Thursday, June 2, 2016

Event 10016 DCOM Errors on Windows 10 with CrashPlan

Event 10016, DistributedCOM

The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
 and APPID
 to the user domain\user SID (S-1-5-21-*) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

These Errors occur when CrashPlan runs as the user and tries to backup open files with the Volume Shadow Copy Service (VSS).

To fix the issue, change the permission in the registry then set the permission in DCOM.


  1. Use RegEdit to change the ownership and security of the Application Registry Key
  2. Browse to HKEY_CLASSES_ROOT\AppID\{56BE716B-2F76-4DFA-8702-67AE10044F0B}
  3. RightClick > Select Permissions > Click Advanced > Change the owner to Administrators
  4. Check the box to replace ownership on child objects
  5. Click OK
  6. Allow Full Control for the Administrators Group
  7. Click OK to close
  1. Use dcomcnfg to set the Local Launch and Activation permission for VSS
  2. Browse to Component Services > Computers > My Computer > DCOM Config > Volume Shadow Copy Service
  3. Right Click > Properties > Security Tab > Launch and Activation Permissions
  4. Select Customize > Click Edit
  5. Add the user account that is getting the error > Select Allow Local Launch and Activation
  6. Click OK
  7. Click OK to close

Tuesday, November 24, 2015

Create a new VM from an image

I have two standalone Hyper-V hosts and I needed to create multiple VMs on each host. I don't have SCVMM or any other management suite, so I decided to script the build. Being the good lazy sysadmin that I am, a quick search landed me on Jeffery Hicks page at

Mr Hicks script did almost exactly what I wanted, except he is building from an ISO image. I wanted a fully updated image that was ready to go. This means creating a template and syspreping the system. Now that I have a fully updated Server 2012 R2 vhdx image we can modify the script to use a copy of this as the base for our new systems.

Possible Feature enhancements

  • Currently this script needs to be run from the Hyper-V host, but I plan on improving it to run remotely
  • Add a loop to create multiple machines at once
  • Expand the menu to include Win7, Win8.1, Win10, Server 2008 R2, Server 2016 images

The Script

#requires -version 3.0
Provision a new Hyper-V virtual machine based on a template
This script will create a new Hyper-V virtual machine based on a template or
hardware profile. You can create a small, medium or large virtual machine. All
virtual machines will use the same virtual switch and the same paths for the
virtual machine and VHDX file.  

This script requires the Hyper-V 3.0 PowerShell module.
Credit goes to Jeffery Hicks

PS C:\Scripts\> .\New-VMFromTemplate lab101 -VMType small -passthru
Name       State CPUUsage(%) MemoryAssigned(M) Uptime   Status
----       ----- ----------- ----------------- ------   ------
lab101     Off   0           0                 00:00:00 Operating normally

    [Parameter(Position=0,Mandatory,HelpMessage="Enter the name of your new virtual machine")]

#define parameter values based on VM Type
Switch ($VMType) {
    "small" {
    "medium" {
    "large" {
} #end switch

Write-Verbose "Creating new $VMType virtual machine"

$SwitchName = "v207"
$VMRoot = "D:\Hyper-V"
$VMPath = "${VMRoot}\${VMName}"
$VHDimage = "D:\sysadmin\images\Server2012R2.vhdx"
$VHDPath = "${VMPath}\Virtual Hard Disks\"
$VHDName = "${VMPath}\Virtual Hard Disks\${VMName}.vhdx"

mkdir $VHDPath

Convert-VHD -Path $VHDimage -DestinationPath $VHDName

#define a hash table of parameters for New-VM
$newParam = @{
#define a hash table of parameters for Set-VM
$setParam = @{
if ($Passthru) {
Try {
    Write-Verbose "Creating new virtual machine"
    Write-Verbose ($newParam | out-string)
    $VM = New-VM @newparam
Catch {
    Write-Warning "Failed to create virtual machine $Name"
    Write-Warning $_.Exception.Message
    #bail out

if ($VM) {
    Try {
        Write-Verbose "Configuring new virtual machine"
        Write-Verbose ($setParam | out-string)
        $VM | Set-VM @setparam
    Catch {
    Write-Warning "Failed to configure virtual machine $Name"
    Write-Warning $_.Exception.Message
    #bail out

Monday, November 23, 2015

Install .NET Framework 3.5 on Windows 8.1

There are some legacy applications that require .NET Framework 3.5 or older on Windows 8.1. This is a feature that you should be able to add via Windows Feature or download from Windows Updates, but that didn't work for me.

Windows 8.1 Enterprise failed to .Net 3.5 using either method, so I went back to the source. Using the Win8.1 Ent media on USB flash drive, you can add the feature by specifying the source folder.

From and Administrative command prompt:

# Set the drive letter for your flash drive, in my case e:
DISM /Online /Enable-Feature /FeatureName:NetFx3 /All /LimitAccess /Source:e:\sources\sxs

I created a batch script with this command and added to the root of my Win8.1 flash drive to save time in the future.

