Restore missing K2 Server Console Mode Shortcut

Recently I’ve seen failed K2 blackpearl installation which went seemingly well but logged an error on Configuration Analysis stage for  K2 blackpearl Server Running task. The warning message was quite helpful listing all possible reasons which may cause issues for K2 service startup: disabled service or service account, wrong credentials, missing logo as a service rights for K2 service accounts or conflicting ports configuration (required ports are busy by something else). And we all know that we have detailed setup logs to check what went wrong during installation, right?

Nonetheless assuming you focused on inability to start K2 service, then as it fails even before initializing itself and its logging which would be the case in scenario with aforementioned warning in K2 blackpearl Configuration Analysis (Windows Services snap-in will show you “Service on local computer has been started then stopped” message), your first action should be attempt to run it in console mode and see what exactly is wrong/what it complains about 🙂

Unfortunately in my specific case Setup Manager also failed to create K2 Server Console Mode Shortcut, which should give you a hint that this is likely credentials issue. In case K2 Server Console Mode Shortcut is missing it can be created manually using the following command:

Refer to related section of K2 help for details. Simply by looking at the command above there are not a lot of things which can go wrong here – missing service executable file (definitely should lead to more warnings on the final stages of setup) or wrong credentials (those in theory can be locked during final stages of setup at the stage when it tried to register service/create shortcut). Anyhow if you run into something like this just restore console mode shortcut to investigate your problem with service startup further.


Windows Server 2016 Nano Server – Just enough OS model

I’ve recently spent some time exploring Windows Nano Server installation option and wrote detailed blog post for StarWind blog entitled  “Windows Server 2016 Nano Server – Just enough OS model” you can read it here. Article covers Nano Server basic concepts and compares this installation type with conventional Full Server and Server Core installation options – if you find this topic interesting please read on @ StarWinds Blog.


Containers: basic premise/promise of this technology

Recently I finally found some time to catch up on containers and Docker basics and concepts and I glad that I went through some introductory information as with all this hype around containers it is sometimes difficult to wrap your head around basic premise/promise of containers technology. In fact there is even confusion if containers and Docker are the same thing or something that has to be distinguished from each other… 🙂 So I decided to jot down just basic idea of containers technology + a bit of related background info which is helpful for understanding it.

So classic IT services architecture with HW servers has been transformed by arrival of hyper-visors/virtualization technologies (which to many is synonymous with VMware) and containers is next stage of the same transformation/another chapter in the quest for efficient IT service delivery (which to many synonymous wit Docker).

What has been solved by virtualization is gross under-utilization of hardware – by placing multiple VMs we can have good load of existing hardware, higher density and reduced admin overhead thanks related with managing multiple hardware servers. After about fifteen years of evolution this technology produced a lot of extra benefits like live migration and snapshots. At the moment virtualization it is fully mature and production ready technology.

Containers attempts to attach some remaining source of admin overhead and CAPEX/OPEX which survived after we decimated number of HW servers in our environments thanks to virtualization. This is something we used to accept as normal state of things or maybe as necessary evil – we throw away HW servers and run VMs, but each VM requires OS on its own – which means administrative overhead, attack surface, licensing OPEX/CAPEX. Containers architecture tries to eliminate this layer of VMs OSs which solely exist to run applications we need to run. Just look at the conceptual picture of containers architecture and you will see that conceptually it is much more simpler (and in system design simple means better):

Image source: ZDNet

So we use one host OS and next docker engine provides containers which can be fired off much faster as you don’t need to fire off guest OS before your real app can be started – your base OS is already running and container starts somewhat as application. So concept is nice and simple, though any curious IT person would immediately come up with questions about quality of isolation of containers, stability of docker engine and how such architecture survives crash of base OS or docker engine. Is it production ready or not? This is the topic for separate blog post or two and in this one I just wanted to highlight basic promise/concept behind containers.


Unable to activate/uninstall K2 App: RemoveApp does not exist as a method of this SmartObject Instance

Sometimes when trying to activate or uninstall K2 4.7 App from App Catalog level or from the Site Collection level you can get the following error:

If you enable SmO logging you can trace that error actually happens on SmO level, more specifically with SharePoint Integration Helper Methods SmO and its Activate Site Collection method:

 System > SharePoint 2013 Integration > SharePoint Integration Helper Methods

*NOTE: Issue happens with Activate Site Collection method, not with Activate Site Collections one.

