SOLUTION :

Turn this off by changing the logging value under the following registry key :

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL

From 1 to 0
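An added PowerShell example (not code from the original post) that reads the current value, counts how many 36888 events the System log actually holds, and only then writes the new value. The value name `EventLogging` is not visible in the post's text (it sits in the screenshot); it is the documented Schannel logging DWORD under the key named above. Counting first matters because 0 silences Schannel error logging entirely, so TLS handshake failures stop being visible in the System log.

```powershell
# Added example, not code from the original post. Reads and sets the Schannel
# EventLogging DWORD under the key the post names; 1 logs errors (the setting
# that produces 36888 events), 0 turns Schannel event logging off.
$SchannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$ValueName   = 'EventLogging'

function Get-SchannelEventLogging {
    # Returns the current DWORD, or $null when the value has never been set
    $item = Get-ItemProperty -Path $SchannelKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Get-SchannelErrorCount {
    # Number of 36888 events in the System log over the last N hours. Knowing
    # the volume (and the error codes inside the messages) before silencing
    # them tells you whether you are hiding a real TLS problem or just noise.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36888
                 StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    return ($events | Measure-Object).Count
}

function Set-SchannelEventLogging {
    # Writes the DWORD; run from an elevated session. 0 = off, 1 = log errors.
    param([ValidateSet(0, 1)][int]$Level)
    if (-not (Test-Path $SchannelKey)) { New-Item -Path $SchannelKey -Force | Out-Null }
    Set-ItemProperty -Path $SchannelKey -Name $ValueName -Value $Level -Type DWord
    return (Get-SchannelEventLogging)
}

"Current EventLogging value : $(Get-SchannelEventLogging)"
"36888 events in last 24h   : $(Get-SchannelErrorCount)"
# Set-SchannelEventLogging -Level 0   # the post's fix; uncomment to apply
```

If the count is a handful of events from one client or one cipher-suite mismatch, fixing that client is usually the better option than turning the log off for the whole host.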


Enjoy!


MS SQL Server – Error SQLWRITER Event ID 24581

May 29, 2020

When you see this event appearing after a backup has run.

Event ID 24581 SQLWRITER Error: SQL Server Instance XXX is empty.


It means that you have not granted permission to the account

NT AUTHORITY\SYSTEM

Solutions :

Grant SYSADMIN access to NT AUTHORITY\System Account

Use this command :

ALTER SERVER ROLE [sysadmin] ADD MEMBER [NT AUTHORITY\SYSTEM]
GO

Or open SSMS and add the SYSADMIN server role to the NT AUTHORITY\SYSTEM login.
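An added example (not code from the original post) that checks whether the login exists and already holds sysadmin before applying the post's ALTER SERVER ROLE, and lists all current sysadmin members so the change is documented. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd) is installed and that the session runs as a SQL Server administrator; the instance name `localhost` is a constructed placeholder.

```powershell
# Added example, not code from the original post. Assumes the SqlServer module
# (Invoke-Sqlcmd) is installed and the session runs as a SQL Server admin.
# $Instance is a constructed placeholder; replace it with your instance name.
$Instance = 'localhost'
$Login    = 'NT AUTHORITY\SYSTEM'

function Get-SqlLoginState {
    # Does the Windows login exist, and is it already a sysadmin member?
    $query = @"
SELECT
  CASE WHEN EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Login')
       THEN 1 ELSE 0 END AS LoginExists,
  ISNULL(IS_SRVROLEMEMBER('sysadmin', N'$Login'), 0) AS IsSysadmin;
"@
    return Invoke-Sqlcmd -ServerInstance $Instance -Query $query
}

function Grant-SqlWriterAccess {
    # Creates the login if it is missing and adds it to sysadmin (the post's
    # fix). sysadmin is the broadest role SQL Server has, so the change is
    # only made when Get-SqlLoginState shows it is not already in place.
    $state = Get-SqlLoginState
    if ($state.LoginExists -eq 0) {
        Invoke-Sqlcmd -ServerInstance $Instance -Query "CREATE LOGIN [$Login] FROM WINDOWS;"
    }
    if ($state.IsSysadmin -eq 0) {
        Invoke-Sqlcmd -ServerInstance $Instance -Query "ALTER SERVER ROLE [sysadmin] ADD MEMBER [$Login];"
    }
    return Get-SqlLoginState
}

function Get-SysadminMembers {
    # Audit view: every login that currently holds sysadmin
    $query = @"
SELECT m.name AS Member, m.type_desc AS Type, m.is_disabled AS Disabled
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';
"@
    return Invoke-Sqlcmd -ServerInstance $Instance -Query $query
}

Get-SqlLoginState  | Format-List
Get-SysadminMembers | Format-Table -AutoSize
# Grant-SqlWriterAccess   # uncomment to apply the post's fix
```

Keep the sysadmin member list from the last call with your change record; it is the quickest way to spot later, unexplained additions to that role.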


Enjoy!


Windows Server 2019 – Hyper-V VMMS Errors Event ID 19100

March 25, 2020

On the internet I found this nice visual that helps in understanding the Hyper-V and backup infrastructure.


After we installed Hyper-V on a new Windows Server 2019, everything seemed to be running OK.

But apparently after the first backup there were a lot of errors in the Event Viewer with ID 19100.

Error 0x8007052F


After that point no backups would run anymore, until the Hyper-V host was restarted.

Next backup cycle, the same story.

So I checked the VSS writers to see if all was OK, and saw that an error was reported:

Microsoft Hyper-V VSS Writer : Unexpected Error


So that did not help a lot.

Next I ran some VSS diagnostics apps, but no errors were found.

VSSDoctor :


VssDiag :


Everything appeared to be OK, but it was not …

Solution :

The conclusion was that this could be nothing else than a permission issue.

So I ran the Resultant Set of Policy – rsop.msc


I noticed that some policies were overridden by a Domain Policy, so I started cleaning up.

But still no success, until I noticed that the local ‘Log on as a service’ policy was overridden as well; I cleaned this one up too.

Then check the local policy settings for this policy using SecPol.msc


I noticed that ‘NT VIRTUAL MACHINE\Virtual Machines’ was not in there.

After adding NT VIRTUAL MACHINE\Virtual Machines to the local policy ‘Log on as a service’, all backup problems were solved.
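An added PowerShell example (not code from the original post) that checks the two things this post ended up looking at: whether `NT VIRTUAL MACHINE\Virtual Machines` (well-known SID S-1-5-83-0) holds the ‘Log on as a service’ user right, and what state the Hyper-V VSS writer reports. It reads the effective local policy with `secedit /export`, so a domain GPO that overrides the local setting shows up here too. Run it in an elevated session on the Hyper-V host.

```powershell
# Added example, not code from the original post. Run elevated on the Hyper-V
# host. Checks whether 'NT VIRTUAL MACHINE\Virtual Machines' (SID S-1-5-83-0)
# holds 'Log on as a service' (SeServiceLogonRight) and reports the state of
# the Hyper-V VSS writer as 'vssadmin list writers' shows it.

function Get-ServiceLogonRightMembers {
    # secedit exports the effective local security policy as an .inf file;
    # /areas USER_RIGHTS restricts the export to the [Privilege Rights] section
    $inf = Join-Path $env:TEMP 'user-rights-export.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content -Path $inf | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    # Entries are comma separated; SIDs carry a leading '*', names appear as-is
    $members = ($line -split '=', 2)[1] -split ','
    return @($members | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Test-VmServiceLogonRight {
    $members = Get-ServiceLogonRightMembers
    $present = ($members -contains '*S-1-5-83-0') -or
               ($members -contains 'NT VIRTUAL MACHINE\Virtual Machines')
    return [pscustomobject]@{
        Right                  = 'SeServiceLogonRight'
        Members                = $members -join ', '
        VirtualMachinesPresent = $present
    }
}

function Get-VssWriterState {
    # Parses 'vssadmin list writers'; each writer is a 5-line block:
    # Writer name / Writer Id / Writer Instance Id / State / Last error
    param([string]$Name = 'Microsoft Hyper-V VSS Writer')
    $out = @(vssadmin list writers)
    for ($i = 0; $i -lt $out.Count; $i++) {
        if ($out[$i] -match "Writer name: '$([regex]::Escape($Name))'") {
            return [pscustomobject]@{
                Writer    = $Name
                State     = ($out[$i + 3] -replace '^\s*State:\s*', '')
                LastError = ($out[$i + 4] -replace '^\s*Last error:\s*', '')
            }
        }
    }
    return $null   # writer not registered at all
}

$right = Test-VmServiceLogonRight
$right | Format-List
if (-not $right.VirtualMachinesPresent) {
    Write-Warning "Add 'NT VIRTUAL MACHINE\Virtual Machines' to 'Log on as a service' in secpol.msc, then check rsop.msc for a domain GPO that overrides it"
}
Get-VssWriterState | Format-List
```

A writer state other than `[1] Stable` with `No error`, combined with `VirtualMachinesPresent = False`, is the same picture the post describes; re-run after the policy change and a `gpupdate /force` to confirm the right is actually in effect.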

TIPS :

Make sure the Hyper-V Guest Integration Services, including Backup (Volume Shadow Copy), are active as well


And the CheckPoints are set like this


See also here :

https://audministrator.wordpress.com/2020/03/12/windows-server-2019-hyper-v-backup-error-event-id-19100-event-id-32/

Enjoy !


Window Server 2019 – Error DCOM Event ID 10000

March 19, 2020

On a Hyper-V guest you might see the DCOM error Event ID 10000


Vdsldr.exe is the “Virtual Disk Service Loader”.

This event looks very similar to the DCOM error Event ID 10016.

See here for more info.

Open the registry and look for the GUID {9C38ED61-D565-4728-AEEE-C80952F0ECDE}


Also make a note of the AppID GUID {5364ED0E-493F-4B16-9DBF-AE486CF22660}

Use the reg query command to check it :

reg query "HKEY_CLASSES_ROOT\CLSID\{9C38ED61-D565-4728-AEEE-C80952F0ECDE}" /ve
 
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{5364ED0E-493F-4B16-9DBF-AE486CF22660}" /ve


SOLUTION :

1. Open the Component Services Manager using the DCOMCNFG command

And look for Virtual Disk Service Loader


Next, check that the AppID GUID matches the one in the Event Viewer


This is the one we found in the registry.

2. Check the Security for this DCOM App

Go to the Security Tab to see who has access…


Hmm, the buttons are greyed out!

That is the reason why we get the errors reported!


On the AppID GUID key, the permissions are owned by TrustedInstaller.

Similar to the 10016 event errors, you can fix the restricted access the same way.

3. Fix the Access

First, in the registry, change the OWNER of the registry keys from TrustedInstaller to the Administrator, and give the Administrator FULL CONTROL.


If this still does not help, go back to DCOMCNFG and add Full Control for the Administrator to the Launch and Activation Permissions.
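An added PowerShell example (not code from the original post) that pulls the DCOM 10000/10016 events from the System log, extracts the GUIDs in their messages and reports the (Default) name, AppID, key owner and whether Administrators already hold Full Control for each of the two keys the post queries. That lets you confirm the ownership change from step 3 actually landed on the right keys. The sample message is constructed around the two GUIDs from the post; the provider name `Microsoft-Windows-DistributedCOM` is the System-log source these events carry.

```powershell
# Added example, not code from the original post. Reports which CLSID/AppID
# keys behind DCOM 10000/10016 events are still owned by TrustedInstaller.
$DcomFilter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-DistributedCOM'; Id = @(10000, 10016) }

function Get-GuidsFromMessage {
    param([string]$Message)
    $pattern = '\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'
    return @([regex]::Matches($Message, $pattern) | ForEach-Object { $_.Value.ToUpper() } | Select-Object -Unique)
}

function Get-DcomKeyInfo {
    # Looks the GUID up as a CLSID and as an AppID, the two keys the post queries
    param([string]$Guid)
    $paths = @(
        "Registry::HKEY_CLASSES_ROOT\CLSID\$Guid",
        "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\$Guid"
    )
    foreach ($path in $paths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $props = Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue
        $acl   = Get-Acl -LiteralPath $path
        $adminFull = $acl.Access | Where-Object {
            $_.IdentityReference.Value -like '*\Administrators' -and
            $_.RegistryRights -eq 'FullControl' -and $_.AccessControlType -eq 'Allow'
        }
        [pscustomobject]@{
            Guid  = $Guid
            Key   = $path -replace '^Registry::', ''
            Name  = $props.'(default)'
            AppId = $props.AppID
            Owner = $acl.Owner
            AdministratorsFullControl = [bool]$adminFull
        }
    }
}

function Get-DcomErrorReport {
    param([int]$Hours = 24)
    $filter = $DcomFilter.Clone()
    $filter.StartTime = (Get-Date).AddHours(-$Hours)
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    $guids = $events | ForEach-Object { Get-GuidsFromMessage $_.Message } | Select-Object -Unique
    foreach ($g in $guids) { Get-DcomKeyInfo -Guid $g }
}

# Constructed sample, shaped like an Event 10000 message, to exercise the parser offline
$sample = 'Unable to start a DCOM Server: {9C38ED61-D565-4728-AEEE-C80952F0ECDE} as Unavailable/Unavailable. The error: "5"'
Get-GuidsFromMessage $sample | ForEach-Object { Get-DcomKeyInfo -Guid $_ } | Format-Table -AutoSize
Get-DcomErrorReport | Format-Table -AutoSize
```

Keep the `Owner` column from before the change: if you later want to hand the keys back to TrustedInstaller (the default on a clean install), that value is what you restore.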


Enjoy!


Windows 2019 – SceCli Error Event ID 1202

March 18, 2020

When you see Event ID 1202, follow this procedure to fix it.

SOLUTION :

Follow the steps as indicated in the Event Viewer :


Security policies were propagated with warning. 0x534 : No mapping between account names and security IDs was done.

Advanced help for this problem is available on https://support.microsoft.com. Query for “troubleshooting 1202 events”.

Error 0x534 occurs when a user account in one or more Group Policy objects (GPOs) could not be resolved to a SID. This error is possibly caused by a mistyped or deleted user account referenced in either the User Rights or Restricted Groups branch of a GPO. To resolve this event, contact an administrator in the domain to perform the following actions:

1. Identify accounts that could not be resolved to a SID:

From the command prompt, type: FIND /I “Cannot find” %SYSTEMROOT%\Security\Logs\winlogon.log

The string following “Cannot find” in the FIND output identifies the problem account names.

Example: Cannot find JohnDough.

In this case, the SID for username “JohnDough” could not be determined. This most likely occurs because the account was deleted, renamed, or is spelled differently (e.g. “JohnDoe”).

2. Use RSoP to identify the specific User Rights, Restricted Groups, and Source GPOs that contain the problem accounts:

a. Start -> Run -> RSoP.msc
b. Review the results for Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment and Computer Configuration\Windows Settings\Security Settings\Local Policies\Restricted Groups for any errors flagged with a red X.
c. For any User Right or Restricted Group marked with a red X, the corresponding GPO that contains the problem policy setting is listed under the column entitled “Source GPO”. Note the specific User Rights, Restricted Groups and containing Source GPOs that are generating errors.

3. Remove unresolved accounts from Group Policy

a. Start -> Run -> MMC.EXE
b. From the File menu select “Add/Remove Snap-in…”
c. From the “Add/Remove Snap-in” dialog box select “Add…”
d. In the “Add Standalone Snap-in” dialog box select “Group Policy” and click “Add”
e. In the “Select Group Policy Object” dialog box click the “Browse” button.
f. On the “Browse for a Group Policy Object” dialog box choose the “All” tab
g. For each source GPO identified in step 2, correct the specific User Rights or Restricted Groups that were flagged with a red X in step 2. These User Rights or Restricted Groups can be corrected by removing or correcting any references to the problem accounts that were identified in step 1.

If you run step 1 :

FIND /I "Cannot find"  %SYSTEMROOT%\Security\Logs\winlogon.log


You will easily find out which account entries are causing the errors.

Open GPEDIT.msc again and remove the entries from the Domain or Local Policy


The Policy Editor will accept any kind of string that you enter; if the account (and so its SID) does not exist, the system starts complaining through Event ID 1202.
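An added PowerShell example (not code from the original post) that automates step 1 of the event text and goes one step further: it pulls the names after “Cannot find” out of winlogon.log and then asks Windows to translate each one to a SID, so you can tell a genuinely deleted account from one that is merely misspelled in the GPO. The sample log content is constructed (the domain name CONTOSO is a placeholder); the real file is the one the event text names.

```powershell
# Added example, not code from the original post. Finds the 'Cannot find'
# entries in winlogon.log and checks whether each name resolves to a SID.

function Get-UnresolvedAccountsFromLog {
    param([string]$Path = (Join-Path $env:SystemRoot 'Security\Logs\winlogon.log'))
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    # Lines look like 'Cannot find JohnDough.' per the event text
    $names = Select-String -LiteralPath $Path -Pattern 'Cannot find' -SimpleMatch |
        ForEach-Object { ($_.Line -replace '^.*Cannot find\s+', '').TrimEnd('.').Trim() } |
        Where-Object { $_ }
    return @($names | Select-Object -Unique)
}

function Test-AccountResolves {
    # NTAccount -> SecurityIdentifier translation asks the local SAM / domain
    param([string]$Name)
    try {
        $sid = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier])
        return [pscustomobject]@{ Account = $Name; Resolves = $true;  Sid = $sid.Value }
    } catch {
        return [pscustomobject]@{ Account = $Name; Resolves = $false; Sid = $null }
    }
}

function Get-Event1202Report {
    param([string]$Path = (Join-Path $env:SystemRoot 'Security\Logs\winlogon.log'))
    foreach ($name in Get-UnresolvedAccountsFromLog -Path $Path) {
        Test-AccountResolves -Name $name
    }
}

# Constructed winlogon.log excerpt in the 'Cannot find <name>.' format the event text describes
$sampleLog = Join-Path $env:TEMP 'winlogon-sample.log'
@(
    'Cannot find JohnDough.',
    'Cannot find CONTOSO\OldServiceAccount.',
    'Configure User Rights...'
) | Set-Content -Path $sampleLog

Get-Event1202Report -Path $sampleLog | Format-Table -AutoSize
Get-Event1202Report | Format-Table -AutoSize   # the real log, when present
```

An entry that resolves now but was logged as unresolved earlier usually means the account was created or renamed after the last policy refresh; a `gpupdate /force` then clears the 1202 without touching the GPO.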

Enjoy!


Windows Server 2019 – Hyper-V VMMS Errors Event ID 15300 – 19600 – 15010 – 16010

March 13, 2020

After restarting the Hyper-V Manager or creating a new VM you can get these errors:

Event ID 15300 & 19600 & 15010 & 16010 Errors


It took me some time to figure out what was causing this …

SOLUTION :

Open the Hyper-V Settings

The reason was an incorrect path in the Hyper-V settings


After correcting the path to the new destination, all was OK again.
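An added PowerShell example (not code from the original post) that lists every path the Hyper-V host and its VMs are configured to use and flags the ones that no longer exist, which is the condition this post traced the VMMS errors back to. It only needs the Hyper-V PowerShell module on the host.

```powershell
# Added example, not code from the original post. Flags configured Hyper-V
# paths (host defaults, VM configuration/checkpoint/smart-paging folders and
# every attached disk) that do not exist on the host.

function Get-HyperVConfiguredPaths {
    $vmHost = Get-VMHost
    $rows = @(
        [pscustomobject]@{ Scope = 'Host'; Item = 'VirtualHardDiskPath'; Path = $vmHost.VirtualHardDiskPath }
        [pscustomobject]@{ Scope = 'Host'; Item = 'VirtualMachinePath';  Path = $vmHost.VirtualMachinePath }
    )
    foreach ($vm in Get-VM) {
        $rows += [pscustomobject]@{ Scope = $vm.Name; Item = 'ConfigurationLocation';  Path = $vm.ConfigurationLocation }
        $rows += [pscustomobject]@{ Scope = $vm.Name; Item = 'CheckpointFileLocation'; Path = $vm.CheckpointFileLocation }
        $rows += [pscustomobject]@{ Scope = $vm.Name; Item = 'SmartPagingFilePath';    Path = $vm.SmartPagingFilePath }
        foreach ($disk in Get-VMHardDiskDrive -VM $vm) {
            $slot = "Disk $($disk.ControllerType) $($disk.ControllerNumber):$($disk.ControllerLocation)"
            $rows += [pscustomobject]@{ Scope = $vm.Name; Item = $slot; Path = $disk.Path }
        }
    }
    return $rows
}

function Test-HyperVPaths {
    foreach ($row in Get-HyperVConfiguredPaths) {
        $exists = -not [string]::IsNullOrWhiteSpace($row.Path) -and (Test-Path -LiteralPath $row.Path)
        $row | Add-Member -NotePropertyName Exists -NotePropertyValue $exists -PassThru
    }
}

$report = Test-HyperVPaths
$report | Format-Table -AutoSize
$missing = @($report | Where-Object { -not $_.Exists })
if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) configured path(s) do not exist; correct them in Hyper-V Settings or with Set-VMHost / Set-VM"
}
```

Run it after moving VM storage or renaming a volume; a `False` in the `Exists` column is the dangling path that produces this group of events.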

Enjoy!


Windows Server 2019 – Hyper-V Backup Error Event ID 19100 & Event ID 32

March 12, 2020

After running a backup of the Hyper-V virtual machines you might get this error, Event ID 19100:

“Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.”

SOLUTION :

1. I noticed that the Guest Services integration service was not activated…


Make sure this is selected. A reboot of the VM might be needed.

If this does not fix it, see the next steps.

2. Run this PowerShell command

Get-VM | Format-List Name, ID


Check the Event ID 19600 error code details


As you can see, the GUID is the same as the one returned by the PS command.

3. Run this icacls command with admin privileges (the VM GUID is the ID returned by Get-VM above)

icacls "<the path to the folder containing the VHDX files>" /grant "NT VIRTUAL MACHINE\<VM GUID>":(OI)F


See here for more details :


After this step it still did not start!

I could not inspect the disk; there was always an error!


Event ID 32 errors are reported!!


Hmmm….

So I decided to stop the VM and manually merge the checkpoints. There were 4 in total in the chain.


The merge operation did not go as planned either. The first 3 were OK …. the last one did not want to merge! It ended up in an error as well …

SOLUTION 2 :

So you need to do this manually, one by one, or use PowerShell…


Select the AVHDX file.


Select Merge.


Select To a new virtual hard disk.


It will end up in a new VHDX file …

But I could not connect it to the previous VM…

Once I deleted the VM from the Hyper-V Manager, created a new VM in a new folder and connected the new merged VHDX to it, all was OK.
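An added PowerShell example (not code from the original post) that covers the two checks this post did by hand: for every VM it verifies that the per-VM identity `NT VIRTUAL MACHINE\<VM Id>` (the account the icacls step grants) has an Allow ACE on each attached disk, and it walks the AVHDX parent chain so a broken or missing link in a checkpoint chain shows up before you try to merge. It requires the Hyper-V module on the host; the merge cmdlets mentioned in the closing comment are not executed.

```powershell
# Added example, not code from the original post. Checks per-VM disk ACLs and
# walks the checkpoint (AVHDX) chain for every VM on this Hyper-V host.

function Get-VmDiskAclState {
    foreach ($vm in Get-VM) {
        $identity = "NT VIRTUAL MACHINE\$($vm.Id)"
        foreach ($disk in Get-VMHardDiskDrive -VM $vm) {
            if (-not (Test-Path -LiteralPath $disk.Path)) {
                [pscustomobject]@{ VM = $vm.Name; Path = $disk.Path; Exists = $false; VmHasAccess = $false; Rights = $null }
                continue
            }
            $ace = (Get-Acl -LiteralPath $disk.Path).Access | Where-Object {
                $_.IdentityReference.Value -eq $identity -and $_.AccessControlType -eq 'Allow'
            }
            [pscustomobject]@{
                VM = $vm.Name; Path = $disk.Path; Exists = $true
                VmHasAccess = [bool]$ace
                Rights      = ($ace | ForEach-Object { $_.FileSystemRights.ToString() }) -join '; '
            }
        }
    }
}

function Get-VhdChain {
    # Follows ParentPath from a differencing disk up to the base VHDX;
    # a 'MISSING' row is a broken chain that no merge will fix
    param([string]$Path)
    $chain = @()
    $current = $Path
    while ($current) {
        if (-not (Test-Path -LiteralPath $current)) {
            $chain += [pscustomobject]@{ Path = $current; Type = 'MISSING'; Parent = $null }
            break
        }
        $vhd = Get-VHD -Path $current
        $chain += [pscustomobject]@{ Path = $current; Type = $vhd.VhdType; Parent = $vhd.ParentPath }
        $current = $vhd.ParentPath
    }
    return $chain
}

Get-VmDiskAclState | Format-Table -AutoSize
foreach ($vm in Get-VM) {
    foreach ($disk in Get-VMHardDiskDrive -VM $vm) {
        "Chain for $($vm.Name): $($disk.Path)"
        Get-VhdChain -Path $disk.Path | Format-Table -AutoSize
    }
}
# Merging one level in PowerShell instead of the GUI (VM stopped first):
#   Merge-VHD -Path <child.avhdx> -DestinationPath <parent.vhdx>
# Copying the whole chain into a new standalone file (the GUI's 'To a new
# virtual hard disk' route) is what Convert-VHD -Path <child.avhdx>
# -DestinationPath <new.vhdx> does.
```

The ACL check is worth keeping around as a scheduled job: a disk copied or restored from backup loses the `NT VIRTUAL MACHINE\<Id>` entry, and that is exactly the state in which the VM's backup starts failing again.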

Enjoy!


Windows Server 2016 – How to Blacklist Public IP Addresses, Alert Event ID 20271

June 21, 2019

If you notice unauthorised attacks on your network in your Event Viewer, Event ID 20271 Remote Access:


SOLUTION :

Create a BLACKLIST rule using Windows Firewall

Open Windows Firewall with Advanced Security by running wf.msc

On the left, select Inbound Rules, then under the Action menu, choose New Rule

On the Rule Type page, choose Custom.

On Program, choose “All programs”

On Protocol and Ports, leave the default of Any

On Scope, select “These IP addresses” in the remote addresses section and add the problematic IP address in the Add dialog

On Action, choose “Block the connection”


On Profile, leave the defaults of everything checked.


Finally, on Name give the rule a name like “Blacklisting”, and optionally a description.
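An added PowerShell example (not code from the original post) showing the automation the post points to: it counts Event ID 20271 failures per source IP and adds the repeat offenders to an inbound block rule named “Blacklisting”, the same rule the steps above build by hand. The provider name `RemoteAccess` and the “connected from <ip>” phrasing are assumptions about how this event is written; the sample messages are constructed and use TEST-NET addresses. Private ranges are skipped so a mistyped threshold cannot lock you out of your own LAN.

```powershell
# Added example, not code from the original post. Tallies 20271 failures per
# source IP and maintains a 'Blacklisting' inbound block rule.

function Get-IpFromMessage {
    # Picks the IPv4 address that follows 'connected from' in the event text
    param([string]$Message)
    if ($Message -match 'connected from (\d{1,3}(?:\.\d{1,3}){3})') { return $Matches[1] }
    return $null
}

function Test-IsPrivateIp {
    # Never block RFC1918/loopback ranges from this script: that locks you out
    param([string]$Ip)
    return [bool]($Ip -match '^(10\.|127\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)')
}

function Get-OffenderIps {
    # Returns IPs with at least $Threshold failures among the messages given
    param([string[]]$Messages, [int]$Threshold = 5)
    $counts = @{}
    foreach ($m in $Messages) {
        $ip = Get-IpFromMessage $m
        if ($ip -and -not (Test-IsPrivateIp $ip)) { $counts[$ip] = 1 + [int]$counts[$ip] }
    }
    return @($counts.GetEnumerator() | Where-Object { $_.Value -ge $Threshold } |
             Sort-Object Value -Descending | ForEach-Object { $_.Key })
}

function Get-RemoteAccessFailureMessages {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'System'; ProviderName = 'RemoteAccess'; Id = 20271
                 StartTime = (Get-Date).AddHours(-$Hours) }
    return @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object { $_.Message })
}

function Update-BlacklistRule {
    # Creates the block rule on first use, otherwise merges new IPs into its remote address list
    param([string[]]$Ips, [string]$RuleName = 'Blacklisting')
    if (-not $Ips) { return @() }
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if ($null -eq $rule) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block -Profile Any -RemoteAddress $Ips | Out-Null
    } else {
        $existing = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress) | Where-Object { $_ -ne 'Any' }
        $merged = @($existing + $Ips | Select-Object -Unique)
        Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $merged
    }
    return @((Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter).RemoteAddress)
}

# Constructed sample messages in the assumed 20271 shape (addresses from 198.51.100.0/24)
$template = 'The user {0} connected from {1} but failed an authentication attempt due to the following reason: the credentials were not recognized'
$sample = @()
1..6 | ForEach-Object { $sample += ($template -f 'admin', '198.51.100.23') }
$sample += ($template -f 'test', '198.51.100.77')
$sample += ($template -f 'test', '192.168.1.5')
Get-OffenderIps -Messages $sample -Threshold 5

# Live run against the System log; uncomment the last line to apply the block
$offenders = Get-OffenderIps -Messages (Get-RemoteAccessFailureMessages) -Threshold 5
$offenders
# Update-BlacklistRule -Ips $offenders
```

On the constructed sample only 198.51.100.23 reaches the threshold: 198.51.100.77 has a single failure and 192.168.1.5 is skipped as a private address. Schedule the live part hourly and keep the threshold above the number of typos a legitimate user makes in that window.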


See here on how to automate this using PowerShell (Event Viewer scanning & firewall rules).

1. First check whether the Deny filter list is enabled on your DHCP server

Get-DhcpServerv4FilterList


If not, you can activate it like this:

Set-DhcpServerv4FilterList -ComputerName "YourDHCPServer" -Allow $False -Deny $True

Next you can list all the filter entries

Get-DhcpServerv4Filter

and check whether they are listed as blocked.


If you need to add extra entries you can use this cmdlet:

Add-DhcpServerv4Filter -List Deny -MacAddress "F0-DE-F1-7A-00-5E" -Description "iphone 09"

 

See here on how to blacklist based on MAC address

 

Safety First …

Done !


Write cache enabled Event ID 32 Error

March 11, 2019

After a physical-to-virtual conversion, we get this Event ID 32 error on a regular basis..


The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.

Solution :

See here : https://support.microsoft.com/en-ca/help/324805/how-to-manually-turn-disk-write-caching-on-or-off

Turn Disk Write Caching On or Off
  1. Right-click My Computer, and then click Properties.
  2. Click the Hardware tab, and then click Device Manager.
  3. Expand Disk Drives.
  4. Right-click the drive on which you want to turn disk write caching on or off, and then click Properties.
  5. Click the Policies tab.
  6. Click to select or clear the Enable write caching on the disk check box as appropriate.
  7. Click OK.

For Windows Server 2008 :
  1. Right-click Computer, and then click Properties.
  2. Click the Device Manager link under Tasks.
  3. Expand Disk Drives.
  4. Right-click the drive on which you want to turn disk write caching on or off, and then click Properties.
  5. Click the Policies tab.
  6. Click to select or clear the Enable write caching on the disk check box as appropriate.
  7. Click OK.

To find out which disk number relates to which drive, use the SysInternals tool diskext.exe :


\Device\Harddisk0\DR0 = C drive
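An added PowerShell example (not code from the original post) that does the same lookup as diskext.exe without an extra tool: it maps the kernel device name from the Event ID 32 text (`\Device\HarddiskN\DR0`) to the physical drive and the drive letters on it, using the CIM disk → partition → logical-disk associations (`Win32_DiskDrive.Index` is the N in `\Device\HarddiskN`). The sample message is the one quoted in the post; the event source name `disk` for Event 32 is an assumption.

```powershell
# Added example, not code from the original post. Resolves \Device\HarddiskN
# from Event ID 32 to physical drive and drive letters via CIM associations.

function Get-HarddiskDriveLetterMap {
    foreach ($disk in Get-CimInstance -ClassName Win32_DiskDrive) {
        $partitions = Get-CimAssociatedInstance -InputObject $disk -ResultClassName Win32_DiskPartition
        foreach ($part in $partitions) {
            $logicals = Get-CimAssociatedInstance -InputObject $part -ResultClassName Win32_LogicalDisk
            foreach ($ld in $logicals) {
                [pscustomobject]@{
                    Device        = "\Device\Harddisk$($disk.Index)"
                    PhysicalDrive = $disk.DeviceID
                    Model         = $disk.Model
                    Partition     = $part.Name
                    DriveLetter   = $ld.DeviceID
                    VolumeName    = $ld.VolumeName
                }
            }
        }
    }
}

function Resolve-Event32Device {
    # Extracts the Harddisk index from the message and returns the matching rows
    param([string]$Message)
    if ($Message -notmatch '\\Device\\Harddisk(\d+)\\DR\d+') { return $null }
    $device = "\Device\Harddisk$([int]$Matches[1])"
    return @(Get-HarddiskDriveLetterMap | Where-Object { $_.Device -eq $device })
}

function Get-Event32Report {
    # Recent write-cache warnings from the 'disk' driver, resolved to drive letters
    param([int]$Days = 7)
    $filter = @{ LogName = 'System'; ProviderName = 'disk'; Id = 32; StartTime = (Get-Date).AddDays(-$Days) }
    foreach ($e in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        foreach ($row in Resolve-Event32Device -Message $e.Message) {
            $row | Add-Member -NotePropertyName TimeCreated -NotePropertyValue $e.TimeCreated -PassThru
        }
    }
}

# The message quoted in the post, used here as sample input
$sample = 'The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.'
Resolve-Event32Device -Message $sample | Format-Table -AutoSize
Get-Event32Report | Format-Table -AutoSize
```

Once you know which letter `Harddisk0` carries, the Device Manager steps above can be done on the right drive; on a VM the warning is about the virtual disk, and the write-cache policy of the host's storage is what actually decides whether a power loss costs you data.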

If you see the yellow exclamation mark saying you are not allowed to change the caching …


See here for more Information :

http://techgenix.com/hyper-v-optimization-tips-part1/

Enjoy!


Windows Server 2016 – CleanUp Stale Devices – DeviceSetupManager Event ID 121

February 1, 2019

How to clean up stale devices on your servers …

On one of our servers, running as a Hyper-V host and using non-Windows backup software to back up the VMs, I see a lot of VSS copies hanging around …

When looking at the hidden devices


I saw a lot of Generic volume shadow copies

See here to know why this occurs


and as well inactive storage volumes


To know why this is happening see here

Solution :

1. Clean up all stale devices and related registry entries

Download the DriveCleanup tool here


You can run this command to run it in TEST MODE :

drivecleanup -t > dc-output.txt

You will see this detailed output


In my case it suggests these entries to be removed.


I could see a clear relationship between the Event ID 121 errors and the output of the drivecleanup tool


To delete the stale devices and registry keys you need admin privileges

Make sure you have good backups before removing anything !

2. Remove all VSS copies

Run these commands to clean up :

vssadmin list shadows

vssadmin delete shadows /all

Check the Event logs again after the next backups. In my case all disk errors were gone.
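An added PowerShell example (not code from the original post) that produces the same kind of report DriveCleanup gives in test mode, with built-in cmdlets only: non-present devices grouped by class (with the “Generic volume shadow copy” entries counted separately), the shadow copies currently held, and the number of recent DeviceSetupManager Event ID 121 entries to correlate against. It removes nothing; removal stays with the drivecleanup and vssadmin steps above. The log name `Microsoft-Windows-DeviceSetupManager/Admin` is an assumption.

```powershell
# Added example, not code from the original post. Read-only report of stale
# (non-present) devices, current shadow copies and recent Event 121 volume.

function Get-StaleDevices {
    # Get-PnpDevice without -PresentOnly also returns devices that are no longer present
    $all = Get-PnpDevice -ErrorAction SilentlyContinue
    foreach ($d in $all | Where-Object { -not $_.Present }) {
        [pscustomobject]@{
            Class        = $d.Class
            FriendlyName = $d.FriendlyName
            InstanceId   = $d.InstanceId
            IsShadowCopy = [bool]($d.FriendlyName -match 'shadow copy')
        }
    }
}

function Get-StaleDeviceSummary {
    $stale = @(Get-StaleDevices)
    return [pscustomobject]@{
        Total        = $stale.Count
        ShadowCopies = @($stale | Where-Object IsShadowCopy).Count
        ByClass      = ($stale | Group-Object Class | Sort-Object Count -Descending |
                        ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
    }
}

function Get-ShadowCopies {
    # Same data as 'vssadmin list shadows', as objects
    Get-CimInstance -ClassName Win32_ShadowCopy | ForEach-Object {
        [pscustomobject]@{ Id = $_.ID; Volume = $_.VolumeName; Created = $_.InstallDate; Provider = $_.ProviderID }
    }
}

function Get-Event121Count {
    param([int]$Days = 7)
    $filter = @{ LogName = 'Microsoft-Windows-DeviceSetupManager/Admin'; Id = 121; StartTime = (Get-Date).AddDays(-$Days) }
    return @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue).Count
}

Get-StaleDeviceSummary | Format-List
Get-StaleDevices | Where-Object IsShadowCopy | Select-Object -First 10 | Format-Table -AutoSize
"Shadow copies present    : $(@(Get-ShadowCopies).Count)"
"Event 121 in last 7 days : $(Get-Event121Count)"
# Removal stays a separate, backed-up step: drivecleanup (without -t) for the
# stale device/registry entries, 'vssadmin delete shadows /all' for the copies.
```

Run the summary before and after the clean-up and keep both outputs: a shadow-copy count that climbs again after every backup run means the backup software is not releasing its snapshots, and that is the cause to fix rather than the devices to keep deleting.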

Enjoy !