IT Consultant Everyday Notes

Just some problems/solutions storage

SCCM: Task Sequence Import fails (System.NullReferenceException)

I am leading a Windows 10 migration project currently. We prepared TAsk Sequences in Dev environment and SCCM admin tried to export/import them from Dev to Prod. Export was successfull, but Import miserably failed with

System.NullReferenceException

Object Reference not set to an instance of an object.

As usual very nice and descriptive SCCM error.

Fortunately Mike Terrill bumped into it before and wrote about it: https://miketerrill.net/2016/07/31/import-task-sequence-failure-cm-1606/

Note: When we tried to open a zip file containing TS archive using internal Windows Zip packer it failed. We used 7zip – it opens/saves the archive successfully.

Azure: Azure AD Application Proxy. Kerberos issue

One of my Customers asked about MFA for his on-prem Outlook. I offered several solutions, one of them – publish OWA site via Azure AD Application Proxy and pre-authenticate with Azure AD and MFA.

To be sure the configuration will work I built a Lab and tried to configure SSO for Internal Windows Authentication (IWA).

This configuration requires I configure Kerberos Constrained Delegation (KCD) in Active Directory and configure Delegation in Properties of a machine where I have my Azure AD Proxy Connector installed.

Everything looked easy on paper byt when I tried it in Active Directory Users and Computer MMC I received nice error: “The server is unwilling to proceed the request”

SNAGHTML76853a10

After unsuccessful googling I opened a case with Microsoft – that was a brand new domain, just couple of servers and I definitely expected everything working out of the box.

After couple of days of troubleshooting the only solution MS suggested was using an Active Directory Administrative Center instead of MMC. Even with that the first attempt failed with “Unknown error”. After the Center was restarted we could finally configure the delegation. No root cause found.

Azure: How to configure MFA when Classic Portal is not available

My company provides CSP Azure subscription for our Customers. To make life more exciting Microsoft remove Classic Portal support from CSP. So we can use new and shiny ARM-based portal only.

When time come to configure Azure AD fun begins. Azure AD node is available in the new portal as ‘preview’ and miss some features from the old portal. Recently I had fun with license assigning, today I needed to assign MFA to accounts. Fun, fun, fun….

Anyway, as in the first case office.portal.com helped. This portal is available for CSP and have some missing features of the classic portal. For example to add MFA to a user:

 

1. start office.portal.com

2. goto Users->Active Users

3. Click ‘More’

image

4. Click “Setup Azure Multi-factor auth’ That will open MFA portal for you

5. Configure MFA for a user or users in bulk

Azure: Use SAS token as a parameter

I recently bumped into an issue trying to pass a Shared Access Signature (SAS) token to my ARM template to be able to connect sub-templates securely. Even though SAS token looked perfectly fine in Powershell New-AzureRMDeployment cmdlet failed with the following error: Error: Code=InvalidTemplate; Message=Deployment template validation failed: ‘The provided value for the template parameter ‘_artifactsLocationSasToken’. I tried both securestring and string- no luck. A colleague of mine Jules Ouellette helped me with a solution – the token is generated as an object and must be converted to a string before passing as a Parameter: _artifactsLocationSastoken = $artifactslocationsastoken.toString()  After that conversion the token was successfully accepted as a parameter. 

SCCM: SUP is not working due to WSUS crash

Interesting case – WSUS built for SCCM SUP crashed regularly. It started from once in a month, after that more and more often and finally WSUS application pool could not stay and hour. Recommended solution was to recycle WSUS application pool. But that was not really a solution since permanent monitoring is required.

It turned out to be a known issue for SCCM 2012 (looks like SCCM CB is affected too) and Microsoft recommends to enlarge App Pool private memory to 4 (or in some cases to 8!) GB. Sounds a bit crazy for me but at least WSUS is up and running now.

More technical details in the following article: https://blogs.technet.microsoft.com/configurationmgr/2015/03/23/configmgr-2012-support-tip-wsus-sync-fails-with-http-503-errors/

SCCM: Clean encrypted drive before TS start

One of my Customers happens to have a McAfee encrypted drives on Laptops and Desktops he plans to migrate to Windows 10. Unfortunately McAffee version was not cooperative with SCCM and he was ok to clean the drives.

To achieve that I added a file called diskpart.txt on my file server (where my Network Access Account has access)

The file contains two lines:

Select disk 0
Clean

After that I customized the boot image by adding a pre-start command and pointing the boot image to the shared folder containing my configuration file:

image

The script is invoked after you press ‘Next’ on OSD dialog logon page but before you select any Task Sequence.

Did the trick for me.

SCCM: MDT boot image update failed: “Unable to mount the WIM, so the update process cannot continue”

Today I bumped into the abovementioned issue. I added some TS’ in my MDT 2013 Update 2, tweak settings for the boot image, tried to rebuild it and voila – the error.

Fortunately the fix was easy enough – I started Deployment Workbench ‘as Administrator” and this time the image was re-built successfully.

SCCM: OSD UDI – UI++ issue

I am not a big fan of SCCM/MDT integration and decided to use a little tool from MVP Jason Sandys. UI++

The tool provides a UDI interface for pure SCCM Task Sequences.

I configured XML file the tool is used and tried my TS. Dialog boxes popped up and I was able to select the applications, but when SCCM tried to installed the selected apps the TS failed with

No matching policy assignments received.
Policy download failed, hr=0x80004005

It turned out I forgot to allow Application installation without being advertised. I checked the box and the Application is installed as expected now…

image

Azure: Azure Database bacpac import failed with “The connection is broken and recovery is not possible.”

One of my Customers asked me to implement Azure PAAS database for PoC. I am not a SQL guru and when the database was set I went to google to see how to migrate data.

 

Microsoft recommends to use export/import data using bacpac file.

So we exported db to bacpac file (took 1.5 hour for a small 500MB DB). , copy it to azure VM and after that I tried to use SQL Management Studio to import the bacpac into the new Azure database as described here: https://docs.microsoft.com/en-us/azure/sql-database/sql-database-cloud-migrate-compatible-import-bacpac-ssms

 

The attempt miserably failed with the following error:

“An Exception occured while executing a Transact-TSQL statement or batch (Microsoft.SqlServer.ConnectionInfo)

Additional Information:

The connection is broken and recovery is not possible. The client driver attempted to recover connection one or more times and all attempts failed. Increase the value of ConnectRetryCount to increase the number of recovery attempts. (Microsoft SQL Server)

Cannot open database “mydatabasename” requested by login. The login failed. Login failed for user ’myusername’. (Microsoft SQL Server, Error: 4060)

 

Unusual resolution: I tried to restore the bacpac to an existing database. This attempt naturally failed with error “database already exists. Try to restore into a new database”. After that I put a name of the saved database and this time bacpac was restored successfully (it took ~1 hour again Smile )

SCCM: How to convert Package to Application using Package Conversion Manager (PCM) on SCCM CB

PCM does not support SCCM Console newer than SCCM 2012 SP1. Jason Sandys published and article for SCCM R2. I used the same approach for SCCM CB (1607) and it seems to be working fine.

 

Step-by-step from Jason is here: http://blog.configmgrftw.com/package-conversion-manager-and-configmgr-r2-sp1-or-sp2/