The Network Manager at Westminster School presents solutions to sticky problems...

Thursday, 13 December 2012

Exchange 2010 UM and WMF 3.0

Windows Management Framework 3.0 is about to be rolled out over Windows Update. Do you know what will break? I do! Exchange 2010 Unified Messaging. Specifically the part which uploads media files to the server for use in the Auto Attendants. When you try to do this you will get a WinRM error:

Starting a command on remote server failed with the following error message : The WinRM client sent a request to the remote WS-Management service and was notified that the request size exceeded the configured MaxEnvelopeSize quota. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OperationStopped: (um01.westminster.org.uk:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : JobFailure
    + PSComputerName        : um01.westminster.org.uk

This is the PowerShell version of the error. The EMC will weakly complain that it has been given the above message with roughly the same text. Can you live without the ability to upload message to Exchange? I thought not.

Trust me, the about_Remote_Troubleshooting Help topic will not help you with this one. Changing the WinRM MaxEnvelopeSizekb value will not make a difference. The release notes point out that this has been change to 700. You can find out what WinRM config is set to by opening an elevated command prompt and typing 'winrm g winrm/config' to display the current config.

But WinRM/config is not the only place that MaxEnvelopeSize is specified! (See http://msdn.microsoft.com/en-us/library/windows/desktop/ee309364(v=vs.85).aspx) Hosted applications (such as Exchange PowerShell) also have their own configuration in IIS. This is typically in the system.management.wsmanagement.config xml portion of the web.config. Exchange PowerShell module has it's own virtual directory in IIS and it is here that you will need to make an amendment in order to restore functionality back to UM.

Find the web.config associated with the PowerShell IIS Virtual Directory. Found usually in the \Client Access\PowerShell directory. Make a backup. Amend the OperationsConfiguration node to add the MaxEnvelopeSizeKB="700" setting. Replace 700 with whatever MaxEnvelopeSizekb is in WinRM. (You've probably been trying to amend the value like I did and sinking into despair when it makes little difference. Go on. Admit it.) Mine now looks like this:

 
   
      ...
      <operationsconfiguration MaxEnvelopeSizeKB="700" ... >
</operationsconfiguration><
...
      ...


Reset IIS and the error should be gone. There are, of course, other issues with WMF that are detailed elsewhere. The most significant is the fact that WinRM IIS Extensions for me needed re-installing after WMF was installed, but that is well documented elsewhere.
As an additional warning, if you want to run update rollups, you will need to uninstall WMF 3.0 first before installing the rollup, and then reinstalling WMF.

Thursday, 22 November 2012

Getting SQL 2008 R2 Reporting Server working with System Center 2012 Configuration Manager

When you upgraded to System Center 2012, you discovered that in order to get reports from Configuration Manager, you now absolutely need to get Configuration Manager working with SQL Reporting Services. You follow the instructions provided by Microsoft and then you hit the train wreck!!!

Error 7403 - The report server service is not running on Reporting Service Point server "MySMS.domain.org.uk"; start the service to enable reporting.

Nothing out there seems to fix the problem. I have discovered that there are a number of problems that cause this error, hence the one or two 'fixes' out there are all red herrings. There are, of course, clues. I followed them and have come to the following solution to the problem.

What's the problem?
The problem occurs mainly when you have the SQL Server, the SQL Reporting Services on the same server as the Management Point. This means also that IIS is installed. That is not a problem, mind you. Reporting Services does work happily with IIS, but as you will see, there are caveats. After following all the installation you find that SMS_SRS_REPORTING_POINT under Component Status, has a Red X instead of a Green Tick. List the error events you get a repeated performance from Error 4703. It is also possible that if you go to Reporting Service Configuration Manager, you can sometimes get the ReportServer website to come up, and sometimes not, but only on HTTP, and not on HTTPS. You also see no reports and any attempt to create a report brings up AUEM (Another Useless Error Message.) Checking the srsrp.log you notice the error: 'The underlying connection was close: Unable to establish a secure connection.'

Problem 1 - The certificate Subject
If you have followed Microsoft's installation plan to the letter you probably have an IIS certificate. The subject on the certificate will be the host name of the Management Point (e.g. 'MySMS'.) This is fine, perfect for Configuration Manager. However, I bet when specify the Site Server, you specify them using their FQDN (e.g. 'MySMS.domain.org.uk'.) Can you guess what I am about to say now? Configuration Manager now cannot connect to SRS because the certificate is invalid! As I said - train wreck!

Solution 1 - The first thing you need to do is uninstall the Reporting Point, as you will need to re-install it later. Get yourself a new certificate from your CA with the FQDN as the subject and a uniquely identifying name (I used "For Report Server") as the subject and install it in the computer's personal certificate store.

Problem 2 - Conflicting Bindings
But it's not a simple as that. Why? Because Reporting Services shares the TCP Port with IIS. IIS needs to be using the SMS IIS Certificate. Despite the fact that you can specify a separate certificate in IIS to that in Reporting Services, they both present their Certificate to the OS to handle. The result is that only one certificate can remain on that particular binding (IP and Port combination.) In the report server log you see 'Failed to register url=https://MySMS.domain.org.uk:443/ReportServer...' etc.

