Tuesday, November 11, 2014
5:59 PM | Posted by Andreas Panagopoulos | |
- Configure network access account
- SCCM Console --> Administration --> Site Configuration --> Sites
- Right-click site --> Configure Site Components --> Software Distribution --> Properties --> Network Access Account tab
- Specify account with sufficient permissions
- Specify FQDN
- Launch Configuration Manager Console
- From the left pane of the Configuration Manager Console, click Administration
- Expand Site Configuration and click Servers and Site System Roles
- Click on the server or site system
- On the bottom pane under Site System Roles, right-click Site system and click Properties
- Select the Specify an FQDN for this site system for use on the Internet check box
- In the Internet FQDN field, provide the full FQDN
- Install Dell Server Deployment Pack 3.0.x
- Download from http://en.community.dell.com/techcenter/systems-management/w/wiki/4125.dell-server-deployment-pack-dsdp-for-configuration-manager
- Extract to C:\DSDP and install
- DTK 4.4
- Dell Systems Management Tools and Documentation DVD ISO, v.7.4
CONFIGURE SCCM with DSDP
Importing a DTK Package
- SCCM --> Software Library --> Overview --> Application Management --> Packages
- Right click --> Dell PowerEdge Server Deployment --> Launch Deployment Toolkit Configuration Wizard
- Select the downloaded DTK 4.4 self-extracting zip
- Use Boot Image from WAIK/ADK tools
- Complete wizard
Creating a Boot Image for Deploying Dell PowerEdge Servers
- SCCM --> Software Library --> Overview --> Operating Systems --> Boot Images
- Right click --> Dell PowerEdge Server Deployment --> Create Dell Server Boot Image
- Use Boot Image from WAIK/ADK tools
- Complete wizard
- On created image, enter properties and on the Distribution Settings Tab, check the box to distribute content
- On the Customization Tab, make sure the "Enable command support" box is checked
Importing Dell Server Driver Packages
- Mount/insert OMSA (Dell Systems Management Tools and Documentation DVD ISO, v.7.4)
- SCCM --> Software Library --> Overview --> Operating Systems --> Driver Packages
- Right-click --> Dell Server Driver Package --> Import
- Select Model and OS version
Distributing Content and Updating Distribution Points
- On all configured Library items:
- Dell Packages
- Boot Image(s)
- Software Library → Overview → Application Management → Packages → Dell PowerEdge Deployment --> Poweredge Deployment Toolkit Integration
- Right-click → Distribute content
- Right-click → Update Distribution Point
CREATE TASK SEQUENCE:
- In Assets and Compliance create a new folder called "Deployment"
- In the Deployment folder create a Device Collection called "Bare Metal Deployment Collection"
- Under "Devices" click on "Import Computer Information"
- Enter a name and the MAC address of the PXE-enabled adapter
- Add the computer to the previously created collection
CREATE THE TASK SEQUENCE
- Software Library → Operating Systems → Task Sequences → Right click → Dell Bare Metal Deployment → Create Dell PowerEdge Server Deployment Template
- Enter Name
- Use Boot Image created in previous steps
- In server hardware select RAID config.
- Add Network Access Account
- Use WIM Image
- No Sysprep
- In order for RebootStep variable to be set and incremented, task sequence needs to be run DIRECTLY from a Distribution Point
- To enable this option in Task Sequence Deployment, ensure for all packages: under package properties → Data Access → "Copy the content in this package to a package share on distribution points" must be selected, AND content must be distributed to relevant Distribution point AND DP updated
- DEFAULT CONFIGURATION MANAGER CLIENT PACKAGE has this option grayed out.
