Exchange Can’t Mount Database ‘0x80004005’

KB ID 0001632

Problem

When attempting to mount an Exchange Database I got this error;

Failed to mount database “{Database-Name}”. Error: An Active Manager operation failed. Error: The database action failed. Error: Operation failed with message: MapiExceptionDatabaseError: Unable to mount database. (hr=0x80004005, ec=1108) Diagnostic context: Lid: 65256 Lid: 10722 StoreEc: 0x454 Lid: 1494 —- Remote Context Beg —- Lid: 1238 Remote Context Overflow Lid: 34760 StoreEc: 0xFFFFFDEF Lid: 41344 Guid: 6967a2e8-2e07-4c6f-a7ff-cb5f3414bad5 Lid: 35200 dwParam: 0x3F28 Lid: 59596 dwParam: 0x231090 Msg: JI20 Lid: 43212 dwParam: 0x231090 Msg: JT05 Lid: 43212 dwParam: 0x231090 Msg: JT08 Lid: 59596 dwParam: 0x231090 Msg: WM19 Lid: 59596 dwParam: 0x231090 Msg: WM20 Lid: 59596 dwParam: 0x231090 Msg: WM21 Lid: 54472 StoreEc: 0x980 Lid: 42184 StoreEc: 0x454 Lid: 10786 dwParam: 0x0 Msg: 15.01.1847.005:PNL-Mail:6967a2e8-2e07-4c6f-a7ff-cb5f3414bad5 Lid: 51578 Guid: 6967a2e8-2e07-4c6f-a7ff-cb5f3414bad5 Lid: 1750 —- Remote Context End —- Lid: 1047 StoreEc: 0x454 [Database: Database-Name, Server: Server-Name]

Solution

It’s been a while since I last saw an 0x80004005 error, last time it was because the AV software on the Exchange server had quarantined a log file, but this server was not running any third party AV. On closer inspection the problem was pretty obvious;

My ‘log-file’ partition was full, (I had something else doing diagnostic logging), once I tidied up the partition and freed up some space the database mounted without complaining.

Related Articles, References, Credits, or External Links

Exchange – Failed to mount database(hr=0x80040115, ec=-2147221227)

Event ID 3154 ‘Active Manager Failed To Mount Database’

No Mail Flow On-Premises To/From Office 365

KB ID 0001631

Problem

I upgraded my On-Premises Hybrid Exchange server recently, from Exchange 2016 to Exchange 2019. I remembered to add the new server onto the Office 365 send connector, but there was no mail flow between an on premises mailbox and an office365 mailbox?

Solution

This happens because (even if you are using the same certificate on the new and old servers) the certificate that is used for TLS security between your on-premises Exchange server and Exchange Online does not get ‘embedded’ properly on the send/receive connectors. You may see either (or both) of the following two problems.

Check The Office 365 Mail Flow

Log into Office 365 > Admin > Exchange Admin Center > Mail Flow > Connectors > Select the ‘Outbound’ connector > Validate this connector.

Herein lies the problem!

450 4.4.317 Cannot connect to remote server [Message=SubjectMismatch] [LastAttemptedServerName={on-prem-fqdn}] [LastAttemptedIP={on-prem-ip}}:25] [{outlook-FQDN}]

At first I thought the on-premises server was presenting the wrong cert for TLS, turns out it was not presenting a cert at all! You can check by executing the following command on the RECEIVE CONNECTOR;

[box]

Get-ReceiveConnector "{SERVER-NAME}\Default Frontend {SERVER-NAME}" | fl TlsCertificateName  

[/box]

If it returns no entry (like the image below), then you need to simply attach the correct certificate. To do that first get the ‘thumbprint’ of the correct certificate;

[box]

Get-ExchangeCertificate  

[/box]

Copy the correct thumbprint, and embed it with the following commands;

[box]

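# Load the certificate by thumbprint, then build the "<I>issuer<S>subject" string
$tlscert = Get-ExchangeCertificate -Thumbprint {THUMBPRINT}
$tlscertname = "<I>$($tlscert.Issuer)<S>$($tlscert.Subject)"
# Attach it to the front end receive connector, then restart transport
Get-ReceiveConnector "{SERVER_NAME}\Default Frontend {SERVER_NAME}" | Set-ReceiveConnector -TlsCertificateName $tlscertname
Restart-Service MSExchangeTransport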

[/box]

Now test validation again from Office 365 portal.

Check The Office On-Premises Mail Flow

To do this, open Exchange Tools > Queue Viewer, and you will probably see something like this;

454 4.7.5 The certificate specified in TlsCertificateName of the SendConnector could not be found.

To fix this, the procedure is much the same as above, only this time you perform the procedure on the SEND CONNECTOR;

Note: I’m assuming you are using the same Thumbprint you used above.

[box]

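# Load the certificate by thumbprint, then build the "<I>issuer<S>subject" string
$tlscert = Get-ExchangeCertificate -Thumbprint {THUMBPRINT}
$tlscertname = "<I>$($tlscert.Issuer)<S>$($tlscert.Subject)"
# Attach it to the Office 365 send connector, then restart transport
Set-SendConnector -Identity "Outbound to Office 365" -TlsCertificateName $tlscertname
Restart-Service MSExchangeTransport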

[/box]

By the time you go back to Queue viewer the queues should have started to empty.
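To find connectors in this state before mail queues up, the following read-only check lists each connector's TlsCertificateName and whether an installed certificate matches it. It is an added example, not part of the original article; it assumes the Exchange Management Shell on the server being checked, and the variable names and status messages are illustrative.

```powershell
# Added example: read-only audit of TlsCertificateName on this server's connectors.
# Run in the Exchange Management Shell. Variable names are illustrative.

# Build "<I>issuer<S>subject" for every certificate installed on this server,
# the same string the commands above write into TlsCertificateName.
$certs = Get-ExchangeCertificate | ForEach-Object {
    [pscustomobject]@{
        Name       = "<I>$($_.Issuer)<S>$($_.Subject)"
        Thumbprint = $_.Thumbprint
        NotAfter   = $_.NotAfter
        Services   = [string]$_.Services
    }
}

# Receive connectors are per server; send connectors are organisation-wide,
# so a send connector sourced from another server may not match a local certificate.
$connectors = @(Get-ReceiveConnector -Server $env:COMPUTERNAME) + @(Get-SendConnector)

$report = foreach ($c in $connectors) {
    $name = [string]$c.TlsCertificateName

    # Renewed certificates share issuer and subject, so prefer the newest match.
    $match = $certs | Where-Object { $_.Name -eq $name } |
        Sort-Object NotAfter -Descending | Select-Object -First 1

    $status = if (-not $name) {
        'TlsCertificateName not set'
    } elseif (-not $match) {
        'No installed certificate matches this name'
    } elseif ($match.NotAfter -lt (Get-Date)) {
        'Matching certificate has expired'
    } elseif ($match.Services -notmatch 'SMTP') {
        'Matching certificate is not enabled for SMTP'
    } else {
        'OK'
    }

    [pscustomobject]@{
        Connector  = $c.Identity
        Status     = $status
        Thumbprint = $match.Thumbprint
        Expires    = $match.NotAfter
    }
}

$report | Format-Table -AutoSize -Wrap
```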


Cisco Catalyst Upgrading 2900, 5500 and 3700 Stacks

KB ID 0001630

Problem

People are often nervous about doing this, I’m not sure why because Cisco have made it painfully simple now. That’s because instead of the old /bin files we used to use, you can now upgrade a switch (or a switch stack) using a .tar file with one command, (and it will also upgrade all the stack members and the firmware on any other network modules you have in the switches at the same time).

Yes it does take a while*, and for long periods of time there’s no updated output on the screen, which is worrying if you’ve never done it before.

*Note: The procedure below was updating two 2960-X switches and took about 45-50 minutes. If anyone wants to post any further timings below as a help to others, state the switch types and quantities, and versions you used, etc.

Solution

First things first, BACK UP YOUR SWITCH CONFIG. I also have a habit of copying out the original .bin file from the flash to my TFTP server as an extra ‘belt and braces’ precaution, in case everything ‘Goes to hell in a hand cart!’

I find it easier to do this with the update file on a USB Drive, (format the drive as FAT32). If you don’t have a USB Drive, or the switch does not have a working USB port then don’t panic, you can use ftp or tftp to upgrade also.

Place your new upgrade .tar file on your USB Drive and insert it into the master switch, you should see the following;

[box]

Dec 19 13:13:18.466: %USBFLASH-5-CHANGE: usbflash0 has been inserted!

[/box]

Note: If yours says usbflash1, or usbflash2 etc. Then that’s just the switch numbering in the stack, use the number it tells you!

Make sure the switch can see your upgrade file;

[box]

Petes-Switch# dir usbflash1:
Dec 19 16:56:45.712: %USBFLASH-5-CHANGE: usbflash0 has been inserted!

Directory of usbflash0:/
 -rw- 37488640 Nov 25 2019 10:08:34 +00:00 c2960x-universalk9-tar.152-7.E0a.tar

8036286464 bytes total (7997743104 bytes free)

[/box]

You can execute the entire upgrade with this one command;

[box]

Petes-Switch# archive download-sw /overwrite usbflash0:/c2960x-universalk9-tar.152-7.E0a.tar

[/box]

Note: If using tftp then use archive download-sw /overwrite tftp://{ip-of-tftp-server}/{image-name}.tar instead.

It will take quite a long time, as soon as it says extracting xyz….go and have a coffee, wait until it says ‘All software images installed.’

[box]

---LOTS OF OUTPUT OMITTED FOR THE SAKE OF BREVITY---
New software image installed in flash2:/c2960x-universalk9-mz.152-7.E0a
Deleting old files from dc profile dir "flash:/dc_profile_dir"
extracting dc profile file from "flash:/c2960x-universalk9-mz.152-7.E0a/dc_default_profiles.txt" to "flash:/dc_profile_dir/dc_default_profiles.txt"
Deleting old files from dc profile dir "flash2:/dc_profile_dir"
extracting dc profile file from "flash2:/c2960x-universalk9-mz.152-7.E0a/dc_default_profiles.txt" to "flash2:/dc_profile_dir/dc_default_profiles.txt"
All software images installed.

[/box]

Now let’s do a couple of checks just for our ‘peace of mind‘, first make sure the images are in all the relevant switches flash storage;

[box]

Petes-Switch#dir flash1:
Directory of flash:/

    2  -rwx        5486  Dec 19 2019 16:55:40 +00:00  private-config.text
    3  -rwx          33   Aug 7 2019 08:28:12 +00:00  pnp-tech-time
    4  -rwx       11114   Aug 7 2019 08:28:14 +00:00  pnp-tech-discovery-summary
    5  -rwx        3096  Dec 19 2019 16:55:40 +00:00  multiple-fs
  699  drwx         512  Dec 19 2019 17:35:25 +00:00  c2960x-universalk9-mz.152-7.E0a
  480  drwx         512  Dec 19 2019 17:35:28 +00:00  dc_profile_dir
  696  -rwx         796   Aug 9 2019 09:48:30 +00:00  vlan.dat
  698  -rwx        7539  Dec 19 2019 16:55:40 +00:00  config.text

122185728 bytes total (84392960 bytes free)
Petes-Switch#dir flash2:
Directory of flash2:/

    2  -rwx        5486  Dec 19 2019 16:55:40 +00:00  private-config.text
    3  -rwx          33   Aug 7 2019 08:32:38 +00:00  pnp-tech-time
    4  -rwx       11126   Aug 7 2019 08:32:40 +00:00  pnp-tech-discovery-summary
    5  -rwx        7539  Dec 19 2019 16:55:40 +00:00  config.text
    6  drwx         512  Dec 19 2019 17:35:26 +00:00  c2960x-universalk9-mz.152-7.E0a
  481  drwx         512  Dec 19 2019 17:35:28 +00:00  dc_profile_dir
  696  -rwx        3096   Aug 8 2019 10:21:29 +00:00  multiple-fs
  697  -rwx         796  Dec 11 2019 10:55:22 +00:00  vlan.dat
  698  -rwx        7514  Dec 19 2019 16:55:40 +00:00  config.text.backup
  699  -rwx        5486  Dec 19 2019 16:55:40 +00:00  private-config.text.backup

122185728 bytes total (84378624 bytes free)

[/box]

Note: Repeat for each switch in the stack, if you have further switches.

Why does it not have .tar or .bin on the end? Because it’s a folder 🙂

Then let’s make sure the ‘boot variable‘ in the device is set to use the new image;

[box]

Petes-Switch# show boot
BOOT path-list      : flash:/c2960x-universalk9-mz.152-7.E0a/c2960x-universalk9-mz.152-7.E0a.bin
Config file         : flash:/config.text
Private Config file : flash:/private-config.text
Enable Break        : yes
Manual Boot         : no
Allow Dev Key         : yes
HELPER path-list    :
Auto upgrade        : yes
Auto upgrade path   :
Boot optimization   : disabled
NVRAM/Config file
      buffer size:   524288
Timeout for Config
          Download:    0 seconds
Config Download
       via DHCP:       disabled (next boot: disabled)
-------------------
Switch 2
-------------------
BOOT path-list      : flash:/c2960x-universalk9-mz.152-7.E0a/c2960x-universalk9-mz.152-7.E0a.bin
Config file         : flash:/config.text
Private Config file : flash:/private-config.text
Enable Break        : yes
Manual Boot         : no
Allow Dev Key         : yes
HELPER path-list    :
Auto upgrade        : no
Auto upgrade path   :

[/box]

All looks good, so save the config and reload the stack.

[box]

Petes-Switch# write mem
Petes-Switch# reload
Proceed with reload? [confirm] {Enter}

Dec 19 17:38:50.952: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload command.

[/box]

Time for another coffee while it’s reloading the stack, when it’s back up you can check it was successful like so;

[box]

Petes-Switch# show version
---LOTS OF OUTPUT OMITTED FOR THE SAKE OF BREVITY---
Switch Ports Model                     SW Version            SW Image
------ ----- -----                     ----------            ----------
*    1 54    WS-C2960X-48TS-L          15.2(7)E0a            C2960X-UNIVERSALK9-M
     2 54    WS-C2960X-48TS-L          15.2(7)E0a            C2960X-UNIVERSALK9-M

[/box]


XenServer: Enable SNMP

KB ID 0001629

Problem

We had to enable SNMP on a XenServer today, I’d never even logged onto one, but it turns out, much like ESX, it’s just a Linux server, at least the good folk at Citrix included nano on there so I didn’t have to struggle with the vi editor!

Solution

First from the web console ensure that SSH access is enabled > Remote Services Configuration > Enable/Disable Remote Shell.

SSH into the host and execute the following commands to enable the SNMP daemon at boot, take a backup of the config file, and finally edit the ‘live’ config file.

[box]

chkconfig snmpd on
cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.backup
nano /etc/snmp/snmpd.conf

[/box]

You can delete EVERYTHING (At the beginning of the file press CTRL+6 to mark the file, then Press ALT+Shift+T (or ALT+T) to cut the text away). Then type in;

[box]

rocommunity {SNMP-String} {IP address or range with /{bits}}

i.e.
rocommunity public 192.168.1.0/24

[/box] 

Save and Exit (CTRL+X > ‘Y’ > {Enter}). Now you need to edit the firewall on the host (iptables) to allow the IP addresses of your SNMP collector(s).

[box]

nano /etc/sysconfig/iptables

[/box]

At the bottom, (usually) you will see a deny for ICMP, put an entry for each collector BEFORE that in the following format;

[box]

-A RH-Firewall-1-INPUT -s {Collector-IP-Address} -p udp -m udp --dport 161 -j ACCEPT

[/box]

Save and Exit (CTRL+X > ‘Y’ > {Enter}), then restart iptables and the snmp daemon.

[box]

service iptables restart
service snmpd restart

[/box]

If you are polling it through a firewall you can test it locally using this piece of freeware (I use this to test, but remember to add the local IP you are testing from to the snmp config and the iptables!).


The Term ‘Uninstall-WindowsFeature’ is not Recognized

KB ID 0001628

Problem

I was removing Windows Defender from a lot of servers that had just been deployed, (while doing an AV rollout). So I had a remote session open to all the servers and issued the command on each one, and moved onto the next one. When I went back, about three or four of them had failed with the following error;

PS C:\Users\Administrator> Uninstall-WindowsFeature -Name Windows-Defender
Uninstall-WindowsFeature : The term ‘Uninstall-WindowsFeature’ is not recognized as the name of a cmdlet, function,
script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is
correct and try again.
At line:1 char:1
+ Uninstall-WindowsFeature -Name Windows-Defender
+ ~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Uninstall-WindowsFeature:String) [], CommandNotFoundException

This is strange, the servers were a mix of 2016 and 2019 but were all freshly built, I Googled the error and was told I needed to import the servermanager module, again I thought this was strange,  as most of them had worked but OK, then I got this;

PS C:\Users\Administrator> Import-Module servermanager
import-module : The specified module ‘servermanager’ was not loaded because no valid module file was found in any
module directory.
At line:1 char:1
+ import-module servermanager
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (servermanager:String) [Import-Module], FileNotFoundException
+ FullyQualifiedErrorId : Modules_ModuleNotFound,Microsoft.PowerShell.Commands.ImportModuleCommand

Solution

As is usually the case, I’d been a doofus! I assumed as I ‘rattled through’ each server I’d opened the x64 bit version of PowerShell, but as you can see (from the window headers above) that’s NOT the case!

Sometimes the problem is simply PEBKAC, (Problem Exists Between Keyboard And Chair).
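The following is an added example, not part of the original article: a guard that detects a 32-bit PowerShell host and re-runs the command in the 64-bit one. Invoke-In64BitPowerShell is a hypothetical helper name; the Uninstall-WindowsFeature command is the one from the article.

```powershell
# Added example: run a ServerManager command from a 64-bit host even when the
# current window is 32-bit PowerShell. Invoke-In64BitPowerShell is a
# hypothetical helper name, not a built-in cmdlet.
function Invoke-In64BitPowerShell {
    param([Parameter(Mandatory)][scriptblock]$ScriptBlock)

    # Already 64-bit (or a 32-bit OS with no alternative): run in place.
    if ([Environment]::Is64BitProcess -or -not [Environment]::Is64BitOperatingSystem) {
        return & $ScriptBlock
    }

    # In a 32-bit process System32 is redirected to SysWOW64; the 'sysnative'
    # alias reaches the real 64-bit System32 and its powershell.exe.
    $ps64 = Join-Path $env:WINDIR 'sysnative\WindowsPowerShell\v1.0\powershell.exe'
    Write-Warning "32-bit PowerShell detected, re-running in $ps64"

    # -EncodedCommand takes the Base64 of the UTF-16LE command text.
    $bytes = [Text.Encoding]::Unicode.GetBytes($ScriptBlock.ToString())
    & $ps64 -NoProfile -EncodedCommand ([Convert]::ToBase64String($bytes))
}

Invoke-In64BitPowerShell {
    # Fail with a clear message instead of 'term is not recognized'.
    if (-not (Get-Module -ListAvailable -Name ServerManager)) {
        throw 'ServerManager module is not available in this PowerShell host.'
    }
    Uninstall-WindowsFeature -Name Windows-Defender
}
```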


Windows In VMware Fusion ‘Cannot Access Shared Folders’

KB ID 0001627

Problem

Every so often I have a problem with the Windows 10 VM that I run on my mac in VMware Fusion, last time I needed to upgrade to Fusion 11.5, before that it was a registry fix. This time I could not access any files or folders on the parent mac.

Network Error
Windows cannot access \\vmware-host\Shared Folders\{Folder-Name}
You do not have permissions to access \\vmware-host\Shared Folders\{Folder-Name}. Contact your network administrator to request access.

Solution

Removing and re-adding the share in VMware Fusion didn’t fix the problem, in the end I had to grant VMware Fusion, ‘Full Disk’ access before the problem ceased.

System Preferences > Security & Privacy > Privacy > ‘Unlock’ > Full Disk Access > Tick ‘VMware Fusion.app’.


Windows Error Code 0x800F0954

KB ID 0001626

Problem

Seen when attempting to add a Windows Optional Feature;

Windows couldn’t complete the required changes.
The changes could not be completed. Please reboot your computer and try again
Error code: 0x800F0954

Solution

Typically you see this error if your machine is set to get its updates from WSUS. You can change the way Windows operates to get the ‘Feature addition’ files directly from Microsoft with a group policy.

  • For Local Policy: Windows Key+R > gpedit.msc {Enter}
  • For Domain Policy: (On a domain controller) > Windows Key+R > gpmc.msc {Enter} > Create a new policy or edit one that’s linked to computer objects.

Navigate to;

[box]

Computer Configuration > Administrative Templates > System

[/box]

Locate ‘Specify Settings for optional component installation and component repair‘.

Set to Enabled > Tick ‘Download repair content and optional features directly from Windows Update instead of Windows Server Update Services (WSUS)’ > Apply > OK > Close the policy editor.

Then either wait, or see Windows – Forcing Domain Group Policy.
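To confirm on a client whether the policy has landed, the read-only check below reads the two settings involved. It is an added example, not part of the original article; the function name is hypothetical, and the registry paths and value names are an assumption based on where these policies are commonly documented to be stored, so verify them on your build.

```powershell
# Added example: read-only check of the policy values behind 0x800F0954.
# Assumption: the registry paths and value names below are where the WSUS and
# 'optional component installation' policies are commonly documented to live.
# Get-FeatureSourcePolicy is a hypothetical helper name.
function Get-FeatureSourcePolicy {
    $auKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $svcKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Servicing'

    # Missing keys or values simply come back as $null.
    $useWsus = (Get-ItemProperty -Path $auKey -Name UseWUServer `
                -ErrorAction SilentlyContinue).UseWUServer
    $source  = (Get-ItemProperty -Path $svcKey -Name RepairContentServerSource `
                -ErrorAction SilentlyContinue).RepairContentServerSource

    $usesWsus = ($useWsus -eq 1)
    $direct   = ($source -eq 2)   # 2 = go straight to Windows Update

    $verdict = if (-not $usesWsus) {
        'Client is not pointed at WSUS; this policy is not the cause.'
    } elseif ($direct) {
        'Client uses WSUS, but optional features come from Windows Update.'
    } else {
        'Client uses WSUS for optional features; policy not applied yet.'
    }

    [pscustomobject]@{
        UsesWsus                  = $usesWsus
        RepairContentServerSource = $source
        Verdict                   = $verdict
    }
}

Get-FeatureSourcePolicy | Format-List
```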


Gpupdate: Windows Could Not Locate the Directory Object

KB ID 0001625

Problem

Saw this on a Windows client on my test network;

User Policy update has completed successfully.
Computer policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows could not locate the directory object OU=Top-Level,OU=computers,DC=PeteNetLive,DC=com. Group Policy settings will not be enforced until this event is resolved. View the event details for more information on this error.

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

Note: You may also see Event ID 1101

Event ID 1101

Log Name: System
Source: Microsoft-Windows-GroupPolicy
Event ID: 1101
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: PNL-PROD-WIN10.pnl.com
Description:
The processing of Group Policy failed. Windows could not locate the directory object OU=PNL,DC=pnl,DC=com. Group Policy settings will not be enforced until this event is resolved. View the event details for more information on this error.

Solution

Strangely the OU that this computer was in needed to have the ‘Read‘ right granted to the ‘Authenticated Users’ group, not sure how that got removed! Note: Remember to start at the OU that’s directly on the root of the domain, if you have nested OUs.

After that everything was peachy!


Stop Windows Asking For Password After Sleep / Standby

KB ID 0001624

Problem

I’ve done a few posts that involve me demonstrating how to disable a security feature, and people have messaged me with a mix of disgust/disdain/horror. But I’m sick and tired of all the machines on my test network getting locked while I’m dragged onto something else, they are test machines, with no live data on them, and there’s only me uses them anyway!

And some people just want to log on on a morning and not have to log on again, (Oh the security horror!) But let’s be honest Tom Cruise is not going to abseil down from the rafters to steal your order forms for spanners, or whatever mundane junk you have on your PC/laptop that no one other than you, and your office is bothered about.

Note: Don’t get this confused with Windows – Disable the ‘Lock Screen’

Solution

There are two policies that control this, one is in effect if your Windows machine is plugged in, the other takes over when you are running on battery power, you can disable password prompting for one or both.

Disable Password Prompt When Computer Wakes Up

You can set this on an individual machine (local policy) or you can create a domain computer policy, and enforce this on many/all Windows clients.

  • For Local Policy: Windows Key+R > gpedit.msc {Enter}
  • For Domain Policy: (On a domain controller) > Windows Key+R > gpmc.msc {Enter} > Create a new policy or edit one that’s linked to computer objects.

Disable When Plugged In

Navigate to;

[box]

Computer Configuration > Administrative Templates > System > Power Management > Sleep Settings

[/box]

Locate ‘Require a password when a computer wakes (plugged in)‘ > Set to Disabled > Apply > OK > Close the policy editor.

 

Disable When On Battery Power

Navigate to;

[box]

Computer Configuration > Administrative Templates > System > Power Management > Sleep Settings

[/box]

Locate ‘Require a password when a computer wakes (on battery)‘ > Set to Disabled > Apply > OK > Close the policy editor.

Then either wait, or see Windows – Forcing Domain Group Policy.
