Stefan Hazenbroek

ConfigMgr: SMS SRS web service is not running on SRS Reporting point server when using SQL 2008 R2

2011-07-04T08:18:00.001+02:00

Hi,

Since about a year SQL 2008 R2 is a supported platform for System Center Configuration Manager. However, when you use the Reporting Services Server as apposed to the ConfigMgr Reporting you get an error every hour, stating your Reporting Services Point cannot be reached. When you connect to the point, it works without a problem though.

The exact message from the ConfigMgr console is:

SMS SRS web service is not running on SRS Reporting point server

The error has error message 7403.

Some time ago the SQL Server product team released a new Cumulative Update (CU) for SQL Server 2008 R2, which fixes the issue.

If you are encountering above mentioned issue, please download CU4 from http://support.microsoft.com/kb/2345451 and install it on the SQL server used for hosting the Site Database and Reporting Services.

Hope this helps.

Regards,

Stefan Hazenbroek

ConfigMgr: Deploy Internet Explorer 9 as part of a Task Sequence

2011-06-25T17:30:00.000+02:00

Hi,

When installing Internet Explorer 9 during OS Deployment the installation gives a weird issue after the machine is fully deployed. When a non-administrative user logs in to the machine, the Internet Explorer shortcutshows up as a "blank" icon and the target points to a non-existent path like T:\. When an Administrative user logs on to the computer before a non-administrative user does, everything will be okay.

This error seems to be caused by an issue in the Active Setup part of Internet Explorer 9. Please see this post by Steven Bone explaining what Active Setup is and means.

Workaround
As long as there is no bugfix available for this issue, you can deploy Internet Explorer 9 correctly via a task sequence following these steps.

- Install Internet Explorer 9 in the task sequence by using the .msu file.
- After a reboot, create the following two task sequence actions:
Task Sequence Step 1:

reg.exe DELETE "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /v "NoIE4StubProcessing" /f

The task sequence step (Run Command Line) should look like this:

Task Sequence Step 2:

reg.exe DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "NoIE4StubProcessing" /f

The task sequence step (Run Command Line) should look like this:

In my case I have to tick the box "Disable 64-bit file system redirection" because I am deploying Windows 7 x64 workstations.

I hope this helps in deploying Internet Explorer 9 successfully.

Regards,

Stefan Hazenbroek

ConfigMgr: OSD Domain Join fails when Computers CN/OU is chosen

2011-05-30T12:27:00.000+02:00

Hi all,

When I build up an environment, I always try to keep everything tidy and as close to reallife as possible. This made me find out the fact that ConfigMgr's OSD domain join will fail when you choose for the Computers CN as a container instead of a "real" OU.

So, when you have a task sequence to install Windows (whatever version) within SMS 2003, SCCM 2007 or even SCCM 2012, if the domain join fails without an error in the Advertisement status, this is most likely the problem.

Open up the Apply Network Settings step in the Task Sequence and change the OU to a real OU, or to blank when the computers should be put in the Computers CN.

I hope this helps.

Regards,

Stefan Hazenbroek

BitLocker: Microsoft BitLocker Administration and Monitoring beta available for download

2011-03-24T19:59:00.000+01:00

Microsoft has just released the Microsoft BitLocker Administration and Monitoring (MBAM) beta to the public. This beta can be downloaded by subscribing to the Connect site of Malta.

For more information about MBAM, check out the following link: http://windowsteamblog.com/windows/b/springboard/archive/2011/02/09/microsoft-announces-microsoft-bitlocker-administration-and-monitoring-mbam.aspx

In the following posts I'll cover the installation and configuration of MBAM.

Regards,

Stefan Hazenbroek

W7/2K8 R2 SP1: Remove unneeded Service Pack files

2011-02-25T12:45:00.001+01:00

As you might know SP1 for Windows 7 and Windows Server 2008 R2 has been released recently. This SP contains all prior updates released through Windows update and some important updates aside from that.

In this short blogpost I will explain how you can remove the installation files of the SP so you can keep your installation tidy. This is particularly handy when you want to create an image of the installation so you can have your pc's deployed with SP1 included from now on.

Now, off we go.

1. First, open My Computer.
2. Right click on your C-Drive (or the drive on which Windows is installed on, for the sake of argument I'll assume this is C).
3. Choose Properties.

4. Clik Disk Cleanup.

5. Click Clean up System Files.

6. Tick Service Pack Backup Files so the checkbox is selected. As you can see this will cleanup about 540M on my pc.

I hope this helps.

Regards,

Stefan Hazenbroek

ConfigMgr: Drivers not applicable.

2011-01-13T14:25:00.000+01:00

Consider the following scenario. You're running SCCM 2007 SP2 with R2 (or R3 for that matter) on Windows Server 2008 and want to deploy Windows 7 cliënts. When you try to import the drivers for your Windows 7 workstations into SCCM you might run into the issue when some drivers give the error:

The selected driver is not applicable to any supported platforms

You'll only get this error when you're trying to import drivers that are Windows 7 exclusive. This issue is due to the fact that SCCM uses the internal methods of handling inf files and Windows Server 2008 does not 'know' of Windows 7 yet. Install the following hotfix from Microsoft to fix this issue.

http://support.microsoft.com/kb/978754

Remember, this is not applicable on Windows Server 2008 R2 but only for windows Server 2008.

Hope this helps.

Regards,

Stefan Hazenbroek

AD CS: Move AD CS Database and Log to a different drive

2011-01-13T14:13:00.000+01:00

What if you created a certificate infrastructure, sized it according to the requirements known at the moment and a new project comes along that requires a certifcate services Database and log that is three times the size of the original one, so it doesn't fit onto your sized harddisk. In alot of scenario's it's possible to expand the disks (using vmware, xenserver or hyper-v this is quite easy), but when you're using physical servers it's not so easy.

Or, maybe, when you installed AD CS you forgot to move it from c:\windows\system32\Certsvc. No worries, it's quite easy to change it.

In this short blogpost I'll explain how to move the certificate services database and log location after AD Certificate Services has been installed.

