If you are having problems installing Service Pack or software updates on Windows Server 2008 R2, Windows 7 or Windows Vista you are not alone. There are lots of people facing the same issue, including me, and hopefully this article will be helpful in understanding and solving the problem. I should point out that I have encountered this problem of installing Service Pack 1 (SP1) on numerous servers (all new installation) as well as existing Windows 7 client. The focus of this article is on Windows Server 2008 R2 but you can apply the same techniques on Windows 7 and Windows Vista.
It took me three full days to find a solution that worked for me. Needless to say I was searching the Web all this time and trying various solutions but some worked and others didn’t. Unlike the old Windows NT days when the patches were considered a risky business, for the past decade or so Microsoft has done a great job to make the updates and security patches fairly reliable. It’s a daunting task to deal with a gazillion updates on various systems and gain the confidence of consumers. Microsoft gained enough of my confidence that I have been configuring all my computers, including servers, to download and install the Windows Update automatically. Even though I have occasionally encountered a few crashes, overall I have been fairly satisfied with the automatic Windows Update service. Well, lately things have not been so rosy. Windows Updates are causing more problems more frequently and therefore starting this year I decided to manually update my computers because of the fear of system crashes and other unexpected results. Microsoft has confirmed my fears of Windows Update by releasing a patch to fix the patches. The patch is called Windows System Update Readiness Tool, essentially a bug fix that fixes other bug fixes. But these days vendors don’t use the term bugs any more because that is admitting that there was a problem with the software in the first place. Instead they refer to them as “patches”, “updates”, “repairs”, “fixes”, and now there is a new term “tool.” Well, you tell me which one sounds better Windows System Update Readiness Tool or Windows Update Bug Fix? Exactly my point!
Microsoft is aware that even the Windows System Update Readiness Tool may not fix the Windows Update problems with Windows Server 2008 R2 and therefore they have posted an article on TechNet for advanced diagnosing and fixing servicing corruption. The article is listed under the Troubleshooting section as Known Issues with Windows Server 2008 R2. So now we know that Microsoft is aware of this issue and have released a bug fix for the bug fixes and also admitted that the bug fix for the bug fixes may not work and therefore we may need to rely on some advance diagnostics to fix the problems with the corruption in Windows servicing store (more on this servicing store in a minute).
Let’s get back to the problem of installing SP1. As I indicated earlier, lately I have been having lots of issues with installing Windows Server 2008 R2 SP1 on several servers. As far as I recall, I have experienced this issue mostly on new server installations. The problem is that the service pack hangs after a minute or so and the installation fails. After spending a lot of time I finally narrowed the problem down to one particular update (KB2620704). I installed all the updates on my new servers (92 to be exact) and then installed KB2620704 that was causing problems. On some servers KB2620704 failed while on others I was able to install it successfully. However, even after I was able to install all the updates, including KB2620704, I still wasn’t able to install SP1. In addition, I was not able to install SharePoint Server 2010 on one of the servers because when I tried to install the software prerequisites it failed.
At one point Windows Update offered me a new update called System Update Readiness Tool for Windows Server 2008 R2 x64 Edition (KB 947821) [August 2011].
According to Microsoft:
“This tool is being offered because an inconsistency was found in the Windows servicing store which may prevent the successful installation of future updates, service packs, and software. This tool checks your computer for such inconsistencies and tries to resolve issues if found.”
In case you are wondering about the Windows Servicing Store, it’s a component that is required to successfully install the service packs.
There is something very interesting in the above screenshot. Notice that the last update on the list Windows Server 2008 R2 Service Pack 1 x64 Edition (KB976932) is only 13.6MB. If you download SP1 from Microsoft here, the size is 903.2MB. The interesting part was that I was working on several newly installed servers and only one of them showed SP1 as 13.6MB. All the other servers listed KB976932 as 95.5MB – 892.6MB, as shown in the screenshot below.
After installing KB947821 I was still not able to installSP1. I went to the SUR log to see what’s going on. See this article for more information.