- To create a custom package, Go to Software Library → Application Management → right-click on Packages → Create new Package
- In the wizard type a new package name
- Click "this package contains source files"
- Select source folder, location MUST be a network path: \\sccm_server\SMS_SiteID\client
- Program type = do not create program
- After package is created go to its properties, and select "Copy the content in this package to a package share on distribution points" under package properties → Data Access
- Edit created task sequence
- Consider removing "Set Boot Order" from STEP 1
- In set RAID config → set to wizard and create e.g. a RAID1 array AND save as variable
- In STEP 2
- BEFORE Format and Partition Disk, add new task GENERAL → Run Command Line
- Name: Release C and D Drive Letters
- Command Line: Release_Drive_Letters.bat
- Package: Dell PowerEdge Custom Reboot Script
- On Format and Partition Disk, create 2 volumes:
- Volume 1: Primary, no name, specific size 350 MB, make boot, do not assign drive letter, NTFS, quick format
- Volume 2: Primary, no name, size 100%, NTFS, quick format, Variable: OSDisk
- IMMEDIATELY BEFORE the Apply Operating System Image (last task in step 2) add a new task from General → Set Task Sequence Variable
- Name: Set OSDPreserveDriveLetter
- Task Sequence Variable: OSDPreserveDriveLetter
- Value: FALSE
- On Apply Operating System Image choose the captured image package
- Image should be 2 - 2, if the captured image contains a system reserved partition
- In DESTINATION choose: Logical drive letter stored in a variable
- Variable Name: OSDisk
- In Apply Windows Settings and Network Settings, set properties
- In Apply Driver Package, select the appropriate package (created in previous steps)
- Leave Apply Device Drivers as is
- In Setup Windows and ConfigMgr, select previously created custom SCCM client package
- Add task to install Software upadtes
- Copy "Release_Drive_Letters.bat" to C:\Program Files\Microsoft Configuration Manager\OSD\Lib\Packages\Deployment\Dell\PowerEdge\CustomReboot
- Go to Software Library → Application Management → Packages → Dell PowerEdge Deployment → PowerEdge Custom Reboot Script
- Right-click → Update Distribution Points
DEPLOY TASK SEQUENCE TO DEPLOYMENT COLLECTION
When going through the Deploy Software Wizard, under Distribution points select: Access content directly from a distribution point when needed by the running task sequence
EDIT: The importance of "Release_Drive_Letters.bat"
Most modern servers, certainly Dell 11th and 12th gen, now usually have a vFlash SD card on the iDRAC controller. For whatever reason, and regardless on any boot sequence config you do on the BIOS settings, this always show up as C drive whenever you boot the server with an SCCM boot image.
This behavior totally messes up the SCCM image boot sequence and OS install fails. Therefore it is very important to release all drive letters prior to the OS installation for it to run smoothly.
To do this you need to create the following batch file. Copy the script below to "Release_Drive_Letters.bat" :
Applying this batch file at the beginning of Step 2 of the task sequence (before formatting and partitioning disks ensures a smooth and successful workflow.
title "Changing device drive letters..."
echo Changing device drive letters...
:: Create a script file to be used by diskpart and then dump all volumes to a temp file
echo list volume > %systemdrive%\ListDrives.tmp
diskpart /s %systemdrive%\ListDrives.tmp > %systemdrive%\CurrentDrives.tmp
:: Parse the output from 'Diskpart> list volume' for available volumes
:: To change the following so that it works on different drive letters change the "C ____" and the set DriveC= to match the drive letter you want to move
:: See the following samples for examples of how to change the drive you want to move
echo Checking drive C: for devices that need to be moved...
FOR /F "tokens=2-4" %%a IN (%systemdrive%\CurrentDrives.tmp) DO @IF /I "%%b %%c" == "C Removable" @echo Drive %%b was found to have a %%c and will be moved... & @set DriveC=%%a
FOR /F "tokens=2-4" %%a IN (%systemdrive%\CurrentDrives.tmp) DO @IF /I "%%b %%c" == "C CD-ROM" @echo Drive %%b was found to have a %%c and will be moved... & @set DriveC=%%a
FOR /F "tokens=2-4" %%a IN (%systemdrive%\CurrentDrives.tmp) DO @IF /I "%%b %%c" == "C DVD-ROM" @echo Drive %%b was found to have a %%c and will be moved... & @set DriveC=%%a
echo Checking drive G: for devices that need to be moved...
FOR /F "tokens=2-4" %%a IN (%systemdrive%\CurrentDrives.tmp) DO @IF /I "%%b %%c" == "D Removable" @echo Drive %%b was found to have a %%c and will be moved... & @set DriveD=%%a
FOR /F "tokens=2-4" %%a IN (%systemdrive%\CurrentDrives.tmp) DO @IF /I "%%b %%c" == "D CD-ROM" @echo Drive %%b was found to have a %%c and will be moved... & @set DriveD=%%a
FOR /F "tokens=2-4" %%a IN (%systemdrive%\CurrentDrives.tmp) DO @IF /I "%%b %%c" == "D DVD-ROM" @echo Drive %%b was found to have a %%c and will be moved... & @set DriveD=%%a
:: In the following change the Drive_ and the letter=_: to match the drive you want to move from and to
IF DEFINED DriveC set ChangeNeeded=1
IF DEFINED DriveC echo select volume %DriveC% >> %systemdrive%\ChangeDrive.tmp
IF DEFINED DriveC echo assign letter=Z: >> %systemdrive%\ChangeDrive.tmp
IF DEFINED DriveC set DriveC=
IF DEFINED DriveD set ChangeNeeded=1
IF DEFINED DriveD echo select volume %DriveD% >> %systemdrive%\ChangeDrive.tmp
IF DEFINED DriveD echo assign letter=Y: >> %systemdrive%\ChangeDrive.tmp
IF DEFINED DriveD set DriveD=
:: Run diskpart using the new script file, wait 15 seconds before running per a note on http://msdn.microsoft.com/en-US/library/ff794606.aspx
if "%ChangeNeeded%" == "1" (
echo Changing devices to new drive letters...