1. Prepare the disk, LUN or whatever you have in mind for your database and log. Ideally both will be placed on separate disks for performance reasons. Create the path for the database and log. In case it'll be placed on one disk I always assume CertDB for the database and CertDB\Logs for the logs, to keep things tidy.

2. Stop the AD Certificate Services service by running net stop certsvc from an elevated command prompt or by right clicking and selecting Stop service in the Services MMC.

3. Copy the database and the logs to their new location.

4. Open the registry editor by starting regedit and browse to HKLM\System\CurrentControlSet\Services\CertSvc\Configuration.

5. Edit the following entries:
DBDirectory (default is C:\Windows\System32\CertLog\..., change it to your new databasedir)
DBLogDirectory (default is C:\Windows\System32\CertLog, change it to your new logdir)
DBSystemDirectory (default is C:\Windows\System32\CertLog, change it to your new databasedir)
DBTempDirectory (default is C:\Windows\System32\CertLog, change it to your new databasedir)

6. Start the certification authority again by running net start certsvc from the commandline or by right clicking the AD Certification Services service and choosing Start. From this moment your DB and log should be running from the new location.

7. Verify it is running from the new location. You can do this by opening up the certification authority MMC. Right click on the name of your CA and choose Properties. Choose the tab Storage. The tab should look like this, with the location of your DB and Logs on a perhaps different drive/letter.

Hope this helps.

Regards,

Stefan Hazenbroek

FS: Disable the Restore button in Previous Versions

2010-12-28T12:39:00.001+01:00

Previous Versions (or, Volume Shadow Copy Service) is a very powerful way of letting users manage their own files in an enterprise environment. One issue however, especially for department-shares, is the possibility to restore a file using Previous Versions. There is no pretty way to disable this using a group policy or something similar, but it IS possible.

By default it is possible for users to restore files. By following the next steps you can turn this off so that only Open and Copy can be used.

Fire up the registry (regedit).
Browse to: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer to turn it on or off for the current user or HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer to turn it off for the local machine. I suggest turning this off on a user basis, so that your IT Administrators can still manage this if needed.
Create a new REG_DWORD with the name NoPreviousVersionsRestore. The value for this entry is 1.

It isn't needed for the users to log off and on again for the setting to be put into place. I suggest putting this in a group policy preference for ease of management.

Hope this helps.

Regards,

Stefan Hazenbroek

DFS: Manual removal of a DFS Link.

2010-10-23T13:31:00.001+02:00

It can happen to everybody. A DFS Link gets deleted in the wrong way by accident, and now it's stale sources are being a burden in your DFSroots directory. This can happen due to errors in namespace replication or unclean shutdowns. The directory cannot be opened or manually deleted, so how can we get rid of this?

When you try to open the directory you'll get the following error:

It makes sense to get this error, because DFS make a sort of junction point on your fileserver to relocate you to the real point. When you try to delete the folder you'll get this error:

When a DFS link gets created, a reparsepoint is created in the DFSroots directory. This is a link to the original directory. Also, see: http://msdn.microsoft.com/en-us/library/aa365503(VS.85).aspx for more information.

This reparsepoint is also what's causing the error. Normally, if you try to open a reparsepoint (like AppData in Windows 7 is), you'll get redirected to the original directory. In the case of DFS this works somewhat different, because the original directory isn't located on the same server.

To fix this we have to take some steps. First, open up Command Prompt and browse to your DFSroots directory. In my case this is C:\DFSroots. Open up your DFS namespace and look at the folder contents. This folder is what's being published when an user accesses your DFS namespace.

Above are the folder contents of the DFSroots folder in my test environment. Top Secret is a stale folder, so I'd like to delete this. Windows contains a tool called fsutil that can help us reach this goal. Type: fsutil reparsepoint query \\. In my case this would be fsutil reparsepoint query "C:\DFSroots\Public\Top Secret". Remember to enclose your query with quotes ("") when your name contains spaces.

The result should look alot like the following:

As you can see within the Tag Value, this reparsepoint is created by/for Microsoft DFS. Now, we're gonna delete this reparsepoint so our view of the namespace will be nice and clean again. Type: fsutil reparsepoint delete \\ and press Enter. Again, mind the quotes.

In this case the rule is: No result is good result. When you get a blank line your command succeeded. When you try to remove something that's not a reparse point you'll get an error looking a lot like the following one:

This means the reparse point is already deleted or you're giving in the wrong directory in your command line.

Hope this helps in keeping your DFS environment clean and tidy.

Regards,

Stefan Hazenbroek

File Services: Shares not available after a reboot

2010-10-23T12:15:00.002+02:00

A short while ago a question was asked on the Technet Forums regarding folders not being shared as expected after a reboot. This specific issue was in regard to BitLocker, but this same issue applies when the folders are being hosted on a volume that's connected through a SAN (Fibre/iSCSI and such)

After being able to answer the question I thought I'd post a short blog article in regard to this issue, because it's a very common issue and not very well documented.

Issue
When you reboot your server all shares that are hosted on a SAN, on a BitLocker protected volume or anything other that needs a service in order to ensure it's availability. After restarting the Server service these shares come available, but there are no clear errors in the eventlog that states something is wrong.

Resolution
The issue is due to the BitLocker (or the service that connects your FC/iSCSI devices) service not being started yet when the Server service is started. When the server service is started, it tries to locate all folders to share and disregard the ones that aren't reachable. Because the service required is started shortly after, you won't notice any apparent issues until you investigate them.

Luckily this issue is quite easily fixed by editing a value in the registry. I'll explain this by showing an example.

1. First, open up services.msc.

When you look at the screenshot below, you'll see the shortname of BitLocker Drive Encryption. Write down this name or save it somewhere, we'll need it later.

2. Open regedit (Start, Run, type: regedit)

Browse to Hkey Local Machine\SYSTEM\CurrentControlSet\LanManServer

When you look in the key you'll see a value called DependsOnService. In my case this value is filled with SamSS and Srv. Open up this value.

