IT Consultant Everyday Notes

Just some problems/solutions storage

Tag Archives: Upgrade

SCCM: Server OS Upgrade on site server

Today I decided to test an OS upgrade on my SCCM 1810 site server. I never recommend it to my customers, preferring side-by-side as a cleaner solution, but since Microsoft listed it as a viable option I decided to see what the experience would be.

Original state: Windows Server 2012 R2 + SQL 2014 + SCCM 1810 with rollup and two updates

Target: Windows Server 2019 + SQL 2017 CU13 + SCCM 1810 with rollup and two updates

1. I started with SQL Upgrade

– SQL 2017 does not have reporting services; it should be installed separately. So, I guess ideally it makes sense to back up the database and recovery key for SSRS. But since I did not have any custom reports I decided to just re-install SSRS. Note: SQL 2017 will uninstall SSRS, but leave its databases.

– SQL 2017 does not have SQL Management Studio; it should be installed separately. So I guess it makes sense to uninstall SSMS before the upgrade. I did not do it, just installed the latest standalone SSMS on top, but I think it would be cleaner to uninstall the old one first.

– When I installed fresh SSMS the first time it failed miserably. I rebooted the machine and ran the installer again, and that time it finished successfully.

– Since I did not delete the SSRS databases and did not bother to back up the recovery key, I needed to create a new Reporting database with a different name.

2. OS Upgrade.

– Check if there is any pending reboot

– Even though I did not have any, my first upgrade failed. I rebooted the server and started again, and this time the OS upgraded successfully.

3. SCCM on new OS

– When I tried to start the SCCM Console the connection to SCCM failed. I suspected some permission malfunction, so I reset the site using the cd.latest folder. That did not help.

– I found a forum post by Gordon Fecyk https://social.technet.microsoft.com/Forums/en-US/e1302081-fae4-4685-87ac-518636a14a24/permission-problems-after-os-upgrade-on-sccm-site-server?forum=ConfigMgrCBGeneral and checked WMI rights on my upgraded server – SMS\Site_Code was ok, but \SMS itself missed some permissions for the SMS Admins group. I set the permissions as per the post and the Console connected to SCCM successfully.


– Software Update Point is down (in Server Console WSUS requires additional configuration). I fixed it using:

"%PROGRAMFILES%\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=f:\WSUS SQL_INSTANCE_NAME="localhost"

– Reporting Point is down too – fixed by resetting reporting service access account (in properties of Reporting Service Point in SCCM Console).

Will see how SCCM will work now :)

Still prefer side-by-side…
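The WMI check described above (root\SMS versus root\SMS\site_<code> for the SMS Admins group) can be scripted. The following PowerShell is an added example, not part of the original post or the linked forum thread; the site code XXX is a placeholder, and flagging any difference between the two namespaces is an assumption about what "missing permissions" looks like.

```powershell
# Added example (not from the original post). Run elevated on the site server.
# 'XXX' is a placeholder site code; 'SMS Admins' is the local group named in the post.
param([string]$SiteCode = 'XXX', [string]$Group = 'SMS Admins')

# WMI namespace access-mask bits, as listed in the WMI Control security dialog.
$Rights = @{
    0x1     = 'EnableAccount'
    0x2     = 'ExecuteMethods'
    0x4     = 'FullWrite'
    0x8     = 'PartialWrite'
    0x10    = 'ProviderWrite'
    0x20    = 'RemoteEnable'
    0x20000 = 'ReadSecurity'
    0x40000 = 'EditSecurity'
}

function Get-NamespaceAce {
    param([string]$Namespace, [string]$Trustee)
    # __SystemSecurity is a singleton class present in every WMI namespace.
    $sd = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
    if ($sd.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed on $Namespace ($($sd.ReturnValue))" }
    foreach ($ace in $sd.Descriptor.DACL) {
        if ($ace.Trustee.Name -ne $Trustee) { continue }
        $mask = [int64]$ace.AccessMask
        [pscustomobject]@{
            Namespace = $Namespace
            Type      = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
            Inherited = [bool]($ace.AceFlags -band 0x10)   # INHERITED_ACE
            Rights    = ($Rights.Keys | Sort-Object | Where-Object { $mask -band $_ } |
                         ForEach-Object { $Rights[$_] }) -join ', '
        }
    }
}

$top  = @(Get-NamespaceAce -Namespace 'root\SMS' -Trustee $Group)
$site = @(Get-NamespaceAce -Namespace "root\SMS\site_$SiteCode" -Trustee $Group)
$top + $site | Format-Table -AutoSize

if ($top.Count -eq 0) {
    Write-Warning "No ACE for '$Group' on root\SMS"
} elseif (($top.Rights -join ';') -ne ($site.Rights -join ';')) {
    Write-Warning "Rights for '$Group' differ between root\SMS and the site namespace"
}
```

The script only reads the security descriptors; the rights to restore are the ones given in the forum post.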

SCCM: In-console Update stuck in “Checking prerequisites”

I am installing quite a lot of SCCM environments these days and several times bumped into an issue where the in-console update from one version of SCCM to the next got stuck on some step.

For “Downloading” Microsoft recommends restarting SMS_Executive, but for “Checking prerequisites” it was more difficult – the community recommended playing with the SQL databases or starting the update from cd.latest.

None of those methods is supported by Microsoft though. (See more here: http://gerryhampsoncm.blogspot.ca/2016/04/configuration-manager-cb-upgrades-what.html)

With SCCM build 1706 Microsoft finally introduced the CMUpdateReset tool, which allows you to rectify a failed state of an in-console upgrade by deleting the failing package. Here is a link to the KB describing the process: https://docs.microsoft.com/en-us/sccm/core/servers/manage/update-reset-tool

SCCM: Installation on hardened server

One of my customers asked me to migrate an existing SCCM 2012 R2 to SCCM CB. They preferred side-by-side migration.

Everything looked good until I figured out that the server they gave me for the new SCCM was hardened. I guess the security team did it for good reasons, but as a result I had some fun with a trivial SCCM installation.

1. They used a third-party tool to remove TLS 1.0-1.1 and old SSL, leaving only TLS 1.2 available. 3DES was killed too.

As a result, when I ran prereqchk.exe /Local before SCCM installation I received errors about SQL indexing, collation page (which I knew I set correctly), sysadmin membership etc… SQL looked good, but in the prereqchk log I saw: “Failed to connect to the SQL Server, connection type: SMS Master”

and in the event log I observed: A fatal error occurred while creating a TLS client credential. The internal error state is 10013.

I removed fresh machine keys from Programdata\microsoft\crypto\RSA – did not help.

I set “Use FIPS compliant algorithms for encryption”; after that the error in the event log changed, saying the TLS 1.0 protocol is being used (never knew it is FIPS compliant), but it is not configured.

So, at this point I ran IISCrypto and learnt the protocols are disabled.

As soon as I enabled the old obsolete TLS 1.0, prereqchk.exe passed smoothly and I started SCCM installation.

Microsoft says only SSL 3.0 should be disabled and clearly requires both TLS 1.1 and 1.2 enabled. But in my case I still needed TLS 1.0 enabled too. So it looks like a work in progress to me.

There is another article from Microsoft. It talks about TLS 1.2 configuration for SCCM CB 1610+. But it looks like it is about post-installation TLS 1.2 support, and I had an issue during installation. In addition, I tried my best to understand what I should configure on Windows Server 2016 with .Net 4.7 and SQL 2016 SP1, and as far as I understood I should do nothing, it is supposed to just work :). I would prefer Microsoft present the information in some kind of matrix for different .Net versions, OS versions and SQL…

2. Everything was fine until the installer tried to set up a Management Point.

This time an error in ConfigMgrsetup.log said:

Unable to find an existing certificate in the store.  Creating a new self-signed certificate…    Configuration Manager Setup    11/20/2017 11:48:55 AM    3228 (0x0C9C)
Failed to release a handle to a cryptographic key (0x80070057)    Configuration Manager Setup    11/20/2017 11:48:55 AM    3228 (0x0C9C)
Failed to release a handle to a CSP or key container (0x80070057)    Configuration Manager Setup    11/20/2017 11:48:55 AM    3228 (0x0C9C)
Failed to create the certificate (0x8009000f)    Configuration Manager Setup    11/20/2017 11:48:55 AM    3228 (0x0C9C)
ERROR: Failed to find or create SQL Server certificate.    Configuration Manager Setup    11/20/2017 11:48:55 AM    3228 (0x0C9C)

This time I spent more time troubleshooting and finally opened a case with Microsoft. The tech found that local Administrators had been kicked out of the permissions for Programdata\microsoft\crypto\RSA and Setup could not create a private key there. We granted Full Control to the local Administrators group, re-installed the MP and this time it was set up.

3. Set up, but not properly running – both standard tests (https://technet.microsoft.com/en-us/library/bb932118.aspx?f=255&MSPPError=-2147217396) from a web browser gave me Internal Server Error (HTTP Error 500.19)

Fortunately I found Heinrich’s article (http://heinrichandsccm.blogspot.ca/2013/05/http-error-50019-internal-server-error.html). I re-installed WSUS and the MP started to work. After that I ran wsusutil for postinstall configuration and it finished successfully.

And after all changes above I succeeded in installing SCM 4.0 before it failed with a generic 1603 error.
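Both hardening changes that broke Setup in this post (disabled SCHANNEL protocols and the stripped ACL on Programdata\microsoft\crypto\RSA) can be read out before running prereqchk.exe. The following PowerShell is an added example, not part of the original post or of Microsoft's guidance; it only reads state, and checking the MachineKeys subfolder in addition to the RSA folder is an assumption.

```powershell
# Added example (not from the original post). Read-only; run elevated before prereqchk.exe.
# 1) SCHANNEL protocol state: the registry values that tools such as IIS Crypto edit.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Format-Flag($value) {
    # A missing value means the operating-system default applies.
    if ($null -eq $value) { 'not set (OS default)' } elseif ($value -ne 0) { 'yes' } else { 'no' }
}

$schannel = foreach ($proto in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($role in 'Client', 'Server') {
        $v = Get-ItemProperty -Path "$base\$proto\$role" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol          = $proto
            Role              = $role
            Enabled           = Format-Flag $v.Enabled
            DisabledByDefault = Format-Flag $v.DisabledByDefault
        }
    }
}
$schannel | Format-Table -AutoSize

# 2) Does BUILTIN\Administrators (S-1-5-32-544) hold Full Control on the RSA key store?
$full = [int][Security.AccessControl.FileSystemRights]::FullControl
$rsa  = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA'

$aclReport = foreach ($dir in $rsa, (Join-Path $rsa 'MachineKeys')) {
    $rules = (Get-Acl -Path $dir).GetAccessRules($true, $true, [Security.Principal.SecurityIdentifier])
    $adminAllow = $rules | Where-Object {
        $_.IdentityReference.Value -eq 'S-1-5-32-544' -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $full) -eq $full)
    }
    [pscustomobject]@{ Path = $dir; AdminsFullControl = [bool]$adminAllow }
}
$aclReport | Format-Table -AutoSize

if ($aclReport | Where-Object { -not $_.AdminsFullControl }) {
    Write-Warning 'Local Administrators lack Full Control on the RSA key store; Setup may fail to create its certificate.'
}
```

Capturing this output before and after the security team's tooling runs gives a concrete list of what changed, which is easier to discuss than a prereqchk error about SQL collation.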

SCCM: What NOT to do when upgrading SCCM CB

Gerry published a piece of wisdom from Prod Team:

 

  1. Do NOT manually clean up EasySetupPayload folder for CM update that is being downloaded/processed.
  2. Do NOT manually clean up CMU without confirming the correct state and content library for the Easy Setup package.
  3. Do NOT restore the CM database/CM site server if there is an error with CM update (fix the issue and “retry installation”).
  4. Do NOT reinstall the Service Connection Point if an update is in progress.
  5. Do NOT use 1602 cd.latest to install a standalone primary site (Note: you can use this method to install a child primary to a 1602 CAS).
  6. Do NOT use 1602 cd.latest to upgrade a 1511 site or R2 SP1 (or earlier) site.
  7. Do NOT manually clean up any CM_Update* tables.
  8. Do NOT restart CMU service during installation.
  9. Do NOT keep the CMUStaging\<Guid> folder open during installation.
  10. Do NOT copy files in CMUStaging.
  11. Do NOT restart SMSEXEC during payload download (dmpdownloader.log shows if the package content is downloading). The Notification can get lost in that scenario.

SCCM: SCCM 1511 does not download 1512, 1601 TP

I decided to test the auto update technology introduced with SCCM CB (currently 1511). So, I enabled the Service Connector, set it to online and restarted SMS_DMP_Downloader. I checked the dmpdownloader log and figured out that updates cannot be found even though two builds, 1512 and 1601, are available at this time…

After some head scratching I decided to install SCCM TP4 instead of RTM version of 1511 (the idea behind was – 1512 and 1601 are Technical Previews, so maybe it cannot be downloaded by RTM version?)

And it looks like it is right – in dmpdownloader.log I found an interesting line:


and after that SCCM TP4 downloaded the latest SCCM update (in my case 1601).

So I guess you should have a Preview version to download/install/test Preview Builds :)

SCCM 2012 R2: OSD fails after upgrade

 

I upgraded SCCM 2012 SP1 CU2 to SCCM 2012 R2 CU2 and after that my OSD TS started to fail with:

401 – Unsuccessful with context credentials. Retrying with supplied credentials.   …
Network access account credentials not supplied.

401 – Unsuccessful on all retries.

 

I tried to delete/re-create the Network access account – no go.

Added a new account to the NAA list (SCCM 2012 R2 supports multiple NAA) – no go.

Made minor changes to my boot image to force a boot image rebuild – after redistribution to the DP the TS started successfully.

 

NOTE: if you use CD/USB media you need to recreate it!