Inaccessible Boot Device after Windows Server 2012 R2 KB2919355

Earlier on this week, I finally got around to spending a bit of time towards building my home lab. I know it’s late because I started this project back in February but you know how it is.

On the servers, I am installing Windows Server 2012 R2 with Update which for the uninitiated is KB2919355 for Windows Server 2012 R2 and Windows 8.1. This is essentially a service pack sized update for Windows and includes a whole host of updates. I am using the installation media with the update integrated to same me some time with the updates but also because it’s cleaner to start with the update pre-installed.

The Inaccessible Boot Device Problem

After installing Windows Server 2012 R2, the machine starts to boot and at the point where I would expect to see a message along the lines of Configuring Devices, the machine hits a Blue Screen of Death with the message Stop 0x7B INACCESSIBLE_BOOT_DEVICE and restarts. This happens a few times before it hangs on  a black screen warning that the computer has failed to start after multiple attempts. I assumed it was a BIOS problem so I went hunting in the BIOS in case I had enabled a setting not supported by my CPU or maybe I’d set the wrong ACHI or IDE mode options but everything looked good. I decided to try the Optimized Defaults and Failsafe Defaults options in the BIOS, both of which required an OS re-install due to the AHCI changes but neither worked.

After this I was worried there was either something wrong with my hardware or a compatibility issue with the hardware make-up and I was going to be snookered however after a while of searching online, I found the solution.

KB2919355 included a new version of the storage controller driver Storport. It transpires that this new version of Storport in KB2919355 had an issue with certain SCSI and SAS controllers whereby if the controller device driver was initialized in a memory space beyond 4GB then it would cause the phyiscal boot devices to become inaccessible. This problem hit people who installed the KB2919355 update to previously built servers at the time of release as well as people like me, building new servers with the update slipstreamed. My assumption is that it’s caused by the SCSI or SAS controller not being able to address 64-bit memory addresses hence the 4GB limitation.

The problem hits mainly LSI based SCSI and SAS controllers based on the 2000 series chipset, including but by no means limited to the LSI SAS 2004, LSI SAS 2008, LSI MegaRAID 9211, Supermicro SMC 2008, Dell PERC H200 and IBM X240 controllers. In my case, my Supermicro X8DTH-6F motherboards have the Supermicro SMC 2008 8 Port SAS controller onboard which is a Supermicro branded edition of the LSI SAS 2008 IR controller.

The workaround at the time was to disable various BIOS features such as Intel-VT, Hyperthreading and more to reduce the number of system base drivers that needed to load, allowing the driver to fit under the 4GB memory space but eventually the issue was confirmed and a hotfix released however installing the hofix is quite problematic when the system refuses to boot. Luckily, we can use the Windows installation media to fix the issue.

Microsoft later released guidance on the workaround to use BCDEdit from the Windows Recovery Environment (WinRE) to change the maximum memory.

Resolving the Issue with KB2966870

Workarounds aside, we want to fix the issue not gloss over or around it. First off, download the hotfix KB2966870 which is a hotfix by request so you need to enter your email address and get the link emailed to you. You can get the update from https://support.microsoft.com/kb/2966870. Once you have the update, you need to make it available to your server.

If your Windows Server 2012 R2 installation media is a USB bootable stick or drive then copy the file here. If your installation medium is CD or DVD then burn the file to a disc.

Boot the server using the Windows Server 2012 R2 media but don’t press the Install button. From the welcome screen, press Ctrl + F10 which will open a Command Prompt in Administrator mode. Because of the Windows installation files being decompressed to a RAM disk, your hard disk will have likely been mounted on D: instead of C: but verify this first by doing a dir to check the normal file structure like Program Files, Users and Windows. Also, locate the drive letter of your installation media which will be the drive with your .msu update file on it.

Once you have found your hard disk drive letter and your boot media letter, we will use the following DISM command to install the update using Offline Servicing:

Dism /Image:[Hard Disk]:\ /Add-Package /PackagePath:[Install Media]:\Windows8.1-KB2966870-x64.msu

Once the command completes, exit the Command Prompt and exit the Windows Installation interface to restart the computer. In my case, I had to restart the computer twice for the update to appear to actually apply and take effect but once the update had been taken on-board, the machine boots without issues first time, every time. You can verify that the update has been installed with the View Installed Updates view in the Windows Update Control Panel applet.

