Tuesday, April 11, 2017

[SOLVED] Cisco VPN Client on Windows 10 (Including the new build 15063 Creator's Build) - This works!

Updated 04/11/2017 for build 15063 Creator's Update
Please see my edits below for notes on build 1607 and build 1511.

Here's how to get it working in 2 easy steps:

1. Download and install the Sonicwall 64-bit VPN client from HERE (as of this writing). NOTE: Make sure you are using the latest version of this client.  Older versions may not work properly.

2. Install the Cisco VPN client.  Edit:  If you get an error that it cannot run on this operating system then just extract the .exe file using WinRar or a similar program and run the .msi file.  Problem solved.
3. Perform a quick registry edit: (This step is almost always not optional any longer)
  • Open Regedit
  • Browse to the registry key HKLM\SYSTEM\CurrentControlSet\Services\CVirtA
  • Select the display name to modify:
    • x86 - "@oem8.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter" to "Cisco Systems VPN Adapter"
    • x64 - "@oem8.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter for 64-bit Windows" to "Cisco Systems VPN Adapter for 64-bit Windows"
  • Reboot
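
The registry edit from step 3, scripted as an added example (not part of the original post). It assumes an elevated PowerShell prompt; the function name Repair-CVirtADisplayName and the backup file location are choices made for this example. It previews the change with -WhatIf and exports the key before writing.

```powershell
# Added example: check and repair the CVirtA DisplayName from an elevated prompt.
function Repair-CVirtADisplayName {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\CVirtA'
    )

    if (-not (Test-Path -LiteralPath $KeyPath)) {
        Write-Warning "$KeyPath not found; the Cisco VPN client does not appear to be installed."
        return
    }

    $current = (Get-ItemProperty -LiteralPath $KeyPath -Name DisplayName -ErrorAction Stop).DisplayName

    # A broken value carries an '@oem...' driver reference in front of the real name,
    # separated by ';'. Match on that shape so the oem number does not matter.
    if ($current -notmatch '^@[^;]*;(?<name>Cisco Systems VPN Adapter.*)$') {
        Write-Output "DisplayName needs no change: '$current'"
        return
    }
    $fixed = $Matches['name']

    if ($PSCmdlet.ShouldProcess($KeyPath, "Set DisplayName to '$fixed'")) {
        # Keep a .reg backup of the service key before changing it.
        $backup  = Join-Path $env:TEMP ('CVirtA-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
        $regPath = $KeyPath -replace '^HKLM:\\', 'HKLM\'
        & reg.exe export $regPath $backup /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Backup of $regPath failed; nothing was changed." }

        Set-ItemProperty -LiteralPath $KeyPath -Name DisplayName -Value $fixed
        Write-Output "DisplayName: '$current' -> '$fixed' (backup: $backup). Reboot to finish."
    }
}

# Preview first, then run again without -WhatIf to apply.
Repair-CVirtADisplayName -WhatIf
```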

The first two steps worked for me without the need for a registry edit.  I checked and the settings were already spelled correctly on my machine.  Full disclosure: my systems are clean Windows 10 installs without being upgrades.

Without installing the Sonicwall client first you will get Error 433 after trying to connect.  Checking the logs shows that it cannot download the key to complete the secure connection.

What happens is that the Sonicwall client adds the DNE Lightweight filter network client on the machine.  I tried getting it directly from Citrix and installing it that way but was unsuccessful.

Using this method you can now get some more use out of the Cisco VPN client.  If you prefer you can uninstall the Sonicwall client afterward.  I've been told by several people that the DNE software remains even after the Sonicwall client is removed.

Build 15063 Creator's Update EDIT: Updated 04/11/2017

WARNING:  You should uninstall the Cisco VPN client prior to running this upgrade, because that makes repairing it afterward much easier.  All of the steps above still work on this latest "Creator's Build" upgrade of Windows 10.

Now for the not-so-fun-details.  I didn't uninstall prior to the upgrade and proceeded to spend the next 30 minutes clearing out registry entries until I finally found the right one to let me reinstall the product using the .MSI file.  After doing that, and making the registry edit, my VPN client is again working properly.

Version 1607 Build 14393.10 EDIT: Updated 08/03/2016

All of the steps above still work on this latest "Anniversary" build of Windows 10.  As with the 1511 build mentioned below, you will have to run a repair on the program or just do a clean install to get it working because Microsoft yet again determined that they would control which program we use.

You can go HERE to download the latest version of the media downloader and get version 1607.

And not to be left out HERE is a link to all of the new features in 1607 for IT pros.

As I update my Windows 10 machines I'll post updates if there are any issues or errors I run across with this build.  As I always say.... good luck.

BUILD 1511 EDIT: Updated 1/20/2016

I'm getting a lot of feedback about networking being broken after 1511.  I would highly advise you remove the Cisco VPN client and Sonic Global client software prior to installing build 1511.

I have now upgraded three different systems to 1511.  By removing both the Sonicwall and Cisco VPN software first, I had zero issues with it working properly afterward.

However, if the upgrade went through already, here's what you can do to help mitigate these issues.  There's no guarantee this is going to work but I have had two instances where the Cisco VPN software was removed by the 1511 upgrade and I was able to get it working by following the next steps below:

First just reinstall the VPN client using the .MSI file and not the .EXE file.  This will bypass Windows 10 checking the compatibility as I listed at the top.  Next just make the registry edits again and you'll be good to go.  After the registry edits, I have not had to restart but you can if you feel the need just to be sure.

If this does not work, as an extra step you will need to reset all networking on Windows 10.  Luckily this is pretty easy to do.

- Open an administrator command prompt
- Run "netcfg -d"
- Reboot and reconfigure your networking as needed.

Here's a sample of the output you will see:

Microsoft Windows [Version 10.0.10586]
(c) 2016 Microsoft Corporation.  All rights reserved.

C:\WINDOWS\system32>netcfg -d
SetupDiCallClassInstaller Erorr: 0x6
SetupDiCallClassInstaller Erorr: 0x6
SetupDiCallClassInstaller Erorr: 0x6
SetupDiCallClassInstaller Erorr: 0x6
SetupDiCallClassInstaller Erorr: 0x6
SetupDiCallClassInstaller Erorr: 0x6
SetupDiCallClassInstaller Erorr: 0x6
SetupDiCallClassInstaller Erorr: 0x6
NetSetup object deleted successfully on MUX
Successfully commited changes to the registry
Successfully commited changes to the registry
We are going to reboot now to complete the clean up. Save all of your work.

Press any key to continue…

I hope this helps out with the additional headaches caused by 1511.  As always if I find any more useful information with future updates to Windows 10 that affect this software, I'll be sure to update the post.

Good luck!

Friday, March 10, 2017

[SOLVED] How to Resolve Error 8614

I ran into this issue with two Domain Controllers that would not replicate.  DC2 was getting this error: "The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime"

Below are the steps I went through in order to remedy this situation, and they worked like a charm.

1. Verify which Domain Controller raised the 8614 error by using:

> repadmin /showrepl
> repadmin /showreps

* Run these commands on any DC other than DC-A.

* In addition, open Event Viewer; in Applications and Services Logs\Directory Service, you will see an error with event ID 2042.

According to the Microsoft knowledge base, this may be because the domain controller contains so-called lingering objects: http://support.microsoft.com/kb/2020053. This is the most likely reason for the error, because everything else is OK (time, default tombstone lifetime).

2. So, I have to remove those lingering objects from all DCs:

> repadmin /removelingeringobjects DC-A.MYDOMAIN.COM 5b0b944e-de7b-4f96-942b-1e040169db36 "CN=Configuration,DC=MYDOMAIN,DC=COM"


+ 5b0b944e-de7b-4f96-942b-1e040169db36: the GUID of DC-A. You can get it from the command repadmin /showrepl DC-A.

+ "CN=Configuration,DC=MYDOMAIN,DC=COM": the NC in which DC-A raises the error (from the output of the command repadmin /showrepl)

* Repeat in all other DCs in forest.

3. Evaluate setting strict replication on all DCs in forest:

> repadmin /regkey * +strict

4. Set "Allow replication with divergent and corrupt partner = 1" on all DCs:

> repadmin /regkey * +allowDivergent

5. Flush DNS Cache and restart netlogon service in DC-A:

> ipconfig /flushdns

> net stop netlogon

+ Rename the netlogon.dns and netlogon.dnb files, which are located in C:\Windows\System32\

> ipconfig /flushdns

> net start netlogon (this command will re-create the netlogon.dns and netlogon.dnb files)

> ipconfig /registerdns

6. Check the replication of all DCs again using repadmin and Event Viewer

> repadmin /showrepl

7. Delete "Allow replication with divergent and corrupt partner" or set "Allow replication with divergent and corrupt partner = 0" in the registry of all DCs.

> repadmin /regkey * -allowDivergent

8. Check the replication of all DCs again using repadmin and Event Viewer

If you performed everything correctly, the Domain Controllers will now replicate successfully.
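
A preview pass for step 2, as an added example that is not part of the original post: it runs the same repadmin command against every DC in the forest with the /advisory_mode switch, which reports lingering objects without deleting them, so the result can be reviewed before the real removal. It assumes the ActiveDirectory PowerShell module and repadmin.exe are available where it runs; the GUID and naming context are the post's sample values.

```powershell
# Added example: report lingering objects on every DC without removing anything.
Import-Module ActiveDirectory

# Sample values from step 2 of the post; replace with your own.
$ReferenceGuid = [guid]'5b0b944e-de7b-4f96-942b-1e040169db36'
$NamingContext = 'CN=Configuration,DC=MYDOMAIN,DC=COM'

# Collect every DC in every domain of the forest.
$dcs = foreach ($domain in (Get-ADForest).Domains) {
    Get-ADDomainController -Filter * -Server $domain
}

$results = foreach ($dc in $dcs) {
    # The DSA GUID that repadmin expects is the objectGUID of the DC's NTDS Settings object.
    $dsaGuid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Server $dc.HostName).ObjectGUID

    # A DC is not compared against itself.
    if ($dsaGuid -eq $ReferenceGuid) { continue }

    # /advisory_mode only logs what would be removed on the destination DC.
    $output = & repadmin.exe /removelingeringobjects $dc.HostName `
        $ReferenceGuid.ToString() $NamingContext /advisory_mode 2>&1

    [pscustomobject]@{
        DestinationDC = $dc.HostName
        ExitCode      = $LASTEXITCODE
        Output        = ($output -join "`n")
    }
}

# Review the per-DC results, then check the Directory Service event log on each DC.
$results | Format-List
```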

Tuesday, March 07, 2017

How to install a HPE CPxxxxxx.scexe firmware update on your ESXi Host

Follow the steps below to make it happen:
(The most common reason for failure is a missing executable permission.)
  • Enable SSH on your ESXi host (configuration tab, Security Profile, Properties)
  • Copy the CPxxxxxx.scexe file to /tmp on your ESXi Host using, e.g., WinSCP
  • Logon as root at your ESXi host and change to /tmp
  • Check with “ls” if your CP file is there
  • Change file permission to executable: “chmod +x CPxxxxxx.scexe”
  • Run the file: “./CPxxxxxx.scexe”
After you have completed these steps, reboot the host and you are done.  If you enabled SSH only for this update, disable it again afterward.

Good luck!

Thursday, October 06, 2016

Windows Server 2016 Licensing Explained

Microsoft Windows Server 2016 became officially available recently on 9/26/2016 and as I'm sure you have heard the licensing changed from a per processor model to a per core model.

Before you read any further, here's a simple thing to keep in mind when purchasing this new licensing model:

Once you have enough cores purchased (16 core minimum) to cover the metal, every 8 packs (16 cores) of licensing cover 2 more virtual machines.

The first thing that people have had a hard time understanding is the new "Per Core" licensing.  Even with Microsoft's own explanation it seemed impossibly hard to understand, so I'm going to try to break it down simply so everyone can get a quick grasp on how it works.

Server 2016 licensing is sold in 2 core packs.  The very minimum, no matter how small your server is, is a 16 core purchase.  Microsoft says this would be the same cost as Server 2012 R2 Standard licensing.

You purchased a small server for a business that has only 4 cores and 8G RAM.  The correct licensing for Server 2016 would be 16 cores purchased.

You MUST cover all cores on the server prior to taking into consideration the number of virtual machines if it is a VM host.

Your server has 2 processors that are 12 cores each.  Total of 24 cores.  You plan on only running 2 virtual machines on this server.  You must purchase 12 x 2 packs of Server 2016 core licensing.  If you move up to 4 virtual machines guess what?  You're going to need to purchase another 4 packs of licensing to cover the next two.  This is a total of 16 packs and every 8 packs = 2 VMs.

After you have covered the number of cores on the physical server, every 8 packs (16 cores of licensing) after that will give you two more virtual machines of no more than 8 cores each.

Your plan is to run 5 virtual machines on a server with 2 x 8 core processors.  You must purchase the initial 8 packs (16 cores) to cover the server's physical processors.  Then from there you must purchase another 8 packs for the next 2 virtual machines and then another 8 packs for the 5th virtual machine, leaving you 1 more virtual machine you can build without needing more licensing.

So far this news isn't extremely terrible but there are two more things on top of all of this you need to know.

1. Once you approach the 8th virtual machine, it becomes more cost effective with the new licensing model to purchase the Datacenter edition.  The cost is going to be very high for customers so virtual server sprawl is going to start being a real issue.

2.  Microsoft says you MUST license a virtual host to carry all of your virtual machines in the event of a failure of one host.  This is a massive cost purchase in the event of a multi-host virtual environment.

Let me explain that one a bit better.  You have a decent sized business with three VMware hosts.  Each host has 2 x 10 core processors and you're running 24 virtual machines evenly spaced out over all three hosts so you have a 3 x 8 scenario with your virtual machines.

Microsoft now says you must purchase not just a total of 96 packs (remember 2 cores per pack) but you must purchase a total of 96 packs x 3 hosts in the event that two of them were to go offline and you have to run all of your VMs on one host and because you can vMotion them around.  This simply means a business would now need to purchase 288 cores of licensing to be properly licensed.

I know this is a bit wordy but I hope it makes a little better sense than all of the other confusing information out there about it.  I'm confident this is correct as our licensing supplier has been through the official training and this was how it was explained to me.

Good luck.

Monday, September 19, 2016

ESXi 6 - The Primary GPT table states that the backup GPT is located beyond the end of the disk

I was attempting to reinstall ESXi 6.0 on a server that had a previous datastore on a RAID 5 array.  The array was missing a disk so I destroyed and recreated the array minus the missing disk and decided to just do without the storage of the one disk.

When I attempted to add the array into my fresh ESXi 6 load I got this error:

Call "HostDatastoreSystem.QueryVmfsDatastoreCreateOptions" for object "ha-datastoresystem" on ESXi "xxx.xx.xxx.xxx" failed

Not knowing how to fix this I did some research and found out a quick and easy repair.

1. Enable SSH on the VMware host.
2. Connect and run "ls -lha /vmfs/devices/disks" and this will list your disks with their disk ID.
3. Run the following command on the disk "partedUtil getptbl /vmfs/devices/disks/naa.5000c501234597a333"

This will return the following output if you have chosen the correct disk:

Error: The primary GPT table states that the backup GPT is located beyond the end of disk. This may happen if the disk has shrunk or partition table is corrupted. Fix, by writing backup table at the end? This will also fix the last usable sector appropriately as per the new reduced size. diskPath (/dev/disks/naa.5000c501234597a333) diskSize (286748000) AlternateLBA (570310655) LastUsableLBA (570310622)
Warning: The available space to /dev/disks/naa.5000c501234597a333 appears to have shrunk. This may happen if the disk size has reduced. The space has been reduced by (283562656 blocks). You can fix the GPT to correct the available space or continue with the current settings ? This will also move the backup table at the end if it is not at the end already. diskSize (286748000) AlternateLBA (570310655) LastUsableLBA (570310622) NewLastUsableLBA (286747966)
Error: Can’t have a partition outside the disk!
Unable to read partition table for device /vmfs/devices/disks/naa.5000c501234597a333

Apparently deleting the RAID array didn't fully erase all of the previous partition information.  Now it needs to be cleared manually.

4. Run the following to clear it:  "partedUtil setptbl /vmfs/devices/disks/naa.5000c501234597a333 msdos".  This overwrites the partition table on that disk, so double-check the disk ID from step 2 first.

That's all there is to it.  Creating an msdos partition table on the disk clears the previous error and allows ESXi to create a datastore there with no errors.

Good luck!

This is ve

Friday, July 01, 2016

[SOLVED] Blank Screen after ECP Login Exchange 2013/2016


After logging into the Exchange ECP with the correct credentials you get just a blank screen with no error messages.  This will almost always happen if you remove a certificate using the certificates MMC or even sometimes if you remove one using the ECP.

Below is what you need to check to fix this problem:

Since this change is not reflected in the backend website you have to make sure that the Exchange ECP site is looking at the same certificate in both locations.

IIS Default Site SSL Certificate

IIS Back End SSL Certificate

The certificate choice in both of these locations has to match exactly; once it does, the issue is resolved.

Good luck!

Thursday, April 28, 2016

[SOLVED] Windows 10 File Explorer Not Responding, Freezing, Locking Up

So lately this problem for me has gotten out of hand.  After some research on the web and a couple of Microsoft articles here's what you can do to fix this issue:

1. Open Control Panel
2. Select File Explorer Options
3. Click on CLEAR at the bottom beside "Clear File Explorer History".

Apparently bad data in this window can cause Explorer to freeze up.

One more thing.  If this doesn't work then change the option at the top of the File Explorer Options to open to "This PC" instead of the default which is quick access.

Hope this helps if you're running into this issue.

Monday, January 04, 2016

UCS login Error: Java.io.IOException: Invalid HTTP Response

So trying to check our UCS server I ran into this issue today.

If you aren't running the latest UCS software then certain versions of Java will toss this error.  If you need to get logged in and don't have the option for updating the UCS software right away then here's how you can get around it.

Just enable HTTP via SSH and you can then login.  Remember to disable this once you have your UCS software and Java versions current because until you do everything is transmitted in clear text.

UCS# scope system
UCS /system# scope services
UCS /system/services# enable http
UCS /system/services# disable http-redirect
Warning: When committed, this closes all web sessions
UCS /system/services# commit

Once this is done you can connect to the UCS Manager without the error.

Tuesday, November 17, 2015

Exchange Calendar Permissions Using PowerShell

With Exchange 2010 and now extended into Exchange 2013 and 2016, Microsoft added the ability to manage permissions on folders in a user's email account through PowerShell.

The most common is managing calendar permissions.  Here's an example of some commands:

To get the permission on a mailbox:

Get-MailboxPermission -Identity "Boss Hog"

To get the permissions of a subfolder:

Get-MailboxFolderPermission -Identity "Boss Hog:\Calendar"

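To add permissions on a subfolder (Add-MailboxFolderPermission creates a new entry for the user; use Set-MailboxFolderPermission to change an entry that already exists):

Add-MailboxFolderPermission -Identity "Boss Hog:\Calendar" -User "Roscoe" -AccessRights Reviewer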

To remove permissions on a subfolder:

Remove-MailboxFolderPermission -Identity "Boss Hog:\Calendar" -user "Roscoe"

Here's also a list of all of the permissions you can assign.  HERE is a link to Office support with some details on what each of these permission levels can do.

  • None
  • Free/Busy
  • Free/Busy, Subject, Location
  • Contributor
  • Reviewer
  • Nonediting Author
  • Author
  • Publishing Author
  • Editor
  • Publishing Editor
  • Owner

Hopefully this will give you some assistance when you need to edit calendar permissions without the need to log in as that user account and then use Outlook to make the edits.  Granted that's the GUI route but this works best from an Exchange administrator's perspective.
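
The same cmdlets turned into a permission review, as an added example that is not part of the original post: it lists calendars where the Default or Anonymous entries can see more than free/busy, or where a named user holds an editing role. It assumes the Exchange Management Shell; the output path is a placeholder, and in PowerShell the two free/busy levels from the list above are named AvailabilityOnly and LimitedDetails.

```powershell
# Added example: report calendar grants that deserve a second look.
$everyone   = 'Default', 'Anonymous'
$lowRights  = 'None', 'AvailabilityOnly', 'LimitedDetails'
$highRights = 'Editor', 'PublishingEditor', 'Owner'

$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    # The calendar folder name is localized, so find it by folder type
    # instead of assuming it is called "Calendar".
    $cal = Get-MailboxFolderStatistics -Identity $mbx.Identity -FolderScope Calendar |
        Where-Object { $_.FolderType -eq 'Calendar' } |
        Select-Object -First 1
    if (-not $cal) { continue }

    $folderId = '{0}:\{1}' -f $mbx.PrimarySmtpAddress, $cal.Name

    foreach ($perm in Get-MailboxFolderPermission -Identity $folderId) {
        $user   = "$($perm.User)"
        $rights = @($perm.AccessRights | ForEach-Object { "$_" })

        $reason = if ($user -in $everyone -and @($rights | Where-Object { $_ -notin $lowRights })) {
            'Default/Anonymous can see more than free/busy'
        } elseif ($user -notin $everyone -and @($rights | Where-Object { $_ -in $highRights })) {
            'Named user can edit or owns the calendar'
        }

        if ($reason) {
            [pscustomobject]@{
                Mailbox      = $mbx.PrimarySmtpAddress
                Folder       = $cal.Name
                User         = $user
                AccessRights = $rights -join ','
                Reason       = $reason
            }
        }
    }
}

# Placeholder output path for this example.
$report | Sort-Object Mailbox, User | Export-Csv -Path .\calendar-permission-review.csv -NoTypeInformation
$report | Format-Table -AutoSize
```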

Good luck!

Thursday, August 27, 2015

Convert Cisco 1700/2700 Series APs to Autonomous Mode

For smaller environments it's not always cost effective to buy a WLC so the need arises to put the APs into autonomous mode.

Since the 1700/2700 series APs ship in lightweight mode, here's how to change them over to autonomous mode:

1.  Log in to www.cisco.com
2.  Click on "Support" at the top of the page.
3.  Click the "Downloads" button.
4.  Select "Wireless" from the left side.
5.  Select "Access Points".
6.  Select "Cisco 1700 Series Access Points".
7.  Select "Cisco Aironet 1702i Access Points".
8.  Click "Autonomous AP IOS Software".  As of this writing the latest version is 15.3.3-JBB1(ED)
9.  Connect to the AP using a console cable.
10.  Power on the AP.  If you have a POE switch then that way is best.  If not use a power injector or power cord for the AP.
11.  Start a TFTP server on your laptop or PC and set the LAN interface to
12.  Open a serial connection to the AP.  Once the boot up finishes log in.  Remember the default password is Cisco.
13.  Enter the following commands in this order:

  • enable
  • debug capwap console cli
  • debug capwap client no-reload
  • capwap ap ip address
  • capwap ap ip default-gateway
  • archive download-sw /force /overwrite tftp://

14.  Once the upload, extraction, and installation are complete (3 to 5 minutes) the AP will restart.
15.  Once the restart is completed log in and do a show version command.
16.  Verify the AP now provides access to the full suite of IOS commands.
17.  Configure as needed.

If you get any errors from the AP while it is still in lightweight mode during this process I find it easiest to just put these commands into a text file and then paste them into Putty vs trying to type them in with the lines scrolling.

I hope this helps you get your APs set up faster without having to deal with a complicated process.

Good luck.