As you can see, both services that need to be started in order to start the Server service are SamSS and Srv. Place the cursor after Srv and press Enter. Now type bdesvc (or the name of your required service you located in Step 1) and press Enter again. After filling in the value it should look like this:

Press Ok and reboot your server.

After a reboot your shares will be available directly from boot as they should be. Remember to remove the added service when you disable BitLocker again or remove the disks from SAN, otherwise the Server service won't be able to start.

Hope this helps.

Regards,

Stefan Hazenbroek

Active Directory: Managed Service Accounts

2010-07-05T21:00:00.022+02:00

Windows Server 2008 R2 introduces the new and nifty feature that's called "Managed Service Accounts". A Managed Service Account (from now on I'll call it a MSA) is an account that is tied to a specific computer (for example an IIS Server) and maintains it's own password and SPN's. I can't remember the number of times a service wouldn't start after a reboot of a server because the password for the service had changed but they forgot to change the password at all necessary places.

In this blogpost I will explain the following items:

The requirements for MSA’s
Implementation of MSA's

1. The requirements for MSA's
A MSA depends on the object class msDS-ManagedServiceAccount, for which your schema needs to be at the level of Windows Server 2008 R2. Also, only Windows Server 2008 R2 and Windows 7 support MSA's.

MSA's update the password in the same way as a computer account updates it. By default, the password of a MSA gets updated when the computer account updates it's password. They don't listen to password policies and cannot be locked out or perform interactive logons.

By default all MSA's are created in the CN=Managed Service Accounts,DC=domain,DC=net. When using DSA.MSC and setting it to show "Advanced Features" also displays them.

However, as you see when you open the properties of a MSA, there's nothing to be set apart from the description. This is because all administration of MSA's is done in Powershell.

MSA's automatically maintain their own SPN's but cannot be linked to multiple computers at a time or to a cluster node.

2. Implementation of MSA's For the sake of argument I'll assume you are creating a service account for use with SQL (although this isn't supported by SQL Server yet because of VSS Backups and such). Also, I will use the name SASQL02, but ofcourse you're free to change this to anything you want. For the servername I will use DB01.

At the moment it's not possible to create a MSA that's longer than 15 characters, so stay under this limitation (see http://derek858.blogspot.com/2010/02/server-2008-r2-managed-service-account.html for more information about this)

1. Open Powershell with the AD-Powershell modules loaded (Load this by using import-module ActiveDirectory within Powershell)

2. Create the MSA by using:

New-ADServiceAccount -Name SASQL02 -Enabled $True

3. Now, associate the MSA to a computer account:

Add-ADComputerServiceAccount -Identity DB01 -ServiceAccount SASQL02

4. Logon to the server on which the MSA will be running (in my case DB01). It's necessary to have the following features enabled on the target server:

Active Directory Module for Windows Powershell
.NET Framework 3.5.1

5. On the server start Powershell with the Active Directory modules loaded.

6. Install the MSA at the server by using:

Install-ADServiceAccount -Identity SASQL02

To install a MSA on a server you will need Local Administrator permissions on the target server and modify permissions on the MSA object in Active Directory.

7. Open up services.msc.

8. Browse to your service and double click on it.

9. Click the tab Log On.

10. Click Browse and type the name of the MSA.

11. The account name is filled in in the following screen. You can see it's a MSA by looking at the dollar sign ($) behind the account name. Also, it's very important that the password field remains empty!

12. Click OK and restart your service. After this moment it's no longer needed to manually change passwords, because your MSA will take care of this.

In a later blogpost I will explain how MSA's are maintained through your environment. In the meantime also check out This post by Ned Pyle.

Regards,

Stefan Hazenbroek

NOTE: For some reason all images have gone byebye on me. I’ll repost them soon.

ConfigMgr: AD Permissions for Domain Join Account

2010-05-11T07:32:00.002+02:00

It's a good practise to use a service account for any sort of automated task, and this is no different with SCCM Operating System Deployment.

SCCM OSD has the capability of automatically adding a workstation to the domain during the Task Sequence, so the amount of work that needs to be done by hand is kept to a bare minimum. You use a service account in SCCM that has the permissions to add the computer to the needed OU, but what permissions do you need exactly?
Well, at a minimum you'll need the following permissions:

I hope this helps, I know I'll be back when I need it set again :)

Regards,

Stefan Hazenbroek

HOWTO: DFS and ABE in Server 2008 and 2008 R2

2010-05-10T21:43:00.001+02:00

This blogpost will be quite alot longer than other blogposts, but that’s not an issue in my opinion. Too many times I encounter a situation in which DFS is misconfigured for use with Access-based Enumeration. Some of the times I even encounter an environment in which the fileservers themselves are configured incorrectly. In this blogpost I will explain the following items:

Installing Distributed File System.
Configure a domain-based DFS Namespace.
Creating a DFS Link (Target/Folder Target).
Configuring Access-based Enumeration on the DFS Namespace and the DFS Links.
Setting the correct (NTFS and Share) permissions on the File Share that the DFS Link points to.
Enabling Access-based Enumeration on the File Share on the File Server.

I’ll assume the following items are running as they should/are available, so I’ll not go into them any further:

A correctly working Active Directory infrastructure, running at least Windows Server 2008 Domain Functional Level.
Familiarity with creating users, groups and manipulating NTFS permissions.
You are logged in as a Domain Administrator.
The needed groups are available. This means you’ll need a group per DFS Link (or multiple, but that’s up to your design) and a group per folder that should have permissions set. I suggest you never set permissions deeper than the 4th folder, so that would be A\B\C\D and no deeper.

Now, on with the fun stuff.

1. Install Distributed File System

1) Open Server Manager, click Roles and right-click on Roles. Now click Add Roles.

2) Click Next.

3) Select File Services and click Next.

4) Click Next.

5) Select DFS Namespaces and click Next.

6) Choose Create a namespace later using the DFS Management Snap-in in Server Manager and click Next.

7) Click Install.

8) Click Close and reboot the server.

