a blog about nothing

In SCVMM 2012 R2 we suddenly couldn’t deploy VMs from a template, install “Virtual Guest Services Tools”, etc. All jobs failed with the following:

Error (2912)

An internal error has occurred trying to contact the server.domain.com server: NO_PARAM: NO_PARAM.

WinRM: URL: [http://server.domain.com:5985], Verb: [INVOKE], Method: [GetError], Resource: [http://schemas.microsoft.com/wbem/wsman/1/wmi/root/microsoft/bits/BitsClientJob?JobId={62469246-350C-4ADE-A0BE-80D9E30C382D}]

Unknown error (0x80072f05)

Recommended Action

Check that WS-Management service is installed and running on server server.domain.com. For more information use the command “winrm helpmsg hresult”. If server.domain.com is a host/library/update server or a PXE server role then ensure that VMM agent is installed and running. Refer to http://support.microsoft.com/kb/2742275 for more details.

We verified that we could connect to “server.domain.com” on TCP 5985 from the VMM server.

[PowerShell]:

tnc server.domain.com -Port 5985

Checking the self-signed certificate on the VMM server it showed that it was expired. (01.01.2018)

Resolution:

Delete the expired certificate from the VMM server’s Personal Store and create a new one:

[PowerShell]:

$credential = get-credential

Get-VMMManagedComputer -ComputerName “VMM-Server.domain.com” | Register-SCVMMManagedComputer -Credential $credential

You will now get a new certificate which is valid for 5 years.

If you are going to live migrate from a Hyper-V 2012 cluster to a Hyper-V 2012R2 cluster, the virtual switch name must be the same on the hosts.

We needed to rename the switch on the 2012R2 host, so we just deleted the switch in VMM and recreated it with the same name as the 2012 servers had.

Doing so gave us this error:

Error (25230)

Unable to find extension (0d37c9f0-ea6c-47a0-9c42-4baeba3768d1) on 
virtual switch (Hyper-V Logical Switch)

Recommended Action

Verify the extensions installed on the host and retry the operation.

Searching the Internet did not give us any leads.

Ran: Get-VMSwitchExtension -VMSwitchName “Hyper-V Logical Switch” | select id

This returned the IDs from the extensions attached to the virtual switch, and we saw the ID from the 25230 error was missing.

Solution:

Uninstall the DHCP extension from Add-Remove program. It was not removed when the virtual switch was removed.

Creating a new virtual switch added the DHCP extension back to the server.

COYS

If you have configured User Profile Disk (UPD) to be used with Virtual Desktops or Session Hosts (a.k.a. terminal services) you had to set a quota on the profile (the UPD which is a .vhdx file).

If you set the quota to i.e. 1 GB there might be some users filling it up with i.e. photos/videos and you’ll have to extend his/her .vhdx file:

1. The affected user have to be logged off so the .vhdx file is not mounted
2. Locate the UPD share and translate the user’s SID to username so you’ll get the correct file http://gallery.technet.microsoft.com/Retrieve-usernames-for-a-94780a9e
3. Take a backup (copy) of the file just in case…
4. Resize the disk (either within Hyper-V Manager or with PowerShell)
5. Mount the file and extend the disk within Disk Manager

I’ll show how this can be done with PowerShell.

After I have located the correct .vhdx file you can see the (max) size is 1 GB:

Run the Hyper-V cmdlets “Resize-VHD”:

Syntax: Resize-VHD –Path <to the .vhdx file> -SizeBytes xGB

Here I increase the size to 2 GB.

 Mount the .vhdx file and open Disk Manager

You’ll now see there are 1GB unallocated that you’ll have to claim

Extend the disk/volume

And the disk is now 2GB

Remember to unmounts/eject the disk/volume so the user can log on again.

If you’d like a glance/overview of Win8 for ITPros, I recomend you to have a look at the “Introducing Windows 8” preview.

Text stolen from the MCP newsletter:

“This complimentary e-book explores the great new features Windows 8 offers for IT professionals and businesses. It’s designed to help prepare you for deployment of Windows 8, deliver apps, and manage recovery, security, and virtualization”

You can download it from here: http://download.microsoft.com/download/B/1/E/B1E7F4C9-304D-456C-BD96-A2287FA7871D/Microsoft_Press_ebook_Introducing_Windows_8_PDF.pdf

If you use DirectAccess (DA), should you use a certificate on the IP-HTTPS listener from your internal CA or from a third party CA?

If you use a certificate from your internal CA, you’ll have to publish the CRL so it can be reached from the outside. If you don’t do it, external DA clients will remove the CRL from the cache after 24 hours and they will not be able to check if the certificate has been revoked or similar. DA will not work for them until they put their laptop in the internal network, and are able to reach the CRL.

The default time for the cache is 24 hours.