ping -n 15 localhost 1>nul 2>nul
diskpart /s %systemdrive%\ChangeDrive.tmp 1>nul 2>nul
) else (
echo No devices need to be changed...
:: Delete the script files
del /q /f %systemdrive%\ListDrives.tmp 1>nul 2>nul
del /q /f %systemdrive%\CurrentDrives.tmp 1>nul 2>nul
del /q /f %systemdrive%\ChangeDrive.tmp 1>nul 2>nul
exit /b 0
Wednesday, April 18, 2012
3:42 PM | Posted by Andreas Panagopoulos | |
- Sign in to the Microsoft Online Services Portal with your Office 365 Administrator Credentials
- On the Admin page, under Management, click Domains
- Click Add a domain
- Type the name of the domain you would like to add (e.g. itguy.gr)
- Click Next
- Click Verify domain
- Add a TXT record on your public DNS system
Destination Host: autodiscover.outlook.com
Mail server: contoso-com.mail.eo.outlook.com
- Two Windows 2008 or 2008 R2 hosts joined to your domain. One will server as the primary server (the one you will install ADFS first) and the other as backup.
- One IP address that will serve as your NLB cluster IP Address
- One DNS A record (in your internal DNS servers) in the form: sts.yourdomain.com
- One trusted third-party SSL certificate
- Install the Network Load Balancing Feature on both servers and set up an NLB cluster. Make sure you define a port rule just for HTTPS (TCP port 443)
- Go to the primary ADFS server (i.e. the one you will install ADFS first), go to IIS Manager and create a certificate request. Tho points to pay attention to:
- As a certificate common name use: sts.yourdomain.com
- As a bit length use: 2048
- Now use the certificate request you created to obtain an SSL certificate from a third-party provider. (hint: if you're creating a lab or you just don't care too much about security give www.startssl.com a go... one year SSL certificate 100% free!!!)
- Install the certificate in the primary ADFS server's IIS manager. Also go to bindings, and select the newly-imported certificate for HTTPS
- Now extract the certificate with its private key (.pfx) and repeat step 4 on the secondary ADFS server's IIS
- Create an ADFS service account
- Create it as a user in Active Directory Users and Computers
- Make sure "User cannot change password" and "Password never expires" is selected
- Set the SPN of the service account as described here
- Install ADFS 2.0 on both servers
- Obtain installation package here
- On the Server Role page of the ADFS 2.0 setup wizard, make sure you select "Federation Server"
- Install the ADFS Update Rollup 1
- Install Microsoft Online Services Sign-in Assistant
- Install Microsoft Online Services Module for Windows PowerShell
- Configure First Federation Server in Federation Server Farm
- Add Secondary Federation Server to Federation Server Farm
- Start Windows PowerShell as an administrator. To do this, right-click the Windows PowerShell shortcut, and then click Run As Administrator.
- To configure Windows PowerShell for remoting (this will enable Remote PowerShell on the ADFS server. Skipping this step will result in an authentication error), type the following command, and then press ENTER: Enable-PSRemoting -force
- Open Microsoft Online Services Module for Windows PowerShell as an administrator.
- Type cd\ and press Enter.
- Type $cred=Get-Credential and press Enter.
- Enter your Office 365 administrator name and password and click OK.
- Type Connect-MsolService –Credential $cred and press Enter.
- Type Set-MsolAdfscontext -Computer <AD FS 2.0 primary server> and press Enter
- Type New-MsolFederatedDomain -DomainName yourdomain.com and press Enter
- Now type Get-MsolFederationProperty -DomainName yourdomain.com and press Enter (this should bring up a bunch of data regarding certificates and sign in URLs)
- Download and run the Microsoft Office 365 Deployment Readiness Tool
If the tool has found any discrepancies, you'll need to fix them before continuing.