KB2992611 Winshock Update and the Broken Cipher Suites

Last week, Microsoft released an update under KB2992611 in response to a security bulletin MS14-066 to address a flaw in SChannel reported to Microsoft. As part of KB2992611, Microsoft not only patched the flaw in SChannel but they also added four new encryption cipher suites. The suites added were as follows:

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256

Although it was a nice gesture to add some new cipher suites to Windows, there was a knock on effect to installing KB2992611 and adding these new cipher suites as it appears that Google Chrome for one, possibly more browsers depending on the version you have, do not accept these ciphers and the addition would cause browsers to fail to connect to websites and causing TLS sessions to be dropped. There are also other issues although less widely reported about the installation of KB2992611 causing SQL and ODBC based data connections within applications to drop dramatically in performance.

To address the problem, Microsoft have re-released KB2992611 with KB3018238 which is a secondary update which changes the default state of these new ciphers to disabled. It’s important to note that disabling the new ciphers does not remove the fix for the vulnerability in SChannel which is addressed by the original hotfix. Some people are suggesting uninstalling KB2992611 to workaround the issue but doing this will open the SChannel vulnerability again. After hearing conversations about these updates today, there is much confusion about the situation. Microsoft have not pulled KB2992611 and replaced it with KB3018238 but they have instead added KB3018238 as a secondary update. This is in contrast to replacing the update with a version 2 release which is commonplace when there are issues with updates.

If you have already installed KB2992611, you will be offered KB3018238 via Windows Update. Installing KB3018238 will disable the four new cipher suites by default to restore compatibility however you will have the option to re-enable them if you wish via the normal means for editing and selecting cipher suites. The fix for SChannel will remain in place. If you have not yet installed KB2992611, then via Windows Update, you will see KB2992611 advertised as an update for installation but upon installation, both KB2992611 and KB3018238 will be installed and both will be listed in the View Installed Updates pane in Control Panel. In this case, you will have both the cipher suites disabled and that SChannel vulnerability patched.

If you are having issues with SQL Server or ODBC connection based applications, there is no fix for this problem currently and the solution to this is community opinion to remove the previously installed KB2992611 which appears to restore order to the force. Hopefully Microsoft will address whatever the underlying issue with SQL Server and ODBC and the interaction with this fix to SChannel in future update.

In addition to KB3018238 to fix the issues with SChannel, Microsoft yesterday released two other updates. KB3011780 has been released to address a flaw in Kerberos which effects the Key Distribution Center (KDC). This is a service which runs on Domain Controllers so this update is considered critical. Another update under KB3000850 has been released as a November 2014 Rollup Update for Windows 8.1 and Windows Server 2012 R2. This rollup includes all previously released updates for the operating systems and includes the KB2992611 but it is not clear whether it includes the original release of KB2992611 or KB2992611 and the secondary KB3018238 update.

To download KB2992611 with the secondary update KB3018238 visit http://support.microsoft.com/kb/2992611. For the Kerberos update KB3011780 visit http://support.microsoft.com/kb/3011780 and lastly, for the November 2014 Rollup Update, visit http://support.microsoft.com/kb/3000850.

Friends in the 21st Century

I’m known for liking to have a good old moan about things and I’m also known for being a bit old fashioned in my ways and values despite my age. I don’t normally get involved in talking about that part of me on my blog as I like to keep it technical here but when something overlaps into technology, it’s hard not to get it out there.

When I was growing up, we had friends and friends were people who you went out with and socialised together, people who you’d call on the phone to see how they were doing or how their life was going. Now, in the year 2014, what on earth has happened to the concept of friends? Did the old definition get completely unwritten and nobody told me? I checked the Oxford dictionary and the definition for the noun friend reads as follows:

A person with whom one has a bond of mutual affection, typically one exclusive of sexual or family relations

The synonyms show you that a friend is someone close to you with words like intimate, confidante, soul mate and brother or sister given and Oxford tells us that the origins of the word friend are Germanic and the meaning ‘to love’.

Just this weekend, I met someone at a party and I spent no more than fifteen minutes sum total time talking to said individual. I didn’t dislike him at all so there’s no problems there, but does meeting a stranger at a party and spending net fifteen minutes with them really constitute a friendship these days and how does that effect the things that we should be holding closest and dearest to us?

