WDS, DHCP and different subnets

I decided that it makes sense for me to jot down different things as I prepare for 70-410 and other MSFT exams from the MCSA Server 2012 track, though recently I have had a strange feeling that I'm trying to take MSFT exams just as they are about to retire 🙂.

One of the questions/topics we have had since Server 2008 is WDS, and there are some facts to be aware of when it comes to WDS.

  1. Port 67. The WDS server uses UDP 67, and this is the same port the DHCP server listens on. In case of coexistence of DHCP and WDS on the same server you have to configure WDS not to listen on port 67. When you add the WDS role on a server which already hosts the DHCP role, all configuration settings for such coexistence (points 1 & 2 in this list) are configured for you automagically. But if WDS is installed first and then you add the DHCP role, you have to take care of this manually.
  2. DHCP Option 60. Once you have configured WDS not to listen on port 67, you have to configure DHCP option 60, which tells DHCP clients that their DHCP server is also a WDS/PXE (Preboot eXecution Environment) server. You have to switch on DHCP option 60 and set it to "PXEClient". In addition to this, TFTP should be allowed on the WDS server along with the BINL service (UDP 4011). Note: DHCP option 060 PXE Client does not appear unless your server has the WDS role installed.
  3. RFC 1542. If your DHCP/WDS server is on a different subnet from the one your clients reside in, you have to have an RFC 1542-compliant router between these subnets; most modern routers are RFC 1542 compliant. Such routers can be configured to pass BOOTP broadcasts (i.e. broadcast messages which use ports 67 and 68). If you don't have a router compliant with this standard, you have to leverage the RRAS role and configure a DHCP Relay Agent.
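The coexistence settings from points 1 and 2 as one PowerShell script; this is an added example, not from the original post. It assumes the DhcpServer module (Windows Server 2012+) and wdsutil.exe are present on the box that hosts both roles.

```powershell
# Added example (not from the original post): verify who owns UDP 67 / 4011 on a server hosting
# both DHCP and WDS, then apply the coexistence settings (WDS off the DHCP ports, option 60 = PXEClient).
# Run from an elevated PowerShell prompt on the DHCP+WDS server.

# 1) Who is listening on the DHCP port (67) and the BINL port (4011)? On a correctly configured
#    box UDP 67 belongs to the DHCP Server service (svchost) and 4011 to WDS, never 67 to WDS.
Get-NetUDPEndpoint -LocalPort 67, 4011 | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LocalAddress = $_.LocalAddress
        Port         = $_.LocalPort
        ProcessId    = $_.OwningProcess
        Process      = $proc.ProcessName
    }
} | Format-Table -AutoSize

# 2) Tell WDS to stay off the DHCP ports and to advertise itself through DHCP option 60
#    (these are the documented wdsutil switches behind the "DHCP" tab of the WDS server properties).
wdsutil /Set-Server /UseDhcpPorts:No /DhcpOption60:Yes

# 3) Make sure the DHCP server actually hands out option 60 = "PXEClient" server-wide.
#    The option definition is normally created by the WDS role; define it only if it is missing.
$opt60 = Get-DhcpServerv4OptionDefinition -OptionId 60 -ErrorAction SilentlyContinue
if (-not $opt60) {
    Add-DhcpServerv4OptionDefinition -OptionId 60 -Name 'PXEClient' -Type String `
        -Description 'PXE boot class identifier'
}
Set-DhcpServerv4OptionValue -OptionId 60 -Value 'PXEClient'

# Show the resulting server-wide value so the change can be confirmed.
Get-DhcpServerv4OptionValue -OptionId 60
```

For clients on another subnet the same check applies on the relay: the BOOTP/DHCP broadcast must reach this server on UDP 67, whether via an RFC 1542 router or an RRAS DHCP Relay Agent.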

K2 blackpearl installation – complete removal/clean up

Recently I did a lot of test installs of K2 blackpearl reusing the same machines, i.e. it was necessary for me to remove everything related to K2 blackpearl before I could install it again on the same server. Below you may find a few notes/observations with regard to this.

In order to remove K2 blackpearl you just run K2 blackpearl Setup Manager on your server and select "Remove K2 blackpearl":

K2 blackpearl Setup Manager - Remove K2 blackpearl

This will remove all K2 components from your server and will ask you for a reboot. Once this is done, the following things still have to be removed if your goal is to clean up everything and start from scratch:

1) Some files may still remain in the following folders:

If your goal is a full clean up you can remove all these folders, given that you uninstalled all your K2 components via Setup Manager beforehand and there are no K2 components listed in Programs and Features (appwiz.cpl). NOTE: If you have SmartForms or other additional components, uninstall them in reverse order: the last component installed is removed first, and so on.

2) Self-signed certificates for the K2 server and sites are not removed from the Personal certificate store (machine) on your K2 server. If your goal is a full clean up you may want to remove them too.

3) The K2 database is not deleted either; for a complete clean up you should drop/remove it on the SQL server.

4) I also noticed that in my case the K2WTS service had not been removed correctly by Setup Manager during the removal process. The K2WTS service is also known under the display name "K2 Claims To Windows Token Service." Here is an example of how to check if it is still present after removal of K2 blackpearl via PowerShell:

Below is sample output in case the service is still present:

Get-WmiObject K2WTS

No output means that no service with such a name was found.

And this is how to remove it via PowerShell:

Of course there are other ways to remove a service in Windows, as Remove-WmiObject is available only in PS 3.0 or newer. You can also use sc.exe or even locate and delete the relevant entry in the registry using regedit.exe.
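The check and the removal from point 4 combined into one script that also handles the PS 2.0 case; this is an added example, not the post's own snippet.

```powershell
# Added example (not the post's own snippet): check whether the K2WTS service survived the
# K2 blackpearl removal and, if so, remove it. Run from an elevated PowerShell prompt.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='K2WTS'"
if (-not $svc) {
    Write-Output 'K2WTS service not found: nothing to clean up.'
    return
}
Write-Output ("Found service {0} ('{1}') state={2} binary={3}" -f `
    $svc.Name, $svc.DisplayName, $svc.State, $svc.PathName)

# Stop it first: deleting a running service only marks it for deletion until the next reboot.
if ($svc.State -ne 'Stopped') {
    Stop-Service -Name $svc.Name -Force -ErrorAction Stop
}

if ($PSVersionTable.PSVersion.Major -ge 3) {
    # PS 3.0+: Remove-WmiObject deletes the service definition through WMI.
    $svc | Remove-WmiObject
} else {
    # PS 2.0 fallback: call Win32_Service.Delete() directly (ReturnValue 0 = success).
    # Equivalents outside PowerShell: 'sc.exe delete K2WTS', or deleting the
    # HKLM\SYSTEM\CurrentControlSet\Services\K2WTS key in regedit.exe.
    $result = $svc.Delete()
    if ($result.ReturnValue -ne 0) {
        throw "Win32_Service.Delete() returned $($result.ReturnValue)"
    }
}

# Confirm the service definition is really gone.
if (Get-WmiObject -Class Win32_Service -Filter "Name='K2WTS'") {
    Write-Warning 'K2WTS still present (a reboot may be needed if it was marked for deletion).'
} else {
    Write-Output 'K2WTS service removed.'
}
```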


Fixing failed Windows 10 Anniversary Update and DISM & ReFS registry hack

This blog post covers some issues I ran into while installing the Windows 10 Anniversary Update on one of my machines and some other issues I discovered/fixed in the process 🙂

As I tweeted earlier, for me the Windows 10 Anniversary Update failed on one of my home machines:

AnniversaryUpdate Error

The machine was really low on space on the C drive and installation of the update failed with error code 0x800705b4. Once I realized it, I tried to use the available option to move the download folder to another drive and freed up enough space on the C drive, but in spite of this I kept getting this 0x800705b4 error. Back then there was no MSFT KB on this, and after a while Windows Update even stopped offering the Anniversary Update to me. So I gave up temporarily.

Yesterday I decided to give it another try, and as the Anniversary Update was no longer offered via Windows Update I downloaded the Windows 10 Upgrade Assistant from support.microsoft.com:

AnniversaryUpdate Download Tool

Once downloaded, this tool provides you with a wizard-style UI for the upgrade:

AnniversaryUpdate Upgrade Assistant

This tool allowed me to retry installation of the Anniversary Update, but I ended up with the same 0x800705b4 error. This time, Googling it, I somehow came across an official MSFT KB dedicated to this error. I guess I wasn't able to find this useful KB earlier because I tried to search for something specifically applicable to the Anniversary Update, whereas it was rather a generic Windows Update error.

The first suggestion from the above-mentioned KB, "sfc /scannow" executed from an elevated command prompt, seemingly helped me, but I got a credentials prompt at the update installation stage. At this point I decided to give MSFT support a call, or rather I opted to request a call back from them, which I received relatively quickly, and it helped me to move further. I was told that I had to activate my Windows using the Windows 8.1 key I had by means of issuing the following command:

This brings up the following window, which allows you to activate your Windows system:

AnniversaryUpdate slui 3

Once activation succeeded I was advised to start the update process from scratch, and I also got a recommendation to use the update from installation media to speed up this process. I opted to continue with the Windows 10 Upgrade Assistant.

But alas, once I did the activation I ran into the same error, and "sfc /scannow" was not able to fix it, so I proceeded to suggestion #2 from the MSFT KB: use DISM to fix Windows Update corruption errors. The solution is to run this:

The KB also states that you have to use repair from a source here, but I decided to try online repair first and ran into the following problem:

DISM Error 50

The error message here is rather non-descriptive and gives little hint of what is really wrong. Then I realized that I had already struggled with this back when I tried to play with Windows To Go and gave up on it. But since then an answer to this has appeared on the Internet:

BEST FIX: Error 50 DISM does not support servicing Windows PE with the /online option

Essentially this error is caused by a misplaced MiniNT key in the registry, which makes DISM think that you are trying to service a Windows PE installation. And truth be told, I have nobody to blame for that except myself, as I did a little unsupported trick to enable ReFS support on Windows 8.1 a long time ago, and I have seen some other issues caused by this unsupported registry hack. So the takeaway here is that if you use this enable-ReFS trick, either enable it to format your drives and then remove the registry key, or, if for some strange reason you want to keep it, be prepared for issues like non-working Windows Restore and this DISM error 50.
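A pre-flight check for the MiniNT problem before running the online DISM repair; this is an added example, not from the post. It assumes the key lives at HKLM\SYSTEM\CurrentControlSet\Control\MiniNT, the location the ReFS-on-client trick uses, and that you run it elevated.

```powershell
# Added example (not from the post): before running 'DISM /Online /Cleanup-Image /RestoreHealth',
# look for the leftover MiniNT key that makes DISM treat the running OS as Windows PE (error 50).
# Assumption: the key is HKLM\SYSTEM\CurrentControlSet\Control\MiniNT, the location used by the
# unsupported ReFS trick. The key is exported to a .reg file before it is deleted.
$miniNtPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\MiniNT'
$miniNtReg  = 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNT'
$backupFile = Join-Path $env:TEMP 'MiniNT-backup.reg'

function Test-MiniNTKey {
    # $true when the key that confuses DISM is present on this machine.
    Test-Path -Path $miniNtPath
}

if (Test-MiniNTKey) {
    Write-Warning 'MiniNT key present: DISM /Online will fail with error 50 until it is removed.'
    # Show what is under it (e.g. the ReFS override value) for the record.
    Get-ItemProperty -Path $miniNtPath | Format-List *

    # Export first so the ReFS trick can be restored later with 'reg import' if really wanted.
    reg export $miniNtReg $backupFile /y | Out-Null
    Remove-Item -Path $miniNtPath -Recurse -Force
    Write-Output "MiniNT key removed (backup written to $backupFile)."
} else {
    Write-Output 'No MiniNT key found; DISM should treat this as a normal online installation.'
}

# Now the online repair the KB suggests can run; exit code 0 means success.
dism.exe /Online /Cleanup-Image /RestoreHealth
Write-Output "DISM exit code: $LASTEXITCODE"
```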

Anyhow, once I removed the MiniNT key DISM cleanup-image worked well for me and I was able to install the Anniversary Update, albeit not without another minor glitch which causes a disproportionate amount of fuss on the Internet (example); it looks like people don't see how the Anniversary Update is being rolled out smoothly on 80%+ of a super-diverse hardware base and moan about individual issues with random configurations/old hardware, saying that MSFT does a poor job here. Just for your reference, on two other machines I have this update installed automatically without the slightest issue (and one of them was a really old Dell desktop with a customized configuration). The glitch I'm talking about is that during update installation, on the first boot I got an endless spinning circle on a black background; being experienced with this I waited up to 4 hours, then looked on the Internet, where a lot of folks report that it was necessary to unplug various Bluetooth USB dongles to get around this issue, and some even report that they were guided by MSFT to do a 3-times hard power off to get into recovery mode... 🙁 Just in case, I removed my Logitech Unifying receiver from the USB port and waited a bit more (~15 mins or so), then just powered down my desktop and switched it on again: the system started just fine.

So with a bit of help here and there my entire household now runs the Windows 10 Anniversary Update (2 desktops & 1 laptop). I hope this blog post may help those who run into similar issues.


How to: Drop multiple databases via SQL script (no worries, backup/restore is covered too :) )

Recently I did rather a lot of tests requiring me to work with non-consolidated K2 DBs. The tests included multiple DB restore/delete operations, and I realized that I needed a script to quickly drop all my K2 DBs and start from scratch. Here is the script:

The script selects every database prefixed with "K2", and you just need to copy its output into a new query window and execute it.

And in case you tend to back up things before you delete them, here is a similar script for backup:

And for restore you can use the script below. Unfortunately it uses hard-coded file paths, but assuming your backup files have the default DB names (and, for example, were created by the script above) you can get away with minimal find-and-replace adjustments (the path to the backup files and your SQL instance data directories may need to be adjusted). Here is the script for restore:
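A generator for the backup and drop statements described above, written as an added PowerShell example rather than the post's own T-SQL scripts. It assumes Invoke-Sqlcmd (SqlServer or SQLPS module); the instance name and backup folder are placeholders.

```powershell
# Added example (not the post's scripts): build BACKUP and DROP statements for every database
# whose name starts with 'K2' and print them for review, so they can be pasted into a new SSMS
# query window as the post describes. Assumes Invoke-Sqlcmd (SqlServer/SQLPS module).
$instance  = 'SQLSERVER01\K2'    # placeholder SQL instance
$backupDir = 'D:\Backups\K2'     # placeholder folder; must exist and be writable by the SQL Server service
$prefix    = 'K2'

function Get-PrefixedDatabases {
    param([string]$ServerInstance, [string]$Prefix)
    # database_id > 4 excludes master/tempdb/model/msdb even if someone names one oddly.
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Query @"
SELECT name FROM sys.databases
WHERE name LIKE '$Prefix%' AND database_id > 4
ORDER BY name;
"@
}

function New-BackupScript {
    param($Databases, [string]$Folder)
    $stamp = Get-Date -Format 'yyyyMMdd_HHmmss'
    foreach ($db in $Databases) {
        $file = Join-Path $Folder ("{0}_{1}.bak" -f $db.name, $stamp)
        "BACKUP DATABASE [$($db.name)] TO DISK = N'$file' WITH INIT, STATS = 10;"
    }
}

function New-DropScript {
    param($Databases)
    foreach ($db in $Databases) {
        # Kick out open connections first; otherwise DROP DATABASE fails with "database is in use".
        "ALTER DATABASE [$($db.name)] SET SINGLE_USER WITH ROLLBACK IMMEDIATE;"
        "DROP DATABASE [$($db.name)];"
    }
}

$dbs = Get-PrefixedDatabases -ServerInstance $instance -Prefix $prefix
if (-not $dbs) {
    Write-Output "No databases with prefix '$prefix' found on $instance."
    return
}

Write-Output '-- Backup script (run this first and check that every backup completed)'
New-BackupScript -Databases $dbs -Folder $backupDir
Write-Output ''
Write-Output '-- Drop script (run only after the backups above succeeded)'
New-DropScript -Databases $dbs
```

Nothing is executed against the server except the SELECT; the generated statements are printed so you can read them before running them.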


How to create a self-signed certificate for a K2 NLB cluster and add it to Trusted Root CAs on client machines via GPO

I've recently recorded a video covering this topic, but I think it also makes sense to write a bit here, if only to give you the ability to copy-paste the related commands 🙂

When you install a K2 blackpearl NLB cluster, K2 Setup Manager can create the K2 sites for you, and it also creates HTTPS bindings for them. But K2 Setup Manager creates individual self-signed certificates for each of the NLB cluster nodes, which leads to an ugly certificate security warning whenever you try to access K2 Workspace or any other K2 site.

To address this you have to do the following:

1) Create a new self-signed certificate for your K2 NLB cluster name using the New-SelfSignedCertificate cmdlet:

You have to do this on one of your K2 servers. This cmdlet will create a new self-signed certificate and place it in the Personal certificate store of your server. Copy the certificate hash from the output of this command; you will need it for the next steps.

2) Next you want to obtain the appid of your current K2 HTTPS app/binding using the following command (use an elevated CMD for this):

Copy the appid from the output to use in step 3.

3) "Delete"/un-assign the current SSL certificate from your HTTPS binding (the one which was assigned by K2 Setup Manager):

Insert your certificate thumbprint copied in step (1) and the appid obtained in step (2) into the following command and execute it from an elevated command prompt:

At this point we have created a self-signed certificate and assigned it to the HTTPS binding for K2 on our first server. But we are still going to get a certificate warning because our certificate is self-signed and not trusted. To address this it is necessary to import it into Trusted Root Certification Authorities on all machines which we will be using to access K2 sites.

4) In this step we will export the certificate into a P7B file to further import it into Trusted Root Certification Authorities. Execute the following in PowerShell:

This will create the "servercert.p7b" file in the root of the C drive. For testing purposes you can add it into Trusted Root Certification Authorities manually on your K2 server: right-click on it, select Install Certificate > Next > Place all certificates in the following store > Browse > Trusted Root Certification Authorities > OK > Next > Finish.

At this point you should be able to access K2 Workspace via the NLB name from your 1st K2 server, assuming all the steps listed above were performed on it and you don't hit the second node of your K2 NLB cluster by chance. To exclude the latter, you can take this node offline or Stop it in NLB Cluster Manager:

K2 NLB Stop Node

5) Now we can just deploy our P7B certificate file to Trusted Root Certification Authorities on all machines in our domain using the GPO certificate deployment option (Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities):

K2 NLB Import Certificate GPO

Once you have created this GPO and linked it to the appropriate OU (the one which contains the machines from which you access K2 sites), you can update local group policy on your client machines and access K2 sites via the NLB name using HTTPS without any certificate-related warnings.

6) Final touch 🙂 We need to add the certificate created in step (1) to the second K2 server and configure it for use with the K2 HTTPS binding on that second server. The P7B file we created earlier is not suitable for this purpose, and we need to export the certificate once again, including the private key this time.

Run MMC on K2 server one and add the Certificates snap-in targeting the Computer certificate store:

K2 NLB Open Computer Cert Store

Locate your K2 NLB cluster certificate created in step (1) and export it including the private key:

K2 NLB Export Certificate

Make sure you select "Export Private Key", specify a password for the certificate, and in the end you should get a PFX file. Copy this PFX file to your second server and install it into the Personal certificate store of that machine, then use the IIS console and select this certificate for the K2 sites' HTTPS binding.

That's it: you have created a self-signed certificate for the K2 NLB cluster name, configured it for use on all your nodes, and added it to Trusted Root Certification Authorities on all your machines via GPO.
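Steps 1 to 4 and 6 of the procedure above in one elevated PowerShell script; this is an added example, not the post's own command listing. It assumes the cluster name k2nlb.contoso.com, the HTTPS binding on 0.0.0.0:443, and the output paths shown (all placeholders).

```powershell
# Added example (not the post's commands): self-signed cluster certificate, binding swap,
# P7B export for the GPO, and PFX export for the second node. Run elevated on K2 node one.
$nlbName = 'k2nlb.contoso.com'   # placeholder cluster FQDN used by clients
$ipport  = '0.0.0.0:443'         # placeholder; the IIS HTTPS binding K2 Setup Manager created

# Step 1: new self-signed certificate for the cluster name in the machine Personal store.
$cert  = New-SelfSignedCertificate -DnsName $nlbName -CertStoreLocation 'Cert:\LocalMachine\My'
$thumb = $cert.Thumbprint
Write-Output "Cluster certificate thumbprint: $thumb"

# Step 2: read the appid of the existing HTTPS binding from netsh instead of hard-coding it.
$bindingInfo = netsh http show sslcert ipport=$ipport
$match = $bindingInfo | Select-String 'Application ID\s*:\s*(\{[0-9a-fA-F-]+\})'
if (-not $match) { throw "No SSL binding found on $ipport; check the K2 site bindings in IIS." }
$appid = $match.Matches[0].Groups[1].Value

# Step 3: drop the per-node certificate from the binding and attach the cluster one.
netsh http delete sslcert ipport=$ipport
netsh http add sslcert ipport=$ipport certhash=$thumb appid=$appid

# Step 4: public part only (no private key) for the Trusted Root CA GPO deployment.
Export-Certificate -Cert $cert -FilePath 'C:\servercert.p7b' -Type P7B | Out-Null

# Step 6: certificate plus private key as a password-protected PFX for the second node.
$pfxPassword = Read-Host -Prompt 'Password to protect the PFX' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath 'C:\k2nlb.pfx' -Password $pfxPassword | Out-Null

# On node two (after copying C:\k2nlb.pfx there) import it into the machine Personal store
# and then pick it for the K2 HTTPS binding in the IIS console, or repeat step 3 there:
#   Import-PfxCertificate -FilePath C:\k2nlb.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword
```

Treat the PFX like a credential: it carries the private key every client will trust for the cluster name, so delete the copy once node two has imported it.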

Here is the video which walks you through all these steps:


How to: Join Windows Server 2012 Core to domain

Since Windows Server 2012 allows adding/removing the GUI "on the fly" via Uninstall-WindowsFeature/Install-WindowsFeature and their aliases, the number of "How do I do X in Server Core" questions has decreased drastically, as there is now a universal lazy man's response to this: temporarily add the GUI, do thing X, and remove the GUI again. Not always time efficient, but effective 🙂

Anyhow, almost everything can be done without the GUI. Here are your options to perform a domain join operation for a Server Core box:

1) Old-school crutch sconfig 🙂 Option (1):


You may see that it actually uses netdom.exe in the background when it asks for a password:

sconfig domain join

It even suggests that you change the computer name in case you forgot to do it in advance:

sconfig domain join - computer name change prompt

Assuming you entered the correct password and your DNS/IP settings allow you to locate and reach a domain controller, you will receive a reboot prompt at the end of this process:

sconfig domain join - restart prompt

Once the restart is performed you can verify the results either via WMIC or PowerShell:

sconfig domain join - verify via WMIC or PS

2) Add-Computer cmdlet.

3) djoin command. This one allows you to perform an offline domain join.


There is also the related dsadd command, but this can only be used to pre-create a computer account in the domain. This utility will create a computer account in the domain but will not join the local computer from a workgroup to the domain.
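Options 2 and 3 above plus the verification step as an added PowerShell example (not the post's own commands); contoso.com, CORE01, the join account, the OU and the blob path are placeholders.

```powershell
# Added example (not the post's commands): domain join of a Server Core box via Add-Computer
# (online) or djoin (offline), then a membership check usable after any of the three options.

# Option 2: online join. Prompts for the join account's password and restarts when done.
# -OUPath is optional; it places the computer object straight into the intended OU.
Add-Computer -DomainName 'contoso.com' `
             -Credential (Get-Credential -UserName 'CONTOSO\joinaccount' -Message 'Domain join account') `
             -OUPath 'OU=ServerCore,DC=contoso,DC=com' `
             -Restart

# Option 3: offline domain join with djoin (shown as the two commands, one per machine).
#   (a) On a machine that can reach a DC, pre-create the account and write the blob file:
#       djoin /provision /domain contoso.com /machine CORE01 /savefile C:\odj\CORE01.txt
#   (b) On the Server Core box, with no DC reachable yet, consume the blob and reboot:
#       djoin /requestODJ /loadfile C:\odj\CORE01.txt /windowspath %SystemRoot% /localos
#       shutdown /r /t 0
#   The blob contains the machine account password: treat the file as a secret and delete it after use.

function Test-DomainMembership {
    # Same facts the post checks with WMIC, plus whether the secure channel to the DC works.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    [pscustomobject]@{
        ComputerName  = $cs.Name
        Domain        = $cs.Domain
        PartOfDomain  = $cs.PartOfDomain                      # $false = still in a workgroup
        SecureChannel = if ($cs.PartOfDomain) { Test-ComputerSecureChannel } else { $false }
    }
}

Test-DomainMembership
# Equivalent WMIC one-liner from CMD:  wmic computersystem get name,domain,partofdomain
```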



K2 Community Articles

Since K2 Community Articles were introduced a year or so ago, this channel has brought a lot of great content to the K2 community site. Of course quality varies across the board for these articles, but the bottom line is that the K2 community benefits from quickly available, relevant information on real-world K2 issues. I see a lot of folks solving their problems without logging a support ticket, or discovering relevant information at an early stage of investigating their issues, often without any help from K2 support engineers.

I authored some of these articles and edited others, and as I sometimes found it difficult to locate one or another K2 community article I worked on, I decided to list all of these articles here. I think I will also list links to some really good articles authored by other people.

A good entry point to check out the latest Community Articles on the K2 community site is this page, where you can see such things as popular threads in the K2 Community, the latest community articles, as well as the most kudo'd authors and articles.

In case you see any mistakes (technical or just typos/grammar 🙂) or have any questions about those articles, feel free to let me know about them via comments under this post.

Currently I am just listing the articles in no particular order, but I may categorize/rearrange them at some later point.

K2 blackpearl service high RAM usage

K2 Host Service CPU usage close to 100%

Thread pool locking issues when using K2 Client API inside of workflow

Unresponsive K2 Workspace – Server run out of worker threads

IPC Event processing delays

Workflow permissions not working correctly when configured via group

Analysis fails after upgrading from 4.6.x to 4.6.8: Constrained delegation is not enabled for the Active Directory account


“Value cannot be null. Parameter name: token” for K2 links on SP2013 site in SP2010 compatibility mode

When you migrate SharePoint and K2 you may run into a problem where all K2 links for your site just give you "Value cannot be null. Parameter name: token." I ended up having this issue after just changing the site collection compatibility range (for testing purposes; here is how to do it) and then creating a new site within it in SP 2010 compatibility mode. Immediately it was possible to see that something was wrong/missing:

K2 - Value cannot be null for SP 2010 Compatibilty mode site

Here is how to fix this. What you need to do is configure classic Windows claims to work with K2 from a SharePoint claims-enabled site (see my earlier blog post on how to configure claims authentication for your site; there is also a related K2 help section). To configure classic Windows claims for K2 you have to do the following:

1) Retrieve the SigningCertificateThumbprint by issuing the following command in the SharePoint 2013 Management Shell:

Copy the returned value to use in step 2.

2) Open SQL Server Management Studio and edit the SQL script below, replacing the value "CAEF8EEA3D68074C347AC9584E60C6FC406C8AAB" with the one retrieved in step (1) in your environment.

3) Next you can check the Identity.ClaimsIssuer table in the K2 database:

It should contain SharePoint Windows STS with the appropriate thumbprint value:

K2 - Value cannot be null for SP 2010 Compatibilty mode site - Issuers

Once this is done, that "Value cannot be null. Parameter name: token" error should be gone. It seems that in my case the thumbprint value changed in my environment (i.e. I'm pretty sure that the entry for SharePoint Windows STS did exist in my ClaimsIssuer table), though I'm not sure what triggered that change.
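A check that ties steps 1 and 3 together, written as an added example rather than the post's script: it reads the STS signing thumbprint from SharePoint, compares it with the K2 table, and prints (does not run) the UPDATE for step 2. It assumes the SharePoint 2013 Management Shell, Invoke-Sqlcmd, and that the ClaimsIssuer table has Name and Thumbprint columns (an assumption to verify against your K2 database).

```powershell
# Added example (not the post's script): compare SharePoint's Windows STS signing thumbprint
# with the one stored in the K2 database and print the fix for review.
# Assumptions: run in the SharePoint 2013 Management Shell with Invoke-Sqlcmd available;
# [Identity].[ClaimsIssuer] has columns Name and Thumbprint (check your schema first).
$k2Instance = 'SQLSERVER01'             # placeholder K2 SQL instance
$k2Database = 'K2'                      # placeholder K2 database name
$issuerName = 'SharePoint Windows STS'  # row name the post shows in the ClaimsIssuer table

function Get-SharePointStsThumbprint {
    # Thumbprint of the certificate SharePoint uses to sign Windows (classic) claims tokens.
    (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate.Thumbprint
}

function Get-K2IssuerThumbprint {
    param([string]$Name)
    $row = Invoke-Sqlcmd -ServerInstance $k2Instance -Database $k2Database -Query @"
SELECT Name, Thumbprint FROM [Identity].[ClaimsIssuer] WHERE Name = N'$Name';
"@
    if ($row) { $row.Thumbprint } else { $null }
}

$spThumb = Get-SharePointStsThumbprint
$k2Thumb = Get-K2IssuerThumbprint -Name $issuerName

if (-not $k2Thumb) {
    Write-Warning "No '$issuerName' row in Identity.ClaimsIssuer: K2 cannot validate SharePoint tokens."
} elseif ($k2Thumb -ieq $spThumb) {
    Write-Output "K2 already trusts the current STS certificate ($spThumb); nothing to change."
} else {
    Write-Warning "Mismatch: K2 has $k2Thumb but SharePoint signs with $spThumb."
    Write-Output "-- review, then run in SSMS against [$k2Database]:"
    Write-Output "UPDATE [Identity].[ClaimsIssuer] SET Thumbprint = N'$spThumb' WHERE Name = N'$issuerName';"
}
```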


Excel opens empty when you try to open a file downloaded from the Internet

I regularly have to download Excel files from the Internet, and it is quite annoying when Excel sometimes opens an empty file like this:

Excel 2016 - Opens blank

It looks really confusing as it does not show you any errors or warnings (Excel thinks that it did what you wanted and all is OK? 😉). But actually this is Protected View in action. Though what I really don't understand is where all the warnings that are supposed to accompany this mode went 🙂

So in case you want to open Excel files downloaded from the Internet, navigate to File > Options > Trust Center > Trust Center Settings > Protected View:

Excel 2016 - Opens blank - Protected View

The problem is that when you try to open an Excel file downloaded from your browser without saving it first, you are subject to two restrictions at once (highlighted in yellow above): first, your file is marked as downloaded from the Internet, and second, it is placed somewhere in Temporary Internet Files, which is considered a potentially unsafe location. So just un-check these settings and you will be able to open Excel files downloaded from the Internet without needing to save them somewhere first. There will be some warning/prompt where you will be able to say open anyway, and the file opens just fine after this.
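A per-file alternative to switching Protected View off for everything downloaded: inspect the "downloaded from the Internet" mark that triggers the first restriction and clear it for one file you have decided to trust. This is an added example, not from the post; the file name is a placeholder.

```powershell
# Added example (not from the post): Excel's "file originated from the Internet" check reads
# the Zone.Identifier alternate data stream that browsers attach to downloads (ZoneId=3 =
# Internet zone). Inspect it, then clear it for this one file with Unblock-File, leaving
# Protected View enabled for everything else.
function Get-DownloadZone {
    param([Parameter(Mandatory)][string]$Path)
    $ads = Get-Content -Path $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $ads) { return $null }                         # no mark-of-the-web at all
    $m = $ads | Select-String '^ZoneId=(\d+)'
    if ($m) { [int]$m.Matches[0].Groups[1].Value } else { $null }
}

# Saving the download (instead of opening it from the browser) also avoids the second
# restriction, the "unsafe location" check on Temporary Internet Files.
$file = Join-Path $env:USERPROFILE 'Downloads\report.xlsx'   # placeholder file name

$zone = Get-DownloadZone -Path $file
if ($null -eq $zone) {
    Write-Output "$file carries no Zone.Identifier stream; Excel will open it normally."
} elseif ($zone -eq 3) {
    Write-Output "$file is marked Internet (ZoneId=3): Protected View will be used."
} else {
    Write-Output "$file has ZoneId=$zone."
}

# Clear the mark only after you have satisfied yourself about where the file came from.
if ($zone -eq 3) {
    Unblock-File -Path $file
    Write-Output ("Unblocked; ZoneId now: {0}" -f (Get-DownloadZone -Path $file))
}
```

Get-Content -Stream and Unblock-File need PowerShell 3.0 or later.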


Configuring K2 NLB cluster – Part 1

I've just recorded a YouTube video on how to configure Windows NLB for a K2 NLB cluster:

Please bear with the uninspiring introduction, where I'm clumsily trying to explain what DNS round robin is, and excuse my overuse of the interjection "so", which I noticed only after reviewing my recording; I will try to improve my presentation skills in the future 🙂 For now it is all down to "live demo" pressure 🙂

The one thing I didn't touch on in this video is Extended Affinity. Actually, as soon as you configure the timeout value available for Single or Network affinity in Multiple host filtering mode, you start using the Extended Affinity feature, which was introduced in Windows Server 2008 R2.

Windows NLB Extended Affinity

Unfortunately I'm not aware of official K2 recommendations in terms of Extended Affinity (the K2 documentation features screenshots from some old Windows Server version, it seems), but it seems to be something you may want to leverage for K2 Workspace/SF/SP.

Also, in the video I was a bit imprecise in selecting Both protocols in the port rules; based on the official documentation you only need TCP, and your port rules should look like this:

K2 NLB Port Rules

The configuration of port rules in the screenshot above assumes that both K2 blackpearl (K2 Host Server service) and K2 Workspace are hosted on the same cluster.

Also I should note that, unfortunately, I was not able to make Unicast mode work in VMware Workstation based environments, as it is not as simple as just adding an extra NIC, but for testing purposes it may be sufficient to use Multicast. For production deployments you either use Multicast or, if your network equipment allows it, IGMP Multicast for small/medium size environments. For large environments MSFT itself recommends using more advanced load balancers (among the most popular today are those from F5, and there are a lot of K2 deployments where F5 ADCs are used).

Just for clarity I will also quote an old note from windowsitpro.com (from 2006 🙂) which clarifies this two-NICs requirement for Unicast NLB quite neatly:

Unlike Microsoft Cluster service clusters, in which you should have separate NICs to separate regular traffic from the cluster heartbeat traffic, NLB members don't need multiple NICs. However, many people still recommend two NICs in NLB servers, given the low cost of quality NICs. Additionally, multiple network cards are desirable in the following situations:

  • For inter-host communication between NLB cluster members when operating in unicast mode. With only one NIC, NLB members are unable to communicate directly with each other.

  • If the NLB members connect to back-end services, for example a Microsoft SQL Server database, it might be desirable to use separate NICs to separate the front-end and back-end traffic.

You may also see the following error whenever you try to run the NLB console directly from one of your NLB hosts:

NLB Error When Console Run from NLB host

This is a known issue and you can safely ignore it. Just run the NLB management console from your management workstation and you will not receive any errors.

Links to related official K2 documentation:

(1) K2 blackpearl Installation and Configuration Guide > Prerequisites > Set up NLB

Takeaways from this document:

“For a K2 Host Server cluster, use a Unicast operation mode and set the affinity to None. Since the K2 Host Server is a stateless machine, no affinity is necessary per session.”

"For a K2 Workspace Server cluster, use a Unicast operation mode and set the affinity to Single. You will want to ensure that the web pages retain an affinity to the web server during the session."

“For a K2 for SharePoint Server cluster, use a Unicast operation mode and set the affinity to Single. You will want to ensure that the web pages retain an affinity to the web server during the session.

The same is true for all server clusters that host web based components (such as Process Portals, web services, web parts).”

"As mentioned in the Network Load Balancing Setup and Configuration topic, at least two network adaptors are required when the Unicast operation mode is selected.

Set up the NLB configuration to allow traffic through on the K2 Workflow (default of 5252) and K2 Hostserver (default of 5555) ports."
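The port rules matching the K2 guidance quoted above (TCP only, affinity None for the host server ports, Single affinity with a timeout, i.e. Extended Affinity, for the web components), written with the NetworkLoadBalancingClusters module as an added example; neither the post nor the K2 documentation provides this script. The interface name is a placeholder, and the cluster is assumed to exist already.

```powershell
# Added example (not from the post or the K2 docs): NLB port rules for a cluster that hosts
# both the K2 Host Server and K2 web components. Run on one node; rules replicate cluster-wide.
Import-Module NetworkLoadBalancingClusters
$nic = 'NLB'   # placeholder: name of the adapter bound to the NLB cluster on this node

function Set-K2NlbPortRules {
    param([string]$InterfaceName)

    # Drop the catch-all default rule (0-65535) so only the intended ports are balanced.
    $default = Get-NlbClusterPortRule -InterfaceName $InterfaceName |
        Where-Object { $_.StartPort -eq 0 -and $_.EndPort -eq 65535 }
    if ($default) {
        Remove-NlbClusterPortRule -InterfaceName $InterfaceName -Port 0 -Force | Out-Null
    }

    # K2 Workflow (5252) and K2 Host Server (5555): stateless, TCP only, affinity None.
    foreach ($port in 5252, 5555) {
        Add-NlbClusterPortRule -InterfaceName $InterfaceName -StartPort $port -EndPort $port `
            -Protocol Tcp -Mode Multiple -Affinity None | Out-Null
    }

    # Workspace / SmartForms / SharePoint: TCP 80 and 443, Single affinity so a browser session
    # sticks to one node; a non-zero Timeout (minutes) is what enables Extended Affinity.
    foreach ($port in 80, 443) {
        Add-NlbClusterPortRule -InterfaceName $InterfaceName -StartPort $port -EndPort $port `
            -Protocol Tcp -Mode Multiple -Affinity Single -Timeout 30 | Out-Null
    }

    Get-NlbClusterPortRule -InterfaceName $InterfaceName
}

Set-K2NlbPortRules -InterfaceName $nic |
    Format-Table StartPort, EndPort, Protocol, Mode, Affinity, Timeout -AutoSize
```

Anything not covered by a rule (for example RDP to an individual node) is not load balanced and goes to the node's dedicated IP only, which is what you want.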

(2) K2 blackpearl Installation and Configuration Guide > Planning Guide > Additional Planning Considerations > Network Load Balancing Setup and Configuration

Main takeaway here is the following:

“Traffic to and from a SharePoint site or the K2 Workspace involves a considerable amount of communication from the Web servers to the back-end servers running SQL Server; good connectivity between them is required. It is therefore recommended that Web servers be dual-homed:

  • One network adapter handling the incoming Web requests by using NLB

  • One network adapter acting as a normal server adapter to communicate to the server running SQL Server along with the other servers within the infrastructure, such as domain controllers for authentication purposes”

(3) K2 SmartForms – Setting up NLB

(4) K2 and Firewalls

(5) Seemingly random 401 errors in load balanced SharePoint, Workspace, SSRS and K2 server environments

(6) F5 DevCentral – Load Balancing K2 Blackpearl