Missing Reporting Services node in Configuration Manager Console installed on a 64-bit computer

Symptom

The entire Reporting Services node was missing on a remote configuration manager console that was installed on a 64-bit computer.

Reason

The installation of the configuration manager console was spread between the C:\Program Files (x86) and C:\Program Files folders.

Fix

Specify an installation location such as C:\ConfigMgr when installing the configuration manager console.

Posted in Uncategorized | Leave a comment

Strategy for applying post SP2 ConfigMgr client hotfixes

Recently I performed perhaps the last SCCM2007 installation that I’ll ever do and ended up applying approximately thirty post-SP2 hotfixes. Where possible, I elected for the installer to create a package for me for any client side hotfix components. I ended up with the following list of client-side hotfixes:

  • sccm2007ac-sp2-kb977384-x86-enu.msp
  • sccm2007ac-sp2-kb2509007-x86-enu.msp
  • sccm2007ac-sp2-kb977176-x86.msp
  • sccm2007ac-sp2-kb978754-x86.msp
  • sccm2007ac-sp2-kb2309968-x86-enu.msp
  • sccm2007ac-sp2-kb2516517-x86-enu.msp
  • sccm2007ac-sp2-kb2261172-x86.msp
  • sccm2007ac-sp2-kb2528650-x86-enu.msp
  • sccm2007ac-sp2-kb2276865-x86.msp
  • sccm2007ac-sp2-kb2278119-x86-enu.msp
  • sccm2007ac-sp2-kb979199-x86.msp
  • sccm2007ac-sp2-kb2659258-x86-enu.msp

When the above hotfixes were included in the PATCHES= option, the SCCM 2007 Client installer returned with a 1603 error. An examination of the log files revealed the following:

  • KB977384 obsoleted by KB2516517
  • KB977176 obsoleted by KB2276865
  • KB2261172 obsoleted by KB2528650
  • KB2528650 obsoleted by KB2659258
  • KB979199 obsoleted by KB2659258

My initial strategy was to rearrange the hotfixes by taking this information into account. Unfortunately this strategy did not lead to any type of success. I decided to rethink my strategy and looked for a way of obtaining more information from the hotfix installation logs. My new strategy was to install the hotfixes manually one by one in the order that I had originally chosen.

The command to install a particular hotfix was based on the following example syntax:

msiexec.exe /p sccm2007ac-sp2-kb977384-x86-enu.msp /L*v %TEMP%\sccm2007ac-sp2-kb977384-x86-enu.msp.LOG /q REINSTALL=ALL REINSTALLMODE=mous

During testing I received an “Attempting to install downlevel patch for feature UpdatesAgent” failure message for the following hotfixes:

  • sccm2007ac-sp2-kb2309968-x86-enu.msp
  • sccm2007ac-sp2-kb2278119-x86-enu.msp
  • sccm2007ac-sp2-kb979199-x86.msp

What I did next was to simply place these three hotfixes at the start of my patching list. This led to a successful installation.

My final patching order was as follows:

  • sccm2007ac-sp2-kb2309968-x86-enu.msp
  • sccm2007ac-sp2-kb2278119-x86-enu.msp
  • sccm2007ac-sp2-kb979199-x86.msp
  • sccm2007ac-sp2-kb977384-x86-enu.msp
  • sccm2007ac-sp2-kb2509007-x86-enu.msp
  • sccm2007ac-sp2-kb977176-x86.msp
  • sccm2007ac-sp2-kb978754-x86.msp
  • sccm2007ac-sp2-kb2516517-x86-enu.msp
  • sccm2007ac-sp2-kb2261172-x86.msp
  • sccm2007ac-sp2-kb2528650-x86-enu.msp
  • sccm2007ac-sp2-kb2276865-x86.msp
  • sccm2007ac-sp2-kb2659258-x86-enu.msp

Note: There is a documented dependency that sccm2007ac-sp2-kb977384-x86-enu.msp MUST be installed before sccm2007ac-sp2-kb2509007-x86-enu.msp.
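As an added example (not code from the original post), the one-at-a-time installation described above can be scripted in PowerShell: each .msp is applied with the same msiexec switches as the manual command, its verbose log goes to %TEMP%, the run stops at the first failure, and the two log messages the post found (“obsoleted by” and “downlevel patch”) are pulled out of the failing log so the order can be adjusted. The folder C:\Hotfixes is an assumption; the order is the post's final order.

```powershell
# Added example, not part of the original post. Installs SCCM 2007 client hotfixes
# sequentially in a fixed order, logging each one and stopping at the first failure.

$PatchDir = 'C:\Hotfixes'    # assumed folder holding the .msp files
$Order = @(
    'sccm2007ac-sp2-kb2309968-x86-enu.msp',
    'sccm2007ac-sp2-kb2278119-x86-enu.msp',
    'sccm2007ac-sp2-kb979199-x86.msp',
    'sccm2007ac-sp2-kb977384-x86-enu.msp',
    'sccm2007ac-sp2-kb2509007-x86-enu.msp',
    'sccm2007ac-sp2-kb977176-x86.msp',
    'sccm2007ac-sp2-kb978754-x86.msp',
    'sccm2007ac-sp2-kb2516517-x86-enu.msp',
    'sccm2007ac-sp2-kb2261172-x86.msp',
    'sccm2007ac-sp2-kb2528650-x86-enu.msp',
    'sccm2007ac-sp2-kb2276865-x86.msp',
    'sccm2007ac-sp2-kb2659258-x86-enu.msp'
)

function Install-ClientHotfix {
    param([string]$MspPath)

    $log = Join-Path $env:TEMP ((Split-Path $MspPath -Leaf) + '.LOG')
    # Same switches as the post's manual command: /p applies the patch, /L*v writes a
    # verbose log, /q is silent, REINSTALL=ALL REINSTALLMODE=mous reinstalls the
    # installed features so the patch reaches every installed component.
    $msiArgs = @('/p', "`"$MspPath`"", '/L*v', "`"$log`"", '/q',
                 'REINSTALL=ALL', 'REINSTALLMODE=mous')
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    New-Object PSObject -Property @{
        Patch    = Split-Path $MspPath -Leaf
        ExitCode = $proc.ExitCode
        Log      = $log
    }
}

function Find-PatchLogProblems {
    param([string]$LogPath)
    # Surface the two messages the post found in its logs without reading the
    # whole verbose log by hand (Select-String is case-insensitive by default).
    Select-String -Path $LogPath -Pattern 'obsoleted by', 'downlevel patch' -SimpleMatch |
        ForEach-Object { $_.Line.Trim() }
}

foreach ($name in $Order) {
    $result = Install-ClientHotfix -MspPath (Join-Path $PatchDir $name)
    # 0 = success, 3010 = success but a reboot is required; anything else is a failure.
    if (@(0, 3010) -contains $result.ExitCode) {
        Write-Host ('OK   {0} (exit {1})' -f $result.Patch, $result.ExitCode)
        continue
    }
    Write-Warning ('FAIL {0} (exit {1}); see {2}' -f $result.Patch, $result.ExitCode, $result.Log)
    Find-PatchLogProblems -LogPath $result.Log | ForEach-Object { Write-Warning "  $_" }
    break   # stop here so the order can be reworked, as the post did
}
```

Stopping at the first failure matters more than it looks: a later patch applied on top of a half-failed one produces a second log that blames the wrong KB.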

Posted in Uncategorized | 1 Comment

Network Device Enrollment Service (NDES) Installation Bug

Issue

When you add the Network Device Enrollment Service (NDES) role service [part of Active Directory Certificate Services] to a Windows Server 2008 R2 server, the console may crash after you specify a registration authority.

It seems that Microsoft neglected to include countries such as CY (Cyprus) in the drop-down, and if you manually specify CY then the console will crash and abort installation.

Posted in Uncategorized | Leave a comment

Security Event Log Collection from a Domain Controller

I recently decided to implement this in my lab to see if it was possible. An extra step is required beyond the typical instructions provided by Microsoft.

In this scenario we have a domain controller (DC1) that we want to configure as an event forwarder. We also have a member server computer (SRV1) that we want to configure as an event collector.

Procedure

Configure Event Forwarding on DC1

1. Enable Windows Remote Management

winrm quickconfig

Note: The quickconfig option is fine because a domain controller usually only has one interface. On computers with multiple interfaces I prefer to use different options so the service only listens on needed IP addresses.

2. Add the computer account of the collector to the “Event Log Readers” built-in local security group.

Note: On a domain controller you need to do this from something like “Active Directory Users and Computers”.

3. Add the SID of the Network Service account to the Channel Access permissions of the Security Event Log.

The reason for doing this is that the Windows Remote Management service runs under the Network Service account.

The safe way to perform this step is to first run the following command and determine the current permissions:

wevtutil gl security

By default, the permission is:

O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)

In this case, the command to set the required permission is (we simply append the new permission to what was obtained with the previous command):

wevtutil sl security /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)

Note: S-1-5-20 is the well-known SID for the Network Service account.
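Step 3 is the one that is easy to get wrong, because a typo in the SDDL replaces the whole channel ACL rather than adding to it. As an added example (not code from the original post), the following PowerShell reads the current channelAccess value from wevtutil gl exactly as the post recommends, appends the Network Service ACE only if it is not already there, and can be run in preview mode first. The log name defaults to security; nothing else is assumed.

```powershell
# Added example, not part of the original post. Idempotently grants Network Service
# (S-1-5-20) read access on the Security log's channel, preserving the existing ACL.

$NetworkServiceAce = '(A;;0x1;;;S-1-5-20)'   # 0x1 = read; S-1-5-20 = Network Service

function Get-ChannelAccessSddl {
    param([string]$LogName = 'security')
    # "wevtutil gl" prints one "key: value" per line; channelAccess carries the SDDL.
    $line = (wevtutil gl $LogName) | Where-Object { $_ -like 'channelAccess:*' } |
        Select-Object -First 1
    if (-not $line) { throw "channelAccess not found in 'wevtutil gl $LogName' output" }
    return ($line -replace '^channelAccess:\s*', '').Trim()
}

function Add-NetworkServiceChannelAccess {
    param([string]$LogName = 'security', [switch]$Preview)

    $current = Get-ChannelAccessSddl -LogName $LogName
    if ($current.Contains($NetworkServiceAce)) {
        Write-Host "Network Service already has read access on '$LogName': $current"
        return $current
    }
    # Append rather than replace, so SYSTEM, Administrators and Event Log Readers keep
    # their existing entries.
    $new = $current + $NetworkServiceAce
    if ($Preview) {
        Write-Host "Would run: wevtutil sl $LogName /ca:$new"
        return $new
    }
    wevtutil sl $LogName "/ca:$new"
    if ($LASTEXITCODE -ne 0) { throw "wevtutil sl failed with exit code $LASTEXITCODE" }
    # Read it back so the caller sees what is actually in effect.
    return Get-ChannelAccessSddl -LogName $LogName
}

Add-NetworkServiceChannelAccess -LogName 'security' -Preview   # show the change first
Add-NetworkServiceChannelAccess -LogName 'security'            # apply it
```

Running the preview first and comparing its output with the post's default value is a cheap way to confirm you are extending the ACL on the right log before touching it.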

Configure Event Collection on SRV1

1. Configure the Event Collector service

wecutil qc

2. Create the event subscription

  • Subscription Type: Collector Initiated
  • Source: DC1
  • Events to collect: In the filter set the “Event logs” field to “Security”

Testing

After approximately 15 minutes you should start to see events in the Forwarded Events event log on SRV1. If you don’t see these then try the following:

On DC1, open the Applications and Services Logs -> Microsoft -> Windows -> Eventlog-ForwardingPlugin -> Operational event log and look for Event ID 100. If you are getting Event ID 102 then you may need to restart either or both DC1 and SRV1.
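As an added example (not code from the original post), the collector side can be created from an XML subscription definition with wecutil cs instead of the wizard, and the forwarder-side check described under Testing can be done with Get-WinEvent. The subscription name, the FQDN DC1.corp.example and the description are assumptions; the query collects everything from the Security log, matching the post's filter.

```powershell
# Added example, not part of the original post. Run on SRV1 (the collector) after
# "wecutil qc"; the last function queries the forwarder's plugin log on DC1.

$SubscriptionName = 'DC1-Security'
$SourceFqdn       = 'DC1.corp.example'      # assumed FQDN of the forwarder

# Collector-initiated subscription. CredentialsType "Default" means the collector
# connects as its own machine account, which is why that account was added to
# "Event Log Readers" on DC1 in the forwarder steps.
$SubscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$SubscriptionName</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Security log from DC1 (collector initiated)</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[<QueryList><Query Id="0" Path="Security"><Select Path="Security">*</Select></Query></QueryList>]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>$SourceFqdn</Address>
    </EventSource>
  </EventSources>
</Subscription>
"@

function New-CollectorSubscription {
    param([string]$Xml, [string]$Path = (Join-Path $env:TEMP 'subscription.xml'))
    # wecutil reads the definition from a file.
    Set-Content -Path $Path -Value $Xml -Encoding UTF8
    wecutil cs $Path
    if ($LASTEXITCODE -ne 0) { throw "wecutil cs failed with exit code $LASTEXITCODE" }
    # Runtime status: one entry per source with its last error, if any.
    wecutil gr $SubscriptionName
}

function Get-ForwardingPluginStatus {
    param([string]$Computer = 'DC1', [int]$Newest = 20)
    # The log the post's Testing section points at. The post treats Event ID 100 as
    # the healthy sign and says 102 is when a restart of DC1 and/or SRV1 may be needed.
    Get-WinEvent -ComputerName $Computer -FilterHashtable @{
        LogName = 'Microsoft-Windows-Eventlog-ForwardingPlugin/Operational'
        Id      = 100, 102
    } -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

New-CollectorSubscription -Xml $SubscriptionXml
Get-ForwardingPluginStatus -Computer 'DC1' | Format-Table -AutoSize
```

ReadExistingEvents is left false here deliberately: turning it on against a busy domain controller's Security log pulls its entire backlog across at first connection, which is rarely what a lab or a first rollout wants.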

Posted in Uncategorized | 2 Comments

Lync Server 2010 / Exchange Server 2010 UM Integration – Certificate Issue

Symptom

I recently came across an interesting issue when trying to integrate Lync Server 2010 with Exchange Server 2010 SP1 Unified Messaging.

The symptom was that, whenever we tried to transfer a call from the Auto Attendant to a Lync Server telephone extension, we would get two warning messages logged in the Application log on the Exchange UM server, that were similar to the following:

Event 1079, MSExchange Unified Messaging
The VoIP platform encountered an exception Microsoft.Rtc.Signaling.OperationFailureException: An exception was detected that the platform was not expecting.  This may be because of abnormal shutdown, lack of resources, or failure of application code. —> System.Security.Cryptography.CryptographicException: Invalid provider type specified.
 
Event 1136, MSExchange Unified Messaging
An error occurred while transferring a call to “test1@bongo.com”. Additional information: The call transfer type is “Blind.”, the transfer target is “phone number”, and the caller ID is: “6c53752d10394feeab50e8656010afdd”.

The first warning message was the key to our issue.

Some background information

When we created certificates for the Exchange UM and Lync servers, we did so using a modified Version 3 Web Server template from an Enterprise CA running Windows Server 2008 R2, Enterprise Edition.

Traditionally, Windows applications have used a cryptographic API called CryptoAPI. CryptoAPI makes use of providers called cryptographic service providers (CSPs). CSPs typically implement cryptographic algorithms and provide key storage.

Windows Server 2008 introduced a new cryptographic API called Cryptography Next Generation (CNG). CNG is the long term replacement for the CryptoAPI. Unlike CryptoAPI, CNG separates cryptographic providers (algorithm implementation) from key storage providers (key storage). Key storage providers (KSPs) can be used to create, delete, export, import, open and store keys.

When you create a certificate for Exchange Server 2010 Unified Messaging with SP1, using a modified Version 3 Web Server template, it is quite possible that a KSP is used instead of a CSP.  This is what happened in our case.

For the Unified Messaging server, this is not an issue because CNG support was introduced with Exchange Server 2010 SP1. Unfortunately, several applications, including Lync Server 2010, have issues with certificates created using a KSP.

Verifying the Issue

We ran the following command from an administrative command prompt on both the Lync and Exchange Unified Messaging servers:

certutil -store my

On the Lync server, the following output was produced:

================ Certificate 0 ================
Serial Number: 1b89a124000000000029
Issuer: CN=Bongo Issuing CA, DC=internal, DC=bongo, DC=com  
NotBefore: 08/11/2011 5:54 pm  
NotAfter: 07/11/2013 5:54 pm
Subject: CN=Lync.internal.bongo.com, O=Bongo Ltd, L=Bongoland, C=US
Non-root Certificate
Template: BongoWebServer, Bongo Web Server
Cert Hash(sha1): 53 45 85 75 a3 dd 1f be ac 37 48 17 f5 5e cb 22 f3 e0 4a 1c  
Key Container = 34b04971930a70b4646b20c4c2d3adfe_8b81c452-42c5-4f2a-8549-934c5c7bbda9
Simple container name: le-2edee22b-c80c-471e-b517-99b239557e05
Provider = Microsoft RSA SChannel Cryptographic Provider
Encryption test passed
CertUtil: -store command completed successfully.

On the Exchange Unified Messaging server, the following output was produced:

================ Certificate 0 ================
Serial Number: 12d673a900000000002f
Issuer: CN=Bongo Issuing CA, DC=internal, DC=bongo, DC=com  
NotBefore: 30/11/2011 5:13 pm  
NotAfter: 29/11/2013 5:13 pm
Subject: CN=exum.internal.bongo.com, O=Bongo Ltd, L=Bongoland, C=US
Non-root Certificate
Template: BongoWebServer, Bongo Web Server
Cert Hash(sha1): 58 ac 70 8d a0 ef c6 a1 eb 24 5d 1f 33 cc df d5 88 44 70 cf  
Key Container = a55403ffb55cfb95386e8826a1fa687e_88367876-51f5-48da-ad0f-1e2fbb955a2f
Simple container name: CertReq-BongoWebServer-92f40563-8b2a-49b8-bf5f-6204287b69dd
Provider = Microsoft Software Key Storage Provider
Encryption test passed
CertUtil: -store command completed successfully.

Solution

Reissue the certificate on the Exchange Unified Messaging server, but explicitly specify:

Provider = Microsoft RSA SChannel Cryptographic Provider
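As an added example (not code from the original post), the two halves of this post, spotting a KSP-backed certificate in the store and reissuing with the legacy CSP, can be scripted. The first function parses the certutil -store my layout shown above and flags any certificate whose provider is a CNG key storage provider; the second writes a certreq INF that pins the Microsoft RSA SChannel Cryptographic Provider so the new key is created through CryptoAPI. The subject, template name, output paths and the CA config string are assumptions taken from the post's sample output.

```powershell
# Added example, not part of the original post. Audits the machine personal store for
# CNG (KSP) private keys and builds a certreq INF for reissuing on the legacy CSP.

function Get-MyStoreProviders {
    param([string[]]$CertutilOutput = (certutil -store my))
    # certutil prints one block per certificate, separated by "==== Certificate N ====".
    $blocks = ($CertutilOutput -join "`n") -split '={3,}\s*Certificate \d+\s*={3,}' |
        Where-Object { $_ -match 'Subject:' }
    foreach ($b in $blocks) {
        $subject  = if ($b -match 'Subject:\s*(.+)')    { $Matches[1].Trim() } else { '' }
        $template = if ($b -match 'Template:\s*(.+)')   { $Matches[1].Trim() } else { '' }
        $provider = if ($b -match 'Provider\s*=\s*(.+)') { $Matches[1].Trim() } else { '(no private key)' }
        New-Object PSObject -Property @{
            Subject  = $subject
            Template = $template
            Provider = $provider
            # CNG key storage providers carry "Key Storage Provider" in their name;
            # legacy CryptoAPI CSPs carry "Cryptographic Provider".
            IsCngKsp = ($provider -like '*Key Storage Provider*')
        }
    }
}

function New-CspRequestInf {
    param(
        [string]$Subject  = 'CN=exum.internal.bongo.com, O=Bongo Ltd, L=Bongoland, C=US',
        [string]$Template = 'BongoWebServer',
        [string]$Path     = (Join-Path $env:TEMP 'exum-csp.inf')
    )
    # ProviderName/ProviderType pin the legacy RSA SChannel CSP (PROV_RSA_SCHANNEL = 12)
    # so the key lands in a CSP container, not a CNG KSP. KeySpec = 1 (AT_KEYEXCHANGE)
    # is what TLS server certificates need.
    $inf = @"
[NewRequest]
Subject = "$Subject"
KeyLength = 2048
MachineKeySet = TRUE
KeySpec = 1
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = $Template
"@
    Set-Content -Path $Path -Value $inf -Encoding ASCII
    return $Path
}

# 1. Audit: anything with IsCngKsp = True is a candidate for the Lync failure above.
Get-MyStoreProviders | Format-Table Subject, Template, Provider, IsCngKsp -AutoSize

# 2. Reissue on the Exchange UM server (CA config string is a placeholder):
#    certreq -new    (New-CspRequestInf) exum.req
#    certreq -submit -config "<CAHost>\Bongo Issuing CA" exum.req exum.cer
#    certreq -accept exum.cer
```

After certreq -accept, running Get-MyStoreProviders again should show the new certificate with Provider = Microsoft RSA SChannel Cryptographic Provider and IsCngKsp = False; if it still reports a KSP, the template's provider setting has overridden the INF and needs to be changed on the CA side.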

Posted in Uncategorized | Leave a comment

SCOM Monitoring Using a Scripted Database Query

I recently had a request to write some code that would enable System Center Operations Manager 2007 R2 (SCOM) to perform a database query against a SQL database and then evaluate the result to determine if various systems were healthy. The first few queries were against a Microsoft SQL Server 2005 database. The remaining couple of queries were against an IBM DB2 database.

Usually, this type of request will involve writing a VB script.

After performing a search on the Internet for similar solutions (always a good idea to see if somebody else has solved the same type of problem), I came up with a couple of useful sites.

When looking at the sample code provided by these links, I noticed that the provider in all samples was “Microsoft OLE DB Provider for SQL Server (SQLOLEDB)”. This would have worked for me, but taking things one step further, I also found out that this provider has been deprecated.

Instead, I chose to use the “SQL Server Native Client OLEDB Provider (SQLNCLI10)”. Using this provider is very similar to using SQLOLEDB.

I could also have chosen to use the “Microsoft OLE DB Provider for ODBC Drivers (MSDASQL)”. During testing, the only thing I didn’t *like* about this provider is that it connects to ODBC, instead of a database. Compared to SQLOLEDB/SQLNCLI10, this means that we need to define a DSN instead of just using a connection string.

How do I enumerate the OLEDB providers on my server?

If you have Microsoft SQL Server installed then this can be done by executing the following stored procedure against the MASTER database:

EXEC master.sys.xp_enum_oledb_providers

The output is similar to the following:

List of OLEDB providers via a stored procedure call

Connection String

Provider=IBMDADB2;Database=MyApplication;Hostname=192.168.0.1;Port=50000;Uid=<username>;Pwd=<password>

Passing Credentials to the Monitor

We have a class called “MyCompany.MyApplication.Watcher” that represents the set of computers from which we will run a script to monitor the MyApplication application.

We have a “Timed Script Two State Monitor” called “MyCompany.MyApplication.Status.Monitor” that is targeted at the “MyCompany.MyApplication.Watcher” class. This monitor contains the script that performs a database lookup against an IBM DB2 database to determine the health of the MyApplication application.

SCOM provides a secure method of passing a credential to a script using a Run-As Profile. For the purpose of connecting to a DB2 database this is not the same as running the script under different credentials. Hence care should be taken not to change the “Run as profile” setting within the monitor. Instead, we will pass the credentials to the script using script parameters.
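As an added example (not the post's own script, which it says would normally be VBScript hosted in the Timed Script Two State Monitor), the following PowerShell shows the shape of such a check: the credentials arrive as script parameters, the connection string is built for the SQL Server Native Client provider the post chose (the DB2 string above uses Hostname/Port/Uid/Pwd keywords instead), the query is run through ADO, and the result is reduced to a health state. The server name sql01, the database, the query and the health rule are assumptions.

```powershell
# Added example, not part of the original post. A parameterised OLE DB health query
# with the user name and password passed in rather than embedded in the script.
param(
    [string]$Provider = 'SQLNCLI10',
    [string]$Server   = 'sql01',            # assumed
    [string]$Database = 'MyApplication',
    [string]$User,                          # supplied as monitor script parameters
    [string]$Password
)

function Get-ConnectionString {
    param([string]$Provider, [string]$Server, [string]$Database, [string]$User, [string]$Password)
    # SQLNCLI10 accepts the same keywords as the deprecated SQLOLEDB provider.
    "Provider=$Provider;Data Source=$Server;Initial Catalog=$Database;User ID=$User;Password=$Password;"
}

function Invoke-ScalarQuery {
    param([string]$ConnectionString, [string]$Sql)
    $conn = New-Object -ComObject ADODB.Connection
    try {
        $conn.Open($ConnectionString)
        $rs = $conn.Execute($Sql)
        if ($rs.EOF) { return $null }
        return $rs.Fields.Item(0).Value
    } finally {
        if ($conn.State -ne 0) { $conn.Close() }   # 0 = adStateClosed
    }
}

# Assumed health rule: any job that failed in the last hour makes the application unhealthy.
$Sql = "SELECT COUNT(*) FROM dbo.Jobs WHERE Status = 'Failed' AND Finished > DATEADD(hour, -1, GETDATE())"

$cs = Get-ConnectionString -Provider $Provider -Server $Server -Database $Database `
                           -User $User -Password $Password
try {
    $failed = Invoke-ScalarQuery -ConnectionString $cs -Sql $Sql
    $state = if ($failed -eq $null) { 'Unknown' } elseif ([int]$failed -gt 0) { 'Unhealthy' } else { 'Healthy' }
} catch {
    # Report the error text only; never echo $cs, since it contains the password.
    $failed = $null
    $state = "Unknown: $($_.Exception.Message)"
}

# In the SCOM monitor this pair would go into a MOM.ScriptAPI property bag; here it is
# simply returned so the logic can be tested outside SCOM.
New-Object PSObject -Property @{ State = $state; FailedJobs = $failed }
```

Keeping the password out of every log and error path is the point of passing it as a parameter: a monitor that writes its connection string to the Operations Manager event log on failure leaks the database credential to anyone who can read that log.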

(to be continued)

List of external links

(Note: this is a quick publish article and is not yet complete)

Posted in SCOM, SQL | Leave a comment

IIS 7.5 and .NET Framework 4 – Installation order does matter

1. The Issue

The MSDN documentation (ASP.NET IIS Registration Tool) states the following about installing .NET Framework 4 together with IIS 7.5:

The .NET Framework 4 can be installed side-by-side with previous versions of the .NET Framework on a single computer. If IIS was previously enabled on the computer, the setup process for the .NET Framework automatically registers ASP.NET 4 with IIS. However, if you install the .NET Framework 4 before you enable IIS, you must run the ASP.NET IIS Registration tool in order to register the .NET Framework with IIS and create application pools that use the .NET Framework 4.

What this means is that if you install .NET Framework 4 after installing IIS then everything gets registered properly. However, if you install .NET Framework 4 before installing IIS then you need to perform an extra step as outlined below.

2. The Solution

Run the following command from an administrative command prompt:

aspnet_regiis.exe -iru -enable

where:

-iru       Install this version of ASP.NET. If there are any existing applications that use ASP.NET, it will not change IIS configuration to use this version.

-enable    ASP.NET will be enabled in the IIS security console (IIS 6.0 or later).

3. Some Notes

  • You must ensure that the aspnet_regiis.exe file that is included in the .NET Framework 4 installation directory is used. The location of this file is as follows:

    Version of .NET Framework                  Location of Aspnet_regiis.exe file
    .NET Framework version 4 (32-bit systems)  %windir%\Microsoft.NET\Framework\v4.0.30319
    .NET Framework version 4 (64-bit systems)  %windir%\Microsoft.NET\Framework64\v4.0.30319

  • The 64-bit version should be used for Windows Server 2008 R2.
  • From the readme file:

ASP.NET 4 must be re-registered if IIS 7.5 or the IIS 7.5 .NET Extensibility feature is enabled *after* the .NET Framework 4 has already been installed on the computer. ASP.NET 4 must also be re-registered if the .NET Extensibility feature is removed when the .NET Framework 4 is installed on the computer.
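As an added example (not code from the original article), the steps above can be combined into one script that picks the aspnet_regiis.exe from the Framework or Framework64 directory according to the operating system architecture (not the bitness of the PowerShell process, which is a common mistake), runs it with -iru -enable, and then lists the application pools with appcmd to confirm a v4.0 pool exists. Nothing beyond the paths and switches on this page is assumed.

```powershell
# Added example, not part of the original article. Registers ASP.NET 4 with IIS 7.5
# using the architecture-appropriate aspnet_regiis.exe and verifies the result.

# PROCESSOR_ARCHITEW6432 is set when a 32-bit process runs on a 64-bit OS, so this
# test reflects the OS rather than the PowerShell host.
$Is64BitOs = ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') -or ($env:PROCESSOR_ARCHITEW6432 -eq 'AMD64')
$Fx4Root = if ($Is64BitOs) {
    Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319'   # e.g. Windows Server 2008 R2
} else {
    Join-Path $env:windir 'Microsoft.NET\Framework\v4.0.30319'
}

function Register-AspNet4 {
    $exe = Join-Path $Fx4Root 'aspnet_regiis.exe'
    if (-not (Test-Path $exe)) { throw ".NET Framework 4 does not appear to be installed: $exe not found" }
    # -iru installs this version without switching existing applications to it;
    # -enable turns ASP.NET on in the IIS security console.
    & $exe -iru -enable
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis.exe returned exit code $LASTEXITCODE" }
}

function Get-AppPoolRuntimes {
    # appcmd (IIS 7.x) prints one line per pool, e.g.
    #   APPPOOL "ASP.NET v4.0" (MgdVersion:v4.0,MgdMode:Integrated,state:Started)
    $appcmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
    & $appcmd list apppool | ForEach-Object {
        if ($_ -match 'APPPOOL "([^"]+)" \(MgdVersion:([^,]+),') {
            New-Object PSObject -Property @{ Name = $Matches[1]; Runtime = $Matches[2] }
        }
    }
}

Register-AspNet4
$pools = Get-AppPoolRuntimes
$pools | Format-Table Name, Runtime -AutoSize
if (-not ($pools | Where-Object { $_.Runtime -eq 'v4.0' })) {
    Write-Warning 'No v4.0 application pool found; ASP.NET 4 does not appear to be registered with IIS.'
}
```

The appcmd listing gives the same information as the application pool screenshots in the Verification section: a pool with MgdVersion v2.0 is .NET Framework 3.5 SP1 registered as 2.0, and the v4.0 pools only appear once registration has succeeded.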

4. Verification

The following diagram shows the default application pools within IIS 7.5 on Windows Server 2008 R2. In this case, .NET Framework 3.5 SP1 has been installed (supplied with the operating system). Note that this is registered as .NET Framework 2.0.

The next diagram shows the default application pools within IIS 7.5 on Windows Server 2008 R2 after .NET Framework 4 has been installed.

(Note: 20110926 – I decided to extend this article and include screenshots for when IIS 7.5 is installed on top of a Windows 2008 R2 Server that already has .NET Framework 4)

Posted in .NET Framework 4 | 3 Comments