2. Configure a domain-based DFS Namespace.

Now that DFS is up and running we need to create a DFS namespace. This part of the blogpost will explain how you can install a domain-based DFS namespace and configure it for use with Access-based Enumeration.

1) Open the DFS Management Snap-in. This can be found in Start, All Programs, Administrative Tools.

2) Click on Namespaces. Right-click on Namespaces and choose New Namespace.

3) Fill in the servername. In my case this is FS01 and click Next. This is the server that will be running as namespace server. This means in a domain based DFS infrastructure that the server hosts the namespaces, but all configuration items are also available in Active Directory (in CN=DFS-Configuration, CN=System, DC=contoso, DC=com for example). This is still a single point of failure because no other namespace servers are designated.

4) Fill in the name of your namespace and click Edit Settings.

5) If needed, move the local path of the shared folder. You can do this by clicking Browse and choosing a new path. This path will be in the metadata of the DFS infrastructure, or the empty copy of your file server infrastructure when it’s finished. This directory is 0 bytes and will stay this way when it’s managed correctly. Click Use custom permissions and click Customize.

6) Call me paranoid, but I like to keep my permissions granted to an absoluted minimum. Depending on the environment, I give Domain Admins or fileserveradmins Full Control on the share and Domain Users (also dependant on the environment) Change permissions. This way nobody can mess with the permissions except those that should maintain them. Click OK when done adding the needed groups.

7) Click Next.

8) Choose domain-based namespace and toggle Enable Windows Server 2008 Mode to enabled. Click Next.

Important: Access-based Enumeration will not function unless you have your namespace running in Windows Server 2008 mode.

9) Review all your namespace settings and if everything is correct, click Create.

10) Click Close.

3. Create a DFS Link (Target/Folder Target)

A DFS Link can be seen as a shortcut to another file server on which the files themself are hosted. In this part I will explain how to create a DFS Link.

1) Open DFS Namespaces, expand Namespaces and right-click on the namespace created earlier. Click New Folder.

2) Fill in the name of the folder, for this example I used Legal and click Add.

3) Fill in the path to the shared folder on your fileserver or click Browse. Click OK in the Folder Target dialog box and in the Folder dialog box.

4. Configuring Access-based Enumeration on the DFS Namespace and the DFS Links.

Access-based Enumeration is a method to hide files that users don’t have permissions to. As easy as this sounds, this means the NTFS permissions should be setup correctly, otherwise users will still see all files. In this part I will explain how the DFS namespace and the DFS Links can be configured to have Access-based Enumeration in place. I will assume all needed Active Directory Groups are already in place and filled with the users that need permission to this location. For the sake of demonstration I will use the group name DL-Legal-R for the DFS Link Legal.

NOTE! All commands in this section will give a “Done processing this command” notice when the command executed succesfully.

NOTE! Although it is possible to set permissions on the DFS Link (in C:\DFSRoots\…) this is not supported as the permissions will be overwritten by the next Active Directory or registry poll-cycle of DFS. The following method is the only supported method of configuring Access-based Enumeration.

1) Open up Command Prompt (Start, type cmd).

2) Type dfsutil property abde enable <path to the DFS Namespace (in my case \\stefanhazenbroek.net\public) and press enter. This will enable abde (Access-based Directory Enumeration) on the namespace.

3) Type dfsutil property acl reset <path to the DFS Link (in my case \\stefanhazenbroek.net\public\legal) and press enter. This will reset all permissions on the DFS Link to the default.

4) Type dfsutil property acl control <path to the DFS Link (in my case \\stefanhazenbroek.net\public\legal)> protect and press enter.

5) Type dfsutil property acl grant <path to the DFS Link (in my case \\stefanhazenbroek.net\public\legal> <AD Groupname>:R) and press enter. Repeat this step for every group that needs access to the DFS Link. Remember, all groups that are added in here will see the DFS Link, the rest won’t know it exists.

6) Type dfsutil property acl <path to the DFS Link (in my case \\stefanhazenbroek.net\public\legal)> and check if all permissions are set correctly. R stands for Read-only, F stands for Full Control.

5 Setting the correct (NTFS and Share) permissions on the File share the DFS link points to.

As important as setting the correct permissions on your DFS Links is, it’s nothing compared to setting the correct permissions on your Fileservers. In this example I will explain setting the correct permissions on the fileserver by setting permissions on the root folder (so the folder that your DFS Link points to) and one folder deeper by using Active Directory groups.

1) Go to your fileserver and right-click on the folder that operates as root folder for your DFS Link (this is the same folder as your filled in during step 3.3 in this blogpost. Choose Properties

REMEMBER! The permissions set on this folder should be the same as the permissions set on your DFS Link as set in 4.5 of this blogpost.

2) As you can see, the permissions are still set as they were by default. Click Advanced.

3) Now, click Change Permissions.

4) Untoggle the checkbox at Include inheritable permissions from this object’s parent and click Apply.

5) Click Remove.

6) Click Add.

7) Search for Domain Admins or any other group that will manage the fileserver infrastructure, for example FileServerAdmins and click OK.

8) Toggle Full Control (all other checkboxes will be marked automatically) and click OK.

9) Click OK.

10) Click OK.

11) Click Add.

12) Search for the group you use to give access to the folder.

13) Grant Read & Execute, List Folder Contents and Read permissions to this group and click Advanced.

14) Click Change Permissions.

15) Click Edit.

16) Change Apply To from “This Folder, Subfolders and files” to “This Folder Only” and click OK.

17) As you can see now, the permission is changed from “Read and Execute” to “Special”. Click OK.

18) Click OK again. Now the NTFS permissions for this folder are set up correctly. Repeat the step as needed until all groups that you’ve added in the DFS Link are also added here. Administrative Groups should have “This Folder, Subfolders and Files” set as permission, groups that contain users should have “This Folder Only” permission set.

19) Now we go a folder deeper. For this case I created the folder Legaldocuments with the Active Directory group DL-Legal-Legaldocuments-M and set this as the final folder in my permissions structure. In your case there’ll probably be one or two extra folders before you reach the last one, but in that case you can repeat the earlier steps with new groups. Keep in mind that Domain Admins is already added because we granted inherited permissions to this group.

