Windows Server 2016 – How to Blacklist Public IP Addresses, Alert Event ID 20271

June 21, 2019

If you notice unauthorised attacks on your network in the Event Viewer, logged as Event ID 20271 (Remote Access):

SOLUTION :

Create a BLACKLIST rule using Windows Firewall

Open Windows Firewall with Advanced Security by running wf.msc.

On the left, select Inbound Rules, then under the Action menu choose New Rule.

On the Rule Type page, choose Custom.

On Program, choose “All programs”.

On Protocol and Ports, leave the default of Any.

On Scope, select “These IP addresses” in the remote addresses section and add the problematic IP address in the Add dialog.

On Action, choose “Block the connection”.

On Profile, leave the defaults of everything checked.

Finally, on Name, give the rule a name like “Blacklisting”, and optionally a description.

See here for how to automate this using PowerShell: Event Viewer scanning and firewall rules.
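As an added example (not the post's own script), this creates the same "Blacklisting" inbound block rule from PowerShell and feeds it the addresses found in recent Event ID 20271 entries. It assumes the events are written by the RemoteAccess source to the System log and carry the client IP in the message text; the rule name and look-back window are placeholders.

```powershell
# Added example: build or refresh the "Blacklisting" inbound block rule from
# Event ID 20271. Assumptions: the events come from source RemoteAccess in the
# System log and carry the client IP in the message text. Run as Administrator.
$RuleName = 'Blacklisting'          # same name as the GUI rule above
$Since    = (Get-Date).AddDays(-1)  # look-back window (placeholder)

# 1. Collect the remote addresses reported by recent Event ID 20271 entries.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'RemoteAccess'
    Id           = 20271
    StartTime    = $Since
} -ErrorAction SilentlyContinue

$ipPattern = '\b(?:\d{1,3}\.){3}\d{1,3}\b'
# Private (RFC 1918) and loopback ranges are never blocked, even if they show up.
$internal  = '^(10\.|127\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)'
$attackers = $events |
    ForEach-Object { [regex]::Matches($_.Message, $ipPattern) | ForEach-Object Value } |
    Where-Object { $_ -notmatch $internal } |
    Sort-Object -Unique

if (-not $attackers) { Write-Host 'No new addresses found.'; return }

# 2. Create the rule once with the same settings as the GUI walkthrough
#    (all programs, any protocol, block, all profiles), or merge the new
#    addresses into the existing rule's remote scope.
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $rule) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block `
        -Profile Any -Program Any -Protocol Any -RemoteAddress $attackers | Out-Null
} else {
    $existing = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    $merged   = @($existing) + @($attackers) | Where-Object { $_ -ne 'Any' } | Sort-Object -Unique
    $rule | Set-NetFirewallRule -RemoteAddress $merged
}
Write-Host "Rule '$RuleName' now blocks: $($attackers -join ', ')"
```

Review the resulting scope with `Get-NetFirewallRule -DisplayName Blacklisting | Get-NetFirewallAddressFilter` before scheduling the script.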

1. First, check whether the DENY property is set on your DHCP server:

Get-DhcpServerv4FilterList

If not, you can activate it like this:

Set-DhcpServerv4FilterList -ComputerName "YourDHCPServer" -Allow $False -Deny $True

Next you can list all IPs:

Get-DhcpServerv4Filter

and check whether they are listed as blocked.

If you need to add more, you can use this cmdlet:

Add-DhcpServerv4Filter -List Deny -MacAddress "F0-DE-F1-7A-00-5E" -Description "iphone 09"

See here for how to blacklist based on MAC address.

Safety First …

Done !


Write cache enabled Event ID 32 Error

March 11, 2019

After a physical-to-virtual conversion, we get this Event ID 32 error on a regular basis:

The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.

Solution :

See here : https://support.microsoft.com/en-ca/help/324805/how-to-manually-turn-disk-write-caching-on-or-off
Turn Disk Write Caching On or Off
  1. Right-click My Computer, and then click Properties.
  2. Click the Hardware tab, and then click Device Manager.
  3. Expand Disk Drives.
  4. Right-click the drive on which you want to turn disk write caching on or off, and then click Properties.
  5. Click the Policies tab.
  6. Click to select or clear the Enable write caching on the disk check box as appropriate.
  7. Click OK.
For Windows Server 2008
  1. Right-click Computer, and then click Properties.
  2. Click the Device Manager link under Tasks.
  3. Expand Disk Drives.
  4. Right-click the drive on which you want to turn disk write caching on or off, and then click Properties.
  5. Click the Policies tab.
  6. Click to select or clear the Enable write caching on the disk check box as appropriate.
  7. Click OK.

To find out which disk number corresponds to which drive, use the Sysinternals tool diskext.exe:

\Device\Harddisk0\DR0 = C drive
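Added example, not from the post: resolving the \Device\HarddiskN\DRn path quoted by Event ID 32 to a disk number and its drive letters with PowerShell, as an alternative to diskext.exe. It assumes the Harddisk index matches the disk number shown by Get-Disk and Disk Management, and that the event is written by source "disk" to the System log; the sample message is constructed.

```powershell
# Added example: map the \Device\HarddiskN\DRn path quoted by Event ID 32 to a
# disk number and its drive letters, as an alternative to diskext.exe.
# Assumption: HarddiskN is disk number N as shown by Get-Disk / Disk Management.
function Resolve-HarddiskDevice {
    param([Parameter(Mandatory)][string]$Message)

    if ($Message -notmatch '\\Device\\Harddisk(?<n>\d+)\\DR\d+') {
        throw "No \Device\HarddiskN\DRn path found in message."
    }
    $device  = $Matches[0]
    $n       = [int]$Matches['n']
    $disk    = Get-Disk -Number $n -ErrorAction Stop
    $letters = Get-Partition -DiskNumber $n -ErrorAction SilentlyContinue |
        Where-Object { $_.DriveLetter -match '[A-Z]' } |
        ForEach-Object { "$($_.DriveLetter):" }

    [pscustomobject]@{
        Device       = $device
        DiskNumber   = $n
        FriendlyName = $disk.FriendlyName
        BusType      = $disk.BusType
        DriveLetters = if ($letters) { $letters -join ', ' } else { '(none)' }
    }
}

# Constructed sample, in the form of the message quoted above.
$sample = 'The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.'
Resolve-HarddiskDevice -Message $sample

# Or resolve every recent Event ID 32 (assumed source "disk", System log) in one go.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'disk'; Id = 32 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object { Resolve-HarddiskDevice -Message $_.Message } |
    Sort-Object DiskNumber -Unique | Format-Table -AutoSize
```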

If you see the yellow exclamation mark saying you are not allowed to change the caching, see here for more information:

http://techgenix.com/hyper-v-optimization-tips-part1/

Enjoy!


Windows Server 2016 – CleanUp Stale Devices – DeviceSetupManager Event ID 121

February 1, 2019

How to clean up stale devices on your servers.

On one of our servers, which runs as a Hyper-V host and uses non-Windows backup software to back up the VMs, I see a lot of VSS copies hanging around.

When looking at the HIDDEN devices, I saw a lot of Generic volume Shadow Copies. See here to learn why this occurs.

There were also INACTIVE storage volumes. To learn why this is happening, see here.

Solution :

1. Clean up all stale devices and related registry entries

Download the DriveCleanup tool here.

You can run this command to run it in test mode:

drivecleanup -t > dc-output.txt

You can see the detailed output. In my case it suggested these entries be removed.

I could see a clear relationship between the Event ID 121 errors and the output of the drivecleanup tool.

To delete the stale devices and registry keys you need to run it with administrator privileges.

Make sure you have good backups before removing anything !

2. Remove all VSS copies

Run these commands to clean up:

vssadmin list shadows

vssadmin delete shadows /all

Check again the Event logs after the next backups.

And in my case all disk errors were gone.

Enjoy !


Windows 10 – User Profile Service Event ID 1534 Error

December 27, 2018

You might run into the User Profile Service Event ID 1534 Error.

Spamming your Event Viewer log, like this.

The GUID refers to tileobjserver and probably tiledatasvc.

It seems that tiledatasvc was removed in the 1809 upgrade; removing the registry keys is a manual clean-up going forward.

Solution :

Open the registry and go to :

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileNotification\TDL

Check the GUID in the CLSID registry key.

Next go to:

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\ProfileNotification

Export these TDL keys and then delete them.

Reboot the PC and check again.
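Added example (not the post's own): a script that exports each TDL key with reg.exe before removing it, so the clean-up above can be rolled back. It assumes a TDL subkey sits under both ProfileNotification paths named above; the backup folder is a placeholder.

```powershell
# Added example: back up (reg export) and then remove the orphaned TDL profile
# notification keys named above. Run as Administrator; absent keys are skipped.
# Use -DryRun first to see what would be removed. Backup folder is a placeholder.
param([switch]$DryRun)

$BackupDir = 'C:\Temp\TDL-backup'   # placeholder
$TdlKeys   = @(
    'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileNotification\TDL'
    'HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\ProfileNotification\TDL'
)
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($key in $TdlKeys) {
    $psPath = 'Registry::' + ($key -replace '^HKLM\\', 'HKEY_LOCAL_MACHINE\')
    if (-not (Test-Path -LiteralPath $psPath)) {
        Write-Host "Not present, skipping: $key"
        continue
    }
    # Show the component the key points at so you can confirm it is the stale one.
    $clsid = (Get-ItemProperty -LiteralPath $psPath -ErrorAction SilentlyContinue).CLSID
    Write-Host "Found $key (CLSID = $clsid)"
    if ($DryRun) { Write-Host '  would export and delete'; continue }

    # 1. Export first: the .reg file can be re-imported to roll back.
    $file = Join-Path $BackupDir (($key -replace '[\\: ]', '_') + '.reg')
    & reg.exe export $key $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Export of $key failed; not deleting." }

    # 2. Delete only after a successful export.
    Remove-Item -LiteralPath $psPath -Recurse -Force
    Write-Host "  removed (backup: $file)"
}
# Reboot afterwards and confirm Event ID 1534 no longer appears.
```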

 

Success !


Windows 10 – New SSD Disk use MBR or GPT Initialization ?

December 26, 2018

I’ve got hold of a new Samsung 860 EVO 1 TB SSD disk.

This disk is lightning fast, at up to 6 Gbps, and can be used to replace 2.5” internal disks.

 

You can also buy a SATA III to USB connector, so you can use it as an external SSD.

Once connected, you will need to go to Disk Management, where you will see the unallocated disk (a 1 TB SSD in my case).

It will bring up the popup to initialize the disk, and you will need to choose between MBR and GPT.

MBR is the old-fashioned Master Boot Record standard that dates back to the DOS ages.

So best choose the newer GPT option, which is also compatible with Linux and Apple.

Success !


Windows Server 2016 – ServerEssentials DesignatedActiveDirectoryServerDown Event ID 1280 Error

December 20, 2018

After removing a DC and cleaning up the metadata, I still got errors relating to DesignatedActiveDirectoryServerDown.

I rechecked all settings and still had some references in the DNS.

But even after removing all of these, it was still complaining:

Solution :

Open the registry and go to :

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Server\ADContext

The ConnectedDc key was pointing to the old DC server.

Correct the value so the key points to the current DC: overwrite the registry entry with the proper value of the local server.

Restart the dashboard for the change to take effect.

Next, go on searching for more references in the registry:

https://support.microsoft.com/en-us/help/332199/domain-controllers-do-not-demote-gracefully-when-you-use-the-active-di

If there is an entry for Src Root Domain Srv, right-click the value and then click Delete.

This value must be deleted so that the domain controller sees itself as the only domain controller in the domain after promotion.

Remove these registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NTDS\Parameters\Src Root Domain Srv
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NTDS\Parameters\Src Root Domain Srv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Src Root Domain Srv
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NTDS\Parameters\Src Srv objectGuid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NTDS\Parameters\Src Srv objectGuid
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Src Srv objectGuid

Reboot the server and check again.
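Added example (not from the post): a read-only audit of the registry references walked through above, with an optional -Fix switch that applies the same corrections. It assumes ConnectedDc is a value under the ADContext key and that the expected value is the local server's FQDN.

```powershell
# Added example: audit (and optionally fix) the registry references walked
# through above. Read-only unless -Fix is given. Assumptions: ConnectedDc is a
# value under the ADContext key and should hold the local server's FQDN.
param([switch]$Fix)

$localFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$adContext = 'HKLM:\SOFTWARE\Microsoft\Windows Server\ADContext'

# 1. ServerEssentials dashboard: which DC does it think it is connected to?
if (Test-Path $adContext) {
    $current = (Get-ItemProperty -Path $adContext).ConnectedDc
    if ($current -and $current -ine $localFqdn) {
        Write-Warning "ConnectedDc = '$current', expected '$localFqdn'"
        if ($Fix) {
            Set-ItemProperty -Path $adContext -Name ConnectedDc -Value $localFqdn
            Write-Host 'ConnectedDc updated; restart the Dashboard.'
        }
    } else {
        Write-Host "ConnectedDc OK: $current"
    }
}

# 2. Leftover NTDS promotion values in every control set (see the KB link above).
$stale = 'Src Root Domain Srv', 'Src Srv objectGuid'
foreach ($cs in 'ControlSet001', 'ControlSet002', 'CurrentControlSet') {
    $p = "HKLM:\SYSTEM\$cs\Services\NTDS\Parameters"
    if (-not (Test-Path $p)) { continue }
    $props = Get-ItemProperty -Path $p
    foreach ($name in $stale) {
        if ($null -eq $props.PSObject.Properties[$name]) { continue }
        Write-Warning "$p\$name = $($props.$name)"
        if ($Fix) {
            Remove-ItemProperty -Path $p -Name $name
            Write-Host "  removed $name"
        }
    }
}
```

CurrentControlSet is a link to one of the numbered control sets, so a value removed through one path simply no longer shows up under the other.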

Enjoy!


Windows Server 2016 – Disk Event ID 153 Errors

December 18, 2018

I got a lot of Disk Event ID 153 errors every day when using Windows Backup, more or less at the same time each day.

Analysis :

First we need to find out which disk is Disk 4.

Open the registry and go to : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\disk\Enum

You will see that I had 4 disks, of which number 4 is USB memory card storage.

It matches up with the disks in Server Manager.

Next, start the command line with administrator privileges and run these commands:

set DEVMGR_SHOW_NONPRESENT_DEVICES=1

devmgmt.msc

Go to Portable Devices and check the drive letters. In my case it is the G: drive.

On the GENERAL tab you can read that the device is NOT ENABLED.

Use WMIC to get more info on the PDO name (\Device\00000xxx) from the event. Use this command to get detailed information on all drivers:

wmic /output:c:\temp\drivers.txt path Win32_PnPSignedDriver

and look for the device number in the PDO column.

If you don’t find it, it means it is a STALE device that can be removed.

See here on how to…
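Added example (not the post's own): the same analysis in PowerShell, pulling the disk number and PDO name out of an Event ID 153 message and looking the PDO up in Win32_PnPSignedDriver, the class WMIC dumps to drivers.txt above. It assumes the event text has the form "... for Disk N (PDO name: \Device\000000xx) ..." and, for the live query, that source "disk" writes it to the System log; the sample message is constructed.

```powershell
# Added example: resolve the disk number and PDO name from an Event ID 153
# message to the device that owns it, as done above by hand with regedit and
# WMIC. Assumes the event text reads "... for Disk N (PDO name: \Device\000000xx) ..."
# and (for the live query) that source "disk" writes it to the System log.
function Get-Disk153Owner {
    param([Parameter(Mandatory)][string]$Message)

    if ($Message -notmatch 'Disk (?<disk>\d+) \(PDO name: (?<pdo>\\Device\\[0-9A-Fa-f]+)\)') {
        return $null
    }
    $diskNo = [int]$Matches['disk']
    $pdo    = $Matches['pdo']
    # Same data WMIC dumps to drivers.txt, queried through CIM; WQL needs \\ for \.
    $drv = Get-CimInstance Win32_PnPSignedDriver -Filter "PDO = '$($pdo.Replace('\', '\\'))'" `
        -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DiskNumber  = $diskNo
        PDO         = $pdo
        DeviceName  = if ($drv) { $drv.DeviceName } else { '(no driver found: stale device?)' }
        DeviceClass = $drv.DeviceClass
    }
}

# Constructed sample in the shape of the event text (not a real event).
$sample = 'The IO operation at logical block address 0x1234 for Disk 4 (PDO name: \Device\00000037) was retried.'
Get-Disk153Owner -Message $sample

# Live: count the last day of Event ID 153 per disk and name the device.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'disk'; Id = 153
                                 StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    ForEach-Object { Get-Disk153Owner -Message $_.Message } |
    Group-Object DiskNumber |
    ForEach-Object { '{0,5} x Disk {1}: {2}' -f $_.Count, $_.Name, $_.Group[0].DeviceName }
```

A PDO that no longer resolves to any signed driver is the same "stale device" condition the post describes, and the per-disk count tells you which disk the backup window is hitting.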

Solution :

In our case we had to disable the INTERNAL SD Card Slot using the BIOS.

Use these steps on an HP server :

UEFI System Utilities and Shell Command Mobile Help for HPE ProLiant Gen9 Servers and HPE Synergy

Go to System Utilities by pressing F9.

Enabling or disabling the Internal SD Card Slot

Procedure :

1. From the System Utilities screen, select System Configuration > BIOS/Platform Configuration (RBSU) > System Options > USB Options > Internal SD Card Slot and press Enter.

2. Select a setting and press Enter:

a. Enabled—The server can access the internal SD card slot.

b. Disabled—The server cannot access the internal SD card slot.

3. Press F10.

Enjoy!