So I would not bother publishing the CRL, but instead use a third party certificate on the IP-HPPS listener.

If you use or consider using DA without UAG, Win8 has a lot of improvements regarding DA (features you only found in UAG).

For a complete list check out http://technet.microsoft.com/nb-no/library/hh831416.aspx

Were you unable to attend at TechEd Europe 2012 in Amsterdam?

Don’t worry. You can view all the sessions on-demand at Microsoft Channel 9 for free.

TechEd: Microsoft Channel 9

Do you use Microsoft Forefront UAG 2010 to publish Lync and having problems to get it to work?

My co-worker Robert had struggeled with this for some time, but finally he managed to get Lync and mobility to work over UAG.

First we tried using the TMG part of the UAG and it worked, but I could not restart the server after the configuration. If I restarted the server the HTTP and HTTPS traffic was blocked by the default rule of the TMG. Other weirdo’s did also happened if we changed the UAG config.

We started a SR with Microsoft and they told us that using the TMG part of the UAG was not supported. It can work in some cases but if you do some configuration changes in UAG it can be broken. MS says that you should never touch the TMG settings on a UAG server.

So here is what we did on the UAG:

We added one more public IP address to the External leg of the UAG, so we have two IP addresses for Lync. One IP for lyncweb, meet and dialin. The second IP was dedicated for lyncdiscover.

We created a new HTTPS trunk for lyncweb, meet and dialin and changed the Session settings like this:

Important: The “Disable scripting for portal application” have to be ticked on the Lync trunk. This cannot be ticked on a trunk for i.e. Exchange or SharePoint. Therefor you have to create a new dedicated trunk for Lync.

We created a new http trunk for lyncdiscover and changed the Session settings like this:

Our uag console now looks like this:

The https Lync looks like this:

The http lyncdiscover looks like this:

Update:

Mobile clients will get logon servers unencrypted if you configuring the lyncdiscover on a HTTP trunk. You can skip the extra IP and configure the lyncdiscover on the Lync HTTPS trunk by doing:

Credit to Robert for getting this to work. Hope it will work for you too 🙂

To access Dynamics CRM 4 (on premise) from the Internet, you’d to configure IFD and you could use i.e. ISA in a DMZ if you didn’t want the CRM server to be facing the Internet.

If you decided to use ISA you couldn’t use the built-in security provided by ISA/UAG, but you had to just tunnel all traffic through and let the CRM server authenticate the user. This was not so cool, but it was fairly easy to set up and configure.

With the release of Dynamics CRM 2011 things started to get a little more complicated. If you wanted to access CRM from the Internet you’d to configure claims-based authentication, ADFS 2.0 and IFD. UAG was not supported.

I was taken by surprise when I read about this, since Microsoft uses UAG to make i.e. Exchange and SharePoint more secure. Did they forget about CRM?

Products like Citrix Access Gateway began to take a sole lead.

Things changed with the release of UAG Service Pack 1. CRM is now supported to be published via UAG. You don’t need to set up ADFS and claims. Let the UAG do the job to secure and authenticate the users. With or without two-factor authentication like RSA.

Easy to configure, easy to understand 🙂

Reference:

Publishing: http://technet.microsoft.com/en-us/library/hh490315.aspx
UAG: http://www.microsoft.com/en-us/server-cloud/forefront/unified-access-gateway.aspx

We recently had a two day visit by some folks from Microsoft Norway. Good food and drinking, driving ATVs, and talking. We talked much about how MS saw the future and things like Lync, Intune, Hyper-V, Windows mobile, Win 8 and Win Server 8.

We are in the middle of a Oracle consolidation, so what is better than giving us some really cool t-shirts and say good luck?

This is not an Active Directory entry, so I’ll tag it with “nothing” 🙂

We have been living happily in an environment with a fully patched Exchange 2007 organization and Outlook 2007/2010 clients. Autodiscover working like a charm using SRV-records for redirection. The joy suddenly stopped when a client had bought a Mac with “Entourage 2008”.

We knew that the autodiscover worked on Mac’s bundled mail client “Mail”, so it was out of the question that a Microsoft product like Entourage 2008 wouldn’t work.

How wrong could I be… I updated the Entourage with the latest patches, but it didn’t want to connect to the Exchange (CAS) through an ISA server.

Entourage 2004 used WebDAV, but 2008 should use EWS. I googled around and found on some forums that Entourage didn’t support SRV-records for autodiscover. BAH!

After further searching I got a track of “Entourage 2008, Web Services Edition”. I downloaded it and got it installed.

Voila!

It connected to the mailbox without issues using autodiscover. I didn’t have to modify the “Outlook Anywhere”  ISA rule as the /ews/* path already was set. The EWS directory on the CAS was left with default values.

You’ll find the Web Services Edition here.