Solution 2 - Change the Binding in Reporting Services Configuration Manager (RSCM.) Now, funny enough guess what? You might have another problem.

Problem 3 - Lingering URLs in Reporting Services
When you change the certificate and binding in RSCM you sometimes find that although you have changed the binding, the original link to 443 remains. If it does, Reporting Services will still fail to bind everything.

Solution 3 - Remove all bindings first and stop the Reporting Services Service. Open \Program Files\Microsoft SQL Server\MSRS10_50.\Reporting Services\ReportServer\rsreportserver.config (remembering to take a backup first!!!) and remove any lingering URL Reservations. You will find them under ... For me it was okay to remove the entirety and leave a behind, if you understand xml. If not, just delete everything in between the individual  and . Restart the Reporting Services Service.

Wrapping it all up
Before you re-configure your bindings in RSCM I would look at netstat first. Using the command line 'netstat -ano -p TCP' list out all the bindings. I did not do this and guess what, I picked another port that was already in use! I would suggest using a custom HTTP port as well as a custom HTTPS port, for the simple reason that you will see it being bound in netstat. It's okay to leave it and share the binding with IIS, but it does mean that you won't see the successful binding.

Okay - you have picked your ports and you go back to RSCM. Go to the "Web Service URL" tab and click on Advanced. Reporting Services automatically picks a host only URL if you enter an IP Address. You don't want this, for sanity's sake. Add the HTTP identity using your custom port (I used 81) and the FQDN for the host header. Add your SSL Binding selecting (All IPv4), add you custom currently unused port (I used 446 - 443 was used by IIS and something else had 445) and select your uniquely named certificate (with the "For Report Server" name.) Do the same for IPv6 (You are using IPv6 - >frown<) and confirm. Do the same for the "Report Manager URL" tab. Now go back to netstat and note that you now have new connections (for me on 81 and 446.)

Great. Now Navigate to your ReportServer url (launch Internet Explorer using 'Run As Administrator')  on SSL and note that you do not get any certificate warnings. Start to feel happy.

Install the Reporting Point once more. You do not have to worry about port numbers, Configuration Manager figures this out. You will need to wait about ten minutes (should be less) and then check your reporting service URL again. Configuration manager will have added a folder. Go to the Monitoring Tab of Configuration Manager and check out the large number of default report that have suddenly appeared. Finally, notice that you now have a green tick next to your SMS_SRS_REPORTING_POINT component status.

Go back to you boss and state to him that you single handly resolved the problem that had been bothering him for the last six months. Brownie points all round!!!

Thursday, 19 July 2012

Jelly Bean - Accounts and Sync

Okay - your phone has just been updated to Jelly Bean (Android 4.1) and now your mail is not syncing, even though all your account settings say it should be. When you pull up your settings and go to your individual accounts you see the message 'Sync is OFF.'

Somewhere else in the interface as you search for why this just isn't working you find the message "Go to Settings, Accounts and Sync, etc. etc." but when you look at settings there is no 'Accounts and Sync.' What's going on?

Never fear, and do not buy the app "Accounts and Sync Missing" either; you don't need it. There are two ways to turn Sync on in Jelly Bean:

1. If you have the standard "Power control" widget, the auto-sync is the second option button from the right; the one that looks like two arrows circling each other. Enable that button and Sync is back on.

2. Got to Settings, select Data Usage and hit the menu button: Tick "Auto-sync Data" and it has the same effect.

Go back in to Settings and into your accounts: You should now have green sync icons (and lots of emails.) Oh joy!

Thursday, 14 June 2012

System Center 2012 Configuration Manager, 802.1x and Migration

It was interesting going to a Microsoft System Center 2012 launch party and hearing the opinion that wired 802.1x is an old outgoing technology and we should all move to IPSEC. At the same time across town Cisco have 802.1x at the heart of their up and coming ISE product. Anyway, well done to Microsoft for bring the System Center product up to date (to a point!)

My guess is that we will still be hacking away at Microsoft Products in order to enable the smooth running of wired 802.1x. Fortunately, with the ground laid down in my previous posts, there is very little to do different from the latest version of Configuration Manager. if you have not already read those posts, you will need to cover those. This just adds on to the previous offering.

Your prepared boot images will still work with one exception. Microsoft have done something amazingly sensible: They have moved the start up hook from the TSConfig.ini file and into the GUI. To be precise, you no longer have to amend the TSConfig.ini file I referred to in my previous into the boot image before showing it to Configuration Manager. In fact, if you do it will ignore it now. Instead go to the boot image in Configuration Manager and select property. On the Customisation tab tick 'Enable prestart command' and enter your script command here: x:\windows\system32\cscript.exe pretsmboot.vbs.

I have still included the pretsmboot.vbs files in the image because they are needed when you run a task sequence that does not boot from PXE, such as when you run it from the new Software Center. However, you do have the choice of including the files and you also specify this in the same location.



There is a gotcha, of course. If you want to do the same for a CD or USB bootable image, you will need to put those same files into a package. When you create the bootable CD image you will be asked for a package is you want to include file, not just a source directory. But that's not a problem.

