Windows – killyvehy

Cannot install Roles & Features (Windows 2016)

Error
Sometimes when building a Domain Controller The new roles will not install and you’ll get the error below
The referenced assembly could not be found. Error: 0x80073701

Log
Navigate to C:\Windows\Logs\CBS\CBS.log and search for STATUS_SXS_ASSEMBLY_MISSING

Quick fix
Get a new image and start over

Geek Way
Run these commands at elevated cmd

Dism.exe /Online /Cleanup-Image /CheckHealth
Dism.exe /Online /Cleanup-Image /ScanHealth
Dism.exe /online /cleanup-image /analyzecomponentstore
Dism.exe /Online /Cleanup-Image /restoreHealth
sfc.exe /scannow
powershell.exe “Get-TroubleshootingPack -path C:\Windows\diagnostics\system\WindowsUpdate | Invoke-TroubleshootingPack

If that doesn’t work get a new image

Enable Windows Debug Logs

Netlogon Debug Log
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters] “DBFlag”=dword:2080ffff (hexadecimal value)
Then open a cmd and type net stop netlogon && net start netlogon to enable the debugging mode. The Debug logging writes to C:\Windows\Debug\netlogon.log

Winlogon.Log
After fresh installation of Windows Server domain controller you could see that you have no winlogon.log file which is useful to debugging AD GPO’s.
For example when you need to troubleshot SceCli events. Event ID 1202 tells you to use: FIND /I “Cannot find” %SYSTEMROOT%\Security\Logs\winlogon.log

To create it, go to regedit and go to following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}
Click the key ExtensionDebugLevel and enter 2 as a Data.

After refreshing AD policies with GPUpdate you should see your winlogon.log file

“User profile was not loaded correctly” – TEMP profile created on logon

Log on as different user. Make sure the different user account is a administrator (added to the Administrators group).
Open Windows Explorer and open C:\Users. Delete the directory of “problematic” user profile and “Temp” directory, it may or may not exist.
Run the registry editor (RedEdit.exe)
Go to the following location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
You need to find the correct SID and delete it. To make sure you are deleting the right one, check the key ProfileImagePath which has the profile path. Delete the .bak key as well.
Reboot the computer and logon on as the user as before.

Batch Script: Check Bitlocker is Enabled

echo off

echo %computername% %date% %time% >> “\\fs1-software\software\windows7\powershell\bitlocker\Bitlocker.txt”

echo starting bitlocker check

manage-bde -status c: >> “\\fs1-software\software\windows7\powershell\bitlocker\Bitlocker.txt”

echo bitlocker check complete

Pause