IT Consultant Everyday Notes

Just some problems/solutions storage

SCCM 2012R2: Manage CentOS 7.0 Clients

SCCM: Updates published via SCUP fail with Error = 0x800b0109

System Center Update Publisher (SCUP) is a nice mechanism for deploying third-party updates via SCCM. SCUP implementation is well documented, for example here by Kent Agerlund.

One of the requirements is allowing the Update Client to install updates signed by a “Trusted Publisher” (in our case, SCUP).

Without that, third-party update deployment will fail at the “Preparing for installation” step, and you can see the above-mentioned error in the “details” section of the error in the GUI and in WUAHandler.log.

 

For domain-joined machines this is pretty easy and can be done via GPO, as described by Microsoft here, but you cannot do that for workgroup/DMZ machines.

One workaround is to create a package with a registry modifier and deploy it, or you can use Compliance Settings, introduced in SCCM 2012 (an improved Desired Configuration Management from SCCM 2007), to let SCCM remediate the setting if a machine is not compliant.

For that, first create the registry setting we plan to monitor on the SCCM server (if it is not present).

Next, create a new Configuration Item under the Compliance Settings node:

Leave the defaults for Supported Platforms and create a setting to monitor (use Browse to navigate to the registry setting we created earlier).

Under the Compliance Rules tab, add an additional rule and allow remediation for it.

You should have two rules as a result.

Finish the new CI wizard, create a new Baseline and add the CI to it (alternatively, you can add the new CI to one of your existing CIs).

Finish New Baseline wizard and deploy the Baseline to a collection (I use All Desktop and Server Clients)

Members of the collection should receive the new Baseline on next Machine Policy refresh

Test: on one of the clients, set the registry setting to 0.

Now, go to SCCM Client on that machine and re-evaluate the baseline

The client should find the non-compliance and remediate it (since remediation was allowed in the CI and the deployment). Check the registry setting; it should be 1 now.

Third-party updates should be installed successfully now.
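
A scripted version of the same check and remediation, for verifying a workgroup/DMZ client by hand. This is an added example, not code from the original post; the function names are hypothetical. It assumes the monitored setting is the Windows Update policy value AcceptTrustedPublisherCerts, since the post shows the setting only in a screenshot.

```powershell
# Added example, not from the original post.
# Assumption: the monitored setting is the Windows Update policy value below.
$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$Name = 'AcceptTrustedPublisherCerts'

function Get-TrustedPublisherSetting {
    # Returns the DWORD value, or $null when the key or the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $item.$Name
}

function Test-TrustedPublisherSetting {
    # Mirrors the two CI rules: the value must exist AND must equal 1.
    # A missing value and a value of 0 are both non-compliant.
    (Get-TrustedPublisherSetting) -eq 1
}

function Set-TrustedPublisherSetting {
    # Remediation: create the policy key if needed, then force the value to 1.
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value 1 -Force |
        Out-Null
}

# Report only; call Set-TrustedPublisherSetting from an elevated session to fix.
if (Test-TrustedPublisherSetting) { 'Compliant' } else { 'NonCompliant' }
```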

SCOM: SNMP Configuration

Truesec company sends useful newsletters.

One of the latest (Sept 25th, 2014) contains advice related to SNMP monitoring with SCOM (by Kare):

The right way of Network Monitoring in SCOM 2012R2

Monitoring network devices in SCOM 2012R2 is plain simple but unfortunately has a kind of bad reputation. Let me try to clear things up.

You do NOT have to install any SNMP features from Microsoft nor start any SNMP trap service.

This is a common misunderstanding, and unfortunately even a lot of blogs and books state that you should install SNMP. Don’t. Please just create a discovery and then your Microsoft Monitoring Service (Healthservice.exe) begins listening on and using ports UDP 161, 162 (bi-dir) and ICMP as well. This works without installing anything other than SCOM 2012 R2.

Monitoring Netapp, HP and Dell with Windows SNMP

In some situations of HW monitoring the Monitor agent/Proxy only works with Microsoft Windows SNMP; then you need to install Microsoft SNMP on the box that communicates with Netapp/HP/Dell. In this case, either dedicate a Management Server to a Resource Pool and let this Pool take care of the HW SNMP or dedicate a “Machine” to act as a proxy. Otherwise, you end up having two SNMP/ICMP interfaces receiving information, not exactly knowing who is taking care of what.

So two things to remember – Do not install any SNMP and if monitoring HW that needs Windows SNMP – keep it away from the Management Server or create a dedicated Resource Pool.

//Kare

MDT: Install Windows 10

 

Windows 10 installation miserably fails with MDT 2013 (dism is not compatible). An unsupported workaround is here

SCCM 2012: SCUP cannot create self-signed certificate when installed on Windows Server 2012 R2

 

When you install System Center Update Publisher (SCUP) 2011 on Server 2012 R2, you cannot create a self-signed certificate. This is by design, since WSUS 4.1 shipped with Server 2012 R2 does not support issuing self-signed certificates. More on this subject is here.

Workaround: Generate a certificate from an internal certificate authority (CA) as described in “System Center Updates Publisher Signing Certificate Requirements & Step-by-Step Guide”.

SCUP Support Statement update is here

 

UPDATE: The WSUS team published a workaround describing how you can re-enable the old behaviour. There is a note, though, saying the self-signed API is considered obsolete and can be removed at any moment.

PowerShell: PowerShell ISE stopped working

Issue: PowerShell ISE stopped working. The following error pops up:

The application cannot start because it could not access the user settings file: ‘C:\Users\USERNAME\AppData\Local\Microsoft_Corporation\powershell_ise.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\user.config’

Resolution: I renamed the file on the path indicated in the error and ISE recreated one on the next start

 

Original solution was found here

SCCM 2012: OSD Windows 8 : First logon fails with "The universal unique identifier (UUID) type is not supported"

When you deploy Windows 8/8.1 using SCCM 2012/2012 R2 the first logon fails with abovementioned error.

Microsoft has a KB about that: http://support.microsoft.com/kb/2976660 describing two workarounds. The easier way is to force a reboot at the end of TS using SMSTSPostAction variable in the TS set to “shutdown /r /t 0”

SCCM 2012: Certificate requirements

Lync: Wireshark and Netmon plugins for STUN troubleshooting on Lync Edge server

James Cussen published a useful plugin for the Wireshark network analyzer. You can also use Microsoft Network Monitor; it has a Lync plugin pack too.

 

Wireshark plugin: http://www.mylynclab.com/2014/05/microsoft-lync-wireshark-plugin.html

 

Microsoft NetMon Lync plugin pack: http://www.microsoft.com/en-us/download/details.aspx?id=22440

Lync 2013: Front end server start fails

One of my Lync 2013 FE did not start after update to August 2014 CU.

The error pointed to certificate:

 

Event Id: 14397:

A configured certificate could not be loaded from store. The serial number is attached for reference.

Extended Error Code: 0x800B0109(CERT_E_UNTRUSTEDROOT).

—————————————————————————————————

Event Id 14646:

A serious problem related to certificates is preventing Lync Server from functioning.

Unable to use the default outgoing certificate.
Error 0x800B0109(CERT_E_UNTRUSTEDROOT).
The certificate may have been deleted or may be invalid, or permissions are not set correctly.
Ensure that a valid certificate is present in the local computer certificate store. Also ensure that the server has sufficient privileges to access the store.

——————————————————————————————————

The details page (for Event Id 14397) shows the certificate number. I tried to find it using PowerShell:

Get-ChildItem -Path CERT: -Recurse | FT Subject, SerialNumber | FindStr <NUMBER FROM EVENT VIEWER>

It returned an empty string. So I reran it without |findstr … and checked the output. Naturally, I saw that one of the cert numbers was similar to whatever was in the event, BUT

1. it was backward and

2. each two bytes were changed in place

It is confusing, eh? So I will try to give an example:

Number in Event viewer:    ABCDEFGH12

Certificate number: 12GHEFCDAB

After that I found the certificate in question – it is my pool cert, which works just fine on my first FE server…

I checked the certificate using the Cert MMC – it looked OK and fully trusted. The trusted root – GeoTrust Global CA – was in its place.

Resolution: An intermediate certificate (GeoTrust SSL CA – G2) was not under “Intermediate Certification Authorities”. I copied it from my first server store to the second one and restarted the front-end on the second server. It started successfully this time.
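
The byte-pair reversal described above, plus a check for the issuing CA in the local machine stores, as an added example that is not part of the original post. Function names are hypothetical; treating the Event Viewer value as byte-reversed follows the post's own illustration.

```powershell
# Added example, not code from the original post. Function names are hypothetical.

function Convert-EventSerialToCertSerial {
    param([Parameter(Mandatory)][string]$EventSerial)
    # Drop separators that copy/paste from Event Viewer may introduce.
    $hex = ($EventSerial -replace '[\s:-]', '').ToUpperInvariant()
    if ($hex.Length % 2 -ne 0) { throw 'Serial must have an even number of characters.' }
    # One byte is two characters: reverse the order of the pairs, not the characters.
    $pairs = @(for ($i = 0; $i -lt $hex.Length; $i += 2) { $hex.Substring($i, 2) })
    [array]::Reverse($pairs)
    -join $pairs
}

function Find-CertificateByEventSerial {
    param([Parameter(Mandatory)][string]$EventSerial)
    $serial = Convert-EventSerialToCertSerial -EventSerial $EventSerial
    # Compare exactly instead of piping formatted text through findstr.
    Get-ChildItem -Path Cert:\LocalMachine -Recurse |
        Where-Object { -not $_.PSIsContainer -and $_.SerialNumber -eq $serial }
}

function Test-IssuerInLocalStore {
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Look for the issuing CA in the machine's Intermediate (CA) and Root stores.
    $issuers = @(Get-ChildItem -Path Cert:\LocalMachine\CA, Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -eq $Certificate.Issuer })
    [pscustomobject]@{
        Subject      = $Certificate.Subject
        Issuer       = $Certificate.Issuer
        IssuerStores = @($issuers | ForEach-Object { ($_.PSParentPath -split '\\')[-1] })
        IssuerFound  = $issuers.Count -gt 0
    }
}

# The post's illustrative value, converted to the form the certificate store shows.
Convert-EventSerialToCertSerial -EventSerial 'ABCDEFGH12'

# On the affected server (placeholder serial; not run here):
# Find-CertificateByEventSerial -EventSerial '<NUMBER FROM EVENT VIEWER>' |
#     ForEach-Object { Test-IssuerInLocalStore -Certificate $_ }
```

An IssuerFound of False for the pool certificate corresponds to the situation in the resolution above, where the intermediate was missing from the second server's store.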
