Sounds familiar
"The goal is not to provide the best service, but to provide the only service"
Reacher Gilt, CEO The Clacks
Microsoft has patched the patch that broke chunks of Windows and emitted fixes for a Patch Tuesday cock-up that left servers rebooting and VPNs disconnected. There was a time when out-of-band updates from Microsoft were considered a rarity. Not so much these days. On the receiving end of the company's attention were Windows …
I can understand your point about restoring from a snapshot, but easier said than done when you're 12-24hrs in before the issue is realised on a Domain Controller and things have changed and moved along, and restoring to a previous time will cause more issues than just uninstalling the patches.....
Regardless of the backend, M$ is crystal clear that restoring from a snapshot is a great way to hose your active directory. The AD synchronization code was built by the clinically insane, and includes what is essentially a one way incrementing counter/timestamp. If you have the mandatory secondary DC, and the two have synced since the snapshot, when you restore the DC it will start on the old values and the sync code breaks.
Congratulations! You have won Active Directory database corruption! Please proceed to obscure technet articles to discover the joy of trying to clean it up line by line at the command line and the joy of typing GUIDs in manually. Have a nice day! Or just tie a noose for yourself out of the nearest cat 5 cable.
I'm close to replacing our DCs with a SAMBA server just so that I can have a safe and sane restore capability that isn't dependent on code that was deranged 30 years ago and hasn't really changed since.
Since server 2012 you can restore from a snapshot as long as you are running an appropriate hypervisor that supports the msDS-GenerationID attribute, which is pretty much any recent version of any of the mainstream hypervisors.
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ada2/11b969e5-180c-4c16-89b4-2a2bf3317660
But when you do that, what happens to the Workstation Passwords? Last I looked ---
MS domain computers are validated by a (binary) password, (the process is exactly the same as user login), which is replaced/updated every month (or at a configured interval). Once the client password is updated, it doesn't match your snapshot from last month -- which might have been 2 minutes ago. Not a disaster, but all the client machines have to be re-joined to the domain.
You do have at least TWO domain controllers, right? Set burflags appropriately and roll back all but the one you want to be authoritative! Problem sorted.
Or you could consider migrating to a less “agile” platform like RHEL, Debian or Ubuntu where stuff generally doesn’t randomly break when receiving patches.
"But when you do that, what happens to the Workstation Passwords?"
Nothing. Everything keeps on working as normal. If the generation ID is incorrect as the result of a snapshot restore, it will just do a non-authoritative restore from another DC and keep on working.
If you do something silly like only have one DC, or snapshot restore all your DCs at the same time you can probably get yourself into trouble, but otherwise nothing to see here.
More details here if you are interested:
https://blogs.msmvps.com/acefekay/tag/msds-generationid-attribute/
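As an added illustration of the point in the reply above (this is example code written for this page, not something posted in the thread or taken from Microsoft), the following PowerShell collects the three things you would want to check on a virtualised DC before trusting a snapshot revert: whether msDS-GenerationId is populated at all (if it is not, the hypervisor does not expose a VM Generation ID and the safeguards do not apply), the DC's current InvocationId (which changes when the DC safely recovers from a restore), and whether a second DC exists to resync from. It assumes the ActiveDirectory RSAT module is available and is run on the DC itself; the event IDs 2170 and 2174 are the Directory Service log entries Microsoft documents for "Generation ID change detected" and "new invocation ID", and should be treated as an assumption to confirm against your build.

```powershell
# Added example, not from the thread. Run elevated on the virtualised DC.
# Assumptions: ActiveDirectory module present; event IDs 2170/2174 are the
# documented generation-ID-change / new-invocation-ID events for your build.
Import-Module ActiveDirectory

function Get-DcSnapshotState {
    param([string]$DcName = $env:COMPUTERNAME)

    # msDS-GenerationId is stored locally and not replicated, so query this DC directly.
    $computer = Get-ADComputer -Identity $DcName -Properties 'msDS-GenerationId' -Server $DcName
    $genId    = $computer.'msDS-GenerationId'          # byte[] when present, $null otherwise
    $dc       = Get-ADDomainController -Identity $DcName

    [pscustomobject]@{
        DC              = $DcName
        GenerationIdSet = [bool]$genId                   # $false => no VM-GenID support: snapshot revert is NOT safe
        GenerationIdHex = if ($genId) { ($genId | ForEach-Object { $_.ToString('x2') }) -join '' } else { $null }
        InvocationId    = $dc.InvocationId               # record this before the snapshot; it must differ after a safe restore
        DomainDcCount   = (Get-ADDomainController -Filter *).Count
    }
}

function Test-DcSnapshotRestoreSafety {
    param([string]$DcName = $env:COMPUTERNAME)

    $state    = Get-DcSnapshotState -DcName $DcName
    $problems = @()

    if (-not $state.GenerationIdSet) {
        $problems += 'msDS-GenerationId is empty: hypervisor does not expose a VM Generation ID; use an AD-aware backup instead of a snapshot.'
    }
    if ($state.DomainDcCount -lt 2) {
        $problems += 'Only one DC in the domain: after a revert there is no partner to do the non-authoritative resync from.'
    }

    # Evidence that a generation ID change has already been processed (i.e. a revert was detected).
    $restoreEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2170, 2174 } `
                                  -MaxEvents 10 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        State              = $state
        SafeToRevert       = ($problems.Count -eq 0)
        Problems           = $problems
        RecentRestoreEvents = $restoreEvents | Select-Object TimeCreated, Id, Message
    }
}

# Usage: run once before taking the snapshot and keep the InvocationId, then again after a revert.
Test-DcSnapshotRestoreSafety | Format-List
```

If GenerationIdSet is false, the "it will just do a non-authoritative restore from another DC" behaviour described above does not happen, and the revert scenario in the earlier comment (USN rollback) is what you get instead.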
You don't have to rejoin to the domain if you manage to break the trust relationship. Just log on with a local admin account and use Powershell or NETDOM to reset the password (or run the Powershell/Netdom command using your remote management tool):
Reset-ComputerMachinePassword -Server DomainController -Credential DomainAdmin
Netdom resetpwd /Server:DomainController /UserD:DomainAdmin /PasswordD:Password
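The two one-liners above do the reset unconditionally. As an added example (mine, not the commenter's), this wrapper first checks whether the secure channel is actually broken, only then resets the machine account password against a named DC, and falls back to Test-ComputerSecureChannel -Repair if the reset alone did not fix it. $DcName and $Cred are placeholders; pick a DC that was not itself reverted, otherwise you are resetting against stale data.

```powershell
# Added example, not from the thread. Run on the affected workstation while logged on
# with a local admin account. $DcName / $Cred are placeholders you supply.
function Repair-MachineTrust {
    param(
        [Parameter(Mandatory)][string]$DcName,          # a healthy DC, not a reverted one
        [Parameter(Mandatory)][pscredential]$Cred       # domain account allowed to reset the computer password
    )

    # Step 1: only touch the account if the secure channel really is broken.
    if (Test-ComputerSecureChannel -Server $DcName -ErrorAction SilentlyContinue) {
        return [pscustomobject]@{ Computer = $env:COMPUTERNAME; WasBroken = $false; RepairedOk = $true }
    }

    # Step 2: reset the machine account password on the named DC (same effect as the netdom line above).
    Reset-ComputerMachinePassword -Server $DcName -Credential $Cred

    # Step 3: re-test; if the channel is still down, let -Repair re-establish it.
    $ok = Test-ComputerSecureChannel -Server $DcName -ErrorAction SilentlyContinue
    if (-not $ok) {
        $ok = Test-ComputerSecureChannel -Server $DcName -Repair -Credential $Cred
    }

    [pscustomobject]@{ Computer = $env:COMPUTERNAME; WasBroken = $true; RepairedOk = [bool]$ok }
}

# Usage (interactive prompt for the domain credential):
# Repair-MachineTrust -DcName 'DC01.example.local' -Cred (Get-Credential 'EXAMPLE\admin')
```

Because the reset writes a new password to the DC you name, it only helps if that DC replicates normally afterwards; doing this against the reverted DC before it has resynced just moves the mismatch elsewhere.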
I installed KB5009719 (.NET security rollup) on my Win7 box last week and it broke the AVIdemux video software somehow.
Upgrade from v2.7 to v2.8 didn't help, but rolling back the update fixed things.
If only I could get Media Companion to run via Wine (developer says it can't be done) then I could jump ship to Mint full time and be done with this. Oh, and on another box where I'm having to do a reinstall, the copy of Office 2010 that I paid for refuses to activate - WTF? It may be out of support, but I bloody paid for it and I sure as hell won't be taking out a 365 (ymmv) subscription as an alternative.
I've used only linux for almost 20 years now, and in IT consulting have to exchange files regularly with clients that of course only use MS Office. OpenOffice worked well enough mostly, and now with current LibreOffice have almost no issues with import/export of native docx/xlsx files. Of course MS Office supports native odt and ods files for Word/Excel native import, which works well too, and so does even 365 online word/excel.
Give it a try, I think you'll be pleasantly surprised these days. The great equalizer is export to pdf if nothing else, which I tend to do for formal docs anyways.
If you have applied service pack 2 to Office 2010, you can't activate using the applications.
You need to enter the serial number in the application, then from an elevated (admin) command prompt
CD "C:\Program Files (x86)\Microsoft Office\Office14"
cscript ospp.vbs /act
Got to catalogue shopping though..
https://support.microsoft.com/en-gb/topic/kb5010797-out-of-band-update-for-windows-server-2012-january-17-2022-1f14f497-8404-404d-8d78-0c962c9e486d
https://support.microsoft.com/en-gb/topic/kb5010794-out-of-band-update-for-windows-8-1-and-windows-server-2012-r2-january-17-2022-a92500fb-f227-400e-b70e-f7dd50386fd3
About fifteen years ago, Borkzilla was famous for teaching us to wait for v1.1 - it looks like today's new generation of admins need to update their training courses.
NEVER install a Borkzilla patch the day it comes out. Wait a few days. Find out what the feedback is.
It's incredible that people just blindly go and update their business-critical software when Borkzilla has publicly recognized that it has no more Q&A department.
HELLO ?! YOU ARE THE TESTERS.
If you want to risk your network, go ahead, but don't come back griping about how the latest "patch" borked your network.
Live and learn.
Lovely sentiment. I used to wait too but unfortunately Win10 loves to just install updates and restart on its own. Even where I've taken measures to prevent it, I'll come in and find my office PC has restarted on a whim.
So for your average punter, they are doomed to suffer this fate until the year of the Linux desktop (are we still expecting it to happen?)
This one took a little too long though. Patches issued on Tuesday, tested, no problems seen in our environment, updates pushed to next test machines over the weekend. Discover on Monday there's an out-of-band patch that compromises your testing strategy, even if no adverse effects were actually seen.
My son is a teacher at an elementary/middle (4th~6th grades) school & has been venting his frustrations about just how bad Win10 has been.
"Win 10 ate my homework" is no longer a potential excuse, it's a *legit* reason for students not to have an assignment, teachers to be unable to grade/issue assignments, or even to create lesson plans in the first place.
His school has an IT department, but it's one guy for the physical network & one for the software. Keeping all 1,000+ machines updated means that *one* person is being driven to either an early retirement or possibly an early grave. Having all of those freshly updated machines simultaneously fall over for the exact same supposed MS "fix" means that poor sob is probably crying into his beer at the mere thought of having to re-patch all those just-patched machines.
I felt vindicated on one hand, sad as hell on the other, when the boy said "Now I understand why you're still using Win7, Dad. This ((Win10)) shit sucks balls."
=-(
Just in time for the next update that destroys more than it fixes. Job security for some; insanity for the rest. Always waiting 7-10 days for my Home Premium Win7 updates. Hoping borks are noticed & updates updated before I download & install.
Yes. Security be damned until then. My own security is great. No negative results from waiting for last 15 years. And no change in my zero trust of M$ in those years either. Will use Win7 until I absolutely cannot. Then will convert 100% to Linux/Ubuntu. Already running & using as my backup for backups to M$...
Sounds like the school is doing it the hard way. Before COVID we had 400+ school owned and managed Microshaft machines, and run a WSUS server to control the updates. No problems.
Since COVID we've gone all BYOD, and blocked the BYODs from doing updates via our WiFi to preserve bandwidth on the internet line. To be honest in 18 months I haven't seen any Update issues on those devices, the biggest problem is the kids installing iffy VPN solutions to get around daddy's blocks on certain sites, and the PC not reconnecting to the school network on Monday morning. - The windows 10 Network reset button is your friend here :-)
Guess everyone must bow to progress eventually. My Win7 is 32/64 bit with 64 bit in charge. Beats using a legal pad for all of that data storage. 1Tb SSD with 16 gigs of ram. Trying to outrun M$ OSes as hard as possible. Linux/Ubuntu are my future. NOT M$ 10 or 11... Too old & tired to deal with anything M$ calls "new & better".
...the company's approach to testing has thus far remained reassuringly consistent.
I am thinking a bit ahead, and warned our TQM and Dev department - we may have to look at the feasibility of going 100% over to Linux for our products, as we can standardize on a specific Linux distro, and lock it down the way we want it...
...and only allow patches on a strictly controlled basis.
This update issue will cause some major grief sooner or later...
Heck, even NT4 with SP6 is looking better and better, we never had any issues with NT4SP6 back in the day... but that is our very, very very last resort.