Expired SCVMM certificate

10 comments January 3rd, 2018

In SCVMM 2012 R2 we suddenly couldn’t deploy VMs from a template, install “Virtual Guest Services Tools”, etc. All jobs failed with the following:

Error (2912)

An internal error has occurred trying to contact the server.domain.com server: NO_PARAM: NO_PARAM.

WinRM: URL: [http://server.domain.com:5985], Verb: [INVOKE], Method: [GetError], Resource: [http://schemas.microsoft.com/wbem/wsman/1/wmi/root/microsoft/bits/BitsClientJob?JobId={62469246-350C-4ADE-A0BE-80D9E30C382D}]

Unknown error (0x80072f05)

Recommended Action

Check that WS-Management service is installed and running on server server.domain.com. For more information use the command “winrm helpmsg hresult”. If server.domain.com is a host/library/update server or a PXE server role then ensure that VMM agent is installed and running. Refer to http://support.microsoft.com/kb/2742275 for more details.

We verified that we could connect to “server.domain.com” on TCP 5985 from the VMM server.

[PowerShell]:

tnc server.domain.com -Port 5985

Checking the self-signed certificate on the VMM server showed that it had expired (01.01.2018).

Resolution:

Delete the expired certificate from the VMM server’s Personal Store and create a new one:

[PowerShell]:

$credential = get-credential

Get-VMMManagedComputer -ComputerName "VMM-Server.domain.com" | Register-SCVMMManagedComputer -Credential $credential

You will now get a new certificate which is valid for 5 years.
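An added check for this failure mode (example code, not from the original post): 0x80072f05 is Win32 error 12037, ERROR_INTERNET_SEC_CERT_DATE_INVALID, so a green port test will never reveal it. The script lists self-signed certificates in the VMM server's Personal store that have expired or are about to, then repeats the port test; the host name is the placeholder from the post, and the assumption that the VMM certificate is self-signed (Subject equals Issuer) is mine.

```powershell
# Added example, not part of the original post.
# 0x80072f05 = WinINet/WinHTTP error 12037 (ERROR_INTERNET_SEC_CERT_DATE_INVALID):
# the certificate date is invalid or expired, which matches the expired VMM certificate.
# Assumption: the VMM certificate is self-signed (Subject equals Issuer) and lives in
# the local machine Personal store, as in the post.
function Get-ExpiringSelfSignedCert {
    param([int]$Days = 30)   # also report certificates expiring within this window
    $limit = (Get-Date).AddDays($Days)
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $_.Issuer -and $_.NotAfter -lt $limit } |
        Select-Object Subject, Thumbprint, NotAfter,
            @{ n = 'Status'; e = { if ($_.NotAfter -lt (Get-Date)) { 'EXPIRED' } else { 'Expiring' } } }
}

Get-ExpiringSelfSignedCert -Days 30 | Format-Table -AutoSize

# The port test from the post proves TCP reachability only: it succeeded in the post
# while every job still failed, so do not stop troubleshooting at a green result.
$managedHost = 'server.domain.com'   # placeholder name from the post
if (-not (Test-NetConnection -ComputerName $managedHost -Port 5985).TcpTestSucceeded) {
    Write-Warning "WinRM port 5985 on $managedHost is not reachable"
}

# Decode the HRESULT the way the error's Recommended Action suggests
winrm helpmsg 0x80072f05
```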


SCVMM 2012 error 25230

3 comments December 23rd, 2013

If you are going to live migrate from a Hyper-V 2012 cluster to a Hyper-V 2012R2 cluster, the virtual switch name must be the same on the hosts.

We needed to rename the switch on the 2012R2 host, so we just deleted the switch in VMM and recreated it with the same name as the 2012 servers had.

Doing so gave us this error:

Error (25230)
Unable to find extension (0d37c9f0-ea6c-47a0-9c42-4baeba3768d1) on virtual switch (Hyper-V Logical Switch)
Recommended Action
Verify the extensions installed on the host and retry the operation.

Searching the Internet did not give us any leads.

Ran: Get-VMSwitchExtension -VMSwitchName "Hyper-V Logical Switch" | select id

This returned the IDs of the extensions attached to the virtual switch, and the ID from the 25230 error was missing.

Solution:

Uninstall the DHCP extension from Add/Remove Programs. It was not removed when the virtual switch was removed.


Creating a new virtual switch added the DHCP extension back to the server.
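The check from the post, extended to tell the two cases apart (example code, not from the original post): whether the extension ID quoted in the 25230 error is attached to the switch, and whether the host has it installed at all. It uses the Hyper-V module's Get-VMSwitchExtension and Get-VMSystemSwitchExtension; the switch name and GUID are the ones from the error above.

```powershell
# Added example, not part of the original post. Run on the Hyper-V host.
# Reports whether an extension ID (as quoted in VMM error 25230) is attached to the
# named virtual switch and whether it is installed on the host at all.
function Test-SwitchExtension {
    param(
        [Parameter(Mandatory)][string]$SwitchName,
        [Parameter(Mandatory)][string]$ExtensionId
    )
    $id = $ExtensionId.Trim('{}')   # tolerate GUIDs with or without braces
    # Extensions attached to this particular switch (what the post's one-liner lists)
    $onSwitch = Get-VMSwitchExtension -VMSwitchName $SwitchName |
        Where-Object { $_.Id.Trim('{}') -eq $id }
    # Extensions installed on the host, attached to a switch or not
    $onHost = Get-VMSystemSwitchExtension |
        Where-Object { $_.Id.Trim('{}') -eq $id }
    [pscustomobject]@{
        SwitchName       = $SwitchName
        ExtensionId      = $id
        AttachedToSwitch = [bool]$onSwitch
        InstalledOnHost  = [bool]$onHost
        Name             = if ($onHost) { $onHost.Name } elseif ($onSwitch) { $onSwitch.Name } else { $null }
    }
}

Test-SwitchExtension -SwitchName 'Hyper-V Logical Switch' `
                     -ExtensionId '0d37c9f0-ea6c-47a0-9c42-4baeba3768d1' | Format-List

# InstalledOnHost = True, AttachedToSwitch = False: a host-side install left behind
#   when the switch was deleted, which is what the post cleared via Add/Remove Programs.
# InstalledOnHost = False: the extension is not on this host at all.
```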

COYS

Resize User Profile Disks

9 comments November 19th, 2013

If you have configured User Profile Disks (UPD) for Virtual Desktops or Session Hosts (a.k.a. Terminal Services), you had to set a quota (maximum size) on the profile disk, which is a .vhdx file.

If you set the quota to e.g. 1 GB, some users may fill it up with photos or videos, and you will have to extend their .vhdx file:

  1. The affected user has to be logged off so the .vhdx file is not mounted.
  2. Locate the UPD share and translate the user's SID to a username so you pick the correct file: http://gallery.technet.microsoft.com/Retrieve-usernames-for-a-94780a9e
  3. Take a backup (copy) of the file, just in case…
  4. Resize the disk (either within Hyper-V Manager or with PowerShell).
  5. Mount the file and extend the disk within Disk Manager.

I’ll show how this can be done with PowerShell.

After locating the correct .vhdx file, you can see that its (maximum) size is 1 GB:


Run the Hyper-V cmdlet Resize-VHD:

Syntax: Resize-VHD -Path <path to the .vhdx file> -SizeBytes <size>GB

Here I increase the size to 2 GB.

Mount the .vhdx file and open Disk Manager.

You will now see 1 GB of unallocated space that you have to claim.

Extend the disk/volume.

The disk is now 2 GB.

Remember to unmount/eject the disk so the user can log on again.
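The five steps above in one script, so the Disk Manager part is done with the Storage cmdlets as well (example code, not from the original post). It assumes UPD files are named UVHD-<SID>.vhdx in the share (the Remote Desktop Services naming), that the host has the Hyper-V and Storage modules, and the share path and SID are constructed placeholders.

```powershell
# Added example, not part of the original post. Save as Resize-Upd.ps1.
# Assumption: UPD files are named UVHD-<SID>.vhdx; share and SID are constructed values.
param(
    [string]$UpdShare = '\\fileserver\UPD$',                              # constructed
    [string]$Sid      = 'S-1-5-21-1111111111-2222222222-3333333333-1105', # constructed
    [uint64]$NewSize  = 2GB
)
$ErrorActionPreference = 'Stop'

# Step 2: translate the SID so you are sure you picked the right user's file
$account = (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate(
              [System.Security.Principal.NTAccount]).Value
$vhdx = Join-Path $UpdShare "UVHD-$Sid.vhdx"
Write-Host "Resizing profile disk of $account : $vhdx"

# Step 1: a mounted UPD (user still logged on) keeps the file open, so refuse to continue
try {
    $fs = [System.IO.File]::Open($vhdx, 'Open', 'ReadWrite', 'None'); $fs.Close()
} catch {
    throw "$vhdx is in use: the user must be logged off before resizing"
}

# Step 3: backup copy
Copy-Item $vhdx "$vhdx.bak-$(Get-Date -Format yyyyMMddHHmm)"

# Step 4: grow the virtual disk (same as Resize-VHD in the post)
Resize-VHD -Path $vhdx -SizeBytes $NewSize

# Step 5: mount it and extend the last partition into the new unallocated space
$disk = Mount-VHD -Path $vhdx -Passthru | Get-Disk
try {
    $part = Get-Partition -DiskNumber $disk.Number | Sort-Object PartitionNumber | Select-Object -Last 1
    $max  = (Get-PartitionSupportedSize -DiskNumber $disk.Number -PartitionNumber $part.PartitionNumber).SizeMax
    Resize-Partition -DiskNumber $disk.Number -PartitionNumber $part.PartitionNumber -Size $max
    Get-Partition -DiskNumber $disk.Number -PartitionNumber $part.PartitionNumber |
        Get-Volume | Select-Object FileSystemLabel, Size, SizeRemaining
} finally {
    # always dismount, otherwise the user cannot log on again
    Dismount-VHD -Path $vhdx
}
```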

Prevent accidental deletions of AD objects

1 comment June 5th, 2013

The “ask DS team” posted a blog post about “Two lines that can save your AD from a crisis”. Not a bad thing to do, as it prevents you or another admin from accidentally deleting user or computer objects.

The lines they wrote protected users, computers and OUs. Did they forget about Groups?

Anyway, to also include all your groups:

# Set the "ProtectedFromAccidentalDeletion" attribute to "true" on all users,
# computers and groups in your domain where the attribute is set to "false"

Get-ADObject -filter {ObjectClass -eq "user" -or objectclass -eq "group"} -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | Set-ADObject -ProtectedFromAccidentalDeletion:$true

If you try to delete a user or computer object, you will get an error stating that the object is protected from accidental deletion. You will have to untick “Protect object from accidental deletion” on the object:


What if you’d like to move the user object to a different OU? Same error as above. You must set the attribute to ‘false’.

If you have hundreds of objects in an OU you'd like to move, it's easier to use PowerShell to revert the attribute on all objects in the specific OU:

Get-ADObject -SearchBase 'OU=OU1,dc=domain,dc=com' -filter {ObjectClass -eq "user" -or objectclass -eq "group"} -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $true} | Set-ADObject -ProtectedFromAccidentalDeletion:$false
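The one-liner above leaves the objects unprotected after the move unless you remember to set the attribute back. As an added example (not from the original post) here is the move done per object: clear the flag, move, and re-protect in a finally block so nothing stays unprotected even if the move fails. The OU paths are constructed; the ActiveDirectory module is required.

```powershell
# Added example, not part of the original post.
# Moves the users and groups directly under one OU to another, dropping
# ProtectedFromAccidentalDeletion only for the duration of the move.
function Move-ProtectedADObjects {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SourceOU,
        [Parameter(Mandatory)][string]$TargetOU
    )
    # OneLevel: nested OUs are not flattened into the target (the post's one-liner is Subtree)
    $objects = Get-ADObject -SearchBase $SourceOU -SearchScope OneLevel `
        -Filter { ObjectClass -eq "user" -or ObjectClass -eq "group" } `
        -Properties ProtectedFromAccidentalDeletion

    foreach ($obj in $objects) {
        if (-not $PSCmdlet.ShouldProcess($obj.DistinguishedName, "Move to $TargetOU")) { continue }
        $wasProtected = [bool]$obj.ProtectedFromAccidentalDeletion
        try {
            if ($wasProtected) {
                Set-ADObject -Identity $obj -ProtectedFromAccidentalDeletion $false
            }
            # -PassThru returns the object at its new DN; the GUID does not change
            $moved = Move-ADObject -Identity $obj -TargetPath $TargetOU -PassThru
        } finally {
            # re-protect whether or not the move succeeded; identify by GUID, not by DN
            if ($wasProtected) {
                Set-ADObject -Identity $obj.ObjectGUID -ProtectedFromAccidentalDeletion $true
            }
        }
        [pscustomobject]@{ Name = $obj.Name; Class = $obj.ObjectClass; NewDN = $moved.DistinguishedName }
    }
}

# Preview first (constructed OU names), then run for real
Move-ProtectedADObjects -SourceOU 'OU=OU1,DC=domain,DC=com' -TargetOU 'OU=OU2,DC=domain,DC=com' -WhatIf
Move-ProtectedADObjects -SourceOU 'OU=OU1,DC=domain,DC=com' -TargetOU 'OU=OU2,DC=domain,DC=com'
```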

Will Gareth Bale stay with Spurs next season?

An overview for ITPros, Introducing Windows 8

1 comment November 15th, 2012

If you'd like a glance/overview of Win8 for ITPros, I recommend you have a look at the “Introducing Windows 8” preview.

Text stolen from the MCP newsletter:

This complimentary e-book explores the great new features Windows 8 offers for IT professionals and businesses. It's designed to help prepare you for deployment of Windows 8, deliver apps, and manage recovery, security, and virtualization.

You can download it from here: http://download.microsoft.com/download/B/1/E/B1E7F4C9-304D-456C-BD96-A2287FA7871D/Microsoft_Press_ebook_Introducing_Windows_8_PDF.pdf

IP-HTTPS certificate

No comments October 3rd, 2012

If you use DirectAccess (DA), should you use a certificate on the IP-HTTPS listener from your internal CA or from a third party CA?

If you use a certificate from your internal CA, you will have to publish the CRL so it can be reached from the outside. If you don't, external DA clients will drop the CRL from their cache after 24 hours and will no longer be able to check whether the certificate has been revoked. DA will not work for them until they bring the laptop onto the internal network, where they can reach the CRL.

The default time for the cache is 24 hours.

So I would not bother publishing the CRL, but would instead use a third-party certificate on the IP-HTTPS listener.
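Whichever CA you choose, the thing to verify is that the CRL URLs in the listener certificate answer from the Internet. As an added example (not from the original post), this script fetches the certificate from the IP-HTTPS listener over TLS, reads its CRL Distribution Points extension and requests each HTTP URL; run it from a machine outside your network, which is where DA clients are when the cached CRL expires. The host name is a constructed placeholder.

```powershell
# Added example, not part of the original post. Run from outside the corporate network.
function Get-RemoteCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept any certificate here: we only want to read it, not trust it
    $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
    try {
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Dispose(); $tcp.Dispose() }
}

function Test-CertCrlReachability {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # OID 2.5.29.31 = CRL Distribution Points; Format() renders the URLs as text
    $cdp = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdp) {
        return [pscustomobject]@{ Url = $null; Reachable = $false; Note = 'no CDP extension' }
    }
    # LDAP CDP entries are skipped on purpose: external clients cannot use them anyway
    $urls = [regex]::Matches($cdp.Format($true), 'URL=(http[^\s,]+)') |
        ForEach-Object { $_.Groups[1].Value }
    foreach ($url in $urls) {
        $ok = $false; $note = ''
        try {
            $r  = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
            $ok = ($r.StatusCode -eq 200 -and $r.RawContentLength -gt 0)
        } catch { $note = $_.Exception.Message }
        [pscustomobject]@{ Url = $url; Reachable = $ok; Note = $note }
    }
}

$cert = Get-RemoteCertificate -HostName 'da.example.com'   # constructed placeholder
"Listener certificate: $($cert.Subject), issued by $($cert.Issuer), expires $($cert.NotAfter)"
Test-CertCrlReachability -Cert $cert | Format-Table -AutoSize
```

A row with Reachable = False for every HTTP URL is exactly the situation the post describes: the clients work until their cached CRL expires, then stop.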

If you use, or are considering, DA without UAG, Win8 has a lot of improvements regarding DA (features you previously only found in UAG).

For a complete list check out http://technet.microsoft.com/nb-no/library/hh831416.aspx


Troubleshooting slow logon/boot on Win7

No comments August 17th, 2012

As I mentioned in an earlier post, slow logons can have many causes and troubleshooting them is often time consuming. I recommend downloading the ADK tools for Win8 (for the moment they are for the Consumer Preview) and using “Windows Performance Recorder” and “Windows Performance Analyzer” to help you find the culprit.

To get an overview of the tool and some examples, take a look at this excellent TechEd session: How many coffees can you drink while Windows 7 boots?

GPO to remove ISATAP blocking from DNS

1 comment August 6th, 2012

When you use DirectAccess (DA) you have to unblock ISATAP on your DNS servers, so that clients doing a DNS lookup for ISATAP get an answer.

If you add a new domain controller with the DNS role, you must remember to remove ISATAP from the block list. You removed it on your DNS servers when you configured DA a long time ago, but will you or your successor remember to remove the block when a new DC/DNS is added?

I didn't, until I saw event ID 7600 on the new DC/DNS…

To see the current settings:

dnscmd /info /globalqueryblocklist

To remove ISATAP manually from the block list (the command replaces the whole list, so only wpad remains blocked):

dnscmd /config /globalqueryblocklist wpad

To avoid this from happening in the future, I configured a Group Policy (GPO) to do the job. I reckon a GPO is more reliable than a Teflon brain.

Open the Group Policy Management console.

Create the WMI filter:

First you need to create a WMI filter so the GPO only applies to servers with the DNS Server role. Give it a meaningful name.

Query:  SELECT id FROM Win32_ServerFeature WHERE id = "13"

(ID 13 = DNS Server)

Create the GPO/GPP:

Group Policy Objects -> New

Give it a name. I called it “GPP_Unblock_ISATAP”.

Computer Configuration – Preferences – Windows Settings – Registry

Choose New – Registry Item

Action: Update

Path: HKLM\System\CurrentControlSet\Services\DNS\Parameters

Name: GlobalQueryBlockList

Value to remove: isatap

Link the GPO to the WMI filter you created:

Link the GPO to the OU where your DNS servers reside. I linked it to the Domain Controllers OU since we don't have any standalone DNS servers. The WMI filter only matches DNS servers anyway, so you can link it higher up.

You'll have to restart the DNS Server service, or reboot the server, before the setting is applied. Check the status with “dnscmd /info /globalqueryblocklist”. If ISATAP is not present you are good to go.

Note that this only applies to Win2008 and newer, since legacy OSes don't have the Win32_ServerFeature class.

If you have Win2003 DNS servers, you'll see that the WMI filter returns “false” and the GPO will not apply:

On Win2008 and newer:
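To find the DC/DNS that was forgotten before a 7600 event does, here is an audit across all domain controllers (example code, not from the original post). It evaluates the same Win32_ServerFeature id 13 test the WMI filter uses and reads the same GlobalQueryBlockList registry value the GPP updates; it needs the ActiveDirectory module and WinRM access to the DCs.

```powershell
# Added example, not part of the original post.
# Reports, per domain controller, whether it holds the DNS Server role and whether
# isatap is still in its global query block list.
function Get-IsatapBlockStatus {
    param(
        [string[]]$ComputerName = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
    )
    Invoke-Command -ComputerName $ComputerName -ErrorAction Continue -ScriptBlock {
        # Same test as the GPO's WMI filter: id 13 = DNS Server (Win2008 and newer only)
        $isDns = [bool](Get-WmiObject Win32_ServerFeature -Filter 'id = 13')
        $list  = @()
        if ($isDns) {
            # REG_MULTI_SZ value the GPP registry item edits; read as a string array
            $list = (Get-ItemProperty 'HKLM:\System\CurrentControlSet\Services\DNS\Parameters' `
                        -Name GlobalQueryBlockList -ErrorAction SilentlyContinue).GlobalQueryBlockList
        }
        [pscustomobject]@{
            Computer      = $env:COMPUTERNAME
            DnsRole       = $isDns
            BlockList     = ($list -join ',')
            IsatapBlocked = ($list -contains 'isatap')   # -contains is case-insensitive
        }
    } | Select-Object Computer, DnsRole, BlockList, IsatapBlocked
}

Get-IsatapBlockStatus | Format-Table -AutoSize
# Any row with DnsRole = True and IsatapBlocked = True is a server where DA clients get
# no answer for ISATAP until the GPO applies and the DNS Server service is restarted.
```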

TechEd Europe 2012

No comments July 18th, 2012

Were you unable to attend TechEd Europe 2012 in Amsterdam?

Don’t worry. You can view all the sessions on-demand at Microsoft Channel 9 for free.

TechEd: Microsoft Channel 9

Publish Lync with UAG

11 comments May 24th, 2012

Do you use Microsoft Forefront UAG 2010 to publish Lync and have problems getting it to work?

My co-worker Robert had struggled with this for some time, but he finally managed to get Lync and mobility to work over UAG.

First we tried using the TMG part of UAG, and it worked, but I could not restart the server after the configuration. If I restarted the server, HTTP and HTTPS traffic was blocked by the TMG default rule. Other weird things also happened if we changed the UAG config.

We opened a support request (SR) with Microsoft, and they told us that using the TMG part of UAG is not supported. It can work in some cases, but configuration changes in UAG can break it. Microsoft says that you should never touch the TMG settings on a UAG server.

So here is what we did on the UAG:

We added one more public IP address to the external leg of the UAG, so we have two IP addresses for Lync: one IP for lyncweb, meet and dialin, and a second IP dedicated to lyncdiscover.

We created a new HTTPS trunk for lyncweb, meet and dialin and changed the Session settings like this:

Important: “Disable scripting for portal application” has to be ticked on the Lync trunk. This cannot be ticked on a trunk for e.g. Exchange or SharePoint, therefore you have to create a dedicated trunk for Lync.

We created a new http trunk for lyncdiscover and changed the Session settings like this:

Our UAG console now looks like this:

The HTTPS Lync trunk looks like this:

The HTTP lyncdiscover trunk looks like this:

Update:

Mobile clients will get the logon server information unencrypted if you configure lyncdiscover on an HTTP trunk. You can skip the extra IP and configure lyncdiscover on the Lync HTTPS trunk by doing:

Credit to Robert for getting this to work. Hope it will work for you too 🙂