Tuesday 1 October 2013

Microsoft Most Valuable Professional (MVP) Award

Well, didn't today make me smile with pride.

Busy working away when this e-mail landed in my inbox...


This is my first year that I've been awarded this and I hope all the blogging, tweeting and book writing has been useful and helped at least a few people.

No time to rest on my laurels now... more content and books to come!

Regards,
Steve Beaumont / MVP
Technical Director / PowerONPlatforms
Twitter: @StevybSC
Blog: http://systemscentre.blogspot.com/
Community: http://cloudoscommunity.com/

SCOM Console Install on VMM Server Causes Service Crash

Had a strange one today.

Customer had tried previously to set up the connection between VMM and SCOM but made some mistake somewhere along the line, and then uninstalled the SCOM console without removing the connection, as they said the console was causing the VMM service to constantly crash.

Having not seen that behaviour before and slightly doubting it somewhat I re-installed the console and sure enough was prevented from accessing the VMM console as the service was crashing.

Just as an added check, I tried running some PowerShell commands to check it wasn't a GUI issue, only to be greeted by error messages complaining that the VMM service wasn't running or accessible.

So I uninstalled the console again which allowed me access back to VMM and running the Get-SCOpsMgrConnection showed me the broken connection.  However attempts to remove via the console or PowerShell were both met by errors telling me I needed the SCOM console installed first in order to manage the connection.  Arh.. slight problem...

After checking everything I could think of (SPN's, SCP's, Service Accounts etc etc) and not finding anything that stood out (Including nothing useful in the event logs) I thought I'd try a timing trick.

So I opened up a SCVMM PowerShell window ready, kicked off the SCOM console install again and then repeatedly spammed Remove-SCOpsMgrConnection -Force and wouldn't you know it after a few messages saying the SCOM console must be installed, just before the install completed the command completed successfully and removed the broken connection.  More to the point the SCOM console installation completed and the VMM service didn't crash.

After recreating the connection everything remained stable, but even though the create connection job ran successfully, the following error was present in the connector details:

“Operations Manager discovery failed with error: “Exception of type ‘Microsoft.VirtualManager.EnterpriseManagement.common.discoverydatainvalidrelationshipsourceexceptionOM10’ was thrown.

This is because the SCOM connection was created with the PRO-Tips enabled but without a SCOM monitoring agent deployed to the VMM Server.
Easily fixable, just untick the PRO and Maintenance Mode connection settings, deploy a SCOM agent to the VMM server and once the agent is installed and reporting, re-enable the options.

Monday 30 September 2013

Offload Data Transfer (ODX) in Windows Server 2012

I've been working on a nice Dell R720 host based Hyper-V cluster this week with a Dell Compellent array providing the storage.

One of the things I was looking forward to with this job was getting hands on with the ODX feature of the Compellent.

ODX (Offload Data Transfer) is a feature found on some of the newer storage arrays that helps with large file operations by (in simplified terms) keeping the transfers within the array rather than passing the file to the source then destination servers then back to the array.

The first thing to do (assuming you know the hardware supports it) would be to check that the OS and its software components support ODX.

Now this is a Windows Server 2012 and 2012 R2 only feature so if you're on 2008 R2, time to upgrade.

From a PowerShell prompt, run the following command:
Fltmc instances



Take a note of the volume name of either the drive, or in my case the CSV volume you want to check.  Then run:
Fltmc instances -v <Volume Name>

e.g. Fltmc instances -v C:\ClusterStorage\Volume1


This will give you the filter names that you will need to check.
Run this command, replacing the <Filter Name> with those shown by the previous command.

Get-ItemProperty hklm:\system\currentcontrolset\services\<FilterName> -Name "SupportedFeatures"

So for my two filters of FsDepends and MpFilter I get the following output:


The property that needs checking is "SupportedFeatures".  If this has a value of 3 then ODX is supported and you're good to go.  Anything else and you'll need to look into it further.

Lastly, check if ODX is enabled on your server using this command:
Get-ItemProperty hklm:\system\currentcontrolset\control\filesystem -Name "FilterSupportedFeaturesMode"

If it returns a "FilterSupportedFeaturesMode" other than 0 as shown below then ODX isn't enabled.


Run this to enable ODX:
Set-ItemProperty hklm:\system\currentcontrolset\control\filesystem -Name "FilterSupportedFeaturesMode" -Value 0 -Type DWord


Or this to disable ODX if needed:
Set-ItemProperty hklm:\system\currentcontrolset\control\filesystem -Name "FilterSupportedFeaturesMode" -Value 1 -Type DWord
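
The checks above rolled into one script, as an added example rather than code from the original post: it reads the filters attached to a volume, tests each one's SupportedFeatures for the value 3, and reports FilterSupportedFeaturesMode. The function names and the sample fltmc text are constructed for illustration, and the parser assumes the filter name is the first column of each row under the dashed header line.

```powershell
# Added example, not from the original post. Run from an elevated prompt.

# Pull the filter names out of "fltmc instances -v <volume>" output.
# Assumption: every non-blank row after the dashed separator starts with the filter name.
function Get-FilterNameFromFltmc {
    param(
        [Parameter(Mandatory = $true)]
        [AllowEmptyString()]          # fltmc output contains blank lines
        [string[]]$FltmcOutput
    )
    $inTable = $false
    foreach ($line in $FltmcOutput) {
        if ($line -match '^\s*-{3,}') { $inTable = $true; continue }
        if ($inTable -and $line.Trim()) { ($line.Trim() -split '\s+')[0] }
    }
}

# One row per check: each filter's SupportedFeatures, then the server-wide mode.
function Test-OdxReadiness {
    param([Parameter(Mandatory = $true)][string]$Volume)

    $filters = Get-FilterNameFromFltmc -FltmcOutput (fltmc.exe instances -v $Volume) |
        Select-Object -Unique

    foreach ($name in $filters) {
        $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        $value = (Get-ItemProperty -Path $key -Name SupportedFeatures `
                      -ErrorAction SilentlyContinue).SupportedFeatures
        [pscustomobject]@{
            Check = "Filter $name SupportedFeatures"
            Value = $value
            OdxOk = ($value -eq 3)    # 3 = filter supports ODX
        }
    }

    $fsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
    $mode  = (Get-ItemProperty -Path $fsKey -Name FilterSupportedFeaturesMode `
                  -ErrorAction SilentlyContinue).FilterSupportedFeaturesMode
    [pscustomobject]@{
        Check = 'FilterSupportedFeaturesMode'
        Value = $mode                 # a missing value shows as empty; check it by hand
        OdxOk = ($mode -eq 0)         # 0 = ODX enabled
    }
}

# Constructed sample of fltmc output (values illustrative) to exercise the parser offline.
$sample = @'

Filter                Altitude      Instance Name
--------------------  ------------  ----------------------
FsDepends             407000        FsDepends
MpFilter              328000        MpFilter Instance
'@ -split "`r?`n"
Get-FilterNameFromFltmc -FltmcOutput $sample

# Live check against the CSV volume used in the post.
Test-OdxReadiness -Volume 'C:\ClusterStorage\Volume1' | Format-Table -AutoSize
```

Any row with OdxOk set to False is the one to look into further before running the timing test.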

In order to demonstrate to the client that ODX was indeed enabled and, more to the point, worth having, I modified the script that Hans Vredevoort shows in his blog post discussing ODX testing between 3Par and Compellents here: http://www.hyper-v.nu/archives/hvredevoort/2013/07/notes-from-the-field-using-odx-with-hp-3par-storage-arrays/

I ran the script which loops through creating 10 x 50Gb and 10 x 475Gb fixed disks with ODX enabled and then does the same but with ODX disabled.

These were the timings from the test:

With ODX
12.6 seconds for 10 x 50Gb vhdx files
84.2 seconds for 10 x 475Gb vhdx files
96.8 seconds total for all vhdx files

Without ODX
1015.5 seconds (nearly 17 mins) for 10 x 50Gb vhdx files
8615.8 seconds (just over 2 hours) for 9 x 475Gb vhdx files (N.B. I ran out of disk space for the 10th)
9631 seconds or 2.7 hours total for all vhdx files
 


There is a MASSIVE difference in creation times!

ODX is a feature well worth having in my opinion.  What I really can't wait for is ODX support with SCVMM libraries in the SCVMM 2012 R2 release!!


I've uploaded the ODX Test script to SkyDrive here: http://sdrv.ms/16QhZZE

Thursday 26 September 2013

Using PowerShell CIM Sessions to Query Dell Hardware

I've been "playing" with some Dell hardware recently and as with everything I like to try and automate as many tasks as possible.

Dell have a really useful tool called Racadm which is a command line utility which you can call from a script to read and write various properties of Dell iDRAC and CMC (Chassis Management Controller).

However, since the latest iDRAC and CMC are built around WSMAN and DMTF standards, I prefer a more PowerShell only approach.

The key PowerShell command for querying is Get-CimInstance. Before we can use this command however we first need to establish a remote CIM Session to the hardware.

This is accomplished by using the New-CimSession and New-CimSessionOption cmdlets.

So...
Use some variables to store the IP, username and password for the iDRAC
$UserName="root"
$Password="calvin"

$DracIP="10.10.0.120"

Convert the username and password into a PS Credential
$SecurePass = ConvertTo-SecureString $Password -AsPlainText  -Force
$DracCred = new-object -typename System.Management.Automation.PSCredential -argumentlist $UserName,$SecurePass


We can then create a new CimSessionOption object; for the Dell hardware the options below work nicely
$cimop=New-CimSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck -Encoding Utf8 -UseSsl

Then using the above variables and new session object we can create a new CIM session to the iDRAC
$Dracsession=New-CimSession -Authentication Basic -Credential $DracCred -ComputerName $DracIP -Port 443 -SessionOption $cimop -OperationTimeoutSec 10000000


Once we have the session established, we can then use the Get-CimInstance cmdlets to query various properties by passing in a WSMAN/WinRM ResourceURI.

For example, if we just wanted to query the general BIOS properties, we could use the following URI: http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/root/dcim/DCIM_SystemView

That would form the following command (cmdlet - session - resourceuri):
Get-CimInstance -CimSession $Dracsession -ResourceUri "http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/root/dcim/DCIM_SystemView"

Which supplies information like this:



This way if you assign the object to a variable ($BIOSINFO=Get-CimInst ...) then we can pull out specific items within scripts:



Again, you can do similar things with other hardware properties, for example I can use the resource URI for getting the network card information from a server (http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/root/dcim/DCIM_NICView)

Drop this into a command:
$NICS=Get-CimInstance -CimSession $Dracsession -ResourceUri "http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/root/dcim/DCIM_NICView"

... and now we can get the various MAC Addresses of the various NICs
$NICS[0].PermanentMACAddress
$NICS[1].PermanentMACAddress
...
$NICS[6].PermanentMACAddress
$NICS[7].PermanentMACAddress



Hmm... Useful for SCVMM Bare Metal deployment scripting maybe?
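
A variant of the session setup above that prompts for the credential instead of storing it in the script and leaves certificate validation switched on (the -SkipCACheck, -SkipCNCheck and -SkipRevocationCheck switches turn it off), then lists every NIC in one pass. This is an added example, not code from the original post; idrac01.lab.example is a placeholder host name, the iDRAC is assumed to present a certificate issued by a CA this machine trusts, and the FQDD property is assumed from Dell's DCIM_NICView profile.

```powershell
# Added example, not from the original post.
# Assumptions:
#   - idrac01.lab.example is a placeholder that matches the subject name
#     on the iDRAC's certificate.
#   - That certificate chains to a CA trusted by this machine and its
#     revocation list is reachable. With the factory self-signed
#     certificate the session fails validation instead of connecting.

function Get-DracNicInventory {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$DracHost,

        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential]$Credential
    )

    $nicUri = 'http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/root/dcim/DCIM_NICView'

    # TLS with full certificate validation: none of the -Skip* switches are set.
    $option  = New-CimSessionOption -UseSsl -Encoding Utf8
    $session = New-CimSession -ComputerName $DracHost -Port 443 `
                   -Authentication Basic -Credential $Credential `
                   -SessionOption $option -OperationTimeoutSec 60 `
                   -ErrorAction Stop
    try {
        # One object per NIC port, whatever the number of ports.
        Get-CimInstance -CimSession $session -ResourceUri $nicUri -ErrorAction Stop |
            ForEach-Object {
                [pscustomobject]@{
                    Drac                = $DracHost
                    FQDD                = $_.FQDD                 # assumed property name
                    PermanentMACAddress = $_.PermanentMACAddress
                }
            }
    }
    finally {
        # Always close the session, even if the query throws.
        Remove-CimSession -CimSession $session
    }
}

# Prompt for the iDRAC account so the password never sits in the script.
$cred = Get-Credential -Message 'iDRAC account'

Get-DracNicInventory -DracHost 'idrac01.lab.example' -Credential $cred |
    Sort-Object FQDD |
    Format-Table -AutoSize
```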

The only thing that I struggled with in this very simple method of querying the hardware for info was the resource URI needed.

Well to help with this, the following bits of information from Dell are a godsend:

DCIM Profile Library
http://en.community.dell.com/techcenter/systems-management/w/wiki/1906.dcim-library-profile.aspx

WinRM WebServices for Lifecycle Controller
http://en.community.dell.com/techcenter/extras/m/white_papers/20066174.aspx


Next time I'll post about using PowerShell to set the values rather than just query them.

Microsoft System Center 2012 Orchestrator Cookbook

Better late than never...
In the last few days of August, Packt released the latest book I've had the pleasure of co-authoring.

The book is stocked by all major online retailers, below are the links for Packt and Amazon (UK)
http://www.packtpub.com/microsoft-system-center-2012-orchestrator-cookbook/book
http://www.amazon.co.uk/Microsoft-System-Center-Orchestrator-Cookbook/dp/1849688508/


Book Outline
In Microsoft System Center 2012 Orchestrator Cookbook you will learn how to plan, create, and manage powerful runbooks to help you automate mission critical and routine administration tasks.
In this practical Cookbook you will learn how to master System Center 2012 by creating runbooks to control and automate every feature possible. You will start by learning how to efficiently install and secure System Center Orchestrator.

You will then learn how to plan and create functional and fault-tolerant System Center runbooks to automate daily tasks and routine operations. Diving deep into runbooks, you will learn how to create powerful and practical runbooks for the entire System Center family of products.
Unleashing your inner control freak, you will then master System Center automation by creating IT Service Management process runbooks and advanced runbooks to help you control every feature imaginable of System Center. If you want to save time and energy automating mission critical tasks with System Center 2012 Orchestrator, then this book is for you!

Approach
This book is written in a practical, Cookbook style with numerous chapters and recipes focusing on creating runbooks to automate mission critical and everyday administration tasks.

Who this book is for
System Center 2012 Orchestrator is for administrators who wish to simplify the process of automating systems administration tasks. This book assumes that you have a basic knowledge of Windows Server Administration, Active Directory, Network Systems, and Microsoft System Center technologies.

Saturday 21 September 2013

Converting a WIM file to VHD on a UEFI system

I always use the excellent Convert-WindowsImage.ps1 script by Mike Kolitz for taking the WIM files from the Windows media and converting them into bootable VHD files.  It's the quickest and easiest way for creating VM Templates in SCVMM.

The script can be found here: http://gallery.technet.microsoft.com/scriptcenter/Convert-WindowsImageps1-0fe23a8f/

However, I ran into a problem today with the script throwing an error about "Could not get the BootMgr object from the Virtual Disks BCDStore"


It turns out from a couple of replies in the discussion thread of the TechNet Gallery listing that this will generally happen if trying to run the script from a device that uses UEFI to boot, which I happen to be doing.

Thankfully the fix is relatively easy, you just need to modify the script slightly.

  1. Do a search in the script for $bcdBootArgs which is usually first referenced at line 4055
  2. On the line a couple below (usually 4057) change the following
    "/s $Drive" modify to "/s $Drive /f ALL"
This tells the BCDboot.exe command to create boot entries to enable the vhd(x) to boot for both BIOS and UEFI systems.
http://technet.microsoft.com/en-us/library/dd744347(v=WS.10).aspx

Save the script and you're good to go!

 

Wednesday 11 September 2013

Cloud OS Week - Empower People Centric IT

As part of the Microsoft Cloud OS Week, Thursday will be the day for learning about everything "desktop" related and how Microsoft can help you shift from looking at managing devices to how you can empower your users with self-service and a seamless experience across devices.

I've been lucky enough to be asked to help out on the day and take over the Virtual Desktop Infrastructure and Remote Desktop Services in Windows Server 2012 session.

http://www.eventbrite.com/event/7530739645/es2/?rank=1

If you're not already signed up to attend the session, I definitely recommend signing up quick and attending as it's sure to be a brilliant day packed full of information from some brilliant MVP's!

Friday 30 August 2013

Why is Microsoft System Center 2012 Service Manager not in the Gartner Magic Quadrant?

Shaun Ericson from Cireson posted an interesting article the other day, discussing why Service Manager doesn't appear in Gartner's Magic Quadrant alongside other staple service desk vendors such as LanDesk, BMC, Hornbill etc.

You can find the post here:
http://www.cireson.com/business/why-is-microsoft-system-center-service-manager-scsm-not-on-the-gartner-magic-quadrant/

This has also started some discussions on LinkedIn which you can find here:
http://www.linkedin.com/groups/Why-is-SCSM-not-on-3981211.S.268959967

Kathleen Wilson on that discussion raises a very good point. a) You have to pay to be ranked b) What benefit/ROI will being ranked give Microsoft & Service Manager?

While I do feel it a shame that SCSM isn't on the Quadrant, purely down to the solution being more than capable of holding its own against the other competitors, I'm not so sure adding it would bring much more value.

As Shaun says in his post, the overall approach with SCSM is different from a normal call logging system.  SCSM is designed to be the beating heart of your Service Management process and is there to offer unparalleled links into the other System Center components and help drive down your IT costs and time by automating all those mundane/time consuming tasks and delivering customer focused self-service.

What do you think?  Read Shaun's post and then join in the discussion on LinkedIn.

Wednesday 28 August 2013

System Center 2012 - Lab Setup Notes

I was looking back through my draft posts that I never got round to fully finishing the other day and found a list post with tips in that I was jotting down while rebuilding the lab just after SP1 went RTM.

Tip #1 - Server Core/Firewall
I choose to use Server 2012 Datacenter Core for the Hyper-V hosts in the cluster.  Good practice, more secure, less reboots etc etc...
However, if you're still learning the ins and outs of PowerShell as I am it can prove a challenge sometimes to tweak all of the settings just as you want them. #1 being firewall rules.

In hindsight, a group policy setting the rules before deployment would have gone a long way to help.

I also went through them and added in all the firewall rules I'd need for the various System Center and SQL components.

Tip #2 - Live Migration
Had I been physically located in the office (I got kicked out at 19:00) then moving the DC & SCVMM to the cluster might have been relatively easy.
When working remotely, connected to SCVMM it's a little more challenging, especially when SCVMM refuses to Live Migrate from the temporary Hyper-V host to the Cluster.

Remember - to Live Migrate using Shared Nothing LM, the Hyper-V hosts must all be members of the domain (I'd left the temp server in workgroup as it was only supposed to be there for a couple of hours!)

Tip #3 - VM's & Clusters
I build some virtual machines to cluster (1 SQL cluster & 1 File Server Cluster) as part of the core infrastructure.  I'd had some issues before with VM's being clustered but put it down to my old lab environment.  Well I ran into the same issue again.

Basically the cluster wizard kept timing out when trying to add the nodes to the cluster.  It would create a cluster with a single node fine showing that permissions etc were fine.

The stranger bit came when I migrated both VM nodes to the same physical host and they joined the cluster fine straight away, yet broke the cluster each time one was on a separate physical host.

I came across a TechNet forum post discussing the issue here and then reached out to Twitter.
Thankfully, Hans Vredevoort @hvredevoort came back with a reply confirming I wasn't going mad.

It looks like an issue with certain NICs (I have Broadcom and Intel in my hosts).  Hans thinks that Intels work ok so when I get chance I'll drop the Broadcom from my team and try again.

Tip #4 - Deployment Order
Microsoft have an official upgrade sequencing order here but for deployment it's not so strict.  However my approach is:
  • Virtual Machine Manager (VMM)
  • App Controller
  • Configuration Manager
  • Orchestrator
  • Operations Manager
  • Service Manager
  • Data Protection Manager (DPM)
VMM goes in first, closely followed by App Controller so that I can build the Service Templates that I use for deploying the rest.



Configuration Manager next so that we can get clients out for deploying software updates/pre-reqs and inventory the systems.

Next Orchestrator and SCOM as we'll be linking them into both SCVMM and SCSM

Then Service Manager last so we can consume the information from the other components and start to build the service catalog.

Oh, I forgot DPM... meh...

Tip #4a Deployment Order - Updates
I was talking to Sam Erskine the other day and he mentioned he hit an issue when installing Update Rollup 2 for Service Manager to the Data Warehouse and wondered if I could replicate it.

Well I did.

It looks like if you do a fresh installation of SCSM SP1 and then apply Update Rollup 2 before registering the Data Warehouse, the install will fail with the error:

An error occurred while executing a custom action:_PatchMP

Easy fix, register the DW from the console and wait for management pack sync jobs to finish (This will take a while!!) and then run UR2 again for it to succeed.

Tip #5 Account Preparation
Deploying all the System Center Components requires a fair few domain accounts if you're doing it right and not just using Local System or the same account for everything.

Use my previous blog post here on Service Accounts as a starter and prepare all the accounts in advance.  Use something like KeePass to store the accounts and their passwords to make it easier for yourself during deployment.

Tip #6 SCSM Portal
9 times out of 10 after the install you'll be presented with a blank middle pane or can't even get near the portal without being prompted for credentials constantly.

Credentials - Login as a user with SharePoint farm admin rights to the portal then use the Site Settings option in the top left to edit the site permissions to grant something like Domain Users read access.


 
If the content area is blank, chances are the URL doesn't match what it expects for the webcontent.  I used a DNS alias http://ServiceDesk to point to the IP of the server hosting my SM Portal, but the webcontent URL during setup was set to the server NetBIOS address.  Same thing applies if trying to use the FQDN most times.
 
Use IIS Manager to browse to the "Service Manager Portal" site and choose "Application Settings"
 
 
Edit SMPortal_WebContentServer_URL and modify the value to reflect the URL you are trying to connect to (and which matches your certificate if using SSL!)
 
 
 
Tip #7 Orchestrator Users Group & Cloud Services Process Pack
I went to install the Cloud Services Process Pack (CSPP) and hit an error during install that I've seen a few times and still annoys me no end.

During the install of Orchestrator you're prompted to select a group to use to control access to Orchestrator.  It defaults to a local group, but as best practice it's best to change this to a domain account (as it says on the setup wizard).

However I've seen a few times where it still insists on looking for a local group with direct membership; the CSPP is a prime example of this and it's hard coded into the install.

Manually create a local group called OrchestratorUsersGroup and add the account you're installing the CSPP with to that group, re-run the setup wizard and it will allow you to proceed with the install.

Tip #8 SCOM Product Key
All the System Center 2012 setup wizards prompt you for the key during setup to ensure they don't install in eval mode.  Some can be converted from eval to fully licensed after install but watch out for Service Manager as this can't.

SCOM however, doesn't prompt you for a key.  Licensing SCOM is done via an Operations Manager Shell PowerShell command after install.

Rather annoyingly, if you open the shell without elevation it tells you that you don't have permission to the registry.


Yet if you run the shell elevated, you get messages that you can't load the PS Modules.


Quick and dirty, in the elevated shell type the following to load the modules:

cd\
cd '.\Program Files\System Center 2012\Operations Manager\Powershell\OperationsManager'
.\Functions.ps1
.\Startup.ps1

Then use this command to set the product key:

Set-SCOMLicense -ProductId "yourlicensekey"

Success!

 

Tip #9 - Where's my Runbooks
Sometimes the web console will fail to show any runbooks or the SCSM connector will return no runbooks after a sync.

The quick fix for this is to run the following query from SQL Management Studio connected to the Orchestrator database:
TRUNCATE TABLE [Microsoft.SystemCenter.Orchestrator.Internal].AuthorizationCache

You may also find this query useful, which will run a stored procedure to clear the auth cache every 10 minutes if it keeps reoccurring:
EXEC [Microsoft.SystemCenter.Orchestrator.Maintenance].EnqueueRecurrentTask 'ClearAuthorizationCache'


Tip #10 - Don't Deploy a Site Role to manage.microsoft.com
When extremely tired and you've not had enough relentless at 3am, it's often not a good idea to be making configuration changes to System Center...

I accidentally placed the Application Catalog Web Service Point site role on the manage.microsoft.com site server that is added to the CM console when you have an Intune connector setup.

Nothing within the console checks and stops you from doing this and to make matters worse, it won't then allow you to remove the role from the console.

However, these two lines of PowerShell run from a ConfigMgr PS Session should sort it out.

$web = Get-CMApplicationCatalogWebServicePoint
Remove-CMApplicationCatalogWebServicePoint -InputObject $web -force



 

System Center 2012 Configuration Manager SP1 and Windows Intune - Configuring the Exchange Connector

This is a post in a series of posts on Windows Intune and the new integration capabilities found in System Center 2012 SP1 Configuration Manager.  The other posts can be found here.

This post will show you how to establish a connection between Configuration Manager and your E-Mail Service.

For this example I’ve actually chosen to connect ConfigMgr into my Office 365 account as I made the decision not to have local infrastructure where possible in the lab.

Why would you want to connect ConfigMgr to your Exchange/Office 365 environment?  Well while iOS and Windows Phone utilise direct MDM management, Android doesn’t have a native MDM capability for controlling settings (That is until Intune Wave F is available later this year), but it does allow configuration via ActiveSync policies.

  • From within the ConfigMgr admin console, navigate to the Administration node | Expand Hierarchy Configuration | Click on Exchange Server Connectors
  • Click on Add Exchange Server on the Ribbon
  • Either choose On-premise Exchange Server or Hosted Exchange Server and supply the information of where to connect to.
    For an on-premise exchange this can be either the FQDN of the Exchange server or a URL to the PowerShell component.
    For Office365 (Hosted Exchange Server) use this URL - https://ps.outlook.com/PowerShell-LiveID
  • Click Next
  • On the Account section either select an existing account if you have one setup already with the relevant permissions, or create a new one.  Take a note of the PowerShell cmdlets the account is required to be able to run.

    The following Exchange Server management roles include these cmdlets: Recipient Management; View-Only Organization Management; and Server Management.

    If you try to install or use the Exchange Server connector without the required cmdlets, you will see an error logged with the message Invoking cmdlet <cmdlet> failed in the EasDisc.log log file on the site server computer.

    There is a script available on the TechNet Gallery by Stephan Schwarz that will help with granting these permissions - http://gallery.technet.microsoft.com/office/Configure-Exchange-cmdlet-c4f2affd
  • Click Next
  • Choose a schedule for how often you would like for synchronisation to occur, as with everything, be mindful of extra load you may place on both your site server and Exchange.
  • Choose to ignore inactive devices based on how long they have been inactive if you wish
  • If you’ve chosen an on-premise Exchange connection you can filter down the discovery more, if like me you’ve chosen Office365 hosted Exchange then you cannot.
  • Click Next
  • On the Settings tab, you can choose at this point to either leave the policies that are applied to the mobile devices to be assigned by Exchange, or choose the Edit button for a relevant group of settings and modify the policy.

    Be aware that the settings applied through ConfigMgr will take precedence over the Exchange ActiveSync policies.
  • Click Next
  • Review the Exchange connector settings in the Summary tab and click Next
  • The connector should complete successfully and show the result.  Review and then click Next

Friday 23 August 2013

Cloud OS Community

If anyone wonders why the post count on here has been exceptionally quiet of recent it's due to a combination of things such as being busy at work and vacation time.

Also, I've been doing some posting across on http://cloudoscommunity.com

This is a new and upcoming community site for anything related to Microsoft's Cloud OS and I really do recommend you check it out and get involved!

Don't worry though, I'll aim to post some more bits here and will probably cross post between the sites too.

SB

Friday 12 July 2013

Using O365 without On-Premise Exchange with System Center 2012 Orchestrator

I was checking over some Runbooks today in my lab and one failed when it hit the send e-mail activity.  Odd I thought and then it dawned on me that when I re-installed the lab a month or so back I didn't re-implement exchange as I went for a full Office 365 play.

Great, here comes the task of setting up SMTP e-mail relays, unless... will Orchestrator work directly with O365 using just the Send Email Activity?

It turns out it does and really simply too.

On the Send Email activity properties, fill out the information on the Details tab.

N.B. Make sure you untick the Task fails if an attachment is missing option if you're not putting an attachment on the mail.


On the Advanced tab enter the email username and password for the account you created in Office 365 that will be used for sending e-mail from Orchestrator.

You can leave the Domain field blank


Logon to Office 365/OWA as the Orchestrator e-mail account, click on the Options button and then About.

Make a note of the Server name and Port as highlighted in the screen shot below (pod51016.outlook.com in this example)


Enter this information into the Connect tab, along with the e-mail account you've set up for Orchestrator to send from


Make sure the Enable SSL option is ticked, otherwise you will get an error in Orchestrator informing you that the SMTP server requires a secure connection.




Check your Runbook in and give it a test run.
If it's set up correctly then this time you should see it succeed.


And voilà, you should end up with e-mails being sent to/from Office 365 without the need for any on-premise Exchange or SMTP relay.




Another, simpler method, is to use the Exchange User Integration Pack.

With this IP installed, you can configure the server to use (again the details from OWA) along with the e-mail and password by going to the Options menu and choosing Exchange User.


Then drag a Create and Send E-Mail activity to your runbook and provide at least the e-mail address to send a mail to, the subject and the body.  Other options are available such as priority and attachments via the Optional Properties... button.

 
Again, another successful e-mail can now be sent.
 
 


Thursday 11 July 2013

Windows Server 2012 Server Manager "Red Services"

I've been using Server 2012 heavily now since release and in particular the new Server Manager that's thrown in your face whenever you log into a server I've come to find very useful.

However... One thing that always niggled me is by default it alerts you to EVERY service known to man that is stopped.  This is brilliant for alerting you to services that really should be running but it also catches one service in particular that will 99% of the time always be stopped but is set to a startup type of Automatic, the Shell Hardware Detection Service.

The behaviour of this service was modified in Server 2008 to stop when a user logs off to reduce the attack surface.

This results however in a default sea of red for your console.

 
The fix for this is very simple really.
 
Click the Services link in the offending dashboard box, usually the All Servers one.
Drop the list of Services down and look for Shell Hardware Detection and untick it.
 
 
And there we go, a nice filtered display, hopefully green.  At least now when it goes red you know there is actually something that needs attention!

 
This setting will also be saved so you don't have to do this every time you open Server Manager.

Wednesday 3 July 2013

Adding an Azure subscription to App Controller - Service Unavailable

I noticed today that I hadn't re-added my Windows Azure subscription to my App Controller deployment in my testlab and so clicked the link on the overview page to add it back.
After entering the relevant details such as Subscription ID, Certificate pfx file and password, I was greeted by a not too helpful error message of "Service Unavailable" with no further details.

 
After scratching my head and trying several things such as deleting the certificate and re-adding it to Azure, checking firewalls etc I remembered this server had just had a restart.
 
I checked the services to make sure everything had started up ok and noticed that the App Controller Windows Azure Provider service wasn't started.
 
 
I started the service, tried adding the subscription again and voilà! It works.

 
I hope this helps someone else if they get this generic undetailed message.

Monday 24 June 2013

System Center 2012 R2 Preview - Download and Extract Script

Well, System Center 2012 R2 Preview is here a day earlier than I expected.

Eskor Koneti posted a list of the direct download links to the preview bits here:
http://eskonr.com/2013/06/configmgr-sccm-2012-r2-preview-is-available-for-download/

So I thought I'd wrap them quickly into a PowerShell script that downloads and then extracts all the components ready for install.

I've commented out the DPM download and install as for me it wasn't downloading correctly (either manually or via the script) but feel free to try it.

The script has no error checking and I know could be much smoother, but hey, it's not even 8am here in the UK so what do you expect!

# Folder that holds the downloads and the extracted media
$dwnld = "E:\System_Center_2012_R2"
if (!(Test-Path -Path $dwnld))
{
    New-Item $dwnld -Type Directory
}

# Download each component of the preview
$object = New-Object Net.WebClient
$SCCMurl = 'http://care.dlservice.microsoft.com/dl/download/evalx/sc2012/SC2012_R2_PREVIEW_SCCM_SCEP.exe'
$object.DownloadFile($SCCMurl, "$dwnld\SC2012_R2_PREVIEW_SCCM_SCEP.EXE")
$object = New-Object Net.WebClient
$SCCMurl = 'http://care.dlservice.microsoft.com/dl/download/evalx/sc2012/SC2012_R2_PREVIEW_SCOM.exe'
$object.DownloadFile($SCCMurl, "$dwnld\SC2012_R2_PREVIEW_SCOM.EXE")
$object = New-Object Net.WebClient
$SCCMurl = 'http://care.dlservice.microsoft.com/dl/download/evalx/sc2012/SC2012_R2_PREVIEW_SCVMM.exe'
$object.DownloadFile($SCCMurl, "$dwnld\SC2012_R2_PREVIEW_SCVMM.EXE")
$object = New-Object Net.WebClient
$SCCMurl = 'http://care.dlservice.microsoft.com/dl/download/evalx/sc2012/SC2012_R2_PREVIEW_SCSM.exe'
$object.DownloadFile($SCCMurl, "$dwnld\SC2012_R2_PREVIEW_SCSM.EXE")
$object = New-Object Net.WebClient
$SCCMurl = 'http://care.dlservice.microsoft.com/dl/download/evalx/sc2012/SC2012_R2_PREVIEW_SCO.exe'
$object.DownloadFile($SCCMurl, "$dwnld\SC2012_R2_PREVIEW_SCO.EXE")
$object = New-Object Net.WebClient
$SCCMurl = 'http://care.dlservice.microsoft.com/dl/download/evalx/sc2012/SC2012_R2_PREVIEW_SCAC.exe'
$object.DownloadFile($SCCMurl, "$dwnld\SC2012_R2_PREVIEW_SCAC.EXE")
# DPM download commented out (it wasn't downloading correctly)
#$object = New-Object Net.WebClient
#$SCCMurl = 'http://care.dlservice.microsoft.com/dl/download/evalx/sc2012/SC2012_R2_PREVIEW_SCDPM.exe'
#$object.DownloadFile($SCCMurl, "$dwnld\SC2012_R2_PREVIEW_SCDPM.EXE")

# Extract each package silently into its own sub-folder
Start-Process -FilePath "$dwnld\SC2012_R2_PREVIEW_SCAC.EXE" -Wait -ArgumentList /DIR="$dwnld\SCAC", /VERYSILENT
#Start-Process -FilePath "$dwnld\SC2012_R2_PREVIEW_SCDPM.EXE" -Wait -ArgumentList /DIR="$dwnld\SCDPM", /VERYSILENT
Start-Process -FilePath "$dwnld\SC2012_R2_PREVIEW_SCO.EXE" -Wait -ArgumentList /DIR="$dwnld\SCO", /VERYSILENT
Start-Process -FilePath "$dwnld\SC2012_R2_PREVIEW_SCOM.EXE" -Wait -ArgumentList /DIR="$dwnld\SCOM", /VERYSILENT
Start-Process -FilePath "$dwnld\SC2012_R2_PREVIEW_SCSM.EXE" -Wait -ArgumentList /DIR="$dwnld\SCSM", /VERYSILENT
Start-Process -FilePath "$dwnld\SC2012_R2_PREVIEW_SCVMM.EXE" -Wait -ArgumentList /DIR="$dwnld\SCVMM", /VERYSILENT
# The ConfigMgr/SCEP package takes different extraction arguments
Start-Process -FilePath "$dwnld\SC2012_R2_PREVIEW_SCCM_SCEP.EXE" -Wait -ArgumentList /Auto, "$dwnld\SCCM"
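
Because the script above fetches executables over plain HTTP and runs them straight away, here is an added example (not part of the original script) that replaces the extraction step with one that only runs a package if its Authenticode signature is valid. The Test-PackageSignature function and the expected signer string are assumptions made for illustration.

```powershell
# Added example: verify each downloaded package before running it.
$dwnld = "E:\System_Center_2012_R2"           # download folder used by the script above
$expectedSigner = "O=Microsoft Corporation"   # assumption: publisher expected in the signer subject

function Test-PackageSignature {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [Parameter(Mandatory = $true)] [string] $ExpectedSigner
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Not found: $Path"
        return $false
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Status is 'Valid' only when the file hash matches the signature and the
    # signing certificate chains to a root trusted on this machine.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "$Path rejected: signature status is $($sig.Status)"
        return $false
    }
    if ($sig.SignerCertificate.Subject -notlike "*$ExpectedSigner*") {
        Write-Warning "$Path rejected: unexpected signer $($sig.SignerCertificate.Subject)"
        return $false
    }
    return $true
}

# Package name -> extraction arguments, taken from the script above
$packages = [ordered]@{
    "SC2012_R2_PREVIEW_SCAC.EXE"      = @("/DIR=$dwnld\SCAC", "/VERYSILENT")
    "SC2012_R2_PREVIEW_SCO.EXE"       = @("/DIR=$dwnld\SCO", "/VERYSILENT")
    "SC2012_R2_PREVIEW_SCOM.EXE"      = @("/DIR=$dwnld\SCOM", "/VERYSILENT")
    "SC2012_R2_PREVIEW_SCSM.EXE"      = @("/DIR=$dwnld\SCSM", "/VERYSILENT")
    "SC2012_R2_PREVIEW_SCVMM.EXE"     = @("/DIR=$dwnld\SCVMM", "/VERYSILENT")
    "SC2012_R2_PREVIEW_SCCM_SCEP.EXE" = @("/Auto", "$dwnld\SCCM")
}

foreach ($name in $packages.Keys) {
    $file = Join-Path $dwnld $name
    if (Test-PackageSignature -Path $file -ExpectedSigner $expectedSigner) {
        Start-Process -FilePath $file -Wait -ArgumentList $packages[$name]
    } else {
        Write-Warning "Skipping $name"
    }
}
```

A truncated or tampered download shows up here as a status such as HashMismatch or NotSigned, and the package is skipped rather than executed.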

Monday 17 June 2013

Microsoft's "Blue" or R2 Wave

In 9 days we're due to get the Beta versions of Microsoft's next wave of releases (Formerly known as Blue) for Windows 8.1, Windows Server 2012 R2 and System Center 2012 R2.

I'm going to leave Windows (Client and Server) to one side for now as there's enough coverage of those features, but what's publicly known in terms of new features and changes for System Center?

So far for System Center 2012, it's been mainly SCVMM features announced, along with some ConfigMgr and Intune details.

Virtual Machine Manager (SCVMM)
  • Management of physical network switches via OMI
  • OOB Service Templates to provision other System Center 2012 R2 components
  • OOB Service Template for Network Virtualisation Gateway with Windows Server 2012 R2
  • Use ODX deployment capability from Libraries sharing the same SAN
  • First node in a tier can run different scripts - helps deploying guest clusters
  • Better Windows Server 2012 IPAM integration
  • Shared VHDX support for guest clustering
  • Dynamic VHDX resizing
  • Linux Dynamic memory support
Configuration Manager (ConfigMgr)
  • Deploy and manage Windows 8.1 and Windows Server 2012 R2
  • Provision certificates, Wi-Fi and VPN profiles
  • Deploy links to web applications
  • RBAC Reporting control
  • Create and modify offline VHD Images
  • Publish VHD to SCVMM for use with templates
Intune
  • Auto VPN configuration
  • VPN and Wi-Fi profile configuration
  • Single pane of glass for both Mobile and Devices via Intune into ConfigMgr
  • More MDM policy configuration options
  • Selective wipe rather than just full device wipe
  • The new Server 2012 R2 Work Folders feature configuration
I suppose we're just going to have to wait until next week to get our grubby mitts on more information and the ability to have a play.

Wednesday 12 June 2013

Seize FSMO roles in Server 2012

One of the beautiful things of a test lab is getting to try things you might not get chance to do in a production environment.  So when my main Domain Controller went pop the other day, rather than work on bringing it back online I saw a good chance to test seizing the FSMO roles with PowerShell.

Previously the main way to seize the roles was using the Ntdsutil in Server 2003 & 2008.

Since PowerShell is now my weapon of choice I thought it would be useful to quickly document the method.

Move-ADDirectoryServerOperationMasterRole is the command that is used for this task.  More information on the command can be found here:
http://technet.microsoft.com/en-us/library/ee617229.aspx

You can use either the Role Name or Number to specify which role to move, this table shows the details:

Operation Master Role Name    Number
PDCEmulator                   0
RIDMaster                     1
InfrastructureMaster          2
SchemaMaster                  3
DomainNamingMaster            4
 
 
Use the -Identity switch to specify the target Domain Controller and the -OperationMasterRole switch to specify which role to transfer. I've also used the -Force switch as my current FSMO holder is offline.
 
I'll be moving all the roles to a target DC called TLDC02.
N.B. To move the SchemaMaster role you'll need to be a member of the Schema Admins group.  My account was also a member of Enterprise Admins when I ran this.
  1. Logon to a working Domain Controller and launch an elevated PowerShell session.
  2. Type: Move-ADDirectoryServerOperationMasterRole -Identity TLDC02 -OperationMasterRole 0,1,2,3,4 -Force


  3. Either type Y on each role move prompt, or type A to accept all prompts
  4. After a while, all the roles should be successfully moved.
Last thing, a couple of PowerShell commands just to list the FSMO roles and who now owns them:

Get-ADForest DomainName | FT SchemaMaster,DomainNamingMaster
Get-ADDomain DomainName | FT PDCEmulator,RIDMaster,InfrastructureMaster


One thing to note, only seize the roles if you have no intention of bringing the original holding Domain Controller back online.  Domains don't tend to like having two FSMO role holders...
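
As a guard for the note above, this added example (not from the original post) lists the current holder of each role, skips any role whose holder still answers on the network, and previews the seizure with -WhatIf before anything changes. It assumes the ActiveDirectory module is available and uses a ping as a crude "is the old holder alive" test; TLDC02 is the target DC from the post.

```powershell
# Added example: pre-flight check before seizing FSMO roles.
Import-Module ActiveDirectory

$target = "TLDC02"    # target Domain Controller used in the post

# Current holder of each role, from the forest and domain objects
$forest = Get-ADForest
$domain = Get-ADDomain
$holders = [ordered]@{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}

$toSeize = @()
foreach ($role in $holders.Keys) {
    $holder = $holders[$role]
    if ($holder -like "$target*") {
        Write-Output "$role is already held by $holder"
        continue
    }
    # Assumption: a holder that answers ping is still alive, so do not seize from it
    if (Test-Connection -ComputerName $holder -Count 2 -Quiet) {
        Write-Warning "$role holder $holder still responds; not seizing this role"
    } else {
        Write-Output "$role holder $holder is unreachable; queued for seizure"
        $toSeize += $role
    }
}

if ($toSeize.Count -gt 0) {
    # -WhatIf only reports what would happen; remove it to perform the move
    Move-ADDirectoryServerOperationMasterRole -Identity $target `
        -OperationMasterRole $toSeize -Force -WhatIf
} else {
    Write-Output "Nothing to seize."
}
```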

Tuesday 11 June 2013

Intune common logon without ADFS (Aka Password "sync")

Recently Microsoft released a new version of its DirSync tool that enables organisations to synchronise their Active Directory (AD) user accounts across into the Azure Directory Services used by Intune, Office 365, CRM etc.

This has previously only enabled organisations to reduce the administrative burden of having to recreate all of their accounts for those users they wanted to access online services, but they then had to either issue separate passwords or implement Active Directory Federation Services (ADFS) to offer a truly seamless single sign-on experience for the users.

With this latest release from Microsoft, they have now introduced the ability to also push passwords up into the Azure DS.  Notice the push aspect, not synchronised as the password cannot be changed in the cloud and replicate back into your AD.

While I wouldn't class this as true Single Sign-on (SSO) as you're still effectively authenticating against a different directory service, it's still a great option for Microsoft to have added, giving great flexibility for those organisations that want to take the first steps or who can't/don't know how to deploy ADFS.

Nothing has majorly changed during the install (New Azure logo and Install Directory), so rather than re-inventing the wheel, check out the post link below that I did for installing DirSync. I've then run through the differences in the new version below the other post link.

http://systemscentre.blogspot.co.uk/2013/01/system-center-2012-configuration_12.html

The first thing to note is that you cannot "upgrade" the client as you will be presented with a dialog blocking you from continuing if an older version is installed, so remove the old version first.


The main installation/configuration screen change is this one, which provides the option to push your passwords up along with your users.


Tick the option box to Enable Password Sync and that's it done!

The user account sync element still runs on a 3 hour schedule, but passwords are set to sync within minutes of a change in your local AD.

Intune users can find the new version of DirSync at this link (Requires sign on with an Intune Admin Account):
https://account.manage.microsoft.com/DirSync/DirectorySynchronization.aspx

The TechNet Library article on Implementing Password Sync can be found here:
http://technet.microsoft.com/en-us/library/dn246918.aspx

Friday 31 May 2013

Testing Windows Phone 8 with System Center 2012 Configuration Manager and Windows Intune

On 30/05/2013 Microsoft released a package that allows administrators to test Windows Phone 8 management via System Center 2012 Configuration Manager (ConfigMgr) and Windows Intune.

Previously the only way to test this feature was to purchase a Windows Phone Dev certificate which involved signing up as a developer at $99 and then purchasing a Symantec certificate at a further $299.

Now you can download this package from Microsoft which includes a pre-signed Company Portal, a script to set the relevant settings in ConfigMgr with a temporary token and also a couple of sample applications.

You can download the package here: http://www.microsoft.com/en-us/download/details.aspx?id=39079

After downloading the MSI, run through the install which basically just extracts the files to a folder.  By default this is - C:\Program Files (x86)\Microsoft\Support Tool for Windows Intune Trial management of Windows Phone 8.






Create an Intune subscription in the System Center 2012 Configuration Manager SP1 console and leave WP8 disabled


Copy the SSP.XAP from the package extraction directory to a UNC available path.
 
Create an Application within the Configuration Manager console and deploy this application to cloud DP (manage.microsoft.com) targeting cloud managed users
 
 
Watch out for the default name of the application and ensure you rename it to something a bit more friendly. 



Run through the deploy wizard and select manage.microsoft.com as the distribution point
 


To enable management of WP8 devices open a command prompt and run the script ConfigureWP8Settings_Field.vbs (found in the package extraction directory) in query mode to get Company Portal name

cscript ConfigureWP8Settings_Field.vbs <server> QuerySSPModelName
 
Replace <server> with the server name for top level site (standalone site or CAS)
The result looks something like this "ScopeId_3C63FB50-0302-48CE-B076-5F93020AC548/Application_42291d36-6ffc-4d18-be78-9efdace3eef5".
 
 
This output will be used in the next step.

Run the script ConfigureWP8Settings_Field.vbs in save mode this time with the SSP name result.
This will populate the necessary certificate information to enable Windows Phone 8 device management

cscript ConfigureWP8Settings_Field.vbs <server> SaveSettings <Company Portal name>
where <Company Portal name> is the output from the earlier step.



After completion of the steps above, verify that WP8 device management is enabled by checking the ConfigMgr console by going to the Intune subscription properties, WP8 tab.
WP8 should be enabled, certificate should be present, and company portal app should be populated with the name you gave the Company Portal app when you set it up.



Assuming you have users sync'd up to the Intune/Azure directory and the UPN's match the accounts known by ConfigMgr, you should now be able to enrol users on their Windows Phone 8 devices.

Also included in this new package are some sample apps so that you can import something straight away for testing!