Great! Now log on to Microsoft Online Services, and:
- Go to Admin
- Click on Management, then Users
- Click on "Single sign-on: set up"
- On step 6 "Activate Active Directory Synchronization" click on "Activate"
- On step 7, download the Directory Synchronization Tool.
- Choose a machine to install the Directory Synchronization Tool on. The constraints are:
- This machine must be a domain joined computer
- It must be a highly-trusted PC or server that only trusted administrators have physical or remote access to.
- It must not be a domain controller
- It must not be one the of the ADFS servers
- If you run the Directory Synchronization Tool straight away it will fail! You'll need to do this first:
- Click Start, right-click Computer, and then click Manage.
- Under Computer Management, expand Local Users and Groups, and then expand Groups.
- Make sure that the MIISAdmins group exists. If the group is missing, create a group that is named MIISAdmins.
- Add yourself to the group.
- Log off from the computer, and then log on to establish the new group membership in the access token.
- You will need to type your Microsoft Online Services Admin Credentials as well as an on-premises Enterprise Admin Credentials
- On the Exchange hybrid deployment, check the box and click on Finish to Synchronize Directories
- On the computer that is running the Directory Synchronization tool, navigate to the directory synchronization installation folder. By default, it is located here: %programfiles%\Microsoft Online Directory Sync.
- Double-click DirSyncConfigShell.psc1 to open a Windows PowerShell window with the cmdlets loaded.
- In the Windows PowerShell window, type Start-OnlineCoexistenceSync, and then press ENTER.
Configuring the ADFS Proxy
So, now that the integration with the on-premises Active Directory and Office 365 is complete, it's time to configure the ADFS Proxy. What Microsoft recommends, and you should take this recommendation seriously, is that you utilize 2 load-balanced proxy servers. For the purposes of this article we will use only one ADFS Proxy server, but all you need to do to get your load-balanced pair is essentially to configure a second ADFS Proxy and set up NLB on both as described previously in this article.
What you'll need for this part:
- One Windows 2008 or 2008 R2 server
- Access to modify your external DNS records
- The certificate you used on your internal ADFS servers
- A working DMZ Topology
- Appropriate rules on your corporate firewall
- First of all, configure your Windows server, position it on the DMZ and make sure there is connectivity both to the Internet and your internal network
- Install the IIS Role with the default options, import the certificate you installed to the internal ADFS servers, and configure the bindings for port 443
- Add the respective Host Name and IP address of the ADFS NLB Cluster you created earlier to the ADFS Proxy server's Hosts file
- Create a new A record on your public DNS server with the name sts.yourdomain.com (exactly like the one you created on you internal DNS servers) and point it to the public IP address you will use for your ADFS Proxy
- Configure your firewall so that HTTPS requests on this IP will be forwarded to your ADFS Proxy
- Make sure you can:
- ping the load-balanced internal ADFS server farm (sts.yourdomain.com)
- browse to this link: https://sts.yourdomain.com/federationmetadata/2007-06/federationmetadata.xml
- On IE 9, hit the 'Compatibility View' button, then you should be able to browse the XML contents
- On the "Specify Federation Service Name" type: sts.yourdomain.com, i.e. the exact same name of the internal load-balanced ADFS server farm we configured earlier
- The "Use an HTTP proxy server when sending requests to this federation service" IS STUPID!!! Why on earth would we need yet another proxy, to proxy our proxy's requests!!!! Make sure this check box remains unselected and hit "Test Connection". If network connectivity is working you will get a "The specified Federation Service was contacted successfully" message.
- Hit Next, and you're prompted for the logon credentials for the internal ADFS server farm. Remember the ADFS service account you created? That's the one. You're supposed to enter the credentials in the form
But first go to Server Manager's Main Page, click on "Configure IE ESC" and turn it off for both users and administrators. Don't, and you'll get "unable to establish a trust between the federation server proxy and the federation service" errors
- On "Ready to Apply Settings, click on Next and watch the magic happen!
- Open Event Viewer
- In the details pane, double-click Applications and Services Logs, expand AD FS 2.0, then click on Admin
- On the Event ID column, look for event ID 198
- Log on to a computer that sits outside your corporate network (so that it will be directed to your ADFS Proxy server
- In an Internet Explorer window, type https://portal.microsoftonline.com
- In the User ID field, type your corporate username (e.g. email@example.com)
- The web page should update with the "You are now required to sign in at yourdomain.com" message
- Click the sign-in link and in the sign-in page and enter your domain credentials
- If this takes you to the Microsoft Online Services Portal home screen, then you can pat yourself to the back; the ADFS system you just configured works
- If not, re-check what we've done so far and that you haven't skipped a step. You can also check Adam Conkle's great post on this TechNet thread: http://social.msdn.microsoft.com/Forums/en-US/Geneva/thread/bd815b4e-70be-4f1c-ac7f-a5e9ac5aea02?prof=required
Great, all done then?? Not quite! It's the on-premises Exchange 2010 server's turn!
