
Saturday, December 2, 2017

Recommendations / best practices when putting the SCCM Current Branch database on a remote cluster


If you decide to put your SCCM database on a remote SQL cluster instead of locally (which is a best practice), then follow these recommendations:

  1. The SQL instance and database collation must be SQL_Latin1_General_CP1_CI_AS.
  2. No other SCCM site databases may be on this SQL instance. The SQL instance can be default or named.
  3. Dynamic ports on the SQL instance are not supported.
  4. The SQL service account must have a registered SQL service SPN.
  5. The SCCM server computer account must be a local administrator on all SQL cluster nodes.
  6. When installing SCCM or moving the database to the remote cluster, the user account performing the actions should have local administrator rights on the SQL server nodes and sysadmin rights on the SQL instance. After installation these rights can be removed.
  7. On all shared disks of the SQL cluster, place a no_sms_on_drive.sms file, which prevents SCCM from creating files on those disks. The SCCM SQL backup service creates files on the SQL cluster, so you need to control where they are written: they must be on the same drive on all cluster nodes, otherwise SCCM backups will fail.
  8. Change the Reporting Services database recovery model from Full to Simple.
  9. Use the SCCM backup task for backups and write its output to a share that your other backup solution picks up.
  10. All SQL requirements from Microsoft are here: https://docs.microsoft.com/en-us/sccm/core/plan-design/configs/support-for-sql-server-versions
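The following is an added example, not code from the original post: a pre-flight script that checks items 1, 3, 4 and 7 of the list above before SCCM setup is pointed at the cluster. It needs the SqlServer module (Invoke-Sqlcmd), the ActiveDirectory module, and admin-share access to the cluster nodes. The instance name, service account, node names and drive letters are assumptions; replace them with your own.

```powershell
# Added example (not from the original post). All names below are assumptions.
$SqlInstance  = 'SQLCLUSTER\CM01'          # assumed: SQL network name\instance
$ServiceSam   = 'svc-sql-cm'               # assumed: sAMAccountName of the SQL service account
$ClusterNodes = @('SQLNODE1', 'SQLNODE2')  # assumed: cluster node host names
$SharedDrives = @('D', 'E')                # assumed: drive letters of the shared cluster disks

function Test-SccmSqlPrereqs {
    param([string]$SqlInstance, [string]$ServiceSam, [string[]]$ClusterNodes, [string[]]$SharedDrives)
    $results = New-Object 'System.Collections.Generic.List[object]'
    function Add-Result($Check, $Pass, $Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    # Item 1: instance collation must be SQL_Latin1_General_CP1_CI_AS
    $collation = (Invoke-Sqlcmd -ServerInstance $SqlInstance `
        -Query "SELECT CAST(SERVERPROPERTY('Collation') AS nvarchar(128)) AS Collation").Collation
    Add-Result 'Collation' ($collation -eq 'SQL_Latin1_General_CP1_CI_AS') $collation

    # Item 3: no dynamic ports. sys.dm_server_registry exposes the IPAll TCP settings;
    # TcpDynamicPorts must be empty and TcpPort must be set.
    $ports = Invoke-Sqlcmd -ServerInstance $SqlInstance -Query @"
SELECT value_name, CAST(value_data AS nvarchar(64)) AS value_data
FROM sys.dm_server_registry
WHERE registry_key LIKE '%\IPAll' AND value_name IN ('TcpPort', 'TcpDynamicPorts')
"@
    $dynamic = ($ports | Where-Object value_name -eq 'TcpDynamicPorts').value_data
    $static  = ($ports | Where-Object value_name -eq 'TcpPort').value_data
    Add-Result 'StaticPort' ([string]::IsNullOrEmpty($dynamic) -and -not [string]::IsNullOrEmpty($static)) `
        "TcpPort=$static TcpDynamicPorts=$dynamic"

    # Item 4: the service account must carry MSSQLSvc SPNs
    $spns = @((Get-ADUser -Identity $ServiceSam -Properties servicePrincipalName).servicePrincipalName |
        Where-Object { $_ -like 'MSSQLSvc/*' })
    Add-Result 'ServiceSpn' ($spns.Count -gt 0) ($spns -join '; ')

    # Item 7: no_sms_on_drive.sms must exist on every shared disk; checked through each node's admin share
    foreach ($node in $ClusterNodes) {
        foreach ($drive in $SharedDrives) {
            $path = "\\$node\$drive`$\no_sms_on_drive.sms"
            Add-Result "NoSmsOnDrive $node $drive" (Test-Path -LiteralPath $path) $path
        }
    }
    return $results
}

Test-SccmSqlPrereqs $SqlInstance $ServiceSam $ClusterNodes $SharedDrives | Format-Table -AutoSize
```

Every row with Pass = False is something to fix before installation; the Detail column shows the value that was actually found.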

Tuesday, November 28, 2017

"Protected Users" group in Active Directory to protect privileged accounts

I usually follow the updates to Active Directory, but only recently I found out that since Windows Server 2012 R2 there is a new security group called "Protected Users" in Active Directory to protect the most privileged accounts in AD.

User accounts placed in this group are prevented from using weaker authentication protocols and encryption types, and are forced to re-authenticate every four hours:

  • A member of the Protected Users group cannot authenticate by using NTLM, Digest Authentication, or CredSSP. On a device running Windows 8.1, passwords are not cached, so a device that uses any one of these Security Support Providers (SSPs) will fail to authenticate to a domain when the account is a member of the Protected Users group.
  • The Kerberos protocol will not use the weaker DES or RC4 encryption types in the pre-authentication process. This means that the domain must be configured to support at least the AES cipher suite.
  • The user's account cannot be delegated with Kerberos constrained or unconstrained delegation. This means that former connections to other systems may fail if the user is a member of the Protected Users group.
  • The default Kerberos Ticket Granting Ticket (TGT) lifetime setting of four hours is configurable by using Authentication Policies and Silos, which can be accessed through the Active Directory Administrative Center (ADAC). This means that when four hours have passed, the user must authenticate again.
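Before moving an account into the group it is worth checking, per account, for exactly the things the bullets above say will stop working: delegation settings, SPNs (a service account with SPNs belongs in a gMSA or elsewhere, not in Protected Users) and explicit RC4/DES-only encryption settings. The script below is an added example, not part of the original post; it needs the ActiveDirectory module, and the account names in $Candidates are assumptions.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module.
$Candidates = @('jdoe-adm', 'svc-legacy')   # assumed sAMAccountNames to evaluate

function Test-ProtectedUsersReadiness {
    param([string[]]$SamAccountNames)
    $aesBits = 0x18   # AES128 (0x08) and AES256 (0x10) flags of msDS-SupportedEncryptionTypes
    foreach ($sam in $SamAccountNames) {
        $u = Get-ADUser -Identity $sam -Properties servicePrincipalName, TrustedForDelegation,
             'msDS-AllowedToDelegateTo', 'msDS-SupportedEncryptionTypes', MemberOf
        $enc = [int]$u.'msDS-SupportedEncryptionTypes'   # 0 / not set means the DC default applies
        [pscustomobject]@{
            Account            = $sam
            AlreadyProtected   = [bool]($u.MemberOf | Where-Object { $_ -like 'CN=Protected Users,*' })
            HasSpn             = @($u.servicePrincipalName).Count -gt 0        # service account: do not add
            UnconstrainedDeleg = [bool]$u.TrustedForDelegation                 # breaks per bullet 3
            ConstrainedDeleg   = @($u.'msDS-AllowedToDelegateTo').Count -gt 0  # breaks per bullet 3
            Rc4DesOnly         = ($enc -ne 0) -and (($enc -band $aesBits) -eq 0) # breaks per bullet 2
        }
    }
}

function Add-ToProtectedUsers {
    param([string[]]$SamAccountNames)
    $ready = Test-ProtectedUsersReadiness $SamAccountNames | Where-Object {
        -not $_.HasSpn -and -not $_.UnconstrainedDeleg -and -not $_.ConstrainedDeleg -and
        -not $_.Rc4DesOnly -and -not $_.AlreadyProtected
    }
    # -WhatIf shows what would change; remove it to apply
    if ($ready) { Add-ADGroupMember -Identity 'Protected Users' -Members $ready.Account -WhatIf }
}

Test-ProtectedUsersReadiness $Candidates | Format-Table -AutoSize
Add-ToProtectedUsers $Candidates
```

Accounts that fail any of the checks are left out of the Add-ADGroupMember call rather than added and discovered later through broken logons.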

DPM 2012 R2 Agent not reachable only on domain controllers

I had an interesting issue lately with DPM 2012 R2 agents becoming unreachable on domain controllers. All other protected servers were unaffected.
I started with the usual things: checked network connectivity and DNS, but everything seemed to be OK. I also reinstalled the client on the domain controllers, but the agent was still unreachable.

Finally it turned out that the domain's Builtin\Users group needs to include the following members: Domain Users, Authenticated Users and INTERACTIVE; in my case two of those were missing. I added them back, refreshed the agent status in the DPM console and the issue was resolved instantly.
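As an added check (not part of the original post), the script below verifies the three memberships named above by SID rather than by display name, so it is unaffected by localized or renamed groups. It reads the group's member attribute directly because Get-ADGroupMember can choke on the foreignSecurityPrincipal entries that represent well-known SIDs. It requires the ActiveDirectory module.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module.
function Test-BuiltinUsersMembership {
    $domainSid = (Get-ADDomain).DomainSID.Value
    $expected = [ordered]@{
        'Domain Users'        = "$domainSid-513"   # domain-specific RID 513
        'Authenticated Users' = 'S-1-5-11'         # well-known SID
        'INTERACTIVE'         = 'S-1-5-4'          # well-known SID
    }
    # Builtin\Users is S-1-5-32-545; 'member' holds DNs, including the foreignSecurityPrincipal
    # objects that stand in for the well-known SIDs. Resolve each DN to its objectSid.
    $memberSids = @((Get-ADGroup -Identity 'S-1-5-32-545' -Properties member).member |
        ForEach-Object { (Get-ADObject -Identity $_ -Properties objectSid).objectSid.Value })
    foreach ($name in $expected.Keys) {
        [pscustomobject]@{
            Member  = $name
            Sid     = $expected[$name]
            Present = ($expected[$name] -in $memberSids)
        }
    }
}

Test-BuiltinUsersMembership | Format-Table -AutoSize
```

A row with Present = False is the missing membership; restoring it with Add-ADGroupMember -Identity 'S-1-5-32-545' -Members <SID> is the fix described above.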

Friday, November 17, 2017

Microsoft update classifications and security update rating definitions explained

If you are working with deploying updates for Microsoft systems, then you definitely know that there are several update classifications, such as:

  • Security Updates
  • Critical Updates
  • Updates
  • Definition updates
  • ...

And lately new classifications have appeared:

  • Security-only update
  • Monthly Rollup
  • Preview of Monthly Rollup

In addition to this, Security updates are rated as Critical, Important, Moderate or Low.

If you ever wondered what each means, then here are explanations for you:


Should I disable builtin domain Administrator account?

The built-in domain Administrator account is a special account and behaves unlike other accounts in Active Directory:

  • It cannot be deleted
  • It cannot be locked out (although you will get an event in the Event Log saying it was locked, it actually is not)
  • It will be enabled if you log on in Directory Services Restore Mode or Safe Mode

To summarize: I would recommend disabling the account, because you will always get a chance to unlock it in Safe Mode if such a time comes.

The second best option is to have a SIEM or other notification mechanism in place that alerts you when accounts are locked out; this lets you notice brute-force attacks against the Administrator account early.
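The two options above, as an added example that is not part of the original post: the account is located by its RID (500) rather than by name, since it may have been renamed, and the lockout events (4740) that still get logged for it are pulled from the PDC emulator, where every lockout is recorded. Requires the ActiveDirectory module and rights to read the DC Security log; the "User Account Management" audit subcategory must be enabled for 4740 to be written at all.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module.
function Get-BuiltinAdministrator {
    # The built-in Administrator always has RID 500 in the domain SID, whatever its current name
    $domainSid = (Get-ADDomain).DomainSID.Value
    Get-ADUser -Identity "$domainSid-500" -Properties Enabled, LastLogonDate, LockedOut
}

function Disable-BuiltinAdministrator {
    $admin = Get-BuiltinAdministrator
    if ($admin.Enabled) { Disable-ADAccount -Identity $admin -Confirm:$false }
    Get-BuiltinAdministrator | Select-Object SamAccountName, Enabled, LastLogonDate
}

function Get-AdminLockoutEvents {
    param([int]$Hours = 24)
    $admin = Get-BuiltinAdministrator
    $pdc   = (Get-ADDomain).PDCEmulator   # lockouts are always processed and logged here
    Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours)
    } |
      Where-Object { $_.Properties[0].Value -eq $admin.SamAccountName } |   # TargetUserName
      ForEach-Object {
        [pscustomobject]@{
            Time           = $_.TimeCreated
            Account        = $_.Properties[0].Value
            CallerComputer = $_.Properties[1].Value   # the machine the bad attempts came from
        }
      }
}

Disable-BuiltinAdministrator
Get-AdminLockoutEvents -Hours 24 | Format-Table -AutoSize
```

A steady stream of rows from Get-AdminLockoutEvents, each naming the same CallerComputer, is the early warning the post talks about, and the same query is what a SIEM rule would be built on.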

Thursday, November 16, 2017

Best practices for configuring domain controller primary and secondary DNS servers

I get this question quite frequently: how should DNS servers be configured for domain controllers in the IP configuration?

  • A DC should have another DNS server listed as primary DNS
  • A DC should list itself somewhere in the DNS server order
  • A DC should use the loopback address when pointing to itself
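The three rules as a check script, added here and not part of the original post: it reads each DC's IPv4 DNS client list over WinRM and reports which rules hold. It requires the ActiveDirectory module and remoting access to the DCs; by default it evaluates every DC in the domain.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module and WinRM.
function Test-DcDnsClientConfig {
    param([string[]]$DomainControllers = (Get-ADDomainController -Filter *).HostName)
    foreach ($dc in $DomainControllers) {
        # DNS servers of the first adapter that has any configured, read on the DC itself
        $servers = @(Invoke-Command -ComputerName $dc -ScriptBlock {
            Get-DnsClientServerAddress -AddressFamily IPv4 |
                Where-Object { $_.ServerAddresses } |
                Select-Object -First 1 -ExpandProperty ServerAddresses
        })
        $ownIps      = @((Resolve-DnsName -Name $dc -Type A -ErrorAction SilentlyContinue).IPAddress)
        $selfEntries = @($servers | Where-Object { $_ -eq '127.0.0.1' -or $_ -in $ownIps })
        [pscustomobject]@{
            DC                = $dc
            DnsServers        = $servers -join ', '
            # rule 1: first entry is neither loopback nor one of the DC's own addresses
            PrimaryIsOtherDns = ($servers.Count -gt 0) -and ($servers[0] -ne '127.0.0.1') -and ($servers[0] -notin $ownIps)
            # rule 2: the DC appears somewhere in its own list
            ListsItself       = $selfEntries.Count -gt 0
            # rule 3: every self-reference uses 127.0.0.1 rather than a real interface address
            SelfViaLoopback   = ($selfEntries.Count -gt 0) -and
                                (@($selfEntries | Where-Object { $_ -ne '127.0.0.1' }).Count -eq 0)
        }
    }
}

Test-DcDnsClientConfig | Format-Table -AutoSize
```

Any False in the last three columns points at the DC whose NIC settings need adjusting.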

Tuesday, November 14, 2017

How to extend Windows Server 2008 / R2 and SQL Server 2008 / R2 support lifecycle

Windows Server 2008 / 2008 R2 and SQL Server 2008 / 2008 R2 end-of-support dates are approaching fast, so you really should be thinking about how to migrate these to newer versions.

If migrating these Windows and SQL Server versions is not possible and will not be in the near future, there is a way to extend support, called Premium Assurance. Yes, you have to pay for it, but at least you will stay supported and get security updates. And you can do this for six more years.

Anyway, I do recommend keeping this as a very last option.

More info here: https://cloudblogs.microsoft.com/hybridcloud/2016/12/08/introducing-windows-server-premium-assurance-and-sql-server-premium-assurance/

Saturday, November 11, 2017

Windows Server 2016 Standard Edition licensing changes in virtual environment

As you have probably heard, Windows Server 2016 has core-based licensing, meaning that every physical CPU core has to be licensed.

Windows Server 2016 also introduces some changes to how virtual operating system instances are licensed. In particular, you have to take this rule into account:

Standard Edition provides rights for up to 2 Operating System Environments or Hyper-V containers when all physical cores in the server are licensed. For each additional 1 or 2 VMs, all the physical cores in the server must be licensed again.

If you have a 20-core server, this means that if you purchase Standard edition licenses for 20 cores you are eligible for 2 OSes; if you need two more OSes on the same physical server you will need to license all 20 cores once again.

Sunday, November 5, 2017

Test network connectivity with Powershell (Replace Telnet Client)

You don't need to install the Telnet Client on Windows client and server OSes to check whether a TCP port on a remote machine is reachable from it.

Simply use this PowerShell command (replace ComputerName and Port with your own values):

Test-NetConnection -ComputerName 8.8.8.8 -Port 53

The output will look something like this:

ComputerName           : 8.8.8.8
RemoteAddress          : 8.8.8.8
RemotePort             : 53
InterfaceAlias         : Ethernet
SourceAddress          : 192.168.1.3
PingSucceeded          : True
PingReplyDetails (RTT) : 73 ms
TcpTestSucceeded       : True


This works on Windows 8 / 2012 and later OSes.

As always, use Get-Help for more info about the cmdlet.
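The same cmdlet over a whole list of ports, as an added example that is not from the original post: this is the shape the check takes when you verify that a firewall lets a member server reach a domain controller. -InformationLevel Quiet makes Test-NetConnection return only $true or $false. The host name and the port list are assumptions.

```powershell
# Added example (not from the original post). Target and ports are assumptions.
function Test-TcpPorts {
    param(
        [string]$ComputerName = 'dc01.contoso.com',            # assumed target
        [int[]]$Ports = @(53, 88, 135, 389, 445, 636, 3268)    # assumed: ports a DC commonly serves
    )
    foreach ($port in $Ports) {
        [pscustomobject]@{
            Target = $ComputerName
            Port   = $port
            Open   = Test-NetConnection -ComputerName $ComputerName -Port $port `
                        -InformationLevel Quiet -WarningAction SilentlyContinue
        }
    }
}

$result = Test-TcpPorts
$result | Format-Table -AutoSize
$closed = @($result | Where-Object { -not $_.Open })
if ($closed.Count -gt 0) {
    Write-Warning ("Closed or filtered: " + (($closed | ForEach-Object { $_.Port }) -join ', '))
}
```

The -WarningAction switch suppresses the per-port "TCP connect failed" warning so the table, not the warning stream, is the report.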

Saturday, November 4, 2017

Can I do a packet trace on Azure Virtual Network Gateway?

Recently I had a networking issue with routing on an Azure Virtual Network Gateway, and I wanted to understand whether the gateway routes the traffic correctly.

As I was informed by Microsoft Support, at the time of writing there is no option to check this yourself; you need to reach out to Microsoft Support to get the packet traces.

This has also been asked for by a lot of customers, but Microsoft is still struggling to implement it, with no promised deadline yet.

Thursday, June 22, 2017

Can I use Azure Backup to restore system state backup of Domain controller running in Azure VM?

Microsoft recently announced that Azure Backup now supports System State backups directly to the Azure Backup service, without installing Azure Backup Server.
This is a great addition to the Azure Backup service's current capabilities (backing up Azure VMs and files on servers).

But I keep getting the question whether this feature allows restoring a System State backup of a domain controller running as an Azure virtual machine.
And the answer is no, at least not yet. It is not possible to connect to Directory Services Restore Mode (DSRM) on a VM running in Azure.

But I am 100% sure that we will have this feature in the future.

Tuesday, June 20, 2017

Citrix NetScaler VPX Azure server loses network connectivity after changing IP address

Today I faced an issue where Citrix NetScaler VPX lost network connectivity when it was deployed as an Azure virtual machine.
For a while I could not understand why this had happened, because VM boot diagnostics showed that the VM was up and running, but it was not reachable.
This happened because the VM had changed its IP address, and in fact Citrix has documented this behaviour: http://docs.citrix.com/en-us/netscaler/11/getting-started-with-vpx/deploy-vpx-on-azure.html

Bottom line: if you are using Citrix NetScaler VPX in Azure, make its IP static immediately after deploying.
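Pinning the address, as an added example that is not from the original post: the AzureRm module (the one the other posts on this page use) lets you flip the NIC's private IP allocation to Static while keeping the address Azure already assigned. The resource group and NIC name are assumptions.

```powershell
# Added example (not from the original post). Resource group and NIC name are assumptions.
function Set-NicPrivateIpStatic {
    param([string]$ResourceGroupName, [string]$NicName)
    $nic = Get-AzureRmNetworkInterface -ResourceGroupName $ResourceGroupName -Name $NicName
    foreach ($cfg in $nic.IpConfigurations) {
        if ($cfg.PrivateIpAllocationMethod -ne 'Static') {
            # Keep the address that was handed out; only stop it from changing on deallocate/reboot
            $cfg.PrivateIpAllocationMethod = 'Static'
        }
    }
    Set-AzureRmNetworkInterface -NetworkInterface $nic | Out-Null
    # Read back and show the result so the change is verified, not assumed
    Get-AzureRmNetworkInterface -ResourceGroupName $ResourceGroupName -Name $NicName |
        Select-Object -ExpandProperty IpConfigurations |
        Select-Object Name, PrivateIpAddress, PrivateIpAllocationMethod
}

Set-NicPrivateIpStatic -ResourceGroupName 'rg-netscaler' -NicName 'nsvpx-nic0'   # assumed names
```

Run it right after the VM is deployed, before the appliance's own configuration is tied to the address.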

Friday, June 16, 2017

Can I connect multiple sites to the same policy-based Azure VPN gateway?

Now you can!
With the new Azure VPN gateways (https://azure.microsoft.com/en-us/blog/new-azure-vpn-gateways-now-6x-faster/) it is possible to connect multiple sites to one policy-based VPN gateway. This was not possible with the old VPN gateways.

Keep in mind that the new Azure VPN gateways do not address other policy-based VPN gateway limitations, such as integration with App Services and support for Point-to-Site VPNs.

What is maximum disk size for Virtual Machines in Azure?

You can have disks up to 4 TB in size for your virtual machines in Azure. This is four times more than before.
4 TB disks are available both managed and unmanaged.

Keep in mind that Azure Backup and Azure Site Recovery do not support 4 TB disks yet, but soon will.

https://azure.microsoft.com/en-us/blog/azure-introduces-new-disks-sizes-up-to-4tb/

Sunday, June 4, 2017

Calculating VM storage with Azure Pricing Calculator

The Azure Pricing Calculator is a frequently used tool when working with Azure, but it can be a little tricky.
For example, if you select a VM type, storage is already mentioned there:

The included storage is the temporary VM storage.
To calculate pricing for the OS disk and additional data disks, you must go to the storage pricing section and calculate storage there.

And remember, the default OS disk size for Azure Marketplace images is 128 GB.

Azure Public IP pricing explained

Here is a little insight into Azure Public IP pricing.
First a reminder that there are:

  • Static Public IPs. These don't change.
  • Dynamic Public IPs. These change if the resource attached to the IP is deallocated.

Public IP pricing is as follows:
1. A dynamic IP costs ~3 $/month
2. A static IP costs the same as a dynamic IP plus a reservation cost, which is also ~3 $/month
3. Also, the first 5 public IPs have no reservation cost.

Azure Backup Server and Windows Server 2016 support

Hello,

If you are using Azure Backup Server and need to install the Azure Backup Server agent on a Windows Server 2016 machine, you have the following options:

  1. If you are using Azure Backup Server v1 (based on DPM 2012 R2), then you need to apply KB3175529 on the Azure Backup Server, otherwise agent installation on the Windows Server 2016 machine will fail with error 347.
  2. If you have the latest Azure Backup Server v2, then it has built-in support for Windows Server 2016.

Friday, May 12, 2017

Windows Defender default exclusions in Windows Server 2016

If you enable antivirus on a server you always have to configure appropriate exclusions, so that the antivirus does not affect server performance.
In Windows Server 2016, Windows Defender has many default exclusions configured. For example, on a domain controller Windows Defender will not scan the Active Directory database files:
  • %windir%\Ntds\ntds.dit
  • %windir%\Ntds\ntds.pat

Windows Internal Database (WID) location

Windows Internal Database (WID) is a free version of SQL Server that can be used with some Windows Server roles, like WSUS and AD FS.

If you need to find the actual database files (.mdf and .ldf), then starting with Windows Server 2012 they are located in the %windir%\WID folder; its Data subfolder contains the .mdf and .ldf files.

Saturday, March 18, 2017

What is Azure VM maximum network throughput

Azure VM network throughput depends on the VM size; you can see the values on the Azure VM sizes documentation page.
Currently VMs have values of low, moderate, high, very high or extremely high.

Microsoft is promising that in April 2017 they will replace the current values with actual numbers, so we will be able to see the maximum VM bandwidth in Mbps or Gbps.

Wednesday, March 1, 2017

Get user password expiration date from Active Directory with Powershell

Here is a PowerShell script I used to get the following AD user information:

  1. When the user will have to change their password (msDS-UserPasswordExpiryTimeComputed attribute)
  2. When the user's password was last changed (passwordLastSet attribute)
  3. Whether Password Never Expires has been enabled for the user

and then output the information to a CSV file:

# Accounts with "Password never expires" carry Int64.MaxValue in msDS-UserPasswordExpiryTimeComputed,
# which [datetime]::FromFileTime cannot convert; those are left with an empty ExpiryDate instead of failing
Get-ADUser -Filter * -Properties DisplayName, "msDS-UserPasswordExpiryTimeComputed", PasswordLastSet, PasswordNeverExpires |
Select-Object -Property DisplayName,
    @{Name = "ExpiryDate"; Expression = { $t = $_."msDS-UserPasswordExpiryTimeComputed"; if ($t -and $t -lt [Int64]::MaxValue) { [datetime]::FromFileTime($t) } }},
    PasswordLastSet, PasswordNeverExpires |
Sort-Object -Property ExpiryDate | Export-Csv -Path C:\Output\passwords.csv -NoTypeInformation

Fix "The Trust relationship between this workstation and the primary domain failed" issue

If you log on to a domain workstation but get the error "The trust relationship between this workstation and the primary domain failed", it usually means that the computer account's password in the domain differs from the one the computer thinks it has, and you have to reset the computer account password.

To do this, log on to the computer with a local account, run PowerShell as administrator and execute this command:

Reset-ComputerMachinePassword -Server [DC-FQDN] -Credential [DOMAIN]\[USER]

where DC-FQDN is the name of a reachable domain controller and DOMAIN\USER is a user account that has permission to reset the computer account password.

Then reboot and you will be able to log on to the domain.
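The same fix wrapped in a check, as an added example that is not from the original post: Test-ComputerSecureChannel confirms the trust really is broken before the machine password is reset, and confirms it is repaired afterwards, so a different cause (a deleted or disabled computer object) is not masked by a reset that changes nothing. Run it from a local-admin PowerShell on the affected workstation; the DC name is an assumption.

```powershell
# Added example (not from the original post). The DC name is an assumption.
function Repair-MachineTrust {
    param(
        [string]$DomainController = 'dc01.contoso.com',   # assumed reachable DC
        [pscredential]$Credential = (Get-Credential -Message 'Account allowed to reset computer account passwords')
    )
    # Only reset when the secure channel is actually broken
    if (Test-ComputerSecureChannel -Server $DomainController -Credential $Credential) {
        return 'Secure channel is healthy; no reset needed'
    }
    Reset-ComputerMachinePassword -Server $DomainController -Credential $Credential
    if (Test-ComputerSecureChannel -Server $DomainController -Credential $Credential) {
        return 'Machine account password reset; reboot and log on with a domain account'
    }
    throw 'Secure channel still broken after reset; check that the computer object exists and is enabled'
}

Repair-MachineTrust
```

If the final check still fails, the problem is on the domain side (missing or disabled computer object, or the account used lacks the reset permission), not the local password.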

Restore SQL database backup

If you are having trouble restoring a SQL database from backup, try this SQL script (replace db_name and db_backup_path with your actual values):

-- Kick out other sessions so the restore is not blocked, then overwrite the existing database
ALTER DATABASE db_name SET SINGLE_USER WITH ROLLBACK IMMEDIATE
GO
RESTORE DATABASE db_name FROM DISK = 'db_backup_path'
WITH REPLACE
GO
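The same three statements driven from PowerShell, as an added example that is not from the original post. It adds the check a practitioner wants before WITH REPLACE: RESTORE VERIFYONLY validates the backup media first, so a corrupt file is caught before the live database is forced into SINGLE_USER and overwritten. It uses Invoke-Sqlcmd from the SqlServer module; instance, database and path are assumptions.

```powershell
# Added example (not from the original post). Requires the SqlServer module (Invoke-Sqlcmd).
function Restore-DbFromBackup {
    param([string]$ServerInstance, [string]$Database, [string]$BackupPath)
    # sqlcmd-style variables; quoting/bracketing travels in the value so the scripts below stay literal
    $vars = @("Db=[$Database]", "Bak=N'$BackupPath'")

    # 1. Validate the backup before touching anything; a bad file throws here
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master -Variable $vars -ErrorAction Stop -Query @'
RESTORE VERIFYONLY FROM DISK = $(Bak);
'@

    # 2. The script from the post, run from master so this session is not itself the blocker;
    #    MULTI_USER at the end makes sure nobody is locked out afterwards
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master -Variable $vars -ErrorAction Stop -Query @'
ALTER DATABASE $(Db) SET SINGLE_USER WITH ROLLBACK IMMEDIATE;
RESTORE DATABASE $(Db) FROM DISK = $(Bak) WITH REPLACE;
ALTER DATABASE $(Db) SET MULTI_USER;
'@

    # 3. Confirm the database is ONLINE and MULTI_USER again
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master -Variable $vars -Query @'
SELECT name, state_desc, user_access_desc FROM sys.databases WHERE name = PARSENAME('$(Db)', 1);
'@
}

Restore-DbFromBackup -ServerInstance 'SQL01' -Database 'AppDb' -BackupPath 'D:\Backup\AppDb.bak'   # assumed values
```

Because -ErrorAction Stop is set on the first two calls, a failed verification aborts the function before the ALTER DATABASE runs.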

Monday, February 27, 2017

How to find Azure VM resource limits

By default, Azure limits how many resources (for example, CPU cores) VMs can consume in a given Azure region. To see the limits and the current resource consumption, use this PowerShell command:

Get-AzureRmVMUsage -Location "West Europe"

(I am using the "West Europe" region; specify the one that is relevant to you.)
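The cmdlet above returns every counter; what you usually want before a deployment is the ones close to their limit. The function below is an added example, not from the original post, and wraps Get-AzureRmVMUsage to compute the percentage used and flag anything above a threshold.

```powershell
# Added example (not from the original post). Requires the AzureRm module and an active login.
function Get-AzureRmQuotaPressure {
    param([string]$Location = 'West Europe', [int]$WarnPercent = 80)
    Get-AzureRmVMUsage -Location $Location |
        Where-Object { $_.Limit -gt 0 } |            # skip counters with no limit set
        ForEach-Object {
            $pct = [math]::Round(100 * $_.CurrentValue / $_.Limit, 1)
            [pscustomobject]@{
                Resource = $_.Name.LocalizedValue   # e.g. "Total Regional vCPUs"
                Used     = $_.CurrentValue
                Limit    = $_.Limit
                Percent  = $pct
                Warn     = $pct -ge $WarnPercent
            }
        } | Sort-Object Percent -Descending
}

Get-AzureRmQuotaPressure -Location 'West Europe' | Format-Table -AutoSize
Get-AzureRmQuotaPressure | Where-Object Warn         # only the counters that need a quota request
```

A quota increase is a support request, not a setting, so it pays to see the Warn rows a few days before the deployment that will need them.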

Preview version of Azure Portal

To get an insight into features coming to the Azure Portal, log on to https://preview.portal.azure.com and you will be able to see all the upcoming features that are not yet available in the production Azure Portal.

Saturday, February 18, 2017

SOLVED: SCCM "Turn on" pre-release feature button is greyed out

If you want to turn on an SCCM pre-release feature, but go to Administration - Overview - Cloud Services - Updates and Servicing in the SCCM console and find that the button is greyed out, then you first have to consent to using pre-release features.

To do that, go to Administration - Overview - Site Configuration - Sites, select your site, open Hierarchy Settings and in the General tab click "Consent to use Pre-Release features".

After that you will be able to activate pre-release features:

Saturday, February 11, 2017

Step-by-step: How to inventory OS architecture with SCCM

Here is an easy way to inventory OS architecture with SCCM.

1. Extend the inventory. In the SCCM console go to Administration - Client Settings - Default Client Settings (or your custom settings) - Properties - Hardware Inventory - Set Classes, search for 'operating system' and select 'OS architecture'.

2. Make sure this client settings object is deployed to the computers. If you are using Default Client Settings, no action is needed.

3. Wait for the machine policy refresh and the subsequent hardware inventory cycle on the client.

4. Create a query:

select SMS_R_System.Name, SMS_G_System_OPERATING_SYSTEM.Caption, SMS_G_System_OPERATING_SYSTEM.OSArchitecture from SMS_R_System inner join SMS_G_System_OPERATING_SYSTEM on SMS_G_System_OPERATING_SYSTEM.ResourceId = SMS_R_System.ResourceId

5. You will get the following results:

Thursday, February 9, 2017

SHA1 thumbprint algorithm in certificates - is it secure?

Many of you have heard that the SHA1 algorithm is no longer secure as a certificate signing algorithm. It is considered so insecure that operating systems and browsers treat certificates signed with SHA1 as not secure and show warning messages.
But what about the thumbprint algorithm: is it okay that it is SHA1?

No worries there, this really is not a security hole: the thumbprint is a hash of the issued certificate used only to identify it more easily; it is not part of the signature that establishes trust. For example, you have a web server and have to add a certificate to enable HTTPS. The web server offers to choose certificates from the local store, but there are a few certificates with the same subject name. This is where you use the certificate thumbprint: to choose the correct certificate.
Also, to my knowledge, there is no way to change the thumbprint algorithm.
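The point above can be shown directly, as an added example that is not from the original post: the Windows thumbprint is nothing more than SHA-1 over the certificate's DER bytes, computed independently of whatever algorithm signed the certificate, and if a stronger identifier is wanted (for pinning or in documentation) a SHA-256 fingerprint can be computed over the same bytes. The script reads the first certificate in the machine Root store, which exists on any Windows box and needs no admin rights.

```powershell
# Added example (not from the original post). Uses only .NET hash classes and the Cert: drive.
function Get-CertificateFingerprints {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $sha1   = [System.Security.Cryptography.SHA1]::Create()
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    try {
        $der       = $Certificate.RawData   # the DER encoding the thumbprint is computed over
        $sha1Hex   = ([System.BitConverter]::ToString($sha1.ComputeHash($der)))   -replace '-', ''
        $sha256Hex = ([System.BitConverter]::ToString($sha256.ComputeHash($der))) -replace '-', ''
        [pscustomobject]@{
            Subject            = $Certificate.Subject
            SignatureAlgorithm = $Certificate.SignatureAlgorithm.FriendlyName   # what browsers judge
            StoreThumbprint    = $Certificate.Thumbprint                        # what Windows displays
            Sha1OfDer          = $sha1Hex                                       # recomputed; equals StoreThumbprint
            Sha256Fingerprint  = $sha256Hex                                     # a stronger identifier, if you need one
            ThumbprintMatches  = ($sha1Hex -eq $Certificate.Thumbprint)
        }
    }
    finally { $sha1.Dispose(); $sha256.Dispose() }
}

$cert = Get-ChildItem Cert:\LocalMachine\Root | Select-Object -First 1
Get-CertificateFingerprints -Certificate $cert | Format-List
```

ThumbprintMatches comes out True for every certificate, whatever SignatureAlgorithm says, which is exactly the separation the post describes: the signature algorithm is a property of the certificate, the thumbprint is a property of how Windows indexes it.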

Sunday, January 29, 2017

Audit who made changes to WSUS configuration

If you need to find out which admin made changes to the WSUS configuration, the first place to look is %programfiles%\Update Services\LogFiles\Change.log

There you will see an entry showing which user made the change, but the specific configuration change will not be written:
(I am using the SCCM CMTrace tool to view the log)


How to fix "Scan failed with error = 0x8024401c" error on Windows 10 v1607 clients

If your Windows 10 v1607 machines get the "Scan failed with error = 0x8024401c" error in WUAHandler.log when performing an SCCM software updates scan, then most likely you need to install KB3159706 on your WSUS server.

And don't forget to perform the steps described in the "Manual steps required to complete the installation of this update" section of the KB.

Friday, January 27, 2017

How to perform SCCM Updates full synchronization

To perform a full SCCM updates synchronization, place a file called FULL.SYN in the .\inboxes\wsyncmgr.box folder of the SCCM install directory.

It looks like this:

A few seconds after such a file is created, SCCM will start a full updates synchronization. You can monitor the process in WSYNCMGR.log, which is located in the Logs folder of the SCCM install directory.

Thursday, January 26, 2017

Script to completely uninstall Microsoft Intune client

Here is a script to completely uninstall the Microsoft Intune client. Just put these lines in a .cmd file and run it as administrator:

wmic product where name="Microsoft Endpoint Protection Management Components" call uninstall
wmic product where name="Microsoft Intune Notification Service" call uninstall
wmic product where name="System Center 2012 - Operations Manager Agent" call uninstall
wmic product where name="Microsoft Online Management Policy Agent" call uninstall
wmic product where name="Microsoft Policy Platform" call uninstall
wmic product where name="Microsoft Security Client" call uninstall
wmic product where name="Microsoft Online Management Client" call uninstall
wmic product where name="Microsoft Online Management Client Service" call uninstall
wmic product where name="Microsoft Easy Assist v2" call uninstall
wmic product where name="Microsoft Intune Monitoring Agent" call uninstall
wmic product where name="Windows Intune Endpoint Protection Agent" call uninstall
wmic product where name="Windows Firewall Configuration Provider" call uninstall
wmic product where name="Microsoft Intune Center" call uninstall
wmic product where name="Microsoft Online Management Update Manager" call uninstall
wmic product where name="Microsoft Online Management Agent Installer" call uninstall
wmic product where name="Microsoft Intune" call uninstall
wmic product where name="Windows Endpoint Protection Management Components" call uninstall
wmic product where name="Windows Intune Notification Service" call uninstall
wmic product where name="System Center 2012 - Operations Manager Agent" call uninstall
wmic product where name="Windows Online Management Policy Agent" call uninstall
wmic product where name="Windows Policy Platform" call uninstall
wmic product where name="Windows Security Client" call uninstall
wmic product where name="Windows Online Management Client" call uninstall
wmic product where name="Windows Online Management Client Service" call uninstall
wmic product where name="Windows Easy Assist v2" call uninstall
wmic product where name="Windows Intune Monitoring Agent" call uninstall
wmic product where name="Windows Intune Endpoint Protection Agent" call uninstall
wmic product where name="Windows Firewall Configuration Provider" call uninstall
wmic product where name="Windows Intune Center" call uninstall
wmic product where name="Windows Online Management Update Manager" call uninstall
wmic product where name="Windows Online Management Agent Installer" call uninstall
wmic product where name="Windows Intune" call uninstall

Tuesday, January 24, 2017

How to find the AD user password expiration date

If you want to know when an AD user's password will expire, check the msDS-UserPasswordExpiryTimeComputed attribute. To find this attribute:
1. Open the "Active Directory Users and Computers" console and enable View -> Advanced Features
2. Find the user, click Properties, and select the Attribute Editor tab
3. Find the msDS-UserPasswordExpiryTimeComputed attribute; to see it, make sure Constructed is selected in the Filter section.

You cannot manage Intune with Microsoft Edge browser

Microsoft Intune's new portal (manage.microsoft.com) currently does not support Microsoft's latest browser, Edge.
If you open it with Edge, the following error appears:

Tuesday, January 10, 2017

VM live migration fails using SCVMM 2012 with error 0x8007274D

If you are using SCVMM 2012 and try to migrate a VM from one cluster to another, the migration will probably fail with error 0x8007274D.
The extended error message is:
Migration check for virtual machine <serverName> failed to create a planned virtual machine in the target host.  Detailed error message: The Virtual Machine Management Service failed to establish a connection for a Virtual Machine migration with host serverName.contoso.com: No connection could be made because the target machine actively refused it. (Ox8007274D).

To solve this, go to the destination host in SCVMM, select Properties and under Migration Settings choose "Use any available network":

The issue is explained in KB article KB2853203.