Friday, October 16, 2015

Generate a Certificate Signing Request (CSR) without IIS

Generate a Certificate Signing Request (CSR)

  1. Log in as an administrator
  2. From a command prompt or the run menu:
    1. To create the certificate in the local machine store (recommended):
      1. Type mmc
      2. On the File menu, click Add/Remove Snap-in.  Click Certificates in the left pane, then click Add.  
      3. Select Computer Account, then click Next.
      4. Select Local Computer, then click Finish.  
      5. Click OK.  
  3. In the left pane expand Certificates (Local Computer), expand  Personal, then click Certificates.  
  4. On the Action menu, click All Tasks, then click Advanced Operations, then click Create Custom Request.
  5. Click Next.
  6. Select Proceed without enrollment policy.  Click Next.
  7. In the Template menu, select (No template) CNG key, and verify that Suppress default extensions is not selected.  (Note:  Some software may not be compatible with CNG keys.
  8. Under Request Format, select PKCS #10.  Click Next.  
  9. Click the arrow next to Details to expand the selection.  Click Properties.  
  10. On the General tab, provide a Friendly name and Description for the certificate.  These can be anything you want.  
  11. On the Subject tab, in the Subject name box:
    1. In the Type menuselect Common name
    2. In the Type menuselect Organization.
    3. In the Type menu, select Organizational Unit.
    4. In the Type menu, select Street Address.
    5. In the Type menu, select City.
    6. In the Type menuselect State.
    7. In the Type menuselect Country.
  12. (Optional) If you want to restrict how this certificate can be used, you can select the appropriate options under Key usage and Extended Key Usage on the Extensions tab.  
  13. On the Private Key tab, expand Cryptographic Service Provider.  Select RSA, Microsoft Software Key Storage Provider.  Make sure no other options are selected. 
  14. On the Private Key tab, expand Key Options.  
  15. In the Key size menu, select a value of at least 2048.  
  16. Select Make private key exportable.
  17. Click OK.
  18. Click Next.
  19. Choose a file name and location for the CSR.  Select Base 64.  Click Finish

For more detailed information and how to add a SAN, check out the Microsoft Technet page below.

How to Request a Certificate With a Custom Subject Alternative Name

Tuesday, April 21, 2015

RDS On Windows Server 2012 R2

RDS in Server 2012 R2

RDS in Server 2012 R2 is cake wake walk, but I didn't need all the fancy features. I just needed a simple RDS server with Per User licensing for running Windows specific application from a Debian Linux.


To solve the Licensing issue, I found a TechNet blog with the fix.

Configuring License server manually

There might be situation when you want to configure License server on the RD Session Host or on the RD Virtualization Host manually since you do not have any RD Connection Broker in your environment. You have already configured RD Session Host server or Virtualization Host Server as required and now you want to configure the License server which is already installed and configured with licenses. All you are left to do is configure the License Server and the Licensing mode on the corresponding RD session Host or Virtualization Host servers.

Note The following commands must be ran from an Administrative PowerShell prompt.

To configure the license server on RDSH/RDVH:
$obj = gwmi -namespace "Root/CIMV2/TerminalServices" Win32_TerminalServiceSetting
Note “License” is the name of the License Server in the environment

To verify the license server configuration on RDSH/RDVH:
$obj = gwmi -namespace "Root/CIMV2/TerminalServices" Win32_TerminalServiceSetting
To change the licensing mode on RDSH/RDVH:
$obj = gwmi -namespace "Root/CIMV2/TerminalServices" Win32_TerminalServiceSetting
$obj.ChangeMode(value) - Value can be 2 - per Device, 4 - Per user
To validate the licensing mode:
$obj = gwmi -namespace "Root/CIMV2/TerminalServices" Win32_TerminalServiceSetting
$obj. LicensingType
* To add the license server to the 'Terminal Server License Servers' group in AD, you need to be a domain admin or have the domain admin add the computer account to the group ahead of time. I ended up doing it after and it worked, but kept reporting an error in the licensing diagnostic.


rdesktop stable version 1.8.3 appears to correct the issues I was seeing with graphics and the drive redirection, but it is having issues with spanning dual monitors if they are not the same resolution.

downloaded and compiled the latest version and using the following connection parameters, things are looking better
>rdesktop -u <username> -d <domain> -r disk:home=$HOME [-g <% or WxH> | -f <fullscreen>] rdshost.fqdn

I am not using credssp, but you need to choose during the compile to have the option

Wednesday, April 1, 2015

Broken domain trust when reverting VM to old checkpoint

I keep setting up test virtual machines for various projects, get it perfect, then set a checkpoint. Weeks go by and I finally get around to testing. Then when everything is done, revert to the last checkpoint. The VM boots and will not log on due to broken domain trust, the Machine Password has changed.

This is probably better documented else where, but this is documentation for myself with a preamble rant.

To prevent this issue, disable the machine password change in the registry. Here is a rough powershell script to run on your test lab VM's. This will be added to a configure VM master script that will do multiple functions, but I'm starting here because you have to start somewhere. 

    Disables machine password changes for virtual machines
    This script disables machine password changes for Windows 7 Guest VMs
    allowing the restoration of older snapshots without losing domain trust.
    Note : Elevated permissions are required to execute this script.
           Cross-domain scenarios are supported by this script.

    Name     : Set-DisablePasswordChange.ps1

$result = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -Name DisablePasswordChange -ErrorAction SilentlyContinue
if ($result.DisablePasswordChange -eq 0)
    $result = Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -Name DisablePasswordChange -Value 1 -PassThru
    Write-Host "Successfully Disabled Machine Password Change"
elseif ($result.DisablePasswordChange -eq 1)
    Write-Host "Machine Password Change is already Disabled"