Oct 18 2017

Well, it’s October 18th 2017 and the Fall Creators Update (Feature update to Windows 10, version 1709) is now available for download. In my particular environment, I use WSUS to deploy and manage updates.

Update: It’s now May 2018, and this article also applies to Windows 10 April 2018 update version 1803 as well!

Update: It’s now October 2018, and this article also applies to Windows 10 October 2018 update version 1809 as well!

Update: It’s now May 2019, and this article also applies to Windows 10 May 2019 update version 1903 as well!

I went ahead earlier today and approved the updates for deployment; however, I noticed an issue on multiple Windows 10 machines, where the Windows Update client would get stuck on the “Downloading updates 0%” status.

I checked a bunch of things, but noticed that the clients simply couldn’t download the updates from my WSUS server. Further investigation found that the feature updates are packaged in .esd files, and IIS will not serve a static file whose extension has no MIME type mapping unless a minor modification is made. I remember applying this fix in the past, however I’m assuming it was removed by a prior update on my Windows Server 2012 R2 server.

If you are experiencing this issue, here’s the fix:

  1. On your server running WSUS and IIS, open up the IIS manager.
  2. Expand Sites, and select “WSUS Administration”
  3. On the right side, under IIS, select “MIME Types”
  4. Make sure there is not already a MIME type for .esd. If there is, you’re having a different issue; if not, continue with the instructions.
  5. Click on “Add” on the right Actions pane.
  6. File name extension will be “.esd” (without quotations), and MIME type will be “application/octet-stream” (without quotations).
  7. Reset IIS or restart the WSUS/IIS server.
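The same check-then-add procedure, scripted with the IIS WebAdministration module so it can be re-applied after a server update removes the mapping again. This is an added example and not code from the original post; it assumes the site is named “WSUS Administration” as in the steps above and is run from an elevated PowerShell prompt on the WSUS/IIS server.

```powershell
# Added example (not from the original post): verify and add the .esd MIME type on the
# "WSUS Administration" IIS site. Assumes the site name used in the post; run elevated.
Import-Module WebAdministration

$siteName  = 'WSUS Administration'
$extension = '.esd'
$mimeType  = 'application/octet-stream'
$sitePath  = "IIS:\Sites\$siteName"

# Step 4 of the post: is there already a mapping for .esd (site-level or inherited)?
$existing = Get-WebConfiguration -PSPath $sitePath `
    -Filter "system.webServer/staticContent/mimeMap[@fileExtension='$extension']"

if ($existing) {
    # Per the post, a mapping that already exists points at a different problem.
    Write-Host "$extension is already mapped to '$($existing.mimeType)' on '$siteName'; look elsewhere."
} else {
    # Steps 5-6: add the mapping to the site's staticContent section.
    Add-WebConfigurationProperty -PSPath $sitePath `
        -Filter 'system.webServer/staticContent' -Name '.' `
        -Value @{ fileExtension = $extension; mimeType = $mimeType }
    Write-Host "Added $extension -> $mimeType on '$siteName'."

    # Step 7: restart IIS so the new mapping is picked up.
    iisreset
}
```

Running the script a second time reports the existing mapping instead of adding a duplicate, which is the same distinction step 4 draws between this issue and some other download problem.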

You’ll notice the clients will now update without a problem! Happy Updating!

Sep 23 2016

Quite a few of us started off deploying Small Business Server (SBS 2008, SBS 2011) environments back in the day, loving the handy all-in-one package taking care of everything from Active Directory and Exchange to disaster recovery and business continuity. However, some of these old environments are starting to catch up with us. I wanted to open a discussion on a big issue I had a couple of years ago in one of my first migrations from SBS 2008 to Windows Server 2012 R2 with the Essentials Experience role installed, with Exchange Server 2013.

As most of you know, SBS comes packaged to push “.local” domains on initial domain configuration. This used to be considered best practice, and most of us even configured .local domains on non-SBS environments. This has never really posed any problems for us I.T. guys, except for a few configuration considerations when setting up Outlook clients, DNS, etc…

Now if you’re like me, another thing I always configured was user accounts that didn’t match e-mail addresses. An example would be “John Doe”, with the username of “JohnD”, and the e-mail address of “[email protected]”. Also, our buddy John Doe would have an AD UPN of [email protected] (this was automatically populated on user setup).

User’s Name: John Doe

SAM Account Name: INTERNALDOMAIN\JohnD

Username: JohnD

AD UPN: [email protected]

E-mail Address: [email protected]


I always liked this as it provided some protection if the user’s password ever got compromised (in a phishing attack, fake e-mail logon page, etc…), as the password could not actually authenticate when using the e-mail address as a username (the username was never actually provided in the attack, only the e-mail address).

Now let’s flash forward to this migration from SBS 2008 to Windows Server 2012 R2 with Essentials Experience, and throw Exchange 2013 into the mix. Right off the bat, everything is working fine: Outlook 2010 is working great, Outlook 2013 is working great. Then BAM, Outlook 2016 comes out!

Outlook 2016 does not allow manual or custom configuration of Exchange accounts. They do this for “reliability” and ease of configuration. This means that you HAVE to have autodiscover set up and working fluidly. No more manual configuration. Internally inside of the LAN this is all automatic if you configured Exchange properly, but you will have to configure autodiscover externally.

Internally on the LAN, Outlook 2016 clients have absolutely no issues, and authentication is working fine (no password prompts). However, when configuring external users, while you can eventually get it configured, the user is constantly prompted for credentials on every Outlook start.

On these password prompts, you’ll notice it’s authenticating for the user’s e-mail address. In this example, it asks for “[email protected]”; you enter “INTERNALDOMAIN\JohnD” and the password, and it works for the session, but it keeps prompting on every fresh Outlook start.

I did massive amounts of research, and seriously, I could not come across one article that actually provided all the information I needed; it almost seemed as if this problem was specific to this single environment. Of course, this made me think I had something configured incorrectly, and I literally spent forever searching for information, checking the virtual directories on my Exchange server, checking logs, wasting tons and tons of time.

Finally after checking my configurations 6-10 times each and spending weeks, I realized it had nothing to do with anything configured incorrectly.

Outlook 2016 does all the configuration automatically, and expects to find everything it needs via autodiscover. Put simply, the user’s UPN must match their e-mail address.

This means we have to change John Doe’s Active Directory UPN to match his e-mail address. The SAMAccountName still remains the same, so his login to his computer will not change, however after the change he will now be able to log in both with INTERNALDOMAIN\JohnD and [email protected].

First we have to add the UPN suffix (which is the actual e-mail address domain name) to the Active Directory Domain and Trusts. Instructions are available here: https://support.microsoft.com/en-us/kb/243629. Please note Microsoft has since deleted the original knowledge base article so I created a blog post to outline the instructions here: https://www.stephenwagner.com/2018/10/16/how-to-add-an-alternative-upn-suffix-to-an-active-directory-domain/.

After adding your e-mail domain to the UPN suffix list, go into “Active Directory Users and Computers” and view a user’s properties. You’ll notice that in the UPN section you can drop it down and change it from internaldomain.local to contoso.com (using my example domains). You can also change the username inside of the UPN.


Essentially for Johny boy, his AD properties window now looks like:

User Logon Name:

[email protected] (we changed the name, and chose the external domain in the drop-down to the right)

User logon name (pre-Windows 2000):

INTERNALDOMAIN\JohnD (we left this the way it was)


John can now log in using either “INTERNALDOMAIN\JohnD” or “[email protected]”. As far as John is concerned we haven’t changed anything; he still logs in using the same format he always has, totally unaware of any changes.

Surprise surprise, autodiscover is now fully functioning for this user. Not only for easy configuration on mobile devices (iPhones, Windows Phones, etc…), but he can now load up Outlook 2016 away from the LAN on the Internet, type in his e-mail address, password, and BAM he’s good to go!

I am a little bit unsettled in the fact that the e-mail address now becomes a fully accepted username on the domain (for security reasons), but I guess we’re stuck with that!


In short, our problem is:

  1. Username doesn’t match e-mail (JohnD username, [email protected] email)
  2. Running Outlook 2016 and forced to use auto-discover, repeated password prompts
  3. Running .local domain internally, while using different domain externally

In short, to fix this:

  1. Add UPN Suffix to Active Directory
  2. Change the user’s properties so that the UPN matches the e-mail address; DO NOT CHANGE the old DOMAIN\Username setting

Other Considerations:

  1. Password prompts on Outlook clients can mean a whole bunch of different problems totally unrelated to this configuration and issue. Always fully diagnose and confirm the issue before applying fixes. Password prompts can mean authentication problems, problems with Exchange’s virtual directories, issues with autodiscover, issues with certificate configuration, etc…
  2. If this is your specific issue, you can write a script to run through and update the UPNs on all the accounts. I generally don’t like scripts touching user accounts, so I’m slowly rolling out these changes per user when upgrading them to Outlook 2016. Doing this one by one as we upgrade, allows us to make sure that none of their mobile devices are affected by the UPN change.
  3. Since we are changing UPNs, this could have a major effect on any 3rd party applications that integrate with Active Directory and rely on UPNs. Always test, and make sure you don’t break any integration points to your 3rd party applications or line of business systems.
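The two fix steps (add the UPN suffix, then set a user’s UPN to their mailbox address while leaving the pre-Windows 2000 logon name alone), scripted one user at a time to match the per-user rollout described in consideration 2. This is an added example and not code from the original post; it uses the ActiveDirectory RSAT module, the post’s example domains (internaldomain.local and contoso.com), and an assumed user “JohnD” with an assumed primary SMTP address on contoso.com. Adding a forest UPN suffix needs enterprise-level rights, so run it as an account that has them.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module (RSAT),
# the post's example domains, and a user JohnD whose mail attribute is on contoso.com.
Import-Module ActiveDirectory

$upnSuffix = 'contoso.com'   # the external e-mail domain from the post's example

# Fix step 1: register the e-mail domain as a UPN suffix on the forest (idempotent).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $upnSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $upnSuffix }
    Write-Host "Added UPN suffix $upnSuffix to forest $($forest.Name)"
}

# Fix step 2: set one user's UPN to their mail attribute. sAMAccountName is never touched,
# so INTERNALDOMAIN\JohnD keeps working exactly as before.
function Set-UpnToMailAddress {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties mail, userPrincipalName
    if (-not $user.mail) {
        throw "$SamAccountName has no mail attribute; there is nothing to match the UPN to."
    }

    # A UPN suffix is valid only if it is a registered suffix or one of the forest's domains.
    $forest        = Get-ADForest
    $validSuffixes = @($forest.UPNSuffixes) + @($forest.Domains)
    $mailDomain    = ($user.mail -split '@')[1]
    if ($validSuffixes -notcontains $mailDomain) {
        throw "$mailDomain is not a registered UPN suffix; add it to the forest first (step 1)."
    }

    if ($user.UserPrincipalName -eq $user.mail) {
        Write-Host "$SamAccountName already has UPN $($user.mail); nothing to do."
        return
    }

    # -WhatIf on this function flows through to Set-ADUser, so a dry run shows the change only.
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Change UPN $($user.UserPrincipalName) -> $($user.mail)")) {
        Set-ADUser -Identity $user -UserPrincipalName $user.mail
        Write-Host "$SamAccountName : $($user.UserPrincipalName) -> $($user.mail)"
    }
}

# Dry run first, then apply for the one user being moved to Outlook 2016.
Set-UpnToMailAddress -SamAccountName 'JohnD' -WhatIf
Set-UpnToMailAddress -SamAccountName 'JohnD'
```

Because the function refuses a suffix that is not registered on the forest, it fails loudly rather than writing a UPN that the domain will not accept for logon, and the dry run gives you the before/after values to record before checking the user’s mobile devices and any UPN-dependent third-party integrations from consideration 3.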


Sep 08 2016

If you’re like me, you probably have your Microsoft account configured the same as your e-mail address. While many people use @live.com or @hotmail.com addresses, some of us prefer to use our actual real e-mail addresses as Microsoft account logins.

Recently, I did a fresh install of Windows 10 on my Microsoft Surface Pro. After joining the Surface to my domain and attaching my Microsoft account, I went to add my Exchange account (which uses the same e-mail address as my Microsoft account). When trying to add it, I was presented with:

There’s already an account set up to use <e-mail address>. (Account Name)

This message stopped me from configuring my Exchange account in the Windows 10 Mail, Calendar, and People apps. Researching this, I noticed numerous other people reporting this problem on multiple forums; however, no one had a fix.

It appears there is a conflict between the Microsoft account (which of course has its own mail, calendar, and contacts) and a separate account with the same e-mail address.

To resolve this, I restarted the machine and logged in using a different account. I then went to “System” under Control Panel, “Advanced System Settings”, the “Advanced” tab, then “Settings” under “User Profiles”. I then proceeded to delete the user profile and restart the system. I confirmed the user profile was fully deleted and then logged back in. Now at this point, the key is to create the Exchange (or any other mail) account before you actually attach your Microsoft account to your system login account. Configuring the e-mail account first avoids this issue.

PLEASE NOTE: By deleting your user profile, you delete all of the contents of the Desktop, My Documents, Music, Pictures, settings, etc… I’d only recommend this if you have either backed up, or are performing this on a fresh install where you currently don’t have any files.

Jul 18 2016

Last Friday I read online that Shaw had released a new offering for their coax (cable) customers: speeds of 150 Mbps down and 15 Mbps up. I checked out their website and found the accompanying business package (Shaw Business Internet 150).

I called up, requested a quote and pulled the trigger. As always, Shaw sweetened the deal for me as I’ve been a long-time customer and have quite a few additional services (phone, extra cable modem, numerous static IPs, etc…).

I had the install booked for today and just got everything set up. Here are some initial speed tests I want to share with you:

[Image: Speedtest.Net test of Business Internet 150]

[Image: Speedtest.shaw.ca test of Business Internet 150]

I have to say I’m quite impressed! I actually had to do some tweaking on my firewall’s IPS system to handle the bandwidth.

The residential plan offers 1TB of data per month, whereas I believe the business plan offers unlimited data.

Happy downloading!


Update: August 13th, 2016

I just wanted to post an update after running with this service for a while now. It’s been great: no changes in speed, and latency is great!

I have, however, identified one issue (observed at some client sites): when scheduled or emergency maintenance is performed on Shaw’s side and the maintenance completes, the cable modem reports as being online, but the internet connection is lost and doesn’t come back up. A restart or power cycle of the Hitron modem is required to bring services back online. I noticed this around a month ago with a client, and found out as of 2 weeks ago that it is a confirmed issue, and Shaw is working on resolving this with the Hitron modems.

Also, some users may be noticing issues with VPN connections. When packets going in or out are larger than 1500 bytes and get fragmented, I noticed on one Hitron modem that the cable modem was dropping these fragmented packets. This is noticeable on VPN connections. Typically a power cycle temporarily resolves this issue, however it occurs again within a couple of days. Shaw confirmed this was a firmware-related issue and rolled back the cable modem’s firmware for that specific client, which resolved the issue. I have not seen this issue occur on my Hitron modem. To test for this issue, send a ping from the affected site towards the internet to a host using this command, or send a ping from the internet to an IP at the affected site:

ping enterhosthere -l 2000

This command will send a 2000-byte ICMP echo request to a host. Typically the MTU on a network is 1500 bytes, so the packet will be fragmented and should still go through. If it drops and you know the destination should accept it, then you are experiencing this issue. You should place a support call, explain the issue and request a firmware downgrade. This may have been resolved by the time I posted this note.
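A wrapper around the same Windows ping command that runs it at several payload sizes on either side of the 1500-byte MTU, so you can see whether only the fragmented packets are lost rather than judging from a single 2000-byte ping. This is an added example, not code from the original post; it assumes an English-language ping.exe (it parses the “Received = N” summary line) and uses the post’s placeholder host name, which you replace with a host you know answers large echo requests.

```powershell
# Added example (not from the original post). Runs Windows ping.exe at increasing payload
# sizes and reports loss per size. Assumes English ping output; 'enterhosthere' is the
# post's placeholder for the destination host.
function Test-FragmentedPing {
    param(
        [Parameter(Mandatory)] [string] $Target,
        # 1472 bytes of payload + 8 ICMP + 20 IP header = 1500, the usual MTU; anything
        # above that is fragmented on the way out.
        [int[]] $Sizes = @(64, 1400, 1472, 2000, 4000),
        [int] $Count = 4
    )
    foreach ($size in $Sizes) {
        # Same command as the post, with -n for the count and -l for the payload size.
        $output   = & ping.exe -n $Count -l $size $Target 2>&1 | Out-String
        $received = if ($output -match 'Received = (\d+)') { [int] $Matches[1] } else { 0 }
        [pscustomobject]@{
            PayloadBytes = $size
            Fragmented   = $size -gt 1472
            Sent         = $Count
            Received     = $received
            LossPercent  = [math]::Round((1 - $received / $Count) * 100)
        }
    }
}

$results = Test-FragmentedPing -Target 'enterhosthere'
$results | Format-Table -AutoSize

# The symptom the post describes: unfragmented pings succeed while every fragmented one is lost.
$fragmented = @($results | Where-Object { $_.Fragmented })
$smallOk    = @($results | Where-Object { -not $_.Fragmented -and $_.Received -gt 0 }).Count -gt 0
$largeDead  = @($fragmented | Where-Object { $_.Received -eq 0 }).Count -eq $fragmented.Count
if ($smallOk -and $largeDead) {
    Write-Warning 'Unfragmented pings pass but all fragmented pings are dropped; matches the modem firmware issue described above.'
}
```

If the small sizes also fail, the host is simply not answering ICMP and the test says nothing about fragmentation; if loss starts only above 1472 bytes, that is the pattern the post attributes to the modem firmware and the evidence to give Shaw support when asking for the downgrade.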

Aug 23 2013

Most of you have heard about Shaw’s announcement in the past regarding their new Fiber to the Curb, or Fiber to the Premise, offering; however, for some reason there are no pictures or documented customers that actually claim to have this service.

Well, I can officially say that one of my clients now has the Fiber to the Premise offering for businesses.

This all started out with me being brought on board to provide them with Managed Services. One of the main problems we’d been having was with the current internet connection (I’m not going to mention who provides it) and how horrible the speeds and reliability were. One of my first initiatives was to see if there were any alternatives. Unfortunately, due to their location (the Foothills Industrial Area), Shaw coax was not available. I sourced out numerous other providers and we were just about to switch to a wireless internet service provider, until I decided to call Shaw one last time a week before we pulled the trigger.

To my surprise, they mentioned they had just launched their Fiber offering for small businesses. The offering provided their basic coax internet service tiers and pricing, but delivered over fiber. This is EXTREMELY attractive due to the reliability and pricing! We had the option to go all the way to the Business Internet 250 package. Higher products were available, however these were way more expensive, included SLAs, and just weren’t what we needed. My client opted for the Business Internet 100 package.

This morning the Shaw guys showed up, quickly brought the fiber into the office, mounted the equipment, and we were up and running in no time (and as always they were EXTREMELY friendly, clean, and took care in setting everything up). I love Shaw, for those of you who don’t know…

Anyways, here’s some pics! I’ll update this post in a week or two with average speeds.

[Image: Shaw Fiber Drop]

The above picture is the first device the fiber plugs into. I don’t know its exact purpose, but I believe it provides Shaw’s coax network over the fiber line. The coax cable then went to a Shaw Home Phone cable modem for 2 phone lines. I believe the device also repeats, and provides a fiber connection to the Shaw Fiber modem as pictured below.

[Image: Shaw FTTP Fiber Modem]