IT Consultant Everyday Notes

Just some problems/solutions storage

SCCM 2012: Application Catalog WebService Point failed with “Parameter set cannot be resolved using the specified named parameters.”

 

I tried to install the above-mentioned role using PowerShell. I followed the Microsoft example letter by letter, but it still failed with a nasty PowerShell error: “Parameter set cannot be resolved using the specified named parameters.”

Finally I found a spreadsheet on http://www.google.ca/url?sa=t&rct=j&q=&esrc=s&source=web&cd=5&cad=rja&uact=8&ved=0CDYQFjAE&url=http%3A%2F%2Fcm12sdk.net%2F%3Fwpdmact%3Dprocess%26did%3DMTQuaG90bGluaw%3D%3D&ei=ZVvBVMLiMIacyAT174JY&usg=AFQjCNG9mVW1L-nWqtbI813UbYzrFKCXlQ&bvm=bv.83829542,d.aWw and put the parameters EXACTLY in the order mentioned there. (I know, it is crazy.) Surprisingly, the cmdlet works now.

Azure Automation: Send Email from Azure Automation Script via GMAIL

I am working with Azure Automation scripts. One of them stops all my Lab VMs after working hours to save some money. The script is based on one from the Automation Gallery, but I wanted to add a notification feature.

There are several posts about using O365 for this, but I do not think it is a good idea since O365 is not free.

I tried Outlook.com (AKA Hotmail) first, trying to stick with the Microsoft platform, but did not have any success (authentication kept failing for me). So, the second choice was Gmail.com. From some posts I understood that Azure does not have the root certificates from the Gmail CA and the SSL connection does not work. To work around the issue I downloaded the Google root certificate and created a Certificate Asset in the Automation console.

Interestingly enough, I do not need to use it in my script; apparently its mere existence is enough.

Here is the script that checks whether all machines are in the Stopped (Deallocated) state and sends an email otherwise. The script uses a PS Credential Asset, ‘Azure Credentials’, and my MSDN Platform subscription.

I created a test account at Gmail, azure.automation.service@gmail.com, and added an Automation Asset (PS Credentials) named “Gmailcreds” that holds the Gmail user name and password, so the user name and password do not have to be put in the script.

workflow test-mail
{
   # Credentials come from Automation Assets, so no password is stored in the script
   $Cred = Get-AutomationPSCredential -Name 'Azure Credentials'
   $Gmailcreds = Get-AutomationPSCredential -Name 'Gmailcreds'
   Add-AzureAccount -Credential $Cred
   Select-AzureSubscription -SubscriptionName "MSDN Platforms"
   $vms = Get-AzureVM
   $ss = ""
   # Collect every VM that is not in the StoppedDeallocated state
   ForEach ($vm in $vms) {
      if ($vm.Status -ne "StoppedDeallocated") { $ss = $ss + $vm.Name + " - " + $vm.Status + "`r`n" }
   }
   # Send the alert only when at least one VM is still allocated
   if ($ss -ne "") {
      $mail_body = 'Attention! One or more VMs are in a state other than "Stopped (Deallocated)"' `
      + "`r`n" + $ss
      # Port 587 with -UseSsl: the SMTP session is upgraded to TLS before the credentials are sent
      Send-MailMessage -SmtpServer smtp.gmail.com -Port 587 -Credential $Gmailcreds `
         -UseSsl -From 'azure.automation.service@gmail.com' -To 'alex.ignatenko@onx.com' `
         -Subject 'Alarm: Azure Automation - Running VM!' -Body $mail_body
   }
}

This script can be added to a schedule to run every night.

Server 2003: Migration to Azure

In my test Lab I migrated a Server 2003 VM to the Cloud. As a matter of fact, it is not enough just to copy the VHD to Azure using the

Add-AzureVhd [-Destination] <Uri> [-LocalFilePath] <FileInfo> [[-NumberOfUploaderThreads] <Int32> ] [[-BaseImageUriToPatch] <Uri> ] [[-OverWrite]] [ <CommonParameters>]

command in Azure PowerShell.

It is also necessary to add the copied disk to the inventory using:

Add-AzureDisk [-DiskName] <String> [-MediaLocation] <String> [-Label <String> ] [-OS <String> ] [ <CommonParameters>]

In my case the script looks like this: [screenshot not preserved]

The information was found in Sandrino’s blog here: http://fabriccontroller.net/blog/posts/migrating-your-windows-server-2003-workloads-to-microsoft-azure/

Lync: Script: Get-CsConnections.ps1 – See User Connections, Client Versions, Load Balancing in Lync Server

An old script, but I never saw it before for some reason. It allows seeing client versions and user distribution per Front-End Server. I use it during FE updates, to be sure there is no user connected to an updated FE.

original is here


Windows 8.1: Disable first logon animation

Raphael Perez published a reg key to disable the animation. It can be distributed as an SCCM package during OSD:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableFirstLogonAnimation"=dword:00000000

The command line that Raphael used was as follows …

regedit.exe /S Disable_First_Run_Animation.reg

Full article

Windows 10: Upgrade Windows 7 SP1 to Windows 10 Preview

 

Aaron Czechowski published a useful post about the subject:

http://blogs.technet.com/b/configmgrteam/archive/2014/10/29/how-to-upgrade-to-win-10-using-the-task-sequence-in-sc-2012-r2-configmgr.aspx

Step-by-Step process is described here

PKI: Private Key Export failed during CA migration

I am currently leading a project for PKI migration from 2003 Servers to 2012 R2.

ISSUE: During migration of one of the CAs, I observed an error when I tried to restore a Private Key saved on an old CA to the new CA.

 

The error said: Import private key: Active directory certificate services setup failed with the following error: Cannot find object or property. 0x80092004 (-2146885628 crypt_e_not_found)

RESOLUTION: I checked the machine local storage and found the old CA certificate there (without Private Key). The certificate was installed by GPO. I deleted the certificate and retried the Private Key import from the CA installation wizard (where it failed). This time the cert was imported successfully.

SCCM 2012R2: Manage CentOS 7.0 Clients

SCCM: Updates published via SCUP fail with Error = 0x800b0109

System Center Update Publisher (SCUP) is a nice mechanism to deploy third-party updates via SCCM. SCUP implementation is well documented, for example here by Kent Agerlund.

One of the requirements is allowing the Update Client to install updates signed by a “Trusted Publisher”, in our case SCUP.

Without that, third-party update deployment will fail at the “Preparing for installation” step, and you can see the above-mentioned error in the “Details” section of the error in the GUI and in WUAHandler.log.

For domain-joined machines it is pretty easy and can be done via GPO as described by Microsoft: here. But you cannot do that for workgroup/DMZ machines.

One of the workarounds is creating a package with a registry modifier and deploying it. Or you can use Compliance Settings, introduced in SCCM 2012 (an improved Desired Configuration Management from SCCM 2007), to let SCCM remediate the setting if a machine is not compliant.

For that, first create the registry setting we plan to monitor on the SCCM server (if it is not present).

Next, create a new Configuration Item under the Compliance Settings node.

Leave the defaults for Supported Platforms and create a setting to monitor (use Browse to navigate to the registry setting we created earlier).

On the Compliance Rules tab, add an additional rule and allow remediation for it.

You should have two rules as a result.

Finish the new CI wizard, create a new Baseline and add the CI to it (alternatively, you can add the new CI to one of your existing CIs).

Finish the New Baseline wizard and deploy the Baseline to a collection (I use All Desktop and Server Clients).

Members of the collection should receive the new Baseline on the next Machine Policy refresh.

Test: on one of the clients, set the registry setting to 0.

Now go to the SCCM Client on that machine and re-evaluate the baseline.

The client should find the non-compliance and remediate it (since remediation was allowed in the CI and the Deployment). Check the registry setting; it should be 1 now.

Third-party updates should be installed successfully now.
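The same check can be run by hand on a workgroup/DMZ client. This is an added example, not part of the original post: it assumes the monitored setting is AcceptTrustedPublisherCerts under the Windows Update policy key, and it also checks the SCUP signing certificate (placeholder thumbprint), because 0x800b0109 is the "root certificate not trusted" error and the registry value alone does not make the signer trusted.

```powershell
# Added example: read-only trust check for a SCUP-managed client. Changes nothing.
# Assumption: the setting monitored by the CI is this DWORD value.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$ValueName  = 'AcceptTrustedPublisherCerts'
# Placeholder: replace with the thumbprint of your own SCUP signing certificate.
$ScupThumbprint = '<SCUP-SIGNING-CERT-THUMBPRINT>'

function Test-ScupClientTrust {
    param([string]$Thumbprint)

    $result = [ordered]@{
        PolicyEnabled      = $false
        InTrustedPublisher = $false
        ChainValid         = $false
    }

    # 1. Registry policy: a missing key or value counts as non-compliant.
    $value = (Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    $result.PolicyEnabled = ($value -eq 1)

    # 2. The signing certificate must be in the machine Trusted Publishers store.
    $cert = Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
        Where-Object { $_.Thumbprint -eq $Thumbprint } |
        Select-Object -First 1

    if ($cert) {
        $result.InTrustedPublisher = $true
        # 3. Build the chain. Build() returns $false when the root is untrusted
        #    (the 0x800b0109 condition), and also when the certificate is expired
        #    or the chain is incomplete. Revocation is skipped for offline hosts.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $result.ChainValid = $chain.Build($cert)
    }

    [pscustomobject]$result
}

$state = Test-ScupClientTrust -Thumbprint $ScupThumbprint
$state | Format-List
if ($state.PolicyEnabled -and $state.InTrustedPublisher -and $state.ChainValid) {
    'Compliant'
} else {
    'NonCompliant'
}
```

If PolicyEnabled is True but ChainValid is False, the baseline has done its part and the remaining gap is certificate distribution to that client.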


SCOM: SNMP Configuration

Truesec company sends useful newsletters.

One of the latest (Sept 25th, 2014) contains advice related to SNMP monitoring with SCOM (by Kare):

The right way of Network Monitoring in SCOM 2012R2

Monitoring Network devices in SCOM 2012R2 is plain simple but unfortunately has a kind of bad reputation. Let me try to clear things out.

You do NOT have to install any SNMP features from Microsoft nor start any SNMP trap service.

This is a common misunderstanding, and unfortunately even a lot of blogs and books around state you should install SNMP = Don’t. Please just create a discovery and then your Microsoft Monitoring Service (Healthservice.exe) begins listening and using port UDP: 161, 162 (bi-dir) and ICMP as well. This works without installing anything else than SCOM 2012 R2.

Monitoring Netapp, HP and Dell with Windows SNMP

In some situations of HW monitoring the Monitor agent/Proxy only works with Microsoft Windows SNMP; then you need to install Microsoft SNMP on the box that communicates with Netapp/HP/Dell. In this case, either dedicate a Management Server to a Resource Pool and let this Pool take care of the HW SNMP or dedicate a “Machine” to act as a proxy. Otherwise, you end up having two SNMP/ICMP interfaces receiving information, not exactly knowing who is taking care of what.

So two things to remember – Do not install any SNMP, and if monitoring HW that needs Windows SNMP – keep it away from the Management Server or create a dedicated Resource Pool.

//Kare