- On your Hybrid Exchange server install Microsoft Online Services Sign-in Assistant (the one you installed on your ADFS Farm servers) AND Microsoft Online Services Module for Windows PowerShell
- Open the Exchange Management Console and click the Microsoft Exchange node (the top-most node in the tree)
- In the action pane, click Add Exchange Forest.
- In the friendly name type "Office 365". This name will display in the console tree.
- In the FQDN field just select "Exchange Online" from the drop-down list
- DO NOT check the "Logon with default credential" box
- Click OK and a credentials dialog box appears. Type the Office365 Admin account and corresponding password. For example:firstname.lastname@example.org
- Watch in awe as your Office 365 organization appears on the EMC console!!
- On EMC, go to Organization Configuration and on the Actions pane, click on New Federation Trust
- Click on New and then on finish and you're done
- Right click under Organization Configuration and choose New Hybrid Configuration
- Go through the 2 steps of the wizard and click on finishThis was too easy, now comes the tricky part
- Right-click on the Hybrid Configuration and choose Manage. The Manage Hybrid Configuration opens
- On the credentials screen, type in the appropriate usernames and passwords. What I suggest you do is (since we've already synchronized Active Directory) to enable an Active Directory user that is member of the on-premises Organization Management role group, as a Global Administrator in Office 365. This way, you can use the same account for both fields
- Under Domains, choose your hybrid domain
- On the next step you will be asked to create a TXT record on your public DNS servers with a Record Value that is a lengthy string of alphanumeric characters. Check the box to confirm that the TXT record has been created
- Next up, choose your hybrid on-premises CAS and HUB servers
- Under Mail Flow Settings type the Public IP address of your on-premises Exchange server (i.e. the one on the public MX record), then type the FQDN of the HUB server you chose in the previous step
- Mail Flow Security is pretty much straightforward, the third-party certificate is already there, and for the Mail Flow Path choose the first option (as discussed in the beginning of this article).
- Click next but don't go any further just yet! If you continue you will most likely get an error and the wizard will fail with something like:
Execution of the Get-FederationInformation cmdlet had thrown an exception. Federation information could not be received from the external organization.
Exception has been thrown by the target of an invocation
What on earth is wrong? Well, either the MRSProxy is disabled, or WSSecurity is disabled, or the MRSProxy is unreachable from the Internet.
Regardless of where exactly the fault lies, do all of the following:
- On your Hybrid Server's Exchange PowerShell, enter this command:Set-AutodiscoverVirtualDirectory -Identity ‘autodiscover (Default Web Site)’ –WSSecurityAuthentication $trueto enable WSSecurity authentication for autodiscover on your hybrid server, and...
- On your Hybrid Server's Exchange PowerShell, enter this command:Set-WebServicesVirtualDirectory -Identity "EWS (Default Web Site)" -MRSProxyEnabled $true -MRSProxyMaxConnections 100The rule of thumb is that the larger number you use for the MRSProxyMaxConnections parameter, the less chances there are that a timeout will occur for large simultaneous mailbox moves.
- Create a new publishing rule for Autodiscover in your TMG server.To get your hybrid scenario working, you will need to set up an additional ISA/TMG rule pointing to the hybrid server, using the proper public names (don’t forget autodiscover), bound to the OWA listener. You need to allow All Users (as opposed to Authenticated Users), set authentication to “No Authentication, but users can authenticate directly” and configure the following paths:
After configuring the rule, you need to put it above all the other Exchange rules, making it the first matching rule when federation traffic hits ISA/TMG.
Now you're ready to go through with the wizard and bask in the glory of your success!!!
We're almost done. What have we done so far?
- We've configured our SSO domain with Office 365
- set up public DNS records
- installed an internal ADFS server farm
- enabled Single Sign-On
- configured Active Directory Synchronization
- installed our ADFS proxy on the DMZ
- verified the ADFS bit is all interoperable
- configured our on-premises Exchange 2010 hybrid server for Office 365
- On the EMC console, go to the on-premises node --> Recipient Configuration --> Mailbox
- Right-click the mailbox you want to move and choose New Remote Move Request
- On the Connection Configurations windows, under "FQDN of the Microsoft Exchange Mailbox Replication service proxy" type the Internet FQDN of your hybrid server. Definitely consider typing in a domain admin credentials for this test.
