DPM Azure restores fail with error

Any Azure restore from DPM fails with the error “The recovery destination selected for one or more of the files to be recovered is invalid. (ID 100070)”

This one is a bit misleading as it often makes you think the issue is with the location you have selected for the restore when in fact it indicates a problem with the Azure staging location. You must make sure it is an NTFS formatted drive with sufficient space and permissions for the agent to edit files.

In my case I saw this error when using a ReFS formatted volume. What makes this error strange is that this same drive used to be OK.

To change the location to a different drive with an NTFS file system and enough free space, open the DPM Administration console -> Management -> click on “online” -> Configure -> Recovery Folder settings.

You will need to know the original passphrase used or be prepared to change it. You will need access into Azure to generate a new recovery vault pin to save the settings. Once the staging folder is in the right location restores should work again.

How to make a Windows CA stop issuing SHA1 and start using SHA256

You might think the place to make the change would be in a certificate template but that is not the case. It looks like the default hash algorithm is stored in the registry and can be changed with certutil.

Run this directly on your CA as administrator:

certutil -setreg ca\csp\CNGHashAlgorithm SHA256

Then restart your Certificate service:

net stop CertSvc
net start CertSvc

Freshly issued certificates should now have a SHA256 hash instead of the old deprecated SHA1.

Redirecting traffic with Apache

There are two main types of redirection. The first is where you want to change a domain or server but you want to preserve the pages and URLs. For example, a company changes name from company1 to company2 and you want to redirect everyone from http://company1.com/ to http://company2.com/ while keeping all of the pages. For example, you would want a visitor clicking a link to http://company1.com/pages/page.html to be redirected to http://company2.com/pages/page.html

This is easy to accomplish with a simple redirect in the virtual host. For example:


# Plain HTTP virtual host (port 80 assumed)
<VirtualHost *:80>
ServerName company1
ServerAlias company1.com
Redirect "/" "https://company2.com/"
</VirtualHost>

# HTTPS virtual host (port 443 assumed)
<VirtualHost *:443>
ServerName company1.com
SSLEngine On
SSLCertificateFile /etc/ssl/apache/company1-com.pem
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
Redirect "/" "https://company2.com/"
</VirtualHost>

Another scenario is that perhaps company1 has stopped trading or maybe the site is down for maintenance and you want to send all traffic to a static page. In this example, we redirect to a complete URL which could be hosted elsewhere or on the same server.


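# Plain HTTP virtual host (port 80 assumed)
<VirtualHost *:80>
ServerName company1
ServerAlias company1.com
RewriteEngine On
# Send every request to the static maintenance page
RewriteRule ^.*$ https://company2.com/maintenance.html
</VirtualHost>

# HTTPS virtual host (port 443 assumed)
<VirtualHost *:443>
ServerName company1.com
SSLEngine On
SSLCertificateFile /etc/ssl/apache/company1-com.pem
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
RewriteEngine On
# Send every request to the static maintenance page
RewriteRule ^.*$ https://company2.com/maintenance.html
</VirtualHost>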

Please note that if you want to redirect to a page on the same server or domain, you will need an additional line before each RewriteRule to prevent the redirect from kicking in on that page. If you don’t, you will have an endless redirect loop.

e.g.

RewriteCond %{REQUEST_FILENAME} !/maintenance.html

Ubuntu /boot partition keeps filling up – move /boot to the root partition

Many of the Ubuntu computers I look after were set up with a reasonable (at the time) 200MB /boot – in fact I think this was one of the default options in the Ubuntu setup. The default behaviour of the unattended updates package appears to install new kernels and not remove old ones. Combine this with the fact that the kernels are getting larger and 200MB is just not enough to maintain a few versions any more.

Rather than messing about with partition resizing or building out a new machine, we can just move /boot onto the much larger root drive.

Make sure to either run these with sudo or switch to root with sudo -s.

1. Take a backup of your server.

2. Copy the contents of boot over, remove the old one and rename.

cp -a /boot /boot2
umount /boot
rmdir /boot
mv /boot2 /boot

3. Now comment out the /boot entry in /etc/fstab (just add a # in front of the line that mounts /boot):

vim /etc/fstab

4. Update grub and make sure everything is correct:

update-grub

5. Now reboot the computer and check everything is working – if not, use the advanced options and try an alternate kernel version. Failing that, restore from your backup.

Remove landscape client service from Ubuntu

You may have your reasons, as I did, for removing this client from a server. The process is very simple.

If you have the full GUI install:

sudo apt-get remove landscape-client landscape-client-ui landscape-client-ui-install landscape-common

If you have a cli only install:

sudo apt-get remove landscape-client landscape-common

Add virtual machine host fails with error 20408

I recently had a problem adding a host to a VMM server – all the obvious things had been checked. WinRM was enabled, firewall rules were in place. Service account had admin rights and DNS was correct.

Still, every time I attempted to add the host an error occurred:

“Error (20408) VMM could not get the specified instance Microsoft:{668f165d-4dae-bcb6-5007ff1fc2e8} of class http://schemas.microsoft.com/wbem/wsman/1/wmi/root/standardcimv2/MSFT_NetAdapterRssSettingData on the server server.fqdn. The operation failed with error NO_PARAM”

In this instance, the server was a 2016 one which had been upgraded from 2012 R2. The fix was bizarre. Save all VMs and remove the vswitches so that only normal physical adapters remain and then recreate the vswitches. The config was identical but clearly, something behind the scenes was wrong and recreating the vswitches worked. Retrying the same job on VMM resulted in success and the host was added to VMM.

WSUSpool keeps stopping and console shows reset node

I recently found myself in a situation where WSUS would only work for a few minutes or even seconds at a time. A restart or IISReset could bring it back for a few minutes but it would soon stop again. The Configuration manager console didn’t show any errors but it also could not see any new updates.

The event log contained this message:

The WSUS administration console was unable to connect to the WSUS Server via the remote API.

Eventually the fix was to increase the amount of memory available to the app pool from the default 1843200 KB – you could set this to 0 so there is no limit or to a higher sensible limit. After doing this and running an IISRESET the app pool remained running and I was able to synchronize new updates as well as service updates to clients.

To do this open up IIS and click the plus by your servername, then on “Application pools”. Next right click on WsusPool and then left click on “Advanced Settings”, then scroll down and locate the “Private Memory limit (KB)” near the bottom and edit this value to 0 or something higher.

Meltdown – Patching CentOS

The patches are out for CentOS 5/6/7 and you can install them simply by the normal update command.

yum update

and then restarting.

To check the patches are installed run:

rpm -q --changelog kernel | egrep 'CVE-2017-5715|CVE-2017-5753|CVE-2017-5754'

and make sure you have entries for all three CVE numbers.
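
An added example (not from the original post) that automates the check above: it reports which of the three CVE IDs have no changelog entry, and with --live it queries the package of the running kernel, because rpm -q kernel also lists kernels that are installed but not yet booted. The sample changelog is constructed, and the kernel-$(uname -r) package name assumes the stock CentOS kernel package.

```sh
#!/bin/sh
# Added example, not from the original post.
REQUIRED_CVES="CVE-2017-5715 CVE-2017-5753 CVE-2017-5754"

# Constructed sample changelog (not real rpm output): the CVE-2017-5753 entry is absent.
SAMPLE_CHANGELOG='* Mon Jan 01 2018 Example Builder <builder@example.invalid> [0.0.0-0.example]
- [x86] example spec_ctrl entry {CVE-2017-5715}
- [x86] example kaiser entry {CVE-2017-5754}'

# Read changelog text on stdin; print the required CVE IDs that never appear.
missing_cves() {
    changelog=$(cat)
    missing=""
    for cve in $REQUIRED_CVES; do
        # -w stops CVE-2017-5715 matching inside a longer ID, -F disables regex
        if ! printf '%s\n' "$changelog" | grep -qwF -- "$cve"; then
            missing="${missing:+$missing }$cve"
        fi
    done
    printf '%s' "$missing"
}

# Print a verdict for the changelog on stdin; return 1 if any CVE is missing.
report() {
    m=$(missing_cves)
    if [ -n "$m" ]; then
        echo "NOT PATCHED, no changelog entry for: $m"
        return 1
    fi
    echo "OK, all three CVE entries present"
}

if [ "${1:-}" = "--live" ]; then
    # Assumption: stock CentOS kernel package, so kernel-$(uname -r) is the booted kernel.
    rpm -q --changelog "kernel-$(uname -r)" | report
else
    # Default: run against the constructed sample so the script works offline.
    printf '%s\n' "$SAMPLE_CHANGELOG" | report || true
fi
```

Run it with --live after the reboot; a non-zero exit status means at least one of the three entries is missing from the running kernel's changelog.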

Broken libc error: Can’t exec “locale”: No such file or directory at /usr/share/perl5/Debconf/Encoding.pm line 16.

When trying to fix a system that someone (something?) had managed to shoehorn a broken/old version of libc-bin onto an Ubuntu 14 server, I ran into this error when trying to run “apt-get install” or “apt-get upgrade”:

Can’t exec “locale”: No such file or directory at /usr/share/perl5/Debconf/Encoding.pm line 16.
Use of uninitialized value $Debconf::Encoding::charmap in scalar chomp at /usr/share/perl5/Debconf/Encoding.pm line 17.
Preconfiguring packages …
dpkg: warning: ‘ldconfig’ not found in PATH or not executable
dpkg: error: 1 expected program not found in PATH or not executable
Note: root’s PATH should usually contain /usr/local/sbin, /usr/sbin and /sbin
E: Sub-process /usr/bin/dpkg returned an error code (2)

So you can’t re-install or repair the libc package because the package manager depends on it working in the first place.

Fortunately we can download and install the package ourselves:

apt-get download libc-bin
dpkg -x libc-bin*.deb unpackdir/
sudo cp unpackdir/sbin/ldconfig /sbin/

This is enough to get apt-get install working again and we can reinstall the package properly, then upgrade.

sudo apt-get install --reinstall libc-bin
sudo apt-get install -f
sudo apt-get upgrade

SCOM 2016 Domain controllers agent status greyed out

I have noticed with Operations Manager 2016 that by default the agent enters a grey state on all domain controllers. This looks to be caused by a permissions problem with either the local system account (or your alternative if you have configured one). Fortunately it is a simple fix. Assuming you have WinRM set up and working and have administrator access, the following should resolve the issue for you:

1. Connect to the server with the grey status:

WINRS -r:MYDCNAME01 cmd.exe

2. Change directory to the Agent location:

cd "C:\Program Files\Microsoft Monitoring Agent\Agent"

3. Use the HSLockdown program to permit your user account:

HSLockdown.exe /A "NT AUTHORITY\SYSTEM"

and/or

HSLockdown.exe /A "mydomain\someaccount"

4. Stop and start the health service:

net stop healthservice
net start healthservice

Your agent status should shortly turn green. Happy monitoring!