On Facebook right now, I have 60 friends. All of these people are either family or friends who are actually people that I am some-which-way interested in hearing from or actually care to read what they have to say (although I do wish sometimes that I could unfriend some people for the amount of share this and look at rubbish they post).

I did a straw poll on Twitter earlier today and granted, my follower base isn’t particular large and those who do follow me are going to be biased to me in a like minded sense, but both of the people who responded said the same thing: they only friend with people on Facebook who they actually know so why are a lot of people out there so willing to throw friend invitations on Facebook around like sweets and confetti? Surely a friendship on Facebook should be something reserved for the people who you actually hold in that esteem? Not only does having a mammoth collection of friends clutter your News Feed with information and status updates that you largely are going to ignore and not care about, but you are also exposing yourself to people who you don’t really know. Not that I am trying to victimise her in this post, but my wife has currently, 320 friends on Facebook and whilst she definitely has a wider circle of friends and people she interacts with more people than me, is it really five times greater than mine or is she collecting friends for the sake of it (bearing in mind here that she accepted the friend request from the same person I received an invitation from at the weekend)?

Facebook Contact Privacy Settings

I took a couple of screenshots of my Contact Info page from my Facebook profile earlier today and overlayed them on top of each other so that I can show the whole scene in one picture. As you can see from the picture, my contact information shared with friends and this includes my mobile and home phone number, my home address and although not shown (as it’s further down the page beyond the fold) my email address is also shared with friends.

I know that the protagonist amongst you will say that you can customise this and change who can see your information but that then brings its own questions. Firstly, who actually thinks about what that person might be able to see before accepting the friend request in that the decision to accept or decline for most has probably become a reflex action and secondly, what are the privacy options if you wanted to limit that persons access to your information? I took a look at the privacy options for my phone number and the choices are Friends of Friends, Friends, Only Me or Specific People.

Friends of Friends is just utter lunacy. Why would I want to share my phone number with the friends of my friends when I have no control over who they friend in turn? Friends Only is a logical option and Only Me defeats the purpose of adding the information to your profile in the first place. Specific People is the ideal option if you are a bit of a friend collector or very privacy conscious but who really is going to remember to after accepting that friend request, go and edit the list of people who are allowed or denied to see your information? What’s more, I highly suspect that this isn’t a setting which you can edit from the mobile applications which makes it hard to administer the value too.

Contact information and information about where you live, your email address and other personal data nuggets are important pieces of personal information, Personally Identifiable Information (PII) as the world has come to know it and this information should be protected at all costs, not made available to somebody at the acceptance of a friend request. If the Facebook account of somebody in your friends list was hacked, then your information could become part of the next wave of phishing scam or telephone nuisance.

Aside from the PII though, there is the day to day aspect of do you actually want to see what said individual is posting status messages about or do you want to know what they liked and shared and the answer is most likely probably not, especially if you are already dealing with a high volume of News Feed clutter already. The side of this issue is more personal and the response will vary from person to person according to how much of their lives they want to publicise, but do I want people who I only know in the most lose of senses to know what I am doing and do I want my status updates appearing in their News Feed? If I post a message that I’m having a great day out with my kids because I want to share the fact that I’m having a great time, enjoying a day with my family, how do I know that I only met for fifteen minutes isn’t a professional crook and now armed with knowledge that I am out for the day with my kids and my home address, isn’t going to come and burgle my house for all my prized, hard earned possessions and the blunt answer is that you don’t know these things because the people you friend on Facebook, you probably don’t know enough about them to make that judgement call.

For all my rambling in this post, the crux of the issue for me is that the definition of friends seems to have negatively evolved as social media has made people far more accessible to other people. I think that it is a good thing is many respects as it allows us to connect with people that they care most about in ways that they couldn’t have done previously and people in this category are truly the real friends in life. On the other side though, I also think that there is a high degree of over-sharing that goes on and people, people are making their lives too publicly accessible for the consumption of those that they barely know at all and they aren’t considering the implications of clicking that little blue accept button before they do it which not only means each time you look at Facebook you have to wade through the endless scrolling page of tripe to reach the good stuff and consequentially wasting your own time, you are also exposing yourself and your information to people. If I wouldn’t give somebody I met at a party my phone number, why would I connect with them as a friend on Facebook because they are tantamount to the same thing.