- Under Move Settings, for the Target Delivery Domain browse for "yourdomain.mail.onmicrosoft.com"
- If you followed this article to the letter, the move should go without a hitch.
For good measure, test moving that mailbox back to the on-premises server:
- On the EMC console, go to the Office 365 node --> Recipient Configuration --> Mailbox
- Observe that the mailbox you just moved appears with a green arrow. This means that a move request exists for this mailbox (albeit a completed one). You will need to go to "Move Request" underneath select the move request and click on "Clear Move Request". This will enable you to move the mailbox back to the on-premises organization.
- Now right-click the test mailbox and click New Remote Move Request
- On the Connection Configurations windows, under "FQDN of the Microsoft Exchange Mailbox Replication service proxy" type the Internet FQDN of your hybrid server. Definitely type in a domain admin credentials for this test, then consider using delegated permissions
- Under Move Settings, for the Target Delivery Domain browse for "yourdomain.com". For Remote Target Database, type the on-premises database you want to move the mailbox to. Contrary to what other guides might say, just type in the database name without the server name.
- This should be enough to get the test mailbox moving back to your on-premises exchange organization.
- From Office 365 users to Internet (external) recipients
- From Office 365 users to on-premises recipients
- From on-premises users to Office 365 recipients
- From Internet (external) email users to Office 365 recipients
- On the TMG Management Console, to to Troubleshooting and on the Tasks pane click on "Control E-mail configuration Integration"
- Set the status to "Disabled" and enforce the policy.
- Go to Forefront Online Protection for Exchange Administration center and make a note of the IP addresses listed under "IP addresses to configure on your firewall".
- Login to https://portal.microsoftonline.com/ with a Global Administrator account
- Click on Outlook
- On the upper right-hand side of the Outlook page click on Options and then "See All Options"
- On the upper left-hand side click on the drop-down list arrow right from "Manage Myself" and under "Select What to Manage" click on "My Organization"
- Go to Mail Control and on the right-hand side of the page, under Forefront Online Protection for Exchange click on "Configure IP safelisting, perimeter message tracing and email policies"
- This takes you to Forefront Online Protection for Exchange for your organization. Under Information, click on Configuration.
- Copy-paste the IP addresses and subnet ranges to a text document, then arrange them in a comma-separated way, like so:184.108.40.206/24, 220.127.116.11/26, 18.104.22.168
- Now open the Exchange PowerShell on the TMG/Exchange Edge server and type the following command:New-ReceiveConnector -Name "From Cloud" -Usage Internet -RemoteIPRanges <FOPE Outbound IP Addresses> -Bindings 0.0.0.0:25 -FQDN mailserverexternalFQDN.yourdomain.com -TlsDomainCapabilities mail.messaging.microsoft.com:AcceptOorgProtocolwhere <FOPE Outbound IP Addresses>, copy-paste the comma-separated list from the text document
That all! This is all everything you need to do to get your hybrid Office 365 working.
Tuesday, February 14, 2012
5:31 PM | Posted by Andreas Panagopoulos | |
Got SCVMM 2012 RC on a Windows 2008 R2 Virtual Host. When I tried to add a new Library Share with Default Resources on an existing Library Server I got a weird error. Adding a new Library Server with another Share also produced the same error.
Here's the error:
Addition of default resources to library share (\\server.domainname.local\foldername) failed. DetailedErrorMessage: VMM could not find the specified path \\server.domainname.local\foldername\ApplicationFrameworks\WebDeploy_x86_el-GR_2.0.1070.cr\WebDeploy.msi on the SCVMM.domainname.local server.
Ensure that you have specified a valid file name parameter, and then try the operation again.
Fix the problem, then try operation again,
The server is otherwise running ace. The operation did create the ApplicationFrameworks folder inside said folder but it looked like this:
Now, the same folder inside the default MSSCVMMLibrary folder looked like this:
It is clearly a Locale issue.
Furthermore, adding an update server in the Fabric Workspace, produces Update Catalog categories in Greek in the Library Workspace. I might speak Greek but I work in English, and by then it was clear to me that this should be dealt with now, before I end up with a mixed English/Greek SCVMM Console that I won't be able to understand.