20) Click Edit.

21) Click Add and add the group you created for this folder, see earlier in this blogpost how this is done. In my case I added the group DL-Legal-Legaldocuments-M and granted Modify permissions. Click OK.

22) Click OK again.

6 Enabling Access-based Enumeration on the File Share on the File Server.

1) Go to Start, Administrative Tools and click on Share and Storage Management.

2) Choose the Share for use with DFS and click Properties on the right-side of the screen (second blue tab at the right).

3) Click Advanced.

4) Toggle Enable access-based enumeration so the checkbox is enabled.

Congratulations, you’ve succesfully setup a simple DFS environment with a file share that has access-based enumeration enabled. It’s up to you to scale this to the enterprise solution you want it to be. Ofcourse, in the case of questions you can always ask them here or by emailing me at stefan<dot>hazenbroek<@>descentes<dot>nl (replace <dot> with . and <@> with @ ofcourse :))

I hope this howto has been of use for you.

Stefan Hazenbroek

ConfigMgr: Software Update Point - The server name or address could not be resolved

2010-04-19T10:56:00.000+02:00

The first thing I recommend costumers who are using SCCM is: Install the ConfigMgr Admin Console on a management server and keep your hands off the site server. This way when you accidentally fire up a script that contains a reboot, it'll restart your management server and not your site server. Also, when using it like this it'll keep your site server cleaned up and tidy, which is always something you'd want.

However, when this is the case and you're using a proxy server this also brings along some issues. When trying to download the updates you can run into the following error:

The server name or address could not be resolved

It took me a while to figure this one out, but it's quite easily fixed. Open up internet explorer and go to Internet Options. Now, go to Connections and choose Lan Settings. Fill in the same proxy server, so you can resolve internet addresses without issues. Close and re-open the ConfigMgr Admin Console and try to download the updates again. As you can see, the error is gone.

Hope this helps.

Regards,

Stefan Hazenbroek

ConfigMgr: The process is not in background processing mode.

2010-01-30T10:21:00.000+01:00

When trying to provision updates using the ConfigMgr Console of System Center Configuration Manager 2007 (R2 SP2 in my case, but it also applies to earlier versions) you can get the following error in the process screen of the Update List Wizard.

The process is not in background processing mode

Now what? Background processing mode makes you think it's because of BITS being used. Well, you're right. This is the way you can resolve this issue.

1. Login to your WSUS Server.
2. Stop the BITS Service (through Services.msc or net stop bits at a commandline)
3. Stop the Automatic Updates Service (through Services.msc or net stop wuauserv at a commandline)
4. Browse to: Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader

Note: If you're using Windows Server 2008 or Server 2008 R2 the Application Data folder is a junction point which has deny list permissions set to Everyone. If you need to be able to browse this folder you need to remove these NTFS permissions.

5. In the \Downloader folder delete the files qmgr0.dat and qmgr1.dat. These files will be recreated once you start the BITS service.
6. In the C:\Windows\ directory delete the folder SoftwareDistribution This folder will be recreated once you start the Automatic Updates service.
7. Start the Automatic Updates service using services.msc or by using net start wuauserv
8. Start the BITS service using services.msc or by using net start bits
9. Go into the ConfigMgr Console and go to Software Updates and right click on Software Repository. Choose Run Synchronisation.

Now you're able to download the updates again. I hope this helps.

Regards,

Stefan Hazenbroek

Exchange 2010: Certification achieved!

2010-01-29T16:16:00.002+01:00

I just recieved the following email from Microsoft Learning:

Congratulations on earning your Enterprise Messaging Administrator 2010 certification! We hope you enjoy the benefits of your certification and of membership in the Microsoft Certified Professional community.

Now that's a message you like to hear in the early morning!

ConfigMgr 2007 R2 SP2: Windows Server 2008 R2, WSUS 3.0 SP2 on Site Server

2010-01-16T23:34:00.002+01:00

And we have another one!

In my testlab I have WSUS setup on the same server as the SCCM Site Server. However, when trying to setup the Active SUP I got the following error in the WSYNCMGR.log

SMS WSUS Synchronization failed. Message: WSUS server not configured. Source: CWSyncMgr::DoSync. The operating system reported error 2147500037: Unspecified error

From this message it looks as if WSUS could not be contacted, but the WSUSCtrl.log states that all connections to the WSUS server are succesful. After searching around it seemed that this issue was due to the fact of WSUS and the SCCM Site Server being on the same machine. The fix is as follows (also check out http://support.microsoft.com/kb/896861 for more information (choose Method 1)):

1) Fire up regedit.
2) Go to HKLM\System\CurrentControlSet\Control\LSA
3) Create a new DWORD value called DisableLoopbackCheck
4) Edit the value and in the Value Data box type 1
5) Close regedit
6) In the SCCM Console right-click on Update Repository and check the WSYNCMgr.log for any issues.

In my case this fixed my issues.

ConfigMgr 2007 R2 SP2: Windows Server 2008 R2 and Management Point

2010-01-16T22:24:00.001+01:00

I've been reinstalling my testenvironment to support Windows Server 2008 R2 instead of Windows Server 2008, but while installing SCCM 2007 R2 SP2 I ran into the following problem:

SMS Site Component Manager failed to install component SMS_MP_CONTROL_MANAGER on server.

The WebDAV server extension is either not installed or not configured properly.
Solution: Make sure WebDAV is installed and enabled. Make sure there is an authoring rule that allow “All users” read access to “All content”. Make sure the WebDAV settings “Allow anonymous property queries” and “Allow property queries with infinite depth” are set to “true” and “Allow Custom Properties” is set to false.

Now what? I am 100% sure I have the correct settings in WebDAV (according to the log also) but it doesn't seem to recognize it. After doing some searching on the internet I found the location of the configuration file of Webdav. This file is located in: C:\Windows\System32\inetsrv\config\schema\WebDAV_schema.xml. After opening this file up I noticed that the settings in this file were different from the settings I changed in the IIS Manager.

