Forum Widgets
Latest Discussions
Server 2022 - errors 0x8007000d, 0x800f0922 during updates and 0x800f0922 when uninstalling roles
Hello, I'm experiencing persistent update issues on a Windows Server 2022 (21H2, build 20348.3207). The problem started immediately after installing the latest Servicing Stack Update (SSU build 20348.3320). Since then, I'm consistently receiving these errors: 0x8007000d when performing Windows Update. 0x800f0922 during installation of cumulative updates. I have already attempted extensive troubleshooting, including: Resetting Windows Update components (SoftwareDistribution, catroot2 folders) Running DISM /Online /Cleanup-image /RestoreHealth and sfc /scannow (both complete successfully without finding errors) Attempting manual installation of updates Clearing and verifying the component store Checking registry entries and group policy settings Verifying date/time settings Attempting an in-place upgrade from ISO (which also fails) None of the above steps have resolved the issue. Additionally, the installed SSU (build 20348.3320) cannot be removed manually. Could someone please assist or provide guidance on further diagnostics or solutions? Thank you very much in advance!
Windows Server 2019 and .NET 4.8?
Hello, On a fully updated Windows Server 2019, roles and features allow me to install only .NET 4.7. One of the solution we are using require .NET 4.8 (Adaxes). When I install .NET 4.8 using the installer available here https://support.microsoft.com/en-us/topic/microsoft-net-framework-4-8-offline-installer-for-windows-9d23f658-3b97-68ab-d013-aa3c3e7495e0 It works, I can install Adaxes, but it break ServerManager as well as Azure AD Connect. What's the correct procedure to install .NET 4.8 on Server 2019 without breaking anything else? Thanks a lot
Windows Server 2025 | Kerberos Local Key Distribution Center (LocalKDC) service fails to start
I have found that this service was disabled before the December update, for some reason it has gone to automatic and cannot be started, maybe this behavior is normal if you are not using this feature. After the January security patch the service still does not start, I think microsoft should report this problem. This happens on a clean installation without any role installed, I know there are many users with this problem. The January patch has not fixed it.WS2025 - LocalKDC Service Stopped
I have found that this service was disabled before the December update, for some reason it has gone to automatic and cannot be started, maybe this behavior is normal if you are not using this feature. After the January security patch the service still does not start, I think microsoft should report this problem. This problem occurs in a clean installation without any role installed or configured. If you try to start the service it shows the following error
Conflicting entries in dfsr schema preventing migration from frs to dfsr
Hello, I am having issues converting from frs to dfsr in a domain with 10 domain controllers a mix of 2012r2 and 2016 domain controllers ForestMode : Windows2012R2Forest DomainMode : Windows2012R2Domain Schema version 88 In the initial phase dfsrmig /setglobalstate 1 the sysvol suscription should be created but it fails with a error 87 syntax incorrect. I have check dfsr through dfs management and if I select add replication group to display the below is the error There are no replication groups in this domain. The Active Directory Domain Services schema must be extended before a replication group can be added to this domain. If i manually attempt to create a replication group I get the message below The active directory domain service schema on domain controller xxxxxx cannot be read. This error might be caused by a schema that has not been extended or was extened improperly, An attribute schema object cannot be found. even in powershell if I run get-dfsreplicationgroup -groupname * The Active Directory DomainServices Schema on domain controller xxxxxx cannot be read. I checked the schema entries using adsi edit and there a multiple cn=ms-dfsr entries that have cnf(guid) after the cn-ms-dfsr entries. I have attempted to move the schema master role but have not had any success. I have searched every forum I can find and it looks like schema entries are permanent once they are put in place. I have even opened a support ticket with microsoft support TrackingID#2503070040000116 and they have worked with me once and completely stopped responding. My current next steps are to remove all domain controllers except for the one holding the fsmo roles in hopes possibly the schema cnf will clear or if they don't I can take snapshots/checkpoints and attempt to add the correct missing schema entries that are currently appended with the cnf(guid). I figure this way I can make a change and roll back the one domain controller to the snapshot checkpoint. Eventhough I have found some forums and articles that indicate that you can remove schema entries from the schema partition using adsi edit it isn't possible on any server os newer than 2000 server. Any guidance and recommedations that can be provided would be greatly appreciated. I have really been let down by official microsoft support as they have ignored any contact and emails after a initial working session when they had me set the domain naming contect system global settings msflags to 0 which did nothing to resolve the issue and they have avoided providing any support since then..Net Core IIS App runs on Server 2016, not on Server 2022
We have an IIS App, a .Net Core application that runs fine on Server 2016. We have .Net framework 4.8 on both servers, IIS 10 on both servers and .Net Core 6.0. What happens on Server 2022 is that we receive an error that says can't reach this page in the browser. We have checked windows firewall rules, event logs, IIS logs and are stuck on this. Any suggestions are appreciated.Edit subnet mask or scope in dhcp server running in windows server - Solved
it's not possible to directly change the subnet mask of an existing DHCP scope in a running Windows DHCP server. Here are the steps: 1. Export the Existing Scope Configuration: Open a command prompt with administrative privileges. Type the following command to export the scope configuration to a text file: netsh dhcp server \\<DHCP_Server_Name> scope <Scope_IP_Address> dump > C:\dhcp.txt 2. Modify the Configuration File: Open the dhcp.txt file in a text editor. Locate the line that specifies the subnet mask (e.g., SubnetMask 255.255.255.0). Change the subnet mask to the desired value. Save the changes to the file. 3. Delete the Old Scope: In the DHCP management console, right-click the scope you want to modify and select "Delete." 4. Import the New Scope: In the command prompt, type the following command to import the modified configuration: netsh exec c:\dhcp.txt 5. Verify the Changes: In the DHCP management console, check if the scope has been re-created with the new subnet mask. Right-click the scope and select "Properties" to confirm the subnet mask change. (Major Point - Ensure that your existing network address and subnet network address remain the same after making changes. If they are not the same, you need to modify the entire network address in the text file. For example, if the original subnet is 255.255.255.0 and the network address is 10.1.10.0, and you change it to 255.255.252.0, then the network address should also be updated to 10.1.8.0. Therefore, you must replace all instances of 10.1.10.0 with 10.1.8.0 in the entire text file (using Ctrl+H for the replacement). Thats it....BLOG: CVE-2024-38063 - Disabling IPv6 binding = fix - or not?