My system was set with a Greek locale, and for whatever reason, SCVMM was trying to put locale-specific files in the ApplicationFrameworks folder. That's perhaps all well for SAV (Server AppV), since the Greek version of the agent is available to SCVMM. The same is not true for the Web Deployment Tool. In fact the "WebDeploy_x86_el-GR_2.0.1070.cr" folder was empty. Why?
Having a look at the Official Microsoft IIS Site (http://www.iis.net/download/webdeploy), on the bottom right of the page you can see this:
These, and only these, are the languages which the Web Deployment Tool v.2.0 is available for. So if your SCVMM server's system locale is set on one of the above languages you're good!
If not, then SCVMM tries to copy the Web Deployment Tool files in a language format that is not available (in my case Greek), hence the 24374 error. A bit disappointing but still, it's an RC version, hopefully such issues will be ironed out in the RTM version.
So, to the solution:
Clearly, changing the server Locale back to English should do the trick.
Go to Control Panel --> Region and Language, and change all tabs back to US-English. Then go to the Administrative tab and "Copy Settings" to "Welcome Screen and System Accounts" as well as "New User Accounts", like so:
Normally, after a restart the issue should be fixed, but it isn't. Some of the locale settings have been saved in the user profiles, so these should be erased.
To do a proper job of it, do the following:
- log on the SCVMM as a local Administrator
- stop the System Center Virtual Machine Manager service
- go to: Control Panel --> System --> Advanced System Settings --> Advanced tab and under User Profiles click on Settings
- delete all User Profiles except the Default Profile.
Do a restart, and it all should be well... right? Well, if SCVMM uses a locally installed SQL instance, most likely, yes. If you're using SQL on a different server, read on.
You will notice that the System Center Virtual Machine Manager service doesn't start. In the SCVMM server's Application logs there's this error:
The signature "P6: System.FormatException" suggests there is something wrong with the System Format (which we just changed) and most importantly "P5: M.V.E.SqmRefresher.IsRefreshRequired" suggests there is something wrong with the SQM Engine refresh. SQM stands for System Quality Metrics and this most likely relates to some entry in the SCVMM database.
A look in the Application logs of the SQL server holding the SCVMM Database confirms that there's something wrong.
Not much information here but there's definitely a correlation between the error in the SCVMM server and the one in SQL server.
We need to take a look in the VirtualManagerDB database, but what should we look for? All we have is the "SqmRefresher.IsRefreshRequired" signature from the SCVMM service error. Searching for the "Refresh" string could be a start.
So how do you search an entire database (i.e. all collumns within all tables) for a single keyword?
Luckily, Narayana (http://vyaskn.tripod.com/search_all_columns_in_all_tables.htm) has written a nifty stored procedure that does exactly that. Here it is:
CREATE PROC SearchAllTables
-- Copyright 2002 Narayana Vyas Kondreddi. All rights reserved.
-- Purpose: To search all columns of all tables for a given search string
-- Written by: Narayana Vyas Kondreddi
-- Site: http://vyaskn.tripod.com
-- Tested on: SQL Server 7.0 and SQL Server 2000
-- Date modified: 28th July 2002 22:50 GMT
CREATE TABLE #Results (ColumnName nvarchar(370), ColumnValue nvarchar(3630))
SET NOCOUNT ON
DECLARE @TableName nvarchar(256), @ColumnName nvarchar(128), @SearchStr2 nvarchar(110)
SET @TableName = ''
SET @SearchStr2 = QUOTENAME('%' + @SearchStr + '%','''')
WHILE @TableName IS NOT NULL
SET @ColumnName = ''
SET @TableName =
SELECT MIN(QUOTENAME(TABLE_SCHEMA) + '.' + QUOTENAME(TABLE_NAME))
WHERE TABLE_TYPE = 'BASE TABLE'
AND QUOTENAME(TABLE_SCHEMA) + '.' + QUOTENAME(TABLE_NAME) > @TableName
QUOTENAME(TABLE_SCHEMA) + '.' + QUOTENAME(TABLE_NAME)
) = 0
WHILE (@TableName IS NOT NULL) AND (@ColumnName IS NOT NULL)
SET @ColumnName =
WHERE TABLE_SCHEMA = PARSENAME(@TableName, 2)
AND TABLE_NAME = PARSENAME(@TableName, 1)
AND DATA_TYPE IN ('char', 'varchar', 'nchar', 'nvarchar')
AND QUOTENAME(COLUMN_NAME) > @ColumnName
IF @ColumnName IS NOT NULL
INSERT INTO #Results
'SELECT ''' + @TableName + '.' + @ColumnName + ''', LEFT(' + @ColumnName + ', 3630)
FROM ' + @TableName + ' (NOLOCK) ' +
' WHERE ' + @ColumnName + ' LIKE ' + @SearchStr2
SELECT ColumnName, ColumnValue FROM #Results
So now all we have to do to search the entire database for the string 'refresh' is this query:
EXEC SearchAllTables 'refresh'
Unfortunately, the word 'refresh' is referenced in 2586 columns. Browsing through all these would be tedious. So let's look for 'sqm' instead:
EXEC SearchAllTables 'sqm'
The result looks more promising - 'sqm' is referenced in only 5 columns.
