WSUSpool keeps stopping and console shows reset node

I recently found myself in a situation where WSUS would only work for a few minutes or even seconds at a time. A restart or IISReset could bring it back for a few minutes, but it would soon stop again. The Configuration Manager console didn't show any errors, but it also could not see any new updates.

The event log contained this message:

The WSUS administration console was unable to connect to the WSUS Server via the remote API.

Eventually the fix was to increase the amount of memory available to the app pool from the default 1843200 KB. You could set this to 0 so there is no limit, or to a higher sensible limit. After doing this and running an IISReset the app pool remained running, and I was able to synchronize new updates as well as service updates to clients.

To do this open IIS Manager, expand your server name, then click "Application Pools". Right-click WsusPool, click "Advanced Settings", scroll down to "Private Memory Limit (KB)" near the bottom and change the value to 0 or something higher. Bear in mind that 0 removes the cap entirely, so a misbehaving pool can then consume memory until the server runs short; on a shared host a higher explicit limit is the safer choice.
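The same change from PowerShell, as an added example that is not part of the original post. It uses the WebAdministration module's IIS: drive, reads the current limit before touching it, and recycles just the WsusPool rather than running a full IISReset. The pool name "WsusPool" is the WSUS default; the 4 GB figure is an assumed limit to adjust for your server.

```powershell
# Added example (not from the original post): inspect and raise the WsusPool
# private memory limit without the IIS GUI. Run in an elevated PowerShell on
# the WSUS server. Assumes the pool is called "WsusPool" (the WSUS default)
# and that 4 GB is a sensible ceiling for this host.
Import-Module WebAdministration

$pool = 'IIS:\AppPools\WsusPool'

# Current value in KB. 1843200 KB (1.75 GB) is the default the post describes.
$current = (Get-ItemProperty -Path $pool -Name recycling.periodicRestart.privateMemory).Value
Write-Host "WsusPool private memory limit is currently $current KB"

# Set an explicit limit rather than 0: 0 removes the cap and lets a misbehaving
# pool exhaust the server's memory. 4194304 KB = 4 GB (assumed value, adjust to fit).
$newLimitKB = 4194304
Set-ItemProperty -Path $pool -Name recycling.periodicRestart.privateMemory -Value $newLimitKB

# Recycle only this pool so the change takes effect; no IISReset needed.
Restart-WebAppPool -Name 'WsusPool'

# Confirm the new limit and that the pool is back in the Started state.
(Get-ItemProperty -Path $pool -Name recycling.periodicRestart.privateMemory).Value
(Get-WebAppPoolState -Name 'WsusPool').Value
```

If the pool keeps recycling at the new limit as well, look at what is actually consuming the memory (large synchronizations, a bloated SUSDB) rather than raising the ceiling again.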

Windows 2012 Dedupe – huge chunk store and 0%

One of the best new features in 2012 was file de-duplication. That said, it does sometimes behave a bit strangely under some workloads. I recently faced an issue where a 40TB volume with de-duplication enabled resulted in a huge chunk store that was using more space than the original data!

At a glance it looks like the best thing to do is turn off dedupe for this volume, but all that seems to do is disable further dedup work; anything that is already deduped will remain so. I found the best/fastest way to "re-hydrate" your data and get rid of the chunk store (you could just format the volume if you don't need the data) is to leave dedupe enabled but set an exclusion on the root.

Then run the commands below in PowerShell (assuming drive letter F:):

Start-DedupJob -Volume "F:" -Type Unoptimization -Memory 50

Then run:

Start-DedupJob -Volume "F:" -Type GarbageCollection -Memory 50

You can then monitor the size of the chunk store and/or run this command to see the progress of any dedup jobs:

Get-DedupJob

Do bear in mind the increased IO and server load while this runs; it may be best to start this out of hours. Please also note that this command will only actually re-hydrate your files if dedupe is still enabled.
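The whole re-hydration procedure as one script, added here as an example and not the post's own code. It assumes drive F:, that 50% of memory is acceptable for the jobs, and reads "set an exclusion on the root" as Set-DedupVolume -ExcludeFolder on the volume root. The -Wait switches make each job finish before the next starts, so garbage collection does not run while files are still being unoptimized.

```powershell
# Added example (not from the original post): re-hydrate a deduplicated volume
# and reclaim the chunk store. Assumes drive F: and that the server can spare
# 50% of its memory for the dedup jobs. Run elevated, ideally out of hours.
$volume = 'F:'

# Before: what the chunk store currently claims to be saving.
Get-DedupStatus -Volume $volume |
    Format-List Volume, SavedSpace, OptimizedFilesCount, InPolicyFilesCount

# Step 1: keep dedup enabled but exclude the whole volume so nothing is
# re-optimized behind us. (Disabling dedup would leave existing chunks in
# place, as the post notes.) Excluding "F:\" is the assumed way to exclude the root.
Set-DedupVolume -Volume $volume -ExcludeFolder "$volume\"

# Step 2: rewrite every optimized file as a normal file. -Wait blocks until
# the job finishes so the garbage collection below does not start early.
Start-DedupJob -Volume $volume -Type Unoptimization -Memory 50 -Wait

# Step 3: garbage-collect the now-unreferenced chunks, which is what actually
# frees the space under System Volume Information\Dedup\ChunkStore.
Start-DedupJob -Volume $volume -Type GarbageCollection -Memory 50 -Wait

# After: no optimized files should remain and SavedSpace should be 0.
Get-DedupStatus -Volume $volume |
    Format-List Volume, SavedSpace, OptimizedFilesCount
Get-DedupJob   # should list nothing still Queued or Running
```

Unoptimization needs enough free space on the volume to hold the re-hydrated copies of the files while the chunks are still present; check FreeSpace in Get-DedupStatus before starting, because on a volume whose chunk store already exceeds the original data the job can run the volume out of space.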

PowerShell script to setup SNMP

It is a bit old school, and most people will be using something more modern and feature-rich like SCOM or PRTG for monitoring, but SNMP still enjoys just about the widest support and can be great for agentless monitoring from free/cheap tools such as Observium or Nagios.

Here is a script I use to automatically install and configure SNMP on Windows servers where we want to use SNMP monitoring.

$pollers = @("Observium", "10.10.5.4", "prtg01")   # Edit this to contain your SNMP pollers (IP or DNS name), e.g. @("monitorserv1", "10.10.5.2")
$CommunityStr = @("Priv176c0m")                     # Edit this to contain your community strings, e.g. @("Secretcommunity", "private2")

Import-Module ServerManager

# Test if the SNMP-Service feature is enabled
$test = Get-WindowsFeature -Name SNMP-Service

# Install/enable SNMP-Service (and the SNMP WMI provider) if it is not enabled
If (-not $test.Installed) {
    Write-Host "Enabling SNMP-Service Feature"
    Get-WindowsFeature -Name SNMP* | Add-WindowsFeature -IncludeManagementTools | Out-Null
}

# Re-test if the SNMP-Service feature is enabled and update the variable
$test = Get-WindowsFeature -Name SNMP-Service

# Set up registry keys to configure SNMP-Service if the feature is enabled
If ($test.Installed) {
    Write-Host "Configuring SNMP-Service with your community strings and permitted pollers"
    $params = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SNMP\Parameters"

    # Permitted managers: the service only answers requests from these hosts.
    # Entry 1 is localhost; the pollers follow as 2, 3, ... Recreating the key
    # drops any stale managers left over from a previous run.
    Remove-Item -Path "Registry::$params\PermittedManagers" -Recurse -ErrorAction SilentlyContinue
    reg add "$params\PermittedManagers" /v 1 /t REG_SZ /d localhost /f | Out-Null
    $i = 2
    Foreach ($Manager in $pollers) {
        reg add "$params\PermittedManagers" /v $i /t REG_SZ /d $Manager /f | Out-Null
        $i++
    }

    Foreach ($String in $CommunityStr) {
        # Community rights: 4 = READ ONLY (1 = NONE, 2 = NOTIFY, 8 = READ WRITE, 16 = READ CREATE).
        # Monitoring only needs read access; never give 8 or 16 to a v1/v2c community,
        # since the string travels in cleartext on the wire.
        reg add "$params\ValidCommunities" /v $String /t REG_DWORD /d 4 /f | Out-Null

        # Trap destinations: one key per community string, pollers as values 1, 2, ...
        Remove-Item -Path "Registry::$params\TrapConfiguration\$String" -Recurse -ErrorAction SilentlyContinue
        reg add "$params\TrapConfiguration\$String" /f | Out-Null
        $i = 1
        Foreach ($Manager in $pollers) {
            reg add "$params\TrapConfiguration\$String" /v $i /t REG_SZ /d $Manager /f | Out-Null
            $i++
        }
    }

    # The SNMP service only reads these keys when it starts
    Restart-Service -Name SNMP
}
Else {
    Write-Host "Error: SNMP Setup did not complete"
}

Click Enable-SNMP.ps1 to download this as a text file.
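A companion check, added here as an example rather than taken from the post: it reads back the same registry keys the script writes and flags the two things that most often go wrong on servers someone else built. An empty PermittedManagers key means the agent answers any host on the network, and a community with rights 8 or 16 lets a remote poller write MIB values. The function reads only from the registry and makes no changes.

```powershell
# Added example (not from the original post): audit the SNMP agent settings
# the Enable-SNMP script writes. Read-only; run on the server being checked.

function Get-RegValues {
    # Name/value pairs of a registry key, minus the PS* metadata that
    # Get-ItemProperty adds. Returns nothing if the key does not exist.
    param([string]$Path)
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if (-not $item) { return }
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $item.PSObject.Properties | Where-Object { $_.Name -notin $meta } |
        ForEach-Object { [pscustomobject]@{ Name = $_.Name; Value = $_.Value } }
}

function Test-SnmpConfig {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\services\SNMP\Parameters'
    # Rights values the SNMP service stores under ValidCommunities
    $rights = @{ 1 = 'NONE'; 2 = 'NOTIFY'; 4 = 'READ ONLY'; 8 = 'READ WRITE'; 16 = 'READ CREATE' }
    $findings = @()

    $communities = @(Get-RegValues "$base\ValidCommunities")
    foreach ($c in $communities) {
        if ($c.Name -in 'public', 'private') {
            $findings += "Default community string '$($c.Name)' is configured"
        }
        if ([int]$c.Value -ge 8) {
            $findings += "Community '$($c.Name)' has $($rights[[int]$c.Value]) rights; monitoring only needs READ ONLY (4)"
        }
    }
    if ($communities.Count -eq 0) {
        $findings += 'No community strings configured; the agent answers nobody'
    }

    # No PermittedManagers entries at all is "Accept SNMP packets from any host"
    $managers = @(Get-RegValues "$base\PermittedManagers" | ForEach-Object { $_.Value })
    if ($managers.Count -eq 0) {
        $findings += 'PermittedManagers is empty: the agent accepts SNMP from any host'
    }

    [pscustomobject]@{
        Communities       = $communities | ForEach-Object { $_.Name }
        PermittedManagers = $managers
        Findings          = $findings
    }
}

Test-SnmpConfig | Format-List
```

An empty Findings list after running the script above is the expected result; anything listed is worth fixing before the server is exposed to a monitoring VLAN you do not fully control.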

List windows updates or Hotfixes installed after a certain date

Ever found something broken and wondered what updates have been installed since a certain point in the past?

PS C:\Users\robin> Get-HotFix | ? installedon -gt 06/09/2015

Source        Description      HotFixID      InstalledBy          InstalledOn
——        ———–      ——–      ———–          ———–
Mxxxxx    Update           KB2693643     NT AUTHORITY\SYSTEM  09/07/2015…
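The same query wrapped in a function with an unambiguous date, added here as an example and not part of the original post. A bare 06/09/2015 can be read as 6 September or 9 June depending on the culture PowerShell parses it with, so the function builds the date from explicit year, month and day. It also skips entries with no InstalledOn date (Get-HotFix reports some updates that way), sorts newest first, and shows the same question asked of a remote server; the server name is a placeholder.

```powershell
# Added example (not from the original post): hotfixes installed since a
# given date, without relying on how the current culture parses "06/09/2015".
function Get-HotFixSince {
    param(
        [Parameter(Mandatory)][int]$Year,
        [Parameter(Mandatory)][int]$Month,
        [Parameter(Mandatory)][int]$Day,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # Midnight on the given day, built from numbers so it is culture-independent
    $since = New-Object DateTime $Year, $Month, $Day

    # InstalledOn is blank for some entries; those cannot be dated, so skip them
    Get-HotFix -ComputerName $ComputerName |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -gt $since } |
        Sort-Object InstalledOn -Descending |
        Select-Object HotFixID, Description, InstalledBy, InstalledOn
}

# Everything installed on this server since 9 June 2015
Get-HotFixSince -Year 2015 -Month 6 -Day 9

# The same question asked of another server (placeholder name)
Get-HotFixSince -Year 2015 -Month 6 -Day 9 -ComputerName 'SERVER01'
```

Get-HotFix reads Win32_QuickFixEngineering, which only lists updates installed through Component Based Servicing, so treat the output as "what changed since" rather than a complete update inventory.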

Delegate rights to unlock accounts in AD

To delegate the right to unlock user accounts in ADUC:

Right-click the OU or domain in Active Directory Users and Computers and select Delegate Control from the context menu
Click Next on the Welcome dialog
Click Add to select the user or group and click OK
Click Next
Select Create a custom task to delegate and click Next
Select Only the following objects in the folder. In the list, check User objects and click Next
Clear the General checkbox and check the Property-specific box
Check both the Read lockoutTime and Write lockoutTime boxes and press Next
Click Finish
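The same delegation done with the ActiveDirectory module and Set-Acl, added here as an example (not the post's own code) so it can be scripted and reviewed later. The OU "OU=Staff,DC=corp,DC=example" and the group "Helpdesk" are placeholders. The ACE grants Read and Write on lockoutTime only, inherited by user objects below the OU, which is exactly what the wizard steps above produce and nothing more: no reset-password right, no group membership changes.

```powershell
# Added example (not from the original post): grant a group the right to
# unlock accounts (read/write lockoutTime on user objects) under an OU,
# and list who holds that right afterwards. Run as a user who can change
# the OU's security. OU and group names are placeholders.
Import-Module ActiveDirectory

function Grant-UnlockRight {
    param(
        [Parameter(Mandatory)][string]$OUDistinguishedName,
        [Parameter(Mandatory)][string]$GroupName   # sAMAccountName of the group
    )
    $schemaNC = (Get-ADRootDSE).schemaNamingContext

    # The ACE must name the lockoutTime attribute and the user class by their
    # schema GUIDs; look both up in this forest's schema rather than hard-coding.
    $lockoutGuid = [guid](Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq 'lockoutTime'" -Properties schemaIDGUID).schemaIDGUID
    $userGuid    = [guid](Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq 'user'" -Properties schemaIDGUID).schemaIDGUID
    $sid         = (Get-ADGroup -Identity $GroupName).SID

    # Read + Write on lockoutTime only, applied to descendant user objects.
    # Least privilege: enough to unlock, nothing else.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        [System.Security.AccessControl.AccessControlType]::Allow,
        $lockoutGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userGuid
    )

    $path = "AD:\$OUDistinguishedName"
    $acl  = Get-Acl -Path $path
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl

    # Verification: every ACE on the OU that targets lockoutTime, with its holder.
    (Get-Acl -Path $path).Access |
        Where-Object { $_.ObjectType -eq $lockoutGuid } |
        Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, AccessControlType
}

Grant-UnlockRight -OUDistinguishedName 'OU=Staff,DC=corp,DC=example' -GroupName 'Helpdesk'
```

The verification query at the end is also a useful periodic review on its own: anyone listed there who is not on the helpdesk has been given more than they should have.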

WinRM Connection limits

Sometimes in various Microsoft products (Exchange/VMM mostly) you might reach some of the WinRM connection limits.  Personally I see it most in Virtual Machine Manager when you have many admins who are making lots of changes and deploying large numbers of services.

The symptom is sometimes an error like this:  Error Connecting to remote server failed with the following error message: The WS-Management service cannot process the request. This user is allowed a maximum number of 5 concurrent shells, which has been exceeded. Close existing shells or raise the quota for this user.

It can also just show as a generic Failed/timeout job which then works when you re-try later.

1. On the offending server open a command prompt or PowerShell window with administrative privileges.
2. Type in winrm get winrm/config/winrs to view the current configuration.

These values will need to be increased; don't just add a load of zeros to the end, as having limits configured can stop unwanted or malicious connections from bringing a server to its knees.

To adjust the values use the commands below, where 20 and 100 are appropriate numbers for your environment.

3. winrm set winrm/config/winrs @{MaxConcurrentUsers="20"}
4. winrm set winrm/config/winrs @{MaxShellsPerUser="100"}

If you run these from PowerShell rather than a command prompt, wrap the @{...} part in single quotes (winrm set winrm/config/winrs '@{MaxShellsPerUser="100"}'), otherwise PowerShell parses it as a hashtable before winrm ever sees it.
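The same change through the WSMan: drive, added here as an example and not part of the original post. It records the values before and after, refuses obviously unbounded numbers, and can target a remote server; 20 and 100 are the post's figures, the 200/500 sanity cut-offs are an assumption of this example, and "VMM01" is a placeholder host name.

```powershell
# Added example (not from the original post): raise the WinRS shell quotas via
# the WSMan: provider, keeping a sane ceiling and showing before/after values.
function Set-WinRsLimits {
    param(
        [string]$ComputerName = 'localhost',
        [int]$MaxConcurrentUsers = 20,
        [int]$MaxShellsPerUser = 100
    )
    # Keep a real ceiling. These quotas are what stops one account (or one
    # runaway automation job) from opening shells until the server starves.
    # The 200/500 cut-offs are an assumed sanity bound, not a Microsoft limit.
    if ($MaxConcurrentUsers -gt 200 -or $MaxShellsPerUser -gt 500) {
        throw 'Refusing to set limits that high; choose a ceiling that matches real usage.'
    }

    $names  = 'MaxConcurrentUsers', 'MaxShellsPerUser', 'MaxMemoryPerShellMB'
    $remote = $ComputerName -ne 'localhost'
    # A remote target needs an open WSMan connection (admin rights on the target)
    if ($remote) { Connect-WSMan -ComputerName $ComputerName }
    try {
        $base   = "WSMan:\$ComputerName\Shell"
        $before = Get-ChildItem $base | Where-Object { $_.Name -in $names } | Select-Object Name, Value
        Set-Item "$base\MaxConcurrentUsers" -Value $MaxConcurrentUsers
        Set-Item "$base\MaxShellsPerUser"   -Value $MaxShellsPerUser
        $after  = Get-ChildItem $base | Where-Object { $_.Name -in $names } | Select-Object Name, Value
    }
    finally {
        if ($remote) { Disconnect-WSMan -ComputerName $ComputerName }
    }
    [pscustomobject]@{ Computer = $ComputerName; Before = $before; After = $after }
}

Set-WinRsLimits                          # the server you are logged on to
Set-WinRsLimits -ComputerName 'VMM01'    # placeholder name for a remote server
```

MaxMemoryPerShellMB is listed alongside the two quotas because it is the other value that commonly bites in the same situation; it is deliberately left untouched here so that raising the shell count does not also raise how much memory each of those shells may take.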

Installing .NET 3.5 on Server 2012 and 2012 R2

.NET 3.5 is still often required, but the resources to install it are by default absent from the Windows installation. If you have internet connectivity this isn't such an issue, as the files are simply pulled down from Microsoft, but if you are performing an offline build or are in a dev/secure environment with no connectivity or heavily filtered connectivity it can be problematic.

Personally I find the fastest method is to mount/insert the 2012 installation media and install the feature with DISM. Open an elevated (run as admin) command window.

dism /online /enable-feature /featurename:NetFX3 /all /Source:d:\sources\sxs /LimitAccess

Simply change "d" to match the drive letter your install media is available at. /LimitAccess stops DISM from contacting Windows Update if the source is missing something, which is what you want on an isolated network, where the attempt would otherwise just hang until it times out.

If the GUI is more your sort of thing, simply run the "Add Roles and Features" wizard and select ".NET Framework 3.5 Features".

Click Next and locate the "Specify an alternate source path" link at the bottom of the window. Click this.

In the window that loads, type in the path to your side-by-side (sources\sxs) folder on the installation media.

Click OK and then Install to start .NET 3.5 installing.
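The DISM step scripted end to end, added here as an example and not the post's own code. It mounts the 2012/2012 R2 ISO, works out the drive letter instead of assuming "d", installs the feature from sources\sxs with the same no-Windows-Update behaviour as /LimitAccess, and dismounts the image whether or not the install succeeded. The ISO path is a placeholder; run it elevated.

```powershell
# Added example (not from the original post): install .NET 3.5 from mounted
# installation media using the DISM PowerShell module. ISO path is a placeholder.
function Install-NetFx35FromIso {
    param([Parameter(Mandatory)][string]$IsoPath)

    if ((Get-WindowsOptionalFeature -Online -FeatureName NetFX3).State -eq 'Enabled') {
        return 'NetFX3 is already enabled'
    }

    # Mount the ISO and find the letter it landed on
    $image = Mount-DiskImage -ImagePath $IsoPath -PassThru
    try {
        $letter = ($image | Get-Volume).DriveLetter
        $source = "${letter}:\sources\sxs"
        if (-not (Test-Path $source)) { throw "No sources\sxs folder on $IsoPath; wrong media?" }

        # -LimitAccess: never reach out to Windows Update, so this works (and
        # fails fast rather than hanging) on an isolated build network.
        Enable-WindowsOptionalFeature -Online -FeatureName NetFX3 -All -Source $source -LimitAccess -NoRestart | Out-Null
    }
    finally {
        Dismount-DiskImage -ImagePath $IsoPath
    }

    (Get-WindowsOptionalFeature -Online -FeatureName NetFX3).State
}

Install-NetFx35FromIso -IsoPath 'C:\ISO\WindowsServer2012R2.iso'
```

Use media that matches the installed OS version (2012 R2 sources for a 2012 R2 server); the sxs payload from the wrong release fails with a source-not-found error even though the folder exists.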

KDC Authentication problems with 2003 to 2008 domain functional level

Recently I have had problems connecting to the console on a number of 2008 R2 Hyper-V guest virtual machines. The error was "An Authentication Error Has Occurred. The Encryption Type Requested Is not supported by the KDC", while I have also had a single Exchange 2010 server fail with the following event IDs: 2102, 2103, 2114, 9106, all reporting LDAP problems, non-responding domain controllers and global catalogs:

Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1696). Topology discovery failed, error 0x80040952 (LDAP_LOCAL_ERROR (Client-side internal error or bad LDAP message)). Look up the Lightweight Directory Access Protocol (LDAP) error code specified in the event description. To do this, use Microsoft Knowledge Base article 218185, "Microsoft LDAP Error Codes." Use the information in that article to learn more about the cause and resolution to this error. Use the Ping or PathPing command-line tools to test network connectivity to local domain controllers.

Process STORE.EXE (PID=4084). All Global Catalog Servers in forest DC=xxx,DC=xx,DC=xx are not responding:

Process STORE.EXE (PID=4084). All Domain Controller Servers in use are not responding:

Attempting to open the Exchange Management Console on the local server console ended with an HTTP server error status 500 and "Kerberos" authentication failed.

The Exchange server was able to ping and resolve all DNS names correctly and the problem went away on restarting, only to re-occur in 24 hours or so.

The rather simple resolution in the end turned out to be restarting the "Kerberos Key Distribution Center" (KDC) service on all domain controllers. While restarting all domain controllers in their entirety is also a good idea, it isn't always possible (or desirable) in a live production environment.
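Restarting the KDC service on every domain controller, one at a time, as an added example that is not part of the original post. Doing them in sequence and waiting for each to come back keeps at least one KDC answering ticket requests while the others bounce. It assumes the ActiveDirectory module is available and that the account running it can control services on the DCs over RPC.

```powershell
# Added example (not from the original post): restart the kdc service on each
# domain controller in turn and confirm it returns to Running before moving on.
Import-Module ActiveDirectory

function Restart-KdcOnAllDCs {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $dcs = Get-ADDomainController -Filter * -Server $Domain | Sort-Object HostName
    foreach ($dc in $dcs) {
        # Remote ServiceController; needs service-control rights on the DC
        $svc = Get-Service -Name kdc -ComputerName $dc.HostName
        Write-Host ("{0}: kdc is {1}, restarting" -f $dc.HostName, $svc.Status)
        Restart-Service -InputObject $svc

        # Do not touch the next DC until this one is serving Kerberos again
        $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
        $svc.Refresh()
        [pscustomobject]@{ DC = $dc.HostName; KdcStatus = $svc.Status }
    }
}

Restart-KdcOnAllDCs
```

If a DC never reports Running within the timeout, WaitForStatus throws and the loop stops there rather than continuing to bounce the remaining KDCs, which is the safer failure mode.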