Sometimes clearing your browser’s cookies and cache or starting your browser using another user account or incognito / InPrivate mode helps to resolve this issue. But when those methods does not work  you may try to execute this method manually in the SmO Tester tool using K2 service account. The only required input property which you need is the SiteURL, the rest of the fields can be blank. This action should result in an output message “Success”. Once that’s done, you can go back to your SharePoint AppCatalog and Activate or Uninstall the K2 App from there – this time it should not give you any errors.


The trust relationship between this workstation and the primary domain failed – proper fix

All to often I see people doing wrong corrective action whenever they encounter “The trust relationship between this workstation and the primary domain failed” error, it seems that even some Microsoft documentation gives you bad advice. What you have to do if you got this error is use proper resolution methods instead of lengthy and wrong join workgroup, then join to domain again approach.

In case you working with multiple VMs joined to domain and play with snapshots you may very likely run into this error at some point. Here is the screen shot:

This error caused by the fact that your computer account secure channel is broken. All computers joined to domain have SID along with their “username” and password albeit you never touch or input those things in any explicit way. Un-join and re-join again to domain procedure will create new SID for your computer which may be not the thing you want. When you log on to domain with user name and password secure channel is being established, but it can be broken in the following scenarios:

  • Machine was offline more than 30 days since last computer password reset (it happens automatically for machine approximately every 30 days when it is online)
  • OS was reinstalled (this process creates new machine SID)
  • LSA on the machine is out of sync

Key thing to remember when you got this issue is never join workgroup and then to domain again as this process creates new SID and your machine will lose all its group memberships (if it had any, of course).

Right fixes:

  1. ADUC > Reset Computer, then rejoin machine to domain
  2. dsmod computer -reset, rejoin: dsmod computer “cn=COMPUTER-NAME,ou=Computers,dc=domain,dc=com” -reset
  3. nltest (no rejoin or reboot required): nltest /server:COMPUTER_NAME /sc_reset:domain\domain_controller_name
  4. PowerShell way: Test-ComputerSecureChannel -Repair (no rejoin or reboot required)

I strongly recommend you to remember option 4. So if you see “The trust relationship between this workstation and the primary domain failed” you know that secure channel is broken, you just logon as local administrator on this machine and run this:

Once done logoff your local user and logon back using domain credentials, problem solved!


How to: quickly check which installation type of Windows Server you are using?

Just a quick how to post. When you do more and more remote management with PowerShell it may be necessary for you to quickly check if you run Full Server or Core or Nano. And unless you never logon locally to the box you and you only managing it via PowerShell then you may be not very sure if it is running Full Server, Minimal Management Interface, Core or Nano. There is a ServerLevel registry key available starting from Windows Server 2012, and quick look up for its value will answer this question:

Sample output you may see in case of Nano Server:

Another use case for this key is when you writing a script and need to adjust its behavior depending on whether it is being executed on Full Server, Core or Nano.


Uninstalling assembly from .NET v2 GAC – Assembly Cache Viewer “Access Denied”

Most annoying and confusing part of installing K2 coldfixes (those which involve manual steps) is adding/removing assemblies from GAC – I keep seeing people utterly confused by this process and even despite doing this regularly myself keep bumping into different hurdles from time to time. And judging by amount of questions in the Internet a lot of people experience issues with adding/removing libraries to GAC too.

There is couple of issues with .NET v2 GAC which has so called “Assembly Cache Viewer” representation when you get while browsing to “C:\Windows\Assemlbly” folder. As with any thing designed with some good intentions it is a mixed blessing and especially so when it meets with UAC 🙂 On the one hand it allows for easy uninstall/registration by means of drag and drop, on the other sometimes you can’t uninstall items without cleaning up registry key first and sometimes you have hard time thanks to UAC and Explorer process being always run without elevation.

On my test boxes UAC is normally disabled completely making it easy to work with Assembly Cache Viewer, and in some other cases just disabling UAC by moving respective slider in control panel + reboot solves this or for those avoiding reboots killing explorer and then running it in elevated mode does the trick. But recently I bump into especially annoying scenario where previous battle tested workaround didn’t work for me. Symptoms – you trying to uninstall assembly from .NET v2 GAC – Assembly Cache Viewer and getting “Access Denied”, like that:

