Monday 28 July 2014

The Blackberry consistently receives an e-mail stating "Outlook Message Manager (Surname, Firstname) (KEY: 96B2A5668CD0D8438AD1D549xxxxxxxx)", although the error does not appear in Microsoft Outlook 2010/Exchange 2010.

The following Blackberry document (KB32860) outlines the fix for this particular issue. The issue is related to Microsoft Exchange 2010, and the message is automatically ignored by Outlook clients.

Although the fix is to create a filter to basically ignore the message, in this instance it cannot be done on the local Blackberry handset and must be done from inside the Blackberry Enterprise Server (BES) console.

Open the Blackberry Administration Service and click Manage Users from the main landing page. Use the Display Name search field to locate the user experiencing the problem. Click on the user from the list of returned results.

Click Edit User.

Click Default Configuration.
Click on the E-mail tab.
Name the filter descriptively, tick Body: and insert the string "Outlook Message Manager", and ensure Recipient Type and Sent directly to me are selected. You must also tick Do not forward e-mail messages to the device.
Use the + icon to save the configuration. The user will no longer get the annoying message.

Sunday 27 July 2014

Installing and Configuring the Reporting Services (SRS) Point for ConfigMgr 2012 R2 (SCCM)

You should begin with installing the Reporting Services - Native instance feature from the SQL 2012 media.

You will be prompted to name the SQL Instance; I named mine SRS. Click Next.
When Reporting Services installs successfully, click Close.
You must now configure Reporting Services before it is integrated with SCCM 2012 R2. Click the Reporting Services Configuration Manager icon from Start.
Click on the Service Account tab, and select Use another account: and input an Administrative domain account, and click Apply.
Skip over Web Services URL for now, and click Database.  Click on the Change Database button.
You will then follow through the wizard to provision a new database instance.
Also click Change Credentials from the Database tab, and ensure it is using an Administrative domain account. Click Apply. Now go back to the Web Service URL. You do not have to change any configurations here; simply click Apply, and this will push the wizard to provision and configure the IIS virtual directories to support the Reporting Server.
Now launch the ConfigMgr console and click Administration, expand Site and then Server and Site System Roles. Right click on your Primary Site Server and select Add Site System Roles.
Tick Reporting Services Point and click Next to continue.
Review the configurations and set the Reporting Services Username to an Administrative domain account. Click Next.
Reporting Services is now installed and configured.

MDOP 2013 R2: Advanced Group Policy Management to Track GPO Changes

I was recently asked to investigate the Advanced Group Policy Management toolkit to enforce greater compliance and change control of Group Policy objects in a large enterprise environment. This particular client had various different IT service providers making changes to the Active Directory and Group Policy objects.
You can download the MDOP 2013 R2 ISO from Microsoft.

The first step is to install the AGPM Server on to a Domain Controller in your environment. The installation is very straightforward and uninteresting, therefore I am not going to cover it in detail. In this example I am also going to install the AGPM Client on to the same Domain Controller.


When the AGPM Server installation completes, a new tab will appear in Group Policy Management called Change Control. This is where the majority of AGPM tasks are done.

Click on the Uncontrolled tab and you will see a list of Group Policy Objects that are not being audited or managed using AGPM. Right click on one of your GPOs and select Control.
This will then instruct AGPM to audit and track any changes that are made to that GPO. For this example I have deliberately made some policy changes to the AGPM Example GPO.

Click on the Controlled tab, right click on the GPO you have auditing set on, and select Differences and then HTML Report.

AGPM will generate and output a full HTML report that highlights any changes to that particular GPO.

The History tab also tracks time and date stamps on events and GPO changes.

I have found this tool extremely useful in large enterprise environments where there are multiple Active Directory Administrators (or IT service providers) all working on the Group Policies. It was particularly good when someone accidentally deleted the Default Domain Policy link from a production domain.

Integrating ConfigMgr 2012 R2 and the Microsoft Deployment Toolkit (MDT)

On your Configuration Manager 2012 R2 server install the Microsoft Deployment Toolkit (MDT) 2013. Once MDT is installed you will notice a new icon, Configure ConfigMgr Integration.

Ensure Install MDT extensions for Configuration Manager is selected. Click Next.
Click Finish.
Now if you return to ConfigMgr, browse to Software Library, expand Operating Systems and right click on Task Sequences, the option Create MDT Task Sequence will have appeared.
If you have been looking for a tutorial on how to integrate these products, your requirements probably could benefit from the added OSD capabilities.

Wednesday 23 July 2014

SCCM 2012 R2 "The Create Task Sequence Media Wizard Completed with Errors -2147212243" Refer to CreateTSMedia.log File

You are trying to create a Stand-Alone SCCM 2012 R2 USB Boot drive from one of your Task Sequences. It gets all the way to the end and fails with "The Create Task Sequence Media Wizard Completed with Errors -2147212243" Refer to CreateTSMedia.log File.

It turns out in this instance that the Operating System image that was attempting to be compiled into a Stand-Alone USB Drive was approximately 10GB in size. Having done some research on the Internet, it appears to be a known issue for OS images greater than 4.75GB to fail with "The Create Task Sequence Media Wizard Completed with Errors -2147212243" Refer to CreateTSMedia.log File.
I opened up the CreateTSMedia.log file using the CMTrace utility. The log can be found at C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\AdminUILog.
From the log file there are a number of errors relating to the formatting of the USB Drive. The USB Drive was brand new out of the packet, 32GB in size and was formatted in NTFS. I decided to manually format the USB Drive and try again, with the same result.
It transpires that to work around this issue you must use the Command Prompt to manually create an ISO containing all the SCCM components. The ISO file can be larger than 4.75GB, therefore it does not suffer the same issues as the automated wizard.
The following command can be used at an Administrative Command Prompt to generate an ISO file of an entire Task Sequence's components.
cd C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\bin\i386
CreateMedia.exe /K:Full /P:"sccm_dp_fqdn" /S:"sccm_site_code" /C: /D:"sccm_mgmt_fqdn" /L:"Configuration Manager 2012" /A:"sccm_taskseqID" /Z:"False" /T:"CD" /M:"10240" /F:"C:\New\NewSCCM.iso"
Change each of the variables in the command above to match the environment.
/P:"sccm_dp_fqdn" - Configuration Manager Distribution Point FQDN
/S:"sccm_site_code" - Site Code for the SCCM Site
/D:"sccm_mgmt_fqdn" - Configuration Manager Management Point FQDN
/A:"sccm_taskseqID" - The Task Sequence ID
/M:"10240" - Sets the maximum size of the ISO (mine is 10GB)
/F:"File Path" - Output path for the ISO file
To keep an eye on how the ISO is being created, the CreateTSMedia.log can be used to monitor the progress. It will end with the statement CreateMedia.exe: Success if the ISO has been created successfully.
Now instead of using diskpart you can use the Windows 7 USB/DVD Download Tool to create a bootable USB Drive from the ISO file. It will usually fail at 99% reporting it is unable to copy files, but in most cases the USB Drive still works correctly.

Monday 21 July 2014

VEEAM Backup & Replication VM Fails to Backup with Error "Client Error: An Existing Connection was Forcibly Closed by the Remote Host".

A Virtual Machine running on vSphere 5.1 running Windows Server 2003 R2 fails with the error "Client Error: An Existing Connection was Forcibly Closed by the Remote Host".

The cause of this issue is that packets are being dropped. The fix is to create a new DWORD value in the Registry of the VM that is failing to back up. The Registry path is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters; create a new DWORD named SynAttackProtect and set its value to 0.

The following link outlines the function of the SynAttackProtect registry value. It is a protection mechanism against TCP SYN (handshake) floods; setting the value to 0 disables this feature.

Tuesday 15 July 2014

WDS/MDT Integration (DHCP Option 60,66,67): "PXE-E55: ProxyDHCP Service did not reply to request on port 4011" Client Fails to PXE Boot

You have deployed Windows Deployment Services (WDS) and the Microsoft Deployment Toolkit (MDT) to a new Virtual Machine on your Corporate subnet. You have configured WDS to use the MDT Boot Images to allow for PXE Booting over the Network.
When you try to PXE Boot from a client it times out and fails with PXE-E55: ProxyDHCP Service did not reply to request on port 4011. I did some investigation around the WDS installation and the Boot Images, although it seemed to keep coming back to the DHCP configuration in place.

I checked the DHCP Options for the Subnet in which I was working to ensure Option 66 Boot Server Host Name and Option 67 Bootfile Name were configured correctly. Everything was as expected: Option 66 was pointing to the IPv4 Address of the new MDT/WDS Server and 67 was pointing to \Boot\x64\ (resides in RemoteInstall on the local disk), again as expected.
After some further research it turns out the Option 60 Class ID can cause issues when PXE Booting. In this instance it was a production environment with some stale configurations. Option 60 was configured with the string "PXEClient". This apparently is telling the DHCP Clients that the target of Option 66 is a PXE Client and not a PXE Server. I edited Option 60 and cleared the field and restarted the DHCP Server.
I also restarted WDS and then attempted to PXE Boot again, and it started to work. The gotcha here is that when I tried to remove Option 60 ClassID completely from the Scope Options it did not correct the issue. Therefore Option 60 had to be present with no string in the field.
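To confirm what a scope actually hands out, the following added example (not part of the original post) parses the options of a captured DHCP offer and reports Options 60, 66 and 67, distinguishing an absent Option 60 from one that is present but empty. The sample offers, the address 192.0.2.10 and the boot file name are constructed placeholders.

```python
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options field
OPTIONS_OFFSET = 236                  # fixed BOOTP header length before the cookie

def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: raw_value} for a DHCP message (UDP payload)."""
    if payload[OPTIONS_OFFSET:OPTIONS_OFFSET + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    options, i = {}, OPTIONS_OFFSET + 4
    while i < len(payload):
        code = payload[i]
        if code == 255:               # End option
            break
        if code == 0:                 # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        options[code] = value
        i += 2 + length
    return options

def pxe_summary(payload: bytes) -> dict:
    """Summarise the PXE-related options; None means the option is absent."""
    opts = parse_dhcp_options(payload)
    def text(code):
        return opts[code].rstrip(b"\x00").decode("ascii", "replace") if code in opts else None
    return {
        "option60": text(60),         # "" = present but empty, None = not sent
        "option66": text(66),
        "option67": text(67),
        "advertises_pxeclient": opts.get(60, b"").startswith(b"PXEClient"),
    }

def build_offer(options: dict) -> bytes:
    """Constructed sample: zeroed BOOTP header followed by the given options."""
    body = b"".join(bytes([c, len(v)]) + v for c, v in options.items())
    return bytes(OPTIONS_OFFSET) + MAGIC_COOKIE + body + b"\xff"

# Constructed offers modelling the stale and corrected scope described above.
BOOTFILE = b"Boot\\x64\\bootfile.example"   # placeholder file name
STALE = build_offer({53: b"\x02", 60: b"PXEClient", 66: b"192.0.2.10", 67: BOOTFILE})
FIXED = build_offer({53: b"\x02", 60: b"", 66: b"192.0.2.10", 67: BOOTFILE})

if __name__ == "__main__":
    for name, pkt in (("stale", STALE), ("fixed", FIXED)):
        print(name, pxe_summary(pkt))
```

Feed `pxe_summary` the UDP payload of an offer exported from a packet capture taken on the client subnet.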

Monday 14 July 2014

Renewing and Replacing Microsoft Exchange Server 2010 Certificates for Outlook Web Access, AutoDiscover, ActiveSync and POP/IMAP

The Exchange Server's certificate(s) are about to expire and are therefore going to start displaying security warnings to users connecting over Outlook Web App and ActiveSync.

The first step is to generate a Certificate Request File. To do this, open the Exchange Management Console, expand Server Configuration and select the Client Access Servers from the top list of Exchange Servers. From the Actions menu click New Exchange Certificate...

Enter a Friendly Name to recognise the Certificate Request and click Next.

Do not select Wildcard Certificate, click Next.

Expand the list of Exchange Services and select the Services and URLs which should be included in the Certificate as Subject Alternative Names. Click Next when you have all these selected.

Configure a Common Name using the Set as Common Name button. This is important if you are renewing an existing certificate with your Certificate Authority; if this is the case the Common Name must match that of the old certificate. Click Next.

Enter the Legal Contact Information for the business, again it is important for these details to match if you are renewing an existing certificate. Use the Browse button to select a path to save the Certificate Request File.

Review the settings and click Next.
Click Finish.

You should be able to open the Certificate Request File using Notepad or another simple text editor. Copy and paste this entire string of data into the Certificate Request Field on your Certificate Authority's website when requesting the new certificate.

Borrowed screenshot of how this may look with GoDaddy. You then submit this Certificate Request and that allows the Certificate Authority to generate your certificate.
When you have acquired the new certificate file from your Certificate Authority (usually with the file extension .cer or .pem) return to the Exchange Management Console\Server Configuration\CAS\ and right click on your Exchange Certificates (this will be listed as the Friendly Name you configured in an earlier stage). Select Complete Pending Request.

Click the Browse button to search for the newly acquired certificate file. If the file has a .pem extension you must change the File Type to All Files(*.*).
Click Complete to finalize the request.
Right click on your Friendly Name again and select Assign Services to Certificate (the screenshot shown is slightly misleading as I am doing these screenshots retrospectively).

Ensure your Client Access Server is listed and click Next.
Use the tick box listings to select what services your certificate will be used to secure. Click Next.

Click Assign to overwrite the existing certificate.

Now open up Internet Explorer and browse to the external FQDN of your Outlook Web App service and view the certificate. The date should now have changed to reflect the length of the certificate issued. Test all other affected services to ensure the process has worked correctly.