The settings were configured as:

<attribute name=”allowAnonymousPropfind” type=”bool” defaultValue=”false” />
<attribute name=”allowInfinitePropfindDepth” type=”bool” defaultValue=”false” />
<attribute name=”allowCustomProperties” type=”bool” defaultValue=”true” />

However they should be:

<attribute name=”allowAnonymousPropfind” type=”bool” defaultValue=”true” />
<attribute name=”allowInfinitePropfindDepth” type=”bool” defaultValue=”true” />
<attribute name=”allowCustomProperties” type=”bool” defaultValue=”false” />

After correcting these settings (remember you have to take ownership of the file to be able to change it) and restarting the World Wide Web Publishing Service and the SMS_SITE_COMPONENT_MANAGER the Management Point gets installed correctly. You can check if the installation is succesful in the logfile MPSetup.log in your SCCM\Logs directory. If succesful the log looks like this:

<01-16-2010 22:08:36> ======== Completed Installation of Pre Reqs for Role SMSMP ========
<01-16-2010 22:08:36> Installing the SMSMP
<01-16-2010 22:08:36> Passed OS version check.
<01-16-2010 22:08:36> IIS Service is installed.
<01-16-2010 22:08:36> checking WebDAV configuraitons
<01-16-2010 22:08:37> WebDAV is configured
<01-16-2010 22:08:37> No versions of SMSMP are installed. Installing new SMSMP.
<01-16-2010 22:08:37> Enabling MSI logging. mp.msi will log to C:\Program Files (x86)\Microsoft Configuration Manager\logs\mpMSI.log
<01-16-2010 22:08:37> Installing C:\Program Files (x86)\Microsoft Configuration Manager\bin\i386\mp.msi CCMINSTALLDIR="C:\Program Files (x86)\SMS_CCM" CCMSERVERDATAROOT="C:\Program Files (x86)\Microsoft Configuration Manager" USESMSPORTS=TRUE SMSPORTS=80 USESMSSSLPORTS=TRUE SMSSSLPORTS=443 USESMSSSL=TRUE SMSSSLSTATE=0 CCMENABLELOGGING=TRUE CCMLOGLEVEL=1 CCMLOGMAXSIZE=1000000 CCMLOGMAXHISTORY=1
<01-16-2010 22:08:57> mp.msi exited with return code: 0
<01-16-2010 22:08:57> Verifying CCM_CLIENT virtual directory.
<01-16-2010 22:08:57> Website path is IIS://LocalHost/W3SVC/1.
<01-16-2010 22:08:57> Connecting to IIS.
<01-16-2010 22:08:57> CCM_CLIENT is currently C:\Program Files (x86)\Microsoft Configuration Manager\Client.
<01-16-2010 22:08:57> Installation was successful.

One last thing. When creating a backup of the WebDav_schema.xml, do not create the backup in the same directory as the original file. All .xml files put in this directory will be read by IIS so your settings will not seem changed afterwards.

Good luck, I hope this helps.

AD Certificate Services: How To Install on Windows Server 2008 R2 Core

2010-01-12T20:07:00.000+01:00

Windows Server 2008 R2 Core offers the possibility of installing a Certificate Authority. However, not much documentation is available on how to configure the role using the commandline.

In this blogpost I will explain how you can install the role and use it to issue certificates to your servers and clients.

Log in to the server (Windows Server 2008 R2 Server Core server) that you're going to install the Certification Authority on. You need Domain Admin or equivalent permissions on a single forest, single domain infrastructure or Enterprise Admins on a multi-domain infrastructure to be able to install AD Certificate Services correctly. The following command has to be issued on the commandline:

Dism /online /enable-feature /featurename:CertificateServices

Don't forget, the DISM command is Case-Sensitive, so you should keep the Capitcal C and S in mind.

Instead, if you have powershell installed on your Windows Server 2008 R2 Core machine you can also use the following commands to install the role:
First, fire up powershell by typing powershell in the cmd screen. When Powershell is fired up type:

Import-Module ServerManager

At the top of the screen you'll see the module being imported, when it's complete you have the possibility to use the CMDLets Add-WindowsFeature,Get-WindowsFeature and Remove-WindowsFeature. Install AD Certificate Services using the following command:

Add-WindowsFeature ADCS-Cert-Authority

Restart the server when the installation is completed to be sure that all needed information is correctly populated and login to the server again.

Now, the nice folks over at the PKI blog published a nice article on how to use a VBScript to install a Certificate Authority. Check out:

http://blogs.technet.com/pki/archive/2009/09/18/automated-ca-installs-using-vb-script-on-windows-server-2008-and-2008r2.aspx

Download the script from above link and place it somewhere you are able to access it from the machine the CA is running on. Browse to the directory you placed the script in and execute the following command to install an Enterprise Root Certification Authority:

Cscript setupca.vbs /ie /sn NameOfYourCA /sk 4096 /sp "RSA#Microsoft Software Key Storage Provider" /sa SHA256

When you've issued above script and it completed succesfully (it'll take about a minute or so) you will be able to start your CA. Go to the Windows 7 workstation with RSAT installed and open up Computer Management. Browse to the machine your CA is running on and fire up the service Active Directory Certificate Services. When running this from the commandline you issue the name CertSvc.

On the RSAT machine, open up the Certification Authority shortcut in the Administrative Tools folder. When you open this shortcut you'll receive the following error:

This is no problem. Click on OK and when in the MMC right click Certification Authority (Local). In the submenu you choose Retarget Certification Authority. Choose Another Computer in the wizard and fill in the hostname of the machine that is running your CA. From now on you can manage your Certification Authority from your machine with RSAT installed.

Active Directory: Corrupt Certificate Templates

2009-11-22T09:19:00.000+01:00

I was trying to get my Windows Mobile 6.5 to work with Exchange 2010, but when I tried to request a certificate to my CA i got the following error:

Eventid: 53, CertificationAuthority
Message: Active Directory Certificate Services denied request 17 because The requested certificate template is not supported by this CA. 0x80094800 (-2146875392). The request was for CN="". Additional information: Denied by Policy Module 0x80094800, The request was for a certificate template that is not supported by the Active Directory Certificate Services policy: User.

