IT Consultant Everyday Notes

Just some problems/solutions storage

Monthly Archives: December 2013

SCOM 2012: How to test e-mail notification channel in SCOM

A nice step-by-step from Microsoft is here. Besides showing how to test the channel, it gives an example of the basic notification operations.


SCOM 2012: Set-SCOMLicense cmdlet fails

I attempted to add my SCOM product key to a SCOM 2012 R2 installation using the Set-SCOMLicense cmdlet, as recommended by the setup program.

It failed with the following error:

Requested registry access is not allowed


The solution is to start a standard (non-SCOM) PowerShell window as Administrator, run "Import-Module OperationsManager" and retry Set-SCOMLicense from that window. The cmdlet writes the key to the registry, so the session has to be elevated; the Operations Manager Shell shortcut normally is not.

The solution was found in Michael's blog here.
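The same fix as a script, with an explicit elevation check in front of it. This is an added example, not code from the original post or from Microsoft; the product key is a placeholder and the service restart at the end follows Microsoft's guidance for Set-SCOMLicense (the post itself does not mention it).

```powershell
# Apply the SCOM 2012 R2 product key from an elevated, plain PowerShell window.
# Set-SCOMLicense writes to the registry, which is why an unelevated
# Operations Manager Shell fails with "Requested registry access is not allowed".

# Refuse to continue unless the session runs as Administrator.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Start PowerShell with 'Run as administrator' and run this script again."
}

# Load the SCOM 2012 module into this (non-SCOM) window.
Import-Module OperationsManager -ErrorAction Stop

# Placeholder: replace with the real 25-character product key.
$productKey = 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX'
Set-SCOMLicense -ProductId $productKey          # the cmdlet asks for confirmation

# Verify: the management group should now report the licensed SKU
# and an expiration far in the future instead of the evaluation date.
Get-SCOMManagementGroup | Select-Object SkuForLicense, Version, TimeOfExpiration

# The new license is picked up after the System Center Data Access service
# (service name OMSDK) is restarted on every management server.
Restart-Service -Name OMSDK
```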

SCOM 2012: Setup failed–Account validation error

SCOM 2012 R2 installation failed with the following error:

One or more accounts provided could not be validated. Please provide valid user names and passwords

Only one account failed validation. This account was created while the setup application was running; the other accounts were pre-created.

To bypass the error I used one of the pre-created accounts instead of the new one, and the error disappeared.

SCOM: How to set Agent Proxy on all Clients

Ken posted a nice PowerShell script that can be run on a schedule to set it up. It is written for the OpsMgr 2007 shell (the snap-in below) and takes a single parameter, the name of the Root Management Server (RMS).

param(
   [Parameter(Mandatory = $true)]
   [string]$RMS           # name of the Root Management Server
)

## prepare the OpsMgr 2007 shell: snap-in, management group connection and Monitoring: drive
if ((Get-PSSnapin | Where-Object {$_.Name -eq 'Microsoft.EnterpriseManagement.OperationsManager.Client'}) -eq $null)
{
   Add-PSSnapin Microsoft.EnterpriseManagement.OperationsManager.Client -ErrorAction SilentlyContinue -ErrorVariable Err
   if ($Err) { throw $Err }
}
if ((Get-ManagementGroupConnection | Where-Object {$_.ManagementServerName -eq $RMS}) -eq $null)
{
   New-ManagementGroupConnection $RMS -ErrorAction SilentlyContinue -ErrorVariable Err
   if ($Err) { throw $Err }
}
if ((Get-PSDrive | Where-Object {$_.Name -eq 'Monitoring'}) -eq $null)
{
   New-PSDrive -Name: Monitoring -PSProvider: OperationsManagerMonitoring -Root: \ -ErrorAction SilentlyContinue -ErrorVariable Err
   if ($Err) { throw $Err }
}
Set-Location Monitoring:\$RMS

## connect to the management group through the SDK
$ManagementGroup = New-Object Microsoft.EnterpriseManagement.ManagementGroup($RMS)
$ManagementGroup.Reconnect()

## enable agent proxy on every agent where it is still disabled
$NoProxy = Get-Agent | Where-Object {$_.ProxyingEnabled -eq $false}
$NoProxy | ForEach-Object {$_.ProxyingEnabled = $true}
$NoProxy | ForEach-Object {$_.ApplyChanges()}
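The same job for SCOM 2012, where the 2007 snap-in and the RMS no longer exist and the OperationsManager module provides Get-SCOMAgent and Enable-SCOMAgentProxy. This is an added example, not Ken's script or Microsoft's code; the ManagementServer and ReportOnly parameters are my own. Keep in mind what the flag does: an agent with proxying enabled may submit discovery data on behalf of other objects, so enabling it fleet-wide trades a guard against a compromised or misconfigured agent feeding bogus data about other computers for convenience. The ReportOnly switch is there so the list of agents can be reviewed before anything changes.

```powershell
# Enable the agent-proxy setting on every SCOM 2012 agent that still has it
# disabled. Run on a management server, or on any machine with the Operations
# console installed, as a user with Operations Manager administrator rights.
param(
    [Parameter(Mandatory = $true)]
    [string]$ManagementServer,     # any management server; there is no RMS in 2012
    [switch]$ReportOnly            # list candidates without changing anything
)

Import-Module OperationsManager -ErrorAction Stop

# Connect explicitly so the script also works from a plain PowerShell window.
New-SCOMManagementGroupConnection -ComputerName $ManagementServer -ErrorAction Stop | Out-Null

# Agents whose proxy flag is still off.
$candidates = @(Get-SCOMAgent | Where-Object { -not $_.ProxyingEnabled })

if ($candidates.Count -eq 0) {
    Write-Output "All agents already have agent proxy enabled."
    return
}

Write-Output ("{0} agent(s) without agent proxy:" -f $candidates.Count)
$candidates | Select-Object DisplayName, PrimaryManagementServerName | Format-Table -AutoSize

if ($ReportOnly) { return }

# Enable-SCOMAgentProxy takes the agents from the pipeline; -PassThru returns
# the updated objects so the change can be logged.
$changed = @($candidates | Enable-SCOMAgentProxy -PassThru)

# Verify by re-reading the flag from the management group instead of trusting
# the objects still in memory.
$stillOff = @(Get-SCOMAgent | Where-Object { -not $_.ProxyingEnabled })
Write-Output ("Enabled on {0} agent(s); {1} still disabled." -f $changed.Count, $stillOff.Count)
```

Scheduled, the script replaces the 2007 version above one-to-one; run it once with -ReportOnly first to see which agents it would touch.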

ADFS: Integration with VMWare Virtual Cloud Director

Milos and I tested an integration between VMware vCloud Director (VCD) and Microsoft's SSO implementation, ADFS, installed on Windows Server 2012 R2. We used this ARTICLE in Dutch as guidance.

1. Install the ADFS role on the 2012 R2 server.

2. Plan a name for the federation service. The name cannot be the same as the server name: if your server is called server1.yourdomain.com, call the ADFS service sso.yourdomain.com, for example. Think about the external name if applicable. Request a certificate with EKU = Server Authentication (from the Web Server template) for the service name. ADFS supports wildcard certificates; alternatively add all your ADFS service names to the certificate as Subject Alternative Names (SANs).

3. Create a service account for ADFS, or use a Group Managed Service Account (gMSA).

3.1 A gMSA needs a KDS root key in the domain (skip this if one already exists). Backdating -EffectiveTime by 10 hours is a lab shortcut that makes the key usable immediately; in production run Add-KdsRootKey with the default effective time and wait for the key to replicate to all domain controllers.

Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

3.2 Create the gMSA. Use the federation service name from step 2 (not the server name) for the DNS host name and the SPN:

New-ADServiceAccount FsGmsa -DNSHostName sso.yourdomain.com -ServicePrincipalNames http/sso.yourdomain.com

3.3 Create a test user in AD and set its e-mail address. The e-mail address is important: it will be used for the claims.

4. Configure ADFS.

4.1 In Server Manager go to the ADFS role and click "Additional Configuration Required". Configure ADFS with the default configuration (Windows Internal Database), using the service name from step 2 and the account from step 3.

4.2 Add sso.yourdomain.com to your DNS to be sure both VCD and the clients can resolve it.

4.3 After the configuration go to https://sso.yourdomain.com/FederationMetadata/2007-06/FederationMetadata.xml and save the file.

———————————   VCD SIDE   ———————————————-

5. Log on to VCD as administrator: https://vcd.yourdomain.com/cloud/org/yourorg/

6. Go to Administration - Federation

7. Select SAML Identity Provider

8. Paste the content of the XML file saved in step 4.3

9. Go to User Management - Import Users and import a user as a SAML user with a Name ID matching the e-mail address of the user in Active Directory, for example user@yourdomain.com

10. Open Internet Explorer, navigate to https://vcd.yourdomain.com/cloud/org/yourorg/saml/metadata/alias/vcd and save the file.

11. Copy the vcd file to the ADFS server as vcd.xml

————————————————–  ADFS Part   ————————————————————–

12. Configure the Relying Party Trust

12.1 Log on to the ADFS server as a Domain Administrator

12.2 Open the AD FS Management console

12.3 Right-click "Relying Party Trusts" and select "Add Relying Party Trust"

12.4 Click Start

12.5 Select "Import data about the relying party from a file" and point the wizard to the file saved in step 11

12.6 Click OK in the warning window

12.7 Add a display name (for example VCD)

12.8 Do not add multi-factor authentication or issuance rules; just finish the wizard

12.9 Right-click the newly created Relying Party Trust and select Properties

12.10 Under the Advanced tab switch the Secure hash algorithm from the SHA-256 default to SHA-1

13. In the original article this step is marked as optional, but we found the integration does not work without it. Open PowerShell as Administrator and run:

Add-PSSnapin Microsoft.Adfs.Powershell       <----- NOT REQUIRED on Server 2012 R2, where the ADFS cmdlets are a module that loads automatically
Set-ADFSRelyingPartyTrust -TargetName "VCD" -EncryptClaims $False

-TargetName must match the display name given in step 12. With EncryptClaims off the SAML assertion is still signed but no longer encrypted for VCD, so its confidentiality rests on the HTTPS connections between the browser, ADFS and VCD.

14. Configure ADFS Claims

14.1 Right-click the Relying Party Trust created in step 12 and select Edit Claim Rules

14.2 Click Add Rule

14.2.1 Select "Send LDAP Attributes as Claims"; click Next

14.2.2 Add a claim rule name (for example "LDAP Attribute E-Mail Address")

14.2.3 Select Active Directory as the attribute store

14.2.4 In the LDAP Attribute column select "E-Mail-Addresses"

14.2.5 In Outgoing Claim Type select "E-Mail Address"

14.2.6 Click Finish

14.3 Click Add Rule again

14.3.1 Select "Transform an Incoming Claim"; click Next

14.3.2 Add a claim rule name (for example "Transform E-Mail Address to Name ID")

14.3.3 In Incoming Claim Type select "E-Mail Address"

14.3.4 In Outgoing Claim Type select "Name ID"

14.3.5 Verify that "Pass through all claim values" is selected

14.3.6 Click Finish

At this point you should have two rules like this:

ADFS is configured and you should be able to log on to VCD via ADFS.
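Steps 12 to 14 as one script, using the ADFS 2012 R2 cmdlets instead of the wizard. This is an added example, not code from the original article, from VMware or from Microsoft; the metadata path is assumed, and the two claim rules are the rule-language equivalents of the "Send LDAP Attributes as Claims" and "Transform an Incoming Claim" templates that the wizard writes. The SHA-1 signature algorithm and EncryptClaims $false are the two settings the integration depends on, and both weaken the defaults, so the script prints them back at the end for review.

```powershell
# Create the VCD relying party trust in ADFS 2012 R2 with the settings from
# steps 12 to 14. Run as a domain administrator on the ADFS server.

$rpName       = 'VCD'                # display name, also used as -TargetName later
$metadataFile = 'C:\Temp\vcd.xml'    # vCD SP metadata copied in step 11 (assumed path)

# Claim type URIs used by the ADFS claim rule language.
$accountClaim = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'
$emailClaim   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$nameIdClaim  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'

# Rule 1 (step 14.2): read the AD "mail" attribute of the authenticated user
# and issue it as an E-Mail Address claim.
# Rule 2 (step 14.3): pass the e-mail address through as Name ID, which VCD
# matches against the Name ID of the SAML user imported in step 9.
$transformRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "LDAP Attribute E-Mail Address"
c:[Type == "$accountClaim", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$emailClaim"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Transform E-Mail Address to Name ID"
c:[Type == "$emailClaim"]
 => issue(Type = "$nameIdClaim", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
"@

# Same authorization rule the wizard adds by default: permit every authenticated user.
$authRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

Add-AdfsRelyingPartyTrust -Name $rpName -MetadataFile $metadataFile `
    -SignatureAlgorithm 'http://www.w3.org/2000/09/xmldsig#rsa-sha1' `
    -EncryptClaims $false `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authRules

# Review the two non-default settings and the identifier taken from the metadata.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, SignatureAlgorithm, EncryptClaims
```

If the trust already exists from the wizard, replace Add-AdfsRelyingPartyTrust with Set-AdfsRelyingPartyTrust -TargetName $rpName and the same parameters (minus -Name and -MetadataFile).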

Server 2012 R2: File Server Cluster Migration

I need to migrate a File Server hosted by a Windows 2008 R2 Storage Server cluster to a new 2012 R2 cluster.

This GUIDE was used as the informational base.

NOTE: In my test environment I do not have mount points on clustered disks so I am not sure if that scenario will work.

I have two 2008 R2 Storage Servers clustered, with a File Server clustered resource set up:

I can access the shares:

For test purposes I added a user to the share permissions and customized its rights

I also built a fresh 2012 R2 cluster (without the File Server role)

Migration:

0. In AD, check that the cluster computer accounts have full rights on the File Server computer accounts, especially the 2012 cluster account on the 2008 File Server account. I.e. if my 2012 cluster name is demvhvw12cl and my 2008 File Server cluster is called demvhvw2k8cfs, I grant Full Control to demvhvw12cl on demvhvw2k8cfs

1. Microsoft recommends checking that the cluster networks are configured properly, i.e. there is no cluster communication on the storage network. For example:

2008 Cluster:

2012 Cluster:

2. Start Migration Wizard from 2012 Cluster:

3. Select cluster to migrate FROM

4. Select a role to migrate (take a look at the Reports to see what can be migrated)

5. Verify configuration and start migration

6. Wait for the Migration Wizard to finish.

7. Check if migration was successful (use “View Report” button)

8. Put File Server role OFFLINE on W2k8 Cluster (source cluster)

9. Disconnect the data LUNs from the source cluster and connect them to the new one.

I am using an iSCSI target on Windows Server 2012; the target was re-assigned from the 2008 nodes to the 2012 cluster nodes.

Refresh the iSCSI initiator on all nodes of the 2008 cluster and of the 2012 cluster, and connect the LUNs on the 2012 nodes (on ALL nodes!). After the refresh the 2008 cluster nodes should no longer show the targets as connected, while the 2012 nodes should.

10. Check which 2012 node is the owner of the File Server role and bring the connected LUNs (all data LUNs) online on that machine from Computer Management / Disk Management.

11. Start File Server Role on 2012 Cluster (right-click – Start Role):

12. Check that the disk resources and the shares are available. The File Server network name resource and its IP address should have been migrated as well.

13. Check if custom permissions are migrated (right-click the test Share and go to Properties/Permissions)

14. Try to connect to the share from a test machine to be sure the File Server is up and running on the new cluster. Auto-completion of the share name is working (a good sign) and the files are there.

15. Remove File Server Resource from the old Cluster:

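Steps 9 to 14 as a script against the new cluster, to reconnect storage on every node and then verify the migrated role from PowerShell rather than from screenshots. This is an added example, not code from the post or from the Microsoft guide; it assumes step 8 has been done (the role is offline on the 2008 cluster, so the name and IP are free), and the cluster name, role name, share name and iSCSI portal address are placeholders, the first two taken from the post.

```powershell
# Post-migration storage reconnect and verification for the file server role on
# the 2012 R2 cluster. Run as a cluster administrator from a machine with the
# FailoverClusters module (e.g. one of the new nodes).

$newCluster  = 'demvhvw12cl'     # 2012 R2 cluster (from the post)
$roleName    = 'demvhvw2k8cfs'   # migrated File Server role / client access point (from the post)
$testShare   = 'TestShare'       # assumed share name
$iscsiPortal = '10.0.0.50'       # assumed iSCSI target portal address

Import-Module FailoverClusters -ErrorAction Stop

# Step 1 check: no cluster traffic on the storage network.
# Role 0 = not used by cluster, 1 = cluster only, 3 = cluster and client.
Get-ClusterNetwork -Cluster $newCluster | Select-Object Name, Address, Role | Format-Table -AutoSize

# Step 9: every node must see the LUNs. Refresh the portal, reconnect any
# target that is not connected (persistently, so it survives a reboot) and
# rescan the disks.
$nodes = (Get-ClusterNode -Cluster $newCluster).Name
Invoke-Command -ComputerName $nodes -ArgumentList $iscsiPortal -ScriptBlock {
    param($portal)
    Update-IscsiTargetPortal -TargetPortalAddress $portal
    Get-IscsiTarget | Where-Object { -not $_.IsConnected } |
        Connect-IscsiTarget -IsPersistent $true | Out-Null
    Update-HostStorageCache
    "{0}: {1} iSCSI session(s)" -f $env:COMPUTERNAME, @(Get-IscsiSession).Count
}

# Step 10: bring the iSCSI data disks online on the role owner only.
$group = Get-ClusterGroup -Cluster $newCluster -Name $roleName
$owner = $group.OwnerNode.Name
Invoke-Command -ComputerName $owner -ScriptBlock {
    Get-Disk | Where-Object { $_.IsOffline -and $_.BusType -eq 'iSCSI' } |
        Set-Disk -IsOffline $false
}

# Step 11: start the role if the wizard left it offline.
if ($group.State -ne 'Online') {
    Start-ClusterGroup -Cluster $newCluster -Name $roleName | Out-Null
}

# Step 12: disks, network name and IP address of the role should all be Online.
Get-ClusterResource -Cluster $newCluster |
    Where-Object { $_.OwnerGroup.Name -eq $roleName } |
    Select-Object Name, ResourceType, State | Format-Table -AutoSize

# Step 13: shares scoped to the migrated server name, with their share permissions.
Invoke-Command -ComputerName $owner -ArgumentList $roleName -ScriptBlock {
    param($scope)
    $shares = Get-SmbShare -ScopeName $scope
    $shares | Select-Object Name, Path, ScopeName | Format-Table -AutoSize
    foreach ($s in $shares) {
        Get-SmbShareAccess -Name $s.Name -ScopeName $scope |
            Select-Object Name, AccountName, AccessControlType, AccessRight
    }
}

# Step 14: client-side check through the migrated name.
$unc = "\\$roleName\$testShare"
if (Test-Path $unc) { "OK: $unc is reachable" } else { Write-Warning "$unc is NOT reachable" }
```

Run the step 13 part again after step 15 (removing the role from the old cluster) to confirm the share permissions survived; that is the custom ACL set up on the test share at the start of the post.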