Windows Server 2019 – Error DCOM Event ID 10000

March 19, 2020

On a Hyper-V Guest you might see the Event Id 10000 DCOM error


Vdsldr.exe is a “Virtual Disk service loader”

This event looks very similar to the DCOM error Event ID 10016.

See here for more info.

I go and open the registry to look for the GUID {9C38ED61-D565-4728-AEEE-C80952F0ECDE}


Also make note of the AppID GUID {5364ED0E-493F-4B16-9DBF-AE486CF22660}

Use the Reg Query command to check it :

reg query "HKEY_CLASSES_ROOT\CLSID\{9C38ED61-D565-4728-AEEE-C80952F0ECDE}" /ve
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{5364ED0E-493F-4B16-9DBF-AE486CF22660}" /ve



1. Open the Component Services Manager using the DCOMCNFG command

And look for Virtual Disk Service Loader


Next, check that the AppID GUID matches the one in the Event Viewer


This is the one we found in the registry.

2. Check the Security for this DCOM App

Go to the Security Tab to see who has access…


Hmm the buttons are greyed out !

That is the reason why we get errors reported!


Notice that the permission on the AppID GUID key is set to TrustedInstaller.

As with the Event ID 10016 errors, you can fix the restricted access the same way.

3. Fix the Access

First, in the registry you need to change the OWNER of the RegKeys to the Administrator,

instead of the TrustedInstaller.

Then set the Administrator to have FULL CONTROL


If this still does not help go back to the DCOMCNFG and add Full Control for the

Administrator to the LAUNCH and ACTIVATION Permissions
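Before changing the owner, it is useful to record who owns the two keys and what the current launch permission is, so the change can be reviewed and reverted later. The following is an added example, not part of the original post: the function names and the CSV file name are hypothetical, and the script only reads.

```powershell
# Added example: read-only audit of the two keys named in this post.
$clsid    = '{9C38ED61-D565-4728-AEEE-C80952F0ECDE}'
$appId    = '{5364ED0E-493F-4B16-9DBF-AE486CF22660}'
$appIdKey = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\$appId"
$keys     = @("Registry::HKEY_CLASSES_ROOT\CLSID\$clsid", $appIdKey)

function Get-KeyAclReport {
    # Owner, full-control principals and full SDDL for each registry key.
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { Write-Warning "Key not found: $p"; continue }
        $acl = Get-Acl -LiteralPath $p
        [pscustomobject]@{
            Key         = $p
            Owner       = $acl.Owner
            FullControl = @($acl.Access | Where-Object {
                              $_.AccessControlType -eq 'Allow' -and $_.RegistryRights -eq 'FullControl'
                          } | ForEach-Object { $_.IdentityReference.Value }) -join '; '
            Sddl        = $acl.Sddl   # complete descriptor, enough to restore the original state
        }
    }
}

function Get-DcomLaunchSddl {
    # LaunchPermission is the binary security descriptor behind the
    # "Launch and Activation Permissions" box in DCOMCNFG.
    param([Parameter(Mandatory)][string]$AppIdKey)
    $value = Get-ItemProperty -LiteralPath $AppIdKey -Name LaunchPermission -ErrorAction SilentlyContinue
    if (-not $value) { return 'LaunchPermission not set: machine-wide default applies' }
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$value.LaunchPermission, 0)
    $sd.GetSddlForm('All')
}

# Keep a timestamped copy of the "before" state, then show a summary.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
Get-KeyAclReport -Path $keys | Export-Csv -NoTypeInformation -Path ".\dcom-acl-$stamp.csv"
Get-KeyAclReport -Path $keys | Format-List Key, Owner, FullControl
Get-DcomLaunchSddl -AppIdKey $appIdKey
```

Running it again after step 3 shows exactly which owner and access entries changed.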



Windows Server 2016–Sync Time Server using (S)NTP

October 30, 2019

How to sync the time to a public time server using NTP

You need to use the w32tm command.

First check the current settings :

w32tm /query /status


What about the 0x1 parameter ?

  • 0x01 – Use special poll interval (SpecialInterval)
  • 0x02 – Use as fallback only
  • 0x04 – Send request as Symmetric Active mode
  • 0x08 – Send request as Client mode
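The flag value after each peer name is a bit mask, so a value such as 0x9 combines two of the entries above. This added example (not from the original post) decodes a manual peer list; the function name and the sample peers are constructed for illustration.

```powershell
# Added example: decode the per-peer flags of a W32Time manual peer list.
# Bit meanings are the four listed above.
$NtpFlag = @{
    0x01 = 'SpecialInterval'
    0x02 = 'UseAsFallbackOnly'
    0x04 = 'SymmetricActive'
    0x08 = 'Client'
}

function ConvertFrom-NtpPeerList {
    param([Parameter(Mandatory)][string]$PeerList)
    # Peers are space-delimited; each one is "name[,0xFLAGS]".
    foreach ($entry in ($PeerList -split '\s+' | Where-Object { $_ })) {
        $name, $rawFlags = $entry -split ',', 2
        $value = if ($rawFlags) { [Convert]::ToInt32($rawFlags, 16) } else { 0 }
        $names = $NtpFlag.Keys | Sort-Object |
                 Where-Object { $value -band $_ } |
                 ForEach-Object { $NtpFlag[$_] }
        [pscustomobject]@{
            Peer        = $name
            Flags       = '0x{0:x}' -f $value
            Meaning     = if ($names) { $names -join ', ' } else { '(none)' }
            UnknownBits = '0x{0:x}' -f ($value -band (-bnot 0x0F))   # anything outside the four known bits
        }
    }
}

# Constructed sample list (hypothetical host names).
$sample = 'time.example.com,0x9 ntp2.example.net,0x2 10.0.0.5'
ConvertFrom-NtpPeerList -PeerList $sample | Format-Table -AutoSize

# On a live server the configured list can be read from the registry:
# $live = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters').NtpServer
# ConvertFrom-NtpPeerList -PeerList $live
```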

To set a new external time server, use these commands (replace <peers> with your own time server list):

net stop w32time

w32tm /config /manualpeerlist:"<peers>" /syncfromflags:MANUAL

net start w32time

w32tm /resync

This is the configuration :

w32tm /query /configuration


These are all the command line switches :

w32tm [/? | /register | /unregister ]
   ? – this help screen.
   register – register to run as a service and add default
     configuration to the registry.
   unregister – unregister service and remove all configuration
     information from the registry.

w32tm /monitor [/domain:<domain name>]
                [/threads:<num>] [/ipprotocol:<4|6>] [/nowarn]
   domain – specifies which domain to monitor. If no domain name
     is given, or neither the domain nor computers option is
     specified, the default domain is used. This option may be
     used more than once.
   computers – monitors the given list of computers. Computer
    names are separated by commas, with no spaces. If a name is
     prefixed with a ‘*’, it is treated as an AD PDC. This option
     may be used more than once.
   threads – how many computers to analyze simultaneously. The
     default value is 3. Allowed range is 1-50.
   ipprotocol – specify the IP protocol to use. The default is
     to use whatever is available.
   nowarn – skip warning message.

w32tm /ntte <NT time epoch>
   Convert a NT system time, in (10^-7)s intervals from 0h 1-Jan 1601,
   into a readable format.

w32tm /ntpte <NTP time epoch>
   Convert an NTP time, in (2^-32)s intervals from 0h 1-Jan 1900, into
   a readable format.

w32tm /resync [/computer:<computer>] [/nowait] [/rediscover] [/soft]
   Tell a computer that it should resynchronize its clock as soon
   as possible, throwing out all accumulated error statistics.
   computer:<computer> – computer that should resync. If not
     specified, the local computer will resync.
   nowait – do not wait for the resync to occur;
     return immediately. Otherwise, wait for the resync to
     complete before returning.
   rediscover – redetect the network configuration and rediscover
     network sources, then resynchronize.
   soft – resync utilizing existing error statistics. Not useful,
     provided for compatibility.

w32tm /stripchart /computer:<target> [/period:<refresh>]
     [/dataonly] [/samples:<count>] [/packetinfo] [/ipprotocol:<4|6>]
   Display a strip chart of the offset between this computer and
   another computer.
   computer:<target> – the computer to measure the offset against.
   period:<refresh> – the time between samples, in seconds. The
     default is 2s
   dataonly – display only the data, no graphics.
   samples:<count> – collect <count> samples, then stop. If not
     specified, samples will be collected until Ctrl-C is pressed.
   packetinfo – print out NTP packet response message.
   ipprotocol – specify the IP protocol to use. The default is
     to use whatever is available.

w32tm /config [/computer:<target>] [/update]
     [/manualpeerlist:<peers>] [/syncfromflags:<source>]
   computer:<target> – adjusts the configuration of <target>. If not
     specified, the default is the local computer.
   update – notifies the time service that the configuration has
     changed, causing the changes to take effect.
   manualpeerlist:<peers> – sets the manual peer list to <peers>,
     which is a space-delimited list of DNS and/or IP addresses.
     When specifying multiple peers, this switch must be enclosed in
   syncfromflags:<source> – sets what sources the NTP client should
     sync from. <source> should be a comma separated list of
     these keywords (not case sensitive):
       MANUAL – sync from peers in the manual peer list
       DOMHIER – sync from an AD DC in the domain hierarchy
       NO – sync from none
       ALL – sync from both manual and domain peers
   LocalClockDispersion:<seconds> – configures the accuracy of the
     internal clock that w32time will assume when it can’t acquire
     time from its configured sources.
   reliable:(YES|NO) – set whether this machine is a reliable time source.
     This setting is only meaningful on domain controllers.
       YES – this machine is a reliable time service
       NO – this machine is not a reliable time service
   largephaseoffset:<milliseconds> – sets the time difference between
     local and network time which w32time will consider a spike.

w32tm /tz
   Display the current time zone settings.

w32tm /dumpreg [/subkey:<key>] [/computer:<target>]
   Display the values associated with a given registry key.
   The default key is HKLM\System\CurrentControlSet\Services\W32Time
     (the root key for the time service).
   subkey:<key> – displays the values associated with subkey <key>
     of the default key.
   computer:<target> – queries registry settings for computer <target>.

w32tm /query [/computer:<target>]
     {/source | /configuration | /peers | /status}
   Display a computer’s windows time service information.
   computer:<target> – query the information of <target>. If not
     specified, the default is the local computer.
   source: display the time source.
   configuration: display the configuration of run-time and where
     the setting comes from. In verbose mode, display the undefined
     or unused setting too.
   peers: display a list of peers and their status.
   status: display windows time service status.
   verbose: set the verbose mode to display more information.

w32tm /debug {/disable | {/enable /file:<name> /size:<bytes> /entries:<value>
   Enable or disable local computer windows time service private log.
   disable: disable the private log.
   enable: enable the private log.
     file:<name> – specify the absolute filename.
     size:<bytes> – specify the maximum size for circular logging.
     entries:<value> – contains a list of flags, specified by number and
       separated by commas, that specify the types of information that
       should be logged. Valid numbers are 0 to 300. A range of numbers
       is valid, in addition to single numbers, such as 0-100,103,106.
       Value 0-300 is for logging all information.
   truncate: truncate the file if it exists.

Now that the server syncs properly, you can use it as the internal NTP server for other devices.


Remember to set the firewall rules to accept UDP 123.

For more info see here

Enjoy !

Windows Server 2016 – Get Boot Date & Time – Uptime

October 21, 2019

How to get Windows Server 2016 Boot Date & Time – Uptime

There are several ways to get this information :

1. Command line :

systeminfo | find "System Boot Time"


2. Command line Tools :

– SysInternals : PsInfo.exe
psinfo | find /i "uptime"


– SysInternals : BgInfo.exe Display as background


3. WMI

wmic OS GET CSName,LastBootUpTime


4. PowerShell

$obj = Get-WmiObject Win32_OperatingSystem
$obj.ConvertToDateTime($obj.LastBootUpTime)


Get-CimInstance -ClassName win32_operatingsystem | select lastbootuptime


get-eventlog System | where-object {$_.EventID -eq "6013"} | sort -desc TimeGenerated

new-timespan -Seconds 26079971 | Select Days,Hours,Seconds


5. Event Viewer

Filter the System events with the Event ID 6013


Enjoy !

Windows Server 2016 – Blacklist Mobile devices on WIFI network

June 21, 2019

Let’s assume you have 2 WIFI networks. 1 for the Office users and 1 for the Guests on a separate VLAN.

Now you don’t want all the Office users to use their mobile devices to log on to the local LAN.

The challenge is that if you apply MAC address filtering on the Access Point,

it will block the device on both WIFI networks.


On your DHCP server you need to activate the BLOCK MAC address filtering

Open the DHCP console and enable the DENY LIST using the FILTERS Tab


Now you can add the BLOCKED Mac ADDRESSES in the DENY section


Tip :

You can also use WILDCARDS like this :


Solution :

Windows 2008r2 :

You can use the NETSH command to block MAC addresses on your local LAN.

netsh dhcp server v4 add filter deny 00-0c-29-fe-dd-60 "Mary's PC"

If you need to automate this on a Windows 2008r2 server you need to apply some regular expressions to grab the MAC address.

Took me more than a day to figure out how to make it work.

Windows 2012r2 and higher :

You can use the DHCP PowerShell cmdlets

Get-DhcpServerv4Scope -cn YourServer

Set-DhcpServerv4FilterList -ComputerName "YourServer" -Allow $False -Deny $True


Add-DhcpServerv4Filter -List Allow -MacAddress "F0-DE-F1-7A-00-5E" -Description "Laptop 09"

Remove-DhcpServerv4Filter -MacAddress "F0-DE-F1-7A-00-5E"
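When the MAC addresses come from an inventory export or a log, they arrive in mixed notations, which is where the regular expressions mentioned above come in. This added example (not from the original post) extracts and normalizes them to the hyphenated form the filter cmdlets take; the function name and the sample lines are constructed.

```powershell
# Added example: pull MAC addresses out of free text and normalize them
# for the DHCP deny list. Accepts aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF and aabb.ccdd.eeff.
$MacPattern = '(?i)\b(?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2}\b|\b(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}\b'

function Get-DenyFilterEntry {
    param([Parameter(Mandatory)][string[]]$Line)
    $seen = @{}
    foreach ($l in $Line) {
        foreach ($m in [regex]::Matches($l, $MacPattern)) {
            $hex = ($m.Value -replace '[-:.]', '').ToUpper()
            $mac = ($hex -split '(..)' | Where-Object { $_ }) -join '-'
            # Lowest bit of the first octet set = multicast/broadcast, never a client NIC.
            if ([Convert]::ToByte($hex.Substring(0, 2), 16) -band 1) { continue }
            if ($seen.ContainsKey($mac)) { continue }   # skip duplicates in other notations
            $seen[$mac] = $true
            [pscustomobject]@{
                MacAddress  = $mac
                Description = ($l -replace [regex]::Escape($m.Value), '').Trim(' ,;')
            }
        }
    }
}

# Constructed sample input.
$sample = @(
    "00:0c:29:fe:dd:60, Mary's phone"
    'f0de.f17a.005e; tablet 09'
    '00-0C-29-FE-DD-60, same device again'
    '01:00:5e:00:00:fb, multicast entry'
)
$entries = Get-DenyFilterEntry -Line $sample
$entries | Format-Table -AutoSize

# Review the table first, then feed it to the cmdlet shown above:
# $entries | ForEach-Object {
#     Add-DhcpServerv4Filter -List Deny -MacAddress $_.MacAddress -Description $_.Description
# }
```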

See also here how to build a Blacklist for PUBLIC IP addresses.

Enjoy !

Windows Server 2016 – How to Blacklist Public IP Addresses, Alert Event ID 20271

June 21, 2019

If you notice unauthorised attacks on your network in your event viewer Event ID 20271 Remote Access





Create a BLACKLIST rule using Windows Firewall

Open Windows Firewall with Advanced Security by running wf.msc

On the left, select Inbound Rules, then under the Action menu, choose New Rule

On the Rule Type page, choose Custom.

On Program, choose “All programs”

On Protocol and Ports, leave the default of Any

On Scope, select “These IP addresses” in the remote addresses section and add the problematic IP address in the Add dialog

On Action, choose “Block the connection”


On Profile, leave the defaults of everything checked.


Finally, on Name give the rule a name like “Blacklisting”, and optionally a description.
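The same rule can be built from the event log instead of by hand. This is an added example, not the script the post links to: the function name, the threshold, the never-block prefixes and the sample messages are all constructed, and the System log as the location of Event ID 20271 is an assumption.

```powershell
# Added example: turn repeated Event ID 20271 failures into block-rule candidates.
function Get-BlockCandidate {
    param(
        [Parameter(Mandatory)][string[]]$Message,
        [int]$Threshold = 3,                                   # failures before an address is listed
        [string[]]$NeverBlock = @('10.', '192.168.', '127.')   # hypothetical own/management prefixes
    )
    $ipPattern = '\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b'
    $Message |
        ForEach-Object { [regex]::Match($_, $ipPattern).Value } |
        Where-Object { $_ } |
        Where-Object { $ip = $_; -not ($NeverBlock | Where-Object { $ip.StartsWith($_) }) } |
        Group-Object |
        Where-Object Count -ge $Threshold |
        Select-Object @{ n = 'RemoteAddress'; e = { $_.Name } }, Count
}

# Constructed sample messages (documentation address ranges).
$sample = @(
    'The user admin connected from 203.0.113.45 but failed an authentication attempt.'
    'The user test connected from 203.0.113.45 but failed an authentication attempt.'
    'The user root connected from 203.0.113.45 but failed an authentication attempt.'
    'The user mary connected from 198.51.100.7 but failed an authentication attempt.'
    'The user backup connected from 192.168.1.20 but failed an authentication attempt.'
)
$candidates = Get-BlockCandidate -Message $sample
$candidates | Format-Table -AutoSize   # only 203.0.113.45 reaches the threshold

# Live input (assumes the events are in the System log):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 20271 } | ForEach-Object Message
# $candidates = Get-BlockCandidate -Message $live

# Same rule as the wizard steps above, after reviewing the candidate list:
# New-NetFirewallRule -DisplayName 'Blacklisting' -Direction Inbound -Action Block `
#     -RemoteAddress $candidates.RemoteAddress
```

The threshold and the never-block prefixes keep a single mistyped password or an internal address from ending up in the rule.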



See here on how to automate this using PowerShell Event Viewer Scanning & Firewall rules

1. First check if the DENY property is set on your DHCP server



If not you can activate it like this

Set-DhcpServerv4FilterList -ComputerName "YourDHCPServer" -Allow $False -Deny $True

Next you can list all IP’s


And check if they exist as blocked.


If you need to add extra you can use this Cmd

Add-DhcpServerv4Filter -List Deny -MacAddress "F0-DE-F1-7A-00-5E" -Description "iphone 09"


See here on how to Blacklist based on MAC Address


Safety First …

Done !

Windows Server 2016 – Windows Update Center closes immediately

March 10, 2019

Opening the Windows Update Center closes immediately … ?


The main reason is that the Windows 2016 Software Distribution has become corrupted.


Clean the C:\Windows\SoftwareDistribution folder…

See here for the procedure

After this cleanup everything was back to normal


Windows Server 2016 – ServerEssentials DesignatedActiveDirectoryServerDown Event ID 1280 Error

December 20, 2018

After removing a DC and cleaning up the metadata I still got errors relating to DesignatedActiveDirectoryServerDown ?

I rechecked all settings and had still some references in the DNS.

But even after removing all of this it was still complaining ?


Solution :

Open the registry and go to :

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Server\ADContext


The key ConnectedDc was pointing to the old DC server.

Correct the value so that the key points to the current DC:

Correct the registry entry by overwriting it with the proper value of the local server.

Restart the dashboard for the change to take effect.

Next go on searching for more references in the registry


If there is an entry for Src Root Domain Srv, right-click the value and then click Delete.

This value must be deleted so that the domain controller sees itself as the only domain controller in the domain after promotion.

Remove these registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NTDS\Parameters\Src Root Domain Srv 
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NTDS\Parameters\Src Root Domain Srv 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Src Root Domain Srv 
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NTDS\Parameters\Src Srv objectGuid 
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NTDS\Parameters\Src Srv objectGuid 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Src Srv objectGuid
Reboot the server and check again.