I noticed the log pointed to the KB2620704 which I knew was a problem right from the start. On the server where I was able to install KB2620704 everything was fine but on the server where I wasn’t able to install SP1 I knew I had to install KB2620704. I was left with only 2 updates (KB2620704 & the SP1 update KB976932) so I unchecked KB976932 and tried to install KB2620704 but it failed with the error Code 800F0818.
Now you may get lucky after installing KB2620704 but I wasn’t. Here’s what I did next. Per TechNet article Advanced guidelines for diagnosing and fixing servicing corruption I looked at the two files listed at the end of the checksur.log.
Next I started cmd.exe as an administrator and backed up the two files as a precaution.
copy %windir%\servicing\packages\Package_for_KB2620704_SP1~31bf3856ad364e35 ~amd64~~18.104.22.168.mum c:\temp
copy %windir%\servicing\packages\Package_for_KB2620704_SP1~31bf3856ad364e35 ~amd64~~22.214.171.124.cat c:\temp
Then I took ownership of these files so I can copy these files from another server.
takeown /f %windir%\servicing\packages\Package_for_KB2620704_SP1~31bf3856ad364e35 ~amd64~~126.96.36.199.mum
takeown /f %windir%\servicing\packages\Package_for_KB2620704_SP1~31bf3856ad364e35 ~amd64~~188.8.131.52.cat
Next I used icacls to grant administrators permissions to overwrite the files.
icacls %windir%\servicing\packages\Package_for_KB2620704_SP1~31bf3856ad364e35 ~amd64~~184.108.40.206.mum /grant administrators:F
icacls %windir%\servicing\packages\Package_for_KB2620704_SP1~31bf3856ad364e35 ~amd64~~220.127.116.11.cat /grant administrators:F
Finally, I logged out and then logged back in so I can copy the two files from another server where I was able to successfully install KB2620704 to the server. Even though I was logged in with a domain account that was a member of the local administrators group the permission to copy the files was denied. I went to Windows\servicing\packages folder in Windows Explorer and gave my domain account full-control permissions to the packages folder. I removed this permission after I was able to copy the two files. I ran the update for KB 2620704 and it was finally successful.
I then tried to install SP1 (KB976932) again. By that time I knew all these KB article numbers better than my address and phone number. Fortunately, this time it worked and I was able to install SP1 on my Windows Server 2008 R2. It only took about 40 hours in three days. Piece of cake!
SharePoint Server 2010 Installation
The rest of the article only applies to you if you are installing SharePoint Server 2010 on a new server. Once the service pack was installed, I should be able to install SharePoint, right? Wrong! This time the software prerequisites tool was able to install a couple of prerequisites, including the Web Server (IIS) Role, but was unable to install the hotfix KB976462.
Okay, no problem. I downloaded the hotfix KB976462 for my x64 system (Windows6.1-KB976462-v2-x64.msu) from here and tried to run it but got an error “The update is not applicable to your computer.” Here’s how I worked around that hurdle. I followed the instructions in yet another KB article KB934307.
Here are the download links for Windows System Update Readiness Tool for Windows Server 2008 R2, Windows 7 and Windows Vista (KB947821).
Here’s another related article KB947366 that might also help.
A hotfix for the.NET Framework 3.5 Service Pack 1 is available for Windows 7 and for Windows Server 2008 R2 as a prerequisite for Microsoft Office SharePoint Server 2010.
This is the hotfix mentioned in the above link. It’s called SharePoint Shared Services Roll-up for Windows Server 2008 R2. Instead of going through all the hoops, you can download this hotfix from the following link.
And finally here’s an article which describes the Windows Update Stand-alone Installer. I was able to use the information in this article to get over the last hurdle.
Authentication prompts have been a pain in the neck for a lot of SharePoint users over the years both in SharePoint 2007 and SharePoint 2010 environments. There are several reasons for the prompts. I can’t cover all the possible solutions but I have documented multiple solutions to different authentication prompt issues.
In SharePoint 2010, you have multiple site collections on your intranet that you access on a regular basis. When you access these sites remotely from an external network and connect to the first site you are prompted for authentication. You logon successfully. Then you try to connect to the second, third and fourth Site Collection but you are prompted for authentication each time. You want to have access to all the sites without being prompted for authentication each time.
