Fixing things

WinRM Connection limits

by on Aug.28, 2014, under Exchange, VMM, Windows 2012, Windows 2012 R2

Sometimes in various Microsoft products (Exchange/VMM mostly) you might reach some of the WinRM connection limits.  Personally I see it most in Virtual Machine Manager when you have many admins who are making lots of changes and deploying large numbers of services.

The symptom is sometimes an error like this:  Error Connecting to remote server failed with the following error message: The WS-Management service cannot process the request. This user is allowed a maximum number of 5 concurrent shells, which has been exceeded. Close existing shells or raise the quota for this user.

It can also just show as a generic Failed/timeout job which then works when you re-try later.

1. On the offending server open a command prompt or Powershell window with administrative privileges.
2. Type in winrm get winrm/config/winrs to view the current configuration.

[Screenshot (winrmmax): output of winrm get winrm/config/winrs showing the current quotas]

These values will need to be increased, but don't just add a load of zeros to the end: having limits configured is what stops unwanted or malicious connections from bringing a server to its knees.

To adjust the values use the commands below where 20 and 100 are appropriate numbers for your environment.

3. winrm set winrm/config/winrs @{MaxConcurrentUsers="20"}
4. winrm set winrm/config/winrs @{MaxShellsPerUser="100"}
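The same change done from PowerShell, as an added example that is not part of the original post: it reads the current quotas through the WSMan: provider, lists who is actually holding shells (a single account sitting at the quota usually means orphaned sessions rather than a need for a bigger limit), and only raises values within an assumed ceiling. The limit values and the ceiling are constructed; run it elevated on the WinRM server.

```powershell
# Added example, not from the original post. Assumes it runs elevated on the
# WinRM server itself; the new limits and the ceiling are constructed values.
$NewMaxConcurrentUsers = 20
$NewMaxShellsPerUser   = 100
$HardCeiling           = 250   # assumed sanity ceiling so a limit is never "zeros added"

# Current quotas via the WSMan: drive (same data as 'winrm get winrm/config/winrs')
$current = @{
    MaxConcurrentUsers = [int](Get-Item WSMan:\localhost\Shell\MaxConcurrentUsers).Value
    MaxShellsPerUser   = [int](Get-Item WSMan:\localhost\Shell\MaxShellsPerUser).Value
}
"Current: MaxConcurrentUsers={0} MaxShellsPerUser={1}" -f $current.MaxConcurrentUsers, $current.MaxShellsPerUser

# Who is holding shells right now? Each open remote shell is one instance here.
Get-WSManInstance -ResourceURI shell -Enumerate |
    Group-Object Owner |
    Sort-Object Count -Descending |
    Select-Object @{n='Owner'; e={$_.Name}}, Count |
    Format-Table -AutoSize

# Raise each quota only upwards and only within the ceiling
$wanted = @(
    @('MaxConcurrentUsers', $NewMaxConcurrentUsers),
    @('MaxShellsPerUser',   $NewMaxShellsPerUser)
)
foreach ($pair in $wanted) {
    $name, $value = $pair
    if ($value -gt $HardCeiling) { throw "$name=$value exceeds the ceiling of $HardCeiling" }
    if ($value -gt $current[$name]) {
        Set-Item "WSMan:\localhost\Shell\$name" -Value $value
        "Raised $name from $($current[$name]) to $value"
    } else {
        "$name already at $($current[$name]), not lowering it"
    }
}
```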


How to create an Operations Manager 2012 R2 alert on active directory account lockout or any other event

by on Aug.27, 2014, under SCOM, Server 2012

Over the various versions of windows server there have been many different event IDs logged when accounts are locked out after too many failed logon attempts.  The event you are after for 2008 R2 / 2012 is Event ID 4740 and it is logged in the security event log.

It is possible to use a simple scheduled task which runs with this event ID as the trigger to generate an “account is locked” email, but why do that when you have operations manager?

We can create a new rule to alert on this event and it is also even possible to base the alert on other items within the event description.  For example you might want a generic account is locked email to go to the support desk, whereas alerts for a critically important service account should go to a separate team who manage this service.   Here is a guide on how to setup such an alert.

1. Load up the Operations Manager console and click on "Authoring".

2. Expand the “Management Pack Objects” item and click on “Rules.”

3. Click on “Create a rule.” This is in the tasks pane on the right hand side, you might need to expand this if you have previously closed it.

4. Expand "Alert Generating Rules", then expand "Event based", select "NT Event log (alert)" and select an appropriate management pack to store the alert. I would recommend creating a management pack for all your custom rule based alerts, or if you plan on having many it may be worth breaking it out further, e.g. "Account Lockout Alerts".

[Screenshot: createarulewizard]

5. Click “Next” and give your new rule a suitable name.

6. Select a rule target, in this instance “Windows Computer” will work and click “Next.”

[Screenshot: rulename]

7.  Select the Log you wish to monitor, for this rule we need to select the security log then click “Next.”

[Screenshot: securitylog]

8. Now it is time to build the expression to filter the events we want to alert on.  If you simply want an alert any time this occurs set the parameter name to “Event ID” Operator to “Equals” and Value to “4740”.

[Screenshot: simpleexpression]

9. If however you want to be a little more precise and only generate an alert for a particular account or computer (or anything else within the event) you can. Simply locate an event you want to build an expression for on one of your target servers (e.g. log onto a DC and have a look for a security event with ID 4740) and examine the details section.

[Screenshot: 4740eventdetails]

10. Here I want to configure the alert to only fire if the “crit_service” account is locked.  So within the expression builder I insert a new expression and select an event property and enter my own.

Parameter Name: “TargetUserName”
Operator: “Contains”
Value “crit_service”

[Screenshot: fullexpression]

11. Finally configure the alert.  Here you can edit the alert name, description and other fields.  I simply changed the alert name and left the alert description and other fields alone as it is fine for my purposes.

[Screenshot: configurealert]

12. Don't forget to set up an alert subscription for this so the right people get an alert when the account is locked out! If you took a note of the alert name used you can filter against this to make sure only the right people get the message.
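Before building the expression in step 10 it is worth checking the field names and values against real events, so here is an added example (not part of the original post) that pulls recent 4740 events from a DC, extracts the EventData fields the rule uses, and applies the same "TargetUserName contains crit_service" test the rule will apply. The DC name, account name and time window are assumed values.

```powershell
# Added example, not from the original post. $Dc and $WatchedAccount are assumed.
$Dc             = 'DC01'
$WatchedAccount = 'crit_service'
$Since          = (Get-Date).AddDays(-1)

# Event 4740 lives in the Security log; reading it remotely needs event log read rights on the DC
$events = Get-WinEvent -ComputerName $Dc -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $Since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    # EventData holds named <Data Name="..."> elements. In 4740, TargetUserName is
    # the locked account and TargetDomainName carries the caller computer name.
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Account     = $d['TargetUserName']
        CallerHost  = $d['TargetDomainName']
        Dc          = $e.MachineName
        # -like is case-insensitive, matching the rule's Operator "Contains"
        MatchesRule = ($d['TargetUserName'] -like "*$WatchedAccount*")
    }
}

$rows | Sort-Object Time -Descending | Format-Table -AutoSize
"{0} lockouts since {1}; {2} of them would fire the '{3}' rule" -f @($rows).Count, $Since,
    @($rows | Where-Object { $_.MatchesRule }).Count, $WatchedAccount
```

If no row shows MatchesRule as True for a known test lockout, the parameter name or value in the expression is wrong, not the subscription.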


WMI reset failed

by on Jun.30, 2014, under Hyper-V, SCCM, Windows 2012 R2

Recently I have found myself in a position where I have needed to reset WMI to resolve various problems such as the SCCM client failing to install/detect and disappearing cluster namespaces. Generally resetting the WMI repository is a last resort and should only be tried when you have exhausted all other options, e.g. restarting the WMI service or restarting the server.

The command to reset the WMI repository must be run in an admin / elevated command prompt:

winmgmt /resetrepository

However sometimes this fails with this error:

C:\Users\adminuser>Winmgmt /resetrepository
WMI repository reset failed

Error code:     0x8007041B
Facility:       Win32
Description:    A stop control has been sent to a service that other running services are dependent on.

While it is possible to work around this by stopping the dependent services manually, or even editing the registry so that nothing is dependent on WMI (as I have seen suggested elsewhere), there is a much easier solution.

1. Launch an elevated (admin) PowerShell window.

2. Enter the following command.

Stop-Service winmgmt -Force; winmgmt /resetrepository

3. Restart the computer you just reset the WMI repository on.


User Profile Service service failed the logon. User profile cannot be loaded

by on Apr.07, 2014, under windows 2008 R2

Most people who work in a Windows environment for some time will have seen profile corruption before, where a single user cannot log in or loses settings, with the fix often being to log on as someone else and remove the profile completely (allowing a new working profile to be created) or to restore it from a backup. But what about when no one can log in, including new users? I recently came across this problem where a server gave everyone who attempted to log in, including new users, a "User Profile Service service failed the log in. User profile cannot be loaded" message.

[Screenshot: Profile error message]

Everything else was working correctly, I could remotely stop and start services, browse administrative shares and even open the registry.  The culprit turned out to be bad permissions on the default user profile.
To fix, make sure you have turned on show hidden files and folders and also unticked “Hide protected operating system files” on the computer you are connecting from.

[Screenshot: unhide files and folders]

Next, browse to the administrative C: drive share on the computer which fails all log ons:  \\computername\c$\users\ and right click on “default” and then on “properties”

Next click on the “Security” tab at the top and then on the “advanced” button at the bottom. (You should see the window below)

[Screenshot: Advanced Permissions]

Next, click on “Change permissions” and then tick the box next to “Replace all child object permissions with inheritable permissions from this object” and then on OK.  This should re-apply the permissions on this folder and permit profiles to be re-created again.

[Screenshot: replace child permissions with inheritable]
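An added example (not from the original post) that does the same check from an admin workstation: it dumps the ACL on the remote Default profile folder, flags blocked inheritance, explicit entries or missing default principals, and then reapplies inherited permissions with icacls /reset, which is the command-line equivalent of the "Replace all child object permissions" tick box. The computer name and the expected principal list are assumptions; compare the latter against a known-good server of the same OS version.

```powershell
# Added example, not from the original post. $Computer is an assumed name and
# $Expected is an assumed baseline; verify it against a healthy server first.
$Computer = 'SERVER01'
$Default  = "\\$Computer\c$\Users\Default"
$Expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'BUILTIN\Users')

$acl = Get-Acl -Path $Default
$acl.Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited, AccessControlType |
    Format-Table -AutoSize

$present  = $acl.Access | ForEach-Object { $_.IdentityReference.Value }
$missing  = $Expected   | Where-Object { $present -notcontains $_ }
$explicit = $acl.Access | Where-Object { -not $_.IsInherited }

$broken = $acl.AreAccessRulesProtected -or $missing -or $explicit
if (-not $broken) {
    "Default profile ACL on $Computer looks healthy."
    return
}

Write-Warning ("Default profile ACL on {0} looks wrong: inheritance blocked={1}; missing={2}; explicit entries={3}" -f
    $Computer, $acl.AreAccessRulesProtected, ($missing -join ', '), @($explicit).Count)

if ((Read-Host 'Reapply inherited permissions to Default and everything under it? (y/n)') -eq 'y') {
    # /reset replaces the ACL with the inherited default from C:\Users,
    # /T recurses into the profile's child objects, /C carries on past errors.
    icacls $Default /reset /T /C
    (Get-Acl -Path $Default).Access |
        Select-Object IdentityReference, FileSystemRights, IsInherited |
        Format-Table -AutoSize
}
```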


Convert a .pfx certificate to a .pem

by on Mar.03, 2014, under Uncategorized

As is often the case different bits of software require things in different formats and you might find yourself with a pfx file when you really need a pem file.

It is pretty simple to convert a pfx into a pem with OpenSSL. Assuming you are on Windows, download and install the Win32 OpenSSL package from http://www.slproweb.com/products/Win32OpenSSL.html

Then you can simply open a command window and change directory to the location of your OpenSSL install. (by default C:\OpenSSL-Win32\bin)

Then execute the following command: (where C:\cert\certfile.pfx is your source pfx file and C:\cert\certfile.pem is the desired name and location of the exported pem file.)

C:\OpenSSL-Win32\bin>openssl pkcs12 -in C:\cert\certfile.pfx -out C:\cert\certfile.pem -nodes

Note: you will be prompted to enter an import password if the pfx file is password protected.

If all is well you should see “MAC verified OK” and the .pem file will be written.

[Screenshot: pfx to pem with openssl]
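Because -nodes writes the private key to the pem unencrypted, the file needs protecting as soon as it exists. This added example (not from the original post) wraps the same openssl command so the output file is created with an owner-only ACL before the key is written, then checks that a certificate and a key block really ended up in it. The paths are the ones from the post; treat them and the OpenSSL location as assumptions for your environment.

```powershell
# Added example, not from the original post. Paths are the post's; adjust as needed.
$OpenSsl = 'C:\OpenSSL-Win32\bin\openssl.exe'
$Pfx     = 'C:\cert\certfile.pfx'
$Pem     = 'C:\cert\certfile.pem'

if (-not (Test-Path $Pfx)) { throw "Source pfx not found: $Pfx" }

# Create the output first with a tight ACL (inheritance removed, current user only),
# so the unencrypted key is never world-readable even for a moment.
New-Item -ItemType File -Path $Pem -Force | Out-Null
icacls $Pem /inheritance:r /grant:r "${env:USERNAME}:(R,W)" | Out-Null

# Same command as the post; openssl prompts for the import password if the pfx has one.
& $OpenSsl pkcs12 -in $Pfx -out $Pem -nodes
if ($LASTEXITCODE -ne 0) {
    Remove-Item $Pem -Force
    throw "openssl pkcs12 failed (exit code $LASTEXITCODE)"
}

# Sanity checks: the certificate parses, and the file actually carries a key block.
& $OpenSsl x509 -in $Pem -noout -subject -enddate
$hasKey = Select-String -Path $Pem -Pattern '-----BEGIN (RSA |EC )?PRIVATE KEY-----' -Quiet
if (-not $hasKey) {
    Write-Warning "No private key block found in $Pem (was the pfx exported with its private key?)"
}
```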


Drive Error when mounting an ISO in iDRAC: Either Virtual Media is detached or redirection for the selected virtual disk drive is already in use

by on Feb.24, 2014, under Uncategorized

When you try to mount an ISO file in iDRAC you get the following message: Either Virtual Media is detached or redirection for the selected virtual disk drive is already in use
The screen looks like this:

[Screenshot: drive error]

To fix this:

  1. On the iDRAC screen, click on “System”.
  2. Then, click on the “Console/Media” tab and then on “Configuration”.
  3. Select “Attach” on the drop down under “Virtual Media”.
  4. Lastly scroll down and click on “apply”
  5. Mount the ISO as you did before, you should now be able to mount it as expected.

Enabling Agent Proxy for all System Center Operations Manager Agents

by on Jan.23, 2014, under SCOM

SCOM is likely to require the proxy to be enabled on a large number of agents; it is certainly the case with a lot of the management packs, and it can often be easier to enable it on all agents and then turn it off on the agents which don't require it.

In any case, enabling the SCOM agent proxy on all agents is a simple PowerShell one-liner:

Get-SCOMAgent | where {$_.ProxyingEnabled.Value -eq $False} | Enable-SCOMAgentProxy

You can always modify the filter as required to match your own needs.  For example, to only enable the proxy on Agents installed within the last 3 months:

Get-SCOMAgent | where {$_.InstallTime -gt ((Get-Date).AddMonths(-3))} | Enable-SCOMAgentProxy


pfsense ERROR: exchange Identity Protection not allowed in any applicable rmconf. on VPN tunnel

by on Dec.20, 2013, under Uncategorized

This error doesn't give many clues as to what's wrong, but it turns out it is usually a simple fix: it is caused by a mismatch between the main / aggressive mode setting for the phase one negotiation. Simply make sure both ends match, or if the setting is not available at one end, change it on the pfSense.

[Screenshot: pfsense]


Installing .NET 3.5 on Server 2012 and 2012 R2

by on Dec.19, 2013, under Windows 2012, Windows 2012 R2

.NET 3.5 is still often required, but the resources to install it are by default absent from the Windows installation. If you have internet connectivity this isn't such an issue, as the files are simply pulled down from Microsoft, but if you are performing an offline build or are in a dev/secure environment with no connectivity it can be problematic.

Personally I find the fastest method is to mount/insert the 2012 installation media and install the feature with DISM. Open an elevated (run as admin) command window and run:

dism /online /enable-feature /featurename:NetFX3 /all /Source:d:\sources\sxs /LimitAccess

Simply change "d" to match the drive letter your install media is available at. /LimitAccess stops DISM from trying Windows Update, so the install either succeeds from the media or fails quickly.

[Screenshot: Dism install]

If the GUI is more your sort of thing, simply run the "Add roles and features" wizard and select the .NET 3.5 feature.

Click Next and locate the "Specify an alternate source path" link at the bottom of the window. Click this.

[Screenshot: alternate source]

In the window that loads type in the path to your side-by-side folder on the installation media.

[Screenshot: alternate source window]

Click on OK and on Install to start .NET 3.5 installing.
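An added example (not from the original post) that removes the "change the drive letter" step: it searches the mounted filesystem drives for a sources\sxs folder containing the NetFX3 package, mounts an ISO if nothing is found, then runs the same DISM command with /LimitAccess and checks the feature state afterwards. The ISO path is an assumed location; run it elevated.

```powershell
# Added example, not from the original post. $IsoPath is an assumed location that
# is only used when no installation media is already mounted.
$IsoPath = 'D:\isos\SERVER2012R2.ISO'

function Find-SxsSource {
    # Look for a sources\sxs folder that actually holds the NetFX3 cab on any drive
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        $sxs = Join-Path $drive.Root 'sources\sxs'
        if ((Test-Path $sxs) -and (Get-ChildItem $sxs -Filter '*netfx3*.cab' -ErrorAction SilentlyContinue)) {
            return $sxs
        }
    }
    return $null
}

$source = Find-SxsSource
if (-not $source -and (Test-Path $IsoPath)) {
    Mount-DiskImage -ImagePath $IsoPath | Out-Null   # Server 2012+ cmdlet
    $source = Find-SxsSource
}
if (-not $source) {
    throw 'No installation media with sources\sxs found; insert or mount the 2012 media first.'
}

"Installing NetFX3 from $source"
# Same command as the post, with the detected path; /LimitAccess keeps DISM off Windows Update
dism.exe /online /enable-feature /featurename:NetFX3 /all /Source:$source /LimitAccess
if ($LASTEXITCODE -ne 0) { throw "DISM failed with exit code $LASTEXITCODE" }

# Confirm the feature is now enabled
dism.exe /online /get-featureinfo /featurename:NetFX3 | Select-String '^State'
```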


SharePoint Correlation error: system.invalidoperationexception: namespace prefix ‘xsd’ is not defined. When using the person picker.

by on Nov.12, 2013, under SharePoint

This is an interesting problem which only occurs when the people picker is being run in IE9 mode. You may find older versions of IE work without issue, and other browsers too. A quick server side fix can be implemented by opening the pickerdialog master file and editing the header. The file should be located here: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\TEMPLATE\LAYOUTS\pickerdialog.master

Simply add the following to the top of the file using your favorite text editor.

<head>
                <meta name="GENERATOR" content="Microsoft SharePoint" />
                <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" />

You should then perform an iisreset. Either use the IIS graphical tools to do this or, in an elevated command window, run IISRESET /noforce

As always take a copy of the master file before editing and if possible test this change in your dev/test environment first.  (You do have one right?)