Now what? For some reason it thinks my User certificate does not exist or something? It seemed the User Certificate Template on my CA was corrupt for some reason. This is how I fixed it.

Note: I assume you backup your CA before changing settings, because of this I'll not mention it in the Howto.

1. Stop the Certificate Services Service.

net stop CertSvc

2. Log in to ADSI Edit and open the Configuration naming context. Then go to CN=Services,CN=Public Key Services,CN=Certificate Templates. If all is correct there should be quite a few items listed there. Empty out the CN=Certificate Templates container. This is most easily done by deleting CN=Certificate Templates and recreating it with the same name.

3. Start the Certificate Services Service.

net start CertSvc

4. Open the Certification Authority Snap-In and go to Certificate Templates. You should see all templates listed with an X in front of it.

If this is the case, right-click on Certificate Templates and choose Manage. Windows should give a popup with a message like: "New certificate templates are found, would you like to install them?". Agree with the message and see the magic work. After a few moments (depending on the size of your AD) you'll be able to issue certificates again.

Exchange 2010 Certified!

2009-10-16T09:37:00.000+02:00

I just recieved the following email from MS Learning:

Congratulations on earning your Microsoft Exchange Server 2010, Configuration certification! We hope you enjoy the benefits of your certification and of membership in the Microsoft Certified Professional community.

Active Directory: AD Recycle Bin GUI

2009-10-10T14:39:00.001+02:00

Earlier on I blogged about the AD Recycle Bin. In this blog we checked out how the AD Recycle Bin is activated and how it's used through Powershell or LDP.

The fellows at Overall Solutions Inc. made a very nice GUI. In this GUI it's possible to see which items are deleted and also recover the deleted items.

The download can be found http://www.overall.ca/index.php?option=com_content&view=article&id=40:adrecyclebin&catid=15:adrecyclebinexe&Itemid=64

The GUI is built like this:

Exchange 2010 RTM!

2009-10-09T16:35:00.001+02:00

Yesterday at TechNet Live they already had some interesting information. At the end of the day when asked the question: "When will Exchange 2010 be RTM" the only answer we got was: "Check out the Exchange Team blog tomorrow". And what have we got? Finally! Exchange 2010 got RTM'd!

For the full announcement see: http://msexchangeteam.com/archive/2009/10/08/452775.aspx

In my opinion some very good news to get on Friday!

Regards,

Stefan Hazenbroek

Active Directory: FSMO Roles in Windows Server 2008 R2

2009-10-05T10:41:00.002+02:00

I've been getting alot of questions and debate about FSMO roles in an Active Directory domain environment. Where should you place what role? What does a specific role do? Should I seize it if it's not available?

I'll start by summing up the available roles and their task. The function of each role is defined for Windows Server 2008 R2.

Schema Master

There can only be one Schema Master defined per forest. The Schema Master contains the only writable copy of the schema and additions to it can only be done by a member of the Schema Admins and the Enterprise Admins security group.

When this role is unavailable additions or changes to the schema cannot be made.

Domain Naming Master

The Domain Naming Master is responsible for the addition or removal of domains in the forest. The Domain Naming Master is a forest-wide role, which means only one can be defined per forest.

When this role is unavailable no domains can be added, removed or renamed.

Infrastructure Master

The Infrastructure Master is a domain-wide role, which means it is defined per domain. Logically, if you have 3 domains within your forest, you have 3 domain controllers that contain the Infrastructure Master role. The Infrastructure Master is responsible for updating links to objects in the domain to objects in other domains. There can only be one defined per domain.

When the infrastructure master is unavailable changes in objects do not get replicated. However, when all domain controllers are also a Global Catalog, the Infrastructure Master does not have a function.

RID Master

The RID (or Relative-ID) Master is responsible for RID-requests from all domain controllers within that domain. When the RID pool of a domain controller depletes, it requests a new pool from the RID Master. The RID Master can only be defined once per domain.

When the RID Master is unavailable and a domain controller runs out of available RID's no new objects (as users, groups, computers and such) cannot be created.

PDC Emulator

The PDC (or Primary Domain Controller) Emulator role is used to act as PDC when Windows NT BDC's are used. The PDC Emulator also acts as Master Browser for the domain and handles password updates for the domain. The PDC Emulator can only be defined once per domain.

When the PDC Emulator is unavailable password-changes get updated with the regular replication traffic instead of right away through the PDC emulator. Also, the time (net time) will not get synced during this time, which can be an issue in a domain environment.

Now, what if a domain controller is unavailable for a while and you need to seize the role? In a pre-windows 2008 R2 environment, thus: in an environment without the use of AD Powershell this can be quite the hassle. When you need to move the Schema Master you first have to load the dll for the mmc, after which you can move it. It just costs needless time.

Move-ADDirectoryServerOperationMasterRole -Identity ADDirectoryServer -OperationMasterRole ADOperationMasterRole []

For example, when you want to move the Infrastructure Master to domain controller "DC001" you'll use:

Move-ADDirectoryServerOperationMasterRole -Identity DC001 -OperationMasterRole InfrastructureMaster

Now, if the server that contains the role is unavailable you can ofcourse Seize it. This can also be done in Powershell, by adding the -Force parameter to the CMDLet. In case of seizing the Infrastructure Master to domain controller DC001 you'll use:

Move-ADDirectoryServerOperationMasterRole -Identity DC001 -OperationMasterRole InfrastructureMaster -Force

Finally, one shell to manage your complete AD in!

Regards,

Stefan Hazenbroek

ConfigMgr: SMS Site Component Manager failed to reinstall this component on this site system.

2009-09-07T17:10:00.002+02:00

Within a ConfigMgr environment it's possible you run into the following error when running SMS_SITE_SQL_BACKUP and the SQL Server runs on a remote system.

SMS Site Component Manager failed to reinstall this component on this site system.