Add the intranet sites to the Local intranet zone in Internet Explorer (IE).
Now once you logon to the first intranet site, you should be able to access all the other sites in different Site Collections without entering your username and password.
NOTE: There are lots of other scenarios where you may experience multiple authentication prompts and depending on the scenario you may have to use a different solution. One setting that you should be aware of is located in the Internet Explorer’s options.
NOTE: You can deploy this setting to client computers using Group Policy. Go to User Configuration -> Policies -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Trusted Sites Zone. In the right-hand pane locate “Logon options” double-click it. First Enable the option and then in the drop-down box select the option “Automatic logon with current username and password.” On the client computer run gpupdate /force at the command prompt to refresh the Group Policy.
Prompt for Credentials When Accessing FQDN Sites From a Windows Vista or Windows 7 Computer
There is another issue that you may run into that is documented in the KB article 943280. Sometimes you may get prompted for authentication when you open a Microsoft Office document in SharePoint. Here are the steps documented in the KB article 943280 to resolve the issue in Windows 7 clients.
- Click Start, type regedit in the Start Search box, and then press ENTER.
- Locate and then click the following registry subkey:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Paramet ers
- On the Edit menu, point to New, and then click Multi-String Value.
- Type AuthForwardServerList, and then press ENTER.
- On the Edit menu, click Modify.
- In the Value data box, type the URL of the server that hosts the Web share, and then click OK.Note You can also type a list of URLs in the Value data box. Here’s a sample.
- Exit Registry Editor.
After this registry entry is created, the WebClient service will read the entry value. If the client computer tries to access a URL that matches any of the expressions in the list, the user credential will be sent successfully to authenticate the user, even if no proxy is configured.
Note You have to restart the WebClient service after you modify the registry.
Things to avoid in the URL list
- Do not add an asterisk (*) character at the end of a URL. When you do this, a security risk may result.http://*.dns.live.*
- Do not add an asterisk (*) before or after a string. When you do this, the WebClient service can send user credentials to more servers. See the following examples:
- http://*Contoso.comIn this example, the service also sends user credentials to http://extra_charactersContoso.com
- http://Contoso*.comIn this example, the service also sends user credentials to http://Contosoextra_characters.com
- In the URL list, do not type the UNC name of a host. For example, do not use the following:*.contoso.com@SSL
- In the URL list, do not include the share name or the port number to be used. For example, do not use the following:
- Do not use IPv6 in the URL list.
Important This URL list does not affect the security zone settings. This URL list is used only for the specific purpose of forwarding the credentials to WebDAV servers. The list should be created as restrictively as possible to avoid any security issues. Also, because there is no specific deny list, the credentials are forwarded to all the servers that match this list.
NOTE: You can deploy the above setting to clients using Group Policy.
Disabling Authentication Prompts in SharePoint 2010
In SharePoint 2010, another thing you can try to disable authentication prompts is to modify the Web.config file.
<add verb=”OPTIONS” allowed=”false” />
<add verb=”PROPFIND” allowed=”false” />
Disable “Remember my credentials” Option
If the users check the option “Remember my credentials” and then they change their password, they will keep getting prompted for authentication. It is not a good idea to remember passwords for security reasons and when working with SharePoint you might want to disable this feature. You can disable this feature using a Group Policy. Open the Group Policy (e.g. Default Domain Policy) and go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options and enable the setting “Network access: Do not allow storage of passwords and credentials for network authentication.”
Use Credential Manager in Windows 7
Yet another method to avoid authentication prompt is to use Windows 7′s Credential Manager. Go to Control Panel -> User Accounts and in the upper left hand corner select Manage your credentials.
Select Add a Windows credential and provide the logon information.
There is no need to reboot the computer. You should be able to access the site in your browser without being prompted for logon credentials.
Here are some additional references that you may find useful.