Entry #5 looks like it might be the winner. LastSQMRefreshTime might well be related to the IsRefreshRequired error.
The column is "PropertyName" and sits inside the "dbo.tbl_VMM_GlobalSetting" table, so let's have a look:
select * from dbo.tbl_VMM_GlobalSetting
Mind you, this is not the actual query I did during the troubleshooting process (forgot to take a screenshot) so the time is not right. The date/time I actually saw was a couple of days before I changed the system locale back to Eng-US.
So it was clear to me that when the System Center Virtual Machine Manager service is starting, it's checking for this specific value, it's not liking what it sees, so it stops and prints that error in the SCVMM server's Application log.
Maybe deleting this value will fix the issue. Or to be more exact, inserting a NULL where the date/time is:
update dbo.tbl_VMM_GlobalSetting set PropertyValue=NULL where propertyName='LastSQMEngineRefreshTime'
checking to see the value has actually switched to NULL:
It has, and guess what? The System Center Virtual Machine Manager service now starts!!!
Now a couple of words regarding this post:
Granted, it was an insignificant issue that I could well live with, and perhaps troubleshooting it took more time than it was worth. What I am interested in, and the reason I believe that such posts are worth sharing, is the process of troubleshooting.
Troubleshooting is a reward in itself, as it provides you with product insight that would otherwise be unattainable. You also come across valuable bits of information that you can re-use, e.g. that great SQL stored procedure that searches for keywords. It improves your confidence. Think about it; how many times do you come across an issue that the solution isn't a 10 minute Google search away??? It's a rare occurrence, and I welcome the challenge regardless of the issue's importance.
Now regarding SCVMM 2012. I'm a huge Microsoft enthusiast, in fact if you'd listen to me talk about IT, you'd think I was on Microsoft's payroll. But in the case of SCVMM, it just has these annoying little quirks that give you the feel it's an unfinished product. This is true for the 2012 as it's an RC version, but versions 2008 and 2008R2 were also quirky. Don't get me wrong, I'd pick the Hyper-V / SCVMM solution over VMWare any day and firmly believe that Microsoft will be the winner of the Hypervisor race. I just hope that the 2012 RTM version will rid itself of these minor issues and emerge as the flawless product it deserves to be.
Well, the title says it all! You will have to excuse my lack of use of images, I'll have to get back to this post and add some la...
Workaround for Citrix EdgeSight Process Usage report showing average times instead of time sums and a quick insight into using MS SQL Report Builder with queries to generate custom SQL reportsWhy oh why did Citrix botch up their great "Process Usage" report? Why do software vendors tamper with great product features ins...
Annoying "You cannot access VMM management server scvmm.domain.local" 1604 error: "Contact the Virtual Machine Manager administrator to verify that your account is a member of a valid user role and then try the operation again."Seen this before?? I just introduced SCVMM 2012 RC to my Hyper-V cluster lab environment. Set it up on a VM, it immediately saw my...
EDIT: This post is receiving a surprising amount of hits, and is being debated amongst colleagues in forums, events and gatherings, in my...
"The trust relationship between this computer and the primary domain failed" messing about with SCVMM 2012 RCI love all things Microsoft, but SCVMM turns out to be a real pain... even in its latest version. Looks like 2012 will stay in my lab envir...
Got SCVMM 2012 RC on a Windows 2008 R2 Virtual Host. When I tried to add a new Library Share with Default Resources on an existing Library...
Remember the glorious days of net send? Admittedly some of us used to scare the lives out of our 'favourite' users by sending them...
PRE-REQUISITES: Configure network access account SCCM Console --> Administration --> Site Configuratio...
First post of many to come... I'll try to keep this one short and just share what this blog will be about. We'll talk about bot...
With a mind on the cloud, eyes on virtualization and feet planted firmly on the (datacenter) ground...Hindsight is great! Too bad it comes from mistakes. Not too long ago in human time but light-years in IT time there were mainframes and...