Category Archives: Windows

All about Windows

Fixing Windows 10 Anniversary update

Let’s cut to the chase… After a painful update of my Windows 8.1 to Windows 10 Anniversary, and facing issues with Action Center, Edge and a Start button that was not working, I decided to clean install W10A instead. I know that a plain W10A install works just fine because I have done it successfully on a VM on my desktop. However, even with a clean install, I still had issues: IE11 crashed when launched, and when I tried to install the ADK, the install crashed with faulting module nvumdshim.dll. This pointed to the NVIDIA graphics card driver installed by Microsoft.

Sure enough, after I downloaded the latest drivers from NVIDIA and installed them, everything was working well on my W10A desktop. Given this, I suspect a lot of the update problems with W10A are probably related to graphics drivers. Another clue is that some users were able to get their Action Center, Start menu, etc. working after booting up in safe mode and then booting to normal Windows again. Windows uses a basic video driver in safe mode, which could explain why it was working in safe mode. I am not sure why it may work again after rebooting to normal mode, but I suspect that the system will crash again in no time and that it is not a permanent fix.


Posted by on December 29, 2016 in Windows



Windows Anniversary update broke my network and start menu

The case against Windows Anniversary update goes on (read the comments):

Two days ago, I was forced to receive the Windows Anniversary update like many other people. And like a lot of folks, I really needed my computer at that point in time, but the screen just asked me to wait while Windows was updating… what can we do?

Fast forward: the update completed and the machine rebooted. I logged in to my machine and 3 major items did not work:

  • Start menu
    • There was no response when clicking on the Windows start button or the search button after the update. In other words, I have no view of my installed applications or access to launch any applications other than those already in the task bar. Of course, I could still run the applications directly via command prompt or the file explorer
  • Network
    • My network stopped working. When I looked into the network adapters, I could see my wireless and LAN adapter. I normally disable the wireless and use the LAN. However, I also had Hyper-V running and the virtualised adapters had disappeared. Those were the ones used for network connectivity.
    • I could not find the adapters in Device Manager and found that the update had removed Hyper-V, obviously without a proper uninstallation.
    • By removing Hyper-V, the virtualized adapters were also removed, leaving my physical adapters with no bindings to any protocols or services.
    • By rechecking the protocols, e.g. IPv4, and network services, network connectivity came back.
  • Action center
    • When initially troubleshooting the network issue, I tried to turn on my wireless adapter to configure it for my network. Sadly, because the action center would not launch, I could not view the networks available to connect my wireless adapter to. Of course, this can be done via the command line, but what about the end-users?
    • I also cannot clear the notification icon on the tray as action center will not launch.

After reading a bit about all the problems, I decided to try creating a new profile to see if it would solve at least the start menu and action center issues. However, that did not work.

Luckily, Windows offered a back-out and recovery option which worked for me. So I managed to recover my Windows and got back my previous version.



Posted by on September 26, 2016 in General, Windows


Fixed: “The security database on the server does not have a computer account for this workstation trust relationship”

I have been playing with my own little AD domain sandbox in Hyper-V and came across this error when trying to log on to a domain member server using an account with Domain Admin rights:

“The security database on the server does not have a computer account for this workstation trust relationship”

This is strange because my setup is not very complicated, just one forest DC, one domain DC and a member server. Of course, the first thing I tried was to reset the computer account and also to rejoin the server to the domain, which didn’t work.


Posted by on July 20, 2016 in Windows



ESXi host performance issues and the importance of thermal paste

A totally interesting read on how the team in VMware resolved an issue with a non-performing HP blade. The final takeaway from this is:

  • Thermal paste really can impact performance!
  • HP Active Health System logs should (but don’t) include when CPUs clock down to prevent overheating.
  • CPU clock throttled error messages don’t appear in ESXi logs.



Posted by on July 1, 2016 in Operations, vmware, Windows



Failover Cluster Node Cluster Startup Order in Windows Server 2012 R2

An excellent discussion about Windows cluster failover and startup scenario:



Posted by on February 5, 2016 in Windows


Ramdisk device creation failed error after changing memory size on VM

The other day I was performing a routine task. I increased the memory for one of my virtual vCenter machines, running Windows 2008 R2, from 16 GB to 26 GB. After making that change, I booted up the machine and it immediately halted with the dreaded message

Ramdisk device creation failed due to insufficient memory

This is a really routine change, so it doesn’t make any sense why the machine would act up. I checked on the internet for some solutions and nothing seemed to help. So I changed the size back to 16, rebooted, and still the same error appeared. When I went back to look at the memory settings again, I realized that during the initial change, the size had changed from GB to MB!

What a schoolboy mistake to make! But then again, it is a reminder to us all that when something fails after you made a change, it is most likely that change that caused the problem. You need to go back to basics and forget about your assumptions to get to the bottom of it.


Posted by on October 19, 2015 in vmware, Windows


vCenter server SQL database custom DB schema and Windows authentication

What is the standard method of provisioning a new SQL database for your vCenter server? In most organisations, it would be something like this:

  • DBA will create a new SQL login account
  • DBA will create the blank database (with required configurations, of course) and grant db owner role to the account
  • You install vCenter and specify to use SQL login credentials

This is probably the simplest and quickest way to set up the SQL database. Now what if, due to regulatory commitments and best practices, your DBA tells you that you have to use Windows authentication instead and NOT use the db owner role?

Well, switching over to Windows authentication is straightforward enough, but how do you avoid the db owner role? If you are installing a brand new vCenter, then the setup is quite straightforward. In the vCenter 5.5 installation guide, sections “Create a SQL Server Database and User for vCenter Server” (page 33) and “Use a Script to Create a Microsoft SQL Server Database Schema and Roles” (page 36) detail how this can be done.

This will create a custom DB schema to grant permission to the vpxuser account. With the new custom DB schema, the vpxuser must be in VC_USER_ROLE for regular operations and VC_ADMIN_ROLE during installation and upgrades.

Now if you have an existing vCenter 5.x server and need to migrate over to a custom DB schema, more work is required. The main details are described in VMware KB 1036331. There are no shortcuts: you do need to read through the steps and work out together with your DBA how to get it migrated.


1. The KB contains two attached files, IMHO, if redundant since it already exists in

2. After unzipping, rename all the files by removing the “Upgrade-Remove-DBO-Role” prefix. If you keep the file names as is, the script will fail.

3. For both VCenterUSER and VCUSER, you can only use a local SQL account; the script will fail if VCenterUSER is a domain account, i.e. domain\user syntax. If you are already using Windows authentication, you need to modify the script before use.

The steps can be summarized as follows (assuming that you are migrating to a custom DB schema AND from a local SQL account, since, as I already mentioned, you will probably fail if you use the attached script with a Windows-authenticated account without modifying the script):

Phase 1 (Migrating to custom DB schema)

  1. Stop all vCenter server services
  2. Modify both the verify and upgrade scripts with correct values and send them to your DBA
  3. DBA will execute the verify scripts for any errors
  4. If there are no errors, DBA will execute the upgrade script
  5. Start vCenter server services and perform sanity checks on the vCenter, e.g. perform some vMotion

Phase 2 (Migrating to Windows authentication)

  1. Again, stop all vCenter server services
  2. Get DBA to run the SQL script below
  3. Get DBA to change all scheduled tasks from the local user to the domain account
  4. In Windows, type “runas /user:<domain service account> cmd”, this will start an elevated cmd prompt
  5. Navigate to C:\Windows\System32 and run odbcad32.exe (Alternatively, you can look for the ODBC icon and runas a different user)
  6. Reconfigure ODBC for Windows authentication and test your ODBC connection
  7. Restart all vCenter server services
  8. Perform sanity check on vCenter, e.g. run some vMotion.

USE [master]
CREATE USER [domain\vpxuser] FOR LOGIN [domain\vpxuser] WITH DEFAULT_SCHEMA=[VMW]

Note: If you are also migrating the VUM service account to Windows authentication, you need to launch (runas) the 32-bit ODBC in C:\Windows\SysWOW64 instead.


Posted by on April 10, 2015 in vmware, Windows



Caveat of using msdeploy to sync web or ftp sites in IIS7

MSdeploy.exe is an important tool that you can use to sync web sites or ftp sites. I was testing msdeploy to keep two IIS7 FTP sites in sync. I used the following command:

msdeploy -verb:sync -source:apphostconfig="ftproot" -dest:apphostconfig="ftproot",computername=2ndserver

The sync works of course, but at the same time I found that one of my folders in d:\data was also syncing to the 2nd server. It had deleted all other folders and files in d:\data on the 2nd server!

The reason, it seems, is that the sync verb will sync everything, including physical folders defined by your FTP virtual directory! The problem was that I had created an FTP virtual directory whose physical path is d:\data. This caused msdeploy to also sync the FTP vdir's physical path to the 2nd server, with undesirable effects if you don’t want this to happen. If you only want to sync the FTP vdir but not the contents of the physical folders, you need to get msdeploy to skip folders with the following:

msdeploy -verb:sync -source:apphostconfig="ftproot" -dest:apphostconfig="ftproot",computername=2ndserver -skip:objectName=dirpath,absolutePath=".*"
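
A pre-flight check for the command above, as an added example that is not part of the original post: it runs the same sync with msdeploy's -whatif switch first and stops if the dry run reports deletions on the destination. The match on the word "Deleting" in msdeploy's output and the report file location are assumptions.

```batch
@echo off
setlocal
rem Added example. Site name and server name are taken from the post;
rem the report path is an assumption.
set "REPORT=%TEMP%\msdeploy-whatif.txt"

rem 1. Dry run: -whatif lists the planned operations without applying them.
msdeploy -verb:sync -source:apphostconfig="ftproot" -dest:apphostconfig="ftproot",computername=2ndserver -skip:objectName=dirpath,absolutePath=".*" -whatif > "%REPORT%" 2>&1
if %ERRORLEVEL% neq 0 (
    echo Dry run failed, see "%REPORT%".
    exit /b 1
)

rem 2. Stop if anything would be deleted on the destination.
rem    Assumption: planned deletions show up as lines containing "Deleting".
findstr /i /c:"Deleting" "%REPORT%"
if %ERRORLEVEL% equ 0 (
    echo Dry run reports deletions on 2ndserver. Review "%REPORT%" first.
    exit /b 2
)

rem 3. Nothing would be deleted: run the real sync with the same arguments.
msdeploy -verb:sync -source:apphostconfig="ftproot" -dest:apphostconfig="ftproot",computername=2ndserver -skip:objectName=dirpath,absolutePath=".*"
exit /b %ERRORLEVEL%
```

When the destination must never lose files, adding -enableRule:DoNotDeleteRule to the real sync blocks deletions outright.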

Posted by on March 19, 2015 in Windows



vSphere SSO 5.5 does not add default domain after installation and vdcidentitysource nuance

We are in the midst of upgrading vCenters to 5.5 from 5.0. The biggest difference is the inclusion of, and requirement for, an SSO server.

The default install of the SSO server is simple enough. After installing SSO, we would go ahead to install vCenter server (or upgrade it), and it would fail during installation. The reason for the failure is that the vCenter service would fail to start up with the domain system account. Logging on from the vSphere Web Client, we could see that the default computer domain (let’s call this MYAD), which is also the same domain as the system account, was not added as the identity source in SSO. As a result, the system account could not authenticate via SSO and the service would not start during installation. Once we added the domain into SSO, the services started up fine. So this is indeed a case of a missing identity source in SSO.

During SSO installation, you can select to add the default domain during installation. However, in our case, this never worked. So we had to fire a support question to VMware support. After some weeks of logs and testing, this is what they concluded:

“Based on the uploaded logs, SSO cannot get domain controller info and trust info via DsGetDcName and DsEnumerateDomainTrusts windows APIs and this is causing the delay in finishing up the process of retrieving the domain join status. Installer needs the domain join info in order to add the current machine’s domain as an IDP. In your setup, by the time we get all the DC and trust info, installer had already asked for that detail and it can’t get it. So it completes the installation without adding the IDP.

Our Engineering team has confirmed that this behavior is by design. I know that you would want this process to be automated, however, they are recommending to use the article to add the Identity Sources after the installation.”

In summary, our domain has too many trusts, including some that are behind firewalls, and it took too long to collect the information during installation. Hence, SSO is designed to give up but mark the installation as completed. The problem with this is that the SSO install should at least warn you that the domain was not successfully added, and save the headache of folks installing vCenter server afterwards and scratching their heads over why it failed.

So we loaded up the batch files provided and copied all files to c:\vdcidentitysource (note that this path was in the original article; it was later amended because I found the issue with it). When I executed “sso-add-native-ad-idp.cmd”, I got the following message:

Error: Could not find or load main class com.vmware.identify.migration.ImporterToSSo2

As this was a test environment, I reverted to the previous snapshot to ensure I had a really clean environment, installed SSO and executed the batch file again. Again I had the same issue. Anyhow, I found out the issue was a logic flaw in the sso_import.cmd file, which sso-add-native-ad-idp.cmd calls, AND also because we had installed SSO on the D drive but the instructions want you to execute from the C drive.

The error occurs in the last 2 lines of sso_import.cmd:

%JAVA% -cp migrationtool.jar;exporttool.jar;"%SSO_INST_DIR%vmware-identity-idm-interface.jar";"%SSO_INST_DIR%vmware-identity-idm-client.jar";"%SSO_LIB_DIR%commons-codec-1.4.jar";"%SSO_INST_DIR%lib"\*;"%SSO_INST_DIR%\". ^
-ea com.vmware.identity.migration.ImporterToSSO2 %1 %2

The line “cd %SSO_IMP_DIR%” assumes that the current drive in the command prompt is the same as the drive in the variable %SSO_IMP_DIR%. So if your command prompt is “C:\>” and the variable is “c:\temp”, then “cd c:\temp” will change directory successfully. But if the variable is “d:\temp”, “c:\>cd d:\temp” will just change the current directory on d: without switching drives; you will still remain at the “c:\>” prompt. As a result, the java execution will end in an error.

So to execute the KB correctly, you need to place the source in the same volume as where SSO is installed. VMware support guys updated the KB after I found out this issue. 🙂
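
The drive-change behaviour described above next to a corrected form, as an added example that is not the KB's script: D:\vdcidentitysource is a constructed sample value for %SSO_IMP_DIR%, and the guard at the end is an assumption about what a safer wrapper would check.

```batch
@echo off
setlocal
rem Constructed sample value: the import files sit on a different drive
rem than the one the command prompt is currently on.
set "SSO_IMP_DIR=D:\vdcidentitysource"

rem Flawed pattern: plain CD only records a new current directory for D:
rem and leaves the prompt on the old drive.
cd "%SSO_IMP_DIR%"
echo After plain cd: %CD%

rem Corrected: /d switches the drive as well as the directory.
cd /d "%SSO_IMP_DIR%"
if %ERRORLEVEL% neq 0 (
    echo Cannot change to the import directory.
    exit /b 1
)
echo After cd /d:    %CD%

rem Guard: the classpath names migrationtool.jar relative to the current
rem directory, so stop here instead of letting java fail with
rem "Could not find or load main class".
if not exist migrationtool.jar (
    echo migrationtool.jar not found in the current directory.
    exit /b 1
)
echo Working directory is ready for the import.
```

Using pushd "%~dp0" at the top of a script is another way to get the same effect, since pushd changes drive and directory to the script's own folder.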

Now, executing the KB to add the missing IDP was not an instant solution. In our environment, we had to run this 3-4 times before we could successfully get the domain added, as I was constantly getting the “machine is not properly joined” error.

Addendum: On one of our vCenter 5.0 servers, we had to deselect “add default domain” during SSO installation for it to install successfully. Selecting to add the default domain (i.e. our firm’s domain and trust) caused the install wizard to hang at “Configuring SSO Components…” forever… No idea what caused this, as there were no errors reported in the install or SSO logs.


Posted by on March 11, 2015 in vmware, Windows, Windows CMD



HP blades and vSphere ESXi compatibility matrix

The most challenging part of having a blade enclosure system like the HP c7000 blade enclosure series is getting the firmware to match the components. For example, you may start off with BL460c G7 blades and 1 year down the road decide to add Gen8 blades into the same enclosure. It is not a simple question of just plugging them in; many times it will not work, as the underlying OA firmware may not support Gen8 blades. However, one cannot just go ahead and upgrade the OA firmware without first checking the firmware versions of the G7 blades and iLOs to ensure that the new firmware and the existing versions support each other. This is usually not too big a problem when the blades are new and the estate is small, but if you have them deployed globally and over a few years, you can be assured that firmware versions will be very varied. And any attempt to standardize, say, just the OA firmware can be difficult.

This is why HP has a compatibility matrix for its systems. It used to be a bit more complex (but easier), as the table would state the minimum firmware version for each component to work with each other. So if you wanted to upgrade the OA firmware to 3 versions higher but keep the rest the same, it would not be an issue. However, they have since streamlined this and force everyone to upgrade to a single version level. So if you want to upgrade the OA firmware 3 versions upwards, you need to upgrade all other components to the same version base.

Now if you are running ESXi hosts on these blades, you have to consider the recommended driver versions, which work in tandem with the OS version and the HP blade firmware.



Posted by on August 27, 2014 in Operations, vmware, Windows