Updated: March 22, 2012
The vSphere Command-Line Interface (vSphere CLI) command set allows you to run common system administration commands against ESX/ESXi systems from any machine with network access to those systems. vSphere CLI commands are especially useful for ESXi hosts because ESXi does not include a service console. You can use vicfg-cfgbackup.pl within vSphere CLI to backup or restore your VMware ESXi 4.1 server configuration or to reset the host to factory settings.
The vicfg-cfgbackup command backs up and restores ESXi configuration data. You can back up the host configuration, restore the configuration to the host, force the restore of the configuration, and reset the host to factory settings.
WARNING! This command is supported for ESXi hosts but not for ESX hosts.
--load <backupfile> |
You can use the following options with vicfg-cfgbackup.
Specifies the target server and authentication information if required. Run vicfg-cfgbackup –help for a list of all connection options.
–force | -f
Forces the restore of the configuration.
Prints a help message for each command-specific and each connection option. Calling the script with no arguments or with –help has the same effect.
–load | -l <backupfile>
Restores configuration from <backupfile> onto the host.
–save | -s <backupfile>
Backs up the host configuration.
Include the number of the build that is running on the host that you are backing up in the backup filename. If you are running the vSphere CLI from vMA, the backup file is saved locally on vMA. Local storage for backup files is safe because vMA is stored in the /vmfs/volumes/<datastore> directory, which is separate from the ESXi image and configuration files.
--reset | -r
Resets the host to factory settings.
–quiet | -q
Performs all operations without prompting for confirmation.
Follow the instructions below for backing up and restoring your ESXi 4.1 server configuration from your Windows computer.
Backing Up the Configuration
Restoring the Configuration
To restore your VMware ESXi 4.1 server configuration use the same vicfg-cfgbackup.pl command.
In order to restore your configuration, you need to place your new ESXi 4.1 server into evaluation mode. This may not be necessary if you have recently installed your server and have not added your license key. If you have already added your license key then simply use the vSphere Client and set the server to evaluation mode. Another thing to keep in mind if your restore fails is to use the -f option, which forces a restore.
You may have seen software that turns your Windows 7 computer into a wireless router. In the past, I have downloaded Connectify software. On paper it looked good but when I installed the free version of Connectify I discovered that I could only use WEP. There was no support for WPA2-PSK as advertised on their homepage. I am guessing they must have a paid version of Connectify that will allow people to use security. Anyone referring to WEP protocol as secure loses credibility right off the bat. WEP does not provide end-to-end security and is not considered secure by most security experts today. If that wasn’t bad, Connectify only allowed me to use a password that was limited to something like 4-12 characters and the password was limited to numbers 0-9 and letters a-f. That’s right, you can only use letters a-f. Bottom line: Do not let your friends and family install the free version of Connectify. It’s security a joke.
Recently I ran across another software, developed by a fellow MVP by the name of Chris Pietschmann. Chris is a Windows Live Platform MVP and his free, virtual router software is available from Microsoft’s CodePlex community site, which is a distribution point for open source software. The Virtual Router software turns any Windows 7 or Windows Server 2008 R2 computer into a WiFi Hotspot using Windows 7′s Wireless Hosted Network (Virtual WiFi) technology. Virtual Router allows you to wirelessly share any Internet connection (LAN, WiFi, Cable Modem, Cellular, or even dial-up modem) with any WiFi device (Laptop, Smart Phone, iPod Touch, iPhone, Android Phone, Zune, Netbook, wireless printer, etc.).
The software, written entirely in C#, does not have the password limitations of Connectify. Another good thing about the Virtual Router is that it is completely free of ads. And the best thing about the Virtual Router is that it defaults to WPA2 for secure wireless connectivity. WPA2 is one of the most, if not the most, secure wireless encryption available today.
The software is currently in its beta version. You can download beta 0.9 here.
There is a free Wake-On-LAN GUI tool available that you can use to wake a remote computer up by either using it’s IP address or it’s Fully Qualified Domain Name (FQDN). You can use the Wake-On-LAN feature to start a computer either on the LAN or through the Internet.
You can download the tool here.
Copyright ©2002-2013 Zubair Alexander. All rights reserved.
30 queries. 0.633 seconds