Dear community, in today's LinkedIn Stream and other social media you might have noticed a recent CVE and the recommendation to disable IPv6 in Windows Server and Windows Client. We are talking about this one: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38063 Reading the advisory carefully, Microsoft, strictly speaking, does not directly recommend disabling (technically remove binding) of IPv6. Citing: "Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors might be helpful in your situation: Systems are not affected if IPv6 is disabled on the target machine." Maybe I am a bit nitpicking here about old experiences and would greatly appreciate a refreshed Microsoft statement on the disablement (unbinding) of IPv6 and the side-effects in 2024. What we have learned in the past - do no disable IPv6 easily. - yes, you can face issues with IPv6 being on by default and unexpected or misconfiguration. Often caused by DHCPv6, especially in the combination of critical domain controllers, Dual Stack ISPs and SoHo routers messing up your DNS. What's the fuss about IPv6? I am not actively using it in corporate / at home. IPv6 is being used in Windows. More specifically non-routable fe80 addresses and loopback ::1 for internal purposes of Windows or other software. One may complain use cases are - unrightfully - not well and transparent documented. Have a read in the past Here are some references that Copilot brings up. Trust my memory, I've read more like this. https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ipv6-for-the-windows-administrator-why-you-need-to-care-about/ba-p/256251 https://community.spiceworks.com/t/is-it-a-bad-practice-to-disabe-ipv6/781811/9 https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-ipv6-in-windows My personal conclusion Hold on, we need patches for this CVE, but we should not disable IPv6 easily. Please disable IPv6 temporarily, when you cannot patch this CVE immediately / in time. Take notes which system you have had to disable and consider re-enabling once patches have been tested and applied. If you are using IPv6 knowingly, note the NIC configs. They will be lost when using static settings rather DHCPv6. I am sad to see that NetSec people, undoubtedly experts in their area, jump on the bandwaggon esp. on Social Media to easily disgrace the IPv6 by default enablement of Windows Client and Windows Server, telling you the easier story: "Disable IPv6 and you are good / if you do not need it." Let me counter: You might not know you're "needing it" it in the first place. Whenever you are changing system defaults in Windows, mind that Microsoft and other software vendors may not consider these changes in their testing. And the Crowdstrike Black Friday showed us clearly how outlier system configs and unwell testing goes along. Not very well. IPv6 usage and defaults today One of the most recent example that Microsoft is using IPv6 can be found in the Azure Arc Agent (Connected Machine Agent) changelog: "Better handling when IPv6 local loopback is disabled" source: https://learn.microsoft.com/en-us/azure/azure-arc/servers/agent-release-notes How can I disable IPv6, if required? Many roads led to Rome. Windows + X > Terminal / PowerShell (Admin) #save current NIC config into a simple text file Get-NetAdapterBinding -ComponentID "ms_tcpip6" | where Enabled -eq $true | Out-File $env:temp\original-ipv6-config.txt #disable IPv6 on all adapters Get-NetAdapterBinding -ComponentID "ms_tcpip6" | where Enabled -eq $true | Disable-NetAdapterBinding And how to revert the change? Windows + X > Terminal / PowerShell (Admin) #enable IPv6 on all adapters (mind the text file) Get-NetAdapterBinding -ComponentID "ms_tcpip6" | where Enabled -eq $true | Enable-NetAdapterBinding TL:DR Microsoft is using fe80 addresses and loopback ::1 addresses for internal reasons. IPv6 is preferrably used over IPv4 when it is bound to a network adapter, including said special non- routable addresses. Please disable IPv6 temporarily, when you cannot patch this CVE immediately / in time. Take notes of current config. Please share the word and mind that disabling IPv6 can turn your OS into an outlier system, causing immediate or later issue due lack of testing by Microsoft or other software vendors, assuming the defaults, which is IPv6 being turned on.
