
Tuesday, March 29, 2016

Cool feature: Group policy administrative template central store

This time I want to write a little bit about a cool feature which I recommend to everybody: creating a central group policy administrative template store.
Why would anyone want to do that? The answer is simple: so that no matter from which computer you open the Group Policy Management Console (GPMC), the Administrative Templates section always looks the same. By default, administrative templates are loaded from the local computer, and any customizations stay on that computer only.
Configuring this is really easy:
1. First, on a domain controller, browse to C:\Windows\SYSVOL\domain\policies
2. Create a folder named PolicyDefinitions
3. Copy all files from C:\Windows\PolicyDefinitions to the folder created in step 2

And that's it!

You can verify that the central store is working by opening GPMC, editing a group policy object, opening Policies in the User or Computer section and expanding Administrative Templates:
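The same three steps, plus a check that nothing was left behind, as an added PowerShell example (this is not from the original post). It assumes you run it as a domain administrator on a machine that has the ActiveDirectory module and a populated C:\Windows\PolicyDefinitions folder; it builds the UNC path to the central store from the domain name instead of using the local SYSVOL path.

```powershell
# Added example (not from the original post): create the central store and verify it.
# Assumptions: domain admin session; ActiveDirectory module present; local
# %SystemRoot%\PolicyDefinitions holds the ADMX/ADML files you want to publish.
Import-Module ActiveDirectory

$domain       = (Get-ADDomain).DNSRoot
$localStore   = Join-Path $env:SystemRoot 'PolicyDefinitions'
$centralStore = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"

if (-not (Test-Path $centralStore)) {
    New-Item -Path $centralStore -ItemType Directory | Out-Null
}

# Copy the ADMX files and every language subfolder (e.g. en-US) holding the ADML files.
Copy-Item -Path (Join-Path $localStore '*') -Destination $centralStore -Recurse -Force

# Check: every ADMX file present locally must now exist in the central store.
$localAdmx   = @(Get-ChildItem $localStore   -Filter *.admx | Select-Object -ExpandProperty Name)
$centralAdmx = @(Get-ChildItem $centralStore -Filter *.admx | Select-Object -ExpandProperty Name)
$missing     = @(Compare-Object $localAdmx $centralAdmx | Where-Object { $_.SideIndicator -eq '<=' })

if ($missing.Count -gt 0) {
    Write-Warning "Not copied: $($missing.InputObject -join ', ')"
} else {
    Write-Host "Central store $centralStore holds $($centralAdmx.Count) ADMX files."
}
```

Because the store lives in SYSVOL it replicates to every domain controller, so only accounts that can already write to SYSVOL can change the templates every admin sees; keep that permission set small.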


More info here https://support.microsoft.com/en-us/kb/929841

Monday, March 28, 2016

Solved: RODC secondary protection with DPM fails with "Agent not reachable"

This was a tough one (configuring secondary protection for an RODC with DPM 2012 R2).

First of all, it was not so easy to set up the DPM agent on the RODC using this article https://technet.microsoft.com/en-us/library/hh758186.aspx, but somehow I managed to install the DPM agent on the RODC and start backing it up.

So then we decided that it would be cool to add secondary protection for the RODC (because there were some critical files on it), but this was not as easy as it should be. All other secondary protections "just worked", but that was not the case with RODCs; they failed with an "Agent not reachable" error.
After a little bit of playing I added the secondary DPM server's machine account to the local Administrators group of the RODC and it worked, but as we all know, "give admin rights everywhere" is not a good practice.
After weeks of trying different kinds of things (because there is no documentation for this scenario), I somehow managed to get it working with two extra steps:

  1. Both the primary and the secondary DPM server should be members of these groups:
    •  DPMRADCOMTrustedMachines$RODC
    •  DPMRADmTrustedMachines$RODC
    •  DPMRATrustedDPMRA$RODC
    •  Builtin\Distributed COM Users
  2. On the RODC execute this command:
    SetAgentCfg.exe a DPMRA <Primary DPM server> DPMRADCOMTrustedMachines$RODC DPMRADmTrustedMachines$RODC

This somehow helped! The RODC no longer showed "Agent not reachable" errors and backups succeeded!
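Before repeating the trial-and-error above, it is worth confirming step 1 is actually in place. The following added PowerShell check is not from the original post: it verifies that both DPM servers' computer accounts are members of each of the four groups. The server names are constructed, and the three DPM* group names are copied from the list above as placeholders; replace them with the names the DPM agent created in your domain.

```powershell
# Added example (not from the original post): confirm both DPM computer accounts are
# members of the groups listed in step 1. Names are placeholders; adjust to your domain.
Import-Module ActiveDirectory

$dpmServers = 'PRIMARYDPM', 'SECONDARYDPM'          # constructed server names
$groups = @(
    'DPMRADCOMTrustedMachines$RODC',                # placeholders, as written in the post
    'DPMRADmTrustedMachines$RODC',
    'DPMRATrustedDPMRA$RODC',
    'Distributed COM Users'                         # the Builtin group on the DC
)

foreach ($g in $groups) {
    $group = Get-ADGroup -Filter { Name -eq $g } -ErrorAction SilentlyContinue
    if (-not $group) { Write-Warning "Group '$g' not found"; continue }

    # Computer accounts appear with a trailing '$' in SamAccountName.
    $members = @(Get-ADGroupMember -Identity $group -Recursive |
                 Select-Object -ExpandProperty SamAccountName)

    foreach ($s in $dpmServers) {
        $isMember = $members -contains ($s + '$')
        '{0,-36} {1,-14} {2}' -f $g, $s, $(if ($isMember) { 'member' } else { 'MISSING' })
    }
}
```

A MISSING line points at the membership to fix; this keeps the DPM servers limited to the groups the agent expects rather than the local Administrators group the post rightly backed away from.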

I will be glad to help if someone is having the same issue!

Friday, March 25, 2016

Cannot issue a certificate template on a Windows Server 2008 Certificate Authority

This time I am writing about an issue with the "older brother" of Windows Server: Windows Server 2008.
One of my customers had an enterprise root CA on a Windows Server 2008 box. Nobody knew who had installed it, and very few certificates had been issued. But now it was necessary to create a custom certificate template and deploy it to workstations.
So I created the template and wanted to issue it, but it didn't appear in the list when selecting New - Certificate Template to Issue in the Certification Authority console.
I had heard that this could be due to AD replication delays, but there were no problems in AD; all domain controllers had replicated the template.
Finally I found out that this was an Enterprise Root CA installed on Windows Server 2008 Standard edition, and it is not possible to deploy custom templates in that scenario.
The solution was to create a new Windows Server 2012 R2 CA hierarchy this time.

Wednesday, March 23, 2016

Updated: Disable SQL Reporting Services logging on SCCM Primary Site server

Several times I have seen SQL Reporting Services logs eat up disk space very rapidly. This usually happens on an SCCM primary site server which has also been configured with the Reporting Point role. These logs usually don't provide any value, so the easiest way is to disable them.

To disable SQL Reporting Services logging, navigate to \Program Files\Microsoft SQL Server\MSRS13.<instance name>\Reporting Services\ReportServer\bin, open the ReportingServicesService.exe.config file with Notepad, find DefaultTraceSwitch and set its value to 0.

More information here https://technet.microsoft.com/en-us/library/ms156500.aspx

Update: In addition to the change above, you also need to set this line in ReportingServicesService.exe.config correctly:

<add name="Components" value="all:0" />
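Both changes can be applied as an XML edit instead of with Notepad, which also leaves a backup of the config behind. This is an added PowerShell example, not from the original post; the instance name and the service name are placeholders (for a named instance the SSRS service is ReportServer$<instance>), and it must run in an elevated session because the file sits under Program Files.

```powershell
# Added example (not from the original post): set DefaultTraceSwitch=0 and
# Components=all:0 in ReportingServicesService.exe.config, then restart SSRS.
# Assumptions: elevated session; placeholders below adjusted to your SSRS install.
$instance   = 'MSSQLSERVER'                 # placeholder
$service    = 'ReportServer'                # placeholder: 'ReportServer$<instance>' for a named instance
$configPath = "C:\Program Files\Microsoft SQL Server\MSRS13.$instance\Reporting Services\ReportServer\bin\ReportingServicesService.exe.config"

# Keep a timestamped backup before touching the file.
Copy-Item -Path $configPath -Destination "$configPath.bak-$(Get-Date -Format yyyyMMddHHmmss)"

[xml]$cfg = Get-Content -Path $configPath -Raw

# 1. DefaultTraceSwitch: 0 turns the trace log off (the post's first step).
$switch = $cfg.SelectSingleNode("//add[@name='DefaultTraceSwitch']")
if ($switch) { $switch.SetAttribute('value', '0') } else { Write-Warning 'DefaultTraceSwitch not found' }

# 2. Components: all:0 (the post's update).
$comp = $cfg.SelectSingleNode("//add[@name='Components']")
if ($comp) { $comp.SetAttribute('value', 'all:0') } else { Write-Warning 'Components entry not found' }

$cfg.Save($configPath)

# The new values are read when the service starts.
Restart-Service -Name $service
```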

Monday, March 21, 2016

Cannot create system state backup with DPM, error code: 0x80990ED0

Today I experienced a problem where it was not possible to create a system state backup through System Center Data Protection Manager 2012 R2 on a Windows Server 2012 machine.

The error was:
DPM cannot create a backup because Windows Server Backup (WSB) on the protected computer encountered an error (WSB Event ID: 546, WSB Error Code:  0x32F4570). (ID 30229 Details: Internal error code: 0x80990ED0)

This usually means that the Windows Server Backup feature is not installed on the server. But that was not the case. First, I restarted the server; it didn't help. Second, I reinstalled Windows Server Backup, but that didn't help either.
After some time googling with no results, I discovered that Windows Server Backup could not be opened successfully on the server; it hung. Then I also noticed that Disk Management was not opening correctly; it didn't show the disks.
So this was the root cause of the problem: some disks were not correctly presented over the FC network, and this caused errors in Disk Management and Windows Server Backup. After resolving the disk issue, backups were created successfully.

Bottom line: error code 0x80990ED0 means that Windows Server Backup is not installed or not functioning correctly.
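A quick check on the protected server covers both causes in that bottom line before anyone starts reinstalling DPM agents. The following is an added PowerShell example, not from the original post; it assumes Windows Server 2012 or later (for Get-WindowsFeature and Get-Disk) and treats a wbadmin call that does not return within a minute the same way the post treated the hung console.

```powershell
# Added example (not from the original post): pre-check for DPM error 0x80990ED0.
# Assumptions: Windows Server 2012+; elevated session.
function Test-WsbReadiness {
    $result = [ordered]@{}

    # Cause 1: the Windows Server Backup feature is simply missing.
    $feature = Get-WindowsFeature -Name Windows-Server-Backup
    $result.WsbInstalled = [bool]$feature.Installed

    # Cause 2: disks the storage stack cannot bring online, which made Disk
    # Management and WSB hang in the post. Some environments keep disks offline
    # on purpose (e.g. cluster disks), so review the list rather than acting on it.
    $badDisks = Get-Disk | Where-Object {
        $_.OperationalStatus -ne 'Online' -or $_.HealthStatus -ne 'Healthy'
    }
    $result.ProblemDisks = @($badDisks | Select-Object Number, FriendlyName, OperationalStatus, HealthStatus)

    # Does wbadmin answer at all? A hang here mirrors the hung console.
    $job = Start-Job -ScriptBlock { wbadmin get versions 2>&1 | Out-String }
    if (Wait-Job -Job $job -Timeout 60) {
        $result.WbadminResponds = $true
        Receive-Job -Job $job | Out-Null
    } else {
        $result.WbadminResponds = $false
        Stop-Job -Job $job
    }
    Remove-Job -Job $job -Force

    [pscustomobject]$result
}

$state = Test-WsbReadiness
$state | Format-List
if (-not $state.WsbInstalled) { 'Install with: Install-WindowsFeature Windows-Server-Backup' }
```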

Sunday, March 20, 2016

Some updates don't report compliance in SCCM

Some time ago I troubleshot an issue where an update didn't report its compliance status in SCCM.

I found one interesting thing: each update has an option, ExcludedForStateReporting; if that is set to TRUE, compliance will not be reported for that particular update.

You can see this in the SCCM client logs folder in UpdateStore.log (by default C:\Windows\CCM\Logs\UpdateStore.log).


Upgrade to SCCM 1602 without sending telemetry data

Recently I wanted to find out whether it is possible to upgrade SCCM Current Branch (CB) to the next build without sending telemetry data to Microsoft. Unfortunately, it seems there is no way to do that right now. More discussion here https://social.technet.microsoft.com/Forums/en-US/e57043e8-6346-409d-abaf-a508bd56f53e/sccm-current-branch-full-offline?forum=ConfigMgrDeployment.

Saturday, March 19, 2016

No separate Office 2016 Proofing Tools

In case you are wondering where the Office 2016 Proofing Tools are, I can tell you that they are included in the Language Accessory Pack https://support.office.com/en-us/article/Language-Accessory-Pack-for-Office-2016-82ee1236-0f9a-45ee-9c72-05b026ee809f

At this point there is no separate package for Office 2016 Proofing Tools. A while ago there was an "Office 2016 Proofing Tools - Beta" download available, but now that link doesn't work either.

So if you install the Language Accessory Pack, you may also get some text localized in Office programs. For example, Skype for Business and Visio headers will show localized names.

Friday, March 18, 2016

Can I place a no_sms_on_drive.sms file on the drive where SCCM is installed?

Recently I was asked whether it is possible to place a no_sms_on_drive.sms file on the drive where SCCM is installed.

Before I answer the question: no_sms_on_drive.sms is a simple file which you place on a drive where you don't want SCCM files to be copied, for example distribution point files and other SCCM content.

In this case there were two drives, one for SCCM (C:) and a second for distribution point and other related files (D:). When free space on D: dropped below the free space on C:, SCCM started to place content on C:.

As I found out, you can actually place no_sms_on_drive.sms on the C: drive to avoid this situation, and DP files will then only be copied to D:. More info here https://social.technet.microsoft.com/Forums/en-US/6eb3b472-f772-4939-9480-10d5a8a0f1a2/nosmsondrivesms-file-placement?forum=configmanagergeneral
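The marker is easy to forget on servers with several volumes, so here is an added PowerShell example (not from the original post) that drops no_sms_on_drive.sms on every fixed drive except the one meant for content, and warns if the marker has ended up on the content drive by mistake. It assumes Windows Server 2012 or later for Get-Volume; D: as the content drive is a constructed value.

```powershell
# Added example (not from the original post): mark every fixed drive except the
# content drive with no_sms_on_drive.sms. Assumption: D: is the content drive.
function Set-NoSmsMarker {
    param([string]$ContentDrive = 'D')

    $fixed = Get-Volume | Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter }
    foreach ($vol in $fixed) {
        $letter = [string]$vol.DriveLetter
        $marker = "${letter}:\no_sms_on_drive.sms"

        if ($letter -eq $ContentDrive) {
            # A marker here would keep SCCM from using the very drive meant for content.
            if (Test-Path $marker) { Write-Warning "$marker is on the content drive; remove it" }
            continue
        }

        if (Test-Path $marker) {
            "already present: $marker"
        } else {
            New-Item -Path $marker -ItemType File | Out-Null   # an empty file is all SCCM looks for
            "created: $marker"
        }
    }
}

Set-NoSmsMarker -ContentDrive 'D'
```

The marker only influences where SCCM places content from now on; anything already written to C: stays where it is.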

Thursday, March 17, 2016

Placing two RODCs in the same AD site

Several times I have heard that my customers have placed two Read-Only Domain Controllers (RODCs) in the same AD site, thinking that no special considerations need to be taken.

Here is a TechNet article https://technet.microsoft.com/en-us/library/ee522995(v=ws.10).aspx which describes the implications of placing two RODCs in the same site, or placing an RODC in the same site as a writable domain controller (RWDC).

If you place two RODCs in the same site, be aware that they will not replicate with each other; they will only replicate with an RWDC.
The second RODC will cache only passwords for accounts that have authenticated to it, so it is very likely that the cached passwords will differ between the RODCs, because a computer sticks to the same RODC once it has successfully authenticated there. A workaround is to use a script on the RWDC which prepopulates the cached passwords on the RODCs. This way the RODCs stay consistent, but it is an extra thing to take care of.
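One way to write that prepopulation script, as an added PowerShell example that is not from the original post: it reads which accounts each RODC in the site has actually cached (the revealed accounts), then asks a writable DC to prepopulate on each RODC whatever the other one already holds, using repadmin /rodcpwdrepl. It assumes the ActiveDirectory module and repadmin on a writable DC, and the site name is a placeholder. Accounts the target RODC's Password Replication Policy denies are refused by repadmin, which is exactly what you want.

```powershell
# Added example (not from the original post): keep two RODCs in one site consistent
# by prepopulating on each RODC the passwords the other RODC has already cached.
# Assumptions: run on a writable DC; ActiveDirectory module; site name is a placeholder.
Import-Module ActiveDirectory

$site  = 'BranchSite'                                                   # placeholder
$rodcs = @(Get-ADDomainController -Filter { IsReadOnly -eq $true -and Site -eq $site })
$rwdc  = (Get-ADDomainController -Filter { IsReadOnly -eq $false } | Select-Object -First 1).HostName

if ($rodcs.Count -lt 2) { Write-Warning "Fewer than two RODCs found in site $site"; return }

# Accounts whose passwords are really stored on each RODC.
$cached = @{}
foreach ($r in $rodcs) {
    $cached[$r.HostName] = @(
        Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $r.HostName -RevealedAccounts |
            Select-Object -ExpandProperty DistinguishedName
    )
}

foreach ($target in $rodcs) {
    $others  = $rodcs | Where-Object { $_.HostName -ne $target.HostName }
    $wanted  = @($others | ForEach-Object { $cached[$_.HostName] } | Sort-Object -Unique)
    $missing = @($wanted | Where-Object { $cached[$target.HostName] -notcontains $_ })

    "{0}: {1} account(s) to prepopulate" -f $target.HostName, $missing.Count
    foreach ($dn in $missing) {
        # Denied accounts (e.g. privileged ones) fail here, which is the intended outcome.
        repadmin /rodcpwdrepl $target.HostName $rwdc $dn
    }
}
```

Run it on a schedule; a fresh authentication to either RODC changes the sets again.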

Tuesday, March 15, 2016

Extend job title attribute length for Active Directory user object

Today I did some research about the Title attribute of the AD user object.

As some job titles are pretty long, it was not possible to enter the full job title in the Active Directory Users and Computers console; it accepts only 64 characters.

As it turns out, this is a limitation of the Active Directory Users and Computers console. If we connect to the Active Directory schema through ADSI Edit, we can see that the maximum length is 128 characters. We can use the Attribute Editor or a script to enter up to 128 characters.

If that is still not enough, it is possible to increase the rangeUpper value.
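The "script" route, as an added PowerShell example that is not from the original post: it reads rangeUpper for the title attribute straight from the schema rather than hard-coding 128, refuses a value longer than that, and otherwise sets the title with Set-ADUser. It assumes the ActiveDirectory module; the user name and the title are constructed.

```powershell
# Added example (not from the original post): set a job title longer than the 64
# characters ADUC accepts, capped by the schema's rangeUpper for 'title'.
# Assumptions: ActiveDirectory module; user and title below are constructed.
Import-Module ActiveDirectory

function Set-LongJobTitle {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Title
    )

    # Read the limit from the schema so the check follows any rangeUpper change.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -Filter { lDAPDisplayName -eq 'title' } -SearchBase $schemaNC -Properties rangeUpper
    $max  = $attr.rangeUpper    # 128 on a default schema

    if ($Title.Length -gt $max) {
        throw "Title is $($Title.Length) characters; schema allows at most $max (rangeUpper on CN=Title)."
    }

    Set-ADUser -Identity $SamAccountName -Title $Title
    (Get-ADUser -Identity $SamAccountName -Properties Title).Title
}

# Constructed title, 95 characters: over the console's 64, under the schema's 128.
$longTitle = 'Senior Principal Infrastructure Architect, Identity and Access Management Platform Engineering'
Set-LongJobTitle -SamAccountName 'jdoe' -Title $longTitle
```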


Sunday, March 13, 2016

SCCM 1602 is here!

SCCM 1602 is now available. There are many new features; all of them can be found here https://technet.microsoft.com/library/mt622084.aspx#bkmk_1602

My two personal favorites are:
1. Support for in-place upgrade from Windows Server 2008 R2 to Windows Server 2012 R2 on the SCCM server. You must uninstall WSUS before the upgrade, however.
2. Support for deploying Office 365 ProPlus updates. I already wrote about it here http://justforadmins.blogspot.com/2016/03/finally-deploy-office-365-updates-with.html

In a few days I will definitely test the new release and report back on other cool features!

Friday, March 11, 2016

Updated: Office 2013 version of 365 ProPlus support

Last year Microsoft announced that they would continue to provide updates for the Office 2013 version of Office 365 ProPlus until September 2016.

Today I noticed that Microsoft has extended support for the Office 2013 version of Office 365 ProPlus until February 2017. So you can continue to use the Office 2013 version of Office 365 ProPlus and receive updates for it until February 2017!

Thursday, March 10, 2016

Finally: Deploy Office 365 updates with SCCM

So Microsoft has done (or almost done) the thing they had to do when they released Office 365 ProPlus: it will now be possible to deploy updates to Office 365 ProPlus through SCCM (relief...).

But wait a minute. The feature is announced but not there yet. It will be possible to deploy Office 365 updates with SCCM 1602.
Keep in mind also:

  1. For the Deferred channel (which businesses usually use) it will be possible to deploy updates starting from June 2016.
  2. It will be necessary to make some configuration changes to Office.
  3. It will not be possible to deploy Office 365 ProPlus updates through WSUS.
More info here https://technet.microsoft.com/en-us/library/mt628083.aspx


Tuesday, March 8, 2016

New feature: Schedule WSUS Cleanup in SCCM 1511

Hi,

This time I wanted to mention a cool new feature in SCCM 1511: the ability to schedule WSUS cleanup. Previously this was only possible through the WSUS console. This led to admins forgetting that WSUS cleanup was necessary, which in turn led to a huge WSUS database that caused various errors.

So here it is: just open the SCCM console, navigate to Administration - Site Configuration - Sites, right-click the site, then Configure Site Components - Software Update Point - Supersedence Rules, and check "Run WSUS cleanup wizard".


So after selecting to run WSUS cleanup, it will run after the next SUP synchronization and then again after 30 days. Unfortunately I haven't found out so far whether this 30-day interval can be changed.

DPM and VMWare

Rumor says that System Center Data Protection Manager (DPM) will soon be able to back up VMware virtual machines.

Monday, March 7, 2016

Limitation when installing SCCM 1511 on Windows Server 2008 R2

Hi again,

Just wanted to clarify that if you install an SCCM 1511 or later primary site server on Windows Server 2008 R2, it will not be possible to deploy Windows 10 upgrades.

That is because WSUS 3.0 (which comes with Windows Server 2008 R2) doesn't support deploying upgrades, and you cannot have a remote Software Update Point on Windows Server 2012, because the site server needs a WSUS console and the versions must match.

The good thing is that SCCM 1602, which is coming soon, will support an in-place OS upgrade from Windows Server 2008 R2 to Windows Server 2012 R2 (https://blogs.technet.microsoft.com/configmgrteam/2016/02/18/update-1602-for-technical-preview-available-now/)!

Applocker policies don't work

Today I found out that AppLocker policies do not work if the Application Identity service is not started.
So start the service (preferably with group policy) and AppLocker will work!
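A running Application Identity service is necessary but not sufficient; a policy whose rule collections are in audit mode blocks nothing either. The added PowerShell example below is not from the original post: it reports the service state (via CIM, so it works on older PowerShell versions too) together with the enforcement mode of each rule collection in the effective policy, and starts the service only as a stop-gap on a test box, leaving the Group Policy route the post recommends for production. It assumes an elevated session on a Windows edition that ships the AppLocker cmdlets.

```powershell
# Added example (not from the original post): is AppLocker actually enforcing here?
# Assumptions: elevated session; AppLocker module available on this edition.
function Get-AppLockerState {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='AppIDSvc'"

    # Get-AppLockerPolicy -Xml returns the policy as an XML string.
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    $collections = foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
        [pscustomobject]@{
            Collection      = $rc.Type                 # Exe, Msi, Script, Dll, Appx
            EnforcementMode = $rc.EnforcementMode      # NotConfigured, AuditOnly or Enabled
            RuleCount       = @($rc.ChildNodes).Count
        }
    }

    $enforced = @($collections | Where-Object { $_.EnforcementMode -eq 'Enabled' })
    [pscustomobject]@{
        ServiceState   = $svc.State                    # Running / Stopped
        ServiceStart   = $svc.StartMode                # Auto / Manual / Disabled
        Enforcing      = ($svc.State -eq 'Running') -and ($enforced.Count -gt 0)
        Collections    = $collections
    }
}

$state = Get-AppLockerState
$state | Format-List
$state.Collections | Format-Table -AutoSize

if ($state.ServiceState -ne 'Running') {
    # Stop-gap for a test box only; in production deliver the service startup
    # through Group Policy, as the post recommends.
    Set-Service -Name AppIDSvc -StartupType Automatic
    Start-Service -Name AppIDSvc
}
```

Enforcing is $false whenever the service is stopped, however good the rules look, which is the situation the post ran into.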

Sunday, March 6, 2016

MP Control Manager detected management point is not responding to HTTP requests. The HTTP status code and text is 503, Service Unavailable.

I was playing in my SCCM 1511 test environment and started to notice that my MP was not working anymore.
mpcontrol.log said there was an error 503 "Service Unavailable".

I reinstalled the MP, but that didn't help. I reinstalled IIS and the MP, and that didn't help either.

Finally I found out here https://technet.microsoft.com/en-us/library/mt589738.aspx that the MP needs .NET Framework 4.5.2, but I had only .NET 4.5.
After installing .NET 4.5.2, the errors disappeared from mpcontrol.log and the MP started to work.

Hope this helps!

Can install FSRM on RODC

Recently I came across a problem where it was not possible to install the File Server Resource Manager (FSRM) component on a Read-Only Domain Controller (RODC).

After some research I found the Microsoft KB article https://support.microsoft.com/en-us/kb/2973343, which says that it is not possible to do this. Reading the article more carefully, I found that it is not possible because setup cannot create a group called "Access-Denied Assistance Users", which is understandable, since it is not possible to create a group on an RODC.

But I didn't want to uninstall the RODC, install FSRM and then reinstall the RODC on a lot of servers, which was the suggested workaround.

So after some days of testing I found that it is possible to create the "Access-Denied Assistance Users" group on a writable DC, let it replicate to the RODC, and then install FSRM on the RODC.
You can create this group manually, or have it created by installing FSRM on a writable DC.

Keep in mind that it is not possible to uninstall FSRM from the RODC while this group is in place.
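The workaround scripted, as an added PowerShell example that is not from the original post: it queries the RODC itself (not a writable DC) for the group, so the install only proceeds once replication has actually delivered the object, and then installs the feature. It assumes it is run elevated on the RODC with the ActiveDirectory and ServerManager modules; the group name is the one the KB article cites.

```powershell
# Added example (not from the original post): install FSRM on an RODC once the
# "Access-Denied Assistance Users" group has replicated to it.
# Assumptions: elevated session on the RODC; ActiveDirectory and ServerManager modules.
Import-Module ActiveDirectory
Import-Module ServerManager

$groupName = 'Access-Denied Assistance Users'
$localDc   = $env:COMPUTERNAME

# Ask this RODC, not a writable DC, so a hit proves the object has replicated here.
$group = Get-ADGroup -Filter { Name -eq $groupName } -Server $localDc -ErrorAction SilentlyContinue
if (-not $group) {
    Write-Warning "'$groupName' has not replicated to $localDc yet. Create it on a writable DC (or install FSRM there) and retry after replication."
    return
}

$result = Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools

[pscustomobject]@{
    Group         = $group.DistinguishedName
    Installed     = $result.Success
    RestartNeeded = $result.RestartNeeded
}
```

Remember the post's last point: with the group in place, FSRM cannot be removed from the RODC again, so this is a one-way step.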

Hope this helps!

Just admin