Solution: Review the previous status messages to determine the exact reason for the failure. SMS Site Component Manager will automatically retry the reinstallation in 60 minutes. To force SMS Site Component Manager to immediately retry the reinstallation, stop and restart SMS Site Component Manager using the SMS Service Manager.

I noticed this error at home (yes, I'm running ConfigMgr 2007 SP1 + R2 at home, call me crazy ;-)) and started looking around if there's a solution available. After finding no KB-article or anything about it I started searching on. The reason for this error seems to be that the SQL Server cannot bootstrap the executable to install the service on the SQL Server.

Luckily, the fix is quite easy. Go to the ConfigMgr installation directory, in my case

C:\Program Files (x86)\Microsoft Configuration Manager\

and open the file install.MAP with notepad. In this file you'll search for the following lines:

BEGIN_COMPONENT_FILELIST
<SMS_SITE_SQL_BACKUP>
<1193>
BEGIN_DIRECTORY
<bin\i386>
<9><X86><>
FILE <smssqlbkup.exe><1><766496>
END_DIRECTORY
BEGIN_DIRECTORY
<bin\x64>
<17\><AMD64><>
FILE <smssqlbkup.exe><1><1547296>
END_DIRECTORY
UNIT <SMS>
END_COMPONENT_FILELIST

Change these lines to the following

BEGIN_COMPONENT_FILELIST
<SMS_SITE_SQL_BACKUP>
<1193>
BEGIN_DIRECTORY
<bin\i386>
<9><X86><>
FILE <smssqlbkup.exe><1><766496>
FILE <srvboot.exe><0><219904>
END_DIRECTORY
BEGIN_DIRECTORY
<bin\x64>
<17><AMD64><>
FILE <smssqlbkup.exe><1><1547296>
END_DIRECTORY
UNIT <SMS>
END_COMPONENT_FILELIST

Afterwards restart the SMS_SITE_COMPONENT_MANAGER at the site server and after a minute or so reopen the Components log. After changing the install.MAP and restarting the SMS_SITE_COMPONENT_MANAGER I got the following happy message:

SMS Site Component Manager successfully reinstalled this component on this site system.

I hope this helps resolve some issues.

Active Directory: Configure AD Recycle Bin

2009-09-06T11:06:00.007+02:00

Every Active Directory manager deals with it eventually, a user, a group of users or even an OU gets deleted by accident. Retrieving the objects using an authorative restore isn't the nicest job to do, because a lot of fields are stripped out when the account is deleted.

Windows Server 2008 R2 has a solution for this, namely the Active Directory Recycle Bin. In this blogpost I will explain how you setup the AD Recycle bin and how you can retrieve items afterwards. One drawback though: There is no nice interface available from Microsoft yet.

First off, it's necessary that the Forest Functional Level is at the level of Windows Server 2008 R2. This can be done using Active Directory Domains and Trusts, but can easily be done using Powershell.

Through Active Directory Domains and Trusts:

Through Powershell:

Set-ADForestMode -Identity domain.test -ForestMode Windows2008R2Forest

Now that the Forest is at the right level we'll start by configuring the AD Recycle Bin. First off we load the optional module in Powershell by using the following command.

Enable-ADOptionalFeature –Identity ‘CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration, DC=domain,DC=test’ –Scope ForestOrConfigurationSet –Target ‘domain.test’

When this is done we need to make the forest aware the optional feature is installed. This can be done using LDP. Fire up LDP using Run and type: ldp.exe. Open LDP and connect to the domain controller that hosts the root domain (so the firest domain). This can be done by clicking Connection then choosing Connect and typing in the hostname of the DC you want to connect to, after which you choose Bind. In the menu bar open the menu View and choose Tree. In the popupbox choose Configuration BaseDN

Navigate to the CN=Partitions container, rightclick this and choose Modify

Make sure the field DN is empty and fill in the following in the other two fields:

Edit Entry Attribute

enableOptionalFeature

Values

CN=Partitions,CN=Configuration,DC=domain,DC=test:766ddcd8-acd0-445e-f3b9-a7f9b6744f2a

In the field Operation choose Add and click Enter. The extension will now appear in the field Entry List. At the bottom of the popup box choose Run and then choose Close. When you doubleclick on CN=Partitions at the left side the following appears in the details field at the right side.

msDS-Behavior-Version: 4 = ( WIN2008R2 );
msDS-EnabledFeature: CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain,DC=test;
name: Partitions;

If this is the case the Recycle Bin is installed correctly and we can start using it.

ATTENTION! From this moment on the Recycle Bin feature is activated. Any user deleted before this action cannot be retrieved using the AD Recycle Bin.

Through LDP:
Open up LDP again and connect and bind to the DC hosting the root domain. Click Options and choose Controls in the menubar.

When this is loaded up in choose View and Tree and choose the BaseDN of the Forest, in my case DC=domain,DC=test. When you look at the left side, you'll see the CN CN=Deleted Objects,DC=domain,DC=test. When you doubleclick this a list with all deleted users opens up at the left side. When you find the user you are looking for rightclick the user and choose Modify. Make sure the popupscreen looks like the following screen:

Afterwards choose Run and the object will be retrieved from the Recycle Bin, after which you can see this in Active Directory Users and Computers again.

Through Powershell:
I know what you're thinking. We have an awesome tool called Powershell, why won't we use that? Well, that's what we're going to look at now. Because we enabled the optional feature using Enable-ADOptionalFeature we have access to the Restore-ADObject CMDLet. What if, you know the username of the user you want to recover. You can see this by running the following CMDLet:

Get-ADObject -Filter {sAMAccountname -eq "test"} -IncludeDeletedObjects

When this is executed the output will be as following:

If this is the account you want to recover run the following CMDLet:

Get-ADObject -Filter {sAMAccountname -eq "test"} -IncludeDeletedObjects | Restore-ADObject

That's it, the filter can be adapted to about anything you're comfortable with using Powershell. In a later blog post I'll post more information about retrieving objects or OU's.

For more information about retrieving objects from the Recycle Bin please look at the following link:

http://technet.microsoft.com/en-us/library/dd379509(WS.10).aspx