Saturday, 19 August 2017

Server 2012 R2 BitLocker Post Install Error: Unspecified Error

The following error happened on a DC we recently set up and were going to encrypt via BitLocker:


Unspecified error

A quick search turned up a simple fix: Reboot the server a second time.

Sure enough, good to go:


As a rule, we deploy a TPM in all of our physical DCs that are deployed with our clusters. They are then encrypted using BitLocker. This greatly reduces the exposure to compromise if someone has physical access to that DC. For virtual DCs, we now have the ability to pass a vTPM through to the guests in Server 2016. We're still in the testing phase, but our plan is to have _all_ domain controllers on networks we manage encrypted!
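One way to confirm that a DC actually meets the standard described above, as an added example that is not part of the original post: it checks the TPM state and the BitLocker protectors on the OS volume using the built-in `Get-Tpm` and `Get-BitLockerVolume` cmdlets. The function name `Test-DcBitLockerState` is hypothetical.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the domain controller. Test-DcBitLockerState is a hypothetical name.
function Test-DcBitLockerState {
    param([string]$MountPoint = $env:SystemDrive)

    $findings = @()

    # TPM must be present and ready before a TPM protector can be trusted.
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) {
        $findings += 'No TPM detected.'
    }
    elseif (-not $tpm.TpmReady) {
        $findings += 'TPM present but not ready (initialization or a reboot may be pending).'
    }

    # The OS volume should be fully encrypted with protection switched on.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings += "Volume status is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)% encrypted)."
    }
    if ($vol.ProtectionStatus -ne 'On') {
        $findings += 'BitLocker protection is off or suspended.'
    }

    # Expect a TPM-based protector plus a recovery password for break-glass access.
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    if (-not ($types -like 'Tpm*')) {
        $findings += 'No TPM-based key protector on the volume.'
    }
    if ($types -notcontains 'RecoveryPassword') {
        $findings += 'No recovery password protector on the volume.'
    }

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        MountPoint = $MountPoint
        Protectors = $types -join ', '
        Compliant  = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

Test-DcBitLockerState | Format-List
```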

Philip Elder
Microsoft High Availability MVP
Co-Author: SBS 2008 Blueprint Book
Our Cloud Service

Friday, 18 August 2017

A Few Thoughts on the Intel Xeon Processor Scalable Family

The original article is here: Intel® Xeon® Processor Scalable Family Technical Overview.

This quick post is for the time-challenged folks trying to figure out how the new Intel Xeon Processor Scalable Family relates to the previous generation Intel Xeon Processor E5-2600 series.

Please note that all of the images below are from the above article.


The above grid gives us an idea of which processor grade goes where. Our standard go-to has been the Intel Xeon Processor E5-2620 through the E5-2640 which were at one time the mainstream processors.

The next tier for us would be the E5-26*3 and E5-26*7 series that provided high bin counts (GHz) with low core counts.

Now we can see that the mainstream processors are Silver and the performance grade are Gold.


In the chart above, 2S, 4S, and 8S are the number of sockets the processor supports. DPC is DIMMs Per Channel.


As we can see, there are just a few new features included in the new processor family.

Some Thoughts

There is a definite glaring omission in this new processor family: Fourth Generation PCIe :(

As we all know, the data bus is playing catch-up (blog post) to storage and to some extent networking.

While the newly introduced Purley platform has integrated PCIe NVMe ports on the server boards and backplanes there is still a lack of clarity as far as what we need to make things work on the Intel Server System platform.

The PCIe channel count bump from 32 to 48 is most certainly not enough especially with the spec stuck in Generation 3. A pair of 100Gb Mellanox Ethernet cards and a few PCIe NVMe SSDs and we're pretty much saturating the bus ... again.

One more thing: although we've not had a chance to compare apples to apples yet, the new processors look to be more expensive than the previous generation E5-2600v4 equivalents. It also seems that as the core counts go up, so do the prices, in an almost exponential way.

We'll post some price comparisons in another blog post.

Have a great weekend and thanks for reading!


Friday, 11 August 2017

Some Thoughts on Writing in Digital and the Surface Pro 4

I personally love to write. With real pens and ink. :)

Currently, we have a pending order with a Taiwanese vendor for some TWSBI fountain pens.

The above image is from TWSBI's web site. It's a TWSBI Diamond 580 Clear. There's also a Mini version that travels a lot better.

Pilot makes some gorgeous inks. The above ajisai is a pretty neat colour that will be the go-to for regular note taking. We have several different colours on their way at the moment.

When there is a need to write in pencil the Platinum PRO-USE 03 (MSD-1500) is one of the best mechanical pencils ever made in my opinion.

When it comes to art, my primary medium is coloured pencil on various media or graphite pencil also on various media. I'm currently working on a Tiger Moth Orchid using Faber-Castell Polychromos oil based colour pencils.

All of the above is to bring out just how important the digital ink experience is. While I am not a professional digital ink writer or artist by any means, the digital ink experience is quite important.

To date, my personal best digital pen experience for both writing and art has been with the Microsoft Surface Pro 3 with the Pro 4 (SP4) being even better.

The SP4 provides an excellent platform for one who prefers to write over type.

OneNote has an excellent recognition process that allows for hand written notes to be copied and pasted into Word. For those that take notes at meetings to provide minutes at a later date this feature works great!

It's also great for those that attend conferences to gain information. Writing the notes on the fly can be a lot faster, especially for those of us that developed a written shorthand while in university classes back in the day. ;)

Tie in the taking of pictures to use as a reference later in the day when re-working the handwritten notes into a final set and we have a pretty good method for building some pretty good written work such as articles, blog posts, or even books.

Side Note: Another aspect of writing versus typing is in memory retention. Retention seems to be _a lot_ better when notes are taken live with a pen versus typing those notes in. Retention gets even better if the "crib" notes and pictures are re-worked later that day into a final set of notes.

At some point time will be spent with the Microsoft Surface Studio. It seems to be about the best platform out there for the artistically inclined. We certainly know of quite a few engineering, architectural, and other such firms either switching or looking to switch to the Surface Studio.

The one catch though is that it is difficult to let go of pen and paper when it comes to art. For some, the "analog" versus "digital" art "discussion" can be quite "religious" in nature. ;)

Suffice it to say, if looking for a new ultra-portable system that will run most work related applications and provide an excellent platform for the written word the Surface Pro 4 is the one to choose.


Friday, 4 August 2017

Edge Browser: Reset After Malware How To

Every time a client of ours opened Edge they would receive a big red screen with "Edge has been compromised".

With the Edge option to open previous tabs/pages there is no real way to get out of the loop. We cleaned out the Edge temporary files folder and the problem still happened.

So, to fix it we needed to nuke & pave.

We do that by running the following two steps on the problematic machine:

1: Delete:

2: Elevated PowerShell all on one line:
Get-AppXPackage -AllUsers -Name Microsoft.MicrosoftEdge | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml" -Verbose}

3: Start Edge

With the above process complete the user should get the "Welcome to Edge" message and tabs.

NOTE: This process essentially removes and re-installs Edge. _ALL_ settings, saved passwords, and such are removed!


Tuesday, 1 August 2017

Exchange: ERROR: The internal transport certificate cannot be removed... FIX

We recently renewed an Exchange server's trusted certificate.

When we went to remove the old certificate in EAC we received the following error:

A special Rpc error occurs on server SERVERNAME: The internal transport certificate cannot be removed because that would cause the Microsoft Exchange Transport service to stop.
To replace the internal transport certificate, create a new certificate. The new certificate will automatically become the internal transport certificate. you can then remove the existing certificate.

Searching turned up a lot of suggestions to just delete the old certificate in the Personal certificates store. Somehow, that did not strike us as being the correct methodology since the error makes it clear that the old certificate is still in use.

The proper methodology is to run the following PowerShell in the Exchange Shell to create and bind a new self-issued certificate. Since the certificate is bound to internal services there are no trust issues as indicated by the error message.

New-ExchangeCertificate -IncludeServerFQDN -IncludeServerNetBIOSName -Confirm:$False

The result would be something like this:

Once the command had completed, we were able to delete the expired third party certificate in EAC.
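A check that can be run before removing the old certificate, as an added example that is not part of the original post: it confirms that the Transport service has moved to a different, unexpired internal transport certificate and then previews the removal. It assumes Exchange 2013 or later (`Get-TransportService`); `$OldThumbprint` is a placeholder to fill in.

```powershell
# Added example (not from the original post). Run in the Exchange Management
# Shell on the affected server. $OldThumbprint is a placeholder value.
$OldThumbprint = '<THUMBPRINT-OF-OLD-CERTIFICATE>'
$Server        = $env:COMPUTERNAME

# List every certificate with its service bindings and expiry for review.
Get-ExchangeCertificate -Server $Server |
    Sort-Object NotAfter |
    Format-Table Thumbprint, Services, IsSelfSigned, NotAfter, Subject -AutoSize

# Thumbprint the Transport service currently uses as its internal certificate.
$internal = (Get-TransportService -Identity $Server).InternalTransportCertificateThumbprint

if (-not $internal) {
    Write-Warning 'Could not read the internal transport certificate thumbprint; not removing anything.'
}
elseif ($internal -eq $OldThumbprint) {
    # This is the state that produces the EAC error quoted in the post.
    Write-Warning 'The old certificate is still the internal transport certificate. Create the new certificate first.'
}
else {
    $current = Get-ExchangeCertificate -Server $Server -Thumbprint $internal
    if ($current.NotAfter -lt (Get-Date)) {
        Write-Warning "Internal transport certificate $internal expired on $($current.NotAfter)."
    }
    else {
        Write-Output "Internal transport certificate is $internal, valid until $($current.NotAfter)."
        # Preview only: drop -WhatIf to perform the removal.
        Remove-ExchangeCertificate -Server $Server -Thumbprint $OldThumbprint -WhatIf
    }
}
```

Removing the certificate through `Remove-ExchangeCertificate` rather than deleting it from the Personal store keeps the same in-use check that EAC applied.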


Monday, 24 July 2017

Intel JBOD2224S2DP - Troubleshooting Redundant Path Fail

We have an Intel JBOD2224S2DP that has seemingly dropped one of its expanders as we are seeing an MPIO path error on both nodes in a Hyper-V/Storage Spaces cluster (2x nodes + 2x JBODs).

First step is to get the SAS IDs for the expanders by pulling the cover:

With IDs in-hand the next step is to figure out which one has failed.

We do this by downloading the latest firmware for the JBOD and copying the contents to a \TMP folder on the server or server node.

Open an elevated CMD on the server/node and:

CD \TMP\Windows [ENTER]
cmdtool2_64 -adpsetprop ExposeEnclDevicesEnbl 1 -aall [ENTER]
xflash -I get avail [ENTER]

And, voila! We have our culprit:

The problematic expander is the one on the right.

The final step to run on the server/node:
cmdtool2_64 -adpsetprop ExposeEnclDevicesEnbl 0 -aall [ENTER]

Now, off to call Intel to see about a warranty replacement or to find one out there somewhere. ;)

UPDATE 2017-08-16: As it turns out, we replaced the seemingly problematic expander and still had the error. After swapping the RS25GB008 HBA pair between nodes the problem followed the HBAs. After a bit more testing we found that one of the RS25GB008 HBAs had a bad port.

Since Intel no longer supports them and distribution didn't have any in the channel we had to go out and find some via the regular channels. They just arrived the other day and we now have MPIO on both systems without an error.


Thursday, 20 July 2017

Windows Server 2016 July 18, 2017 CU is Important!

The July 18, 2017-KB4025334 (OS Build 14393.1532) Update is _important_!

There are fixes in there for a lot of cluster specific products.
  • iSCSI
  • S2D
  • ReFS
  • DeDup
  • MPIO
  • NTFS
The specifics are in the Microsoft page linked to above as is a download link.

We are in the process of updating our base Install.WIM image (blog post) with this update as I write this!


Monday, 17 July 2017

Windows 10: Installing on Intel Desktop Board DX79SR

Boy, did we get a lot of grief trying to get Windows 10 to install on an Intel Desktop Board DX79SR based system!

Windows Setup

Windows cannot be installed to this disk. This computer's hardware may not support booting to this disk. Ensure that the disk's controller is enabled in the computer's BIOS menu.

Some pointers:

Neither post is available for comment thus this blog post plus a new discussion on the Intel Communities site: Windows 10 on Intel Desktop Board DX79SR.

What finally worked:

  1. Set up RAID in RSTe (CTRL+I)
  2. Set BIOS Boot Mode to UEFI
  3. Plug in ISO mount type enclosure with Win10 ISO mounted (we use StarTech S2510BU3ISO)
  4. NOTE: I had to use the USB2 ports as the USB3 ports did not power the enclosure during boot
  5. F10 during POST
  6. Choose DVDROM - UEFI (name may vary)
  7. Click through and choose ADVANCED Setup
  8. Click on the RAID array logical disk for the OS
    1. NOTE: If any MBR partitions exist they need to be cleaned prior to this step
    2. Use DiskPart in Repair --> CMD
  9. Click NEXT

That should do it!



Thursday, 13 July 2017

Mellanox PPC SwitchX Update v3.6.4006

Mellanox has released a firmware update for their SwitchX switches: v3.6.4006.

We've already updated our two SX1012 switches to v3.6.3508 as per our blog post Mellanox Prep for RoCE RDMA. That means that we'll be able to upgrade without any intermediary steps as per the section Upgrade From Previous Versions.

When looking into the Release Notes for the new firmware version we see:

Note that in our case we are running ConnectX-3 Pro (MCX354A) adapters. So, we'll be keeping firmware 2.4.5030 on those NICs until such time as Mellanox lets us know that we are able to bump them up to 2.4.7000.

Looking in the Changes and New Features section, there doesn't seem to be anything specific to us; however, there are quite a few items listed for versions between v3.6.3508 and v3.6.4006!

There are a few items in the General Known Issues section that we need to be aware of.
  • Point 32: Statistics files are reset which means graphs get reset.
  • Point 49 indicates that a faulty cable may cause other ports to delay their "rise".
  • Point 50 is important. 40GbE passive copper cables 5m in length may experience "rise" issues if connected to a third party 40GbE NIC.
  • Point 93: Break-out Cables
    • Odd ports might suffer from Tx drops even when global flow control is enabled.
      Set the egress pool to 8M using the following command:
      "pool ePool0 direction egress-mc size 8M type dynamic".
  • Point 128: QoS: ETS does not work on SN2100 switch system.

I suggest checking out the Bug Fixes section near the end of the document. ;)
