IT Consultant Everyday Notes

Just some problems/solutions storage

USMT: Archive viewer

Mike Morawski wrote a nice wrapper for Migercover tool to browse .MIG files created by USMT/EasyTransfer. I am using that to check what exactly will be copied and tune up the config files.

The tool can be downloaded from Mike’s blog here: http://www.migee.com/2011/01/17/mig-recover-and-viewer-utility-alpha/

Please note, Mike is talking about USMT3/4 and the tool was not updated for a while. But it works for my USMT 10 at least for the current version 10.0.16299.15.

Advertisements

Azure: Clone VSTS Git repository to Visual Studio failed with error 400

I recently started to play with Azure Deployments via Visual Studio Team Services. The idea is having a source control for my ARM templates and keep my projects nice and tidy in one place.

I saw James Bannan presented on IT/DEV 2017 conference and liked this approach. Unfortunately, it is not clearly documented, or maybe I just cannot find a proper information since I am not a developer.

Anyway,  I integrated my Visual Studio 2017 with VSTS; that created a Git instance for me. From the VSTS portal I creted a new Project and tried to clone it to my VS2017. It miserably failed with Error 400.

Resolution: It turned out the clone process does not like spaces in project name :0 . fortunately there is a workaround I found here it describes a similar issue with cloning from tfs, but since the issue is actually on VS side it works for VSTS too. You basically need to cancel cloning in VS window and select “Clone Repository” from Project section. This will replace spaces in URL with %20 and in this case it finishes successfuly.

SCCM: Side-by-side migration. Changing Site for Clients.

I do site migrations for my Customers from time to time. Most often SCCM 2007/2012 to SCCM CB. The procedure is well documented and in generally works well. But the last step – move SCCM Clients from the old site to the new site is not very clear.

What I normally did is using Jason Sandys’ startup script (https://home.configmgrftw.com/configmgr-client-startup-script/)to re-install am SCCM Client with the new site code. But that always looked like a bit too much for me.

These days I am participating IT/DEV Connection conference and raised this scenario for panel of SCCM experts we have here. Here is the main points of the discussion:

1. Do not use SCCM ADMX template in GPO to change SCCM code only. Sometimes does not wrk, just breaks the client.

2. Jason’s script is probably the best way to re-point the client for today

3. Wally also mentioned we can create a package for a NEW client with the new site code on the OLD SCCM and deploy it. That will update the Client binaries and repoint it the same time.

4. Some people recommended to manage site assignment via site Boundaries (in this case we should separate boundaries for old and new SCCM). But as far as I remember it is not recommend even by MS itself.

So the bottom line is: after side-by-side migration we need to reinstall the Client using either Jason’s script above or method recommended by Wally.

Classic Azure AD Portal Access for CSP subscriptions

By default CSP users are OOL. But the Classic portal may be necessary. Here is a workaround: https://dirteam.com/sander/2017/07/03/creating-an-mfa-provider-when-you-have-csp-or-dreamspark/

PKI: Chrome 58 gives a warning with HTTPS connection to a Web Server

Scenario: Web Server protected by a certificate issued by Internal Certification Authority (Microsoft ADCS).

Certificate has a single Subject Name on it Internet Explorer works fine, only Chrome is affected

 

Warning:

This Server could not prove that it is <server name>; its security certificate is from [missing_subjectAltName]. This may be caused by a misconfiguration or an attacker intercepting your connection.

Resolution: I reissued the certificate and added Subject Alternative Name (SAN) with the same FQDN to it. After that I assigned the new certificate to the Web Server interface and restarted IIS. Chrome connects to the web server without any warnings now.

 

More about SAN: https://technet.microsoft.com/en-us/library/ff625722(v=ws.10).aspx

PKI: Enterprise PKI MMC displays a Subordinated CA as offline

I built a two layer PKI infrastructure and brought an Enterprise PKI MMC to verify the infrastructure health. All is ok but an Issuing CA. That was displayed with Status: ‘Error” and the message was “This CA is currently offline or unavailable”.

