IT Consultant Everyday Notes

Just some problems/solutions storage

Monthly Archives: September 2012

Server 2012: Failover Cluster configuration – HA File Share cannot see source path

File Server is one of the roles for Microsoft Failover Cluster. There is a convenient GUI wizard to add and configure the role.

Issue: When you create an HA share on a File Server cluster resource, you cannot add any path to host it.

Resolution: Either run the Failover Cluster Management console from the node currently hosting the File Server resource storage, or move the File Server resource so that the Failover Cluster Management console and the storage are on the same node.

Note: I observed the issue on a full GUI version of the server. It would be interesting to see how it works with Server Core and a remote console.

SCCM 2012: Clients cannot install deployed update packs. Error 0x87D00692

Issue: SCCM Clients cannot install deployed updates.

Resolution: Check your deployment status either in the console or using the SCCM report (Software Updates – E Troubleshooting/Troubleshooting 2 – Deployment errors).

The cause of the failure is “GPO conflict”. A domain GPO overwrites the SCCM client settings and points the machine to the corporate WSUS server, which is why the client cannot use the SUP for update evaluation. It is necessary either to set the GPO setting for the intranet Windows Update server to “Not Configured” and let the SCCM client configure local policy properly, or to put the SUP FQDN and port into the GPO instead of WSUS. If you are in the middle of a migration and not ready to repoint all machines to SCCM, you can configure a GPO that repoints the settings to SCCM for SCCM clients only, using a WMI filter (see more here).

Driver Packs for SCCM OSD

Placeholder for Driver Pack collections for SCCM OSD

Lenovo: Lenovo forum

Dell: Dell Enterprise Client Wiki

HP: Deploymentresearch Blog

Speed up graphics in Windows Servers running on VMware platform

Found an article explaining the procedure for speeding up graphics on VMware-based VMs (in addition to the VMware Tools installation). The fact of the matter is that even with VMware Tools installed the machines are not using the WDDM driver. But it can be installed manually from C:\Program Files\Common Files\VMware\Drivers\wddm_video. The drivers can also be injected into WinPE images.

SCCM 2012: Image Offline Servicing

Issue: An OSD Administrator (a user with the “Operating System Deployment Manager” role in RBAC) cannot add updates to a reference image imported into SCCM. The attempt fails with “SMS Provider error”.

Resolution: The reference image was created by a user with the “Full Administrator” RBAC role. The OSD Administrator re-imported the same image into SCCM and could successfully service it after that. It looks like limited users cannot change objects created by “Full Administrators” even though they have access to them.

SCCM 2012 Powershell: You must use 32-bit!

Rafael has a nice post about using PowerShell in SCCM 2012 SP1 (beta). You must actually use 32-bit PowerShell to import the module!

More here

SCCM 2012: Software Update Download failed with ERROR: There was an error downloading the software update. (12029)

Issue: I tried to download updates while creating a new Software Update Package using a remote SCCM console. SCCM created a folder for the first update under the Package Source folder, but could not download the content; it failed with ERROR: There was an error downloading the software update. (12029)

Resolution: I checked PatchDownloader.log, located in the %UserProfile%\AppData\Local\Temp\3 folder, and found the error saying the content cannot be downloaded from the Microsoft Update site.

There is a proxy in the environment. I set the proxy settings in IE and the content was downloaded successfully.

Note: There are proxy settings in the properties of the Software Update Point in SCCM. Do not forget to set them up if there is no direct connection to the Microsoft Update sites from your SCCM SUP. This setting affects the SUP/Microsoft synchronization process only!

To download Software Update content you have to have the proxy configured in IE on the machine you use to run the SCCM console. At least that solved the issue for me.

How to publish Certificate Revocation List (CRL)

If you are using your own PKI infrastructure, it is important to make your CRLs available to the users of your certificates, so they can check the Certificate Revocation List published by your CA.

Environment (assuming mydomain.com is both the internal and the external FQDN for the domain; if you use different names you need to add additional records for the CRL location):

1. Certificate Authority (let's use one level for simplicity): caserv.mydomain.com

2. Web server WEBSERV (IIS hosts the web site http://crl.mydomain.com, published on a reverse proxy as CRL.MYDOMAIN.COM): webserv.mydomain.com

3. Windows Firewall on WEBSERV allows File and Printer Sharing

Configuration:

1. Configure the CA installed on CASERV with the following extension settings (right-click the CA):
– Add Location: http://crl.mydomain.com/crld/
– Add Variables (in order): CAName, CRLNameSuffix, DeltaCRLAllowed
– Location: .crl (so that you have <CAName><CRLNameSuffix><DeltaCRLAllowed>.crl in the CRL Location line)
– Select “Include in CRLs. Clients use this to find Delta CRL locations” and “Include in the CDP extension of issued certificates”.
– Do not restart Certificate Services.

Note: if your internal and external domain names are different, use your external web server name.

– Add Location: \\WEBSERV\crldist$\
– Variables (in order): CAName, CRLNameSuffix, DeltaCRLAllowed
– Location: .crl
– Select “Publish CRLs to this location” and “Publish Delta CRLs to this location”.

– Restart Certificate Services.
– Close the Certificate Authority console.

2. Create CRL distribution point on WEBSERV by performing the following steps:
– Start Internet Information Services (IIS) Manager.
– In the console tree, browse to WEBSERV\Sites\Default Web Site, right-click Default Web Site, and then click Add Virtual Directory.
Alias: CRLD
Path: C:\CRLDist
– In the middle pane of the console, double-click Directory Browsing, and in the Actions pane, click Enable.
– In the console tree, click the CRLD folder.
– In the middle pane of the console, double-click the Configuration Editor icon.
– Click the down-arrow of the Section drop-down list, and navigate to system.webServer\security\requestFiltering.
– In the middle pane of the console, double-click the allowDoubleEscaping entry to change the value from False to True.
– In the details pane, click Apply.

3. Share and secure the CRL distribution point by performing the following steps:

– Share C:\CRLDist as \\WEBSERV\CRLDIST$
– Set Full Control in both the share and the NTFS permissions for the CASERV$ machine account

4. Publish the CRL to WEBSERV by performing the following steps:

– Open the CA MMC on CASERV
– Navigate to the Revoked Certificates folder, right-click the folder, and select All Tasks-Publish
– Check that the CRL files were created in the \\WEBSERV\CRLDist$ share
– From an external computer, try to get the CRL using the http://crl.mydomain.com/CRLD/<CRL_file_name>.crl URL
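
The four steps above, scripted in PowerShell as an added example (not from the original post). It assumes Windows Server 2012 on both hosts with the WebAdministration, SmbShare and ADCSAdministration modules, and MYDOMAIN as the NetBIOS domain name.

```powershell
# Added example, not from the original post. Run each part elevated.
# Assumed: Windows Server 2012 on both hosts, NetBIOS domain MYDOMAIN.

# ---- On WEBSERV: steps 2 and 3 ----
Import-Module WebAdministration
$crlDir = 'C:\CRLDist'
$vdir   = 'IIS:\Sites\Default Web Site\CRLD'
$caAcct = 'MYDOMAIN\CASERV$'    # CA computer account (domain name assumed)

New-Item -Path $crlDir -ItemType Directory -Force | Out-Null
New-WebVirtualDirectory -Site 'Default Web Site' -Name 'CRLD' -PhysicalPath $crlDir
Set-WebConfigurationProperty -PSPath $vdir -Filter '/system.webServer/directoryBrowse' `
    -Name enabled -Value $true
# Delta CRL file names end in "+"; IIS request filtering rejects that
# character in a URL path unless allowDoubleEscaping is true.
Set-WebConfigurationProperty -PSPath $vdir -Filter '/system.webServer/security/requestFiltering' `
    -Name allowDoubleEscaping -Value $true

# Hidden share; only the CA computer account is granted access.
New-SmbShare -Name 'CRLDist$' -Path $crlDir -FullAccess $caAcct
icacls $crlDir /grant "${caAcct}:(OI)(CI)F"

# ---- On CASERV: steps 1 and 4 ----
Import-Module ADCSAdministration
$name = '<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl'
# HTTP location: written into issued certificates (CDP) and into CRLs so
# clients can find the delta CRL. The CA does not publish to it directly.
Add-CACrlDistributionPoint -Uri "http://crl.mydomain.com/crld/$name" `
    -AddToCertificateCdp -AddToFreshestCrl -Force
# UNC location: where the CA writes the base and delta CRL files.
Add-CACrlDistributionPoint -Uri ('file://\\WEBSERV\crldist$\' + $name) `
    -PublishToServer -PublishDeltaToServer -Force
Restart-Service -Name certsvc
certutil -crl    # same as Revoked Certificates > All Tasks > Publish

# ---- Verify on WEBSERV: files exist, are current, and are served ----
# Repeat the HTTP request from an external computer, as in step 4.
Get-ChildItem (Join-Path $crlDir '*.crl') | ForEach-Object {
    $dates = certutil -dump $_.FullName | Select-String 'ThisUpdate|NextUpdate'
    $url   = 'http://crl.mydomain.com/crld/' + [uri]::EscapeUriString($_.Name)
    try   { $code = (Invoke-WebRequest -Uri $url -UseBasicParsing).StatusCode }
    catch { $code = $_.Exception.Message }
    [pscustomobject]@{ File = $_.Name; Http = $code; Dates = ($dates -join '; ') }
}
```

A delta CRL that exists in the share but fails the HTTP check usually points at the allowDoubleEscaping setting or at the reverse proxy rejecting the "+" in the file name.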

PowerShell 3: Install PowerShell Web Access

1. Install the feature (here and below, all commands are run in a PowerShell console started “As Administrator”!):

Install-WindowsFeature -Name WindowsPowerShellWebAccess -ComputerName <computer_name> -IncludeManagementTools -Restart

2. Enable PS remoting (if it is not enabled)

Enable-PSRemoting -Force

3. Configure PSWA using:

Install-PswaWebApplication -UseTestCertificate

4. Add Authorization rule:

5. Verify PSWA by browsing to https://<server_name>/pswa from Internet Explorer.

6. Use PSWA

Detailed instructions: at the TechNet site
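
For step 4, an added example (not from the original post, whose rule was shown only as a screenshot) of a scoped authorization rule next to the wide-open one commonly used in labs. The group, user and computer names are placeholders.

```powershell
# Added example, not from the original post. Names are placeholders.
Import-Module PowerShellWebAccess

# Lab-only rule: any user, any computer, any session configuration.
# Anyone who can authenticate to the gateway can reach every host.
# Add-PswaAuthorizationRule -UserName * -ComputerName * -ConfigurationName *

# Scoped rule: one AD group, one target computer, one endpoint.
Add-PswaAuthorizationRule -RuleName 'operators-to-srv01' `
    -UserGroupName 'MYDOMAIN\PSWA-Operators' `
    -ComputerName 'srv01.mydomain.com' `
    -ConfigurationName 'Microsoft.PowerShell'

# Review what is in place.
Get-PswaAuthorizationRule

# Test-PswaAuthorizationRule returns the matching rule(s), or nothing
# when the combination is not authorized.
$allowed = Test-PswaAuthorizationRule -UserName 'MYDOMAIN\alice' `
    -ComputerName 'srv01.mydomain.com' -ConfigurationName 'Microsoft.PowerShell'
$denied = Test-PswaAuthorizationRule -UserName 'MYDOMAIN\alice' `
    -ComputerName 'dc01.mydomain.com' -ConfigurationName 'Microsoft.PowerShell'

"srv01 authorized: $([bool]$allowed)"
"dc01 authorized:  $([bool]$denied)"
```

The certificate created by -UseTestCertificate in step 3 is self-signed; bind a CA-issued certificate to the site before exposing the gateway beyond a test network.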

SCCM 2012: Force SCCM Client Site assignment

The SCCM 2012 client is smart enough not to connect to pre-2012 site servers even when set with SMSSITECODE=AUTO. In reality it may happen even when you specifically set the site name but have pre-2012 sites in the same boundaries.

Of course, the best solution is not to have overlapping boundaries for sites (at least for site assignment, as it is supported in 2012 now), but in some situations (especially during migration) it is unfortunately not possible…

Another approach is to force SCCM client site assignment via GPO.

Microsoft provides us with two templates located on the installation media in the \SMSSETUP\Tools\ConfigMgrADMTemplates folder. One of them is used to force site assignment on the SCCM client. The idea is to use this template to create a GPO with a WMI filter so that it is applied only to machines with the SCCM 2012 client installed.

1. Create a new GPO and Add Admin Template to it:

2. Enable the site assignment settings and save the GPO

3. Create a WMI filter and assign it to the GPO. Note: the filter looks for the ccmexec.exe file in the c:\Windows\CCM folder. If you have the client installed somewhere else, please change it accordingly.

4. Link the GPO to an OU containing your computers

5. Run GPRESULT (GPRESULT –r for Windows 7) to see if GPO is applied
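
A local check covering both GPO cases on this page (the WSUS “GPO conflict” behind error 0x87D00692 and the WMI-filtered GPO for SCCM clients), as an added example that is not from the original posts. The WQL query is an assumed equivalent of the filter shown only as a screenshot, and Test-SupPolicy and the SUP URL are hypothetical names.

```powershell
# Added example, not from the original posts.
# Test-SupPolicy and the SUP URL in the usage line are hypothetical.
function Test-SupPolicy {
    param(
        [Parameter(Mandatory)][string]$ExpectedSup,
        [string]$CcmExec = 'C:\Windows\CCM\ccmexec.exe'
    )
    # Same test a GPO WMI filter would run (namespace root\CIMv2).
    # WQL needs every backslash in the path doubled.
    $wql = "SELECT Name FROM CIM_DataFile WHERE Name = '$($CcmExec.Replace('\', '\\'))'"
    $hasClient = [bool](Get-WmiObject -Namespace 'root\cimv2' -Query $wql)

    # Effective Windows Update policy; a domain GPO overrides the local
    # policy that the SCCM client writes here.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu  = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).WUServer

    [pscustomobject]@{
        WmiFilterQuery  = $wql
        ClientInstalled = $hasClient
        WUServer        = $wu
        ExpectedSup     = $ExpectedSup
        # Conflict: client present but policy points somewhere other than the SUP.
        Conflict        = [bool]($hasClient -and $wu -and
                                 ($wu.TrimEnd('/') -ne $ExpectedSup.TrimEnd('/')))
    }
}

# Constructed SUP URL for illustration only.
Test-SupPolicy -ExpectedSup 'http://sup.mydomain.com:8530'
```

If ClientInstalled is False on a machine that has the client, the WMI filter will not match either, so adjust the path before linking the GPO.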