Running Exploerer in elevated mode doesn’t help, and if you look at UAC slider in control panel it is already moved to the lowest position pretending to be disabled. Welcome to the world of corporate GPO managed IT environments. This means that User Account Control: run all administrators in Admin Approval Mode policy is Enabled. Solution? gpedit.msc > Security Settings > Local Policies > Security Options > User Account Control: run all administrators in Admin Approval Mode, set this policy to disabled and reboot your machine. Yes, reboot is required. This is really good example of issues that sometimes on a user side/GUI GPOs just silently block stuff with no clear indication of this, consequently even for IT pros it takes some time to figure out that things are failing thanks to those things (think of UAC or IE Enterprise Mode) and unfortunately quickly solving these tiny hiccups largely depends on whether you seen this before or not 🙂


Updated K2 4.7 build is available on

.3 build of K2 4.7 just become available on K2 portal in software downloads section, if you are about to upgrade to 4.7 make sure that you have latest installer bits so that you can benefit from included fixes (OK, in this case this is only one fix, but nonetheless). This specific .3 build resolves the issue when after running the K2 smartforms Setup Manager to re-configure or repair your K2 environment, the SharePoint integrated workflows association to their respective SharePoint lists are broken. That issue has solution/fix but using latest installer build you wont even notice it – so please do have latest installer build before starting your upgrade. Refer to official K2 KB for details: “Upgrading to K2 4.7 breaks the association between K2 workflows and SharePoint Lists and Libraries

By the way unlike it was with some earlier minor installer build updates K2 made big strides in documenting this publicly – great to see improved transparency and documentation around minor installer builds.

So in case you planning your 4.7 upgrade today your build number supposed to be 4.16060.2000.3. But in case you going to do it later make sure you are using latest bits (in case your server has internet connectivity installer will also report presence of newer version to you – even if it is minor build update, please not ignore it).


24411 User is not allowed to open worklist item

I recently seen quite an interesting issue which was a bit confusing for author of workflow and took a bit of time to fix (I guess because error message is a bit misleading maybe).

Assume you just deployed a K2 process with Default Client Event inside which assigned to Process Originator as a destination user. What could be simpler? But when process originator tries to open this task using SmatForm Task List (open SmartForm action) he gets an error:

Worklist item could not be opened. 24411 K2:DOMAIN\K2_Service_Account is not allowed to open the worklist item with SN=X_YZ

That’s a bit unexpected, right? Especially when you see K2 service account mentioned in error message instead of real user who tries to open this task. You can guess that somehow user credentials dropped/lost and K2 service account is being used to access task for some reason. The question is why?

The cause of this turned out to be the following setting in K2 SmartForms runtime site web.config file:

<add key=”ConnectAsAppPool” value=”true” />

Once you change above-mentioned setting to “false” things are back to normal and you see expected behaviour without 24411 error upon smartform open actionsmartform open action SmartForm open action.


Exam 70-741: Networking with Windows Server 2016 beta exam

I’ve recently took exam 70-741 which is currently still in beta. I heard some feedback that this exam is quite tough, and honestly giving the fact that sub-net calculation skills tend to fade away without regular practice along with “great constants” (especially new set of IPv6 prefixes and other things you have to remember) I expected to be the difficult one.

Though after watching George Dobrea’s (@gdobrea) 70-741 preparation session recorded at TechEd NA I realized that I rather like practical focus on the exam – much better have network only stuff in one exam instead of having it dispersed across all the other exams in tiny nuggets as we have it in previous generation of certification exams from Microsoft. I really like the way they structured it now, and even early retake of 1 exam requirement is rather good/expected.

After taking beta exam itself I would say that I really liked it as question are really practice focused with short and concise possible answers and really test both your understanding of how it works as well as how to work with it (PowerShell/GUI).

I’m not sure whether I passed or not (for beta exams results being sent to you only after release date and only if you passed this exam) – but overall I didn’t feel like I failed despite plethora of questions about new things and some old things I didn’t remember well enough. Examples of things exam touches on which require revision for me are TrustedAnchors DNS zone, IPAM in general, DNS scavenging, root DNS server and Network Controller.

And just one more observation: The way MSFT orchestrates their product launches for last three product generations or so is really remarkable example on how to do it for any software company. They have it all: well before fancy launch events there is a work and engagement with community and early adopters, exams, training courses and books are prepared to be published just around the release date and by now already traditional free ebooks “Introducing …” available well before the release date clearly communicating selling points and positioning of product (touching on technical topics quite well but mainly giving you a big picture). Probably not any software company has that scale to afford all of this, but if you are vendor of enterprise grade software with established client base you may learn how to do launches from Microsoft – probably no surprises here, at the end of the day this is a company shipping software products since November 1985 release of Windows 1.0 – surely they know how to do this. But by now they really achieved remarkable mastery in product launch process which I can’t help noticing.