Otherwise everything else is the same as before. Of course, we are still talking about Windows 7 here, not Windows 8. That's another hurdle that will be long into the next half of the year before we venture there.

Other Gotchas in System Center 2012 Configuration Manager

  • It is entirely possible to import the Operating System Images and driver packages from SCCM 2007. My advice? Don't. Especially the OS images. Don't even think about just copying the same previously captured WIM file. I don't know what the MDT does to images when you capture them, but it creates interesting and varied problems with OSD afterwards. One such problem is the disappearance of the OSD Task Sequence Progress Bar on 64bit builds. Who knows why, it just solves it when you create and capture a new image. Instead create new images captured with the 2012 MDT that is the only version compatible with System Center 2012. This will save you a whole heap of pain.
  • I don't know about you, but we are now running totally on 64bit, with any 'I really need 32bit' applications running happily on Application Virtualisation. However, that does not mean you can ditch the 32bit boot image. Oh, no! If you want PXE to work, even if you only server 64bit OS to PCs, you need a 32bit boot image set up to be served by PXE as well as your 64bit version that will be the only image ever used. PXE will not run without a 32bit image. I think it's something like a comforter. PXE has reached that age when no-one really wants it in the room, but seeing it still hasn't written a will, everyone is being nice to it, so really it can do what it likes and no one will scold it. I will be glad when the IPv6 equivalent finally makes an appearance and puts the old man to bed.
  • Capture those reboots. The 2012 OSD seems to be a little less robust in handling unexpected reboots. So wherever possible, try to catch those application reboots with a -noreboot flag or similar. The OSD will bomb out if it is hit with an unexpected reboot and it will not recover.
Finally, if you haven't already, introduce some custom task sequence variables. The standard MDT Task Sequence includes such things as "Request State Store" regardless of whether it has actually done a Capture User State or not. You will end up with errors every time you run a task sequence on a new PC. It is a trivial task to clean up this mess by settings a task sequence variable after the Capture User State and referring to that Variable as a condition for the State Store Restore tasks. I don't know about you, but I hate spurious red marks in my logs that I know should not be there. It just makes it look like it's not a clean build when it really is.

Wednesday, 11 April 2012

Stateless IPv6 with DNS Options

Yes is it possible to have your cake and eat it!


IPv6 brought us stateless auto-configuration. Your routers do the work with router advertisements. This means no more having to configure every new VLAN with a DHCP range, worrying about your exceptions, your statics or router addresses. Now you can even have two routers on the one VLAN and your clients will happily talk to both/either. 

One of the problems to overcome is how to configure DNS while at the same time retaining a stateless IPv6 Addressing scheme. While running Dual Stack, this is not a problem; you will have already done the work in IPv4 and assigned DNS and Suffix Options to your DHCP range. Your IPv4 DNS server settings will happily serve AAAA addresses.

The days of IPv6 only networks are around the corner. They aren't here yet, so you have some time, but you will want to be ready.

First of all you will need a DHCPv6 server. If you are running DHCP on Windows Server 2008 or 2008 R2 this will serve. You need to bind your DHCP to a static IPv6 address on the server. There is a problem with Server 2008. DHCPv6 will not respond if it does not recognise all the options in the forward request. A solution to this can be found on KB Article 972962, and a hotfix is available. You need to set up your server options. I have at least one scope set up in the IPv6 section, although it is not used. You only need to set up a scope for a particular VLAN if you are intending to provide scope options different to that of the server options. As you are not intending to distribute IP addresses from the DHCPv6 server only the Server Options need concern you.

On your router, you need to enable the "other config flag." This flag is an option in the router advertisement package that signals the availability of other configuration options from a DHCPv6 server. This flag is an invitation, not an instruction, the client must act on it. Windows 7 does this. I have not tested other clients. The Cisco IOS interface command for this is:

ipv6 nd other-config-flag

You also then need a DHCP relay on the same interface that points back to the static binding on your DHCPv6 server. It is noted that in the past that our Cisco switches would not relay DHCP messages unless the DHCP server was running on the switch itself. So you may have to configure a DHCP pool on the switch, even if you do not use it. It is noted that on some older switches you can set up an IPv6 DHCP pool, provide the DNS server and domain prefix and user the ipv6 dhcp server command in the interface. This works as good as using the DHCPv6 server on windows. However, my latest routers running IOS-XE probably require an Enterprise Services License to do this. For the cost difference, I'll stick to relaying to a DHCPv6 Windows 2008 server running on VMware. The Cisco IOS interface command for setting up a DHCP relay is:

ipv6 dhcp relay destination [DHCPv6 Static IPv6 Address]

And that's it.

Remember that your clients will pick up the settings at the same time as they configure their IPv6 addresses, not their IPv4 addresses. This means that ipconfig /release and ipconfig /renew will have no effect on picking up these options. Either a restart is needed (preferable) or you can disable/re-enable the interface (or pull the cable out.) It has been noted that the later options can result in an inconsistent routing table on Windows 7, so use with caution.