 

At the same time I could right-click it, select manage and it brought a very nice working CA MMC for me. So the CA is up and running and works fine, but for some reasons shown as offline in Enterprise PKI MMC.

Google did not bring too much, but search in Technet Forums gave a clue: https://social.technet.microsoft.com/Forums/en-US/fc8f6eba-447e-4e3f-a833-3b71bb3fc575/enterprise-pkiviewmsc-error-for-new-subca?forum=winserversecurity

I granted all permissions to my Domain Admins (this is Lab, otherwise it would be a custom security group). By default it was Manage CA and Issue and Manage Certificates only.

SNAGHTML48ce8f7f

and restarted the Certificate Services. After that Enterprise PKI became nice and green.

SCCM: SCUP 2011 on Windows Server 2016

found a nice post ( http://www.slr-corp.fr/2017/02/tips-tricks-installing-system-center-updates-publisher-scup-2011-windows-server-2016/) describing how to Install SCUP 2011 on Server 2016. Normally installation fails due to WSUS version check, but if you change WSUS version to  6.3.9600.1777 in registry (HKLM\SOFTWARE\Microsoft\Update Services\Server\Setup VersionString) for time of SCUP installation you can apparently finish SCUP installation. Of course without any support from MS Smile

or, as mentioned in the post comments just run SCUP .msi with /qb switch Winking smile

Meanwhile people continue to vote for this feature for SCCM CB here: https://configurationmanager.uservoice.com/forums/300492-ideas/suggestions/8803711-3rd-party-patching-scup-integration-with-sccm-co

SCCM: Task Sequence Import fails (System.NullReferenceException)

I am leading a Windows 10 migration project currently. We prepared TAsk Sequences in Dev environment and SCCM admin tried to export/import them from Dev to Prod. Export was successfull, but Import miserably failed with

System.NullReferenceException

Object Reference not set to an instance of an object.

As usual very nice and descriptive SCCM error.

Fortunately Mike Terrill bumped into it before and wrote about it: https://miketerrill.net/2016/07/31/import-task-sequence-failure-cm-1606/

Note: When we tried to open a zip file containing TS archive using internal Windows Zip packer it failed. We used 7zip – it opens/saves the archive successfully.

Azure: Azure AD Application Proxy. Kerberos issue

One of my Customers asked about MFA for his on-prem Outlook. I offered several solutions, one of them – publish OWA site via Azure AD Application Proxy and pre-authenticate with Azure AD and MFA.

To be sure the configuration will work I built a Lab and tried to configure SSO for Internal Windows Authentication (IWA).

This configuration requires I configure Kerberos Constrained Delegation (KCD) in Active Directory and configure Delegation in Properties of a machine where I have my Azure AD Proxy Connector installed.

Everything looked easy on paper byt when I tried it in Active Directory Users and Computer MMC I received nice error: “The server is unwilling to proceed the request”

SNAGHTML76853a10

After unsuccessful googling I opened a case with Microsoft – that was a brand new domain, just couple of servers and I definitely expected everything working out of the box.

After couple of days of troubleshooting the only solution MS suggested was using an Active Directory Administrative Center instead of MMC. Even with that the first attempt failed with “Unknown error”. After the Center was restarted we could finally configure the delegation. No root cause found.

Azure: How to configure MFA when Classic Portal is not available

My company provides CSP Azure subscription for our Customers. To make life more exciting Microsoft remove Classic Portal support from CSP. So we can use new and shiny ARM-based portal only.

When time come to configure Azure AD fun begins. Azure AD node is available in the new portal as ‘preview’ and miss some features from the old portal. Recently I had fun with license assigning, today I needed to assign MFA to accounts. Fun, fun, fun….

Anyway, as in the first case office.portal.com helped. This portal is available for CSP and have some missing features of the classic portal. For example to add MFA to a user:

 

1. start office.portal.com

2. goto Users->Active Users

3. Click ‘More’

image

4. Click “Setup Azure Multi-factor auth’ That will open MFA portal for you

5. Configure MFA for a user or users in bulk